Meng-Jun LI,Zhou-Jun LI,Huo-Wang CHEN

DOI: https://doi.org/10.1360/jos170898

2006-01-01

Journal of Software

Abstract:This paper describes the security protocol verifier SPVT developed by Objective-Caml. In SPVT (security protocol verifying tool), the specification language is the π-like calculus extended with three appendixes, the Dolev-Yao model is described with Horn logic rules, the π-like calculus model of security protocol is transformed into the logic program model by abstract rules, the security properties are verified based on the calculus of the logic program's fixpoint, and the counter-examples on security properties are constructed from the process of the fixpoint calculus and the process of the property verification. The simplified Needham-Schroeder public-key authentication protocol is used to exemplify the automatic verification process of security protocol with SPVT, and the results show the validity of the verifier.

Zhoujun Li,Qianqian Zhao,Ti Zhou

2010-01-01

Abstract:Automatical verification of time sensitive protocols is a difficult research topic in formal analyses, with the key problem being how to simply and efficiently check time constraints led by time stamps. TSPVT, which automatically verifies time sensitive protocols, was developed from the SPVT(security protocol verifying tool) in the Objective Caml language. TSPVT takes time sensitive protocols in an extended π-like calculus model with time events as its input model, then translates the π-like calculus model into a Horn logic model P extended by the time constraint system. The Horn logic model P is composed of a set of rules for honest participants as well as another set of rules for attackers. In the verification period, TSPVT computes the fix point of P when the tool needs to process the X-resolution among rules within the time constraint system and then verifies the authentication of the protocol based on the fixed point. A simplified description of the verification process using TSPVT is given in detail using the Denning-Sacco protocol as an example, with the results showing the validity of the verifier.

Ti Zhou,Mengjun Li,Zhoujun Li

DOI: https://doi.org/10.1145/1456396.1456399

2008-01-01

Abstract:The verification problem for security protocols is undecidable, but it is feasible to verify protocols by abstract interpretation. This paper presents a method based on local abstraction and refinement for verifying security protocols terminably. Local abstraction produces a safe approximation of the security protocol, modeled as a set of Horn logic rules. Refinement removes false attacks introduced by local abstraction. In contrast with methods based on global abstraction, our method abstracts only certain rules that can lead to non-termination when computing fixpoints, that is, it does not abstract all rules. We implement this method in a verification tool SPVT and are able to verify well-known protocols. Moreover, our experiments indicate that local abstraction is less costly than global abstraction.

MengJun Li,Ti Zhou,ZhouJun Li,HuoWang Chen

DOI: https://doi.org/10.1007/978-3-540-76929-3_16

2007-01-01

Abstract:Using depth(k) abstract domain, we present an abstraction and refinement framework for verifying security protocols based on logic programming. The solved-form fixpoint of the logic program model is abstracted by depth(k) abstract domain, which guarantees termination of the verification algorithm; If the result of the verification algorithm with the abstract solved-form fixpoint shows there exists counterexamples, but the result of the verification algorithm with the logic rules in abstract solved-form fixpoint which are not abstracted shows there exists no counterexamples, then the abstracted solved-form fixpoint is refined by increasing the value of term depth bound k. With this framework, all of the verification, constructing counterexamples and refinement can be implemented in a mechanized way.

Yan Xiong,Cheng Su,Wenchao Huang,Fuyou Miao,Wansen Wang,Hengyi Ouyang

DOI: https://doi.org/10.1109/tdsc.2024.3368131

2020-01-01

Abstract:Current formal approaches have been successfully used to find design flaws in many security protocols. However, it is still challenging to automatically analyze protocols due to their large or infinite state spaces. In this paper, we propose SmartVerif, a novel and general framework that pushes the limit of automation capability of state-of-the-art verification approaches. The primary technical contribution is the dynamic strategy inside SmartVerif, which can be used to smartly search proof paths. Different from the non-trivial and error-prone design of existing static strategies, the design of our dynamic strategy is simple and flexible: it can automatically optimize itself according to the security protocols without any human intervention. With the optimized strategy, SmartVerif can localize and prove supporting lemmata, which leads to higher probability of success in verification. The insight of designing the strategy is that the node representing a supporting lemma is on an incorrect proof path with lower probability, when a random strategy is given. Hence, we implement the strategy around the insight by introducing a reinforcement learning algorithm. We also propose several methods to deal with other technical problems in implementing SmartVerif. Experimental results show that SmartVerif can automatically verify all security protocols studied in this paper. The case studies also validate the efficiency of our dynamic strategy.

xiao yinyin,su kaile,ma zhenyuan,hu ruo

DOI: https://doi.org/10.13245/j.hust.2013.07.015

2013-01-01

Abstract:The important properties of SET(secure electronic transaction)payment protocols were verified and improved by a knowledge reasoning method ISL(instantiation space logic)and its tool SPV(security protocol verifier).The method could verify the correctness of protocols in unbounded number of sessions compared with model checking method.By comparison with theorems or proved methods,the method was testified fully automatically.A model more closed to the original protocols was proposed by simplifying complex messages of protocols under the ISL and choosing the protocol steps rationally,without affecting the important security properties.The SPV formal description of the model and its properties(secrecy and authentication) was given,and the verification results and effectiveness were showed.The protocols were improved according to the unsatisfied epistemic specifications,and the improvement resolved the authentication problem between the cardholder and pay-gate in the protocols.

Yan Xiong,Cheng Su,Wenchao Huang,Fuyou Miao,Wansen Wang,Hengyi Ouyang

DOI: https://doi.org/10.48550/arxiv.1807.00669

2018-01-01

Abstract:Current formal approaches have been successfully used to find design flaws in many security protocols. However, it is still challenging to automatically analyze protocols due to their large or infinite state spaces. In this paper, we propose a novel framework that can automatically verifying security protocols without any human intervention. Experimental results show that SmartVerif automatically verifies security protocols that cannot be automatically verified by existing approaches. The case study also validates the effectiveness of our dynamic strategy.

Chao-jing TANG,Zhi-yong LU,Chao FENG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2014.06.022

2014-01-01

Abstract:This paper proposes a logic for verifying security protocols in the computational model ,which can describe the computation and communication actions precisely .We present a cryptographically sound proof system on the logic and can formalize the various security properties for encryption algorithms directly .During the research ,several unsoundness of the formalization with the computational protocol compositional logic in prior work is discovered ,and corresponding solutions are proposed .By proving the security properties for the Needham-Schroeder-Lowe protocol ,the power of the logic is demonstrated .Being different from most of the current verification approaches ,this logic reasons about the security of protocols from the security of cryptographic algorithms forwardly ,and is both easy to use and cryptographically sound .

Meng-Jun LI,Zhou-Jun LI,Huo-Wang CHEN

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.022

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Based on analyzing and pointing out the limitations for constructing counter-examples of the security protocol's Horn logic model and its verification method proposed by Bruno Blanchet and Martin Abadi, the security protocol's extended Horn logic model and the modified-version verification method are presented such that the counter-examples are able to be constructed from them automatically. In the authors' verifier SPVT developed based on the functional programming language Objective Caml, these algorithms are implemented and their correctness are proved.

ZHOU Ti,LI Meng-Jun,LI Zhou-Jun

DOI: https://doi.org/10.3724/sp.j.1016.2011.01275

2011-01-01

Chinese Journal of Computers

Abstract:Based on the dynamic approach to characterizing termination of generic logic program,a dynamic approach to characterizing termination of solved-form fixpoint is researched in this paper,and a sufficient condition of non-termination of solved-form fixpoint of the extended Horn logic model of security protocol is presented.Based on this condition,an approach is represented to predict non-termination of computation of solved-form fixpoint.This approach can predict the non-termination of computing fixpoint by checking new generated rules,and localize the solved-form rules in the extended Horn logic model which cause infinite computations of solved-form fixpoint.The non-termination prediction results will provide the criteria for choosing different verification methods of security protocols,such as accurate methods and abstract methods.The experiment results show the effectiveness of the prediction algorithms.

Vincent Cheval,Caroline Fontaine

2024-10-20

Abstract:Computer-aided analysis of security protocols heavily relies on equational theories to model cryptographic primitives. Most automated verifiers for security protocols focus on equational theories that satisfy the Finite Variant Property (FVP), for which solving unification is decidable. However, they either require to prove FVP by hand or at least to provide a representation as an E-convergent rewrite system, usually E being at most the equational theory for an associative and commutative function symbol (AC). The verifier ProVerif is probably the only exception amongst these tools as it automatically proves FVP without requiring a representation, but on a small class of equational theories. In this work, we propose a novel semi-decision procedure for proving FVP, without the need for a specific representation, and for a class of theories that goes beyond the ones expressed by an E-convergent rewrite system. We implemented a prototype and successfully applied it on several theories from the literature.

Cryptography and Security

Vincent Cheval,Steve Kremer,Itsaka Rakotonirina

DOI: https://doi.org/10.46298/theoretics.24.4

2024-03-12

Abstract:Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.

Cryptography and Security

Li Zhou,Xia Yin,Zhiliang Wang

DOI: https://doi.org/10.1109/icstw.2011.18

2011-01-01

Abstract:Protocol security testing is an important technique to ensure the security of communication protocols. However, methods considering both effective detection to specification vulnerabilities and efficient testing on protocol implementations are not well developed. In this paper, we present a general method for protocol security testing including protocol verification with SPIN model checker and protocol testing with formal testing language TTCN-3. We use threat model to model malicious entities and import the classification of information security to achieve a complete analysis of security requirements for protocol verification. We also develop a SPIN Trail to TTCN-3(st2ttcn) conversion tool to generate test cases automatically from counter examples obtained from model checking. As a case study, we apply our approach to the security testing of Source Address Validation Improvements (SAVI) protocol. We test two versions of SAVI-DHCP protocol. Security vulnerabilities have been found and tested in corresponding implementations.

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Philipp Schröer,Kevin Batz,Benjamin Lucien Kaminski,Joost-Pieter Katoen,Christoph Matheja

DOI: https://doi.org/10.1145/3622870

2023-10-16

Proceedings of the ACM on Programming Languages

Abstract:This paper presents a quantitative program verification infrastructure for discrete probabilistic programs. Our infrastructure can be viewed as the probabilistic analogue of Boogie: its central components are an intermediate verification language (IVL) together with a real-valued logic. Our IVL provides a programming-language-style for expressing verification conditions whose validity implies the correctness of a program under investigation. As our focus is on verifying quantitative properties such as bounds on expected outcomes, expected run-times, or termination probabilities, off-the-shelf IVLs based on Boolean first-order logic do not suffice. Instead, a paradigm shift from the standard Boolean to a real-valued domain is required. Our IVL features quantitative generalizations of standard verification constructs such as assume- and assert-statements. Verification conditions are generated by a weakest-precondition-style semantics, based on our real-valued logic. We show that our verification infrastructure supports natural encodings of numerous verification techniques from the literature. With our SMT-based implementation, we automatically verify a variety of benchmarks. To the best of our knowledge, this establishes the first deductive verification infrastructure for expectation-based reasoning about probabilistic programs.

Kenan Wood,Runtian Zhou,Haoze Wu,Hammurabi Mendes,Jonad Pulaj

2024-09-27

Abstract:Correctness of results from mixed-integer linear programming (MILP) solvers is critical, particularly in the context of applications such as hardware verification, compiler optimization, or machine-assisted theorem proving. To this end, VIPR 1.0 is the first recently proposed general certificate format for answers produced by MILP solvers. We design a schema to encode VIPR's inference rules as a ground formula that completely characterizes the validity of the algorithmic check, removing any ambiguities and imprecisions present in the specification. We implement a checker for VIPR certificates by expressing our ground formula with the Satisfiability Modulo Theory Library (SMT-LIB) and check its validity. Our approach is solver-agnostic, and we test its viability using benchmark instances found in the literature.

Logic in Computer Science

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Zheng Yang,Hang Lei,Weizhong Qian

DOI: https://doi.org/10.1109/access.2020.2969437

IF: 3.9

2020-01-01

IEEE Access

Abstract:This paper reports a formal symbolic process virtual machine (FSPVM) denoted as FSPVM-E for verifying the reliability and security of Ethereum-based services at the source code level of smart contracts. A Coq proof assistant is employed for programming the system and for proving its correctness. The current version of FSPVM-E adopts execution-verification isomorphism, which is an application extension of Curry-Howard isomorphism, as its fundamental theoretical framework to combine symbolic execution and higher-order logic theorem proving. The four primary components of FSPVM-E include a general, extensible, and reusable formal memory framework, an extensible and universal formal intermediate programming language denoted as Lolisa, which is a large subset of the Solidity programming language using generalized algebraic datatypes, the corresponding formally verified interpreter of Lolisa, denoted as FEther, and assistant tools and libraries. The self-correctness of all components is certified in Coq. FSPVM-E supports the ERC20 token standard, and can automatically and symbolically execute Ethereum-based smart contracts, scan their standard vulnerabilities, and verify their reliability and security properties with Hoare-style logic in Coq.

刘锋,李舟军,李梦君,宋震,张艳

DOI: https://doi.org/10.3969/j.issn.1007-130x.2004.02.009

2004-01-01

Abstract:SMV is a symbolic model checking tool based on linear temporal logic. In this paper we verify the Needham-Schroeder protocol by SMV, and finally find out an attack sequence which is achieved by replaying messages.

Linard Arquint,Felix A. Wolf,Joseph Lallemand,Ralf Sasse,Christoph Sprenger,Sven N. Wiesner,David Basin,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2212.04171

2022-12-08

Abstract:We provide a framework consisting of tools and metatheorems for the end-to-end verification of security protocols, which bridges the gap between automated protocol verification and code-level proofs. We automatically translate a Tamarin protocol model into a set of I/O specifications expressed in separation logic. Each such specification describes a protocol role's intended I/O behavior against which the role's implementation is then verified. Our soundness result guarantees that the verified implementation inherits all security (trace) properties proved for the Tamarin model. Our framework thus enables us to leverage the substantial body of prior verification work in Tamarin to verify new and existing implementations. The possibility to use any separation logic code verifier provides flexibility regarding the target language. To validate our approach and show that it scales to real-world protocols, we verify a substantial part of the official Go implementation of the WireGuard VPN key exchange protocol.

Cryptography and Security,Programming Languages