Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

韩进,蔡圣闻,王崇峻,赖海光,谢俊元

2010-01-01

Journal of Computer Research and Development

Abstract:The security protocol model is the basis of the security protocol analysis and verification. Existing modeling methods have some shortcomings, such as high complexity, bad reusability, and so on. A typed π calculus-π(superscript t) calculus is presented in this paper, and its type rules and evaluation rules are also given. It is proved that π(superscript t) calculus is a safely typed system. π(superscript t) calculus can be used to build formal models of security protocols and their attackers. NRL protocol is taken for an example to show how to build a security protocol model based on π(superscript t) calculus. The attacker model for a security protocol is also presented in this paper. The action ability which the attacker model based on π(superscript t) calculus has is proved the same to the D-Y attacker model. So the correctness of the results which come from verifying the security protocol models based on π(superscript t) calculus is promised. The security protocol modeling approach based on π(superscript t) calculus can give more detailed description of the semantics of protocol data and the knowledge of participators. Compared with other kinds of methods, this method has better usability and high reusability and can provide more analysis support. The analysis result shows that the method can detect flaws of a security protocol in its modeling process.

Michele Boreale,Maria Grazia Buscemi

DOI: https://doi.org/10.1016/j.tcs.2005.03.044

IF: 1.002

2005-06-01

Theoretical Computer Science

Abstract:In security protocols, message exchange between the intruder and honest participants induces a form of state explosion which makes protocol models infinite. We propose a general method for automatic analysis of security protocols based on the notion of frame, essentially a rewrite system plus a set of distinguished terms called messages. Frames are intended to model generic crypto-systems. Based on frames, we introduce a process language akin to Abadi and Fournet's applied pi. For this language, we define a symbolic operational semantics that relies on unification and provides finite and effective protocol models. Next, we give a method to carry out trace analysis directly on the symbolic model. We spell out a regularity condition on the underlying frame, which guarantees completeness of our method for the considered class of properties, including secrecy and various forms of authentication. We show how to instantiate our method to some of the most common crypto-systems, including shared- and public-key encryption, hashing and Diffie–Hellman key exchange.

computer science, theory & methods

姜励,平玲娣,陈小平,潘雪增,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.010

2008-01-01

Abstract:The concept of trust domain was introduced into probabilistic secure process algebra(PSPA),and the intransitive noninterference information flow security model was extended to probabilistic systems to implement many important security policies such as secure downgrading of probabilistic information and channel control.Intransitive probabilistic information flow security properties were analyzed based on the probabilistic weak bisimulation equivalence.Intransitive bisimulation strong probabilistic noninterference(I_BSPNI) and intransitive probabilistic bisimulation-based nondeducibility on composition(I_PBNDC) were presented.To expose the potential secure problem that I_PBNDC cannot discover in dynamic context,the persistent I_PBNDC property was proposed,which required that every reachable state of the system must satisfy I_PBNDC.The properties like bisimulation-based nondeducibility on composition are difficult to prove.To overcome this shortcoming,strong I_PBNDC property was defined in terms of unwinding conditions demanding properties of individual actions.Finally,the relations between these properties were given and proved.

Vincent Cheval,Steve Kremer,Itsaka Rakotonirina

DOI: https://doi.org/10.46298/theoretics.24.4

2024-03-12

Abstract:Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.

Cryptography and Security

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Rongxiao Fu,Ornela Dardha,Michel Steuwer

2023-04-27

Abstract:Strategy languages enable programmers to compose rewrite rules into strategies and control their application. This is useful in programming languages, e.g., for describing program transformations compositionally, but also in automated theorem proving, where related ideas have been studies with tactics languages. Clearly, not all compositions of rewrites are correct, but how can we assist programmers in writing correct strategies? In this paper, we present a static type system for strategy languages. We combine a structural type system capturing how rewrite strategies transform the shape of the rewritten syntax with a novel tracing system that keeps track of all possible legal strategy execution paths. Our type system raises warnings when parts of a composition are guaranteed to fail at runtime, and errors when no legal execution for a strategy is possible. We present a formalization of our strategy language and novel tracing type system, and formally prove its type soundness. We present formal results, showing that ill-traced strategies are guaranteed to fail at runtime and that well-traced strategy executions "can't go wrong", meaning that they are guaranteed to have a possible successful execution path.

Programming Languages

Yu-Fang Chen,Chih-Duo Hong,Anthony W. Lin,Philipp Ruemmer

DOI: https://doi.org/10.48550/arXiv.1709.07139

2017-10-03

Abstract:We revisit the classic problem of proving safety over parameterised concurrent systems, i.e., an infinite family of finite-state concurrent systems that are represented by some finite (symbolic) means. An example of such an infinite family is a dining philosopher protocol with any number n of processes (n being the parameter that defines the infinite family). Regular model checking is a well-known generic framework for modelling parameterised concurrent systems, where an infinite set of configurations (resp. transitions) is represented by a regular set (resp. regular transducer). Although verifying safety properties in the regular model checking framework is undecidable in general, many sophisticated semi-algorithms have been developed in the past fifteen years that can successfully prove safety in many practical instances. In this paper, we propose a simple solution to synthesise regular inductive invariants that makes use of Angluin's classic L* algorithm (and its variants). We provide a termination guarantee when the set of configurations reachable from a given set of initial configurations is regular. We have tested L* algorithm on standard (as well as new) examples in regular model checking including the dining philosopher protocol, the dining cryptographer protocol, and several mutual exclusion protocols (e.g. Bakery, Burns, Szymanski, and German). Our experiments show that, despite the simplicity of our solution, it can perform at least as well as existing semi-algorithms.

Logic in Computer Science,Formal Languages and Automata Theory,Programming Languages

Joshua Guttman

DOI: https://doi.org/10.4204/EPTCS.8.5

2009-11-11

Abstract:A model-theoretic approach can establish security theorems for cryptographic protocols. Formulas expressing authentication and non-disclosure properties of protocols have a special form. They are quantified implications for all xs . (phi implies for some ys . psi). Models (interpretations) for these formulas are *skeletons*, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If phi is the antecedent of a security goal, then there is a skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi implies for some ys . psi) iff every realized homomorphic image of A_phi satisfies psi. Hence, to verify a security goal, one can use the Cryptographic Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in each of these shapes, then the goal holds.

Cryptography and Security,Logic in Computer Science

Serdar Erbatur,Ulrich Schöpp,Chuangjie Xu

DOI: https://doi.org/10.1145/3479394.3479413

2021-07-23

Abstract:A common approach to improve software quality is to use programming guidelines to avoid common kinds of errors. In this paper, we consider the problem of enforcing guidelines for Featherweight Java (FJ). We formalize guidelines as sets of finite or infinite execution traces and develop a region-based type and effect system for FJ that can enforce such guidelines. We build on the work by Erbatur, Hofmann and Zălinescu, who presented a type system for verifying the finite event traces of terminating FJ programs. We refine this type system, separating region typing from FJ typing, and use ideas of Hofmann and Chen to extend it to capture also infinite traces produced by non-terminating programs. Our type and effect system can express properties of both finite and infinite traces and can compute information about the possible infinite traces of FJ programs. Specifically, the set of infinite traces of a method is constructed as the greatest fixed point of the operator which calculates the possible traces of method bodies. Our type inference algorithm is realized by working with the finitary abstraction of the system based on Büchi automata.

Logic in Computer Science,Programming Languages

Qin Li,Qingkai Zeng

DOI: https://doi.org/10.1109/nss.2009.12

2009-01-01

Abstract:We present a calculus of concurrent objects for specification and security analysis of ad hoc security protocols. The communicating nodes and the network are modeled by objects, while the interactions between them are modeled by asynchronous method invocations. The internal state of an object is represented by a constant method which can be overridden. The approach is complemented by a control flow analysis which can be used to automatically check properties such as security routing. The attacker model is integrated into the analysis as set values containing the knowledge of the attacker.

Ruggero Lanotte,Massimo Merro,Andrei Munteanu

DOI: https://doi.org/10.48550/arXiv.2007.09399

2020-09-11

Abstract:We define a simple process calculus, based on Hennessy and Regan's Timed Process Language, for specifying networks of communicating programmable logic controllers (PLCs) enriched with monitors enforcing specifications compliance. We define a synthesis algorithm that given an uncorrupted PLC returns a monitor that enforces the correctness of the PLC, even when injected with malware that may forge/drop actuator commands and inter-controller communications. Then, we strengthen the capabilities of our monitors by allowing the insertion of actions to mitigate malware activities. This gives us deadlock-freedom monitoring: malware may not drag monitored controllers into deadlock states.

Logic in Computer Science

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/uic-atc.2009.44

2009-01-01

Abstract:We propose an approach on model checking information flow for imperative language with procedures. We characterize our model with pushdown system, which has a stack of unbounded length that naturally models the execution of procedural programs. Because the type-based static analysis is sometimes too conservative and rejects safe program as ill-typed, we take a semantic-based approach by self-composing symbolic pushdown system and specifying noninterference with LTL formula. Then we verify this LTL-expressed property via model checker Moped. Except for overcoming the conservative characteristic of type-based approach, our motivation also includes the insufficient state of arts on precise information flow analysis under interprocedural setting. To remedy the inefficiency of model checking compared with type system, we propose both compact form and contracted form of self-composition. According to experimental results, they can greatly increase the efficiency of realistic verification. Our method provides flexibility on separating program abstraction from noninterference verification, thus could be expected to use on different programming languages.

Lawrence C. Paulson

DOI: https://doi.org/10.3233/JCS-1998-61-205

2021-05-13

Abstract:Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol by Bull and Otway (which is of variable length). One can prove that event $ev$ always precedes event $ev'$ or that property $P$ holds provided $X$ remains secret. Properties can be proved from the viewpoint of the various principals: say, if $A$ receives a final message from $B$ then the session key it conveys is good.

Cryptography and Security,Logic in Computer Science

Kangfeng Ye,Roberto Metere,Poonam Yadav

2024-10-01

Abstract:Current formal verification of security protocols relies on specialized researchers and complex tools, inaccessible to protocol designers who informally evaluate their work with emulators. This paper addresses this gap by embedding symbolic analysis into the design process. Our approach implements the Dolev-Yao attack model using a variant of CSP based on Interaction Trees (ITrees) to compile protocols into animators -- executable programs that designers can use for debugging and inspection. To guarantee the soundness of our compilation, we mechanised our approach in the theorem prover Isabelle/HOL. As traditionally done with symbolic tools, we refer to the Diffie-Hellman key exchange and the Needham-Schroeder public-key protocol (and Lowe's patched variant). We demonstrate how our animator can easily reveal the mechanics of attacks and verify corrections. This work facilitates security integration at the design level and supports further security property analysis and software-engineered integrations.

Cryptography and Security,Logic in Computer Science

Fusheng Wu,Jinhui Liu,Yanbin Li,Mingtao Ni

DOI: https://doi.org/10.1049/2024/2634744

2024-06-14

IET Information Security

Abstract:The π‐calculus is a basic theory of mobile communication based on the notion of interaction, which, is aimed at analyzing and modeling the behaviors of communication processes in communicating and mobile systems, and is widely applied to the security analysis of cryptographic protocol's design and implementation. But the π‐calculus does not provide seamless logical security analysis, so the logical flaws in the design and the implementation of a cryptographic protocol cannot be discovered in time. This paper introduces logical rules and logical proofs, binary tree, and the KMP algorithm and proposes a new extension of the π‐calculus theory, a logical security analysis method, and an algorithm. The aim is to analyze whether there are logical flaws in the design and the implementation of a cryptographic protocol, to ensure the security of the cryptographic protocol when it is encoded into software and implemented. This paper presents the logical security proof and analysis of the TLS1.3 protocol's interactional implementation process. Empirical results show that the additional extension theory, the logical security analysis method, and the algorithm can effectively analyze whether there are logical flaws in the design and the implementation of a cryptographic protocol.

computer science, information systems, theory & methods

M.L. Martinez Ricci,J. Mazzaferri,A.V. Bragas,O.E. Martinez

DOI: https://doi.org/10.1119/1.2742400

2007-10-02

Abstract:We present a photon counting experiment designed for an undergraduate physics laboratory. The statistics of the number of photons of a pseudo-thermal light source is studied in two limiting cases: much longer and much shorter than the coherence time, giving Poisson and Bose-Einstein distributions, respectively. The experiment can be done in a reasonable time using a digital oscilloscope without the need of counting boards. The use of the oscilloscope has the advantage of allowing the storage of the data for further processing. The stochastic nature of the detection phenomena adds additional value because students are forced to do data processing and analysis.

Optics

Sabina Szymoniak,Olga Siedlecka-Lamch,Mirosław Kurkowski

DOI: https://doi.org/10.1007/978-3-319-92459-5_28

IF: 5.493

2018-01-01

Computer Networks

Abstract:In many verification approaches for security protocols analysis time aspects are omitted. According to this in our work we try to show how these problems are important in this area. To do this we present new ideas as well as methods for calculating and checking several types of time parameters that characterize some time aspects during and after the protocol’s execution. As an example we present the timed analysis in the case of the timed version of the well known the NSPKL protocol (Needham Schroeder Public Key Protocol revised by Lowe). The experimental results obtained using a proprietary tool are also shown. Using this, during the running of the protocol, the “presence” of the Intruder can be followed by observing incorrect time of the protocol execution. As we will see, both those too short and too long allows this.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ashish Mishra,Deepak Dsouza,Y. N. Srikant

DOI: https://doi.org/10.48550/arXiv.1712.08753

2017-12-23

Programming Languages

Abstract:Typestates are good at capturing dynamic states of a program as compared to normal types that can capture static structural properties of data and program. Although useful, typestates are suitable only for specifying and verifying program properties defined using finite-state abstractions. Many useful dynamic properties of programs are not finite-state definable. To address these issues, we introduce parameterized typestates (p-typestates). p-typestates associate a logical property with each state of regular typestate, thereby allowing specification of properties beyond finite-state abstractions. We present a dependent type system to express and verify p-typestate properties and a typestate-oriented core programming language incorporating these dependent types. Automatic inductive type-checking of p-typestate properties usually requires a programmer to provide loop invariants as annotations. Here we propose a way to calculate loop invariants automatically, using loop acceleration techniques for Presburger definable transition systems. \keywords{Programming Languages, Typestates, Dependent Types, Non-Regular Program Properties, Verification, Loop Invariants}

Fusheng Wu,Jinhui Liu,Yanbing Li,Mingtao Ni

2023-11-01

Abstract:The pi calculus is a basic theory of mobile communication based on the notion of interaction, which, aimed at analyzing and modelling the behaviors of communication process in communicating and mobile systems, is widely applied to the security analysis of cryptographic protocol's design and implementation. But the pi calculus does not provide perfect logic security analysis, so the logic flaws in the design and the implementation of a cryptographic protocol can not be discovered in time. The aim is to analyze whether there are logic flaws in the design and the implementation of a cryptographic protocol, so as to ensure the security of the cryptographic protocol when it is encoded into a software and implemented. This paper introduces logic rules and proofs, binary tree and the KMP algorithm, and proposes a new extension the pi calculus theory, a logic security analysis framework and an algorithm. This paper presents the logic security proof and analysis of TLS1.3 protocol's interactional implementation process. Empirical results show that the new extension theory, the logic security analysis framework and the algorithm can effectively analyze whether there are logic flaws in the design and the implementation of a cryptographic protocol. The security of cryptographic protocols depends not only on cryptographic primitives, but also on the coding of cryptographic protocols and the environment in which they are implemented. The security analysis framework of cryptographic protocol implementation proposed in this paper can ensure the security of protocol implementation.

Cryptography and Security,Logic in Computer Science