SAT-based model-checking for security protocols analysis

  • Special Issue Paper
  • International Journal of Information Security

Abstract

We present a model checking technique for security protocols based on a reduction to propositional logic. At the core of our approach is a procedure that, given a description of the protocol in a multi-set rewriting formalism and a positive integer k, builds a propositional formula whose models (if any) correspond to attacks on the protocol. Thus, finding attacks on protocols boils down to checking a propositional formula for satisfiability, a problem that is usually solved very efficiently by modern SAT solvers. Experimental results indicate that the approach scales up to industrial-strength security protocols with performance comparable with (and in some cases superior to) that of other state-of-the-art protocol analysers.



Author information


Correspondence to Alessandro Armando.

Cite this article

Armando, A., Compagna, L. SAT-based model-checking for security protocols analysis. Int. J. Inf. Secur. 7, 3–32 (2008). https://doi.org/10.1007/s10207-007-0041-y
