Abstract
We present a model checking technique for security protocols based on a reduction to propositional logic. At the core of our approach is a procedure that, given a description of the protocol in a multi-set rewriting formalism and a positive integer k, builds a propositional formula whose models (if any) correspond to attacks on the protocol. Thus, finding attacks on protocols boils down to checking a propositional formula for satisfiability, a problem that is usually solved very efficiently by modern SAT solvers. Experimental results indicate that the approach scales up to industrial-strength security protocols, with performance comparable to (and in some cases superior to) that of other state-of-the-art protocol analysers.
Cite this article
Armando, A., Compagna, L. SAT-based model-checking for security protocols analysis. Int. J. Inf. Secur. 7, 3–32 (2008). https://doi.org/10.1007/s10207-007-0041-y