Automated Analysis of Security Protocols with Global State

Abstract: Abstract. Security APIs, key servers and protocols that need to keep the status of transactions, require to maintain a global, non-monotonic state, e.g., in the form of a database or register. However, most existing automated verification tools do not support the analysis of such stateful security protocols -sometimes because of fundamental reasons, such as the encoding of the protocol as Horn clauses, which are inherently monotonic. A notable exception is the recent tamarin prover which allows specifying prot… Show more

“…The grammar for terms (M, N ) and processes (P, Q), given in Table 1, follows [12]. In addition to usual operators for concurrency, replication, and name creation, the calculus A inherits from the applied π-calculus [1] input and output constructs in which terms appear both as communication subjects and objects.…”

“…This paper connects two distinct formal models of communicating systems: a process language for the analysis of security protocols [12], and a process language for session-based concurrency [9,10]. They are representative of two separate research strands: (a) Process models for security protocols, such as [12] (see also [7]), rely on variants of the applied π-calculus [1] to establish properties related to process execution (e.g., secrecy and confidentiality).…”

“…They are representative of two separate research strands: (a) Process models for security protocols, such as [12] (see also [7]), rely on variants of the applied π-calculus [1] to establish properties related to process execution (e.g., secrecy and confidentiality). These models support cryptography and term passing, but lack support for high-level communication structures.…”

“…-A, a (low-level) applied π-calculus in which processes explicitly describe term communication, cryptographic operations, and state manipulation [12]; -S, a (high-level) π-calculus in which communication actions are organized as multiparty session protocols [5,10].…”

“…Process specifications in S can now integrate cryptographic operations and be analyzed by (re)using existing methods. In fact, since A processes can be faithfully translated into multiset rewriting rules using SAPIC [12] (which can in turn be fed into the Tamarin prover [14]), our encoding bridges the gap between S processes and toolsets for the analysis of security properties: …”

Relating Process Languages for Security and Communication Correctness (Extended Abstract)

“…The grammar for terms (M, N ) and processes (P, Q), given in Table 1, follows [12]. In addition to usual operators for concurrency, replication, and name creation, the calculus A inherits from the applied π-calculus [1] input and output constructs in which terms appear both as communication subjects and objects.…”

“…This paper connects two distinct formal models of communicating systems: a process language for the analysis of security protocols [12], and a process language for session-based concurrency [9,10]. They are representative of two separate research strands: (a) Process models for security protocols, such as [12] (see also [7]), rely on variants of the applied π-calculus [1] to establish properties related to process execution (e.g., secrecy and confidentiality).…”

“…They are representative of two separate research strands: (a) Process models for security protocols, such as [12] (see also [7]), rely on variants of the applied π-calculus [1] to establish properties related to process execution (e.g., secrecy and confidentiality). These models support cryptography and term passing, but lack support for high-level communication structures.…”

“…-A, a (low-level) applied π-calculus in which processes explicitly describe term communication, cryptographic operations, and state manipulation [12]; -S, a (high-level) π-calculus in which communication actions are organized as multiparty session protocols [5,10].…”

“…Process specifications in S can now integrate cryptographic operations and be analyzed by (re)using existing methods. In fact, since A processes can be faithfully translated into multiset rewriting rules using SAPIC [12] (which can in turn be fed into the Tamarin prover [14]), our encoding bridges the gap between S processes and toolsets for the analysis of security properties: …”

Relating Process Languages for Security and Communication Correctness (Extended Abstract)

TrollThrottle —Raising the Cost of Astroturfing

Formal Support for Standardizing Protocols with State