Verifying security protocols with Brutus

Clarke, Edmund M.; Jha, Somesh; Marrero, Will

doi:10.1145/363516.363528

Cited by 99 publications

(51 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Finite state analysis of cryptographic protocols can take place in specialized security model checkers, like BRUTUS [6], where security violations are encoded as failures of secrecy or authentication. Alternatively, finite state analysis is often carried out in generalpurpose model checkers like Murφ [31] and the FDR (Failures Divergence Refinement) [32] model checker.…”

Section: Related Workmentioning

confidence: 99%

“…When focused on the problem of the state space explosion, a series of interesting works exploit symmetry and partial order reduction techniques [6,7,31,33]. In [10], the authors propose model checking with pre-configuration, which is a divide-and-conquer method for verifying security protocols.…”

Section: Related Workmentioning

confidence: 99%

“…Existing intruder models [6,9,29,31,33], whether they are based on mere state space exploration or whether they combine it with natural deduction-style reasoning or "lazy" evaluation, delimit the state space branching by exploiting information about the messages that protocol participants expect. This optimization avoids generating from the intruder's knowledge, fake messages that cannot have an effect in the protocol's execution, if every protocol participant rejects them as unexpected.…”

Section: Related Workmentioning

confidence: 99%

“…Symmetry reductions partition the state space into various equivalence classes, which are exploited by taking into account only one state from each partition. Symmetry reductions for security protocol verification have been first implemented in Brutus [6]. In another work [7], the same authors address the complications of applying partial order reduction, due to tracking the accumulated knowledge of the intruder.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An intruder model with message inspection for model checking security protocols

Basagiannis

Katsaros

Pombortsis

2010

Computers & Security

View full text Add to dashboard Cite

Model checking security protocols is based on an intruder model that represents the eavesdropping or interception of the exchanged messages, while at the same time performs attack actions against the ongoing protocol session(s). Any attempt to enumerate all messages that can be deduced by the intruder and the possible actions in all protocol steps results in an enormous branching of the model's state space. In current work, we introduce a new intruder model that can be exploited for state space reduction, optionally in combination with known techniques, such as partial order and symmetry reduction. The proposed intruder modeling approach called Message Inspection (MI) is based on enhancing the intruder's knowledge with metadata for the exchanged messages. In a preliminary simulation run, the intruder tags the analyzed messages with protocol-specific values for a set of predefined parameters. This metadata is used to identify possible attack actions, for which it is a priori known that they cannot cause a security violation. The MI algorithm selects attack actions that can be discarded, from an open-ended base of primitive attack actions. Thus, model checking focuses only on attack actions that may disclose a security violation. The most interesting consequence is a non negligible state-space pruning, but at the same time our approach also allows customizing the behavior of the intruder model, in order e.g. to make it appropriate for model checking problems that involve liveness. We provide experimental results obtained with the SPIN model checker, for the Needham Schroeder security protocol.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An intruder model with message inspection for model checking security protocols

Basagiannis

Katsaros

Pombortsis

2010

Computers & Security

View full text Add to dashboard Cite

show abstract

“…; see e.g. [16,10,3,6]. Actually, both approaches have strong and weak points: automatic tools are quite successful on particular finite-state systems, but they naturally suffer of state-explosion problems and usually cannot be used for proving general properties.…”

Section: Introductionmentioning

confidence: 99%

Implementing Spi Calculus Using Nominal Techniques

Kahsai

Miculan

Logic and Theory of Algorithms

View full text Add to dashboard Cite

Abstract. The aim of this work is to obtain an interactive proof environment based on Isabelle/HOL for reasoning formally about cryptographic protocols, expressed as processes of the spi calculus (a π-calculus with cryptographic primitives). To this end, we formalise syntax, semantics, and hedged bisimulation, an environment-sensitive bisimulation which can be used for proving security properties of protocols. In order to deal smoothly with binding operators and reason up-to α-equivalence of bound names, we adopt the new Nominal datatype package. This simplifies both the encoding, and the formal proofs, which turn out to correspond closely to "manual proofs".

show abstract

Synthesis of attack actions using model checking for the verification of security protocols

Basagiannis

Katsaros

Pombortsis

2011

Security Comm Networks

View full text Add to dashboard Cite

Model checking cryptographic protocols have evolved to a valuable method for discovering counterintuitive security flaws, which makes it possible for a hostile agent to subvert the goals of the protocol. Published works and existing security analysis tools are usually based on general intruder models that embody at least some aspects of the seminal work of Dolev--Yao, in an attempt to detect failures of secrecy. In this work, we propose an alternative intruder model, which is based on a thorough analysis of how potential attacks might proceed. We introduce an intruder model that provides an open-ended base for the integration of multiple basic attack tactics. Those attack tactics have the possibility to be combined, in a way to compose complex attack actions that require a number of procedural steps from the intruder's side, such as a Denial of Service attack. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. The analyst can express security properties of specific attack actions that are not restricted to safety violations captured by a generic model checker. The described intruder model methodology was implemented within the SPIN model checker for verifying two security protocols, Micromint and PayWord.

show abstract

Verifying security protocols with Brutus

Cited by 99 publications

References 20 publications

An intruder model with message inspection for model checking security protocols

An intruder model with message inspection for model checking security protocols

Implementing Spi Calculus Using Nominal Techniques

Synthesis of attack actions using model checking for the verification of security protocols

Contact Info

Product

Resources

About