
OFMC: A symbolic model checker for security protocols

  • Regular contribution
  • Published in: International Journal of Information Security

Abstract

We present the on-the-fly model checker OFMC, a tool that combines two ideas for analyzing security protocols based on lazy, demand-driven search. The first is the use of lazy data types as a simple way of building efficient on-the-fly model checkers for protocols with very large, or even infinite, state spaces. The second is the integration of symbolic techniques and optimizations for modeling a lazy Dolev–Yao intruder whose actions are generated in a demand-driven way. We present both techniques, along with optimizations and proofs of correctness and completeness.

Our tool is state of the art in terms of both coverage and performance. For example, it finds all known attacks and discovers a new one in a test suite of 38 protocols from the Clark/Jacob library in a few seconds of CPU time for the entire suite. We also give examples demonstrating how our tool scales to, and finds errors in, large industrial-strength protocols.
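The lazy Dolev–Yao intruder the abstract refers to can be illustrated with a small derivability check. The following is an added example, not code from the paper or from the OFMC tool: it models messages as a free term algebra (pairing, symmetric and asymmetric encryption, public and private keys) and decides whether an intruder can derive a goal term from what it has observed. The decomposition (analysis) closure is finite and is computed to a fixpoint; the composition (synthesis) closure is infinite, so it is never materialised and is only queried on demand for one concrete goal, which is the demand-driven idea the abstract describes. The agent names, nonces, session key and the three observed messages are a constructed scenario, as are the function names.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Union


# --- Message terms: a free algebra with no algebraic properties -------------
@dataclass(frozen=True)
class Atom:          # agent name, nonce or symmetric key
    name: str


@dataclass(frozen=True)
class Pair:          # concatenation <left, right>
    left: Term
    right: Term


@dataclass(frozen=True)
class SEnc:          # {msg}_key, symmetric encryption
    msg: Term
    key: Term


@dataclass(frozen=True)
class AEnc:          # {msg}_pk, asymmetric encryption under a public key
    msg: Term
    pk: Term


@dataclass(frozen=True)
class Pk:            # public key of an agent
    agent: Term


@dataclass(frozen=True)
class Inv:           # private key matching a public key
    pk: Term


Term = Union[Atom, Pair, SEnc, AEnc, Pk, Inv]


def synthesize(goal: Term, known: FrozenSet[Term]) -> bool:
    """Can the intruder compose `goal` from `known`?  The set of composable
    terms is infinite (pairs of pairs ...), so it is never enumerated: the
    check follows the structure of the goal, one constructor at a time."""
    if goal in known:
        return True
    if isinstance(goal, Pair):
        return synthesize(goal.left, known) and synthesize(goal.right, known)
    if isinstance(goal, SEnc):
        return synthesize(goal.msg, known) and synthesize(goal.key, known)
    if isinstance(goal, AEnc):
        return synthesize(goal.msg, known) and synthesize(goal.pk, known)
    return False  # atoms and keys cannot be guessed


def analyze(known: FrozenSet[Term]) -> FrozenSet[Term]:
    """Decomposition closure: split pairs and decrypt whatever the intruder
    holds the key for.  Every step yields a subterm, so the closure is
    finite; it is iterated to a fixpoint because a decrypted message may
    reveal a key that unlocks a ciphertext observed earlier."""
    facts = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(facts):
            parts = []
            if isinstance(t, Pair):
                parts = [t.left, t.right]
            elif isinstance(t, SEnc) and synthesize(t.key, frozenset(facts)):
                parts = [t.msg]
            elif isinstance(t, AEnc) and synthesize(Inv(t.pk), frozenset(facts)):
                parts = [t.msg]
            for p in parts:
                if p not in facts:
                    facts.add(p)
                    changed = True
    return frozenset(facts)


def derivable(goal: Term, known: FrozenSet[Term]) -> bool:
    """Dolev-Yao derivability: analyze once, then synthesize on demand."""
    return synthesize(goal, analyze(known))


# --- Constructed scenario (assumption, not taken from the paper) ------------
A, B, I = Atom("a"), Atom("b"), Atom("i")          # honest agents a, b; intruder i
NA, NB, KAB = Atom("Na"), Atom("Nb"), Atom("Kab")  # nonces and a session key

INTRUDER_INITIAL = frozenset({A, B, I, Pk(A), Pk(B), Pk(I), Inv(Pk(I))})
OBSERVED = frozenset({
    AEnc(Pair(NA, A), Pk(B)),   # a -> b : {Na, a}_pk(b)   (intruder only overhears)
    AEnc(KAB, Pk(I)),           # b -> i : {Kab}_pk(i)     (b runs a session with i)
    SEnc(NB, KAB),              # b -> i : {Nb}_Kab
})


def intruder_knowledge() -> FrozenSet[Term]:
    return INTRUDER_INITIAL | OBSERVED


def secrecy_holds(secret: Term) -> bool:
    """A secrecy goal is violated exactly when the intruder can derive it."""
    return not derivable(secret, intruder_knowledge())


if __name__ == "__main__":
    K = intruder_knowledge()
    print("Na secret:", secrecy_holds(NA))                         # True
    print("Nb secret:", secrecy_holds(NB))                         # False
    print("can build {Nb}_pk(b):", derivable(AEnc(NB, Pk(B)), K))  # True
    print("can build {Na}_pk(i):", derivable(AEnc(NA, Pk(I)), K))  # False
```

The two closures are kept apart deliberately: analysis is what a model checker must compute eagerly after each observed message, while synthesis is exactly the part that explodes if computed eagerly, so it is only ever asked about the specific term a protocol step expects. Na stays secret because it is encrypted for b and the intruder lacks Inv(Pk(b)); Nb is lost because the session key reaches the intruder first, which is why the fixpoint iteration matters regardless of the order in which messages are inspected.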




Corresponding author

Correspondence to David Basin.

Cite this article

Basin, D., Mödersheim, S. & Viganò, L. OFMC: A symbolic model checker for security protocols. Int J Inf Secur 4, 181–208 (2005). https://doi.org/10.1007/s10207-004-0055-7
