
OFMC: A symbolic model checker for security protocols

  • David Basin
  • Sebastian Mödersheim
  • Luca Viganò
Regular contribution

Abstract

We present the on-the-fly model checker OFMC, a tool that combines two ideas for analyzing security protocols based on lazy, demand-driven search. The first is the use of lazy data types as a simple way of building efficient on-the-fly model checkers for protocols with very large, or even infinite, state spaces. The second is the integration of symbolic techniques and optimizations for modeling a lazy Dolev–Yao intruder whose actions are generated in a demand-driven way. We present both techniques, along with optimizations and proofs of correctness and completeness.

Our tool is state of the art in terms of both coverage and performance. For example, it finds all known attacks and discovers a new one in a test suite of 38 protocols from the Clark/Jacob library in a few seconds of CPU time for the entire suite. We also give examples demonstrating how our tool scales to, and finds errors in, large industrial-strength protocols.
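The lazy Dolev–Yao intruder described in the abstract, as an added example that is not part of the paper or of OFMC itself (OFMC is a Haskell tool; this is a simplified Python illustration). The intruder is modelled as a constraint solver: a constraint "t from IK" is discharged either by unifying t with a term the intruder already knows or by composing t from its parts, and a bare message variable is never guessed but left uninstantiated until a later unification forces a value. The term algebra (atoms, pairs, symmetric encryption), the rule set and the sample knowledge and goal are assumptions made for this example.

```python
"""Toy lazy Dolev-Yao intruder as a constraint solver (added example; not OFMC code).

Term representation chosen for this example:
    ('var', 'X')        message variable, instantiated only when a rule demands it
    ('atom', 'na')      constant: agent name, nonce or key
    ('pair', t1, t2)    concatenation
    ('enc', k, m)       symmetric encryption of m under k
"""

def var(n): return ('var', n)
def atom(n): return ('atom', n)
def pair(a, b): return ('pair', a, b)
def enc(k, m): return ('enc', k, m)

def apply(subst, t):
    """Apply a substitution (dict: variable name -> term) to a term."""
    if t[0] == 'var':
        return apply(subst, subst[t[1]]) if t[1] in subst else t
    if t[0] == 'atom':
        return t
    return (t[0],) + tuple(apply(subst, a) for a in t[1:])

def occurs(name, t):
    """Occurs check: does variable `name` appear anywhere in t?"""
    if t[0] == 'var':
        return t[1] == name
    return t[0] != 'atom' and any(occurs(name, a) for a in t[1:])

def unify(s, t, subst):
    """Syntactic unification of s and t under subst; returns the extended
    substitution, or None if the two terms cannot be made equal."""
    s, t = apply(subst, s), apply(subst, t)
    if s == t:
        return subst
    if s[0] == 'var':
        return None if occurs(s[1], t) else {**subst, s[1]: t}
    if t[0] == 'var':
        return unify(t, s, subst)
    if s[0] == 'atom' or t[0] == 'atom' or s[0] != t[0]:
        return None
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def analyze(ik):
    """Close ground intruder knowledge under the DY analysis rules:
    split pairs, decrypt when the key is known. Returns a sorted list."""
    ik = set(ik)
    changed = True
    while changed:
        changed = False
        for t in list(ik):
            new = set()
            if t[0] == 'pair':
                new = {t[1], t[2]}
            elif t[0] == 'enc' and t[1] in ik:   # decryption needs the key
                new = {t[2]}
            if not new <= ik:
                ik |= new
                changed = True
    return sorted(ik)

def solve(constraints, ik, subst=None, deferred=()):
    """Lazily enumerate substitutions under which every term in `constraints`
    can be built from `ik` with the DY synthesis rules. A bare variable is
    deferred, not enumerated, and re-checked only if a later unification
    instantiates it: the lazy-intruder idea in miniature."""
    subst = subst or {}
    if not constraints:
        for d in deferred:
            d = apply(subst, d)
            if d[0] != 'var' and next(solve([d], ik, subst), None) is None:
                return
        yield subst
        return
    t, rest = apply(subst, constraints[0]), constraints[1:]
    if t[0] == 'var':
        yield from solve(rest, ik, subst, deferred + (t,))
        return
    for known in ik:                        # rule 1: unify with a known term
        s2 = unify(t, known, subst)
        if s2 is not None:
            yield from solve(rest, ik, s2, deferred)
    if t[0] in ('pair', 'enc'):             # rule 2: compose from the parts
        yield from solve([t[1], t[2]] + rest, ik, subst, deferred)

def solutions(goals, ik):
    """All distinct substitutions solving the goals, with ik closed under analysis."""
    found = []
    for s in solve(goals, analyze(ik)):
        if s not in found:
            found.append(s)
    return sorted(found, key=lambda s: sorted(s.items()))

# Constructed scenario: the intruder knows the names a and b, the key k, and has
# overheard {a, na}_k. The protocol now expects a message {a, X}_k for some X.
IK = [atom('a'), atom('b'), atom('k'), enc(atom('k'), pair(atom('a'), atom('na')))]
GOAL = enc(atom('k'), pair(atom('a'), var('X')))

if __name__ == '__main__':
    for s in solutions([GOAL], IK):
        print(s or 'X left uninstantiated: intruder composes the message itself')
    print(solutions([enc(atom('k2'), atom('a'))], IK))   # unknown key: no solution
```

Running the scenario gives two solutions: `X ↦ na` (replay of the overheard ciphertext, found by the unification rule) and the empty substitution (the intruder knows `k` and `a`, so it composes `{a, X}_k` for any `X` it likes, and `X` is left free). That second, uninstantiated solution is what a naive intruder model would have to enumerate over every known term, which is the state-space blow-up the lazy technique avoids. The toy omits asymmetric encryption, hashes and the well-formedness condition on constraint sets that the paper's completeness proof relies on.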

Keywords

Security protocols, Verification, Model checking, Formal methods, Constraints


References

  1. Amadio R, Lugiez D (2000) On the reachability problem in cryptographic protocols. In: Proceedings of CONCUR 2000. Lecture notes in computer science, vol 1877. Springer, Berlin Heidelberg New York, pp 380–394
  2. Armando A, Basin D, Bouallagui M, Chevalier Y, Compagna L, Mödersheim S, Rusinowitch M, Turuani M, Viganò L, Vigneron L (2002) The AVISS security protocol analysis tool. In: Proceedings of CAV’02. Lecture notes in computer science, vol 2404. Springer, Berlin Heidelberg New York, pp 349–354
  3. Armando A, Compagna L (2002) Automatic SAT-compilation of protocol insecurity problems via reduction to planning. In: Proceedings of FORTE 2002. Lecture notes in computer science, vol 2529. Springer, Berlin Heidelberg New York, pp 210–225
  4. Armando A, Compagna L, Ganty P (2003) SAT-based model-checking of security protocols using planning graph analysis. In: Proceedings of FME 2003. Lecture notes in computer science, vol 2805. Springer, Berlin Heidelberg New York, pp 875–893
  5. AVISPA: Automated validation of internet security protocols and applications (2003) FET Open Project IST-2001-39252. www.avispa-project.org
  6. Baader F, Nipkow T (1998) Term rewriting and all that. Cambridge University Press, Cambridge, UK
  7. Basin D (1999) Lazy infinite-state analysis of security protocols. In: Proceedings of CQRE’99. Lecture notes in computer science, vol 1740. Springer, Berlin Heidelberg New York, pp 30–42
  8. Basin D, Denker G (2001) Maude versus Haskell: an experimental comparison in security protocol analysis. In: Electronic notes in theoretical computer science, vol 36. Elsevier, Amsterdam, pp 235–256
  9. Basin D, Mödersheim S, Viganò L (2003) An on-the-fly model-checker for security protocol analysis. In: Proceedings of ESORICS’03. Lecture notes in computer science, vol 2808. Springer, Berlin Heidelberg New York, pp 253–270
  10. Basin D, Mödersheim S, Viganò L (2003) Constraint differentiation: a new reduction technique for constraint-based analysis of security protocols. In: Proceedings of CCS’03. ACM Press, New York, pp 335–344
  11. Boreale M (2001) Symbolic trace analysis of cryptographic protocols. In: Proceedings of ICALP’01. Lecture notes in computer science, vol 2076. Springer, Berlin Heidelberg New York, pp 667–681
  12. Boreale M, Buscemi MG (2002) A framework for the analysis of security protocols. In: Proceedings of CONCUR’02. Lecture notes in computer science, vol 2421. Springer, Berlin Heidelberg New York, pp 483–498
  13. Boreale M, Buscemi MG (2003) On the symbolic analysis of low-level cryptographic primitives: modular exponentiation and the Diffie-Hellman protocol. In: Proceedings of FCS’03. TR-2003-04, Computer Science Department, University of Ottawa
  14. Bouallagui M, Jain H (2003) Automatic session generation. AVISPA report, LORIA-INRIA-Lorraine
  15. Cervesato I, Durgin NA, Lincoln PD, Mitchell JC, Scedrov A (2000) Relating strands and multiset rewriting for security protocol analysis. In: Proceedings of CSFW’00. IEEE Press, New York, pp 35–51
  16. Chevalier Y, Küsters R, Rusinowitch M, Turuani M (2003) An NP decision procedure for protocol insecurity with Xor. In: Proceedings of LICS 2003. IEEE Press, New York, pp 261–270
  17. Chevalier Y, Küsters R, Rusinowitch M, Turuani M (2003) Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In: Proceedings of FST TCS’03. Lecture notes in computer science, vol 2914. Springer, Berlin Heidelberg New York, pp 124–135
  18. Chevalier Y, Küsters R, Rusinowitch M, Turuani M, Vigneron L (2003) Extending the Dolev–Yao intruder for analyzing an unbounded number of sessions. In: Proceedings of CSL 2003. Lecture notes in computer science, vol 2803. Springer, Berlin Heidelberg New York, pp 128–141
  19. Chevalier Y, Vigneron L (2001) A tool for lazy verification of security protocols. In: Proceedings of ASE’01. IEEE Press, New York, pp 373–376
  20. Chevalier Y, Vigneron L (2002) Automated unbounded verification of security protocols. In: Proceedings of CAV’02. Lecture notes in computer science, vol 2404. Springer, Berlin Heidelberg New York, pp 324–337
  21. Clark J, Jacob J (1997) A survey of authentication protocol literature: version 1.0, 17 November 1997. www.cs.york.ac.uk/~jac/papers/drareview.ps.gz
  22. Comon H, Shmatikov V (2002) Is it possible to decide whether a cryptographic protocol is secure or not? J Telecommun Inf Technol 4:5–15
  23. Comon-Lundh H, Cortier V (2003) Security properties: two agents are sufficient. In: Proceedings of ESOP’03. Lecture notes in computer science, vol 2618. Springer, Berlin Heidelberg New York, pp 99–113
  24. Comon-Lundh H, Shmatikov V (2003) Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Proceedings of LICS 2003. IEEE Press, New York, pp 271–280
  25. Corin R, Etalle S (2002) An improved constraint-based system for the verification of security protocols. In: Proceedings of SAS 2002. Lecture notes in computer science, vol 2477. Springer, Berlin Heidelberg New York, pp 326–341
  26. Denker G, Millen J, Ruess H (2000) The CAPSL integrated protocol environment. Technical Report SRI-CSL-2000-02, SRI International, Menlo Park, CA
  27. Dolev D, Yao A (1983) On the security of public-key protocols. IEEE Trans Inf Theory 29(2):198–208
  28. Donovan B, Norris P, Lowe G (1999) Analyzing a library of security protocols using Casper and FDR. In: Proceedings of the FLOC’99 workshop on formal methods and security protocols (FMSP’99)
  29. Durgin N, Lincoln PD, Mitchell JC, Scedrov A (1999) Undecidability of bounded security protocols. In: Proceedings of the FLOC’99 workshop on formal methods and security protocols (FMSP’99)
  30. Fiore M, Abadi M (2001) Computing symbolic models for verifying cryptographic protocols. In: Proceedings of CSFW’01. IEEE Press, New York, pp 160–173
  31. Huima A (1999) Efficient infinite-state analysis of security protocols. In: Proceedings of the FLOC’99 workshop on formal methods and security protocols (FMSP’99)
  32. ITU-T Recommendation H.530: Symmetric security procedures for H.510 (mobility for H.323 multimedia systems and services) (2002)
  33. ITU-T Recommendation H.530, Corrigendum 1 (2003) Corrected version of [32]
  34. Jacquemard F, Rusinowitch M, Vigneron L (2000) Compiling and verifying security protocols. In: Proceedings of LPAR 2000. Lecture notes in computer science, vol 1955. Springer, Berlin Heidelberg New York, pp 131–160
  35. Lowe G (1996) Breaking and fixing the Needham–Schroeder public-key protocol using FDR. In: Proceedings of TACAS ’96. Lecture notes in computer science, vol 1055. Springer, Berlin Heidelberg New York, pp 147–166
  36. Lowe G (1997) A hierarchy of authentication specifications. In: Proceedings of CSFW’97. IEEE Press, New York, pp 31–43
  37. Lowe G (1998) Casper: a compiler for the analysis of security protocols. J Comput Secur 6(1):53–84
  38. Meadows C (1996) The NRL protocol analyzer: an overview. J Logic Programm 26(2):113–131
  39. Meadows C (1999) Analysis of the Internet Key Exchange Protocol using the NRL protocol analyzer. In: Proceedings of the 1999 IEEE symposium on security and privacy. IEEE Press, New York, pp 216–231
  40. Millen JK, Shmatikov V (2001) Constraint solving for bounded-process cryptographic protocol analysis. In: Proceedings of CCS’01. ACM Press, New York, pp 166–175
  41. Millen JK, Shmatikov V (2003) Symbolic protocol analysis with products and Diffie-Hellman exponentiation. In: Proceedings of CSFW’03. IEEE Press, New York, pp 47–61
  42. Mitchell JC, Mitchell M, Stern U (1997) Automated analysis of cryptographic protocols using Murphi. In: Proceedings of the 1997 IEEE symposium on security and privacy. IEEE Press, New York, pp 141–153
  43. Paulson LC (1998) The inductive approach to verifying cryptographic protocols. J Comput Secur 6(1):85–128
  44. Paulson LC (1999) Relations between secrets: the Yahalom protocol. In: Proceedings of the 7th Cambridge international workshop on security protocols. Lecture notes in computer science, vol 1796. Springer, Berlin Heidelberg New York, pp 73–77
  45. Perrig A, Song D (2000) Looking for diamonds in the desert (extending automatic protocol generation to three-party authentication and key agreement protocols). In: Proceedings of CSFW’00. IEEE Press, New York, pp 64–76
  46. Rusinowitch M, Turuani M (2001) Protocol insecurity with finite number of sessions is NP-complete. In: Proceedings of CSFW’01. IEEE Press, New York, pp 174–187
  47. Ryan P, Schneider S, Goldsmith M, Lowe G, Roscoe B (2000) Modelling and analysis of security protocols. Addison-Wesley, Reading, MA
  48. Song D, Berezin S, Perrig A (2001) Athena: a novel approach to efficient automatic security protocol analysis. J Comput Secur 9:47–74
  49. Thayer Fábrega FJ, Herzog JC, Guttman JD (1999) Strand spaces: proving security protocols correct. J Comput Secur 7:191–230
  50. Turuani M (2003) Sécurité des protocoles cryptographiques: décidabilité et complexité. PhD Thesis, Université Henri Poincaré, Nancy, France

Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  • David Basin (corresponding author), Sebastian Mödersheim, Luca Viganò
    Department of Computer Science, ETH Zurich, Zurich, Switzerland
