Higher-Order and Symbolic Computation, Volume 20, Issue 1–2, pp 123–160

Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols

Abstract

Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory ℛ. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under appropriate executability assumptions about ℛ. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by ℛ. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to analysis of cryptographic protocols.
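As an added illustration (not code from the paper, and unrelated to the authors' Maude tooling), the following small Python engine performs narrowing-based reachability search for unconditional rewrite theories with syntactic unification only, i.e. no equations E. Terms are tuples `("f", args...)` and variables are strings; the two theories `PEANO` and `AB`, the goals and the `#`-suffixed renaming scheme are constructed for this example, and they show both a normalized solution being computed and a solution that can be further rewritten being missed, the two behaviours the abstract contrasts.

```python
from itertools import count
_fresh = count()  # counter used to rename rule variables apart from goal variables
is_var = lambda t: isinstance(t, str)  # variables are "X"; function terms ("f", args...)
vars_of = lambda t: {t} if is_var(t) else {v for a in t[1:] for v in vars_of(a)}

def apply(sub, t):  # apply substitution var -> term, following binding chains
    if is_var(t):
        return apply(sub, sub[t]) if t in sub else t
    return (t[0],) + tuple(apply(sub, a) for a in t[1:])

def unify(s, t, sub):  # syntactic unification with occurs check; None on failure
    s, t = apply(sub, s), apply(sub, t)
    if s == t:
        return sub
    if is_var(t):
        s, t = t, s
    if is_var(s):
        return None if s in vars_of(t) else {**sub, s: t}
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        sub = unify(a, b, sub)
        if sub is None:
            return None
    return sub

def narrow(t, rules):  # one narrowing step at each non-variable position of t
    if is_var(t):
        return
    for l, r in rules:  # at the root: unify t with a freshly renamed lhs
        ren = {v: f"{v}#{next(_fresh)}" for v in vars_of(l) | vars_of(r)}
        sub = unify(t, apply(ren, l), {})
        if sub is not None:
            yield sub, apply(sub, apply(ren, r))
    for i in range(1, len(t)):  # below the root: narrow inside argument i
        for sub, a in narrow(t[i], rules):
            yield sub, apply(sub, t[:i] + (a,) + t[i + 1:])

def solve(rules, start, target, depth):  # BFS narrowing; a ground start is plain rewriting
    # one substitution (on start's variables) per solution of start ->* target within depth steps
    frontier, found = [({}, start)], []
    for _ in range(depth + 1):
        for sub, t in frontier:
            fin = unify(t, target, {})
            if fin is not None:
                found.append({v: apply({**sub, **fin}, v) for v in vars_of(start)})
        frontier = [({**sub, **sig}, u) for sub, t in frontier for sig, u in narrow(t, rules)]
    return found
# Constructed theories (not from the paper). PEANO is convergent: narrowing finds the
# normalized solution X = s(0) of add(X, s(0)) ->* s(s(0)). In AB, h(X, X) ->* h(b, c)
# is solved only by the non-normalized X = a, so narrowing finds nothing (rewriting does).
ZERO, s, add = ("0",), lambda t: ("s", t), lambda x, y: ("add", x, y)
PEANO = [(add(ZERO, "Y"), "Y"), (add(s("X"), "Y"), s(add("X", "Y")))]
AB = [(("a",), ("b",)), (("a",), ("c",))]
GOAL, TARGET = ("h", "X", "X"), ("h", ("b",), ("c",))
```

`solve(AB, GOAL, TARGET, 3)` returns `[]` while `solve(AB, ("h", ("a",), ("a",)), TARGET, 3)` is non-empty, which is exactly the gap between weak and strong completeness: the solution X = a exists, but its normal forms are not solutions, so narrowing never reaches it.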

Keywords

Rewrite theories, Narrowing, Reachability, Security protocols


Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

University of Illinois at Urbana-Champaign, Urbana-Champaign, USA