Deduction with XOR Constraints in Security API Modelling

  • Graham Steel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3632)


We introduce XOR constraints, and show how they enable a theorem prover to reason effectively about security critical subsystems which employ bitwise XOR. Our primary case study is the API of the IBM 4758 hardware security module. We also show how our technique can be applied to standard security protocols.


Application Program Interface Security Protocol Automate Deduction Proof Search Electronic Payment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Antoniou, G., Ohlbach, H.J.: TERMINATOR. In: International Joint Conference on Artificial Intelligence, pp. 916–919 (1983)Google Scholar
  2. 2.
    Bachmair, L., Ganzinger, H., Lynch, C., Snyder, W.: Basic paramodulation and superposition. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 462–476. Springer, Heidelberg (1992)Google Scholar
  3. 3.
    Basin, D., Mödersheim, S., Viganò, L.: An on-the-fly model-checker for security protocol analysis. In: Proceedings of the, European Symposium on Research in Computer Security, pp. 253–270, Extended version available as Technical Report 404, ETH Zurich (2003)Google Scholar
  4. 4.
    Bond, M.: Understanding Security APIs. PhD thesis, University of Cambridge (2004)Google Scholar
  5. 5.
    Bond, M., Anderson, R.: API level attacks on embedded systems. IEEE Computer Magazine, 67–75 (October 2001)Google Scholar
  6. 6.
    Bundy, A. (ed.): CADE 1994. LNCS, vol. 814. Springer, Heidelberg (1994)zbMATHGoogle Scholar
  7. 7.
    Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: Kolaitis [15], pp. 261–270Google Scholar
  8. 8.
    Chevalier, Y., Vigneron, L.: Automated unbounded verification of security protocols. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 324–337. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Clulow, J.: The design and analysis of cryptographic APIs for security devices. Master’s thesis, University of Natal, Durban (2003)Google Scholar
  10. 10.
    Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Kolaitis [15], pp. 271–281Google Scholar
  11. 11.
    Delaune, S., Jacquemard, F.: A decision procedure for the verification of security protocols with explicit destructors. In: CCS 2004: Proceedings of the 11th ACM conference on Computer and communications security, pp. 278–287. ACM Press, New York (2004)CrossRefGoogle Scholar
  12. 12.
    Ganapathy, V., Seshia, S.A., Jha, S., Reps, T.W., Bryant, R.E.: Automatic discovery of API-level exploits. In: ICSE 2005: Proceedings of the 27th International Conference on Software Engineering, New York, NY, USA, May 2005, pp. 312–321. ACM Press, New York (2005)CrossRefGoogle Scholar
  13. 13.
    Godoy, G., Nieuwenhuis, R.: Superposition with completely built-in abelian groups. J. Symb. Comput. 37(1), 1–33 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Jacquemard, F., Rusinowitch, M., Vigneron, L.: Compiling and verifying security protocols. In: Parigot, M., Voronkov, A. (eds.) LPAR 2000. LNCS (LNAI), vol. 1955, pp. 131–160. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  15. 15.
    Kolaitis, P.G.: Proceedings 18th IEEE Symposium on Logic in Computer Science (LICS 2003), Ottawa, Canada, June 22-25. IEEE Computer Society, Los Alamitos (2003)Google Scholar
  16. 16.
    Longley, D., Rigby, S.: An automatic search for security flaws in key management schemes. Computers and Security 11(1), 75–89 (1992)CrossRefGoogle Scholar
  17. 17.
    Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56(3), 131–133 (1995)zbMATHCrossRefGoogle Scholar
  18. 18.
    Lowe, G.: Breaking and fixing the Needham Schroeder public-key protocol using FDR. In: Proceedings of TACAS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)Google Scholar
  19. 19.
    Millen, J.K.: On the freedom of decryption. Inf. Process. Lett. 86(6), 329–333 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Nieuwenhuis, R., Rubio, A.: Theorem proving with ordering constrained clauses. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 477–491. Springer, Heidelberg (1992)Google Scholar
  21. 21.
    R. Nieuwenhuis and A. Rubio. AC-superposition with constraints: No AC-unifiers needed. In: Bundy [6], pages 545–559.Google Scholar
  22. 22.
    Nieuwenhuis, R., Rubio, A.: Paramodulation-based theorem proving. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, pp. 371–443. Elsevier and MIT Press (2001)Google Scholar
  23. 23.
    Paulson, L.C.: The Inductive Approach to Verifying Cryptographic Protocols. Journal of Computer Security 6, 85–128 (1998)Google Scholar
  24. 24.
    Steel, G.: Visualising first-order proof search. In: Workshop on User Interfaces for Theorem Provers (UITP 2005), Edinburgh, Scotland, April 2005, pp. 179–189 (2005)Google Scholar
  25. 25.
    Vigneron, L.: Associative-commutative deduction with constraints. In: Bundy [6], pp. 530–544Google Scholar
  26. 26.
    Weidenbach, C., et al.: System description: Version 1.0.0. In: Ganzinger, H. (ed.) CADE 1999. LNCS (LNAI), vol. 1632, pp. 378–382. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Graham Steel
    • 1
  1. 1.School of InformaticsUniversity of EdinburghEdinburghScotland

Personalised recommendations