Attack Trees in Isabelle

  • Florian Kammüller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11149)


In this paper, we present a proof theory for attack trees. Attack trees are a well-established and useful model for the construction of attacks on systems, since they allow a stepwise refinement of high-level attacks in application scenarios. Using the expressiveness of Higher Order Logic in Isabelle, we develop a generic theory of attack trees with a state-based semantics based on Kripke structures and CTL. The resulting framework allows mechanically supported logical analysis of the meta-theory of the proof calculus of attack trees, and at the same time the developed proof theory enables application to case studies. A central correctness and completeness result proved in Isabelle establishes the connection between the notion of attack tree validity and CTL. The application is illustrated on the example of a healthcare IoT system and GDPR compliance verification.
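The following Python sketch is an added illustration and is not the paper's Isabelle theory. It models the relation the abstract describes: an attack tree whose root attack is a pair (I, s) of initial and target states, a validity judgement that checks the tree stepwise against a Kripke structure, and the CTL formula EF s evaluated as a backward fixpoint. The concrete validity rules for base, sequential-AND and OR nodes, the `HOSPITAL` transition system and the three example trees are assumptions constructed for this example; the correctness direction shown (`valid` implies `ef_holds`) is the one the abstract states, while the third tree shows that reachability alone is not enough for validity, which is what the completeness direction has to bridge by refining the attack into single steps.

```python
"""Toy state-based attack tree semantics checked against CTL's EF.

Added illustration, not the paper's Isabelle theory: the datatypes, the
validity judgement and the Kripke structure below are assumptions modelled
on the abstract's description, so that "valid tree ==> EF target" can be
exercised on a small constructed example.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

State = str
Kripke = Dict[State, Set[State]]          # state -> successor states
Attack = Tuple[Set[State], Set[State]]    # (I, s): initial states, target states


@dataclass
class Base:            # one transition from every state in I into s
    attack: Attack


@dataclass
class And:             # sequential conjunction: sub-attacks chained in order
    subs: tuple
    attack: Attack


@dataclass
class Or:              # disjunction: sub-attacks jointly cover the initial states
    subs: tuple
    attack: Attack


Tree = Union[Base, And, Or]


def valid(ks: Kripke, t: Tree) -> bool:
    """Attack tree validity (assumed definition, proof-calculus style)."""
    I, s = t.attack
    if isinstance(t, Base):
        return all(any(y in s for y in ks.get(x, set())) for x in I)
    if isinstance(t, And):
        return _valid_and(ks, list(t.subs), I, s)
    return _valid_or(ks, list(t.subs), I, s)


def _valid_and(ks: Kripke, subs: list, I: Set[State], s: Set[State]) -> bool:
    # Each sub-attack starts exactly where the previous one ended; the last
    # one must end in the root's target set.
    if not subs:
        return I <= s
    a, rest = subs[0], subs[1:]
    Ia, sa = a.attack
    if not rest:
        return valid(ks, a) and Ia == I and sa == s
    return valid(ks, a) and Ia == I and _valid_and(ks, rest, sa, s)


def _valid_or(ks: Kripke, subs: list, I: Set[State], s: Set[State]) -> bool:
    # Each alternative handles part of the remaining initial states; anything
    # left uncovered must already lie in the target set.
    if not subs:
        return I <= s
    a, rest = subs[0], subs[1:]
    Ia, sa = a.attack
    return valid(ks, a) and Ia <= I and sa <= s and _valid_or(ks, rest, I - Ia, s)


def ef(ks: Kripke, s: Set[State]) -> Set[State]:
    """States satisfying the CTL formula EF s: backward least fixpoint from s."""
    reach = set(s)
    changed = True
    while changed:
        changed = False
        for x, succ in ks.items():
            if x not in reach and succ & reach:
                reach.add(x)
                changed = True
    return reach


def ef_holds(ks: Kripke, t: Tree) -> bool:
    """EF s holds at every initial state of the tree's root attack (I, s)."""
    I, s = t.attack
    return I <= ef(ks, s)


def soundness_holds(ks: Kripke, t: Tree) -> bool:
    """Correctness direction: a valid tree implies EF of its target."""
    return (not valid(ks, t)) or ef_holds(ks, t)


# Constructed example: a hospital floor abstracted to a handful of states.
HOSPITAL: Kripke = {
    "outside": {"lobby"},
    "lobby": {"ward", "reception"},
    "reception": {"ward"},
    "ward": {"terminal"},
    "terminal": {"patient_data"},
    "patient_data": set(),
    "locked_room": set(),           # dead end: nothing reachable from here
}

# Stepwise attack: get in, reach the ward by either route, read the data.
GET_DATA = And(
    (
        Base(({"outside"}, {"lobby", "reception"})),
        Or(
            (Base(({"lobby"}, {"ward"})), Base(({"reception"}, {"ward"}))),
            ({"lobby", "reception"}, {"ward"}),
        ),
        Base(({"ward"}, {"terminal"})),
        Base(({"terminal"}, {"patient_data"})),
    ),
    ({"outside"}, {"patient_data"}),
)
# Reachable target, but the tree skips steps: EF holds, the tree is not valid.
SKIPPED_STEP = Base(({"lobby"}, {"terminal"}))
# Unreachable target: neither valid nor EF.
DEAD_END = Base(({"locked_room"}, {"patient_data"}))
```

Running `valid`, `ef_holds` and `soundness_holds` over the three trees shows the intended asymmetry: every valid tree satisfies EF, and a non-valid tree over a reachable target is exactly the case where a finer-grained tree (here `GET_DATA`) can be found.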



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Middlesex University London, London, UK
  2. Technische Universität Berlin, Berlin, Germany
