The DEEPSEC Prover
In this paper we describe the DeepSec prover, a tool for security protocol analysis. It decides equivalence properties modelled as trace equivalence of two processes in a dialect of the applied pi calculus.
Cryptographic protocols ensure the security of communications. They are distributed programs that make use of cryptographic primitives, e.g. encryption, to ensure security properties, such as confidentiality or anonymity. Their correct design is quite a challenge as security is to be enforced in the presence of an arbitrary adversary that controls the communication network and may compromise participants. The use of symbolic verification techniques, in the line of the seminal work by Dolev and Yao , has proven its worth in discovering logical vulnerabilities or proving their absence.
Nowadays mature tools exist, e.g. [7, 10, 24] but mostly concentrate on trace properties, such as authentication and (weak forms of) confidentiality. Unfortunately many properties need to be expressed in terms of indistinguishability, modelled as behavioral equivalences in dedicated process calculi. Typically, a strong version of secrecy states that the adversary cannot distinguish the situation where a value \(v_1\), respectively \(v_2\), is used in place of a secret. Privacy properties, e.g., vote privacy, are also stated similarly [2, 4, 18].
In this paper we present the DeepSec prover (Deciding Equivalence Properties in Security protocols). The tool decides trace equivalence for cryptographic protocols that are specified in a dialect of the applied pi calculus . DeepSec offers several advantages over existing tools, in terms of expressiveness, precision and efficiency: typically we do not restrict the use of private channels, allow else branches, and decide trace equivalence precisely, i.e., no approximations are applied. Cryptographic primitives are user specified by a set of subterm-convergent rewrite rules. The only restriction we make on protocol specifications is that we forbid unbounded replication, i.e. we restrict the analysis to a finite number of protocol sessions. This restriction is similar to that of several other tools and sufficient for decidability. Note that decidability is nevertheless non-trivial as the system under study is still infinite-state due to the active, arbitrary attacker participating to the protocol.
2 Description of the Tool
2.1 Example: The Helios Voting Protocol
The voter first generates a random number r that will be used for encryption and ZKP. After that, she encrypts her vote and assigns it to the variable bal which is output on the channel auth. Finally, she outputs the ballot, id and the corresponding ZKP on the public channel c. All in all, the process VotingSystem(v1,v2) represents the complete voting scheme: two honest voters id1 and id2 respectively vote for v1 and v2; the process Tally collects the ballots, checks the ZKP and outputs the result of the election. The instances of the processes Voter and Tally are executed concurrently, modeled by the parallel operator |. Other operators supported by DeepSec include input on a channel (in(c,x); P), conditional (if u = v then P else Q) and non-deterministic choice (P + Q).
DeepSec checks whether an attacker, implicitly modelled by the notion of trace equivalence, cannot distinguish between these two instances. Note that all actions of dishonest voters can be seen as actions of this single attacker entity; thus only honest participants need to be specified in the input file.
2.2 The Underlying Theory
We give here a high-level overview of how DeepSec decides trace equivalence. Further intuition and details can be found in .
Symbolic Setting. Although finite-depth, even non-replicated protocols have infinite state space. Indeed, a simple input in(c,x) induces infinitely-many potential transitions in presence of an active attacker. We therefore define a symbolic calculus that abstracts concrete inputs by symbolic variables, and constraints that restrict their concrete instances. Constraints typically range over deducibility contraints (“the attacker is able to craft some term after spying on public channels”) and equations (“two terms are equal”). A symbolic semantics then performs symbolic inputs and collects constraints on them. Typically, executing input in(c,x) generates a deducibility constraint on x to model the attacker being able to craft the message to be input; equations are generated by conditionals, relying on most general unifiers modulo equational theory.
Decision Procedure. DeepSec constructs a so-called partition tree to guide decision of (in)equivalence of processes P and Q. Its nodes are labelled by sets of symbolic processes and constraints; typically the root contains P and Q with empty constraints. The tree is constructed similarly to the (finite) tree of all symbolic executions of P and Q, except that some nodes may be merged or split accordingly to a constraint-solving procedure. DeepSec thus enforces that concrete instances of processes of a same node are indistinguishable (statically).
The final decision criterion is that P and Q are equivalent iff all nodes of the partition tree contain both a process originated from P and a process originated from Q by symbolic execution. The DeepSec prover thus returns an attack iff it finds a node violating this property while constructing the partition tree.
DeepSec is implemented in Ocaml (16k LOC) and the source code is licensed under GPL 3.0 and publicly available . Running DeepSec yields a terminal output summarising results, while a more detailed output is displayed graphically in an HTML interface (using the MathJax API ). When the query is not satisfied, the interface interactively shows how to mount the attack.
Partial-Order Reductions. Tools verifying equivalences for bounded number of sessions suffer from a combinatorial explosion as the number of sessions increases. We therefore implemented state-of-the-art partial-order reductions (POR)  that eliminate redundant interleavings, providing a significant speedup. This is only possible for a restricted class of processes (determinate processes) but DeepSec automatically checks whether POR can be activated.
Parallelism. DeepSec generates a partition tree (cf Sect. 2.2) to decide trace equivalence. As sibling nodes are independent, the computation on subtrees can be parallelized. However, the partition tree is not balanced, making it hard to balance the load. One natural solution would be to systematically add children nodes into a queue of pending jobs, but this would yield an important communication overhead. Consequently, we apply this method only until the size of the queue is larger than a given threshold; next each idle process fetches a node and computes the complete corresponding subtree. Distributed computation over n cores is activated by the option -distributed n. By default, the threshold in the initial generation of the partition tree depends on n but may be overwritten to m with the option -nb_sets m.
3 Experimental Evaluation
Comparison to Other Work. When the number of sessions is unbounded, equivalence is undecidable. Verification tools in this setting therefore have to sacrifice termination, and generally only verify the finer diff-equivalence [9, 11, 23], too fine-grained on many examples. We therefore focus on tools comparable to DeepSec, i.e. those that bound the number of sessions. SPEC [25, 26] verifies a sound symbolic bisimulation, but is restricted to fixed cryptographic primitives (pairing, encryption, signatures, hashes) and does not allow for else branches. APTE  covers the same primitives but allows else branches and decides trace equivalence exactly. On the contrary, Akiss  allows for user-defined primitives and terminates when they form a subterm-convergent rewrite system. However Akiss only decides trace equivalence without approximation for a subclass of processes (determinate processes) and may perform under- and over-approximations otherwise. Sat-Eq  proceeds differently by reducing the equivalence problem to Graph Planning and SAT Solving: the tool is more efficient than the others by several orders of magnitude, but is quite restricted in scope (it currently supports pairing, symmetric encryption, and can only analyse a subclass of determinate processes). Besides, Sat-Eq may not terminate.
Authentication. Figure 1 displays a sample of our benchmarks (complete results can be found in ). DeepSec clearly outperforms Akiss, APTE, and SPEC, but Sat-Eq takes the lead as the number of sessions increase. However, the Otway-Rees protocol already illustrates the scope limit of Sat-Eq.
DeepSec can also distribute on multiple servers, using SSH connections. Despite a communication overhead, multi-server computation may be a way to partially avoid the server-overload issue discussed above. For example, the verification of the Helios protocol (Dishonest revote W) on 3 servers (using resp. 10, 20 and 40 cores) resulted in a running time of 18 m 14 s, while the same verification took 51 m 49 s on a 70-core server (also launched remotely via SSH).
- 3.Adida, B.: Helios: web-based open-audit voting. In: Proceedings of 17th USENIX Security Symposium, USENIX 2008, pp. 335–348. USENIX Association (2008)Google Scholar
- 4.Arapinis, M., Chothia, T., Ritter, E., Ryan, M.D.: Analysing unlinkability and anonymity using the applied pi calculus. In: Proceedings of 23rd Computer Security Foundations Symposium, CSF 2010, pp. 107–121. IEEE Computer Society Press (2010)Google Scholar
- 6.Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: Proceedings of 19th Conference on Computer and Communications Security, CCS 2012, pp. 205–216. ACM Press (2012)Google Scholar
- 8.Baelde, D., Delaune, S., Hirschi, L.: Partial order reduction for security protocols. In: Proceedings of 26th International Conference on Concurrency Theory, CONCUR 2015. Leibniz International Proceedings in Informatics, vol. 42, pp. 497–510. Leibniz-Zentrum für Informatik, September 2015Google Scholar
- 9.Basin, D.A., Dreier, J., Sasse, R.: Automated symbolic proofs of observational equivalence. In: Proceedings of 22nd Conference on Computer and Communications Security, CCS 2015, pp. 1144–1155. ACM Press (2015)Google Scholar
- 10.Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and proverif. Found. Trends Priv. Secur. 1(1–2), 1–135 (2016)Google Scholar
- 11.Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: Proceedings of Symposium on Logic in Computer Science, LICS 2005, pp. 331–340. IEEE Computer Society Press (2005)Google Scholar
- 14.Cheval, V., Kremer, S., Rakotonirina, I.: DEEPSEC: deciding equivalence properties in security protocols - theory and practice. In: Proceedings of 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 525–542. IEEE Computer Society Press (2018)Google Scholar
- 15.Cortier, V., Delaune, S., Dallon, A.: Sat-equiv: an efficient tool for equivalence properties. In: Proceedings of 30th IEEE Computer Security Foundations Symposium, CSF 2017, pp. 481–494. IEEE Computer Society Press (2017)Google Scholar
- 17.The DeepSec Prover, January 2018. https://deepsec-prover.github.io
- 19.Dolev, D., Yao, A.: On the security of public key protocols. In: Proceedings of 22nd Symposium on Foundations of Computer Science, FOCS 1981, pp. 350–357. IEEE Computer Society Press (1981)Google Scholar
- 20.MathJax: Beautiful Math in All Browsers. https://www.mathjax.org
- 21.PKI Task Force: PKI for machine readable travel documents offering ICC read-only access. Technical report, International Civil Aviation Organization (2004)Google Scholar
- 23.Santiago, S., Escobar, S., Meadows, C., Meseguer, J.: A formal definition of protocol indistinguishability and its verification using Maude-NPA. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 162–177. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11851-2_11CrossRefzbMATHGoogle Scholar
- 25.Tiu, A., Dawson, J.: Automating open bisimulation checking for the spi-calculus. In: Proceedings of 23rd Computer Security Foundations Symposium, CSF 2010, pp. 307–321. IEEE Computer Society Press (2010)Google Scholar
<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>