Automatic Generation of Sources Lemmas in Tamarin: Towards Automatic Proofs of Security Protocols

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12309)

Abstract

Tamarin is a popular tool dedicated to the formal analysis of security protocols. One major strength of the tool is that it offers an interactive mode, allowing it to go beyond what push-button tools can typically handle. Tamarin is for example able to verify complex protocols such as TLS, 5G, or RFID protocols. However, one of its drawbacks is its lack of automation. For many simple protocols, the user often needs to help Tamarin by writing specific lemmas, called “sources lemmas”, which requires some knowledge of the internal behaviour of the tool.

In this paper, we propose a technique to automatically generate sources lemmas in Tamarin. We prove formally that our lemmas indeed hold, for arbitrary protocols that make use of cryptographic primitives that can be modelled with a subterm convergent equational theory (modulo associativity and commutativity). We have implemented our approach within Tamarin. Our experiments show that, in most examples of the literature, we are now able to generate suitable sources lemmas automatically, in place of the hand-written lemmas. As a direct application, many simple protocols can now be analysed fully automatically, while they previously required user interaction.

This work has been partially supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No 714955-POPSTAR and grant agreement No 645865-SPOOC), as well as from the French National Research Agency (ANR) under the project TECAP.

Notes

  1.

    This comes from the fact that, whenever the attacker learns a pair \(\textsf {K}^{\downarrow }_{}(\langle m_1,m_2\rangle )\), she cannot directly convert it in \(\textsf {K}^{\uparrow }_{}(\langle m_1,m_2\rangle )\) since the coerce rule does not apply to terms headed with a pair. Hence it is necessary to decompose it first (with \(\textsf {K}^{\downarrow }_{}\) rules) and then reconstruct it (with \(\textsf {K}^{\uparrow }_{}\) rules).

  2.

    SAPIC translates from applied pi models to Tamarin theories.

Corresponding author

Correspondence to Stéphanie Delaune .

A Proofs of Theorems 1 and 2

Theorem 1

Given a set of well-formed protocol rules P, a rule \( ru \in \mathsf {Variant}(P)\), a variable x occurring in \( ru \), and \(\phi \) returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru ,x)\), then \(\phi \) is satisfied by \(\mathsf {Variant}(P)\), that is \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \).

Proof

Let P be a set of protocol rules, \( ru \in \mathsf {Variant}(P)\) and a variable x occurring in \( ru \), let \(\phi \) be a formula returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru ,x)\). The rule \( ru \) is of the form \([l] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a \mathrel {]\!\!\!\rightarrow }}} [r]\) and \(\phi \) is of the form:

$$\forall y,x,i\ \mathsf {Left}_{F, ru ,t_1}(y,x)@i \Longrightarrow \ \begin{array}{l} \ \ (\exists k \ \mathsf {Right}_{F', ru '_1,t_1}(y)@k \ \wedge \ k\lessdot i)\\ \vee \ldots \\ \vee (\exists k \ \mathsf {Right}_{F', ru '_n,t_1}(y)@k \ \wedge \ k\lessdot i)\\ \vee (\exists k\ {\textsf {K}^{\uparrow }_{}}(x)@k \ \wedge \ k\lessdot i) \end{array} $$

for some \(t_1\) deepest protected term w.r.t. x, subterm of \(F(t)\in l\). By definition of a deepest protected subterm, \(t_1|_p=x\) for some position p and there are only pairs along the path p (except at position \(\epsilon \)).
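As an added illustration (not part of the paper, and not the output of its implementation), the following small Tamarin theory has exactly the shape the formula above describes: the premise fact \(F(t)\) is \(\textsf{In}(\textsf{senc}(x,k))\), whose deepest protected subterm w.r.t. \(x\) is \(t_1 = \textsf{senc}(x,k)\); the only rule producing an \(\textsf{Out}\) fact with a term unifiable with \(t_1\) is Send, so the lemma has one Right disjunct plus the \(\textsf{K}^{\uparrow}(x)\) disjunct (written `KU(x)` in Tamarin syntax). The action-fact names `Left_Recv` and `Right_Send` are our own choice for this example.

```spthy
theory SourcesLemmaShape
begin

builtins: symmetric-encryption

// A long-term symmetric key that is never output (constructed example).
rule Setup:
  [ Fr(~k) ] --> [ !Key(~k) ]

// The only rule producing an Out fact whose payload unifies with senc(x,k):
// this is the "Right" annotation of the generated lemma.
rule Send:
  [ !Key(k), Fr(~n) ]
  --[ Right_Send(senc(~n,k)) ]->
  [ Out(senc(~n,k)) ]

// Premise In(senc(x,k)) with t_1 = senc(x,k) and the variable x inside it:
// this is the "Left" annotation, recording both t_1 and x.
rule Recv:
  [ !Key(k), In(senc(x,k)) ]
  --[ Left_Recv(senc(x,k), x), Secret(x) ]->
  [ ]

// Sources lemma in the form  Left(y,x)@i ==> (Ex k. Right(y)@k & k < i) | (Ex k. KU(x)@k & k < i).
// Either the ciphertext came from Send (earlier), or the adversary built it,
// in which case it already knew the plaintext x.
lemma types [sources]:
  "All y x #i. Left_Recv(y, x) @ i
     ==> (Ex #j. Right_Send(y) @ j & j < i)
       | (Ex #j. KU(x) @ j & j < i)"

// With the sources lemma in place, the secrecy of n is proved without user interaction.
lemma secrecy:
  "All x #i. Secret(x) @ i ==> not (Ex #j. K(x) @ j)"

end
```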

Let tr be a normalised trace of \(\mathsf {Variant}(P)\). Let us show that tr satisfies \(\phi \).

Let i be such that \(\mathsf {Left}_{F, ru ,t_1}(m,n)\in S_i\) for some terms m, n. Then the ith applied rule must be the rule \( ru \) in \(\mathsf {Variant}(P)\) mentioned above, which has the form:

$$ ru =[\{F(t)\}\cup l'] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\mathsf {Left}_{F, ru ,t_1} (t_1,x)\cup a' \mathrel {]\!\!\!\rightarrow }}} [r] $$

Moreover, there exists a substitution \(\sigma _i\) in normal form (the one used to instantiate \( ru \)) such that and . Since the trace is normalised, \(m=_\textit{AC}t_1\sigma _i\) and \(n =_{\textit{AC}}x\sigma _i\). Let . Again, we have \(u =_{\textit{AC}}t\sigma _i\). Since \(t_1\) is a subterm of t and \(t_1\) is not headed by an AC symbol, we have that m is a subterm of u (modulo AC). Moreover \(F(u)\in S_{i-1}\) by definition of the application of a rule.

Let \(j< i\) be the smallest index such that m (modulo \(\textit{AC}\)) is a subterm of a fact in \(S_{j}\), and consider the jth rule that has been applied.

  • Either this rule is a rule \( ru ''\) in \(\mathsf {Variant}(P)\) of the form

    $$\begin{aligned} { ru ''} = [l''] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a'' \mathrel {]\!\!\!\rightarrow }}} [\{F'(w)\}\cup r''] \end{aligned}$$

    and there exists \(\sigma _j\) in normal form (the substitution used to instantiate \( ru ''\)) such that m (modulo AC) is a subterm of . Since the trace is normalised, . Let \(p'\) be the position at which m occurs in \(w\sigma _j\), i.e. such that \({w\sigma _j}|_{p'} =_{\textit{AC}}m\).

    • Either \(p'\) is a path of w that does not end on a variable. Then \(w|_{p'}=w'\) with \(w'\) a protected subterm of w.

      We have that \(w'\sigma _j =_{\textit{AC}}m =_{\textit{AC}}t_1\sigma _i\), hence \(w'\) and \(t_1\) are unifiable (modulo AC), so we have annotated \( ru ''\), that is, \(\mathsf {Right}_{F', ru '',t_1}(w')\in a''\), which concludes this case.

    • Or \(p'\) is a path of w that ends on a variable or is not a path at all. Then there must exist a variable y in w such that m (modulo AC) is a subterm of \(y\sigma _j\). Then y also appears in some premise fact \(F''(w'')\), thanks to the definition of a protocol rule and the fact that the variant rules are still protocol rules. Therefore m (modulo AC) is a subterm of a fact in \(S_{j-1}\) (since ), which contradicts the minimality of j.

  • Or the rule is one of the \(\mathsf {MD}\) rules. Since m is a protected term, the rule cannot be \([] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x:\textit{pub})]\) nor \([\textsf {Fr}(x:\textit{fr})] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x:\textit{fr})]\) since these two rules only generate names. By minimality of j, it cannot be the rule \( [\textsf {Out}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} [{\textsf {K}^{\downarrow }_{}(x)}]\), nor \([\textsf {K}^{\uparrow }_{}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {In}(x)]\), nor the rule \([\textsf {K}^{\downarrow }_{}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x)]\) either. So it must be the deduction rule, either in the \(\textsf {K}^{\uparrow }_{}\) version or in the \(\textsf {K}^{\downarrow }_{}\) version.

    • Either it is the rule

      $$[\textsf {K}^{\uparrow }_{}(x_1\theta ),\ldots , \textsf {K}^{\uparrow }_{}(x_n\theta )] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(\mathsf {f}(x_1,\ldots ,x_n)\theta ) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(\mathsf {f}(x_1,\ldots ,x_n)\theta )]$$

      with \(\mathsf {f}(x_1,\ldots ,x_n)\theta \) in normal form. We have \(\textsf {K}^{\uparrow }_{}(x_1 \theta ),\ldots ,\textsf {K}^{\uparrow }_{}(x_k \theta )\in S_{j-1}\). Then, by minimality of j, and since m is not headed with an AC symbol, we must have \(m =_{\textit{AC}}t_1{\sigma _i} =_{\textit{AC}}\mathsf {f}(x_1\theta ,\ldots ,x_k\theta )\); otherwise m would be a subterm of some \(x_i\theta \), hence a subterm of \(S_{j-1}\), or m would be a constant, which cannot be the case since m is a protected subterm. Remember that \(x{\sigma _i}\) is a subterm at position \(p=i_0.p'\) (for some \(i_0\)) of \(t_1\) such that there are only pairs along \(p'\), that is, \(x{\sigma _i}\in St _{\mathsf {pair}}(x_{i_0}\theta )\). Since the trace is normalised (i.e. pairs are decomposed before being used), we get that \(\textsf {K}^{\uparrow }_{}(x{\sigma _i})\in S_{j-1}\), that is \(\textsf {K}^{\uparrow }_{}(n)\in S_{j-1}\). Now, by inspection of the rules, we notice that the only way to obtain \(\textsf {K}^{\uparrow }_{}(t)\) in a state is through a rule annotated by \(\textsf {K}^{\uparrow }_{}(t)\), hence we can conclude that \(\textsf {K}^{\uparrow }_{}(n)\) appears in one of the actions of an earlier rule.

    • Or the rule

      has been applied, with \(\mathsf {f}(x_1,\ldots ,x_k)\theta \) that can be reduced at top level. Since the equational theory is a subterm theory, it must be the case that \(m = (\mathsf {f}(x_1,\ldots ,x_k)\theta )\downarrow \) is a subterm of one of the \(x_i\sigma \), hence m is a subterm of a fact of \(S_{j-1}\), which contradicts the minimality of j.    \(\square \)

Theorem 2

Given a set of well-formed protocol rules P, a composed rule \( ru = ru _1\circ _{\theta } ru _2\circ _{\theta }\cdots \circ _{\theta } ru _k\) with \( ru _i\in \mathsf {Variant}(P)\), a variable x occurring in \( ru \), and \(\phi \) returned by \(\mathsf {SourceLemmaComp}(\mathsf {Variant}(P), ru ,x)\), then \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \).

Proof

The correctness of Algorithm 2 is a direct consequence of Theorem 1. Indeed, let \(\phi \) be a formula returned by \(\mathsf {SourceLemmaComp}(\mathsf {Variant}(P), ru ,x)\). Then \(\phi \) is actually a formula returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru _i,v_i|_p)\) for some \( ru _i\in \mathsf {Variant}(P)\) and some variable \(v_i|_p\) of \( ru _i\). Applying Theorem 1, we have that \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \), hence the conclusion.    \(\square \)

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Cortier, V., Delaune, S., Dreier, J. (2020). Automatic Generation of Sources Lemmas in Tamarin: Towards Automatic Proofs of Security Protocols. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_1

  • DOI: https://doi.org/10.1007/978-3-030-59013-0_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59012-3

  • Online ISBN: 978-3-030-59013-0