Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders

Nigam, Vivek; Talcott, Carolyn; Aires Urquiza, Abraão

doi:10.1007/978-3-319-45741-3_23

Vivek Nigam¹⁷,
Carolyn Talcott¹⁸ &
Abraão Aires Urquiza¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9879))

Included in the following conference series:

European Symposium on Research in Computer Security

2229 Accesses
21 Citations

Abstract

Timed Intruder Models have been proposed for the verification of Cyber-Physical Security Protocols (CPSP) amending the traditional Dolev-Yao intruder to obey the physical restrictions of the environment. Since to learn a message, a Timed Intruder needs to wait for a message to arrive, mounting an attack may depend on where Timed Intruders are. It may well be the case that in the presence of a great number of intruders there is no attack, but there is an attack in the presence of a small number of well placed intruders. Therefore, a major challenge for the automated verification of CPSP is to determine how many Timed Intruders to use and where should they be placed. This paper answers this question by showing it is enough to use the same number of Timed Intruders as the number of participants. We also report on some preliminary experimental results in discovering attacks in CPSP.

You have full access to this open access chapter, Download conference paper PDF

Automated Verification of Timed Security Protocols with Clock Drift

TAuth: Verifying Timed Security Protocols

Timed Analysis of Security Protocols

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

The Dolev-Yao intruder model is one of the cornerstones for the success of protocol verification being used in most verification tools. The protocol security literature contains a number of properties about the Dolev-Yao intruder, many of them vital for automated verification. For instance, it has been shown that protocol security verification is complete when considering only a single Dolev-Yao intruder in the following sense: if there is an attack in the presence of one or more (colluding) Dolev-Yao intruders, then the same attack with a single Dolev-Yao intruder is possible [4]. Such result greatly simplifies the implementation of tools as it is enough to use only one Dolev-Yao intruder.

However, for the important class of Cyber-Physical Security Protocols (CPSP), the Dolev-Yao intruder model is not suitable. CSPS normally rely on the physical properties of the environment where sessions are carried out to establish some physical properties. For example, Distance Bounding Protocols are used to infer an upper-bound on the distance between two players V, the verifier, and P, the prover. It works as follows:

The verifier sends a challenge m remembering the time $t_1$, when this message is sent. The prover responds to the challenge, $m'$, and by measuring the round-trip time of the challenge response round, the verifier can compute (using assumptions on the transmission channel used) an upper bound on the distance to the prover.

It is easy to check that the Dolev-Yao intruder is not suitable for CPSP verification, as the Dolev-Yao intruder does not obey the physical properties of the system. As the Dolev-Yao intruder controls the network, he can receive the challenge m and instantaneously respond $m'$ to the verifier’s challenge. There have been, therefore, proposals to amend the Dolev-Yao intruder model to CSPS [3, 16] in the form of Timed Dolev-Yao models. These have been used to prove general decidability of important properties of CSPS [3, 15] and prove the security of protocols using theorem provers.

In contrast with the traditional Dolev-Yao intruder, who is the whole network, a timed intruder is placed at some location and in order to learn a message, must wait until the message arrives to that location. A consequence of this is that a greater number of colluding intruders may not do as much damage as a smaller number of intruders that are better placed. For example, consider Fig. 1. With a distribution of intruders shown to the left, there may not be an attack as it might take too long for intercepting and forwarding messages among intruders (illustrated by the dashed lines), while there may be an attack with the distribution of intruders shown to the right.

The main contribution of this paper is to answer the question: How many intruders are enough for verification and where should they be placed? We prove that it is enough to consider one intruder per protocol participant, thus bounding the number of timed intruders. This result greatly simplifies automated CSPS verification as the specifier no longer has to guess how many timed intruders to consider and where to place them.

Our second contribution is a general specification language, which extends strand spaces [25] by allowing for the symbolic representation of time. Instead of instantiating time variables and time constraints with explicit values, the semantics of our language accumulates symbolic time constraints. An execution using symbolic time constraints corresponds to a set of possible concrete executions, considerably reducing state-space. We implemented a prototype of our language in Maude [8] with SMT support. Our preliminary experiments show that it is possible to find attacks traversing few states. While we do not claim (yet) to have a complete tool, our first results are promising.

This paper is structured as follows: Sect. 2 specifies the syntax of our protocol specification language and its semantics extending Strand Spaces [25]. We introduce the Timed Intruder Model in Sect. 3. Section 4 contains the definition of the Timed Intruder Completeness problem and a solution to it. We revisit some examples in Sect. 5 briefly commenting on our prototype implementation. Finally we conclude by reviewing related and future work in Sect. 6.

2 A Specification Language for Cyber-Physical Security Protocols

We start first by specifying the syntax of our CPSP specification language with symbolic time variables and symbolic time constraints. We exemplify the specification of protocols using our language. Then, we formalize the operational semantics of our language by extending Strand Spaces [25] to include time variables.

2.1 Syntax

Message Expressions. We assume a message signature $\varSigma $ of constants, and function symbols. Constants include nonces, symmetric keys and player names. The set of messages is constructed as usual using constants, variables and at least the following function symbols:

$$\begin{aligned} \begin{array}{l@{\qquad }l} \mathsf {sk} (\mathsf {p}) &{} \text {Denoting the secret key of the player } \mathsf {p};\\ \mathsf {pk} (\mathsf {p}) &{} \text {Denoting the public key of the player } \mathsf {p};\\ \mathsf {enc} (\mathsf {m},\mathsf {k}) &{} \text {Encryption function denoting the encryption of } m \text { using key }k;\\ \{\mathsf {m} _1,\mathsf {m} _2,\ldots ,\mathsf {m} _n\} &{} \text {Tuple function denoting a list of messages }\mathsf {m} _1,\mathsf {m} _2,\ldots ,\mathsf {m} _n;\\ \end{array} \end{aligned}$$

where $\mathsf {c} _1, \mathsf {c} _2, \ldots $ range over constants, $\mathsf {n} _1,\ldots ,\mathsf {n} _n$ range over nonces, $\mathsf {k} _1,\mathsf {k} _2,\ldots $ range over symmetric keys, $\mathsf {p} _1, \mathsf {p} _2 \ldots $ range over player names, $\mathsf {v} _1,\mathsf {v} _2, \ldots $ range over variables, and $\mathsf {m} _1,\mathsf {m} _2,\ldots $ range over messages. For example, the message $\mathsf {enc} (\{\mathsf {v} _1, \mathsf {enc} (\mathsf {c},\mathsf {k})\},\mathsf {pk} (\mathsf {p}))$ denotes the encryption using the public key of $\mathsf {p}$ of the pair of messages $\mathsf {v} _1$ (not instantiated) and $\mathsf {enc} (\mathsf {c},\mathsf {k})$. We define $ (\mathsf {pk} (\mathsf {p}))^{-1} = \mathsf {sk} (\mathsf {p})$ and $\mathsf {k} ^{-1} = k$ if $\mathsf {k} $ is a symmetric key. We also write interchangeably the singleton tuple $\{\mathsf {m} \}$ and $\mathsf {m} $.

For a given scenario with some protocol session instances, we are going to distinguish the players that are participating in the protocol sessions, e.g., as verifiers and as provers, which we call protocol participants (briefly participants), from the Timed Intruders which are not participating explicitly in the protocol sessions in the given scenario, but are simply manipulating messages and possibly interacting with the participants. The symbols $\mathsf {p} _1, \mathsf {p} _2 \ldots $ will range over participant names while $\mathsf {ti} _1, \mathsf {ti} _2, \ldots $ will range over the names of such Timed Intruders.

Time Expressions. We also assume a time signature $\varXi $ which is disjoint to the message alphabet $\varSigma $. It contains:

$$\begin{aligned} \begin{array}{l@{\quad }l} \mathsf {r} _1,\mathsf {r} _2,\ldots &{} \text {A set of numbers;}\\ \mathsf {tt} _1,\mathsf {tt} _2,\ldots ,&{} \text {A set of time variables including the special variable} \mathsf {cur};\\ +,-,\times ,/, \mathsf {floor},\mathsf {ceiling}, \ldots &{} \text {A set of arithmetic symbols and other function symbols.} \end{array} \end{aligned}$$

Time Expressions are constructed inductively by applying arithmetic symbols to time expressions. For example $\mathsf {ceiling} ((2 + \mathsf {tt} + \mathsf {cur})/ 10)$ is a Time Expression. The symbols $\mathsf {tr} _1,\mathsf {tr} _2, \ldots $ range over Time Expressions. We do not constrain the set of numbers and function symbols in $\varXi $. However, in practice, we allow only the symbols supported by the SMT solver used. All examples in this paper will contain SMT supported symbols (or equivalent). Finally, the time variable $\mathsf {cur} $ will be a keyword in our protocol specification language denoting the current global time.

Definition 1

(Symbolic Time Constraints). Let $\varXi $ be a time signature. The set of symbolic time constraints is constructed using time expressions. Let $\mathsf {tr} _1,\mathsf {tr} _2$ be time expressions, then

$$\begin{aligned} \begin{array}{l} \mathsf {tr} _1 = \mathsf {tr} _2, \qquad \mathsf {tr} _1 \ge \mathsf {tr} _2 \qquad \mathsf {tr} _1 > \mathsf {tr} _2, \qquad \mathsf {tr} _1 < \mathsf {tr} _2, \quad \text {and} \quad \mathsf {tr} _1 \le \mathsf {tr} _2 \end{array} \end{aligned}$$

are Symbolic Time Constraints.

For example, $\mathsf {cur} + 10 < \mathsf {floor} (\mathsf {tt}- 5)$ is a Time Constraint. The symbols $\mathsf {tc} _1, \mathsf {tc} _2, \ldots $ will range over Time Constraints.

Finally, we let $\mathsf {b} _1, \mathsf {b} _2, \ldots $, range over boolean expressions, which include timed comparison constraints. We also allow for checking whether two messages $\mathsf {m} _1$ and $\mathsf {m} _2$ can be unified, e.g., $\{\mathsf {v} _1,\mathsf {v} _2\} :=: \{\mathsf {p} _1, \mathsf {k} _1\} $ evaluates to true as they can be unified by the substitution $\{\mathsf {v} _1 \mapsto \mathsf {p} _1,\mathsf {v} _2 \mapsto \mathsf {k} _1\}$.

Definition 2

(Timed Protocols). The set of Timed Protocols, $\mathcal {PL}$, is composed of Timed Protocol Roles, $\mathsf {pl} $, which are constructed by using commands as specified by the following grammar, where $\mathsf {b} $ is a boolean expression:

$$\begin{aligned} \begin{array}{l@{\quad }c@{\quad }l@{\qquad }l} \mathsf {pl} &{} := &{} \mathsf {nil} &{} \text {Empty Protocol}\\ &{}&{} \mid (\mathsf {new} ~ \mathsf {v}), \mathsf {pl} &{} \text {Fresh Constant}\\ &{}&{} \mid (+ \mathsf {m}), \mathsf {pl} &{} \text {Message Output}\\ &{}&{} \mid (+ \mathsf {m} ~\#~ \mathsf {tc}), \mathsf {pl} &{} \text {Timed Message Output}\\ &{}&{} \mid (- \mathsf {m}), \mathsf {pl} &{} \text {Message Input}\\ &{}&{} \mid (- \mathsf {m} ~\#~ \mathsf {tc}), \mathsf {pl} &{} \text {Timed Message Input}\\ &{}&{} \mid (\mathsf {if}~\mathsf {b} ~\mathsf {then}~\mathsf {pl}_1~\mathsf {else}~\mathsf {pl}_2) &{} \text {Conditional}\\ &{}&{} \mid (\mathsf {if}~\mathsf {b} ~\#~\mathsf {tc} ~\mathsf {then}~\mathsf {pl}_1~\mathsf {else}~\mathsf {pl}_2) &{} \text {Timed Conditional} \end{array} \end{aligned}$$

We explain some examples intuitively before we formalize the semantics of our language in the following section. We will elide $\mathsf {nil}$ whenever it is clear from the context.

Example 1

The following program specifies the verifier of a (very simple) distance bounding protocol:

$$\begin{aligned} \begin{array}{l} (\mathsf {new} ~\mathsf {v}),(+ \mathsf {v} ~\#~\mathsf {tt} = \mathsf {cur}), (- \mathsf {v} ~\#~\mathsf {cur} \le \mathsf {tt} + 4) \end{array} \end{aligned}$$

It creates a fresh constant and sends it to the prover, remembering the current global time by assigning it to the time variable $\mathsf {tt} $. Finally, when it receives the response $\mathsf {v} $ it checks whether the current time is less than $\mathsf {tt} + 4$.

Example 2

Timed conditionals can be used to specify the duration of operations, such as checking whether some message is of a given form. In practice, the duration of these operations can be measured empirically to obtain a finer analysis of the protocol [6].

For example, consider the following protocol role:

$$\begin{aligned} \begin{array}{l} (\mathsf {new} ~\mathsf {v}),(+ \mathsf {v}),(- \{\mathsf {v} _{enc},\mathsf {v} _{mac}\}~\#~\mathsf {tt} _0 = \mathsf {cur}),\\ \mathsf {if} ~ (\mathsf {v} _{mac} :=: \mathsf {enc} (\mathsf {v} _{enc},\mathsf {k} _M))~ \# ~ \mathsf {tt} _1 = \mathsf {tt} _0 + \mathsf {tt} _{Mac}\\ \mathsf {then} ~ (\mathsf {if} ~(\mathsf {v} _{enc} :=: \mathsf {enc} (\mathsf {v},\mathsf {k} _E)) ~\# ~ \mathsf {tt} _2 = \mathsf {tt} _1 + \mathsf {tt} _{Enc})\\ \qquad \mathsf {then} ~ (+ done ~\#~ \mathsf {cur} = \mathsf {tt} _2)~\mathsf {else} ~ (+ error ~\#~ \mathsf {cur} = \mathsf {tt} _2))\\ \mathsf {else} ~(+ error ~\#~ \mathsf {cur} = \mathsf {tt} _1) \end{array} \end{aligned}$$

This role creates a fresh value $\mathsf {v} $ and sends it. Then it is expecting a pair of two messages $\mathsf {v} _{mac}$ and $\mathsf {v} _{enc}$, remembering at time variable $\mathsf {tt} _0$ when this message is received. It then checks whether the first component $\mathsf {v} _{mac}$ is of the form $\mathsf {enc} (\mathsf {v} _{enc},\mathsf {k} _M))$, i.e., it is the correct MAC. This operation takes $\mathsf {tt} _{mac}$ time units. The time variable $\mathsf {tt} _1$ is equal to the time $\mathsf {tt} _0 + \mathsf {tt} _{mac}$, i.e., the time when the message was received plus the MAC check duration. If the MAC is not correct, an error message is sent exactly at time $\mathsf {tt} _1$. Otherwise, if the first component, $\mathsf {v} _{MAC}$, is as expected, the role checks whether the second component, $\mathsf {v} _{enc}$, is an encryption of the form $\mathsf {enc} (\mathsf {v},\mathsf {k} _E))$, which takes (a longer) time $\mathsf {tt} _{enc}$. If so it sends the done message, otherwise the error message, both at time $\mathsf {tt} _2$ which is $\mathsf {tt} _1 + \mathsf {tt} _{enc}$.

We will need to identify a particular command in a Timed Protocol Role. We use a string of the form $i_1.i_2.i_3.\ldots .i_n$, called position and denoted by $\bar{i}$, where each $i_j \in \{1,2\}$ to specify a path in the control flow of the Timed Protocol. For example, 1.1.1.1.2 in Example 2 leads to $(+ error ~\#~ \mathsf {cur} = \mathsf {tt} _1)$. We denote by $\mathcal {PS}(\mathsf {pl})$ the set of strings representing the paths in the Timed Protocol Role $\mathsf {pl} $.

2.2 Timed Strand Spaces and Bundles

We formalize the semantics of Timed Protocols by extending Strand Spaces and Bundles [25] to include time constraints and a network topology.

Network Topology. Messages take time to travel between agents, both honest players and intruders. The network model is specified by representing the time a message needs to travel from any agent a to any agent b, specified by $\mathsf {td}(a,b) $ using a function that takes two names and returns a number. Typically, $\mathsf {td}(a,a) = 0$, that is the time for a message sent from a player to reach himself is 0, but we do not need to enforce this. We also assume the following axiom for all players $a,a_1, \ldots , a_n,a'$ (with $1 \le n$):

$$\begin{aligned} \mathsf {td}(a,a') \le \mathsf {td}(a,a_1) + \mathsf {td}(a_1,a_2) + \cdots + \mathsf {td}(a_n,a') \end{aligned}$$

(1)

That is, it is faster for a message to travel directly from a to $a'$, then to first travel through $a_1,\ldots ,a_n$. This is similar to the usual triangle inequality in basic geometry.

A given scenario with some protocol session instances includes the protocol participants (or simply participants), $\mathcal {P}= \{\mathsf {p} _1, \ldots , \mathsf {p} _n\}$ and a set of Timed Intruders $\mathcal {I}= \{\mathsf {ti} _1, \ldots ,\mathsf {ti} _m\}$, who may be manipulating messages. The Network Topology is composed by two disjoint functions $\mathsf {td} = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _\mathcal {I}$ defined as follows:

$$\begin{aligned} \mathsf {td}(a,b) = \left\{ \begin{array}{ll} \mathsf {td} _\mathcal {P}(a,b) &{} \text {if }a,b \in \mathcal {P}\\ \mathsf {td} _\mathcal {I}(a,b) &{} \text {otherwise} \end{array}\right. \end{aligned}$$

Thus, $\mathsf {td} _\mathcal {P}$ specifies the time messages take to travel among participants, while $\mathsf {td} _\mathcal {I}$ specifies the time messages take to travel between Timed Intruders, between a Timed Intruder and a participant and between a participant and a Timed Intruder.

Remark 1

Here we are assuming that two agents share a single transmission channel. We leave to future work how to incorporate different transmission channels. One way to do so is to add another parameter to $\mathsf {td} $, which would imply the addition of more axioms. If multiple transmission channels are allowed, then it may well be the case that Eq. 1 does not hold as some participants might use much faster transmission channels. While we leave a more careful analysis of such cases to future work, we strongly believe that our completeness theorem (Theorem 1) still holds (see Remark 2) as one can assume that intruders communicate among themselves using the fastest available transmission medium.

The following definitions extend Strands and Bundles to include time variables capturing the semantics of Timed Protocols. A Timed Protocol Role is ground if it does not contain variables.

Definition 3

A Timed Strand Space is a set $\varPi $ and a trace mapping $tr : \varPi \longrightarrow \mathcal {P}\times \mathcal {GPL}$, where $\mathcal {P}$ is the set of player names $\{\mathsf {p} _1, \ldots , \mathsf {p} _n\}$ and $\mathcal {GPL}$ is the set of Ground Timed Protocol Roles. We denote by $tr(s)_1$ the player name and $tr(s)_2$ the Timed Protocol Role of a strand $s \in \varPi $.

For the remainder we fix a Timed Strand Space $[\varPi ,tr]$.

Definition 4

The Timed Strand Space Graph, $\mathcal {G}= \langle \mathcal {N},\Rightarrow \cup \rightarrow \rangle $, has nodes $\mathcal {N}$ and edges $\Rightarrow $ and $\rightarrow $ as defined below.

1.
A node n is a tuple $\langle \mathsf {p},s,\bar{i}\rangle @\mathsf {tt} $ with $s \in \varPi $, $\mathsf {p} = tr(s)_1$, $\bar{i}\in \mathcal {PS}(tr(s)_2)$ is a string identifying a command in the Timed Protocol, and $\mathsf {tt} $ is a time variable timestamping the node n. The set of nodes is denoted by $\mathcal {N}$;
2.
If $n = \langle \mathsf {p},s,\bar{i}\rangle @\mathsf {tt} $, we denote by term(n), the command at position $\bar{i}$ in $tr(s)_2$;
3.
If $n_1 = \langle \mathsf {p},s,\bar{i}\rangle @\mathsf {tt} _1$ and $n_2 = \langle \mathsf {p},s,\bar{i}.j\rangle @\mathsf {tt} _2$ are in $\mathcal {N}$, then there is an edge $n_1 \Rightarrow n_2$;
4.
For two nodes $\mathsf {n} _1, \mathsf {n} _2 \in \mathcal {N}$, there is an edge $n_1 \rightarrow n_2$ if and only if $term(n_1)$ is of the form $+\mathsf {m} $ or $+\mathsf {m} ~\#~\mathsf {tc} _1$ and $term(n_2)$ is of the form $-\mathsf {m} $ or $-\mathsf {m} ~\#~\mathsf {tc} _2$;
5.
If a node $n \in \mathcal {N}$, $term(n) = \mathsf {new} ~\mathsf {c} $, then $\mathsf {c} $ originates on n, that is, all nodes $n'$ such that $term(n')$ contains $\mathsf {c} $ are such that $n~(\Rightarrow \cup \rightarrow )^* ~n'$, where $(\cdot )^*$ is the reflexive and transitive closure operator.

Definition 5

Let $\mathsf {td} $ be a Network Topology and let $\mathcal {C}= \langle \mathcal {N}_\mathcal {C},\rightarrow _\mathcal {C}\cup \Rightarrow _\mathcal {C}\rangle $ be a subgraph of $\mathcal {G}= \langle \mathcal {N},\Rightarrow \cup \rightarrow \rangle $. The Timed Constraint Set of $\mathcal {C}$ over $\mathsf {td} $, denoted by $\mathcal {TC}(\mathcal {C},\mathsf {td})$, is the smallest set of Time Constraints specified as follows:

1.
If $n = \langle \mathsf {p},s,\bar{i}\rangle @\mathsf {tt} \in \mathcal {N}_\mathcal {C}$, such that term(n) is of the form $\pm \mathsf {m} ~\#~\mathsf {tc} $ or $\mathsf {if} ~{\mathsf {b} ~\#~\mathsf {tc}}$, then $\mathsf {tc} ' \in \mathcal {TC}(\mathcal {C},\mathsf {td})$ where $\mathsf {tc} '$ is the Time Constraint obtained by replacing $\mathsf {cur} $ by $\mathsf {tt} $;
2.
If $\langle \mathsf {p},s,\bar{i}\rangle @\mathsf {tt} _1 \Rightarrow _\mathcal {C}\langle \mathsf {p},s,\bar{i}.j\rangle @\mathsf {tt} _2$, then $\mathsf {tt} _2 \ge \mathsf {tt} _1 \in \mathcal {TC}(\mathcal {C},\mathsf {td})$;
3.
If $\langle \mathsf {p} _1,s_1,\bar{i}_1\rangle @\mathsf {tt} _1 \rightarrow _\mathcal {C}\langle \mathsf {p} _2,s_2,\bar{i}_2\rangle @\mathsf {tt} _2$, then $\mathsf {tt} _2 \ge \mathsf {tt} _1 + \mathsf {td}(\mathsf {p} _1,\mathsf {p} _2) \in \mathcal {TC}(\mathcal {C},\mathsf {td})$.

Intuitively, the $\Rightarrow $ specifies the sequence of actions carried out by a protocol session participant, while the $\rightarrow $ specifies the interactions between protocol sesssion participants. However, not all timed strand space graph will correspond to possible executions. Thus, we introduce Timed Bundle which is a subset of the Timed Strand space graph, playing a similar role of Bundles for Strand Spaces.

Definition 6

Let $\mathsf {td} $ be a Network Topology. Let $\rightarrow _\mathcal {C}\subseteq \rightarrow $ and $\Rightarrow _\mathcal {C}\subseteq \Rightarrow $ and suppose $\mathcal {C}= \langle \mathcal {N}_\mathcal {C},\rightarrow _\mathcal {C}\cup \Rightarrow _\mathcal {C}\rangle $ is a sub-graph of $\langle \mathcal {N},\Rightarrow \cup \rightarrow \rangle $. $\mathcal {C}$ is a Timed Bundle over $\mathsf {td} $ if:

1.
$\mathcal {C}$ is finite and acyclic;
2.
$n_2 \in \mathcal {N}_\mathcal {C}$ is Message Input or a Timed Message Input, then there is a unique $n_1 \in \mathcal {N}_\mathcal {C}$ such that $n_1 \rightarrow _\mathcal {C}n_2$;
3.
$n_2 \in \mathcal {N}_\mathcal {C}$ and $n_1 \Rightarrow n_2$, then $n_1 \in \mathcal {N}_\mathcal {C}$, and $n_1 \Rightarrow _\mathcal {C}n_2$;
4.
$n = \langle \mathsf {p},s,\bar{i}\rangle $ is a node such that term(n) is of the form $\mathsf {if} ~{\mathsf {b}}$ or $\mathsf {if} ~{\mathsf {b} ~\#~\mathsf {tc}}$ and $\mathsf {b} $ is evaluated to true, then $n \Rightarrow _\mathcal {C}\langle \mathsf {p},s,\bar{i}.1\rangle $ and $n \nRightarrow _\mathcal {C}\langle \mathsf {p},s,\bar{i}.2\rangle $; otherwise $n \Rightarrow _\mathcal {C}\langle \mathsf {p},s,\bar{i}.2\rangle $ and $n \nRightarrow _\mathcal {C}\langle \mathsf {p},s,\bar{i}.1\rangle $;
5.
the Timed Constraint Set of $\mathcal {C}$ over $\mathsf {td} $ is satisfiable, i.e., there is a substitution $\sigma $, called model of $\mathcal {TC}(\mathcal {C},\mathsf {td})$, replacing all time variables in $\mathcal {TC}(\mathcal {C},\mathsf {td})$ by Real numbers so that all inequalities in $\mathcal {TC}(\mathcal {C},\mathsf {td})$ are true.

Example 3

The following is a graphical representation for a Timed Bundle using the Distance Bounding Protocol described in Example 1:

It involves two participants $\mathsf {p} _1$ and $\mathsf {p} _2$ which simply exchange a fresh value $\mathsf {c} $.^{Footnote 1} Its Timed Constraint Set should be satisfiable for the assumed Network Topology specified by the function $\mathsf {td} $:

$$\begin{aligned} \left\{ \begin{array}{c} \mathsf {tt} _5 \ge \mathsf {tt} _4, \mathsf {tt} _3 \ge \mathsf {tt} _2, \mathsf {tt} _2 \ge \mathsf {tt} _1, \mathsf {tt} = \mathsf {tt} _2, \mathsf {tt} _4 \ge \mathsf {tt} _2 + \mathsf {td}(\mathsf {p} _1,\mathsf {p} _2), \mathsf {tt} _3 \ge \mathsf {tt} _5 + \mathsf {td}(\mathsf {p} _2,\mathsf {p} _1), \mathsf {tt} _3 \le \mathsf {tt} + 4 \end{array}\right\} \end{aligned}$$

Notice that the use of the time symbols in this representation means that this single object specifies a possibly infinite collection of executions of the Distance Bounding Protocol, where the time symbols are instantiated by concrete timestamps taken from the set of non-negative Real numbers $\mathbb {R}^{+}$. This compact representation greatly reduces the state space during automated protocol verification. In our prototype implementation, we use an SMT solver to check whether the set of Time Constraints is satisfiable or not.

Finally, consider the following specification $ (\mathsf {new} ~\mathsf {v}),(- \mathsf {v})$. This specification creates a fresh constant and then expects $\mathsf {v} $ as input. Since this is a fresh constant and is never sent, it will never be received. The condition (5) in Definition 4 captures this restriction, as it disallows an $\rightarrow $ edge to $\langle \mathsf {p},(- \mathsf {v})\rangle $

3 Timed Intruder Model

The Timed Intruder Model is similar to the usual Dolev-Yao Intruder Model in the sense that it can compose, decompose, encrypt and decrypt messages provided it has the right keys. However, unlike the Dolev-Yao intruder, a Timed Intruder is constrained by the physical properties of the systems, namely, an intruder is not able to learn any message instantaneously, instead, must wait until the message arrives.

A Timed Intruder Set is a set of intruder names $\mathcal {I}= \{\mathsf {ti} _1,\ldots ,\mathsf {ti} _n\}$ a set of initially known keys $K_P$, which contain all public keys, all private keys of all the intruders, all symmetric keys initially shared between intruders and honest players, and may contain “lost keys” that an intruder learned previously by, for instance, succeeding in some cryptoanalysis. Recall that Timed Intruders are situated at locations specified by the Network Topology. For instance, $\mathsf {td}(\mathsf {p} _1,\mathsf {ti} _1) = \mathsf {td} _\mathcal {I}({\mathsf {p} _1},{\mathsf {ti} _1}) = 4$ denotes that the timed needed for a message to travel from participant $\mathsf {p} _1$ to intruder $\mathsf {ti} _1$ is 4.

Definition 7

An intruder trace is one of the following, where $\mathsf {ti} $ is a Timed Intruder Name, $\mathsf {tt},\mathsf {tt} _1,\mathsf {tt} _2,\mathsf {tt} _3$ are time variables, and $\mathsf {m},\mathsf {m} _1,\ldots , \mathsf {m} _n,\mathsf {m} _1',\ldots ,\mathsf {m} _p'$ are messages:

Text Message: $\langle \mathsf {ti},+ \mathsf {t} \rangle @\mathsf {tt} $, where $\mathsf {t} $ is a text constant;
Flushing: $\langle \mathsf {ti},-\mathsf {m} \rangle @\mathsf {tt} $;
Forward: $\langle \mathsf {ti}, -\mathsf {m}, +\mathsf {m} \rangle @(\mathsf {tt} _1,\mathsf {tt} _2)$ denoting the strand $\langle \mathsf {ti},-\mathsf {m} \rangle @\mathsf {tt} _1 \Rightarrow \langle \mathsf {ti},+\mathsf {m} \rangle @\mathsf {tt} _2$;
Concatenation: $\langle \mathsf {ti},-\{\mathsf {m} _1,\ldots ,\mathsf {m} _n\}, -\{\mathsf {m} _1',\ldots ,\mathsf {m} _p'\}, + \{\mathsf {m} _1,\ldots ,\mathsf {m} _n,\mathsf {m} _1',\ldots ,\mathsf {m} _p'\}\rangle @(\mathsf {tt} _1,\mathsf {tt} _2,\mathsf {tt} _3)$ denoting the strand ${\begin{array}{l} \langle \mathsf {ti},-\{\mathsf {m} _1,\ldots ,\mathsf {m} _n\}\rangle @\mathsf {tt} _1 \Rightarrow \langle \mathsf {ti},-\{\mathsf {m} _1',\ldots ,\mathsf {m} _p'\}\rangle @\mathsf {tt} _2 \Rightarrow \langle \mathsf {ti},+ \{\mathsf {m} _1,\ldots ,\mathsf {m} _n,\mathsf {m} _1',\ldots ,\mathsf {m} _p'\}\rangle @\mathsf {tt} _3 \end{array}} $
Decomposing: $\langle \mathsf {ti},-\{\mathsf {m} _1,\ldots ,\mathsf {m} _n\}, +\{\mathsf {m} _1,\ldots ,\mathsf {m} _i\},+\{\mathsf {m} _{i+1},\ldots ,\mathsf {m} _n\} \rangle @(\mathsf {tt} _1,\mathsf {tt} _2,\mathsf {tt} _3)$ denoting the strand $ {\begin{array}{l} \langle \mathsf {ti},-\{\mathsf {m} _1,\ldots ,\mathsf {m} _i,\mathsf {m} _{i+1},\ldots ,\mathsf {m} _n\}\rangle @\mathsf {tt} _1 \Rightarrow \langle \mathsf {ti},+\{\mathsf {m} _1,\ldots ,\mathsf {m} _i\}\rangle @\mathsf {tt} _2 \Rightarrow \langle \mathsf {ti},+ \{\mathsf {m} _{i+1},\ldots ,\mathsf {m} _n\}\rangle @\mathsf {tt} _3 \end{array}} $
Key: $\langle \mathsf {ti},+\mathsf {k} \rangle @\mathsf {tt} $ if $\mathsf {k} \in K_P$;
Encryption: $\langle \mathsf {ti},-\mathsf {k},-\mathsf {m},+\mathsf {enc} (\mathsf {m},\mathsf {k})\rangle @(\mathsf {tt} _1,\mathsf {tt} _2,\mathsf {tt} _3)$ denoting the strand $ \begin{array}{c} \langle \mathsf {ti},-\mathsf {k} \rangle @\mathsf {tt} _1 \Rightarrow \langle \mathsf {ti},-\mathsf {m} \rangle @\mathsf {tt} _2 \Rightarrow \langle \mathsf {ti},+\mathsf {enc} (\mathsf {m},\mathsf {k})\rangle @\mathsf {tt} _3 \end{array} $
Decryption: $\langle \mathsf {ti},-\mathsf {k} ^{-1},-\mathsf {enc} (\mathsf {m},\mathsf {k}),+\mathsf {m} \rangle @(\mathsf {tt} _1,\mathsf {tt} _2,\mathsf {tt} _3)$. $ \begin{array}{c} \langle \mathsf {ti},-\mathsf {k} ^{-1}\rangle @\mathsf {tt} _1 \Rightarrow \langle \mathsf {ti},-\mathsf {enc} (\mathsf {m},\mathsf {k})\rangle @\mathsf {tt} _2 \Rightarrow \langle \mathsf {ti},+\mathsf {m} \rangle @\mathsf {tt} _3 \end{array} $

As with the the usual Dolev-Yao intruder model as, e.g., in [25], the Timed Intruder can send text messages and known keys, receive a message, replay a message, concatenate and decompose messages, and finally encrypt and decrypt messages. There are, however, two differences with respect to the usual Dolev-Yao intruder model as defined in [25]. Each node of the trace is associated with an intruder name $\mathsf {ti} $ and a time variable $\mathsf {tt} $. These are necessary for extracting the Time Constraints of a Strand Graph (as described in Definition 5), specifying the physical restrictions of the Timed Intruder.

As the time when timed intruders receive and manipulate messages cannot be measured by the protocol participants, they do not have control over the time variables of timed intruder strands. The following assumption captures this intuition:

Time Variable Disjointness Assumption. For any Bundle $\mathcal {B}$, the set of time variables appearing in protocol participant strands in $\mathcal {B}$ is disjoint from the set of time variables appearing in timed intruder strands in $\mathcal {B}$.

Example 4

Let us return to the distance bounding protocol described in Example 1. The following is an attack, where two colluding intruders $\mathsf {ti} _1$, who is close to $\mathsf {p} _1$, and $\mathsf {ti} _2$, who is close to $\mathsf {p} _2$, collude by sharing a fast channel to fool $\mathsf {p} _1$ into thinking that $\mathsf {p} _2$ is closer than he actually is.

The intruders $\mathsf {ti} _1$ and $\mathsf {ti} _2$ simply forward messages between each other and the players $\mathsf {p} _1$ and $\mathsf {p} _2$. However, this is a Bundle only if the following Time Constraint Set is satisfiable:

$$\begin{aligned} \left\{ \begin{array}{c} \mathsf {tt} _2 \ge \mathsf {tt} _1, \mathsf {tt} = \mathsf {tt} _2, \mathsf {tt} _6 \ge \mathsf {tt} _2 + \mathsf {td}(\mathsf {p} _1,\mathsf {ti} _1), \mathsf {tt} _7 \ge \mathsf {tt} _6, \mathsf {tt} _8 \ge \mathsf {tt} _7 + \mathsf {td}(\mathsf {ti} _1,\mathsf {ti} _2), \mathsf {tt} _9 \ge \mathsf {tt} _8,\\ \mathsf {tt} _4 \ge \mathsf {tt} _9 + \mathsf {td}(\mathsf {ti} _1,\mathsf {p} _2), \mathsf {tt} _5 \ge \mathsf {tt} _4, \mathsf {tt} _{10} \ge \mathsf {tt} _5 + \mathsf {td}(\mathsf {p} _2,\mathsf {ti} _1), \mathsf {tt} _{11} \ge \mathsf {tt} _{10}, \mathsf {tt} _{12} \ge \mathsf {tt} _{11} + \mathsf {td}(\mathsf {ti} _2,\mathsf {ti} _1),\\ \mathsf {tt} _{13} \ge \mathsf {tt} _{12}, \mathsf {tt} _3 \ge \mathsf {tt} _{13} + \mathsf {td}(\mathsf {ti} _1,\mathsf {p} _1), \mathsf {tt} _3 \le \mathsf {tt} _2 + 4 \end{array} \right\} \end{aligned}$$

This set of constraints represents a set of concrete executions, where the Timed Intruders $\mathsf {ti} _1$ and $\mathsf {ti} _2$ collude. There is a concrete execution only if the set of Time Constraints is satisfiable, which depends on the Network Topology, that is, on the function $\mathsf {td} $.

4 Timed Intruder Completeness

Standard Security Protocol Verification is already very challenging. However, automated verification has been very successful in discovering new attacks. A good part of this success is due to the Dolev-Yao intruder model, which greatly simplifies the design of verification tools. Tools can rely on the important result that just a single Dolev-Yao intruder is enough, in the sense that if there is an attack in the presence of multiple (colluding) Dolev-Yao intruders, then there is also an attack in the presence of a single Dolev-Yao intruder [4].

Unfortunately, for Cyber-Physical Security Protocols, it is not the case that a single Timed Intruder is enough for verification. Consider the attack illustrated in Example 4. There may be a great number of Timed Intruders, but none of them situated between $\mathsf {p} _1$ and $\mathsf {p} _2$, as illustrated by Fig. 1. In such a scenario there might not be an attack as the round time to receive and return a message between such a display of intruders may never be less than the distance bound (4). On the other hand, two strategically placed Timed Intruders, as in the second picture in Fig. 1, may lead to an attack.

Clearly there is an unbounded number of choices based on deciding:

How many Timed Intruders are there?
Where are these Timed Intruders located?

This is similar to the challenge in usual security protocol verification of determining how many protocol sessions running in parallel should the scenario have, which is undecidable [20]. Fortunately, we are able to prove a completeness result which answers the two questions above. In order to formalize the completeness statement, we introduce some notation.

Definition 8

Let $\mathcal {B}$ be a Timed Bundle over the Network Topology $\mathsf {td} $ involving the participants $\mathcal {P}= \{\mathsf {p} _1,\ldots ,\mathsf {p} _n\}$ and the Timed Intruders $\mathcal {I}= \{\mathsf {ti} _1, \ldots , \mathsf {ti} _n\}$. The graph $\mathcal {B}$ restricted to participants $\mathcal {P}$, written $\mathcal {B}_\mathcal {P}$, is the graph $\langle \mathcal {N}_\mathcal {B}^\mathcal {P}, (\Rightarrow _\mathcal {B}^\mathcal {P}\cup \rightarrow _\mathcal {B}^\mathcal {P})\rangle $ specified as follows:

$\mathcal {N}_\mathcal {B}^\mathcal {P}$ contains only the nodes in $\mathcal {B}$ belonging to a participant in $\mathcal {P}$, i.e., of the form $\langle \mathsf {p},s,\bar{i}\rangle $ where $\mathsf {p} \in \mathcal {P}$;
For two nodes $n_1,n_2$ in $\mathcal {N}_\mathcal {B}^\mathcal {P}$, if $n_1 \Rightarrow n_2$ in $\mathcal {B}$, then $n_1 \Rightarrow _\mathcal {B}^\mathcal {P}n_2$;
If n is a node in $\mathcal {N}_\mathcal {B}^\mathcal {P}$ whose term is a message receive, $-\mathsf {m} $ or $-\mathsf {m} ~\#~\mathsf {tc} $, and $n'$ is a maximal element of the set of predecessors of n in $\mathcal {N}_\mathcal {B}^\mathcal {P}$ under the relation $(\Rightarrow \cup \rightarrow )^*;\rightarrow $ then $n' \rightarrow _\mathcal {B}^\mathcal {P}n$. We let $\mathcal {P}(n,\mathcal {B})$ denote this set of predecessors.

Intuitively, a Bundle restricted to the set of participants specifies the events observable by the participants without including the moves corresponding to the timed intruders. It includes all the edges of the original bundle connecting two nodes of $\mathcal {N}_\mathcal {B}^\mathcal {P}$. The “maximal predecessor” in $\mathcal {N}_\mathcal {B}^\mathcal {P}$ is the first element of $\mathcal {N}_\mathcal {B}^\mathcal {P}$ encountered when following edges in the predecessor direction. It is maximal in the partial order on nodes induced by the edges of the bundle. Thus the terms of nodes in $\mathcal {P}(n,\mathcal {B})$ contain all the terms used by the intruders to derive the term at node n.

The Bundle shown in Example 4 restricted to the participants $\{\mathsf {p} _1,\mathsf {p} _2\}$ is

The edge $\langle \mathsf {p} _1,+ \mathsf {c} ~\#~\mathsf {tt} = \mathsf {cur} \rangle @\mathsf {tt} _2 \rightarrow \langle \mathsf {p} _2,- \mathsf {c} \rangle @\mathsf {tt} _4$ in this figure simply specifies that using the message, $\mathsf {c} $, sent by $\mathsf {p} _1$, the timed intruders were able to send the message $\mathsf {c} $ to the participant $\mathsf {p} _2$.

For another example, consider the following Bundle, where timed intruder $\mathsf {ti} $ uses his key $\mathsf {k} \in K_P$ and the messages $\mathsf {c} _1$ and $\mathsf {c} _2$ to compose the message $\mathsf {enc} (\{\mathsf {c} _1,\mathsf {c} _2\},\mathsf {k})$ to $\mathsf {p} _3$:

The corresponding bundle restricted to the participants $\mathsf {p} _1,\mathsf {p} _2$ and $\mathsf {p} _3$ is:

It captures the fact that the messages sent by $\mathsf {p} _1$ and $\mathsf {p} _2$ are used to generate the message received by $\mathsf {p} _3$ without explicitly showing how intruders manipulated these messages.

Notice that unlike bundles, a receive node in a restricted bundle may have multiple incoming edges, reflecting the possibility of processing by multiple intruders.

The next two lemmas follow directly from the definition of Bundles and restricted Bundles.

Lemma 1

Let $p = \mathsf {n} \leadsto _1 \mathsf {n} _1 \leadsto _2 \mathsf {n} _2 \leadsto _3 \cdots \leadsto _{j-1} \mathsf {n} _{j} \leadsto _{j} \mathsf {n} '$ be a path from $\mathsf {n} $ in $\mathcal {P}(\mathsf {n} ',\mathcal {B})$ to $\mathsf {n} '$, where $\leadsto _i$ is either $\rightarrow $ or $\Rightarrow $ for $1 \le i \le j$. Then p is necessarily of the form:

$$\begin{aligned} \langle \mathsf {p},snd\rangle @\mathsf {tt} \rightarrow \langle \mathsf {ti} _1,s_1\rangle @\mathsf {tt} _1 \leadsto _2 \langle \mathsf {ti} _2,s_2\rangle @\mathsf {tt} _2 \leadsto _2 \cdots \leadsto _{j-1} \langle \mathsf {ti} _j,s_j\rangle @\mathsf {tt} _j \rightarrow \langle \mathsf {p} ',rcv\rangle @\mathsf {tt} ' \end{aligned}$$

where snd is a message send $(+ \mathsf {m})$ or a timed message send $(+\mathsf {m} ~ \#~\mathsf {tc})$, rcv is a message receive $(- \mathsf {m})$ or a timed message receive $(-\mathsf {m} ~ \#~\mathsf {tc})$, and for $1 \le i \le j$, $\langle \mathsf {ti} _i,s_i\rangle $ are timed intruder strands.

Lemma 2

Let $\mathcal {T}(\mathcal {B},\mathsf {td})$ be the Time Constraint Set of $\mathcal {B}$ for a given Network Topology $\mathsf {td} $. Let p be a path in $\mathcal {B}$ as described in Lemma 1 of the form:

$$\begin{aligned} \langle \mathsf {p},snd\rangle @\mathsf {tt} \rightarrow \langle \mathsf {ti} _1,s_1\rangle @\mathsf {tt} _1 \leadsto _1 \langle \mathsf {ti} _2,s_2\rangle @\mathsf {tt} _2 \leadsto _2 \cdots \leadsto _{j-1} \langle \mathsf {ti} _j,s_j\rangle @\mathsf {tt} _j \rightarrow \langle \mathsf {p} ',rcv\rangle @\mathsf {tt} ' \end{aligned}$$

Then any satisfying model of $\mathcal {T}(\mathcal {B},\mathsf {td})$ will also satisfy the constraint:

$$\begin{aligned} \mathsf {tt} ' \ge \mathsf {tt} + \mathsf {td}(\mathsf {p},\mathsf {ti} _1) + \mathsf {td}(\mathsf {ti} _1,\mathsf {ti} _2) + \cdots + \mathsf {td}(\mathsf {ti} _{j-1},\mathsf {ti} _j) + \mathsf {td}(ti_j,\mathsf {p} '). \end{aligned}$$

The following specifies the equivalence of two Bundles.

Definition 9

Let $\mathcal {P}$ be a set of participants and $\mathcal {I},\mathcal {I}'$ be two possibly equal sets of Timed Intruders. Let $\mathsf {td} _1 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _\mathcal {I}$ and $\mathsf {td} _2 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _{\mathcal {I}'}$ be Network Topologies. Then we say that a Timed Bundle $\mathcal {B}_1$ over $\mathsf {td_1} $ is equivalent to a Timed Bundle $\mathcal {B}_2$ over $\mathsf {td_2} $, written $\mathcal {B}_1 \cong _{\mathsf {td} _1}^{\mathsf {td} _2} \mathcal {B}_2$, if their Bundles restricted to $\mathcal {P}$ are (syntactically) identical, i.e., $\mathcal {B}_1^\mathcal {P}= \mathcal {B}_2^\mathcal {P}$.^{Footnote 2}

Intuitively, the condition $\mathcal {B}_1^\mathcal {P}= \mathcal {B}_2^\mathcal {P}$ specifies that for the honest participants the two Bundles are equivalent, although they may have different timed intruders in different locations manipulating messages in different ways. Thus, if such a $\mathcal {B}_1$ constitutes an attack, then $\mathcal {B}_2$ also constitutes an attack.

Timed Intruder Completeness Problem:

Let $\mathcal {P}= \{\mathsf {p} _1,\ldots ,\mathsf {p} _n\}$ be a set of participants and $\mathcal {I}= \{\mathsf {ti} _1,\ldots ,\mathsf {ti} _m\}$ be a set of timed intruders. Let $\mathsf {td} _\mathcal {P}$ be a Network Topology of the participants. Is there a subset $\mathcal {I}' \subseteq \mathcal {I}$ and $\mathsf {td} _{\mathcal {I}'}$ such that for any $\mathsf {td} _\mathcal {I}$ and any Bundle $\mathcal {B}_1$ over $\mathsf {td} _1 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _\mathcal {I}$, there is a Bundle $\mathcal {B}_2$ over $\mathsf {td} _2 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _{\mathcal {I}'}$ such that $\mathcal {B}_1 \cong _{\mathsf {td} _1}^{\mathsf {td} _2} \mathcal {B}_2$?

In other words, given a particular scenario with $\mathcal {P}$ participants and a Network Topology for these participants $\mathsf {td} _\mathcal {P}$, is there a Network Topology $\mathsf {td} {_\mathcal {I}'}$ involving a collection of Timed Intruders $\mathcal {I}'$ that can be used to carry out the same observable events for any other Network Topology $\mathsf {td} _\mathcal {I}$ with a possibly larger number of Timed Intruders?

If such an $\mathcal {I}'$ and $\mathsf {td} _{\mathcal {I}'}$ exists then an automated verification tool does not have to guess how many timed intruders there are, and where they are located, but simply can use $\mathcal {I}'$ and $\mathsf {td} _{\mathcal {I}'}$.

4.1 Completeness Proof

We are given a set of participants $\mathcal {P}= \{\mathsf {p} _1,\ldots ,\mathsf {p} _n\}$, a set of Timed Intruders $\mathcal {I}= \{\mathsf {ti} _1, \ldots , \mathsf {ti} _m\}$, and a Network Topology $\mathsf {td} _\mathcal {P}$ specifying the time messages take to travel between participants.

A Solution for the Timed Intruder Completeness Problem: For our solution, we assume that there are as many timed intruders as participants. If this is not the case, we can safely add more dummy timed intruders. We associate with each participant $\mathsf {p} _i$ one Timed Intruder $\mathsf {ti} _{\mathsf {p} _i}$. Thus:

$$\begin{aligned} \mathcal {I}'= \{\mathsf {ti} _{\mathsf {p} _1},\ldots , \mathsf {ti} _{\mathsf {p} _n}\}. \end{aligned}$$

Moreover, we assume that the time a message takes to travel between $\mathsf {p} _i$ to $\mathsf {ti} _i$ is 0 (or negligible). Moreover, the time for a message to travel between two Timed Intruders $\mathsf {ti} _{\mathsf {p} _i}$ and $\mathsf {ti} _{\mathsf {p} _j}$ is the same as the time it takes to travel between their corresponding participants $\mathsf {p} _i$ and $\mathsf {p} _j$. Thus:

$$\begin{aligned} \begin{array}{l@{\qquad }l} \mathsf {td} _{\mathcal {I}'}(\mathsf {p} _i,\mathsf {ti} _{\mathsf {p} _i}) = \mathsf {td} _{\mathcal {I}'}(\mathsf {ti} _{\mathsf {p} _i},\mathsf {p} _i) = 0 &{} \text {for all }\mathsf {p} _i\in \mathcal {P};\\ \mathsf {td} _{\mathcal {I}'}(\mathsf {ti} _{\mathsf {p} _i},\mathsf {ti} _{\mathsf {p} _j}) = \mathsf {td} _\mathcal {P}(\mathsf {p} _i,\mathsf {p} _j) &{} \text {for all }\mathsf {p} _i,\mathsf {p} _j \in \mathcal {P}. \end{array} \end{aligned}$$

The Timed Intruders in $\mathcal {I}'$ collude in the following form: whenever a Timed Intruder $\mathsf {t} _{\mathsf {p} _i}$ learns a message $\mathsf {m} $ sent by $\mathsf {p} _i$, it broadcasts this message $\mathsf {m} $ to the remaining Timed Intruders in $\mathcal {I}'\setminus \{\mathsf {ti} _{\mathsf {p} _i}\}$. For example, the Strand for when $\mathsf {p} _1$ sends a message is then as follows:

Notice that the message $\mathsf {m} $ reaches to a Timed Intruder $\mathsf {ti} _{\mathsf {p} _i}$ at time $\mathsf {tt} _{i}$ which is subject to the Time Constraints $\mathsf {tt} _{i} \ge \mathsf {tt} _{1}' + \mathsf {td} _\mathcal {P}(\mathsf {p} _1,\mathsf {p} _i)$ and $\mathsf {tt} _{1}' \ge \mathsf {tt} _1 + \mathsf {td}(\mathsf {p} _1,\mathsf {ti} _{\mathsf {p} _1}) $, which reduces to $\mathsf {tt} _{1}' \ge \mathsf {tt} _1$ as $\mathsf {td}(\mathsf {p} _1,\mathsf {ti} _{\mathsf {p} _1}) = 0$. Thus, $\mathsf {tt} _{i} \ge \mathsf {tt} _{1} + \mathsf {td} _\mathcal {P}(\mathsf {p} _1,\mathsf {p} _i)$. Moreover, if the Timed Intruder $\mathsf {ti} _{\mathsf {p} _i}$ forwards this message to the participant $\mathsf {p} _i$, then this message will be received at a time $\mathsf {tt} _{i}' \ge \mathsf {tt} _{1} + \mathsf {td} _\mathcal {P}(\mathsf {p} _1,\mathsf {p} _i)$, that is, as if the message had traveled directly from $\mathsf {p} _1$ to $\mathsf {p} _i$ without passing through intruders $\mathsf {ti} _{p_1}$ and $\mathsf {ti} _{p_i}$

Proof. We will now show that the $\mathcal {I}'$ and $\mathsf {td} _{\mathcal {I}'}$ defined above provide a solution for the Timed Intruder Completeness Problem. For this, assume given a $\mathsf {td} _\mathcal {I}$ and a Bundle $\mathcal {B}_1$ over $\mathsf {td} _1 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _\mathcal {I}$.

We will construct a Bundle $\mathcal {B}_2$ over $\mathsf {td} _2 = \mathsf {td} _\mathcal {P}\uplus \mathsf {td} _{\mathcal {I}'}$ such that $\mathcal {B}_1 \cong _{\mathsf {td} _1}^{\mathsf {td} _2} \mathcal {B}_2$. We do so by transforming $\mathcal {B}_1$ into $\mathcal {B}_2$.

Let the following be a sub-graph of $\mathcal {B}_1$ restricted to $\mathcal {P}$:

where for all $1 \le i \le n$, $snd_i$ is a Message Output $(+ \mathsf {m} _i)$ or a Timed Message Output $(+\mathsf {m} _i~ \#~\mathsf {tc})$, rcv is a Message Input $(- \mathsf {m})$ or a Timed Message Input $(-\mathsf {m} ~ \#~\mathsf {tc})$.

Let p be an arbitrary path from node $\langle \mathsf {p} _i,snd_i\rangle @\mathsf {tt} _i$ to $\langle \mathsf {p},rcv\rangle @\mathsf {tt} $ path in $\mathcal {B}_1$. From Lemma 1, p has the shape:

$$\begin{aligned} \langle \mathsf {p} _i,snd_i\rangle @\mathsf {tt} _i \rightarrow \langle \mathsf {ti} _1,s_1\rangle @\mathsf {tt} _1 \leadsto _1 \langle \mathsf {ti} _2,s_2\rangle @\mathsf {tt} _2 \leadsto _2 \cdots \leadsto _{j-1} \langle \mathsf {ti} _j,s_j\rangle @\mathsf {tt} _j \rightarrow \langle \mathsf {p} ',rcv\rangle @\mathsf {tt} \end{aligned}$$

Moreover, from Lemma 2, any model satisfying $\mathcal {B}_1$ will also satisfy the constraint:

$$\begin{aligned} \mathsf {tt} \ge \mathsf {tt} _i + \mathsf {td}(\mathsf {p} _i,\mathsf {ti} _1) + \mathsf {td}(\mathsf {ti} _1,\mathsf {ti} _2) + \cdots + \mathsf {td}(\mathsf {ti} _{j-1},\mathsf {ti} _j) + \mathsf {td}(ti_j,\mathsf {p}). \end{aligned}$$

(2)

Given our assumption on the Network Topology (Eq. 1), we also have that

$$\begin{aligned} \mathsf {td}(\mathsf {p} _i,\mathsf {p}) \le \mathsf {td}(\mathsf {p},\mathsf {ti} _1) + \mathsf {td}(\mathsf {ti} _1,\mathsf {ti} _2) + \cdots + \mathsf {td}(\mathsf {ti} _{j-1},\mathsf {ti} _j) + \mathsf {td}(\mathsf {ti} _j,\mathsf {p}) \end{aligned}$$

That is, the time it takes to travel directly from $\mathsf {p} _i$ to $\mathsf {p} $ is less than or equal to the time it takes to travel from $\mathsf {p} _i$ to $\mathsf {p} $ via the timed intruders $\mathsf {ti} _1,\ldots ,\mathsf {ti} _j$.

From our solution, we obtain for the sub-graph shown above the following subgraph where all the messages $\mathsf {m} _1,\ldots ,\mathsf {m} _n$ are broadcast to all Timed Intruders including the Timed Intruder $\mathsf {ti} _{p}$:

where the intruder $\mathsf {ti} _{\mathsf {p}}$ receives the messages $\mathsf {m} _1,\ldots ,\mathsf {m} _n$. Notice that for $1 \le i \le n$, we have that $\mathsf {tt} _i'' \ge \mathsf {tt} _i + \mathsf {td}(\mathsf {p} _i,\mathsf {p}) $. At this point the intruder $\mathsf {ti} _{\mathsf {p}}$ has all the information he needs to compose the message $\mathsf {m} $. Moreover, he can do so without losing time. Thus he is able to deliver the message $\mathsf {m} $ to $\mathsf {p} $ at time $\mathsf {tt} $ satisfying the constraints:

$$\begin{aligned} \mathsf {tt} \ge \mathsf {tt} _1 + \mathsf {td}(\mathsf {p} _1,\mathsf {p}) \quad \mathsf {tt} \ge \mathsf {tt} _2 + \mathsf {td}(\mathsf {p} _2,\mathsf {p}) \quad \cdots \quad \mathsf {tt} \ge \mathsf {tt} _n + \mathsf {td}(\mathsf {p} _n,\mathsf {p}). \end{aligned}$$

(3)

As any model of the Time Constraints Set of $\mathcal {B}_1$ satisfies Eq. 2, the same assignment for $\mathsf {tt} _1,\ldots ,\mathsf {tt} _n,\mathsf {tt} $ will also satisfy the time constraints in Eq. 3. Moreover, if any of $snd_1,\ldots ,snd_n$ is a Timed Output $(\mathsf {p} _i,+\mathsf {m} _i~\#~\mathsf {tc} _i)$ or rcv is a Timed Input $(\mathsf {p},- \mathsf {m} ~\#~\mathsf {tc})$ the same assignment will also satisfy $\mathsf {tc} _i$ and $\mathsf {tc} $ because protocol participant strands and timed intruder strands do not share time variable (Time Variable Disjointness Assumption).

By repeating this procedure for each sub-graph in $\mathcal {B}_1$ restricted to $\mathcal {P}$ as shown above, we are able to construct $\mathcal {B}_2$ using $\mathsf {td} _{\mathcal {I}'}$ where the only timed intruder strands are those of the intruders $\mathcal {I}'$ leading to the following result.

Theorem 1

Let $\mathcal {P}$ be participant names and $\mathcal {I}$ be Timed Intruders, such that $|\mathcal {I}| \ge |\mathcal {P}|$. Let $\mathcal {I}'$ and $\mathsf {td} _{\mathcal {I}'}$ be as described above. Then $\mathcal {I}'$ and $\mathsf {td} _{\mathcal {I}'}$ solve the Timed Intruder Completeness Problem.

Remark 2

It should be possible to extend our completeness result for cases with different transmission channels (See Remark 1). For this, our solution would assume that the intruders communicate with the fastest transmission speed available. This is enough to prove Eq. 2 without relying on Eq. 1. We leave a more careful analysis to future work.

Remark 3

Our solution of placing a timed intruder close to each participant might be unrealistic for some scenarios, e.g., when a participant, A, is guaranteed to be alone due to some physical barrier which ensures that intruders are at least d units away. We speculate that by instead of placing a single intruder for A, we would need n intruders, where n is the number of participants. Each intruder would be placed d units away from A in the direction of each other participant. This should be enough to prove a corresponding completeness theorem. We leave this interesting problem to future work.

5 Examples and Preliminary Experimental Results

We illustrate with some examples that our solution is able to identify attacks on CPSP. We are using the terminology of attacks described in [10].

External Distance Fraud. Assume two honest participants $\mathsf {p} _1$ (Verifier) and $\mathsf {p} _2$ (Prover). They exchange some information, normally to authenticate $\mathsf {p} _2$, for example [24], using a standard Needham-Schroeder-Lowe protocol session [17], and then carry-out a distance bounding protocol session. The following Timed Strand captures the attack where the intruder $\mathsf {ti} _{p_1}$ fools player $\mathsf {p} _1$ that $\mathsf {p} _2$ is closer than he actually is by completing the distance bounding challenge:

Notice that the timed intruder $\mathsf {ti} _{\mathsf {p} _1}$ is able to complete the distance bounding session as he is very close to the verifier $\mathsf {p} _1$. This is captured by the Time Constraint Set of this Bundle. Moreover, here we assume that they exchange a nonce, but if we allow equational theories specifying, for example xor operations $\oplus $ as done in [13], a similar Timed Bundle would be obtained.

Attack-in-Between-Ticks. The In-Between-Ticks attack [15] is an instance of a Lone Distance Fraud attack [10], where the prover is dishonest but is not colluding with other Timed Intruders. This attack exploits the fact that real verifiers are running on a processor with a slow clock speed. When the verifier receives the response from the prover, he is only able to record the time of receival in the following clock cycle. This is captured by using the Time Constraint $(\mathsf {floor} (\mathsf {cur}) + 1)$ as illustrated by the following Timed Strand:

It is possible to show that the Time Constraint Set of this Timed Strand, $\mathcal {T}$, is satisifiable although the distance between $\mathsf {p} _1$ and $\mathsf {p} _2$ is greater than the distance bound 4. That is, it is possible to show that the set $\mathcal {T}\cup \{\mathsf {td}(\mathsf {p} _1,\mathsf {p} _2)> 4, \mathsf {td}(\mathsf {p} _2,\mathsf {p} _1) > 4\}$ is satisfiable.

Distance Hijacking. In our technical report [21], we show the Timed Bundle with the Distance Hijacking attack described in [24] on the protocol that combines the traditional Needham-Schroeder-Lowe protocol and a distance bounding session.

5.1 Prototype Implementation

We developed a prototype implementation, which can be found at [22], of this strategy in a version of Maude [8] integrated with the SMT solver CVC4 [2]. Our preliminary results seem quite promising.

In addition to symbolic time constraints we implemented a symbolic constraint solver in order to tackle the state-space explosion due to the fact that a timed intruder can generate an unbounded number of messages. It works along the same lines as in usual implementations of such constraint solvers used by tools assuming the standard Dolev-Yao intruder by not instantiating messages generated by the intruder, but rather using symbolic constraints.

Our prototype used and implements mechanisms for the main contributions of this paper:

Network Topology as a Constraint Set: While here we assume that the Network Topology is given by a function $\mathsf {td} $ which completely determines the time messages take to travel between agents, our implementation allows the user to specify the Network Topology as a set of constraints. For example, the constraint $\mathsf {td}(\mathsf {p} _1,\mathsf {p} _2) > 4$ specifies the set of Network Topologies where the time it takes for a message to travel from $\mathsf {p} _1$ to $\mathsf {p} _2$ is greater than 4. This reduces even further the decision choices needed when specifying some scenario as one does not need to consider grounded Network Topologies.
Time Variables and Time Constraints: As described here, we use time variables and keep track of the Time Constraints of the constructed Timed Strand, which is initially empty. Whenever a command in our protocol language is executed, we add the corresponding constraint to the set of constraints following Definition 5. We then call the SMT solver to check whether the set of constraints is satisfiable. If it is not, then search on this branch of the search tree is aborted.
Timed Intruders: Our prototype also implements the solution described in Sect. 4.1 for the configuration of timed intruders. This greatly simplifies the number of decisions needed when specifying a verification scenario. Whenever a message is sent by a participant, his corresponding timed intruder broadcasts this message to all other Timed Intruders. A timed intruder is only able to learn such a message when enough time has elapsed. This is implemented also using the SMT solver and adding appropriate time constraints.

Table 1 summarizes some preliminary experimental results.

Table 1. Preliminary experimental results

Full size table

The External Distance Fraud and Attack-in-Between-Ticks are as described above. The number of states traversed is quite small for finding these. The distance bounding protocol scheme is used by many other protocols, such as the protocol described in [24] (NSL + Distance Bounding) and the lack of its use leads to an attack on the Paywave protocol [6]. We implemented these to check how our tool scales to larger protocols. We implemented a simplified version of the Paywave protocol omitting some of the steps taken and only concentrating on the core part of the protocol. Our tool was able to find the attack in 8s traversing around 3.2k states. Finally, we implemented the whole Paywave protocol and our tool was also able to find the attack, but now in 78s traversing 20.8k states.

The use of the SMT solver was essential to reduce the number of states. However, it seems that it is possible to reduce the overhead caused by each call of the SMT solver.

We also experimented with protocols that fall outside of our language fragment. The NSL + Distance Bounding protocol described in [24] with a small modification carries out a standard Needham-Schroeder-Lowe protocol session, followed by a distance bounding protocol using xor. Since our tool does not support yet equational theories, a subject for future work, we modeled the distance bounding session with a pair. Our tool was able to find a terrorist attack in 108 ms traversing 86 states. This attack was not reported in [24] as they did not assume that intruders are close to the participants.

Finally, we also obtained preliminary results on using the tool for checking whether there is a privacy attack on a protocol [7]. In order to check for such an attack, we need to enumerate all possible executions. (The formal definitions are out of the scope of this paper.) In order to have an idea of how big this set of executions is, we implemented the protocol used for RFID in European passports. The total number of states was only 10 states. This is a promising result for extending this work to check for properties that rely on observational equivalence [5].

6 Related and Future Work

Meadows et al. [19] and Pavlovic and Meadows in [23] propose and use a logic called Protocol Derivation Logic (PDL) to formalize and prove the safety of a number of cyber-physical protocols. In particular, they specify the assumptions and protocol executions in the form of axioms, specifying the allowed order of events that can happen, and show that safety properties are implied by the axiomatization used. They do not formalize an intruder model. Another difference between their work and ours is that their PDL specification is not an executable specification.

Another approach similar to [19], in the sense that it uses a theorem proving approach, is given by Basin et al. [3]. They formalize an intruder model that is similar to ours in Isabelle, and also formalize some cyber-physical security protocols. They then prove the correctness of these protocols under some specific conditions and also identify attacks when some conditions are not satisfied. Their work has been a source of inspiration for our intruder model specified in Sect. 3. However, they do not propose or investigate the Timed Intruder Completeness Problem.

Chothia et al. [6] investigate empirically the execution times of commands of CPSP which are carried out by limited resource devices and then, based on these measurements, they propose the inclusion of a distance bounding session to mitigate relay attacks. They proved the security of CPSP by modeling the protocol in different phases. As we illustrate in Example 2, our language allows the inclusion of the measurements themselves. We leave a more detailed analysis to future work.

Cheval and Cortier [5] propose a way to prove the observational equivalence with time by reducing it to the observational equivalence based on the length of inputs. They are able to automatically show that RFID protocols used by passports suffer a privacy attack. Their approach is, therefore, different as they do not investigate the Timed Intruder Completeness Problem. Also it is not clear whether from their language one can capture attacks such as the Attack-in-Between Ticks which exploits the time constraints of the verifier. Finally, from our initial experiments with the Passport RFID protocol, we believe that it is also feasible to check for privacy attacks given the very low number of states encountered by our tool. This is left for future work.

Corin et al. [9] propose using timed automata to model check security protocols taking into account retransmission and error states of security protocols. This is an early contribution on the analysis of timing aspects of security protocols which did not consider CPSP nor the completeness of timed intruders.

Finally, Malladi et al. [18] formalize distance bounding protocols in strand spaces. They then construct an automated tool for protocol verification using a constraint solver to verify a number of examples. There are some similarities between their goals and the goal we want to achieve, namely, the automated verification of CPSP and in the use of SMT solvers to do so. However, there are some important differences. Firstly, we formalize and provide a solution to the Timed Intruder Completeness Problem and, secondly, our language seems to have more expressive features, e.g., our time constraints.

The definition of restricted bundle to characterize executions from the protocol participants perspective is inspired by the notions of skeleton and shape in strand space based protocol analysis [11, 12].

Arnaud et al. [1] propose a model for specifying and reasoning about secured routing protocols where nodes communicate in a direct way with their neighbors. It seems possible to represent our network model using time constraints as they do and not only reason about the routing of packets, but also the time when these arrive, which is important for cyber-physical systems where agents use some routing protocol to communicate. We leave this to future work.

We are currently investigating methods to control even further the state space explosion, for example, using more elaborate symbolic constraint systems for messages and investigating how to support backward Narrowing as in Maude-NPA [14]. Moreover, we are extending our implementation to support message signatures with equational theories using the library available in Maude [13]. Finally, we are investigating definitions of observational equivalence which involve time and that can be implemented using SMT-solvers.

Notes

1.
For readability we display graph nodes using the player’s id paired with the node term, rather than using the strand identifier and trace position.
2.
It is possible to relax this definition so that they are identical modulo time variable names, but this is not needed here.

References

Arnaud, M., Cortier, V., Delaune, S.: Modeling, verifying ad hoc routing protocols. Inf. Comput. 238, 30–67 (2014). Special Issue on Security and Rewriting Techniques
Article MathSciNet MATH Google Scholar
Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanović, D., King, T., Reynolds, A., Tinelli, C.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011)
Chapter Google Scholar
Basin, D.A., Capkun, S., Schaller, P., Schmidt, B.: Formal reasoning about physical properties of security protocols. ACM Trans. Inf. Syst. Secur. 14(2), 16 (2011)
Article Google Scholar
Cervesato, I.: Data access specification and the most powerful symbolic attacker in MSR. In: Okada, M., Babu, C.S., Scedrov, A., Tokuda, H. (eds.) ISSS 2002. LNCS, vol. 2609, pp. 384–416. Springer, Heidelberg (2003)
Chapter Google Scholar
Cheval, V., Cortier, V.: Timing attacks in security protocols: symbolic framework and proof techniques. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 280–299. Springer, Heidelberg (2015)
Google Scholar
Chothia, T., Garcia, F.D., de Ruiter, J., van den Breekel, J., Thompson, M.: Relay cost bounding for contactless EMV payments. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 189–206. Springer, Heidelberg (2015)
Chapter Google Scholar
Chothia, T., Smirnov, V.: A traceability attack against e-passports. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 20–34. Springer, Heidelberg (2010)
Chapter Google Scholar
Clavel, M., Durán, F., Eker, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, C.: All About Maude: A High-Performance Logical Framework. Springer, Heidelberg (2007)
MATH Google Scholar
Corin, R., Etalle, S., Hartel, P.H., Mader, A.: Timed model checking of security protocols. In: FMSE. ACM (2004)
Google Scholar
Cremers, C.J.F., Rasmussen, K.B., Schmidt, B., Capkun, S.: Distance hijacking attacks on distance bounding protocols. In: IEEE Symposium on Security and Privacy, SP (2012)
Google Scholar
Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Searching for shapes in cryptographic protocols. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 523–537. Springer, Heidelberg (2007)
Chapter Google Scholar
Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Skeletons, homomorphisms, shapes, characterizing protocol executions. In: Mathematical Foundations of Program Semantics (2007)
Google Scholar
Durán, F., Eker, S., Escobar, S., Martí-Oliet, N., Meseguer, J., Talcott, C.: Built-in variant generation and unification, and their applications in Maude 2.7. In: Olivetti, N., Tiwari, A. (eds.) IJCAR 2016. LNCS, vol. 9706, pp. 183–192. Springer, Heidelberg (2016). doi:10.1007/978-3-319-40229-1_13
Chapter Google Scholar
Escobar, S., Meadows, C.A., Meseguer, J.: Maude-NPA, cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007/2008/2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009)
Chapter Google Scholar
Kanovich, M., Kirigin, T.B., Nigam, V., Scedrov, A., Talcott, C.: Discrete vs. dense times in the analysis of cyber-physical security protocols. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 259–279. Springer, Heidelberg (2015)
Google Scholar
Kanovich, M.I., Kirigin, T.B., Nigam, V., Scedrov, A., Talcott, C.L.: Towards timed models for cyber-physical security protocols. Available in Nigam’s homepage (2014)
Google Scholar
Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)
Chapter Google Scholar
Malladi, S., Bruhadeshwar, B., Kothapalli, K.: Automatic analysis of distance bounding protocols. CoRR, abs/1003.5383 (2010)
Google Scholar
Meadows, C., Poovendran, R., Pavlovic, D., Chang, L., Syverson, P.F.: Distance bounding protocols, authentication logic analysis and collusion attacks. In: Poovendran, R., Roy, S., Wang, C. (eds.) Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks. Advances in Information Security, vol. 30, pp. 279–298. Springer, New York (2007)
Chapter Google Scholar
Millen, J.K.: A necessarily parallel attack. In: Workshop on Formal Methods and Security Protocols (1999)
Google Scholar
Nigam, V., Talcott, C., Urquiza, A.A.: Towards the automated verification of cyber-physical security protocols, Bounding the number of timed intruders. CoRR, abs/1605.08563 (2016)
Google Scholar
Nigam, V., Talcott, C., Urquiza, A.A.: https://github.com/SRI-CSL/VCPublic.git (2016)
Pavlovic, D., Meadows, C.: Deriving ephemeral authentication using channel axioms. In: Security Protocols, Workshop, pp. 240–261 (2009)
Google Scholar
Santiago, S., Escobar, S., Meadows, C.A., Meseguer, J.: Effective sequential protocol composition in Maude-NPA. CoRR, abs/1603.00087 (2016)
Google Scholar
Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7(1), 191–230 (1999)
Article Google Scholar

Download references

Acknowledgments

We thank the anonymous reviewers for their valuable comments and observations. Talcott was partially supported by NSF grant CNS-1318848 and ONR grant N00014-15-1-2202. Nigam and Talcott were partially supported by Capes Science without Borders grant 88881.030357/2013-01. Nigam was partially supported by Capes and CNPq.

Author information

Authors and Affiliations

Federal University of Paraíba, João Pessoa, Brazil
Vivek Nigam & Abraão Aires Urquiza
SRI International, Menlo Park, USA
Carolyn Talcott

Authors

Vivek Nigam
View author publications
You can also search for this author in PubMed Google Scholar
Carolyn Talcott
View author publications
You can also search for this author in PubMed Google Scholar
Abraão Aires Urquiza
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vivek Nigam .

Editor information

Editors and Affiliations

Institute of Computer Science, Found for Research & Technology - Hellas Institute of Computer Science, Heraklion, Crete, Greece
Ioannis Askoxylakis
Technology - Hellas, Foundation for Research and Technology - Hellas, Heraklion, Greece
Sotiris Ioannidis
Norwegian Univ. of Science & Technology , Gjøvik, Norway
Sokratis Katsikas
Naval Research Laboratory , Washington, District of Columbia, USA
Catherine Meadows

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Nigam, V., Talcott, C., Aires Urquiza, A. (2016). Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds) Computer Security – ESORICS 2016. ESORICS 2016. Lecture Notes in Computer Science(), vol 9879. Springer, Cham. https://doi.org/10.1007/978-3-319-45741-3_23

Download citation

DOI: https://doi.org/10.1007/978-3-319-45741-3_23
Published: 15 September 2016
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45740-6
Online ISBN: 978-3-319-45741-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics