Verification of Mondex electronic purses with KIV: from transactions to a security protocol

The Mondex case study on the specification and refinement of an electronic purse, as defined in the Oxford Technical Monograph PRG-126, has recently been proposed as a challenge for formal, system-supported verification. In this paper we report on two results. First, we report on the successful verification of the full case study using the KIV specification and verification system. We demonstrate that, even though the hand-made proofs were elaborated to an enormous level of detail, we could still find small errors both in the underlying data refinement theory and in the formal proofs of the case study. Second, the original Mondex case study verifies functional correctness assuming a suitable security protocol. We extend the case study here with a refinement to such a security protocol, one that uses symmetric cryptography to achieve the necessary properties of the security-relevant messages. The definition is based on a generic framework for defining such protocols using abstract state machines (ASMs). We prove the refinement using a forward simulation.