The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

The Mondex case study, on the specification and refinement of an electronic purse as defined in [SCJ00], has recently been proposed as a challenge for formal system-supported verification. This paper reports on the successful verification of the major part of the case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail, we could still find small errors in the underlying data refinement theory as well as in the formal proofs of the case study. We also provide an alternative formalisation of the communication protocol using abstract state machines. Finally, the Mondex case study verifies functional correctness assuming a suitable security protocol. We therefore propose to extend the case study to include the verification of a suitable security protocol.
