Where Next for Formal Methods?

In this paper we propose a novel approach to the analysis of security protocols, using the process algebra CSP to model such protocols and verifying security properties using a combination of the FDR model checker and the PVS theorem prover. Although FDR and PVS have enjoyed success individually in this domain, each suffers from its own deficiency: the model checker is subject to state space explosion, but is superior at finding attacks in a system with finitely many states; the theorem prover can reason about systems with massive or infinite state spaces, but requires considerable human direction. Using FDR and PVS together makes for a practical and interesting way to attack problems that would remain out of reach for either tool on its own.
