Theory generation for security protocols

This thesis introduces theory generation, a new general-purpose technique for performing automated verification. Theory generation draws inspiration from, and complements, both automated theorem proving and symbolic model checking, the two approaches that currently dominate mechanical reasoning. At the core of this approach is the notion of producing a finite representation of a theory: all the facts derivable from a set of assumptions. An algorithm is presented for producing compact theory representations for an expressive class of simple logics.

Security-sensitive protocols are widely used today, and the growing popularity of electronic commerce is leading to increasing reliance on them. Though simple in structure, these protocols are notoriously difficult to design properly. Since specifications of these protocols typically involve a small number of principals, keys, nonces, and messages, and since many properties of interest can be expressed in “little logics” such as the Burrows-Abadi-Needham (BAN) logic of authentication, this domain is amenable to theory generation. Theory generation enables fast, automated analysis of these security protocols. Given the theory representation generated from a protocol specification, one can quickly test for specific desired properties, as well as directly manipulate the representation to perform other kinds of analysis, such as protocol comparison. This thesis describes applications of theory generation to more than a dozen security protocols using three existing logics of belief; these examples confirm, or in some cases expose flaws in, earlier analyses.

This thesis introduces a new logic, RV, for security protocol analysis. While drawing on the BAN heritage, RV addresses a common criticism of BAN-like logics: that the idealization step can mask vulnerabilities present in the concrete protocol. By formalizing message interpretation, RV allows the verification of honesty and secrecy properties, in addition to the traditional belief properties. The final contribution of this thesis, the REVERE protocol analysis tool, has a theory generation core with plug-in modules for RV and other logics. Its performance is suitable for interactive use; verification times are under a minute for all examples.
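The idea of generating a finite theory and then testing properties by lookup can be shown in miniature. The following is an added illustration, not the thesis's algorithm or REVERE code: it saturates a few simplified BAN-style rules (message meaning, nonce verification, jurisdiction, splitting of concatenations) over a constructed one-message key-distribution step. All function names, the term encoding, and the toy protocol are assumptions made for this example.

```python
# Terms are nested tuples; names and the toy protocol are constructed for illustration.
def believes(p, x): return ("believes", p, x)
def sees(p, x): return ("sees", p, x)
def said(q, x): return ("said", q, x)
def controls(q, x): return ("controls", q, x)
def fresh(x): return ("fresh", x)
def key(k, p, q): return ("key", k, p, q)
def enc(x, k): return ("enc", x, k)
def cat(*parts): return ("cat",) + parts

def is_fresh(p, x, facts):
    # A concatenation counts as fresh if any component is believed fresh.
    if believes(p, fresh(x)) in facts:
        return True
    return isinstance(x, tuple) and x[0] == "cat" and any(is_fresh(p, y, facts) for y in x[1:])

def step(facts):
    new = set()
    for f in facts:
        if f[0] == "sees" and f[2][0] == "enc":      # message meaning (shared key)
            p, (_, x, k) = f[1], f[2]
            for g in facts:
                if (g[0] == "believes" and g[1] == p and g[2][0] == "key"
                        and g[2][1] == k and p in g[2][2:]):
                    q = g[2][3] if g[2][2] == p else g[2][2]
                    new.add(believes(p, said(q, x)))
        if f[0] == "believes" and f[2][0] in ("said", "believes"):
            p, (op, q, x) = f[1], f[2]
            if x[0] == "cat":                        # split a concatenation
                new.update(believes(p, (op, q, part)) for part in x[1:])
            if op == "said" and is_fresh(p, x, facts):            # nonce verification
                new.add(believes(p, believes(q, x)))
            if op == "believes" and believes(p, controls(q, x)) in facts:  # jurisdiction
                new.add(believes(p, x))
    return new

def generate_theory(assumptions):
    # Saturate to a fixed point; the rules only rearrange subterms, so this terminates.
    theory = set(assumptions)
    while True:
        new = step(theory) - theory
        if not new:
            return theory
        theory |= new

KAB = key("Kab", "A", "B")
ASSUMPTIONS = {believes("A", key("Kas", "A", "S")), believes("A", fresh("Na")),
               believes("A", controls("S", KAB)), sees("A", enc(cat("Na", KAB), "Kas"))}
GOAL = believes("A", KAB)   # property check is a set lookup: GOAL in generate_theory(...)
```

Dropping the freshness assumption models a replayed message: the closure still records that S once said the key, but the goal belief is no longer derivable.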
