A Reduced Semantics for Deciding Trace Equivalence

Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e., without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. Mödersheim et al. have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called APTE. We conducted complete benchmarks showing dramatic improvements.
