Hierarchical combination of intruder theories
Recently, automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be refined, to find more subtle weaknesses, by modelling the operators employed by protocols more accurately. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for non-disjoint intruder theories and to show decidability results for the deduction problem in these theories. We have also shown that, under natural hypotheses, hierarchical intruder constraints can be decided. This result applies to an exponentiation theory that appears to be more general than the one considered before.
Hierarchical Combination of Intruder Theories
Abstract. Recently, automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be refined, to find more subtle weaknesses, by modelling the operators employed by protocols more accurately. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on an exponentiation theory.
Approximation based tree regular model checking
This paper addresses the following general problem of tree regular model checking: decide whether where is the reflexive and transitive closure of a successor relation induced by a term rewriting system , and and are both regular tree languages. We develop an automatic approximation-based technique to handle this problem, which is undecidable in general, in most practical cases, extending recent work by Feuillade, Genet and Viet Triem Tong. We also make this approach fully automatic for the practical validation of security protocols.
A Proof Theoretic Analysis of Intruder Theories
We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message M can be deduced from a set of messages Gamma under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems, and proving decidability requires significant effort in showing that the rules are "local" in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof-theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problem, which amounts to solving certain equations in the underlying individual equational theories. We show that this result extends to combinations of disjoint AC-convergent theories, whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. To further demonstrate the utility of the sequent-based approach, we show that, for Dolev-Yao intruders, our sequent-based techniques can be used to solve the more difficult problem of solving deducibility constraints, where the sequents to be deduced may contain gaps (or variables) representing possible messages the intruder may produce.
Comment: Extended version of RTA 2009 paper.
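The intruder deduction problem that the three abstracts above revolve around (is a message M derivable from a set Gamma of observed messages?) is easiest to see on a small saturation procedure. The following is an added example written for this page; it is not code from any of the papers listed here, and the term encoding, the function names and the Diffie-Hellman scenario are all assumptions made for the illustration. It implements the standard Dolev-Yao rules (pairing, symmetric and asymmetric encryption, public keys) and, optionally, a normalisation step for exponentiation in which exponents commute, which is the non-disjoint theory the first abstracts say plain combination results do not cover. Running the same deduction question in the free algebra and modulo commuting exponents shows why the modelling choice matters: in the free algebra the key Bob computes as (g^a)^b and the key Alice computes as (g^b)^a are syntactically different terms, so an attacker who knows b is wrongly judged unable to decrypt.

```python
"""Dolev-Yao intruder deduction, optionally modulo commuting exponents.

Added example (not code from any of the papers above). Messages are nested
tuples over string atoms (encoding assumed for this illustration):

    ('pair', m1, m2)            pairing
    ('senc', m, k)              symmetric encryption of m under k
    ('aenc', m, ('pk', a))      asymmetric encryption under a's public key
    ('pk', a)                   public key of the private atom a
    ('exp', base, (e1, ...))    exponentiation; exponents are atoms

With ac=True the rewrite exp(exp(g, E1), E2) -> exp(g, E1 ++ E2), exponents
kept as a sorted multiset, approximates the abelian-group law on exponents
(inverses are deliberately left out). With ac=False the theory is free.
"""


def norm(t, ac=True):
    """Bring a term into normal form; only exponentiation is rewritten."""
    if isinstance(t, str):
        return t
    tag = t[0]
    if tag == 'exp':
        base = norm(t[1], ac)
        exps = tuple(norm(e, ac) for e in t[2])
        if ac and isinstance(base, tuple) and base[0] == 'exp':
            base, exps = base[1], base[2] + exps      # flatten (g^E1)^E2 to g^(E1 ++ E2)
        return ('exp', base, tuple(sorted(exps, key=repr)) if ac else exps)
    return (tag,) + tuple(norm(x, ac) for x in t[1:])


def _remainder(small, big):
    """big minus small as a list if small is a sub-multiset of big, else None."""
    rest = list(big)
    for e in small:
        if e not in rest:
            return None
        rest.remove(e)
    return rest


def synth(t, known, ac=True):
    """Composition rules: can the intruder build t from the analysed set known?"""
    t = norm(t, ac)
    if t in known:
        return True
    if isinstance(t, str):
        return False                                  # fresh atoms cannot be guessed
    tag = t[0]
    if tag in ('pair', 'senc', 'aenc'):
        return synth(t[1], known, ac) and synth(t[2], known, ac)
    if tag == 'pk':
        return synth(t[1], known, ac)                 # public key derivable from the private atom
    if tag == 'exp':
        base, exps = t[1], t[2]
        if synth(base, known, ac) and all(synth(e, known, ac) for e in exps):
            return True
        if ac:
            # Raise a known power of the same base by the exponents still missing.
            for k in known:
                if isinstance(k, tuple) and k[0] == 'exp' and k[1] == base:
                    rest = _remainder(k[2], exps)
                    if rest is not None and all(synth(e, known, ac) for e in rest):
                        return True
    return False


def analyse(gamma, ac=True):
    """Decomposition rules iterated to a fixpoint. Exponentiation has no
    decomposition rule: discrete logarithms are assumed infeasible."""
    known = {norm(t, ac) for t in gamma}
    while True:
        new = set()
        for t in known:
            if isinstance(t, str):
                continue
            tag = t[0]
            if tag == 'pair':
                new.update((t[1], t[2]))
            elif tag == 'senc' and synth(t[2], known, ac):
                new.add(t[1])
            elif (tag == 'aenc' and isinstance(t[2], tuple) and t[2][0] == 'pk'
                  and synth(t[2][1], known, ac)):
                new.add(t[1])
        if new <= known:
            return known
        known |= new


def deducible(goal, gamma, ac=True):
    """Intruder deduction: is goal derivable from the observed messages gamma?"""
    return synth(goal, analyse(gamma, ac), ac)


def passive_dh_example(ac=True):
    """Constructed scenario: Alice sends g^a, Bob sends g^b, and Alice encrypts
    m under the key she computes as (g^b)^a."""
    g, a, b, m = 'g', 'a', 'b', 'm'
    alice_key = ('exp', ('exp', g, (b,)), (a,))
    bob_key = ('exp', ('exp', g, (a,)), (b,))
    observed = [g, ('exp', g, (a,)), ('exp', g, (b,)), ('senc', m, alice_key)]
    return {
        'keys_agree': norm(alice_key, ac) == norm(bob_key, ac),
        'eavesdropper_gets_m': deducible(m, observed, ac),
        'knowing_b_gets_m': deducible(m, observed + [b], ac),
    }


def layered_example():
    """Constructed: private key k opens the aenc, the pair yields m, m opens the senc."""
    msg = ('aenc', ('pair', 'm', ('senc', 's', 'm')), ('pk', 'k'))
    return deducible('s', ['k', msg])


if __name__ == '__main__':
    for ac in (True, False):
        print('commuting exponents' if ac else 'free algebra', passive_dh_example(ac))
```

With `ac=True` the eavesdropper still learns nothing, but an intruder who also holds `b` recovers `m`, because `exp(g, (a,))` raised by `b` normalises to the same term as Alice's key. With `ac=False` the second deduction fails, which is exactly the false negative a free-algebra model produces for Diffie-Hellman style protocols. The multiset of exponents is bounded by the goal term, so saturation terminates; this toy does not handle exponent inverses or the constraint-solving (active intruder) problem the abstracts also address.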
Average-energy games
Two-player quantitative zero-sum games provide a natural framework to synthesize controllers with performance guarantees for reactive systems within an uncontrollable environment. Classical settings include mean-payoff games, where the objective is to optimize the long-run average gain per action, and energy games, where the system has to avoid running out of energy.
We study average-energy games, where the goal is to optimize the long-run average of the accumulated energy. We show that this objective arises naturally in several applications, and that it yields interesting connections with previous concepts in the literature. We prove that deciding the winner in such games is in NP ∩ coNP and at least as hard as solving mean-payoff games, and we establish that memoryless strategies suffice to win. We also consider the case where the system has to minimize the average energy while maintaining the accumulated energy within predefined bounds at all times: this corresponds to operating with a finite-capacity storage for energy. We give results for one-player and two-player games, and establish complexity bounds and memory requirements.
Comment: In Proceedings GandALF 2015, arXiv:1509.0685
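To see how the average-energy objective differs from mean-payoff, it helps to evaluate both on concrete plays. The block below is an added example for this page, not code from the paper; it assumes a play is given as a finite prefix followed by a cycle repeated forever, with each entry the energy gain (negative for consumption) of one action. Mean-payoff depends only on the cycle, whereas average energy is the limit of the running average of the accumulated energy levels, which is finite only when the cycle is balanced and, even then, depends on the order of the actions and on the prefix. The last function checks the bounded-storage constraint from the abstract.

```python
"""Mean-payoff versus average-energy on an ultimately periodic play.

Added example, not code from the paper above. A play is a finite prefix
followed by a cycle repeated forever; entries are integer weights.
"""
from fractions import Fraction


def energy_levels(prefix, cycle):
    """Accumulated energy after each action of the prefix and of one cycle iteration."""
    levels, e = [], 0
    for w in prefix + cycle:
        e += w
        levels.append(e)
    return levels


def mean_payoff(prefix, cycle):
    """Long-run average gain per action; the prefix does not matter."""
    return Fraction(sum(cycle), len(cycle))


def average_energy(prefix, cycle):
    """Long-run average of the accumulated energy.

    If the cycle sum is non-zero the energy drifts to +/- infinity and so does
    the running average. If it is zero, the levels are periodic after the
    prefix and the limit is their average over one period."""
    s = sum(cycle)
    if s > 0:
        return float('inf')
    if s < 0:
        return float('-inf')
    period = energy_levels(prefix, cycle)[len(prefix):]
    return Fraction(sum(period), len(cycle))


def stays_within(prefix, cycle, lower, upper):
    """Finite-capacity storage: does the accumulated energy stay in [lower, upper]
    at every point of the infinite play, starting from level 0?"""
    if sum(cycle) != 0:
        return False            # an unbalanced cycle eventually leaves any finite interval
    return lower <= 0 <= upper and all(lower <= e <= upper for e in energy_levels(prefix, cycle))


def compare(prefix, cycle):
    """(mean-payoff, average-energy) of the play prefix . cycle^omega."""
    return mean_payoff(prefix, cycle), average_energy(prefix, cycle)


if __name__ == '__main__':
    # Constructed plays: same cycle sum (mean-payoff 0), different average energy.
    for play in ([], [2, -2]), ([], [-2, 2]), ([3], [2, -2]):
        print(play, compare(*play))
```

The cycles `[2, -2]` and `[-2, 2]` both have mean-payoff 0 but average energy 1 and -1 respectively: the objective rewards charging before discharging. Prefixing `[3]` shifts every level by 3 and raises the average energy to 4 without changing the mean-payoff, which is one reason average-energy games need the different complexity and memory analysis the abstract describes.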
Parikh One-Counter Automata
Counting abilities in finite automata are traditionally provided by two orthogonal extensions: adding a single counter that can be tested for zeroness at any point, or adding ℤ-valued counters that are tested for equality only at the end of runs. In this paper, finite automata extended with both types of counters are introduced. They are called Parikh One-Counter Automata (POCA): the "Parikh" part referring to the evaluation of counters at the end of runs, and the "One-Counter" part to the single counter that can be tested during runs.
Their expressiveness, in the deterministic and nondeterministic variants, is investigated; it is shown in particular that there are deterministic POCA languages that cannot be expressed without nondeterminism in the original models. The natural decision problems are also studied; strikingly, most of them are no harder than in the original models. A parametric version of nonemptiness is also considered.
Reasoning about recognizability in security protocols
Although verifying a message has long been recognized as an important concept, used explicitly or implicitly in security protocol analysis, there is no consensus on its exact meaning. Such a lack of formal treatment of the concept makes it extremely difficult to evaluate the vulnerability of security protocols.
This dissertation offers a precise answer to the question: what is meant by saying that a message can be "verified"? The core technical innovation is a third notion of knowledge in security protocols, recognizability. It can be considered as intermediate between deduction and static equivalence, the two classical knowledge notions in security protocols. We believe that the notion of recognizability sheds important light on the study of security protocols. More specifically, this thesis makes four contributions.
First, we develop a knowledge model to capture an agent's cognitive ability to understand messages. Thanks to a clear distinction between de re and de dicto interpretations of a message, the knowledge model unifies the computational and symbolic views of cryptography gracefully.
Second, we propose a new notion of knowledge in security protocols, recognizability, to fully capture one's ability or inability to cope with potentially ambiguous messages. A terminating procedure is given to decide recognizability under the standard Dolev-Yao model.
Third, we establish a faithful view of the attacker based on recognizability. This yields new insights into protocol compilations and protocol implementations. Specifically, we identify two types of attacks that can be thwarted by adjusting the protocol implementation, and show that an ideal implementation that corresponds to the intended protocol semantics does not always exist. Overall, the obtained attacker's view provides a path to more secure protocol designs and implementations.
Fourth, we use recognizability to provide a new perspective on type-flaw attacks. Unlike most previous approaches, which have focused on heuristic schemes to detect or prevent type-flaw attacks, our approach exposes the enabling factors of such attacks. Similarly, we apply the notion of recognizability to analyze off-line guessing attacks. Without enumerating rules to determine whether a guess can be "verified", we derive a new definition based on recognizability to fully capture the attacker's guessing capabilities. This definition offers a general framework to reason about guessing attacks in a symbolic setting, independent of specific intruder models. We show how the framework can be used to analyze both passive and active guessing attacks.
Revisiting Synthesis for One-Counter Automata
We study the (parameter) synthesis problem for one-counter automata with parameters. One-counter automata are obtained by extending classical finite-state automata with a counter whose value can range over non-negative integers and be tested for zero. The updates and tests applicable to the counter can further be made parametric by introducing a set of integer-valued variables called parameters. The synthesis problem for such automata asks whether there exists a valuation of the parameters such that all infinite runs of the automaton satisfy some omega-regular property. Lechner showed that (the complement of) the problem can be encoded in a restricted one-alternation fragment of Presburger arithmetic with divisibility. In this work (i) we argue that said fragment, called AERPADPLUS, is unfortunately undecidable. Nevertheless, by a careful re-encoding of the problem into a decidable restriction of AERPADPLUS, (ii) we prove that the synthesis problem is decidable in general and in N2EXP for several fixed omega-regular properties. Finally, (iii) we give a polynomial-space algorithm for the special case of the problem where parameters can only be used in tests, and not updates, of the counter.