State space reduction in the Maude-NRL Protocol Analyzer

The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way. Maude-NPA supports a wide variety of algebraic properties that includes many crypto-systems of interest such as, for example, one-time pads and Diffie–Hellman. Maude-NPA, like the original NPA, looks for attacks by searching backwards from an insecure attack state, and assumes an unbounded number of sessions. Because of the unbounded number of sessions and the support for different equational theories, it is necessary to develop ways of reducing the search space and avoiding infinite search paths. In order for the techniques to prove useful, they need not only to speed up the search, but should not violate completeness, so that failure to find attacks still guarantees security. In this paper we describe some state space reduction techniques that we have implemented in Maude-NPA. We also provide completeness proofs, and experimental evaluations of their effect on the performance of Maude-NPA.We would like to thank Antonio Gonzalez for his help in providing several protocol specifications in Maude-NPA. S. Escobar and S. Santiago have been partially supported by the EU (FEDER) and the Spanish MEC/MICINN under grant TIN 2010-21062-C02-02, and by Generalitat Valenciana PROMETEO2011/052. J. Meseguer and S. Escobar have been partially supported by NSF grants CNS 09-04749, and CCF 09-05584.Escobar Román, S.; Meadows, C.; Meseguer, J.; Santiago Pinazo, S. (2014). State space reduction in the Maude-NRL Protocol Analyzer. Information and Computation. 238:157-186. https://doi.org/10.1016/j.ic.2014.07.007S15718623

Effective symbolic protocol analysis via equational irreducibility conditions

We address a problem that arises in cryptographic protocol analysis when the equational properties of the cryptosystem are taken into account: in many situations it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the equational theory. We give a tool-independent methodology for state exploration, based on unification and narrowing, that generates states that obey these irreducibility constraints, called contextual symbolic reachability analysis, prove its soundness and completeness, and describe its implementation in the Maude-NPA protocol analysis tool. Contextual symbolic reachability analysis also introduces a new type of unification mechanism, which we call asymmetric unification, in which any solution must leave the right side of the solution irreducible. We also present experiments showing the effectiveness of our methodology.S. Escobar and S. Santiago have been partially supported by the EU (FEDER) and the Spanish MEC/MICINN under grant TIN 2010-21062-C02-02, and by Generalitat Valenciana PROMETEO2011/052. The following authors have been partially supported by NSF: S. Escobar, J. Meseguer and R. Sasse under grants CCF 09- 05584, CNS 09-04749, and CNS 09-05584; D. Kapur under grant CNS 09-05222; C. Lynch, Z. Liu, and C. Meadows under grant CNS 09-05378, and P. Narendran and S. Erbatur under grant CNS 09-05286.Erbatur, S.; Escobar Román, S.; Kapur, D.; Liu, Z.; Lynch, C.; Meadows, C.; Meseguer, J.... (2012). Effective symbolic protocol analysis via equational irreducibility conditions. En Computer Security - ESORICS 2012. Springer Verlag (Germany). 7459:73-90. doi:10.1007/978-3-642-33167-1_5S73907459IEEE 802.11 Local and Metropolitan Area Networks: Wireless LAN Medium Access Control (MAC) and Physical (PHY) Specifications (1999)Abadi, M., Cortier, V.: Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci. 367(1-2), 2–32 (2006)Arapinis, M., Bursuc, S., Ryan, M.: Privacy Supporting Cloud Computing: ConfiChair, a Case Study. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 89–108. Springer, Heidelberg (2012)Basin, D., Mödersheim, S., Viganò, L.: An On-the-Fly Model-Checker for Security Protocol Analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003)Baudet, M., Cortier, V., Delaune, S.: YAPA: A Generic Tool for Computing Intruder Knowledge. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 148–163. Springer, Heidelberg (2009)Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: CSFW, pp. 82–96. IEEE Computer Society (2001)Blanchet, B.: Using horn clauses for analyzing security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. IOS Press (2011)Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. J. Log. Algebr. Program. 75(1), 3–51 (2008)Ciobâcă, Ş., Delaune, S., Kremer, S.: Computing Knowledge in Security Protocols under Convergent Equational Theories. In: Schmidt, R.A. (ed.) CADE-22. LNCS (LNAI), vol. 5663, pp. 355–370. Springer, Heidelberg (2009)Comon-Lundh, H., Delaune, S.: The Finite Variant Property: How to Get Rid of Some Algebraic Properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005)Comon-Lundh, H., Delaune, S., Millen, J.: Constraint solving techniques and enriching the model with equational theories. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, vol. 5, pp. 35–61. IOS Press (2011)Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: LICS, pp. 271–280. IEEE Computer Society (2003)Ciobâcă, Ş.: Knowledge in security protocolsDolev, D., Yao, A.C.-C.: On the security of public key protocols (extended abstract). In: FOCS, pp. 350–357 (1981)Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Computer Science 367(1-2), 162–202 (2006)Escobar, S., Meadows, C., Meseguer, J.: State Space Reduction in the Maude-NRL Protocol Analyzer. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 548–562. Springer, Heidelberg (2008)Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009)Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: State space reduction in the maude-nrl protocol analyzer. Information and Computation (in press, 2012)Escobar, S., Sasse, R., Meseguer, J.: Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program (in press, 2012)Thayer Fabrega, F.J., Herzog, J., Guttman, J.: Strand Spaces: What Makes a Security Protocol Correct? Journal of Computer Security 7, 191–230 (1999)Jouannaud, J.-P., Kirchner, H.: Completion of a set of rules modulo a set of equations. SIAM J. Comput. 15(4), 1155–1194 (1986)Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In: CSF, pp. 157–171. IEEE Computer Society (2009)Küsters, R., Truderung, T.: Reducing protocol analysis with xor to the xor-free case in the horn theory based approach. Journal of Automated Reasoning 46(3-4), 325–352 (2011)Liu, Z., Lynch, C.: Efficient General Unification for XOR with Homomorphism. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) CADE 2011. LNCS, vol. 6803, pp. 407–421. Springer, Heidelberg (2011)Lowe, G., Roscoe, B.: Using csp to detect errors in the tmn protocol. IEEE Transactions on Software Engineering 23, 659–669 (1997)Lucas, S.: Context-sensitive computations in functional and functional logic programs. J. Functl. and Log. Progr. 1(4), 446–453 (1998)Meseguer, J.: Conditional rewriting logic as a united model of concurrency. Theor. Comput. Sci. 96(1), 73–155 (1992)Meseguer, J., Thati, P.: Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols. Higher-Order and Symbolic Computation 20(1-2), 123–160 (2007)Mödersheim, S.: Models and methods for the automated analysis of security protocols. PhD thesis, ETH Zurich (2007)Mödersheim, S., Viganò, L., Basin, D.A.: Constraint differentiation: Search-space reduction for the constraint-based analysis of security protocols. Journal of Computer Security 18(4), 575–618 (2010)Tatebayashi, M., Matsuzaki, N., Newman Jr., D.B.: Key Distribution Protocol for Digital Mobile Communication Systems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 324–334. Springer, Heidelberg (1990)TeReSe (ed.): Term Rewriting Systems. Cambridge University Press, Cambridge (2003)Viry, P.: Equational rules for rewriting logic. Theor. Comput. Sci. 285(2), 487–517 (2002)Zhang, H., Remy, J.-L.: Contextual Rewriting. In: Jouannaud, J.-P. (ed.) RTA 1985. LNCS, vol. 202, pp. 46–62. Springer, Heidelberg (1985

Partial Order Reduction for Security Protocols

Security protocols are concurrent processes that communicate using cryptography with the aim of achieving various security properties. Recent work on their formal verification has brought procedures and tools for deciding trace equivalence properties (e.g., anonymity, unlinkability, vote secrecy) for a bounded number of sessions. However, these procedures are based on a naive symbolic exploration of all traces of the considered processes which, unsurprisingly, greatly limits the scalability and practical impact of the verification tools. In this paper, we overcome this difficulty by developing partial order reduction techniques for the verification of security protocols. We provide reduced transition systems that optimally eliminate redundant traces, and which are adequate for model-checking trace equivalence properties of protocols by means of symbolic execution. We have implemented our reductions in the tool Apte, and demonstrated that it achieves the expected speedup on various protocols

A Reduced Semantics for Deciding Trace Equivalence

Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e., without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. M\"odersheim et al. have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called APTE. We conducted complete benchmarks showing dramatic improvements.Comment: Accepted for publication in LMC

An Optimizing Protocol Transformation for Constructor Finite Variant Theories in Maude-NPA

[EN] Maude-NPA is an analysis tool for cryptographic security protocols that takes into account the algebraic properties of the cryptosystem. Maude-NPA can reason about a wide range of cryptographic properties. However, some algebraic properties, and protocols using them, have been beyond Maude-NPA capabilities, either because the cryptographic properties cannot be expressed using its equational unification features or because the state space is unmanageable. In this paper, we provide a protocol transformation that can safely get rid of cryptographic properties under some conditions. The time and space difference between verifying the protocol with all the crypto properties and verifying the protocol with a minimal set of the crypto properties is remarkable. We also provide, for the first time, an encoding of the theory of bilinear pairing into Maude-NPA that goes beyond the encoding of bilinear pairing available in the Tamarin toolPartially supported by the EU (FEDER) and the Spanish MCIU under grant RTI2018-094403-B-C32, by the Spanish Generalitat Valenciana under grant PROMETEO/2019/098, and by the US Air Force Office of Scientific Research under award number FA9550-17-1-0286. Julia Sapiña has been supported by the Generalitat Valenciana APOSTD/2019/127 grantAparicio-Sánchez, D.; Escobar Román, S.; Gutiérrez Gil, R.; Sapiña-Sanchis, J. (2020). An Optimizing Protocol Transformation for Constructor Finite Variant Theories in Maude-NPA. Springer Nature. 230-250. https://doi.org/10.1007/978-3-030-59013-0_12S230250Maude-NPA manual v3.1. http://maude.cs.illinois.edu/w/index.php/Maude_Tools:_Maude-NPAThe Tamarin-Prover Manual, 4 June 2019. https://tamarin-prover.github.io/manual/tex/tamarin-manual.pdfAl-Riyami, S.S., Paterson, K.G.: Tripartite authenticated key agreement protocols from pairings. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 332–359. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_27Baader, F., Snyder, W.: Unification theory. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, vol. 1, pp. 447–533. Elsevier Science (2001)Baelde, D., Delaune, S., Gazeau, I., Kremer, S.: Symbolic verification of privacy-type properties for security protocols with XOR. In: 30th IEEE Computer Security Foundations Symposium, CSF 2017, pp. 234–248. IEEE Computer Society (2017)Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends Privacy Secur. 1(1–2), 1–135 (2016)Clavel, M., et al.: Maude manual (version 3.0). Technical report, SRI International, Computer Science Laboratory (2020). http://maude.cs.uiuc.eduComon-Lundh, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-32033-3_22Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70545-1_38Dreier, J., Duménil, C., Kremer, S., Sasse, R.: Beyond subterm-convergent equational theories in automated verification of stateful protocols. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 117–140. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_6Escobar, S., Hendrix, J., Meadows, C., Meseguer, J.: Diffie-Hellman cryptographic reasoning in the Maude-NRL protocol analyzer. In: Proceedings of 2nd International Workshop on Security and Rewriting Techniques (SecReT 2007) (2007)Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theor. Comput. Sci. 367(1–2), 162–202 (2006)Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7_1Escobar, S., et al.: Protocol analysis in Maude-NPA using unification modulo homomorphic encryption. In: Proceedings of PPDP 2011, pp. 65–76. ACM (2011)Escobar, S., Meadows, C.A., Meseguer, J., Santiago, S.: State space reduction in the Maude-NRL protocol analyzer. Inf. Comput. 238, 157–186 (2014)Escobar, S., Sasse, R., Meseguer, J.: Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program. 81(7–8), 898–928 (2012)Fabrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: Proceedings of IEEE Symposium on Security and Privacy, pp. 160–171 (1998)Guttman, J.D.: Security goals and protocol transformations. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 130–147. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_8Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–393. Springer, Heidelberg (2000). https://doi.org/10.1007/10722028_23Kim, Y., Perrig, A., Tsudik, G.: Communication-efficient group key agreement. In: Dupuy, M., Paradinas, P. (eds.) SEC 2001. IIFIP, vol. 65, pp. 229–244. Springer, Boston, MA (2002). https://doi.org/10.1007/0-306-46998-7_16Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In: IEEE Computer Security Foundations, pp. 157–171 (2009)Küsters, R., Truderung, T.: Reducing protocol analysis with XOR to the XOR-free case in the horn theory based approach. J. Autom. Reason. 46(3–4), 325–352 (2011)Meadows, C.: The NRL protocol analyzer: an overview. J. Logic Program. 26(2), 113–131 (1996)Meier, S., Cremers, C., Basin, D.: Strong invariants for the efficient construction of machine-checked protocol security proofs. In: 2010 23rd IEEE Computer Security Foundations Symposium, pp. 231–245 (2010)Meseguer, J.: Conditional rewriting logic as a united model of concurrency. Theoret. Comput. Sci. 96(1), 73–155 (1992)Meseguer, J.: Variant-based satisfiability in initial algebras. Sci. Comput. Program. 154, 3–41 (2018)Meseguer, J.: Generalized rewrite theories, coherence completion, and symbolic methods. J. Log. Algebr. Meth. Program. 110, 100483 (2020)Mödersheim, S., Viganò, L.: The open-source fixed-point model checker for symbolic analysis of security protocols. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 166–194. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7_6Sasse, R., Escobar, S., Meadows, C., Meseguer, J.: Protocol analysis modulo combination of theories: a case study in Maude-NPA. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 163–178. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22444-7_11Schmidt, B., Sasse, R., Cremers, C., Basin, D.A.: Automated verification of group key agreement protocols. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 179–194. IEEE Computer Society (2014)Skeirik, S., Meseguer, J.: Metalevel algorithms for variant satisfiability. J. Log. Algebraic Methods Program. 96, 81–110 (2018)TeReSe: Term Rewriting Systems. Cambridge University Press, Cambridge (2003)Yang, F., Escobar, S., Meadows, C.A., Meseguer, J., Narendran, P.: Theories of homomorphic encryption, unification, and the finite variant property. In: Proceedings of PPDP 2014, pp. 123–133. ACM (2014

Programming and symbolic computation in Maude

[EN] Rewriting logic is both a flexible semantic framework within which widely different concurrent systems can be naturally specified and a logical framework in which widely different logics can be specified. Maude programs are exactly rewrite theories. Maude has also a formal environment of verification tools. Symbolic computation is a powerful technique for reasoning about the correctness of concurrent systems and for increasing the power of formal tools. We present several new symbolic features of Maude that enhance formal reasoning about Maude programs and the effectiveness of formal tools. They include: (i) very general unification modulo user-definable equational theories, and (ii) symbolic reachability analysis of concurrent systems using narrowing. The paper does not focus just on symbolic features: it also describes several other new Maude features, including: (iii) Maude's strategy language for controlling rewriting, and (iv) external objects that allow flexible interaction of Maude object-based concurrent systems with the external world. In particular, meta-interpreters are external objects encapsulating Maude interpreters that can interact with many other objects. To make the paper self-contained and give a reasonably complete language overview, we also review the basic Maude features for equational rewriting and rewriting with rules, Maude programming of concurrent object systems, and reflection. Furthermore, we include many examples illustrating all the Maude notions and features described in the paper.Duran has been partially supported by MINECO/FEDER project TIN2014-52034-R. Escobar has been partially supported by the EU (FEDER) and the MCIU under grant RTI2018-094403-B-C32, by the Spanish Generalitat Valenciana under grant PROMETE0/2019/098, and by the US Air Force Office of Scientific Research under award number FA9550-17-1-0286. MartiOliet and Rubio have been partially supported by MCIU Spanish project TRACES (TIN2015-67522-C3-3-R). Rubio has also been partially supported by a MCIU grant FPU17/02319. Meseguer and Talcott have been partially supported by NRL Grant N00173 -17-1-G002. Talcott has also been partially supported by ONR Grant N00014-15-1-2202.Durán, F.; Eker, S.; Escobar Román, S.; NARCISO MARTÍ OLIET; José Meseguer; Rubén Rubio; Talcott, C. (2020). Programming and symbolic computation in Maude. Journal of Logical and Algebraic Methods in Programming. 110:1-58. https://doi.org/10.1016/j.jlamp.2019.100497S158110Alpuente, M., Escobar, S., Espert, J., & Meseguer, J. (2014). A modular order-sorted equational generalization algorithm. Information and Computation, 235, 98-136. doi:10.1016/j.ic.2014.01.006K. Bae, J. Meseguer, Predicate abstraction of rewrite theories, in: [36], 2014, pp. 61–76.Bae, K., & Meseguer, J. (2015). Model checking linear temporal logic of rewriting formulas under localized fairness. Science of Computer Programming, 99, 193-234. doi:10.1016/j.scico.2014.02.006Bae, K., Meseguer, J., & Ölveczky, P. C. (2014). Formal patterns for multirate distributed real-time systems. Science of Computer Programming, 91, 3-44. doi:10.1016/j.scico.2013.09.010P. Borovanský, C. Kirchner, H. Kirchner, P.E. Moreau, C. Ringeissen, An overview of ELAN, in: [77], 1998, pp. 55–70.Bouhoula, A., Jouannaud, J.-P., & Meseguer, J. (2000). Specification and proof in membership equational logic. Theoretical Computer Science, 236(1-2), 35-132. doi:10.1016/s0304-3975(99)00206-6Bravenboer, M., Kalleberg, K. T., Vermaas, R., & Visser, E. (2008). Stratego/XT 0.17. A language and toolset for program transformation. Science of Computer Programming, 72(1-2), 52-70. doi:10.1016/j.scico.2007.11.003Bruni, R., & Meseguer, J. (2006). Semantic foundations for generalized rewrite theories. Theoretical Computer Science, 360(1-3), 386-414. doi:10.1016/j.tcs.2006.04.012M. Clavel, F. Durán, S. Eker, S. Escobar, P. Lincoln, N. Martí-Oliet, C.L. Talcott, Two decades of Maude, in: [86], 2015, pp. 232–254.Clavel, M., Durán, F., Eker, S., Lincoln, P., Martı́-Oliet, N., Meseguer, J., & Quesada, J. F. (2002). Maude: specification and programming in rewriting logic. Theoretical Computer Science, 285(2), 187-243. doi:10.1016/s0304-3975(01)00359-0Clavel, M., & Meseguer, J. (2002). Reflection in conditional rewriting logic. Theoretical Computer Science, 285(2), 245-288. doi:10.1016/s0304-3975(01)00360-7F. Durán, S. Eker, S. Escobar, N. Martí-Oliet, J. Meseguer, C.L. Talcott, Associative unification and symbolic reasoning modulo associativity in Maude, in: [121], 2018, pp. 98–114.Durán, F., Lucas, S., Marché, C., Meseguer, J., & Urbain, X. (2008). Proving operational termination of membership equational programs. Higher-Order and Symbolic Computation, 21(1-2), 59-88. doi:10.1007/s10990-008-9028-2F. Durán, J. Meseguer, An extensible module algebra for Maude, in: [77], 1998, pp. 174–195.Durán, F., & Meseguer, J. (2003). Structured theories and institutions. Theoretical Computer Science, 309(1-3), 357-380. doi:10.1016/s0304-3975(03)00312-8Durán, F., & Meseguer, J. (2007). Maude’s module algebra. Science of Computer Programming, 66(2), 125-153. doi:10.1016/j.scico.2006.07.002Durán, F., & Meseguer, J. (2012). On the Church-Rosser and coherence properties of conditional order-sorted rewrite theories. The Journal of Logic and Algebraic Programming, 81(7-8), 816-850. doi:10.1016/j.jlap.2011.12.004F. Durán, P.C. Ölveczky, A guide to extending Full Maude illustrated with the implementation of Real-Time Maude, in: [116], 2009, pp. 83–102.S. Escobar, Multi-paradigm programming in Maude, in: [121], 2018, pp. 26–44.Escobar, S., Meadows, C., Meseguer, J., & Santiago, S. (2014). State space reduction in the Maude-NRL Protocol Analyzer. Information and Computation, 238, 157-186. doi:10.1016/j.ic.2014.07.007Escobar, S., Sasse, R., & Meseguer, J. (2012). Folding variant narrowing and optimal variant termination. The Journal of Logic and Algebraic Programming, 81(7-8), 898-928. doi:10.1016/j.jlap.2012.01.002H. Garavel, M. Tabikh, I. Arrada, Benchmarking implementations of term rewriting and pattern matching in algebraic, functional, and object-oriented languages – the 4th rewrite engines competition, in: [121], 2018, pp. 1–25.Goguen, J. A., & Burstall, R. M. (1992). Institutions: abstract model theory for specification and programming. Journal of the ACM, 39(1), 95-146. doi:10.1145/147508.147524Goguen, J. A., & Meseguer, J. (1984). Equality, types, modules, and (why not?) generics for logic programming. The Journal of Logic Programming, 1(2), 179-210. doi:10.1016/0743-1066(84)90004-9Goguen, J. A., & Meseguer, J. (1992). Order-sorted algebra I: equational deduction for multiple inheritance, overloading, exceptions and partial operations. Theoretical Computer Science, 105(2), 217-273. doi:10.1016/0304-3975(92)90302-vR. Gutiérrez, J. Meseguer, Variant-based decidable satisfiability in initial algebras with predicates, in: [61], 2018, pp. 306–322.Gutiérrez, R., Meseguer, J., & Rocha, C. (2015). Order-sorted equality enrichments modulo axioms. Science of Computer Programming, 99, 235-261. doi:10.1016/j.scico.2014.07.003Horn, A. (1951). On sentences which are true of direct unions of algebras. Journal of Symbolic Logic, 16(1), 14-21. doi:10.2307/2268661Katelman, M., Keller, S., & Meseguer, J. (2012). Rewriting semantics of production rule sets. The Journal of Logic and Algebraic Programming, 81(7-8), 929-956. doi:10.1016/j.jlap.2012.06.002Kowalski, R. (1979). Algorithm = logic + control. Communications of the ACM, 22(7), 424-436. doi:10.1145/359131.359136Lucanu, D., Rusu, V., & Arusoaie, A. (2017). A generic framework for symbolic execution: A coinductive approach. Journal of Symbolic Computation, 80, 125-163. doi:10.1016/j.jsc.2016.07.012D. Lucanu, V. Rusu, A. Arusoaie, D. Nowak, Verifying reachability-logic properties on rewriting-logic specifications, in: [86], 2015, pp. 451–474.Lucas, S., & Meseguer, J. (2016). Normal forms and normal theories in conditional rewriting. Journal of Logical and Algebraic Methods in Programming, 85(1), 67-97. doi:10.1016/j.jlamp.2015.06.001N. Martí-Oliet, J. Meseguer, A. Verdejo, A rewriting semantics for Maude strategies, in: [116], 2009, pp. 227–247.Martí-Oliet, N., Palomino, M., & Verdejo, A. (2007). Strategies and simulations in a semantic framework. Journal of Algorithms, 62(3-4), 95-116. doi:10.1016/j.jalgor.2007.04.002Meseguer, J. (1992). Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96(1), 73-155. doi:10.1016/0304-3975(92)90182-fMeseguer, J. (2012). Twenty years of rewriting logic. The Journal of Logic and Algebraic Programming, 81(7-8), 721-781. doi:10.1016/j.jlap.2012.06.003Meseguer, J. (2017). Strict coherence of conditional rewriting modulo axioms. Theoretical Computer Science, 672, 1-35. doi:10.1016/j.tcs.2016.12.026J. Meseguer, Generalized rewrite theories and coherence completion, in: [121], 2018, pp. 164–183.Meseguer, J. (2018). Variant-based satisfiability in initial algebras. Science of Computer Programming, 154, 3-41. doi:10.1016/j.scico.2017.09.001Meseguer, J., Goguen, J. A., & Smolka, G. (1989). Order-sorted unification. Journal of Symbolic Computation, 8(4), 383-413. doi:10.1016/s0747-7171(89)80036-7Meseguer, J., & Ölveczky, P. C. (2012). Formalization and correctness of the PALS architectural pattern for distributed real-time systems. Theoretical Computer Science, 451, 1-37. doi:10.1016/j.tcs.2012.05.040Meseguer, J., Palomino, M., & Martí-Oliet, N. (2008). Equational abstractions. Theoretical Computer Science, 403(2-3), 239-264. doi:10.1016/j.tcs.2008.04.040Meseguer, J., & Roşu, G. (2007). The rewriting logic semantics project. Theoretical Computer Science, 373(3), 213-237. doi:10.1016/j.tcs.2006.12.018Meseguer, J., & Roşu, G. (2013). The rewriting logic semantics project: A progress report. Information and Computation, 231, 38-69. doi:10.1016/j.ic.2013.08.004Meseguer, J., & Skeirik, S. (2017). Equational formulas and pattern operations in initial order-sorted algebras. Formal Aspects of Computing, 29(3), 423-452. doi:10.1007/s00165-017-0415-5Meseguer, J., & Thati, P. (2007). Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols. Higher-Order and Symbolic Computation, 20(1-2), 123-160. doi:10.1007/s10990-007-9000-6C. Olarte, E. Pimentel, C. Rocha, Proving structural properties of sequent systems in rewriting logic, in: [121], 2018, pp. 115–135.Ölveczky, P. C., & Meseguer, J. (2007). Semantics and pragmatics of Real-Time Maude. Higher-Order and Symbolic Computation, 20(1-2), 161-196. doi:10.1007/s10990-007-9001-5Ölveczky, P. C., & Thorvaldsen, S. (2009). Formal modeling, performance estimation, and model checking of wireless sensor network algorithms in Real-Time Maude. Theoretical Computer Science, 410(2-3), 254-280. doi:10.1016/j.tcs.2008.09.022Rocha, C., Meseguer, J., & Muñoz, C. (2017). Rewriting modulo SMT and open system analysis. Journal of Logical and Algebraic Methods in Programming, 86(1), 269-297. doi:10.1016/j.jlamp.2016.10.001Şerbănuţă, T. F., Roşu, G., & Meseguer, J. (2009). A rewriting logic approach to operational semantics. Information and Computation, 207(2), 305-340. doi:10.1016/j.ic.2008.03.026Skeirik, S., & Meseguer, J. (2018). Metalevel algorithms for variant satisfiability. Journal of Logical and Algebraic Methods in Programming, 96, 81-110. doi:10.1016/j.jlamp.2017.12.006S. Skeirik, A. Ştefănescu, J. Meseguer, A constructor-based reachability logic for rewrite theories, in: [61], 2018, pp. 201–217.Strachey, C. (2000). Higher-Order and Symbolic Computation, 13(1/2), 11-49. doi:10.1023/a:1010000313106A. Ştefănescu, S. Ciobâcă, R. Mereuta, B.M. Moore, T. Serbanuta, G. Roşu, All-path reachability logic, in: [36], 2014, pp. 425–440.Tushkanova, E., Giorgetti, A., Ringeissen, C., & Kouchnarenko, O. (2015). A rule-based system for automatic decidability and combinability. Science of Computer Programming, 99, 3-23. doi:10.1016/j.scico.2014.02.00

Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA

The area of formal analysis of cryptographic protocols has been an active one since the mid 80’s. The idea is to verify communication protocols that use encryption to guarantee secrecy and that use authentication of data to ensure security. Formal methods are used in protocol analysis to provide formal proofs of security, and to uncover bugs and security flaws that in some cases had remained unknown long after the original protocol publication, such as the case of the well known Needham-Schroeder Public Key (NSPK) protocol. In this thesis we tackle problems regarding the three main pillars of protocol verification: modelling capabilities, verifiable properties, and efficiency. This thesis is devoted to investigate advanced features in the analysis of cryptographic protocols tailored to the Maude-NPA tool. This tool is a model-checker for cryptographic protocol analysis that allows for the incorporation of different equational theories and operates in the unbounded session model without the use of data or control abstraction. An important contribution of this thesis is relative to theoretical aspects of protocol verification in Maude-NPA. First, we define a forwards operational semantics, using rewriting logic as the theoretical framework and the Maude programming language as tool support. This is the first time that a forwards rewriting-based semantics is given for Maude-NPA. Second, we also study the problem that arises in cryptographic protocol analysis when it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the protocol equational theory. We also study techniques to extend Maude-NPA capabilities to support the verification of a wider class of protocols and security properties. First, we present a framework to specify and verify sequential protocol compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a theoretical framework to specify and verify protocol indistinguishability in Maude-NPA. This kind of properties aim to verify that an attacker cannot distinguish between two versions of a protocol: for example, one using one secret and one using another, as it happens in electronic voting protocols. Finally, this thesis contributes to improve the efficiency of protocol verification in Maude-NPA. We define several techniques which drastically reduce the state space, and can often yield a finite state space, so that whether the desired security property holds or not can in fact be decided automatically, in spite of the general undecidability of such problems.Santiago Pinazo, S. (2015). Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/4852