Rigid Tree Automata and Applications

International audienceWe introduce the class of Rigid Tree Automata (RTA), an extension of standard bottom-up automata on ranked trees with distinguished states called rigid. Rigid states define a restriction on the computation of RTA on trees: RTA can test for equality in subtrees reaching the same rigid state. RTA are able to perform local and global tests of equality between subtrees, non-linear tree pattern matching, and some inequality and disequality tests as well. Properties like determinism, pumping lemma, Boolean closure, and several decision problems are studied in detail. In particular, the emptiness problem is shown decidable in linear time for RTA whereas membership of a given tree to the language of a given RTA is NP-complete. Our main result is the decidability of whether a given tree belongs to the rewrite closure of an RTA language under a restricted family of term rewriting systems, whereas this closure is not an RTA language. This result, one of the first on rewrite closure of languages of tree automata with constraints, is enabling the extension of model checking procedures based on finite tree automata techniques, in particular for the verification of communicating processes with several local non rewritable memories, like security protocols. Finally, a comparison of RTA with several classes of tree automata with local and global equality tests, with dag automata and Horn clause formalisms is also provided

Automated Verification of Equivalence Properties of Cryptographic Protocols

Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance against offline guessing attacks, which can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for a bounded number of sessions of cryptographic protocols. As in the applied pi-calculus, our protocol specification language is parametrized by a first-order sorted term signature and an equational theory which allows formalization of algebraic properties of cryptographic primitives. Our procedure is able to verify trace equivalence for determi-nate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under-and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those that can be modeled by an optimally reducing convergent rewrite system. The procedure is based on a fully abstract modelling of the traces of a bounded number of sessions of the protocols into first-order Horn clauses on which a dedicated resolution procedure is used to decide equivalence properties. We have shown that our procedure terminates for the class of subterm convergent equational theories. Moreover, the procedure has been implemented in a prototype tool A-KiSs (Active Knowledge in Security Protocols) and has been effectively tested on examples. Some of the examples were outside the scope of existing tools, including checking anonymity of an electronic voting protocol

SOFTWARE DEFINED NETWORKS: DIALECTING SECURITY

OpenFlow is the standard used in Software Defined Networks. It handles the communication between the network devices. However, there are some weaknesses linked to OpenFlow. With the use of TLS as a security solution, it inherits the vulnerabilities of TLS in downgrade attacks. Furthermore, TLS is optional. To enhance the security in OpenFlow, previous research work provided a solution that comes with the notion of protocol dialects. Protocol dialects are variations of an existing implementation of an open-source protocol, such as OpenFlow. They are implemented either by adding proxies or directly modifying the protocol to the core. The protocol dialect we analyze in this research follows the first approach by manipulating the protocol in such a way that the actual devices continue to function as before, but additional security measures are put in place with the use of proxies. Desired additional functionality, additional security measures, and changes in fields of the actual protocol are performed within the proxies. The devices “think” that they are communicating with each other exactly as before, but in reality a proxy is standing in front of each device, and the actual communication takes place with the proxies' mediation. In this research, we aim to show the enhanced security of the dialected OpenFlow protocol. We follow the computational analysis model to conduct a security proof for the dialect, and we also analyze some difficulties in conducting such a proof.The Office of Naval Research (ONR)Lohagos, Hellenic ArmyApproved for public release. Distribution is unlimited