    An Experiment in Interoperable Cryptographic Protocol Implementation Using Automatic Code Generation

    Spi2Java is a tool that enables semi-automatic generation of cryptographic protocol implementations, starting from verified formal models. This paper shows how the latest version of spi2Java has been enhanced in order to enable interoperability of the generated implementations. The new features that have been added to spi2Java are reported here. A case study on the SSH transport layer protocol, along with some experiments and measurements on the generated code, is also provided. The case study shows, with facts, that reliable and interoperable implementations of standard security protocols can indeed be obtained by using a code generation tool like spi2Java.

    Safe abstractions of data encodings in formal security protocol models

    When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants. In order to address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev-Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is implied to be secure too under the same adversary model. The paper also indicates possible exploitations of this result in the context of methods based on formal model extraction from implementation code and of methods based on automated code generation from formally verified model

    Formally based semi-automatic implementation of an open security protocol

    This paper presents an experiment in which an implementation of the client side of the SSH Transport Layer Protocol (SSH-TLP) was semi-automatically derived according to a model-driven development paradigm that leverages formal methods in order to obtain high correctness assurance. The approach used in the experiment starts with the formalization of the protocol at an abstract level. This model is then formally proved to fulfill the desired secrecy and authentication properties by using the ProVerif prover. Finally, a sound Java implementation is semi-automatically derived from the verified model using an enhanced version of the Spi2Java framework. The resulting implementation correctly interoperates with third-party servers, and its execution time is comparable with that of other manually developed Java SSH-TLP client implementations. This case study demonstrates that the adopted model-driven approach is viable even for a real security protocol, despite the complexity of the models needed in order to achieve an interoperable implementation.

    Provably correct Java implementations of Spi Calculus security protocols specifications

    Spi Calculus is an untyped high-level modeling language for security protocols, used for formal protocol specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to formalize the refinement of a Spi Calculus specification into a Java implementation. The Java implementation generated by the translation function uses a custom Java library. Formal conditions on such a library are stated, so that, if the library implementation code satisfies these conditions, then the generated Java implementation correctly simulates the Spi Calculus specification. A verified implementation of part of the custom library is further presented.

    Warfare to Welfare: World War I and the Development of Social Legislation in Italy

    The First World War and the social policies supporting its victims played an essential role in the development of the Italian welfare state, its spectrum of benefits, and its organization. The relief programs for millions of soldiers and their families as well as disabled veterans and survivors led to a new dimension of state intervention in the field of social policy. The influence these programs have had on the successive reforms of the post-war period is clearly visible. An obvious example is the set of measures to increase the employment of disabled veterans, which were precursors of the 1919 compulsory insurance against unemployment and represented the first concrete state intervention in the labor market, meant to even out some of its flaws and help particularly disadvantaged groups of employees. Another piece of wartime legislation that inspired post-war measures was the law supporting the Great War’s widows and orphans. It paved the way for the first and most important social law of the Italian fascist regime of the 1920s: the Law on Protection of Mothers and Children. Additionally, the modernization of relief services during the war diminished the importance of traditional charitable and confessional assistance and resulted at the same time in a nationalization of social policy. This in turn brought about the bureaucratization and technocratization of welfare services throughout state departments and public agencies. The nexus between warfare and welfare, a relationship which can be identified in several belligerent countries after the Great War, was particularly evident in Italy. During the war, a pronounced process of “compensatory state building” gripped the country, with the consolidation of new social rights guaranteed by the state going hand in hand with the limitation of several political and civil rights. This paper will, based on these considerations, analyze the connections and continuities of Italy’s social legislation during the war and post-war period. It will include modernization factors and limits and contradictory developments of the Italian welfare state between World War I, the Civil War, and the rise of fascism.

    Asymptotic analysis of the Friedkin-Johnsen model when the matrix of the susceptibility weights approaches the identity matrix

    In this paper we analyze the Friedkin-Johnsen model of opinions when the coefficients weighting the agents' susceptibilities to interpersonal influence approach 1. We show that in this case, under suitable assumptions, the model converges to a quasi-consensus condition among the agents. In general, the achieved consensus value will be different from the one obtained by the corresponding DeGroot model.

    Visual Model-Driven Design, Verification and Implementation of Security Protocols

    A novel visual model-driven approach to security protocol design, verification, and implementation is presented in this paper. User-friendly graphical models are combined with rigorous formal methods to enable protocol verification and sound automatic code generation. Domain-specific abstractions keep the graphical models simple, yet powerful enough to represent complex, realistic protocols such as SSH. The main contribution is to bring together aspects that were only partially available or not available at all in previous proposal