Over-approximating Descendants by Synchronized Tree Languages

Over-approximating the descendants (successors) of a initial set of terms by a rewrite system is used in verification. The success of such verification methods depends on the quality of the approximation. To get better approximations, we are going to use non-regular languages. We present a procedure that always terminates and that computes over-approximation of descendants, using synchronized tree-(tuple) languages expressed by logic programs

Tree Automata for Detecting Attacks on Protocols with Algebraic Cryptographic Primitives

International audienceThis paper extends a rewriting approximations-based theoretical framework in which the security problem -- secrecy preservation against an active intruder -- may be semi-decided through a reachability analysis. In a recent paper, we have shown how to semi-decide whether a security protocol using algebraic properties of cryptographic primitives is safe. In this paper, we investigate the dual - insecurity - problem: we explain how to semi-decide whether a protocol using cryptographic primitive algebraic properties is unsafe. This improvement offers us to draw automatically a complete diagnostic of a security protocol with an unbounded number of sessions. Furthermore, our approach is supported by the tool TA4SP successfully applied for analysing the NSPK-xor protocol and the Diffie-Hellman protocol

Automatic Verification of Security Protocols Using Approximations

Security protocols are widely used in open modern networks to ensure safe communications. It is now recognized that formal analysis can provide the level of assurance required by both developers and users of the protocols. Unfortunately it is generally undecidable to certify whether a protocol is safe or not. However the automatic verification of security protocols can be attempted using abstraction-based approximation. For this purpose, tree automata approximations were introduced by Genet and Klay in 2000. In this paper, we propose an extension of their techniques making the approach efficiently automatic. Our contribution has been implementing in the TA4SP tool with a high level specification language as input format, providing positive practical results on industrial security protocols

Approximation based tree regular model checking

International audienceThis paper addresses the following general problem of tree regular model-checking: decide whether $\R^*(L)\cap L_p =\emptyset$ where $\R^*$ is the reflexive and transitive closure of a successor relation induced by a term rewriting system $\R$, and $L$ and $L_p$ are both regular tree languages. We develop an automatic approximation-based technique to handle this -- undecidable in general -- problem in most practical cases, extending a recent work by Feuillade, Genet and Viet Triem Tong. We also make this approach fully automatic for practical validation of security protocols

Automatic Abstraction Generation : How to Make an Expert Verification Technique for Security Protocols available to Non-expert Users

The security problem for protocols with an unbounded number of sessios is in general undecidable. However, a solution may consist of performing reachability analysis on safety-preserving abstractions of security protocols. In order to make this technique available for high level specification languages like HLPSL and PROUVE, we define safe and sound abstractions of protocol transition systems into rewriting systems. These abstractions allow the automated generation of approximation functions to ensure soundness of the reachability analysis. As our main purpose is to automate in so far as possible the analysis of protocols for an unbounded number of sessions, our abstraction/approximation based approach provides an efficient verification tool, TA4SP. This way, the requirement of an expert user can be removed from the verification chain

Handling Algebraic Properties in Automatic Analysis of Security Protocols

This paper extends the approximation-based theoretical framework in which the security problem secrecy preservation against an intruder may be semi-decided through a reachability verification. We explain how to cope with algebraic properties for an automatic approximation-based analysis of security protocols. We prove that if the initial knowledge of the intruder is a regular tree language, then the security problem may by semi-decided for protocols using cryptographic primitives with algebraic properties. More precisely, an automatically generated approximation function enables us 1) an automatic normalization of transitions, and 2) an automatic completion procedure. The main advantage of our approach is that the approximation function makes it possible to verify security protocols with an arbitrary number of sessions. The concepts are illustrated on an example of the view-only protocol using a cryptographic primitive with the exclusive or algebraic property

Handling Non Left-Linear Rules When Completing Tree Automata

International audienceThis paper addresses the following general problem of tree regular model-checking: decide whether the intersection of R*(L) and Lp is empty, where R* is the reflexive and transitive closure of a successor relation induced by a term rewriting system R, and L and Lp are both regular tree languages. We develop an automatic approximation-based technique to handle this -- undecidable in general -- problem in the case when term rewriting system rules are non left-linear

Handling Left-Quadratic Rules When Completing Tree Automata

International audienceThis paper addresses the following general problem of tree regular model-checking: decide whether the intersection of R*(L) and Lp is empty, where R* is the reflexive and transitive closure of a successor relation induced by a term rewriting system R, and L and Lp are both regular tree languages. We develop an automatic approximation-based technique to handle this -- undecidable in general -- problem in the case when term rewriting system rules are left-quadratic. The most common practical case is handled this way

Finer is better: Abstraction Refinement for Rewriting Approximations

International audienceTerm rewriting systems are now commonly used as a modeling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. For disproving reachability (i.e. proving non reachability of a term) on non terminating and non confluent rewriting models, Knuth-Bendix completion and other usual rewriting techniques do not apply. Using the tree automaton completion technique, it has been shown that the non reachability of a term t can be shown by computing an over-approximation of the set of reachable terms and prove that t is not in the over-approximation. However, when the term t is in the approximation, nothing can be said. In this paper, we improve this approach as follows: given a term t, we try to compute an over-approximation which does not contain t by using an approximation refinement that we propose. If the approximation refinement fails then t is a reachable term. This semi-algorithm has been prototyped in the Timbuk tool. We present some experiments with this prototype showing the interest of such an approach w.r.t. verification on rewriting models

Handling Algebraic Properties in Automatic Analysis of Security Protocols

This paper extends the approximation-based theoretical framework in which the security problem secrecy preservation against an intruder may be semi-decided through a reachability verification. We explain how to cope with algebraic properties for an automatic approximation-based analysis of security protocols. We prove that if the initial knowledge of the intruder is a regular tree language, then the security problem may by semi-decided for protocols using cryptographic primitives with algebraic properties. More precisely, an automatically generated approximation function enables us 1) an automatic normalization of transitions, and 2) an automatic completion procedure. The main advantage of our approach is that the approximation function makes it possible to verify security protocols with an arbitrary number of sessions. The concepts are illustrated on an example of the view-only protocol using a cryptographic primitive with the exclusive or algebraic property