Compositional Model Checking, 1999
Cited by 2026 (60 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR, 1996
Cited by 548 (10 self)
In this paper we analyse the well known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size.
1 Introduction
In a distributed computer system, it is necessary to have some mechanism whereby a pair of agents can be assured of each other's identity---they should become sure that they really are talking to each other, rather than to an intruder impersonating the other agent. This is the role of an authentication protocol. In this paper we use the Failures Divergences Refinement Checker (FDR) [11, 5], a model checker for CSP, to analyse the Needham-Schroeder Public-Key Authentication Protocol [8]. FDR takes as input two CSP processes, ...
A Hierarchy of Authentication Specifications, 1997
Cited by 156 (4 self)
Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what "authentication" means. In this paper we suggest that the appropriate authentication requirement will depend upon the use to which the protocol is put, and identify several possible definitions of "authentication". We formalize each definition using the process algebra CSP, use this formalism to study their relative strengths, and show how the model checker FDR can be used to test whether a system running the protocol meets such a specification.
1 Introduction
Many security protocols have appeared in the academic literature; these protocols often have the aim of achieving authentication, i.e., one agent should become sure of the identity of the other. The protocols are designed to succeed even in the presence of a malicious agent, called an intruder, who has complete control over the communications network, and so can intercept ...
Classification of Security Properties (Part I: Information Flow), 2001
Cited by 79 (15 self)
In the recent years, many formalizations of security properties have been proposed, most of which are based on different underlying models and are consequently difficult to compare. A classification of security properties is thus of interest for understanding the relationships among different definitions and for evaluating the relative merits. In this paper, many non-interference-like properties proposed for computer security are classified and compared in a unifying framework. The resulting taxonomy is evaluated through some case studies of access control in computer systems. The approach has been mechanized, resulting in the tool CoSeC. Various extensions (e.g., the application to cryptographic protocol analysis) and open problems are discussed. This paper
The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties - IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 1996
Efficient Infinite-State Analysis of Security Protocols, 1999
Cited by 32 (0 self)
We propose a new method and present a tool for the analysis of cryptographic protocols. The method is based on symbolic state space search. It can be used to analyze thoroughly an infinite state space if the infiniteness is caused only by the infiniteness of the enemy but not by an unbounded number of interleaved protocol runs nor unbounded behaviours of single protocol participants. The method is complete for the class of protocols it is defined for and does not require user interaction to work.
1 Introduction
In this paper we consider the problem of analyzing cryptographic protocols by using symbolic state space enumeration and model checking. State space enumeration is the act of generating explicitly the state graph of a given system. By model checking we mean the act of verifying that the generated state graph has a certain structure defined by logical formulae. Symbolic state space enumeration is an extension of explicit state space enumeration: individual states are not enumer...
Using Magnetic Disk instead of Main Memory in the Murφ Verifier, 1998
Cited by 31 (2 self)
In verification by explicit state enumeration a randomly accessed state table is maintained. In practice, the total main memory available for this state table is a major limiting factor in verification. We describe a version of the explicit state enumeration verifier Murφ that allows using magnetic disk instead of main memory for storing almost all of the state table. The algorithm avoids costly random accesses to disk and amortizes the cost of linearly reading the state table from disk over all states in a certain breadth-first level. The remaining runtime overhead for accessing the disk can be strongly reduced by combining the scheme with hash compaction. We show how to do this combination efficiently and analyze the resulting algorithm. In experiments with three complex cache coherence protocols, the new algorithm achieves memory savings factors of one to two orders of magnitude with a runtime overhead of typically only around 15%.
Keywords protocol verification, expli...
Operational congruences for reactive systems, 2001
Cited by 31 (4 self)
This document consists of a slightly revised and corrected version of a dissertation
Formal Methods and the Development of Dependable Systems, 1996
Cited by 17 (4 self)
This document type describes the functions, data and dynamic behaviour of an object associated with a specific level. In addition, boundary conditions restricting the class of possible realisations for the object are documented. (2) Architecture Description: This is a design structure which decomposes the object under consideration and/or refines its data structures. The process of decomposition introduces new objects to be associated with a lower level, as well as interfaces between them. Each new object is associated with its own lower-level requirements description. In this way, the alternation between requirements and architecture documents can be recursively applied to the decomposition tree from system to module level
A Family of Attacks upon Authentication Protocols, 1997
Cited by 17 (1 self)
In this paper we present four similar attacks upon well known authentication protocols, and suggest that similar attacks exist for other protocols. Each of these attacks causes an agent B to think that another agent A is attempting to set up two (or more) simultaneous sessions with B, when in fact A is trying to establish only a single session. We describe how such an attack may have serious consequences.
1 Introduction
In a distributed computer system, it is necessary to have some mechanism whereby an agent can be assured of another's identity---the first agent should become sure that it really is talking to the other, rather than to an imposter impersonating the other agent. This is the role of an authentication protocol. In this paper we present attacks upon a number of authentication protocols. All the protocols we consider have a similar objective: in each protocol, an initiator A seeks to establish a session with a responder B, possibly with the help of a trusted server S. Wh...

