Results 1-10 of 34
A Rewriting-Based Inference System for the NRL Protocol Analyzer and its Meta-Logical Properties
2005
Cited by 32 (20 self)
Abstract. The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Indeed, it has been used successfully to either reproduce or discover a number of such attacks. In this paper we give for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for invariant generation and its backwards reachability analysis method. This formal specification is given within the well-known rewriting framework so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved. We then use this formalization to prove some important meta-logical properties about the NPA inference system, including the soundness and completeness of the search algorithm and soundness of the grammar generation algorithm. The formalization and soundness and completeness theorems not only provide a better understanding of the NPA as it currently operates, but provide a modular basis which can be used as a starting point for increasing the types of equational theories it can handle.
Symbolic Model Checking of Infinite-State Systems Using Narrowing
Cited by 17 (12 self)
Abstract. Rewriting is a general and expressive way of specifying concurrent systems, where concurrent transitions are axiomatized by rewrite rules. Narrowing is a complete symbolic method for model checking reachability properties. We show that this method can be reinterpreted as a lifting simulation relating the original system and the symbolic system associated to the narrowing transitions. Since the narrowing graph can be infinite, this lifting simulation only gives us a semi-decision procedure for the failure of invariants. However, we propose new methods for folding the narrowing tree that can in practice result in finite systems that symbolically simulate the original system and can be used to algorithmically verify its properties. We also show how both narrowing and folding can be used to symbolically model check systems which, in addition, have state predicates, and therefore correspond to Kripke structures on which ACTL∗ and LTL formulas can be algorithmically verified using such finite symbolic abstractions.
Algebraic intruder deductions
In Proceedings of LPAR’05, LNAI 3835, 2005
Cited by 16 (4 self)
Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis.
Natural narrowing for general term rewriting systems
Proc. of 16th International Conference on Rewriting Techniques and Applications, RTA’05, Lecture Notes in Computer Science, 2005
Cited by 10 (7 self)
Abstract. For narrowing to be an efficient evaluation mechanism, several lazy narrowing strategies have been proposed, although typically for the restricted case of left-linear constructor systems. These assumptions, while reasonable for functional programming applications, are too restrictive for a much broader range of applications to which narrowing can be fruitfully applied, including applications where rules have a non-equational meaning either as transitions in a concurrent system or as inferences in a logical system. In this paper, we propose an efficient lazy narrowing strategy called natural narrowing which can be applied to general term rewriting systems with no restrictions whatsoever. An important consequence of this generalization is the wide range of applications that can now be efficiently supported by narrowing. We highlight a few such applications including symbolic model checking, theorem proving, programming languages, and partial evaluation. What thus emerges is a general and efficient unified mechanism based on narrowing that seamlessly integrates a very wide range of applications in programming and proving.
Variant Narrowing and Equational Unification
In Proc. of WRLA 2008, ENTCS, 2009
Cited by 10 (8 self)
Abstract. Narrowing is a well-known complete procedure for equational E-unification when E can be decomposed as a union E = ∆ ⊎ B with B a set of axioms for which a finitary unification algorithm exists, and ∆ a set of confluent, terminating, and B-coherent rewrite rules. However, when B ≠ ∅, efficient narrowing strategies such as basic narrowing easily fail to be complete and cannot be used. This poses two challenges to narrowing-based equational unification: (i) finding efficient narrowing strategies that are complete modulo B under mild assumptions on B, and (ii) finding sufficient conditions under which such narrowing strategies yield finitary E-unification algorithms. Inspired by Comon and Delaune’s notion of E-variant for a term, we propose a new narrowing strategy called variant narrowing that has a search space potentially much smaller than full narrowing, is complete, and yields a finitary E-unification algorithm when E has the finite variant property. We furthermore identify a class of equational theories for which the finite bound ensuring the finite variant property can be effectively computed by a generic algorithm. We also discuss applications to the formal analysis of cryptographic protocols modulo the algebraic properties of the underlying cryptographic functions.
State space reduction in the Maude-NRL protocol analyzer
In ESORICS, 2008
Cited by 7 (2 self)
Abstract. The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way. Maude-NPA supports a wide variety of algebraic properties that includes many cryptosystems of interest such as, for example, one-time pads and Diffie-Hellman. Maude-NPA, like the original NPA, looks for attacks by searching backwards from an insecure attack state, and assumes an unbounded number of sessions. Because of the unbounded number of sessions and the support for different equational theories, it is necessary to develop ways of reducing the search space and avoiding infinite search paths. As a result, we have developed a number of state space reduction techniques. In order for the techniques to prove useful, they need not only to speed up the search, but should not violate soundness so that failure to find attacks still guarantees security. In this paper we describe the state space reduction techniques we use. We also provide soundness proofs, and experimental evaluations of their effect on the performance of Maude-NPA.
Termination of Narrowing Revisited
Cited by 6 (6 self)
Abstract. This paper describes several classes of term rewriting systems (TRS’s) where narrowing has a finite search space and is still (strongly) complete as a mechanism for solving reachability goals. These classes do not assume confluence of the TRS. We also ascertain purely syntactic criteria that suffice to ensure the termination of narrowing and include several subclasses of popular TRS’s such as right-linear TRS’s, almost orthogonal TRS’s, topmost TRS’s, and left-flat TRS’s. Our results improve and/or generalize previous criteria in the literature regarding narrowing termination.
Unification and Narrowing in Maude 2.4
2009
Cited by 5 (3 self)
Abstract. Maude is a high-performance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, and has a relatively large worldwide user and open-source developer base. This paper introduces novel features of Maude 2.4 including support for unification and narrowing. Unification is supported in Core Maude, the core rewriting engine of Maude, with commands and metalevel functions for order-sorted unification modulo some frequently occurring equational axioms. Narrowing is currently supported in its Full Maude extension. We also give a brief summary of the most important features of Maude 2.4 that were not part of Maude 2.0 and earlier releases. These features include communication with external objects, a new implementation of its module algebra, and new predefined libraries. We also review some new Maude applications.
Learning to Verify Systems
2006
Cited by 3 (1 self)
Abstract. Making high quality and reliable software systems remains a difficult problem. One approach to address this problem is automated verification which attempts to demonstrate algorithmically that a software system meets its specification. However, verification of software systems is not easy: such systems are often modeled using abstractions of infinite structures such as unbounded integers, infinite memory for allocation, unbounded space for call stack, unrestricted queue sizes and so on. It can be shown that for most classes of such systems, the verification problem is actually undecidable (there exists no algorithm which will always give the correct answer for arbitrary inputs). In spite of this negative theoretical result, techniques have been developed which are successful on some practical examples although they are not guaranteed to always work. This dissertation is in a similar spirit and develops a new paradigm for automated verification of large or infinite state systems. We observe that even if the state space of a system is infinite, for practical examples, the set of reachable states (or other fixpoints needed for verification) is often expressible in a simple representation. Based on this observation, we propose an entirely new approach to verification: the idea is to use techniques from computational learning theory to identify the reachable states (or other fixpoints) and then verify the property of interest. To use learning techniques, we solve key problems of
Termination of Narrowing in Left-Linear Constructor Systems
Cited by 3 (2 self)
Abstract. Narrowing extends rewriting with logic capabilities by allowing logic variables in terms and replacing matching with unification. Narrowing has been widely used in different contexts, ranging from theorem proving (e.g., protocol verification) to language design (e.g., it forms the basis of functional logic languages). Surprisingly, the termination of narrowing has been mostly overlooked. In this paper, we present a new approach for analyzing the termination of narrowing in left-linear constructor systems—a widely accepted class of systems—that allows us to reuse existing methods in the literature on termination of rewriting.