The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Indeed, it has been used successfully to either reproduce or discover a number of such attacks. In this paper we give for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for invariant generation and its backwards reachability analysis method. This formal specification is given within the well-known rewriting framework so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved. We then use this formalization to prove some important meta-logical properties about the NPA inference system, including the soundness and completeness of the search algorithm and soundness of the grammar generation algorithm. The formalization and soundness and completeness theorems not only provide also a better understanding of the NPA as it currently operates, but provide a modular basis which can be used as a starting point for increasing the types of equational theories it can handle.

Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis. 1

Rewriting is a general and expressive way of specifying concurrent systems, where concurrent transitions are axiomatized by rewrite rules. Narrowing is a complete symbolic method for model checking reachability properties. We show that this method can be reinterpreted as a lifting simulation relating the original system and the symbolic system associated to the narrowing transitions. Since the narrowing graph can be infinite, this lifting simulation only gives us a semi-decision procedure for the failure of invariants. However, we propose new methods for folding the narrowing tree that can in practice result in finite systems that symbolically simulate the original system and can be used to algorithmically verify its properties. We also show how both narrowing and folding can be used to symbolically model check systems which, in addition, have state predicates, and therefore correspond to Kripke structures on which ACTL∗ and LTL formulas can be algorithmically verified using such finite symbolic abstractions.

Abstract. For narrowing to be an efficient evaluation mechanism, several lazy narrowing strategies have been proposed, although typically for the restricted case of left-linear constructor systems. These assumptions, while reasonable for functional programming applications, are too restrictive for a much broader range of applications to which narrowing can be fruitfully applied, including applications where rules have a non-equational meaning either as transitions in a concurrent system or as inferences in a logical system. In this paper, we propose an efficient lazy narrowing strategy called natural narrowing which can be applied to general term rewriting systems with no restrictions whatsoever. An important consequence of this generalization is the wide range of applications that can now be efficiently supported by narrowing. We highlight a few such applications including symbolic model checking, theorem proving, programming languages, and partial evaluation. What thus emerges is a general and efficient unified mechanism based on narrowing, that seamlessly integrates a very wide range of applications in programming and proving. 1

This paper describes several classes of term rewriting systems (TRS’s) where narrowing has a finite search space and is still (strongly) complete as a mechanism for solving reachability goals. These classes do not assume confluence of the TRS. We also ascertain purely syntactic criteria that suffice to ensure the termination of narrowing and include several subclasses of popular TRS’s such as right-linear TRS’s, almost orthogonal TRS’s, topmost TRS’s, and left-flat TRS’s. Our results improve and/or generalize previous criteria in the literature regarding narrowing termination.

Making high quality and reliable software systems remains a difficult problem. One approach to address this problem is automated verification which attempts to demonstrate algorithmically that a software sys-tem meets its specification. However, verification of software systems is not easy: such systems are often modeled using abstractions of infinite structures such as unbounded integers, infinite memory for allocation, unbounded space for call stack, unrestricted queue sizes and so on. It can be shown that for most classes of such systems, the verification problem is actually undecidable (there exists no algorithm which will always give the correct answer for arbitrary inputs). In spite of this negative theoretical result, techniques have been developed which are successful on some practical examples although they are not guaranteed to always work. This dissertation is in a similar spirit and develops a new paradigm for automated verification of large or infinite state systems. We observe that even if the state space of a system is infinite, for practi-cal examples, the set of reachable states (or other fixpoints needed for verification) is often expressible in a simple representation. Based on this observation, we propose an entirely new approach to verification: the idea is to use techniques from computational learning theory to identify the reachable states (or other fixpoints) and then verify the property of interest. To use learning techniques, we solve key problems of

Narrowing extends rewriting with logic capabilities by allowing logic variables in terms and replacing matching with unification. Narrowing has been widely used in different contexts, ranging from theorem proving (e.g., protocol verification) to language design (e.g., it forms the basis of functional logic languages). Surprisingly, the termination of narrowing has been mostly overlooked. In this paper, we present a new approach for analyzing the termination of narrowing in left-linear constructor systems—a widely accepted class of systems—that allows us to reuse existing methods in the literature on termination of rewriting.

Abstract. Maude is a high-performance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, and has a relatively large worldwide user and open-source developer base. This paper introduces novel features of Maude 2.4 including support for unification and narrowing. Unification is supported in Core Maude, the core rewriting engine of Maude, with commands and metalevel functions for order-sorted unification modulo some frequently occurring equational axioms. Narrowing is currently supported in its Full Maude extension. We also give a brief summary of the most important features of Maude 2.4 that were not part of Maude 2.0 and earlier releases. These features include communication with external objects, a new implementation of its module algebra, and new predefined libraries. We also review some new Maude applications. 1

Narrowing extends rewriting with logic capabilities by allowing logic variables in terms and by replacing matching with unification. Narrowing has been widely used in different contexts, ranging from theorem proving (e.g., protocol verification) to language design (e.g., it forms the basis of functional logic languages). Surprisingly, the termination of narrowing has been mostly overlooked. In this work, we present a novel approach for analyzing the termination of narrowing in left-linear constructor systems—a widely accepted class of systems—that allows us to reuse existing methods in the literature on termination of rewriting.

Abstract. An equational theory decomposed into a set B of equational axioms and a set ∆ of rewrite rules has the finite variant (FV) property in the sense of Comon-Lundh and Delaune iff for each term t there is a finite set {t1,..., tn} of →∆,B-normalized instances of t so that any instance of t normalizes to an instance of some ti modulo B. This is a very useful property for cryptographic protocol analysis, and for solving both unification and disunification problems. Yet, at present the property has to be established by hand, giving a separate mathematical proof for each given theory: no checking algorithms seem to be known. In this paper we give both a necessary and a sufficient condition for FV from which we derive, both an algorithm ensuring the sufficient condition, and thus FV, and another disproving the necessary condition, and thus disproving FV. These algorithms can check automatically a number of examples and counterexamples of FV known in the literature. 1