Results 1  10
of
41
Symbolic Model Checking of InfiniteState Systems Using Narrowing
"... Rewriting is a general and expressive way of specifying concurrent systems, where concurrent transitions are axiomatized by rewrite rules. Narrowing is a complete symbolic method for model checking reachability properties. We show that this method can be reinterpreted as a lifting simulation relatin ..."
Abstract

Cited by 24 (12 self)
 Add to MetaCart
(Show Context)
Rewriting is a general and expressive way of specifying concurrent systems, where concurrent transitions are axiomatized by rewrite rules. Narrowing is a complete symbolic method for model checking reachability properties. We show that this method can be reinterpreted as a lifting simulation relating the original system and the symbolic system associated to the narrowing transitions. Since the narrowing graph can be infinite, this lifting simulation only gives us a semidecision procedure for the failure of invariants. However, we propose new methods for folding the narrowing tree that can in practice result in finite systems that symbolically simulate the original system and can be used to algorithmically verify its properties. We also show how both narrowing and folding can be used to symbolically model check systems which, in addition, have state predicates, and therefore correspond to Kripke structures on which ACTL∗ and LTL formulas can be algorithmically verified using such finite symbolic abstractions.
Variant Narrowing and Equational Unification
 In Proc. of WRLA 2008, ENTCS
, 2009
"... Abstract. Narrowing is a wellknown complete procedure for equational Eunification when E can be decomposed as a union E = ∆ ⊎ B with B a set of axioms for which a finitary unification algorithm exists, and ∆ a set of confluent, terminating, and Bcoherent rewrite rules. However, when B ̸ = ∅, ef ..."
Abstract

Cited by 13 (7 self)
 Add to MetaCart
Abstract. Narrowing is a wellknown complete procedure for equational Eunification when E can be decomposed as a union E = ∆ ⊎ B with B a set of axioms for which a finitary unification algorithm exists, and ∆ a set of confluent, terminating, and Bcoherent rewrite rules. However, when B ̸ = ∅, efficient narrowing strategies such as basic narrowing easily fail to be complete and cannot be used. This poses two challenges to narrowingbased equational unification: (i) finding efficient narrowing strategies that are complete modulo B under mild assumptions on B, and (ii) finding sufficient conditions under which such narrowing strategies yield finitary Eunification algorithms. Inspired by Comon and Delaune’s notion of Evariant for a term, we propose a new narrowing strategy called variant narrowing that has a search space potentially much smaller than full narrowing, is complete, and yields a finitary Eunification algorithm when E has the finite variant property. We furthermore identify a class of equational theories for which the finite bound ensuring the finite variant property can be effectively computed by a generic algorithm. We also discuss applications to the formal analysis of cryptographic protocols modulo the algebraic properties of the underlying cryptographic functions. 1
Security protocol verification: Symbolic and computational models
 PRINCIPLES OF SECURITY AND TRUST  FIRST INTERNATIONAL CONFERENCE, POST 2012, VOLUME 7215 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2012
"... Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementa ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
(Show Context)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Representing the MSR Cryptoprotocol Specification Language in an Extension of Rewriting Logic with Dependent Types
, 2004
"... This paper presents a shallow and hence efficient embedding of the security protocol specification language MSR into rewriting logic with dependent types, an instance of the open calculus of constructions which integrates key concepts from equational logic, rewriting logic, and type theory. MSR is b ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
This paper presents a shallow and hence efficient embedding of the security protocol specification language MSR into rewriting logic with dependent types, an instance of the open calculus of constructions which integrates key concepts from equational logic, rewriting logic, and type theory. MSR is based on a form of firstorder multiset rewriting extended with existential name generation and a flexible type infrastructure centered on dependent types with subsorting. This encoding is intended to serve as the basis for implementing an MSR specification and analysis environment using existing firstorder rewriting engines such as Maude.
State space reduction in the MaudeNRL protocol analyzer
 In ESORICS
, 2008
"... Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way. MaudeNPA supports a wide variety of algebraic properties that includes many cryptosystems of interest such as, for example, onetime pads and DiffieHellman. MaudeNPA, like the original NPA, looks for attacks by searching backwards from an insecure attack state, and assumes an unbounded number of sessions. Because of the unbounded number of sessions and the support for different equational theories, it is necessary to develop ways of reducing the search space and avoiding infinite search paths. As a result, we have developed a number of state space reduction techniques. In order for the techniques to prove useful, they need not only to speed up the search, but should not violate soundness so that failure to find attacks still guarantees security. In this paper we describe the state space reduction techniques we use. We also provide soundness proofs, and experimental evaluations of their effect on the performance of MaudeNPA. 1
Equational cryptographic reasoning in the MaudeNRL Protocol Analyzer
 In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science. Elsevier Sciences Publisher
, 2006
"... Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
(Show Context)
Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ ⊎ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Ordersorted Bunification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted Bunifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the MaudeNPA with an example involving the DiffieHellman key agreement protocol. 1
Modular termination of basic narrowing
 In: 19th International Conference on Rewriting Techniques and Applications (RTA). Lecture Notes in Computer Science
, 2008
"... Abstract. Basic narrowing is a restricted form of narrowing which constrains narrowing steps to a set of nonblocked (or basic) positions. Basic narrowing has a number of important applications including equational unification in canonical theories. Another application is analyzing termination of na ..."
Abstract

Cited by 8 (7 self)
 Add to MetaCart
Abstract. Basic narrowing is a restricted form of narrowing which constrains narrowing steps to a set of nonblocked (or basic) positions. Basic narrowing has a number of important applications including equational unification in canonical theories. Another application is analyzing termination of narrowing by checking the termination of basic narrowing, as done in pioneering work by Hullot. In this work, we study the modularity of termination of basic narrowing in hierarchical combinations of TRSs, including a generalization of proper extensions with shared subsystem. This provides new algorithmic criteria to prove termination of basic narrowing. 1
Unification and Narrowing in Maude 2.4
, 2009
"... Maude is a highperformance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, and has a relatively large worldwide user and opensource developer base. This paper introduces novel features of Maude 2.4 incl ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
(Show Context)
Maude is a highperformance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, and has a relatively large worldwide user and opensource developer base. This paper introduces novel features of Maude 2.4 including support for unification and narrowing. Unification is supported in Core Maude, the core rewriting engine of Maude, with commands and metalevel functions for ordersorted unification modulo some frequently occurring equational axioms. Narrowing is currently supported in its Full Maude extension. We also give a brief summary of the most important features of Maude 2.4 that were not part of Maude 2.0 and earlier releases. These features include communication with external objects, a new implementation of its module algebra, and new predefined libraries. We also review some new Maude applications.
A modular Equational Generalization Algorithm
, 2008
"... Abstract. This paper presents a modular equational generalization algorithm, where function symbols can have any combination of associativity, commutativity, and identity axioms (including the empty set). This is suitable for dealing with functions that obey algebraic laws, and are typically mechani ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a modular equational generalization algorithm, where function symbols can have any combination of associativity, commutativity, and identity axioms (including the empty set). This is suitable for dealing with functions that obey algebraic laws, and are typically mechanized by means of equational atributes in rulebased languages such as ASF+SDF, Elan, OBJ, CafeOBJ, and Maude. The algorithm computes a complete set of least general generalizations modulo the given equational axioms, and is specified by a set of inference rules that we prove correct. This work provides a missing connection between least general generalization and computing modulo equational theories, and opens up new applications of generalization to rulebased languages, theorem provers and program manipulation tools such as partial evaluators, test case generators, and machine learning techniques, where function symbols obey algebraic axioms. A Web tool which implements the algorithm has been developed which is publicly available.
Termination of Narrowing Revisited
"... This paper describes several classes of term rewriting systems (TRS’s) where narrowing has a finite search space and is still (strongly) complete as a mechanism for solving reachability goals. These classes do not assume confluence of the TRS. We also ascertain purely syntactic criteria that suffice ..."
Abstract

Cited by 7 (7 self)
 Add to MetaCart
This paper describes several classes of term rewriting systems (TRS’s) where narrowing has a finite search space and is still (strongly) complete as a mechanism for solving reachability goals. These classes do not assume confluence of the TRS. We also ascertain purely syntactic criteria that suffice to ensure the termination of narrowing and include several subclasses of popular TRS’s such as rightlinear TRS’s, almost orthogonal TRS’s, topmost TRS’s, and leftflat TRS’s. Our results improve and/or generalize previous criteria in the literature regarding narrowing termination.