A review of Proverif as an automatic security protocol verifier

Recommendations

Info

When studying ProVerif, we have found that the verifier has several desirable properties for protocol verification. First, it can handle an unbounded number of protocol runs. Second, it uses a fairly extensive threat model, the Dolev-Yao model, which means it gives a lot of power to the attacker. The translation from a protocol definition to a protocol specification seems to be difficult at times but mostly straightforward, and two distinct languages, the applied pi calculus and Horn clauses, are provided as specification languages. When analyzing the protocol specification, several assumptions are made which might lead to finding false attacks. However, all these assumptions do not influence the ability to find attacks in unsafe protocols (i.e. the sensitivity), therefore, if an attack exists, ProVerif will find one. The application of Proverif to real-life protocols is very common in academic environments, as testified by the extensive collection of literature in which is it used. In using the verifier, researchers note that they have more difficulty modeling some properties and requirements of protocols in ProVerif compared to other protocol verifiers. ProVerif seems to be otherwise successful in finding new attacks, and even sometimes finds attacks in protocols that have already been analyzed with other protocol verifiers. Currently, one of the major challenges for any protocol verifier is succesfully modelling the algebraic properties of cryptographic primitives such as Diffie- Hellman encryption or the XOR operation. At first glance, ProVerif has difficulties to effectively represent protocols that contain such primitives. However, we found literature that describes techniques for rewriting protocol specifications so that they can represent the algebraic properties involved as well. Tools have been developed and included with the ProVerif distribution package that perform such rewriting tasks automatically. Since ProVerif is open source and licensed under the GNU GPL, such tools could also be merged with ProVerif itself, though performance considerations might dictate otherwise. The developers of ProVerif have made several claims about the verifier, such as its speed and memory usage. Studies that compare ProVerif to other verifiers indeed show that ProVerif performs quite well in these aspects. No conclusive studies that compare the usability for researchers of such tools, but the remarks by researchers about the translation of protocol definitions to specifications seem to indicate that ProVerif is somewhat lacking in this direction. Summing up, ProVerif seems to be a widely applicable tool with a good track record. On the other side, some other verifiers seem to surpass ProVerif on certain points. However, if you require a tool that can quickly verify a protocol in one of the more general threat models, ProVerif is still a very good choice.
References 1. M. Abadi. Security Protocols and their Properties. In Foundations of Secure Computation, NATO Science Series, pages 39–60. IOS Press, 2000. 2. M. Abadi, B. Blanchet, and C. Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security, 10(3):9, 2007. 3. A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, Hankes P. Drielsma, P. C. Heám, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. Computer Aided Verification, pages 281–285, 2005. 4. M. Backes, C. Hritcu, and M. Maffei. Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus. In CSF ’08: Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium, pages 195–209, Washington, 2008. IEEE. 5. M. Baudet, V. Cortier, and S. Delaune. YAPA: A generic tool for computing intruder knowledge. In Rewriting Techniques and Applications, volume 5595 of Lecture Notes in Computer Science, pages 148–163. Springer Berlin / Heidelberg, 2009. 6. S. M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In IEEE Symposium on Security and Privacy, pages 72–84, 1992. 7. B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In CSFW ’01: Proceedings of the 14th IEEE workshop on Computer Security Foundations, page 82, Washington, 2001. IEEE. 8. B. Blanchet and A. Chaudhuri. Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In Proceedings of the 29th IEEE Symposium on Security and Privacy (S&P’08), pages 417–431. IEEE, 2008. 9. B. Blanchet and C. Fournet. Automated Verification of Selected Equivalences for Security Protocols. In LICS ’05: Proceedings of the 20th Annual IEEE Symposium on Logic in Computer Science, pages 331–340, Washington, 2005. IEEE. 10. O. Cetinkaya and A. Doganaksoy. A Practical Verifiable e-Voting Protocol for Large Scale Elections over a Network. In ARES ’07: Proceedings of the The Second International Conference on Availability, Reliability and Security, pages 432–442, Washington, 2007. IEEE. 11. R. Chang and V. Shmatikov. Formal Analysis of Authentication in Bluetooth Device Pairing. In 1st International Symposium on Leveraging Applications of Formal Methods (ISOLA04), 2007. 12. Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In FST TCS 2003: Foundations of Software Technology and Theoretical Computer Science, volume 2914 of Lecture Notes in Computer Science, pages 124–135. Springer Berlin / Heidelberg, 2003. 13. W. F. Clocksin and C. S. Mellish. Programming in Prolog. Springer-Verlag, New York, NY, USA, 1987. 14. H. Comon-Lundh and V. Cortier. Computational soundness of observational equivalence. In CCS ’08: Proceedings of the 15th ACM conference on Computer and communications security, pages 109–118, New York, 2008. ACM. 15. V. Cortier, H. Hördegen, and B. Warinschi. Explicit randomness is not necessary when modeling probabilistic encryption. Electronic Notes in Theoretical Computer
Page 1 and 2: A review of ProVerif as an automati
Page 3 and 4: ProVerif uses the concept of a Horn
Page 5 and 6: 3 Practical applications The verifi
Page 7 and 8: Bluetooth 2.1. In Bluetooth 2.1, Si
Page 9 and 10: have also published a tool, XOR-Pro
Page 11 and 12: Most existing protocol verifiers ba
Page 13: 5.3 Usability To our knowledge, no
Page 17: 33. C. Meadows. A Model of Computat

A review of Proverif as an automatic security protocol verifier

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?