A review of Proverif as an automatic security protocol verifier

Recommendations

Info

obtained from these practical examples tell us how ProVerif is used in the field and what problems researchers encountered using the tool. But what about the limitations of ProVerif itself? What are protocols or parts or properties of protocols which we might want to model in ProVerif, but are unable to? For instance, it is difficult to model algebraic properties like XOR [28] and Diffie-Hellman key exchange [29] in ProVerif. We compare ProVerif to Scyther[17], YAPA[5] and the AVISPA[3] toolkit, primarily focusing on the efficiency of the verification of protocols. ProVerif uses a technique called unification to prune the state space of the protocol. Unification allows ProVerif to assert that some property holds for a larger part of the state space without examining all the states, effectively reducing the state space. We think that our review will lead to a better understanding of the reasons that motivate the use of ProVerif for verifying security protocols. Organisation of the paper. In Section 2 we formulate what it means for ProVerif to be successful. With this definition in mind, we look at practical examples where ProVerif is used as the verifier in Section 3, to determine the role it plays in the actual verification of protocols. Section 4 describes limitations found by other researchers and how these can be resolved. Section 5 summarizes literature that describes how ProVerif compares to other automatic verifiers. We provide a conclusion to this paper in Section 6. 2 Description of ProVerif The protocol verifier ProVerif was developed by Bruno Blanchet [7]. Because other protocol verifiers already existed before ProVerif 2 , the author claims that it distinguishes itself from the competition in three ways[7]: – ProVerif models attacks that an attacker can perform. Such an attack might consist of multiple concurrent executions of the protocol. ProVerif does not limit the number of concurrent protocol runs that a modelled attacker may execute. It therefore is able to find attacks that require any number of concurrent protocol runs. – It is fully automatic, i.e. after starting the verifier, it does not need any user input to complete its task. – It does not significantly suffer from state space explosion. Security protocol researchers define protocols with the arrow notation as described in [1]. When a user wishes to employ any protocol verifier, he takes this protocol definition in arrow notation and translates it into instructions that are readable for his verifier. This set of instructions is called the protocol specification. Afterwards, the user provides the verifier with the specification, and after some calculations, the verifier announces whether certain assertions about the protocol were valid. 2 For example NRL ([33]) and Isabelle ([37])
ProVerif uses the concept of a Horn clause 3 as the unit of its specification language. In this context, a Horn clause is an inference rule about knowledge of the adversary. An example of such a Horn clause might be “If one has a ciphertext and the corresponding key, one might also know the plaintext”. A set of Horn clauses is called a Horn theory. Therefore, one could say that protocol specifications in ProVerif are Horn theories. The developers of ProVerif created the possibility to specify the protocol in an alternative language, the applied pi calculus 4 , which is convenient for people already familiar with this specification framework. When a user translates a protocol definition to a ProVerif protocol specification, he specifies the possible ways an attacker can gather more knowledge. In ProVerif, this amounts to three different types of declaration: – The user models initial knowledge of the attacker as a tautology, a logical statement without conditions. An example of such a clause would be initial knowledge of the public keys of all participants of the protocol. – Computational capabilities are modelled in separate clauses. For example, if the attacker has posession of a (decryption) key and a ciphertext, he may use it to decrypt the ciphertext if it is encrypted with that key. – A protocol definition that is written in the arrow notation contains a list of protocol steps which necessesarily occur in that order. The user adds rules that describe these steps - one for each step in the protocol definition. To ensure the proper order of messages is preserved, the application of such a rule may only occur if the previous steps have already occurred. The first and the third step in the translation of the protocol definition are straightforward. Each element in the protocol definition corresponds with a rule in the protocol specification. However, the second step might require some additional work, especially if mathematical properties are directly related to the functionality of the protocol. Examples of such constructs are Diffie-Hellman key exchange and the use of the XOR-operator. The difficulties and limitations of the implementation of such constructs is discussed at length in 4. The user formulates an assertion about the knowledge of the attacker, such as ‘The attacker knows the secret s’. Now, ProVerif will try to construct a sequence of steps for the attacker to achieve the fact that is stated in the assertion. The idea behind the algorithm at the heart of ProVerif is that it applies the rules stated in the protocol specification in an efficient way. However, for the algorithm to terminate when no attack exists, it is necessary to apply some unification, i.e. to recognize when two states of protocol execution are effectively ‘the same’. If we merge two such effectively identical states, we could limit the space we need to search. The intermediate representation of the states of the protocol run in ProVerif are simple enough to enable it to effectively unify such states [7]. 3 Horn clauses are a concept from Prolog programming and are introduced at length in [13]. 4 Fournet and Abadi describe the applied pi calculus in [23].
Page 1: A review of ProVerif as an automati
Page 5 and 6: 3 Practical applications The verifi
Page 7 and 8: Bluetooth 2.1. In Bluetooth 2.1, Si
Page 9 and 10: have also published a tool, XOR-Pro
Page 11 and 12: Most existing protocol verifiers ba
Page 13 and 14: 5.3 Usability To our knowledge, no
Page 15 and 16: References 1. M. Abadi. Security Pr
Page 17: 33. C. Meadows. A Model of Computat

A review of Proverif as an automatic security protocol verifier

Create successful ePaper yourself

Delete template?

Save as template?