extending proverif s resolution algorithm for verifying
play

Extending ProVerifs Resolution Algorithm for Verifying Group - PowerPoint PPT Presentation

Apr 01, 2023 •131 likes •692 views

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup

  1. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerif’s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup´ erieure June 25, 2010 Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 1 / 24

  2. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Contents Introduction 1 Representation with Horn clauses Resolution Group Protocols 2 Generalized Horn Clauses 3 Syntax Resolution algorithm 4 Extension of the definition of Resolution Relation with Horn clauses The Algorithm Conclusions and Further works 5 Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 2 / 24

  3. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Cryptographic protocols and their Verification Cryptographic protocols are protocols that perform a security-related function and apply cryptographic methods. The confidence in these protocols can be increased by a formal analysis in order to verify security properties considering cryptographic primitives as black boxes. For an unbounded number of sessions � undecidability. Group protocols are protocols that involve an unbounded number of participants � the number of steps and the form of messages depend on the number of participants. Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 3 / 24

  4. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Overview of ProVerif Properties to prove: Protocol: Pi calculus + cryptography secrecy, authentication,... Automatic translator Derivability queries Horn clauses Resolution with selection The property is true Potential attack Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 4 / 24

  5. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  6. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  7. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  8. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  9. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  10. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  11. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  12. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  13. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , y ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  14. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , y ) attacker( pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ]))) ⇒ attacker( sencrypt ( s , y )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  15. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Representation of a protocol Messages are represented by patterns p ::= x | a [ p 1 , . . . , p n ] | f ( p 1 , . . . , p n ) � a , b � , sencrypt ( s , pk ) Properties are represented by facts F ::= attacker( p ) The protocol and the abilities of the attacker are represented by Horn clauses F 1 ∧ · · · ∧ F n ⇒ F attacker( s ) ∧ attacker( pk ) ⇒ attacker( sencrypt ( s , pk )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 6 / 24

  16. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Resolution Resolution Definition (Resolution) H 1 ⇒ C 1 F ∧ H 2 ⇒ C 2 σ ( H 1 ∧ H 2 ) ⇒ σ C 2 where σ is the most general unifier of C 1 and F . The selection function selects: a hypothesis not of the form attacker( x ) if possible, the conclusion otherwise Resolve until a fixpoint is reached. Keep clauses whose conclusion is selected. Theorem The obtained clauses derive the same facts as the initial clauses Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 7 / 24

  17. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Example Asokan-Ginzboorg protocol Let the set of players be { a i , i = 1 , . . . , n + 1 } for n ≥ 1 and a n +1 be the leader. The protocol describes the establishment of a session key between the leader and the other n participants. a n +1 → ALL : � a n +1 , sencrypt ( e , p ) � (1) a i → a n +1 : � a i , sencrypt ( � r i , s i � , e ) � (2) a n +1 → a i : sencrypt ( � s 1 , . . . , s n , s n +1 � , r i ) (3) a i → a n +1 : � a i , sencrypt ( � s i , h ( s 1 , . . . , s n +1 ) � , K ) � , for some i (4) where K = f ( s 1 , . . . , s n +1 ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 8 / 24

  18. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Syntax Generalized Horn Clauses Syntax 1 p G , s , t ::= patterns x ( ι 1 ,...,ι h ) where 0 ≤ h variable f ( p G 1 , . . . , p G l ) function application a ι [ p G 1 , . . . , p G l ] indexed names mpair ( i , p G ) list constructor F G ::= facts attacker( p G ) fact ( i 1 ,..., i h ) ∈ I F G � conjunction fact R G ::= F G 1 ∧ · · · ∧ F G n ∧ δ ⇒ F G generalized Horn clause Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 9 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01]

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01]

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01] ProVerif is a verifier for cryptographic protocols that may prove that a protocol is secure or exhibit attacks. http://proverif.inria.fr Advantages

727 views • 39 slides
Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

First-order Predicate Logic Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but useless in practice. We upgrade resolution to make it work for predicate logic. 2 Recall: resolution in propositional

790 views • 32 slides
Verifying Richard Birds On building trees of The algorithm Implementation minimum

Verifying Richard Birds On building trees of The algorithm Implementation minimum

The pearl Verifying Richard Birds On building trees of The algorithm Implementation minimum height L.T. van Binsbergen J.P. Pizani Flor Department of Information and Computing Sciences, Utrecht University Wednesday 26 th June, 2013

234 views • 11 slides
Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza,

Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza,

Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza, and J. Rubio Department of Mathematics and Computer Science, University of La Rioja Calculemus 2012 Partially supported by Ministerio de

797 views • 69 slides
Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ? Pros and Cons with respect to Double Parton Analysis. Resolution of the COT Only,SVX Only and COT+SVX Tracks in the Jets Calculating the Jet

326 views • 4 slides
Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, CAS Joint work with Dong Lu, Dingkang Wang and Jie Zhou July 16-19, 2018, City University of New

571 views • 39 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel

Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel

Why coercions? A naive algorithm Constraint-based algorithm Conclusion Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel Stefan Berghofer Tobias Nipkow APLAS 2011 Isabelle nat<:int =

1.23k views • 61 slides
Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of

Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of

Introduction Verifying a Robot Swarm Algorithm Dealing with Uncertainty Conclusions Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of Liverpool, UK cldixon@liverpool.ac.uk in collaboration with

289 views • 25 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN

CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN

CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN RECOVERY AND RESOLUTION SUMMIT Frankfurt, 5 July 2017 David Blache, Deputy Director for Resolution, ACPR (Resolution Authority, France) 1

292 views • 27 slides
Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model

Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model

Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model theory Henri Hansen October 1, 2013 1 Resolution Resolution is a sound and complete algorithm for propositional logic: A formula in clausal

543 views • 40 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Parametric Linear Temporal Logics Joint work with Peter Faymonville, Florian Horn, Wolfgang

Parametric Linear Temporal Logics Joint work with Peter Faymonville, Florian Horn, Wolfgang

Parametric Linear Temporal Logics Joint work with Peter Faymonville, Florian Horn, Wolfgang Thomas, and Nico Wallmeier Martin Zimmermann Saarland University March 10th, 2015 Aalborg University, Aalborg, Denmark Martin Zimmermann Saarland

1.13k views • 89 slides
Jumps and Non-jumps in q -Multigraphs Steve La Fleur (Joint work with Paul Horn and Vojt ech

Jumps and Non-jumps in q -Multigraphs Steve La Fleur (Joint work with Paul Horn and Vojt ech

Preliminary Known Results Jumps and Non-jumps in q -Multigraphs Steve La Fleur (Joint work with Paul Horn and Vojt ech R odl) May 14, 2011 Steve La Fleur (Joint work with Paul Horn and Vojt ech R odl) Jumps and Non-jumps in q

604 views • 32 slides
9-20-18 Our school is a Title I Schoolwide Program What does this mean? Title I Schoolwide

9-20-18 Our school is a Title I Schoolwide Program What does this mean? Title I Schoolwide

HORN ELEMENTARY 2018-2019 TITLE 1 MEETING 9-20-18 Our school is a Title I Schoolwide Program What does this mean? Title I Schoolwide Program means Additional funding for our school- $153,092.00 From the Every Student Succeeds Act

736 views • 7 slides
J-PARC Neutrino Beam Facility , loss 2 2 Data accumulation 6 n e events (indication) Horn ps

J-PARC Neutrino Beam Facility , loss 2 2 Data accumulation 6 n e events (indication) Horn ps

T2K Beam Operation Summary (earthquake recovery and beamline survey) NBI 2012 T. Ishii (KEK) for the T2K beam group 1 J-PARC Neutrino Beam Facility , loss 2 2 Data accumulation 6 n e events (indication) Horn ps maintenance trouble

369 views • 16 slides
Reasoning About the Behavior of Semantic Web Services with Concurrent Transaction Logic 33rd

Reasoning About the Behavior of Semantic Web Services with Concurrent Transaction Logic 33rd

Reasoning About the Behavior of Semantic Web Services with Concurrent Transaction Logic 33rd International Conference on Very Large Data Bases (VLDB) September 23-27 2007, Vienna, Austria Dumitru Roman 1 and Michael Kifer 2 1 University of

803 views • 36 slides
The dimension of the full nonuniformly hyperbolic horseshoe Cao Yongluo Email: ylcao@suda.edu.cn

The dimension of the full nonuniformly hyperbolic horseshoe Cao Yongluo Email: ylcao@suda.edu.cn

The dimension of the full nonuniformly hyperbolic horseshoe Cao Yongluo Email: ylcao@suda.edu.cn Soochow University Cao Yongluo (Suzhou University) The dimension of the full nonuniformly hyperbolic horseshoe 1 / 30 Contents Motivation 1

526 views • 33 slides
Lagrange and Markov spectra & dynamics of horseshoes Carlos Matheus CNRS Ecole

Lagrange and Markov spectra & dynamics of horseshoes Carlos Matheus CNRS Ecole

Introduction Main results Cusick conjecture dim ( M \ L ) < 0 . 888 Lagrange and Markov spectra & dynamics of horseshoes Carlos Matheus CNRS Ecole Polytechnique November 5, 2019 C. Matheus L , M and horseshoes Introduction

739 views • 57 slides
Topological Entropy of Compact Subsystems of Transitive Real Line Maps Martha cka joint work

Topological Entropy of Compact Subsystems of Transitive Real Line Maps Martha cka joint work

Topological Entropy of Compact Subsystems of Transitive Real Line Maps Martha cka joint work with: Dominik Kwietniak (UJ) North Bay, July 23, 2013 M. cka Topological Entropy of Compact Subsystems... Canovas-Rodriguez Entropy CR

893 views • 54 slides

More recommend