## Constraint logic based verification of security protocols

The CL-AtSe tool (CL-based Model-Checker), developed by the INRIA-CASSIS partner from Nancy (France), translates any security protocol specification written in AVISPA's Intermediate Format (IF) into a set of constraints that can be used effectively to find attacks on protocols. Both translation and checking are fully automatic and performed internally by CL-AtSe, i.e. no external tool is used. In this approach, each protocol step is modelled by a set of minimal constraints on the adversary's knowledge. For example, a message received by an honest participant is a forgeability constraint on the adversary: the adversary must be able to build that message from what it knows at that point. Likewise, side conditions such as equality, inequality, and membership or non-membership in a list are constraints too.

The most important advantages of CL-AtSe are the following:

- Input Treatment: First, CL-AtSe reads and interprets AVISPA's Intermediate Format. Each role in the IF file is partially pre-executed to extract an exact and relatively minimal list of constraints modelling it. The participants' states and knowledge are eliminated through the use of global variables, which yields a very simple and rapidly executable protocol specification. Second, CL-AtSe performs various strong simplifications on this extracted protocol specification. This second treatment of the input accounts for an important part of CL-AtSe's speed. In particular, CL-AtSe can eliminate protocol steps and merge them together. It can also decompose sent and received messages, and eliminate parts of them when it can be statically decided whether the adversary will be able, or will never be able, to use or create them. In the end, all that remains of the former protocol specification is its very essence.

- Protocol execution: Following the idea of the lazy intruder technique developed for AVISS and extended by the AVISPA group, a protocol state (i.e. both the intruder's and the honest participants' state) is represented by a set of constraints on the (global) protocol variables. These constraints are not solved immediately, but kept in an appropriate data structure on which only satisfiability is checked. A protocol step is executed by adding new constraints to the system and reducing or eliminating other constraints accordingly, in a lazy way. At each step the system state is then tested against the provided set of security properties. Many optimisations have been included here to be as efficient as possible; for example, great care was taken to avoid collisions between system states and to avoid useless computations. The analysis algorithm used by CL-AtSe is designed for a bounded number of loops, i.e. a bounded number of protocol steps in any trace. With a bounded number of loop iterations, the search for attacks is correct and complete.

- Human-readable output: When an attack is found, CL-AtSe tries to produce a clear, readable attack description in an extension of the output format. It can also produce output strictly compliant with the official AVISPA format, to be used for the generation of a graphical message sequence chart.

- Handling of algebraic properties: CL-AtSe can perform the search for attacks modulo some algebraic properties. While this list is expandable in the future, the tool currently supports a partial associativity of concatenation and some xor and exponential properties. Associativity of concatenation is partial in the sense that all solutions of the unification modulo associativity are found, except those that require the generation of new variables. While incomplete, this already gives many interesting results: in the project test suite, for example, CL-AtSe reports many potential security flaws modulo associativity that other tools do not. CL-AtSe can also validate these protocols without associativity. Recently, a set of properties of algebraic operators has been included in CL-AtSe, namely the ACUN properties of the xor operator and some properties of the exponential. A natural extension of this work is to implement the intruder deduction rules in a modular way, so that adding a new theory to CL-AtSe only requires adding a new small module to the system.

- Tool results: The CL-AtSe tool has proved to be extremely efficient on protocol analysis, especially when the associativity of concatenation is not required. In such cases, CL-AtSe is usually much faster than all other tools of the test suite. Moreover, CL-AtSe is able to perform verification and validation of security protocols modulo various algebraic properties (partial associativity, xor, exponential). Such theories are intended to be complemented by new ones in the future. Also, decision techniques developed by other groups will be adapted for CL-AtSe, in order to improve the protocol simplification phase or to weaken the restriction of a bounded number of sessions.
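The idea from the introduction and the "Protocol execution" item, that every message an honest participant receives is a forgeability constraint on the intruder's accumulated knowledge, is illustrated below with an added example that is not part of CL-AtSe or the AVISPA tool set. It is a ground-term Dolev-Yao derivability check over a constructed two-message exchange (agent names, keys and nonces are made-up labels); it does not model variables, unification or the lazy solving order, only the constraint check itself.

```python
"""Forgeability constraints over a constructed protocol trace (added example)."""
from typing import FrozenSet, List, Set, Tuple, Union

# A term is an atom (str) or ('pair', t1, t2) / ('enc', plaintext, symmetric_key).
Term = Union[str, tuple]

def analyse(knowledge: Set[Term]) -> FrozenSet[Term]:
    """Saturate the intruder's knowledge: split pairs, decrypt with known keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == 'pair':
                new = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'enc' and t[2] in known:
                new = {t[1]}                  # key is directly known: decrypt
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)

def derivable(knowledge: FrozenSet[Term], m: Term) -> bool:
    """Synthesis: m is forgeable if known outright or buildable from forgeable parts."""
    if m in knowledge:
        return True
    if isinstance(m, tuple) and m[0] in ('pair', 'enc'):
        return derivable(knowledge, m[1]) and derivable(knowledge, m[2])
    return False

def check_constraints(initial: Set[Term], steps: List[Tuple[str, Term]]) -> list:
    """'send' steps enlarge the intruder's knowledge (it sees every message);
    each 'recv' step is a constraint K |- m. Returns (step index, satisfiable)."""
    knowledge = set(initial)
    results = []
    for i, (kind, term) in enumerate(steps):
        if kind == 'send':
            knowledge.add(term)
        else:
            results.append((i, derivable(analyse(knowledge), term)))
    return results

INITIAL = {'a', 'b', 'i', 'kai'}   # constructed: agent names, intruder's own key kai

def honest_session() -> list:
    """A and B share kab, which the intruder lacks: forwarding works, forging does not."""
    return check_constraints(INITIAL, [
        ('send', ('enc', ('pair', 'na', 'a'), 'kab')),   # A -> B, intercepted
        ('recv', ('enc', ('pair', 'na', 'a'), 'kab')),   # B expects it: replayable
        ('send', ('enc', ('pair', 'na', 'nb'), 'kab')),  # B -> A, intercepted
        ('recv', ('enc', 'nb', 'kab'))])                 # A expects {nb}_kab: unforgeable

def intruder_as_peer() -> list:
    """A runs the same exchange with the intruder, so kai lets it decrypt and answer."""
    return check_constraints(INITIAL, [
        ('send', ('enc', ('pair', 'na', 'a'), 'kai')),
        ('recv', ('enc', 'na', 'kai'))])
```

An unsatisfiable constraint, as in the last step of `honest_session`, prunes that trace; a trace in which every constraint is satisfiable is what the tool then checks against the stated security properties.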

## Related information

## Contact

Michael RUSINOWITCH, (Directeur de Recherche)

Tel.: +33-3-83593020

Fax: +33-3-83278319

E-mail