
Automated Validation of Internet Security Protocols and Applications

Deliverables

The AVISPA Tool is a modular environment for the automatic validation of Internet security protocols and applications. The tool can be employed by external users thanks to the web interface accessible from the project website (URL: http://www.avispa-project.org), and it is also downloadable as a single "package" to be installed on the users' local machines. The tool takes as input a specification of a security problem written in AVISPA's High-Level Protocol Specification Language HLPSL (that is, it takes as input the specification of a security protocol and of a security property that the protocol should satisfy) and outputs the results of the analysis by the four different back-ends of the tool. Users can also choose to have only one of the back-ends perform the analysis. More specifically, specifications of security protocols and properties written in HLPSL are automatically translated (by the translator HLPSL2IF) into Intermediate Format (IF) specifications, which are then given as input to the different back-ends of the AVISPA Tool: OFMC, CL-AtSe, SATMC, and TA4SP. The back-ends implement a variety of analysis techniques, ranging from falsification (that is, searching for protocol attacks), to bounded verification (that is, proving that the input protocol correctly satisfies the input property in a bounded execution scenario specified by the user), and to unbounded verification. In the latter case, abstraction techniques allow the tool to prove whether protocols satisfy secrecy properties in unbounded execution scenarios, but this comes at the cost of preventing the detection of attacks in some protocols. The IF also provides the interface via which other protocol analysis tools can be connected to the AVISPA environment.
Whenever it terminates, each back-end of the AVISPA Tool outputs the result of its analysis using a common and precisely defined format stating whether the input problem was solved (positively or negatively), whether some of the system resources were exhausted, or whether the problem was not tackled by the requested back-end for some reason. The results are output in AVISPA's Output Format, so that protocol attacks can then also be represented graphically, in the form of message sequence charts or as PostScript files. In order to assess, as a proof of concept, the strength of the AVISPA Tool, we have defined the AVISPA Library, a set of formalised security problems (protocols and security properties) drawn from Internet protocols that have recently been standardised or are currently undergoing standardisation by industry and standardisation organisations. The experiments that we have carried out on the library during the project demonstrate that the AVISPA Tool is a state-of-the-art protocol analysis tool in terms of coverage (number of different security problems that can be specified), effectiveness (number of different security problems that can be analysed), and performance (amount of time required for the analysis). The AVISPA Tool has been able to re-discover all known attacks on protocols in the library as well as find a number of new attacks. All the project partners will continue to develop the AVISPA technologies and tools: we plan to strengthen the current environment (that is, extend the specification languages and the back-ends) and apply it to a wider spectrum of problems. In particular, we plan to scale up AVISPA from the validation of protocols to the modular design and validation of composed security services, focussing in particular on the development of a framework for the formal specification of security requirements, the formal analysis of security services, and their composition in an automated and validated way.
The TA4SP (Tree Automata based Automatic Approximations for the Analysis of Security Protocols) tool developed by the INRIA-CASSIS Partner from Besancon (FRANCE) takes as input a specification of a security problem written in AVISPA's Intermediate Format (IF) and performs an unbounded verification in an automatic way. The IF transition system representing the protocol is translated into a rewriting system and the IF initial state is transformed into a regular tree language. This tree language is also considered as the intruder knowledge. By applying the term rewriting system (representing the protocol steps and intruder abilities), TA4SP is able to compute an over-approximation of the intruder knowledge by means of abstractions and automatic approximations. For a given problem, a secrecy property holds when none of the terms related to this property are in the language representing the over-approximated knowledge of the intruder. The TA4SP tool uses a tree automata library named Timbuk developed by Thomas Genet (IRISA-Rennes, FRANCE). We have been improving Timbuk in order to support our automatic approximations. To speed up the computation, some optimisations such as the use of coarser abstractions have also been developed. The downside of these coarser abstractions is that the results obtained might more often be inconclusive (a secret is in the over-approximated intruder knowledge, without this implying an actual attack). However, most of our results have been obtained using this optimisation. Not only is TA4SP able to guarantee the secrecy of data for a given set of sessions but, under some assumptions, it is also possible to extend the result to any set of sessions. Although TA4SP has only recently been integrated into the AVISPA Tool, some promising results have already been obtained. Furthermore, we have also started investigating attack detection in collaboration with Thomas Genet.
Indeed, due to the approximations performed, TA4SP is not able to deduce whether a datum claimed as secret is in the real knowledge of the intruder or not. These investigations will allow us to reveal the presence of an attack in some cases. We plan to augment TA4SP's scope by adding new features like sets and conditions.
The CL-AtSe tool (CL-based Model-Checker), developed by the INRIA-CASSIS Partner from Nancy (FRANCE), provides a translation from any security protocol specification written in AVISPA's Intermediate Format (IF) into a set of constraints which can be effectively used to find attacks on protocols. Both translation and checking are fully automatic and internally performed by CL-AtSe, i.e. no external tool is used. In this approach, each protocol step is modelled by a set of minimal constraints on the adversary's knowledge. For example, a message received by an honest participant is a forgeability constraint for the adversary. Moreover, any conditions such as equality, inequality, or membership or non-membership of a list are also constraints. The most important advantages of CL-AtSe are the following:
- Input treatment: First, CL-AtSe reads and interprets AVISPA's Intermediate Format. That is, each role in the IF file is partially pre-executed to extract an exact and relatively minimal list of constraints modelling it. The participants' states and knowledge are eliminated thanks to the use of global variables, which gives a very simple and rapidly executable protocol specification. Second, CL-AtSe performs various strong simplifications on this extracted protocol specification. This second treatment of the input is responsible for an important part of CL-AtSe's outstanding speed. In particular, CL-AtSe can eliminate protocol steps and merge them together. It can also decompose sent and received messages, and eliminate parts of them when it can be statically decided whether the adversary will be able, or will never be able, to use or create them. In the end, all that remains of the former protocol specification is its very essence.
- Protocol execution: Following the idea of the lazy intruder technique developed for AVISS and extended by the AVISPA group, a protocol state (i.e. both the intruder's and the honest participants' state) is represented by a set of constraints on the (global) protocol variables. These constraints are not solved immediately, but kept in an appropriate data structure on which only satisfiability is checked. Any protocol step is executed by adding new constraints to the system and reducing or eliminating other constraints accordingly, in a lazy way. Finally, at each step the system state is tested against the provided set of security properties. Many optimisations have been included here to be as efficient as possible. For example, great care was taken to avoid collisions between system states and to avoid useless computations. The analysis algorithm used by CL-AtSe is designed for a bounded number of loops, i.e. a bounded number of protocol steps in any trace. With a bounded number of loop iterations, the search for attacks is correct and complete.
- Human-readable output: CL-AtSe tries to produce a very readable attack description (when one is found), in an extension of the output format. It can also produce an output strictly compliant with the official AVISPA format, to be used for the generation of a graphical message sequence chart.
- Handling of algebraic properties: CL-AtSe can perform the search for attacks modulo some algebraic properties. While this list is expandable in the future, we currently have a partial associativity of concatenation and some xor and exponential properties. Associativity of concatenation is partial in the sense that all solutions of the unification modulo associativity are found, except those that require the generation of new variables. While incomplete, this already gives many interesting results. For example, in the project test suite, CL-AtSe reports many potential security flaws modulo associativity that other tools do not. CL-AtSe can also validate these protocols without associativity. Recently, a set of properties of algebraic operators has been included in CL-AtSe, namely the ACUN properties of the xor operator and some properties of the exponential. A natural extension of this work is to also implement the intruder deduction rules in a modular way, so that adding a new theory to CL-AtSe only requires adding a new small module to the system.
- Tool results: The CL-AtSe tool has proved to be extremely efficient at protocol analysis, especially when the associativity of concatenation is not required. In such cases, CL-AtSe is usually much faster than all other tools of the test suite. Moreover, CL-AtSe is able to perform verification and validation of security protocols modulo various algebraic properties (partial associativity, xor, exponential). Such theories are intended to be complemented by new ones in the future. Also, other decision techniques developed by other groups will be adapted for CL-AtSe, in order to improve the protocol simplification phase or to weaken the restriction of a bounded number of sessions.
The On-the-fly Model-Checker OFMC developed by the ETHZ partner takes as input a specification of a security problem written in AVISPA's Intermediate Format (that is, the IF specification of a security protocol and of a security property that the protocol should satisfy, as generated by the HLPSL2IF translator of the AVISPA Tool from a given security problem specification written in the High-Level Protocol Specification Language HLPSL) and performs both protocol falsification and bounded verification in an automatic way. Whenever it terminates, OFMC outputs the result of the analysis in AVISPA's Output Format, so that protocol attacks can then also be represented graphically, in the form of message sequence charts or as PostScript files. The experiments that we have carried out during the project demonstrate that OFMC is an extremely effective, state-of-the-art protocol analysis tool both in terms of coverage and performance: we have successfully applied it to all the protocols in the AVISPA Library and have been able to re-discover known attacks as well as find new attacks. OFMC's effectiveness is due to a number of technical results. First of all, OFMC performs both protocol falsification and bounded verification by exploring the transition system described by an IF specification of a protocol analysis problem in a demand-driven way, that is, on-the-fly, hence the name of the back-end. Second, OFMC integrates a number of symbolic techniques and optimisations which are correct and complete, in the sense that no attacks are lost and no spurious ones are introduced. For instance, the "lazy intruder technique", which significantly reduces the search space without excluding any attacks, represents terms symbolically to avoid explicitly enumerating the possible messages the Dolev-Yao intruder can generate.
This is achieved by representing intruder messages using terms with variables, and by storing and manipulating constraints about which terms must be generated and which terms may be used to generate them. As another significant example, the "constraint differentiation technique" is a search reduction technique that integrates the lazy intruder with ideas from partial-order reduction, and which can be formally proved to terminate and to be correct and complete, thereby reducing OFMC's search time by a factor ranging from two to several orders of magnitude. Third, OFMC also implements a number of efficient search heuristics. It supports the specification of algebraic properties of cryptographic operators, and both typed and untyped protocol models. We plan to continue optimising OFMC by introducing further reduction techniques and strategies, as well as heuristics. Moreover, we have also begun investigating abstraction techniques as a means for automatic protocol verification without bounding the scenario as is done in the case of bounded verification: the idea, roughly, is to compute an over-approximation of the set of reachable states of the system; if this set does not contain any states representing attacks on the protocol, then the original model also does not contain any attacks and the protocol is verified. We have begun initial experiments with abstraction techniques and have promising preliminary results. Moreover, the abstraction techniques are complementary to the techniques employed in our current tool for falsification. We therefore plan to develop extensions of OFMC that employ the best of both falsification and verification techniques, that is, searching for an attack in the original model while, in parallel, searching for an abstraction of the protocol under which it is safe. We will also explore the possible coupling of these routines, and in particular investigate ways in which the tasks can use each other's partial results as heuristics.
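The secrecy check described for TA4SP above (a secret is safe when it lies outside the intruder's knowledge) and the Dolev-Yao intruder that OFMC's lazy intruder technique reasons about symbolically can be made concrete with a small deduction engine. The following Python is an added example written for this page, not AVISPA project code: all agent names, keys, nonces and messages are constructed sample values, and the engine enumerates the intruder's concrete knowledge rather than representing it symbolically (lazy intruder) or as a regular tree language (TA4SP), so it illustrates only the deduction rules the back-ends build on.

```python
"""Added example (not AVISPA project code): a concrete Dolev-Yao intruder
deduction engine.  Messages, keys and agent names below are constructed
sample values.  Analysis closes the intruder's knowledge under projection
and decryption with a known key; synthesis then decides whether a claimed
secret can be built from that closure."""

from typing import FrozenSet, Iterable, Tuple, Union

# Terms: atoms are strings, compound terms are tagged tuples.
Term = Union[str, Tuple]


def pair(a: Term, b: Term) -> Term:        # concatenation a.b
    return ("pair", a, b)


def senc(m: Term, k: Term) -> Term:        # symmetric encryption {m}_k
    return ("senc", m, k)


def aenc(m: Term, k: Term) -> Term:        # asymmetric encryption {m}_pk
    return ("aenc", m, k)


def pk(agent: Term) -> Term:               # public key of an agent (public)
    return ("pk", agent)


def inv(k: Term) -> Term:                  # private key matching public key k
    return ("inv", k)


def derivable(t: Term, K: FrozenSet[Term]) -> bool:
    """Synthesis: can the intruder build t from knowledge K?"""
    if t in K:
        return True
    if isinstance(t, tuple):
        if t[0] in ("pair", "senc", "aenc"):
            return derivable(t[1], K) and derivable(t[2], K)
        if t[0] == "pk":                    # public keys of known agents are public
            return derivable(t[1], K)
    return False                            # atoms and private keys: only if held outright


def analyse(initial: Iterable[Term]) -> FrozenSet[Term]:
    """Analysis closure: split pairs, decrypt whatever the intruder holds a key for.
    Only subterms of known terms are ever added, so a fixpoint is reached."""
    K = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "pair":
                new.update((t[1], t[2]))
            elif t[0] == "senc" and derivable(t[2], frozenset(K)):
                new.add(t[1])
            elif t[0] == "aenc" and derivable(inv(t[2]), frozenset(K)):
                new.add(t[1])
            if not new <= K:
                K |= new
                changed = True
    return frozenset(K)


def secrecy_holds(secret: Term, observed: Iterable[Term], initial: Iterable[Term]) -> bool:
    """Secrecy property: the secret must not be derivable once the intruder has
    seen every message exchanged in the scenario."""
    K = analyse(list(initial) + list(observed))
    return not derivable(secret, K)


# Constructed scenario: the intruder "i" knows the agent names and its own key pair.
INTRUDER = "i"
INITIAL_KNOWLEDGE = frozenset({"alice", "bob", INTRUDER, inv(pk(INTRUDER))})
NA = "na"                                   # Alice's nonce, the secrecy target

# First NSPK-style message {Na.A}_pk(B), sent to Bob or (by mistake) to the intruder.
MSG_TO_BOB = aenc(pair(NA, "alice"), pk("bob"))
MSG_TO_INTRUDER = aenc(pair(NA, "alice"), pk(INTRUDER))


def demo() -> dict:
    return {
        "to_bob": secrecy_holds(NA, [MSG_TO_BOB], INITIAL_KNOWLEDGE),
        "to_intruder": secrecy_holds(NA, [MSG_TO_INTRUDER], INITIAL_KNOWLEDGE),
        "sealed_key": secrecy_holds("kab", [senc("kab", "kas")], INITIAL_KNOWLEDGE),
        "leaked_key": secrecy_holds("kab", [senc("kab", "kas")], INITIAL_KNOWLEDGE | {"kas"}),
    }


if __name__ == "__main__":
    for name, safe in demo().items():
        print(f"{name}: secrecy {'holds' if safe else 'VIOLATED'}")
```

The two-phase structure (a terminating analysis closure followed by a recursive synthesis check) is what makes the concrete check decidable; the real back-ends replace the enumerated set K with constraints over terms containing variables (OFMC, CL-AtSe) or with a tree automaton that over-approximates it (TA4SP), which is why TA4SP can report "inconclusive" where this toy would simply answer yes or no.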
The AVISPA Selection is a broad collection of 79 practically important Internet protocols and 384 security properties related to them. The AVISPA Library is a large subset of these, namely 66 protocols (including variants) and their properties that have been modelled in HLPSL and checked with the AVISPA Tool. The AVISPA Selection identifies, categorises, and briefly describes a large number of protocols as well as their required properties. It has undergone a thorough coverage and relevance assessment: the protocols have been selected so as to be representative of the many protocol groups currently being developed by the IETF and other standardisation bodies. The AVISPA Library comprises a significant part of the AVISPA Selection, formalising in HLPSL the original, more or less informal, protocol specifications, typically given in the form of one or more IETF RFCs or drafts. The formalisations have been carefully reviewed and cross-checked to make sure that they faithfully describe the important aspects within the expressiveness of HLPSL, while keeping them easy to read and keeping model checking feasible. The AVISPA Selection and Library are publicly available and can serve the scientific community as a suite of benchmark problems for protocol formalisation and analysis that can be readily used to assess the coverage, effectiveness, correctness and performance of rival approaches. Note that, in contrast to the AVISPA Tool, no other state-of-the-art approach is able to deal with these protocols.
In the AVISPA project, we have designed the High-Level Protocol Specification Language (HLPSL), with the objective of obtaining a language that is both sufficiently high-level to be accessible to engineers and protocol designers of standardisation bodies (themselves not necessarily experts in the area of formal methods) and also expressive enough to specify modern Internet protocols. It has a formal semantics based on Lamport's Temporal Logic of Actions (TLA) that makes it easily translatable into a declarative, lower-level, term-rewriting-based language (the Intermediate Format, IF), well suited to automated analysis tools. HLPSL thus enjoys significant generality, as other tools can easily be made to employ HLPSL by simply adapting them to accept IF specifications as input. HLPSL is modular and allows for the specification of complex control-flow patterns, data structures, and different intruder models. Using a formal language with a temporal logic semantics to formalise security properties gives us great generality and expressiveness. Finally, HLPSL is not restricted to logicians, but is particularly suited to engineers and protocol designers. Indeed, HLPSL has been devised as part of the AVISPA project, with the aim of developing push-button, industrial-strength technology supported by expressive specification languages like HLPSL for the analysis of large-scale Internet security-sensitive protocols and applications. In this context, HLPSL is a good candidate for being used with public domain tools based on formal methods in the design phase at the IETF and other standardisation bodies, to hopefully accelerate the standardisation of security protocols and improve their correctness. In more detail, the AVISPA Tool takes as input an HLPSL specification that is automatically translated into a corresponding IF specification.
The IF is a tool-independent, low-level protocol specification language that supports the specification of sophisticated typed protocol models and that is suitable for automated deduction. IF specifications are then analysed by invoking state-of-the-art back-ends (currently CL-AtSe, OFMC, SATMC and TA4SP are supported) which return attacks (if any) to the user in an intuitive and readable output format. The decision to base HLPSL on TLA affords us a "best of both worlds" situation in which we can take advantage of an existing language with a rich semantics while also augmenting it with constructs specific to protocol modelling that make it a convenient language in practice. The HLPSL language has already proven itself to be an effective language for modelling security protocols: many protocols of varying levels of complexity, from the simple NSPK example to more complex industrial-scale protocols such as IKE and TLS, have already been formalised in HLPSL. Features like modularity, control-flow patterns, the specification of alternative intruder models, and the generality of temporal-logic-based goals give the protocol specifier great flexibility both to construct faithful models and to experiment with different assumptions about the environment in which the protocol should be executed. In our experience, we have found that HLPSL is powerful yet readable and intuitive to work with. The fact that users from varied backgrounds, including students, have found HLPSL easy to use testifies to the language's accessibility, which was one of our primary design objectives from the outset.
The SAT-based Model Checker SATMC developed by UNIGE takes as input a specification of a security problem written in AVISPA's Intermediate Format (that is, the IF specification of a security protocol and of a security property that the protocol should satisfy, as generated by the HLPSL2IF translator of the AVISPA Tool from a given security problem specification written in the High-Level Protocol Specification Language HLPSL) and performs both protocol falsification and bounded verification in an automatic way by reducing the input problem to a sequence of invocations of a state-of-the-art SAT solver. The interface between SATMC and the SAT solver complies with the DIMACS format (the de facto standard for SAT problems), and therefore SATMC can easily incorporate and exploit new SAT solvers as soon as they become available. Currently SATMC successfully analyses most protocols in the AVISPA Library whose cryptographic operators do not enjoy any specific algebraic property.
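SATMC's reduction of bounded falsification to propositional satisfiability can be illustrated with a toy version of the same pipeline. The Python below is an added example for this page, not SATMC's encoding or code: it encodes reachability of a bad state in a constructed two-fact transition system (the intruder can obtain a key, and only then decrypt the secret) as clauses, writes them in DIMACS CNF, parses that text back and decides it with a minimal built-in DPLL solver standing in for the external SAT solver. Variable names, the two actions and the bounds are all constructed; the encoding style (one copy of each state and action variable per time step, with frame axioms) is the generic planning-as-SAT scheme, not necessarily the one SATMC uses.

```python
"""Added example (not SATMC/AVISPA project code): bounded reachability of a
bad state, encoded as propositional clauses, emitted in DIMACS CNF and
decided by a tiny built-in DPLL solver.  The transition system is a
constructed toy: 'leak' makes a key known, 'decrypt' needs the key and
makes the secret known.  'secret known' is reachable within 2 steps but
not within 1, so the bound decides whether an attack trace is reported."""

from itertools import count
from typing import Dict, List, Optional, Tuple

Clause = List[int]                 # DIMACS clause: non-zero ints, negative = negated

def encode(k: int) -> Tuple[List[Clause], int, Dict[str, int]]:
    """Return (clauses, number of variables, name->variable map) for
    'secret known within k steps'."""
    ids = count(1)
    names: Dict[str, int] = {}

    def var(name: str) -> int:
        if name not in names:
            names[name] = next(ids)
        return names[name]

    L = [var(f"leaked@{t}") for t in range(k + 1)]      # key known at step t
    S = [var(f"secret@{t}") for t in range(k + 1)]      # secret known at step t
    leak = [var(f"do_leak@{t}") for t in range(k)]      # action taken at step t
    dec = [var(f"do_decrypt@{t}") for t in range(k)]
    cnf: List[Clause] = [[-L[0]], [-S[0]], [S[k]]]      # initial state, goal
    for t in range(k):
        cnf += [
            [-leak[t], L[t + 1]],                       # leak effect
            [-dec[t], L[t]],                            # decrypt precondition
            [-dec[t], S[t + 1]],                        # decrypt effect
            [-L[t], L[t + 1]], [-S[t], S[t + 1]],       # knowledge persists
            [-L[t + 1], L[t], leak[t]],                 # explanatory frame axioms:
            [-S[t + 1], S[t], dec[t]],                  # a fact appears only via an action
        ]
    return cnf, len(names), names

def to_dimacs(cnf: List[Clause], nvars: int) -> str:
    lines = [f"p cnf {nvars} {len(cnf)}"]
    lines += [" ".join(map(str, c)) + " 0" for c in cnf]
    return "\n".join(lines) + "\n"

def parse_dimacs(text: str) -> List[Clause]:
    clauses = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "cp":         # skip comments and header
            continue
        lits = [int(x) for x in line.split()]
        assert lits[-1] == 0, "DIMACS clauses end in 0"
        clauses.append(lits[:-1])
    return clauses

def dpll(clauses: List[Clause], assignment: Optional[Dict[int, bool]] = None) -> Optional[Dict[int, bool]]:
    """Minimal DPLL: unit propagation, then branch on the first free variable
    (False first, so returned traces contain no redundant actions)."""
    assignment = dict(assignment or {})
    while True:                                          # unit propagation to fixpoint
        unit = None
        for c in clauses:
            vals = [assignment.get(abs(l)) for l in c]
            if any(v is not None and v == (l > 0) for l, v in zip(c, vals)):
                continue                                 # clause already satisfied
            free = [l for l, v in zip(c, vals) if v is None]
            if not free:
                return None                              # conflict: UNSAT on this branch
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    for c in clauses:
        for l in c:
            if abs(l) not in assignment:
                for value in (False, True):
                    assignment[abs(l)] = value
                    model = dpll(clauses, assignment)
                    if model is not None:
                        return model
                return None
    return assignment                                    # every clause satisfied

def attack_found(k: int) -> Optional[List[str]]:
    """Whole pipeline for bound k: encode, write DIMACS, solve; return the
    actions of the attack trace, or None when the formula is unsatisfiable."""
    cnf, nvars, names = encode(k)
    model = dpll(parse_dimacs(to_dimacs(cnf, nvars)))
    if model is None:
        return None
    return sorted(n for n, v in names.items() if n.startswith("do_") and model.get(v))

if __name__ == "__main__":
    for k in (1, 2):
        print(f"bound {k}: {attack_found(k) or 'no attack within bound'}")
```

Because the only coupling between the encoder and the solver is the DIMACS text, the built-in `dpll` could be swapped for any external solver that reads that format, which is exactly the property the paragraph above attributes to SATMC; the UNSAT answer at bound 1 also shows why a bounded result is a verification of the scenario up to that bound only.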
