## On-the-fly model checking of security protocols

The On-the-fly Model-Checker OFMC, developed by the ETHZ partner, takes as input a specification of a security problem written in AVISPA's Intermediate Format (IF): that is, the IF specification of a security protocol and of a security property that the protocol should satisfy, as generated by the AVISPA Tool's HLPSL2IF translator from a security problem specification written in the High-Level Protocol Specification Language (HLPSL). On this input, OFMC performs both protocol falsification and bounded verification automatically. Whenever it terminates, OFMC outputs the result of the analysis in AVISPA's Output Format, so that protocol attacks can also be represented graphically, as message sequence charts or as PostScript files.

The experiments we have carried out during the project demonstrate that OFMC is an extremely effective, state-of-the-art protocol analysis tool in terms of both coverage and performance: we have applied it successfully to all the protocols in the AVISPA library and have been able both to rediscover known attacks and to find new ones.

OFMC's effectiveness is due to a number of technical results. First, OFMC performs both protocol falsification and bounded verification by exploring the transition system described by an IF specification of a protocol analysis problem in a demand-driven way, that is, on-the-fly, hence the name of the back-end. Second, OFMC integrates a number of symbolic techniques and optimisations that are correct and complete, in the sense that no attacks are lost and no spurious ones are introduced. For instance, the "lazy intruder technique", which significantly reduces the search space without excluding any attacks, represents terms symbolically to avoid explicitly enumerating the possible messages the Dolev-Yao intruder can generate. This is achieved by representing intruder messages as terms with variables, and by storing and manipulating constraints about which terms must be generated and which terms may be used to generate them. As another significant example, the "constraint differentiation technique" is a search reduction technique that integrates the lazy intruder with ideas from partial-order reduction; it can be formally proved to terminate and to be correct and complete, and it reduces OFMC's search time by a factor of two to several orders of magnitude. Third, OFMC implements a number of efficient search heuristics. It also supports the specification of algebraic properties of cryptographic operators, and both typed and untyped protocol models.
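The lazy intruder technique described above, worked through as an added example. This is illustrative code written for this page, not OFMC's own implementation, and it is deliberately simplified: a toy message algebra with atoms, variables, pairing and symmetric encryption, and ground (variable-free) intruder knowledge. The intruder's outgoing message is kept as a term with variables, and each constraint "ik ⊢ t" (produce t from knowledge ik) is reduced either by unifying t with a term already known or by composing t from its parts; a constraint whose term is a bare variable is left unsolved, because that variable stands for any term the intruder can produce. The scenario, agent names, keys and the protocol message shape are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Toy message algebra: atoms, variables, pairing and symmetric encryption.
@dataclass(frozen=True)
class Atom: name: str
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Pair: left: "Term"; right: "Term"
@dataclass(frozen=True)
class Enc: msg: "Term"; key: "Term"
Term = Union[Atom, Var, Pair, Enc]
Subst = Dict[Var, Term]

def subterms(t: Term) -> List[Term]:
    return [t.left, t.right] if isinstance(t, Pair) else [t.msg, t.key] if isinstance(t, Enc) else []

def apply(s: Subst, t: Term) -> Term:      # apply substitution s, following chained bindings
    if isinstance(t, Var): return apply(s, s[t]) if t in s else t
    if isinstance(t, Pair): return Pair(apply(s, t.left), apply(s, t.right))
    if isinstance(t, Enc): return Enc(apply(s, t.msg), apply(s, t.key))
    return t

def occurs(v: Var, t: Term, s: Subst) -> bool:
    t = apply(s, t)
    return t == v or any(occurs(v, u, s) for u in subterms(t))

def unify(a: Term, b: Term, s: Subst) -> Optional[Subst]:
    """Syntactic unification with occurs check; None if a and b do not unify."""
    a, b = apply(s, a), apply(s, b)
    if a == b: return s
    if isinstance(a, Var): return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, Var): return unify(b, a, s)
    if type(a) is not type(b) or not subterms(a): return None   # clash, or distinct atoms
    for x, y in zip(subterms(a), subterms(b)):
        s = unify(x, y, s)
        if s is None: return None
    return s

def analyze(ik: Set[Term]) -> Set[Term]:
    """Dolev-Yao analysis of ground knowledge: split pairs, decrypt when the key is known."""
    known, grew = set(ik), True
    while grew:
        grew = False
        for t in list(known):
            new = {t.left, t.right} if isinstance(t, Pair) else \
                  {t.msg} if isinstance(t, Enc) and t.key in known else set()
            if not new <= known:
                known, grew = known | new, True
    return known

def solve(cs: List[Tuple[Term, frozenset]], s: Subst) -> List[Subst]:
    """Lazy-intruder reduction. A constraint (t, ik) reads "the intruder must produce
    t from ik". The first constraint whose t is not a bare variable is resolved by
    Unify (t is an instance of a known term) or Generate (compose t from its parts).
    Constraints whose t is a variable stay open: the variable stands for any term
    the intruder can produce, so no concrete message is ever enumerated."""
    for i, (t, ik) in enumerate(cs):
        t = apply(s, t)
        if isinstance(t, Var): continue
        rest, sols = cs[:i] + cs[i + 1:], []
        for known in ik:                                           # Unify rule
            s2 = unify(t, known, s)
            if s2 is not None: sols += solve(rest, s2)
        if subterms(t):                                            # Generate rule
            sols += solve(rest + [(u, ik) for u in subterms(t)], s)
        return sols
    return [s]                                                     # all constraints simple

def show(t: Term) -> str:
    if isinstance(t, (Atom, Var)): return t.name
    return ("pair" if isinstance(t, Pair) else "senc") + "(" + ",".join(map(show, subterms(t))) + ")"

def vars_of(t: Term) -> Set[Var]:
    return {t} if isinstance(t, Var) else set().union(*map(vars_of, subterms(t)))

def lazy_intruder(goal: Term, ik: Set[Term]) -> List[Dict[str, str]]:
    """Distinct ways to produce an instance of goal from ik, as bindings of goal's
    variables; a variable left unbound maps to its own name (any term will do)."""
    closed, out = frozenset(analyze(ik)), []
    for s in solve([(goal, closed)], {}):
        sol = {v.name: show(apply(s, v)) for v in vars_of(goal)}
        if sol not in out: out.append(sol)
    return out

# Constructed scenario (not from the page): the intruder overheard one session in
# which A sent senc(pair(Na, A), Kab) and knows the agent names and its own key Kai.
# B accepts any message matching pair(A2, senc(pair(N, A2), Kab)), where A2 and N
# are the sender and nonce as B sees them, still unknown to B.
A, B, I, KAB, KAI, NA = (Atom(n) for n in ("a", "b", "i", "kab", "kai", "na"))
IK0 = {A, B, I, KAI, Enc(Pair(NA, A), KAB)}
B_EXPECTS = Pair(Var("A2"), Enc(Pair(Var("N"), Var("A2")), KAB))

if __name__ == "__main__":
    print(lazy_intruder(B_EXPECTS, IK0))                  # replay: [{'A2': 'a', 'N': 'na'}]
    print(lazy_intruder(Enc(NA, KAB), IK0))               # []: no fresh ciphertext under kab
    print(lazy_intruder(Pair(Var("X"), Var("Y")), IK0))   # [{'X': 'X', 'Y': 'Y'}]: left open
```

The first query shows the two rules cooperating: the pair is decomposed by Generate, the encrypted component is matched against the overheard ciphertext by Unify, and only then is B's variable A2 forced to `a`, which the model checker reports as a replay of the recorded message. The second query has no solution because `kab` is neither known nor composable, so the secrecy of `na` holds under this knowledge. The third query shows the laziness itself: both components are left as open variables rather than being instantiated with each of the known terms in turn, which is exactly the enumeration the technique avoids.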

We plan to continue optimising OFMC by introducing further reduction techniques and strategies, as well as heuristics. Moreover, we have begun investigating abstraction techniques as a means for automatic protocol verification without bounding the scenario, as is done in bounded verification. Roughly, the idea is to compute an over-approximation of the set of reachable states of the system; if this set contains no state representing an attack on the protocol, then the original model also contains no attack and the protocol is verified. Our initial experiments with abstraction techniques have given promising preliminary results. Moreover, the abstraction techniques are complementary to the techniques employed in our current tool for falsification. We therefore plan to develop extensions of OFMC that employ the best of both falsification and verification techniques, that is, searching for an attack in the original model while, in parallel, searching for an abstraction of the protocol under which it is safe. We will also explore the possible coupling of these routines, and in particular investigate ways in which the two tasks can use each other's partial results as heuristics.
