Using transition traces to model a security protocol

Abstract

Security protocols are often difficult to specify formally and hard to prove correct, because of the potentially complex patterns of interaction between processes executing in parallel. Many people have proposed the use of formal methods in such applications (cf. [13, 14, 15, 16, 18, 23, 24]). For example, Roscoe and his colleagues have used the model checker FDR [10], based on the failures-divergences semantics of CSP, to discover bugs in various key-exchange protocols [21]. Schneider and Sidiropoulos [25] used FDR to specify and verify an “anonymity” property of a security protocol known as the “dining cryptographers” [8]. Semantically-based tools and methodologies such as these have tended to be paradigm-specific, based on a particular choice of programming or specification language. It is difficult to adapt tools embedded in one parallel paradigm (like CSP) to problems concerning other parallel paradigms (such as shared-variable programs); at a more abstract level, semantic models for shared-variable programming languages have so far had little in common with semantic models for CSP-like languages. Yet we might want to prove the correctness of a security protocol concerning protection of private data, couched in terms of shared variable parallelism, with respect to a specification phrased in terms of communication patterns and written in CSP. It would be difficult even to say precisely what such a correctness criterion means if the underlying semantic models for the two paradigms differ. This motivates the

2 Figures and Tables

Cite this paper

@inproceedings{Brookes2003UsingTT, title={Using transition traces to model a security protocol}, author={Stephen Brookes}, year={2003} }