Psi-calculi: Mobile processes, nominal data, and logic
 In Proceedings of LICS 2009
Cited by 23 (7 self)
A psi-calculus is an extension of the pi-calculus with nominal data types for data structures and for logical assertions representing facts about data. These can be transmitted between processes and their names can be statically scoped using the standard pi-calculus mechanism to allow for scope migrations. Other proposed extensions of the pi-calculus can be formulated as psi-calculi; examples include the applied pi-calculus, the spi-calculus, the fusion calculus, the concurrent constraint pi-calculus, and calculi with polyadic communication channels or pattern matching. Psi-calculi can be even more general, for example by allowing structured channels, higher-order formalisms such as the lambda calculus for data structures, and a predicate logic for assertions. Our labelled operational semantics and definition of bisimulation is straightforward, without a structural congruence. We establish minimal requirements on the nominal data and logic in order to prove general algebraic properties of psi-calculi. The proofs have been checked in the interactive proof checker Isabelle. We are the first to formulate a truly compositional labelled operational semantics for calculi of this calibre. Expressiveness and therefore modelling convenience significantly exceeds that of other formalisms, while the purity of the semantics is on par with the original pi-calculus.
PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC
Cited by 20 (6 self)
Abstract. The framework of psi-calculi extends the pi-calculus with nominal datatypes for data structures and for logical assertions and conditions. These can be transmitted between processes and their names can be statically scoped as in the standard pi-calculus. Psi-calculi can capture the same phenomena as other proposed extensions of the pi-calculus such as the applied pi-calculus, the spi-calculus, the fusion calculus, the concurrent constraint pi-calculus, and calculi with polyadic communication channels or pattern matching. Psi-calculi can be even more general, for example by allowing structured channels, higher-order formalisms such as the lambda calculus for data structures, and predicate logic for assertions. We provide ample comparisons to related calculi and discuss a few significant applications. Our labelled operational semantics and definition of bisimulation is straightforward, without a structural congruence. We establish minimal requirements on the nominal data and logic in order to prove general algebraic properties of psi-calculi, all of which have been checked in the interactive theorem prover Isabelle. Expressiveness of psi-calculi significantly exceeds that of other formalisms, while the purity of the semantics is on par with the original pi-calculus.
Security protocol verification: Symbolic and computational models
 PRINCIPLES OF SECURITY AND TRUST - FIRST INTERNATIONAL CONFERENCE, POST 2012, VOLUME 7215 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2012
Cited by 11 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Applied pi calculus
 Formal Models and Techniques for Analyzing Security Protocols, chapter 6. IOS
, 2011
Cited by 11 (4 self)
Abstract. The applied pi calculus is a language for modelling security protocols. It is an extension of the pi calculus, a language for studying concurrency and process interaction. This chapter presents the applied pi calculus in a tutorial style. It describes reachability, correspondence, and observational equivalence properties, with examples showing how to model secrecy, authentication, and privacy aspects of protocols.
Developing security protocols by refinement
 In Proc. 17th ACM Conference on Computer and Communications Security (CCS
, 2010
Cited by 9 (3 self)
We propose a development method for security protocols based on stepwise refinement. Our refinement strategy guides the transformation of abstract security goals into protocols that are secure when operating over an insecure channel controlled by a Dolev-Yao-style intruder. The refinement steps successively introduce local states, an intruder, communication channels with security properties, and cryptographic operations realizing these channels. The abstractions used provide insights on how the protocols work and foster the development of families of protocols sharing a common structure and properties. In contrast to post-hoc verification methods, protocols are developed together with their correctness proofs. We have implemented our method in Isabelle/HOL and used it to develop different entity authentication and key transport protocols. Categories and Subject Descriptors C.2.2 [Computer-communication networks]: Network protocols – Protocol verification; D.2.4 [Software engineering]:
Analysing TLS in the Strand Spaces Model
, 2011
Cited by 8 (3 self)
In this paper, we analyse the Transport Layer Security (TLS) protocol (in particular, bilateral TLS in public-key mode) within the strand spaces setting. In [BL03] Broadfoot and Lowe suggested an abstraction of TLS. The abstraction models the security services that appear to be provided by the protocol to the high-level security layers. The outcome of our analysis provides a formalisation of the security services provided by TLS and proves that, under reasonable assumptions, the abstract model suggested by Broadfoot and Lowe is correct. To that end, we reduce the complexity of the protocol using fault-preserving simplifying transformations. We extend the strand spaces model in order to include the cryptographic operations used in TLS and facilitate its analysis. Finally, we use the extended strand spaces model to fully analyse the public-key mode of bilateral TLS with its two main components: the Handshake and Record Layer protocols.
Towards Producing Formally Checkable Security Proofs, Automatically
, 2008
Cited by 5 (0 self)
First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol π using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, e.g., common criteria at evaluation level 7? We demonstrate that this is surprisingly hard: the problem is non-recursive in general. On the practical side, we show how we can extract finite models M from a set S of clauses representing π, automatically, in two ways. We then define a model-checker testing M ⊨ S, and show how we can instrument it to output a formally checkable proof, e.g., in Coq. This was implemented in the h1 tool suite. Experience on a number of protocols shows that this is practical.
Finite models for formal security proofs
 JOURNAL OF COMPUTER SECURITY
, 2009
Cited by 5 (1 self)
First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol π using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, e.g., common criteria at the highest evaluation level (EAL7)? We demonstrate that this is surprisingly hard in the general case: the problem is non-recursive. Nonetheless, we show that we can instead extract finite models M from a set S of clauses representing π, automatically, and give two ways of doing so. We then define a model-checker testing M ⊨ S, and show how we can instrument it to output a formally checkable proof, e.g., in Coq. Experience on a number of protocols shows that this is practical, and that even complex (secure) protocols modulo equational theories have small finite models, making our approach suitable.
ACTA UNIVERSITATIS UPSALIENSIS Uppsala Dissertations from the Faculty of Science and Technology
Formalising process calculi. As the complexity of programs increase, so does the complexity of the models required to reason about them. Process calculi were introduced in the early 1980s and have since then been used to model communication protocols of varying size and scope. Whereas modeling sophisticated protocols in simple process algebras like CCS or the pi-calculus is doable, expressing the models required is often gruesome and error prone. To combat this, more advanced process calculi were introduced, which significantly reduce the complexity of the models. However, this simplicity comes at a price – the theories of the calculi themselves instead become gruesome and error prone, and establishing their mathematical and logical properties has turned out to be difficult. Many of the proposed calculi have later turned out to be inconsistent. The contribution of this thesis is twofold. Firstly we provide methodologies to formalise the metatheory of process calculi in an interactive theorem