Model-Based Testing of Cryptographic Protocols
Abstract
Modeling is a popular way of representing the behavior of a system. A very useful type of model in computing is an abstract state machine, which describes transitions over first-order structures. The general purpose model-based testing tool SpecExplorer (used within Microsoft, also available externally) uses such a model, written in AsmL or Spec#, to perform a search that checks that all reachable states of the model are safe, and also to check conformance of an arbitrary .NET implementation to the model. Spec Explorer provides a variety of ways to cut down the state space of the model, for instance by finitizing parameter domains or by providing predicate abstraction. It has already found subtle bugs in production software. First-order structures and abstract state machines over them are also a useful way to think about cryptographic protocols, since models formulated in these terms arise by natural abstraction from computational cryptography. In this paper we explain this abstraction process, ‘experiments as structures’, and argue for its faithfulness. We show how the Dolev–Yao intruder model fits into SpecExplorer. In a word, the actions of the Dolev–Yao intruder are the ‘controllable’ actions of the testing framework, whereas the actions of protocol participants are the ‘observable’ actions of the model. The unsafe states are the states violating, say, Lowe’s security guarantees. Under this view, the general purpose software testing tool quickly finds known attacks, such as Lowe’s attack on the Needham–Schroeder protocol.

Introduction: Why Yet Another Formal Model

A new ‘behavioral’ theory of algorithms has been developed in recent years in a series of papers by Y. Gurevich and A. Blass [Gur00,BG03,BG04a,BG04b,Gur05], and also by B. Rossman and the authors [RR05]. The gist is that algorithms can be captured mathematically at their own native level of abstraction; for example, the native level of abstraction of the Euclidean algorithm is that of Euclidean rings.
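The abstract's mapping of the Dolev–Yao intruder onto a testing framework (intruder deliveries as the controllable actions, honest agents' replies as the observable actions, violations of Lowe's agreement guarantee as the unsafe states) can be illustrated with a bounded state-space search. The following Python is an added illustration written for this page; it is not the paper's AsmL/Spec# model and does not use SpecExplorer. It assumes a three-agent world (honest A and B, intruder I), one session per honest agent, protocol terms represented as nested tuples, message domains finitized to ciphertexts the intruder can build from the nonces and names it knows (mirroring the parameter finitization mentioned above), and a hypothetical `fixed` switch selecting the Needham–Schroeder–Lowe variant in which B's reply also names B.

```python
"""Bounded Dolev-Yao search over a toy Needham-Schroeder public-key (NSPK) model.
Added illustration for this page, not the paper's model: intruder deliveries are
the controllable actions, honest replies the observable ones, and an unsafe state
is one where B completes a run apparently with A although A never ran with B."""
from collections import deque

AGENTS = ("A", "B", "I")          # A, B are honest; I is the Dolev-Yao intruder


def nonce(n):
    return ("nonce", n)


def agent(a):
    return ("agent", a)


def enc(key_owner, *payload):
    """Term for {payload}pk(key_owner); the intruder can only open pk(I) terms."""
    return ("enc", key_owner, tuple(payload))


def fmt(t):
    if t[0] == "enc":
        return "{" + ", ".join(fmt(x) for x in t[2]) + "}pk(" + t[1] + ")"
    return t[1]


def close(knowledge):
    """Decomposition closure: the intruder opens every ciphertext under its own key."""
    k, frontier = set(knowledge), list(knowledge)
    while frontier:
        t = frontier.pop()
        if t[0] == "enc" and t[1] == "I":
            for part in t[2]:
                if part not in k:
                    k.add(part)
                    frontier.append(part)
    return frozenset(k)


def candidates(k, target, shape):
    """Finitized parameter domain: ciphertexts of the given arity for `target` the
    intruder can forward unchanged or build from known nonces and agent names
    (public keys are public, so it may encrypt for anyone)."""
    ns = sorted(t for t in k if t[0] == "nonce")
    forwarded = {t for t in k if t[0] == "enc" and t[1] == target and len(t[2]) == shape}
    if shape == 1:
        built = [enc(target, n) for n in ns]
    elif shape == 2:
        built = ([enc(target, n, agent(a)) for n in ns for a in AGENTS]
                 + [enc(target, n, n2) for n in ns for n2 in ns])
    else:
        built = [enc(target, n, n2, agent(a)) for n in ns for n2 in ns for a in AGENTS]
    return sorted(forwarded.union(built))


def successors(s, fixed):
    """Each transition is a controllable delivery by I followed by the observable
    honest response.  State: (A step, A's partner, B step, B's believed peer, I's knowledge)."""
    a_step, partner, b_step, b_peer, k = s
    out = []
    if a_step == 0:                                         # A -> partner: {Na, A}
        m = enc(partner, nonce("Na"), agent("A"))
        out.append((f"A -> {partner}: {fmt(m)}", (1, partner, b_step, b_peer, close(k | {m}))))
    if a_step == 1:                                         # A gets {Na, x(, partner)}, answers {x}
        for c in candidates(k, "A", 3 if fixed else 2):
            p = c[2]
            if p[0] == nonce("Na") and p[1][0] == "nonce" and (not fixed or p[2] == agent(partner)):
                m = enc(partner, p[1])
                out.append((f"I -> A: {fmt(c)}; A -> {partner}: {fmt(m)}",
                            (2, partner, b_step, b_peer, close(k | {m}))))
    if b_step == 0:                                         # B gets {n, a}, answers {n, Nb(, B)}
        for c in candidates(k, "B", 2):
            p = c[2]
            if p[0][0] == "nonce" and p[1][0] == "agent" and p[1][1] != "B":
                peer = p[1][1]
                m = enc(peer, p[0], nonce("Nb"), agent("B")) if fixed else enc(peer, p[0], nonce("Nb"))
                out.append((f"I -> B: {fmt(c)}; B -> {peer}: {fmt(m)}",
                            (a_step, partner, 1, peer, close(k | {m}))))
    if b_step == 1:                                         # B gets {Nb}: believes peer completed
        for c in candidates(k, "B", 1):
            if c[2] == (nonce("Nb"),):
                out.append((f"I -> B: {fmt(c)}", (a_step, partner, 2, b_peer, k)))
    return out


def unsafe(s):
    """Lowe's agreement property fails: B finished 'with A' but A never ran with B."""
    a_step, partner, b_step, b_peer, k = s
    return b_step == 2 and b_peer == "A" and partner != "B"


def find_attack(partner, fixed=False):
    """BFS from the initial state (A's partner is an environment choice made by the
    caller).  Returns the shortest trace to an unsafe state, or None if the bounded
    model is safe."""
    init = (0, partner, 0, None, close({agent(a) for a in AGENTS} | {nonce("Ni")}))
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if unsafe(s):
            trace = []
            while parent[s] is not None:
                s, label = parent[s]
                trace.append(label)
            return trace[::-1]
        for label, nxt in successors(s, fixed):
            if nxt not in parent:
                parent[nxt] = (s, label)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for fixed in (False, True):
        t = find_attack("I", fixed)
        print("NSL" if fixed else "NSPK", "with A talking to I:", "safe" if t is None else "attack")
        for step in t or []:
            print("   ", step)
```

Run stand-alone, the search reports the four-message trace for the original protocol when A initiates with I, and finds no trace when A initiates with B or when the Lowe-corrected variant is selected. As with the state-space cuts the abstract describes, a missing trace is evidence only for the finitized model: one session per agent and three nonces.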
Algorithms operate over abstract first-order structures, well studied and familiar in mathematical logic, algebra and abstract mathematics in general. The techniques developed for the behavioral theory suggest a natural representation of Dolev-Yao assumptions in first-order structures, and a natural mapping of the ad-hoc notations present in abstract models of cryptography. Unlike the static abstract models, which necessarily invoke additional proof-theoretic devices to capture dynamic aspects, the behavioral theory explicitly targets the dynamic behavior of algorithms semantically. By recent work on the behavioral theory [BG04a,BG04b,RR05,Gur05], this also includes interactive algorithms talking to an environment between steps, and within a step, allowing us to represent directly the abstract content of oracle algorithms and adversary games typical of computational cryptography. In the framework of intra-step interactive algorithms, exact abstract representations of computational security notions, defined in terms of adversary games, emerge clearly. The experiments of asymptotic computational cryptography can be naturally represented in terms of interactive algorithms over first-order structures; this is our experiments-as-structures paradigm, and it provides a setting for soundness/completeness proofs in which the abstract content of these proofs is more clearly separated from the probabilistic aspects. In this paper we execute a small initial segment of this program, in the case of confusion-free asymmetric encryption. Abstract models for the standard asymptotic security notions in this case are provided, with proofs of their soundness (under the assumption of acyclicity) and completeness. The relation of these proofs to proofs in the literature [AR02,MW04a,AJ01,Ban04,ABS05] can best be described as extraction of abstract content. We also briefly indicate how the assumptions of confusion-freeness and acyclicity can be relaxed in our setting.
Section 1 is a (necessarily cursory) overview of the behavioral theory of algorithms, essentially referring the reader to the literature. Section 2 is a brief summary of the relevant assumptions of asymptotic computational cryptography in the asymmetric (public key) case. Section 3 presents the experiments-as-structures paradigm and our abstract model of cryptographic adversary games. Section 4 contains sketches of the soundness and completeness proofs, and shows how the Abadi-Rogaway expression language variant embeds into our framework. The testing model for public key protocols is in Section 5, together with an example of the rediscovery of Lowe’s attack on the Needham–Schroeder protocol by SpecExplorer. In addition to the cited cryptographic literature, some understanding of the framework as presented in [RR05] is expected of the reader.

1 Behavioral Theory of Algorithms

The behavioral theory of algorithms is not an attempt to question the Church–Turing thesis, which says that every computable function over the natural numbers can be computed by a Turing machine, or the stronger implicit thesis, actually argued for by Turing, that every algorithm can be simulated by a Turing machine. The aim of the behavioral theory is to make precise semantic distinctions finer than that. While algorithms get implemented (simulated) exclusively over bits these days, they are often intended to operate over much more abstract objects: abstract data structures of algebraic, geometric or analytic, or even not explicitly mathematical, character. The behavioral theory aims to capture algorithms as they are intended, at their own level of abstraction.
Similar resources
A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving
In this paper, we briefly review two formal approaches to the verification of security protocols: model checking and theorem proving. Model checking is based on studying the behavior of protocols by generating all different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...
Design of cybernetic metamodel of cryptographic algorithms and ranking of its supporting components using ELECTRE III method
Nowadays, achieving desirable and stable security in networks of national and organizational scope, and even in sensitive information systems, should be based on a systematic and comprehensive method and should be done step by step. Cryptography is the most important mechanism for securing information. A cryptographic system consists of three main components: cryptographic algorithms, cryptogr...
A Theoretical Framework for Modelling and Simulating Security Protocols
Department of Computer Science, University of Manchester, Oxford Road, Manchester, M13 9PL, United Kingdom. E-mail: {iwuo, rzobel}@cs.man.ac.uk. Abstract: The aim of this paper is to present an approach to describe cryptographic protocols using agent-based simulation. This provides a framework to understand and model protocol behaviour and interaction in a simulation environment. Simulation techniqu...
Partial Knowledge in Multiple-Choice Testing
The intent of this study was to discover the nature of (partial) knowledge as estimated by the multiple-choice (MC) test method. An MC test of vocabulary, including 20 items, was given to 10 participants. Each examinee was required to think aloud while focusing on each item before and while making a response. After each test taker was done with each item, s/he was ...
Process algebraic modeling of authentication protocols for analysis of parallel multi-session executions
Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role in parallel sessions. We take advantage of the notion of transition systems to specify authen...
Integrating Verification, Testing, and Learning for Cryptographic Protocols
The verification of cryptographic protocol specifications is an active research topic and has received much attention from the formal verification community. By contrast, the black-box testing of actual implementations of protocols, which is, arguably, as important as verification for ensuring the correct functioning of protocols in the “real” world, is little studied. We propose an approach fo...
Publication date: 2005