Section: New Results
Verification of Security Protocols in the Formal Model
The formal model of protocols, or Dolev–Yao model is an abstract model in which messages are represented by terms. Our protocol verifier ProVerif relies on this model. This year, we have written a book chapter on the resolution algorithm at the heart of ProVerif and have implemented several extensions of ProVerif .
Book Chapter on Using Horn Clauses for the Verification of Security Protocols
Keywords : Horn clauses, resolution, automatic verification, security protocols.
Participant : Bruno Blanchet.
We have written a book chapter  that introduces the theory behind the protocol verifier ProVerif . It explains the abstract representation of protocols by Horn clauses used by ProVerif . It also presents and proves correct the resolution algorithm that is used to determine whether a fact is derivable from these clauses. From this information, security properties of the protocol can be inferred; we focus on secrecy in this chapter, but this method can also prove other security properties, including authentication and process equivalences.
Extensions of ProVerif
Keywords : automatic verification, security protocols, attack reconstruction, interface, documentation.
Participants : Bruno Blanchet, Ben Smyth.
In the frame of a contract with CELAR (see Section 7.4 ), we have implemented several extensions of ProVerif .
We have implemented the reconstruction of attacks against injective correspondences. Injective correspondences are properties of the form: for each execution of a certain event e1 , there is a distinct execution of another event e2 . ProVerif could already reconstruct attacks in which e1 is executed without e2 being executed (which also contradict a non-injective correspondence); we have extended it to reconstruct attacks in which e1 is executed twice and e2 is executed only once.
We have also improved the interface of ProVerif . We have implemented a new front-end with types, parametric processes, function macros, and specific constructions for representing tables of keys. The goal of this new front-end is to make it easier for users to model protocols, and to detect some bugs in protocol specifications (in particular thanks to typing). This input language is also closer to the one of CryptoVerif , so that many examples of protocols can be given to both tools with no or little modification.
Finally, we are currently writing a more detailed documentation of ProVerif , including a tutorial with examples of protocols, to facilitate its access to users who are not experts in the pi-calculus or formal methods.