Tamarin Prover Analysis of Security Protocols
Tamarin Prover Analysis of Security Protocols
Tamarin Prover Analysis of Security Protocols
1 Introduction
During the last two decades, there has been considerable research devoted to the
symbolic analysis of security protocols and existing tools have had considerable
success both in detecting attacks on protocols and showing their absence. Never-
theless, there is still a large discrepancy between the symbolic models that one
specifies on paper and the models that can be effectively analyzed by tools.
In this paper, we present the Tamarin prover for the symbolic analysis of
security protocols. Tamarin generalizes the backwards search used by the Scyther
tool [4] to enable: protocol specification by multiset rewriting rules; property
specification in a guarded fragment of first-order logic, which allows quantification
over messages and timepoints; and reasoning modulo equational theories. As
practical examples, these generalizations respectively enable the tool to handle:
protocols with non-monotonic mutable global state and complex control flow such
as loops; complex security properties such as the eCK model [9] for key exchange
protocols; and equational theories such as Diffie-Hellman, bilinear pairings, and
user-specified subterm-convergent theories.
Tamarin provides two ways of constructing proofs: an efficient, fully auto-
mated mode that uses heuristics to guide proof search, and an interactive mode. If
the tool’s automated proof search terminates, it returns either a proof of correct-
ness (for an unbounded number of threads and fresh values) or a counterexample
(e. g., an attack). Due to the undecidable nature of most properties in our setting,
the tool may not terminate. The interactive mode enables the user to explore
the proof states, inspect attack graphs, and seamlessly combine manual proof
guidance with automated proof search.
The theory for Diffie-Hellman exponentiation and the application to Diffie-
Hellman-based two-party key exchange protocols have been published in [13]. In
the theses of Meier [10] and Schmidt [14], the approach is extended with trace
induction and with support for bilinear pairings and AC operators.
2 Tool Description
We first give an example that illustrates Tamarin’s use. Afterwards, we describe
its underlying foundations and implementation.
The constant shk is output on the network and the label Reveal() ensures that
the trace reflects if and when a reveal happens.
The set of protocol traces is defined via multiset rewriting (modulo the
equational theory) with these rules and the builtin rules for fresh name creation,
message reception by the adversary, message deduction, and message sending
by the adversary, which is observable via facts of the form K(m). More precisely,
the trace corresponding to a multiset rewriting derivation is the sequence of the
labels of the applied rules.
Properties. We define the desired security properties of the protocol as trace
properties. The labels of the protocol rules must therefore contain enough infor-
mation to state these properties. In Tamarin, properties are specified as lemmas,
which are then discharged or disproven by the tool.
lemma Accept_Secret:
∀ i j tid key. Accept(tid,key)@i & K(key)@j ⇒ ∃ l. Reveal()@l & l < i
The lemma quantifies over timepoints i, j, and l and messages tid and key. It
uses predicates of the form F @ i to denote that the trace contains the fact F at
index i and predicates of the form i < j to denote that the timepoint i is smaller
than the timepoint j. The lemma states that if a thread tid has accepted a key
key at timepoint i and key is also known to the adversary, then there must be a
timepoint l before i where the shared secret was revealed.
Output. Running Tamarin on this input file yields the following output.
analyzed example.spthy: Accept_Secret (all-traces) verified (9 steps)
The output states that Tamarin successfully verified that all protocol traces
satisfy the formula in Accept_Secret.
systems. For example, a constraint can express that some multiset rewriting step
occurs in an execution or that one step occurs before another step. We can also
directly use formulas as constraints to express that some behavior does not occur
in an execution. Applications of constraint reduction rules, such as simplifications
or case distinctions, correspond to the incremental construction of a satisfying
trace. If no further rules can be applied and no satisfying trace was found, then
no satisfying trace exists. For symbolic reasoning, we exploit the finite variant
property [3] to reduce reasoning modulo E with respect to R to reasoning modulo
AC with respect to the variants of R.
3 Experimental results
Table 1. Selected results of the automated analysis of case studies included in the
public Tamarin repository. Here, KI denotes key independence.
satisfy complex security properties, such as the eCK model [9]. Earlier works had
only considered some of these protocols with respect to weaker adversaries, which
cannot reveal random numbers and both short-term and long-term keys. The
SIGJOUX and RYY protocols use bilinear pairings, which require a specialized
equational theory that extends the Diffie-Hellman theory.
Loops and mutable global state. We also used Tamarin to analyze protocols
with loops and non-monotonic mutable global state. Examples include the TESLA
protocols, the security device and contract signing examples from [1], the keyserver
protocol from [11], and the exclusive secrets and envelope protocol models for
TPMs from [5]. In each case, our results are more general or the analysis is more
efficient than previous results. Additionally, Tamarin was successfully used to
analyze the YubiKey and YubiHSM protocols [7].
4 Related Tools
There are many tools for the symbolic analysis of security protocols. We focus
on those that can provide verification with respect to an unbounded number of
sessions for complex properties. In general, the Tamarin prover offers a novel
combination of features that enables it to verify protocols and properties that
were previously impossible using other automated tools.
Like its predecessor the Scyther tool [4], Tamarin performs backwards rea-
soning. However in contrast to Scyther, it supports equational theories, modeling
complex control flow and mutable global state, an expressive property specification
language, and the ability to combine interactive and automated reasoning.
The Maude-NPA tool [6] supports protocols specified as linear role-scripts,
properties specified as symbolic states, and equational theories with a finite
variant decomposition modulo AC, ACI, or C. It is unclear if our case studies
that use global state, loops, and temporal formulas can be specified in Maude-
NPA. With respect to their support of equational theories, Maude-NPA and
Tamarin are incomparable. For example, Maude-NPA has been applied to XOR
and Tamarin has been applied to bilinear pairing.
The ProVerif tool [2] has been extended to partially handle DH with in-
verses [8], bilinear pairings [12], and mutable global state [1]. From a user
perspective, Tamarin provides a more expressive property specification language
that, e. g., allows for direct specification of temporal properties. The effective-
ness of ProVerif relies largely on its focus on the adversary’s knowledge. It has
more difficulty dealing with properties that depend on the precise state of agent
sessions and mutable global state. The extension [1] for mutable global state is
subject to several restrictions and the protocol models require additional manual
abstraction steps. Similarly, the DH and bilinear pairing extensions work under
some restrictions, e. g., exponents in the specification must be ground.
References
1. Arapinis, M., Ritter, E., Ryan, M.: Statverif: Verification of stateful processes. In:
Proc. CSF. IEEE (2011)
2. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In:
Proc. CSFW. IEEE (2001)
3. Comon-Lundh, H., Delaune, S.: The finite variant property: How to get rid of some
algebraic properties. Term Rewriting and Applications pp. 294–307 (2005)
4. Cremers, C.: The Scyther Tool: Verification, falsification, and analysis of security
protocols. In: Computer Aided Verification. LNCS, vol. 5123. Springer (2008)
5. Delaune, S., Kremer, S., Ryan, M.D., Steel, G.: Formal analysis of protocols based
on TPM state registers. In: Proc. CSF. pp. 66–80. IEEE (2011)
6. Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the
NRL protocol analyzer and its meta-logical properties. TCS 367, 162–202 (2006)
7. Künnemann, R., Steel, G.: YubiSecure? Formal security analysis results for the
YubiKey and YubiHSM. In: Preliminary Proc. STM’12 (2012)
8. Küsters, R., Truderung, T.: Reducing protocol analysis with xor to the xor-free
case in the Horn theory based approach. J. Autom. Reasoning 46(3-4), 325–352
(2011)
9. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key
exchange. In: ProvSec. LNCS, vol. 4784, pp. 1–16. Springer (2007)
10. Meier, S.: Advancing Automated Security Protocol Verification. Ph.D. thesis (2013)
11. Mödersheim, S.: Abstraction by set-membership: verifying security protocols and
web services with databases. In: Proc. CCS. pp. 351–360. ACM (2010)
12. Pankova, A., Laud, P.: Symbolic analysis of cryptographic protocols containing
bilinear pairings. In: Proc. CSF. IEEE (2012)
13. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman
protocols and advanced security properties. In: Proc. CSF. IEEE (2012)
14. Schmidt, B.: Formal Analysis of Key Exchange Protocols and Physical Protocols.
Ph.D. thesis (2012)
15. http://www.infsec.ethz.ch/research/software/tamarin: