TRS are a convenient formal way to model cryptographic protocols. As far as we know, the first work using TRS for this purpose is (Denker et al., 1998), for attack detection. It was followed by many other works, such as (Jacquemard et al., 2000) and (Genet and Klay, 2000), where the rewriting models are used for security proofs. Those works use a set of rewrite rules for the intruder close to the deduction rules of Figure 5.1. Encoding those deduction rules into a TRS requires overcoming a technical detail: deduction rules operate on sets, whereas rewrite rules operate on terms. Though sets are difficult to encode as terms, multisets are enough and can be encoded into terms using an associative and commutative symbol. This is the case, for instance, in (Genet and Klay, 2000) with the symbol $\sqcup$ and also in (Jacquemard et al., 2000). The encoding is even clearer in (Rusinowitch and Turuani, 2001). The set of deduction rules of Figure 5.1 can thus be encoded by the following set of rewrite rules, where $\sqcup$ is supposed to be an associative and commutative operator. Those rules rewrite a term (a multiset) representing the knowledge of the intruder.

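(Decryption) $\{M\}_K \sqcup K^{-1} \rightarrow M \sqcup \{M\}_K \sqcup K^{-1}$

(Encryption) $M \sqcup K \rightarrow \{M\}_K \sqcup M \sqcup K$

(UnpairingL) $\langle X, Y \rangle \rightarrow X \sqcup \langle X, Y \rangle$

(UnpairingR) $\langle X, Y \rangle \rightarrow Y \sqcup \langle X, Y \rangle$

(Pairing) $X \sqcup Y \rightarrow \langle X, Y \rangle \sqcup X \sqcup Y$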

This is for the representation of the Dolev-Yao intruder with TRS. For the verification part, the aim is to finitely represent the infinite set of messages that an intruder is able to construct. For that purpose, tree automata are now a very commonly used technique. The idea of using tree automata for verifying this specific kind of software was independently proposed by (Monniaux, 1999; Genet and Klay, 2000; Goubault-Larrecq, 2000). The common intuition behind those works is the following: represent the potentially infinite knowledge of the intruder as a tree automaton. (Monniaux, 1999) encodes the disassembly of the messages using TRS. The TRS concerned is thus restricted to the rules:

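(Decryption) $\{M\}_K \sqcup K^{-1} \rightarrow M \sqcup \{M\}_K \sqcup K^{-1}$

(UnpairingL) $\langle X, Y \rangle \rightarrow X \sqcup \langle X, Y \rangle$

(UnpairingR) $\langle X, Y \rangle \rightarrow Y \sqcup \langle X, Y \rangle$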

In (Monniaux, 1999), pairing and encryption operations of the intruder (the other rules) are simulated by the tree automaton itself. This requires a separate manual proof. However, in this case, the knowledge of the intruder can entirely be represented by a regular set of non associative and commutative terms, and the operator $\sqcup$ becomes useless. The TRS used in (Monniaux, 1999) uses explicit decryption and unpairing operators as follows:

(Decryption) $\mathit{decrypt}(\{x\}_k, k^{-1}) \rightarrow x$

(UnpairingL) $\mathit{proj}_1(\langle x, y \rangle) \rightarrow x$

(UnpairingR) $\mathit{proj}_2(\langle x, y \rangle) \rightarrow y$

The set of reachable terms w.r.t. this TRS is over-approximated using a tree automaton. However, though it is not mentioned by Monniaux, the above TRS is in the RL-M class and reachable terms can thus be exactly computed.
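The split described above, decomposition rules saturated to a fixpoint and composition handled separately, can be tried on a small knowledge set with the following added example (not code from the thesis or from any of the cited tools). It uses the standard goal-directed intruder deduction check rather than tree automata completion: Decryption and Unpairing are applied until nothing new appears, while Pairing and Encryption are only explored when testing whether a given term can be built. The tuple encoding of terms, the key model, the function names and the sample knowledge are all assumptions made for the illustration.

```python
# Terms: atoms are strings; ("pair", x, y) is <x, y>; ("enc", m, k) is {m}_k.
# Assumed key model: listed public/private keys are mutual inverses; any other
# key (including a compound term) is symmetric, i.e. its own inverse.
KEYPAIRS = {"pk_a": "sk_a", "pk_b": "sk_b", "pk_i": "sk_i"}
INV = {**KEYPAIRS, **{sk: pk for pk, sk in KEYPAIRS.items()}}

def inverse(k):
    return INV.get(k, k)

def can_build(t, known):
    """Pairing/Encryption, applied goal-directed so the search terminates."""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] in ("pair", "enc"):
        return can_build(t[1], known) and can_build(t[2], known)
    return False

def saturate(initial):
    """Decryption/UnpairingL/UnpairingR applied up to a fixpoint."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = [t[1], t[2]]
            elif t[0] == "enc" and can_build(inverse(t[2]), known):
                parts = [t[1]]  # the inverse key may itself be a built term
            else:
                parts = []
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def derivable(goal, initial):
    return can_build(goal, saturate(initial))

# Constructed sample knowledge (not taken from the thesis).
OBSERVED = {
    "pk_a", "pk_b", "pk_i", "sk_i", "a", "b",
    ("enc", ("pair", "na", "a"), "pk_i"),    # addressed to the intruder i
    ("enc", ("pair", "na", "nb"), "pk_a"),   # addressed to a
    ("enc", "secret", ("pair", "na", "a")),  # symmetric, compound key
}
```

Saturation terminates because every term it adds is a subterm of the initial knowledge; the set closed under Pairing and Encryption is infinite, which is why it is only queried for one goal at a time here.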

The technique proposed in (Genet and Klay, 2000) and (Goubault-Larrecq, 2000) goes further and represents the entire protocol execution and intruder activity using a TRS. In this case, the corresponding TRS is no longer in a regular class of Section 2.1.1 and the set of reachable terms needs to be approximated. These two works use a tree automata completion algorithm close to the one presented in Section 3.1 to perform the verification. In (Genet and Klay, 2000), the case study was the Needham-Schroeder public key protocol (Needham and Schroeder, 1978) (NSPK for short) which was, at that time, the typical benchmark of security protocol verification techniques. On this protocol, once the normalization rules are defined, secrecy can be verified automatically on an unbounded number of agents, protocol sessions and intruder’s basic actions. As far as we know, (Genet and Klay, 2000) was one of the first techniques able to prove such a general result in a (semi-)automatic way. Before that, D. Bolignano (Bolignano, 1996) proposed to prove protocols using abstract interpretation, and thus approximations. However, proofs were essentially manual and done in the Coq proof assistant.

Another interest of tree automata based verification, which arose during this experiment, is that it eases the minimization of models. For instance, on the NSPK example, if we achieve an exact completion after 4 steps, the completed automaton already has more than 4500 states and is, of course, not complete. This shows the state explosion problem we face on such specifications. On the same initial tree automaton and TRS, with a very rough approximation, completion terminates after 6 steps and obtains a fixpoint automaton with only 16 states. In such an approximation, for instance, we even forget the message structure itself, i.e. the ordering of components in the messages is lost. Although this fixpoint is imprecise, it is still sufficient to prove the security property. The benefit of this experiment was thus to show that the fine tuning of approximations is a good way to scale up verification by tree automata completion to real-size problems. This is illustrated in Section 5.1.3 on an industrial cryptographic protocol and in Section 5.2 on Java bytecode verification.