A Security Protocol Animator Tool for AVISPA
Authors
Abstract
AVISPA is now a commonly used verification tool for cryptographic protocols. The main advantage of this tool is the ability to use different verification techniques on the same protocol specification. In this paper, we present a protocol animator designed to help protocol developers in writing AVISPA specifications. This is the result of an ongoing joint experiment with Thomson R&D to use AVISPA at early stages of protocol development.

1 The Need for a Protocol Animator in the AVISPA System

In the AVISPA tool, protocols are specified using the High Level Protocol Specification Language (HLPSL for short [1]). The HLPSL specification is then translated into an Intermediate Format (IF), which is used by the various verification tools embedded in AVISPA: OFMC, the On-the-Fly Model-Checker [2]; CL, the Constraint-Logic-based model-checker [3]; SATMC, the SAT-based Model-Checker [4]; and TA4SP, Tree Automata based on Automatic Approximations for the Analysis of Security Protocols [5]. Figure 1 depicts the overall architecture of the system.

Since HLPSL is a far more expressive language than the basic "Alice & Bob" notation, writing an HLPSL specification is still not an easy task. In HLPSL, protocols are defined role by role rather than message by message, as is done in "Alice & Bob" notation. As a result, HLPSL specifications are far less ambiguous but more difficult to read. Thus, it is sometimes difficult for protocol designers to figure out whether the HLPSL specification they wrote corresponds to the "Alice & Bob" protocol they had in mind. In this paper, we present a tool for animating HLPSL specifications, i.e. for interactively producing Message Sequence Charts (MSC for short), which can be seen as an "Alice & Bob" trace derived from an HLPSL specification.

Fig. 1. The overall AVISPA system architecture.

2 The Protocol Animator

Protocol specifications in HLPSL are divided into roles. The basic roles describe the actions of principals in an execution of the protocol.
Other roles, namely composed roles, instantiate several of these basic roles to model sessions of the protocol. Finally, the environment role defines the effective principals and sessions whose execution is to be considered. Here is an example of a basic role declaration extracted from the HLPSL specification of the Needham-Schroeder protocol with symmetric keys:

    role a(A : agent, Ka, Kb : symmetric_key, SND, RCV : channel(dy))
    played_by A def=
      local State : nat, Na, Nb : text, B : agent
      init State := 0
      transition
        step1. State=0 /\ RCV(start) =|> State':=1 /\ Na':=new() /\ SND({Na'.A}_Kb)
        step2. State=1 /\ RCV({Na.Nb'}_Ka) =|> State':=2 /\ SND({Nb'}_Kb)
    end role

    role b(B : agent, Ka, Kb : symmetric_key, SND, RCV : channel(dy))
    played_by B def=
      local State : nat, Na, Nb : text, A : agent
      init State := 0
      transition
        step1. State=0 /\ RCV({Na'.A'}_Kb) =|> State':=1 /\ SND({Na'.Nb'}_Ka)
        step2. State=1 /\ RCV({Nb}_Kb) =|> State':=2
    end role

Two declarations of composed roles:

    role session(A, B : agent, KaA, KbA, KaB, KbB : symmetric_key) def=
      local S_A, R_A, S_B, R_B : channel(dy)
      composition
        a(A, KaA, KbB, S_A, R_A) /\ b(B, KaB, KbB, S_B, R_B)
    end role

    role environment() def=
      const alice, bob : agent,
            ka, kb : symmetric_key
      intruder_knowledge = {alice, bob}
      composition
        session(alice, bob, ka, kb, ka, kb) /\ session(alice, bob, ka, kb, ka, kb)
    end role

    environment()

In the example, the composed role session describes a single session of the protocol. The composed role environment defines two parallel sessions. Starting from such an HLPSL specification, the protocol animator helps to build one possible MSC corresponding to that specification. The animator can represent one or more sessions of the protocol in parallel, according to the information given in the role environment. MSCs are then produced interactively with the user.
At every moment, the animator proposes to the user a choice between all the transitions for which a message can be sent by one principal and received by another. This approach makes it possible to resolve interactively all the choices that may arise during the construction of an MSC (non-deterministic protocols, choices between two transitions to trigger in two different sessions, etc.). The execution of a protocol transition generally adds one message arrow to the MSC. The protocol animator also makes it possible to check the values of the variables of each principal at every moment: the user chooses the variables of each role he wants to monitor. The tool can save an execution trace corresponding to the execution of the protocol supervised by the user, and it is possible to reload it. The MSC can be exported in PostScript or PDF format.
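The interactive loop described above, as an added example that is not the paper's or AVISPA's code: a toy animator over the two basic roles quoted in the previous section. At each step it enumerates the transitions whose RCV pattern matches a message some other principal has sent (or the start event), lets a chooser pick one as the user would, and appends the exchange to an MSC. Message encoding, the name "enc" for {...}_K, the fresh-value naming scheme and the dict layout of roles are all assumptions of this example; the chooser can be replaced by an input() prompt for a truly interactive run, and the test below also animates two parallel sessions, as the environment role above declares.

```python
import itertools                                  # toy HLPSL animator (not AVISPA code)
def inst(term, env):                              # uppercase vars (primed or not) -> current env values
    if isinstance(term, tuple):
        return tuple(inst(t, env) for t in term)
    return env.get(term.rstrip("'"), term) if term[0].isupper() else term
def match(pat, msg, env, bind):                   # HLPSL receive: X' binds a value, the rest must agree
    if isinstance(pat, tuple):
        return isinstance(msg, tuple) and len(pat) == len(msg) and \
            all(match(p, m, env, bind) for p, m in zip(pat, msg))
    if pat.endswith("'"):
        bind[pat[:-1]] = msg
        return True
    return inst(pat, env) == msg
def show(m):                                      # ('enc', K, (X, Y)) -> {X.Y}_K, the HLPSL notation
    if isinstance(m, tuple) and m[0] == "enc":
        return "{" + show(m[2]) + "}_" + show(m[1])
    return ".".join(map(show, m)) if isinstance(m, tuple) else m
def enabled(roles, outbox):                       # every (receiver, transition, (sender, msg), bindings)
    opts = []                                     # the animator can offer to the user right now
    for r in roles:
        for tr in (t for t in r["trans"] if r["env"]["State"] == t[0]):
            cands = [(None, "start")] if tr[1] == "start" else [e for e in outbox if e[0] is not r]
            for e in cands:
                b = {}
                if match(tr[1], e[1], r["env"], b):
                    opts.append((r, tr, e, b))
    return opts
def animate(roles, choose):                       # build one MSC; choose(opts) plays the user's part
    fresh_ids, outbox, msc = itertools.count(1), [], []
    while opts := enabled(roles, outbox):
        r, (_, _, to, new_vars, snd), (sender, msg), b = choose(opts)
        if sender:                                # consuming a sent message draws one MSC arrow
            outbox.remove((sender, msg))
            msc.append(f"{sender['name']} -> {r['name']} : {show(msg)}")
        r["env"].update(b, State=to)
        for v in new_vars:                        # X' := new(), constructed names na1, nb2, ...
            r["env"][v] = f"{v.lower()}{next(fresh_ids)}"
        if snd:
            outbox.append((r, inst(snd, r["env"])))
    return msc

def nssk_roles():                                 # the two basic roles quoted above, one session
    a = {"name": "alice", "env": {"State": 0, "A": "alice", "Ka": "ka", "Kb": "kb"}, "trans": [
        (0, "start", 1, ["Na"], ("enc", "Kb", ("Na'", "A"))),                # step1 of role a
        (1, ("enc", "Ka", ("Na", "Nb'")), 2, [], ("enc", "Kb", ("Nb'",)))]}  # step2 of role a
    b = {"name": "bob", "env": {"State": 0, "B": "bob", "Ka": "ka", "Kb": "kb"}, "trans": [
        (0, ("enc", "Kb", ("Na'", "A'")), 1, ["Nb"], ("enc", "Ka", ("Na'", "Nb'"))),  # step1 of b
        (1, ("enc", "Kb", ("Nb",)), 2, [], None)]}                            # step2 of role b
    return [a, b]
```

Running animate(nssk_roles(), lambda opts: opts[0]) yields the three-arrow "Alice & Bob" trace of one session; with two sessions in the role list, enabled() offers both start transitions, which is exactly the cross-session choice the animator leaves to the user.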
Similar resources
Formal Validation of OFEPSP+ with AVISPA
Formal validation of security protocols is of utmost importance before they gain market or academic acceptance. In particular, the results obtained from the formal validation of the improved Optimistic Fair Exchange Protocol based on Signature Policies (OFEPSP+) are presented. OFEPSP+ ensures that no party gains an unfair advantage over the other during the protocol execution, while substantial...
Automated Security Protocol Analysis With the AVISPA Tool
The AVISPA Tool is a push-button tool for the Automated Validation of Internet Security Protocols and Applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of automatic protocol analysis techniques. Experimental results, carried out on a large library of Internet secu...
GSLHA: Group-based Secure Lightweight Handover Authentication Protocol for M2M Communication
Machine to machine (M2M) communication, which is also known as machine type communication (MTC), is one of the most fascinating parts of mobile communication technology and also an important practical application of the Internet of Things. The main objective of this type of communication is handling massive heterogeneous devices with low network overheads and high security guarantees. Hence, v...
Analysing Security Protocols with AVISPA
Usage of the Internet has increased rapidly over the past decade. The increased number of network users has also brought along a need for network-based services that require security. Developing new security protocols is a difficult task, and sometimes too difficult a task for the human mind. We need efficient tools to help the development and verification of the protocols. In this paper we introduce th...
Security Property Validation of the Sensor Network Encryption Protocol (SNEP)
Since wireless sensor networks (WSNs) have been designed to be deployed in an unsecured, public environment, secured communication is really vital for their wide-spread use. Among all of the communication protocols developed for WSN, the Security Protocols for Sensor Networks (SPINS) is exceptional, as it has been designed with security as a goal. SPINS is composed of two building blocks: Secur...