
Formal Methods for Additional Support of Security Protocols Devel-

The formal methods described so far support the formal specification and verification of security protocols. In this section, further useful formal approaches for protocol synthesis and repairing are described.

2.8.1 Approaches of Protocol Design and Synthesis

Gong and Syverson in [188] have developed a methodology to facilitate the design and analysis of security protocols. They defined a notion of a fail-stop protocol, which should then be verified. The authors have come up with a method that produces protocols that are fail-stop and, whenever a protocol is not, their method suggests changes to turn it into one that is. They claim that if a protocol is a fail-stop protocol, it is guaranteed to satisfy secrecy assumptions. To validate this claim, BAN logic has been used.

Perrig and Song in [291] have developed the Automatic Protocol Generation (APG) system for automatically generating security protocols. APG automatically generates protocols, step by step, taking into account the desired security requirements (authentication and secrecy). APG generates a collection of candidate security protocols that satisfy the specified security requirements. In the final step, APG applies the Athena tool to analyze the candidate protocols, discards the flawed protocols, and outputs the correct protocols that satisfy the desired security requirements. The search space of this approach is of order 10^12 according to the authors.

Clark and Jacob in [122] presented a framework for the automatic design and synthesis of security protocols based on forward evolutionary search techniques. They used a sort of genetic algorithm (GA) as a heuristic search technique. BAN logic style was used to specify the design goals, from which a collection of abstract protocols was generated. The generated protocols were analyzed in relation to their BAN logic specifications. Furthermore, the tool is able to derive sets of assumptions (specification synthesis), which is usually done informally by designers of real protocols.

Saidi in [313] developed a method for automatically generating security protocols from their logical specification. This method is based on the well-known BAN logic [95] for describing protocol goals, extended by protocol derivation rules that allow the derivation of messages from logical statements. According to the author, a prototype of the method is implemented in the OCaml language.

Guttman in [194] developed a method for designing security protocols based on the authentication tests method [193]. This is illustrated by creating an ATSPECT (Authentication Test-based Secure Protocol for Electronic Commerce Transactions) design process. The design process is based on authentication tests and the verification method is based on the strand space theory. The steps of the design process are: (1) precise formulation of the protocol goals, (2) selecting an authentication test pattern to achieve each goal, designing sub-protocols that achieve each goal, verifying that the sub-protocols achieve the individual goals and ensuring that the sub-protocols are independent, and (3) construction of a single protocol by combining the sub-protocols and justifying its correctness. This method is illustrated by generating a SET-like three-party protocol.

Foley and Zhou in [359,175] proposed an automatic security protocol generator called ASPB (Automatic Synthesis Protocol Builder). The generator combines and automates the manual synthesis rules from the logic (BSW logic) proposed in [96] with Guttman's manual design process (called Authentication Tests) [193]. The synthesis rules of the BSW logic are used to guide an automatic backwards search for a sub-protocol from a single goal. The tool combines the generated sub-protocols into one candidate protocol that matches the given goals. A time comparison between ASPB and APG [291], based on the examples of protocols generated, was also given by the authors.

Chen in [198] developed a heuristic search framework that extended the Clark-Jacob approach [122] for synthesizing symmetric key BAN protocols to allow public key and hybrid cryptographic schemes, and used SVO logic [333], a more realistic belief logic, to specify security requirements.

Xue et al. [351] used an artificial immune algorithm (AIA) to automate the design of security protocols. The cord calculus is applied as a specification formalism for security protocols. This approach is limited to simple goals.

Bela [183] developed a method for generating security protocols by composing them from other protocols. This method is called Preconditions and Effects (PE) composition. To automate this method, two things are needed: an enriched protocol model that contains enough information to compose the protocol preconditions and effects, and a verification approach for the correctness of the final composed protocol.

Preconditions denote the set of properties that must be satisfied for the protocol to be executed, while the effects denote the set of properties resulting from the protocol execution. By composing preconditions and effects (i.e. PE composition), a new protocol sequence is generated that ensures the satisfaction of the protocol preconditions and the propagation of generated information through effects. The protocol sequence generated by the PE composition must be correct, in the sense that it must maintain the security properties of the original protocols. The independence of the involved protocols is verified using the method in [61]. Protocol independence ensures that the intruder cannot replay messages from one protocol to another to construct new attacks while running the protocols in the same environment. This property also ensures the correctness of the composed protocol.
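The sequencing side of PE composition can be illustrated with the following added example, which is not code from [183] or from this text: protocols are ordered so that each precondition is covered by the initial properties or by the effects of an earlier protocol, and an unsatisfiable composition is reported. The `Protocol` class, `pe_compose` and all property names are assumptions made for the illustration; the independence check of [61] is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Protocol:
    name: str
    pre: frozenset  # properties that must hold before the protocol runs
    eff: frozenset  # properties that hold once it has run

def pe_compose(protocols, initial, goals):
    """Sequence protocols so that each one's preconditions are covered by the
    initial properties plus the effects of protocols placed before it."""
    known, pending, sequence = set(initial), list(protocols), []
    while not set(goals) <= known:
        # Runnable: preconditions satisfied and at least one new effect.
        runnable = [p for p in pending if p.pre <= known and not p.eff <= known]
        if not runnable:
            blocked = {p.name: sorted(p.pre - known) for p in pending}
            raise ValueError(f"goals unreachable; unmet preconditions: {blocked}")
        step = runnable[0]
        pending.remove(step)
        sequence.append(step.name)
        known |= step.eff  # effects propagate to later protocols
    return sequence, known

# Constructed sample: three abstract protocols, listed out of order.
INITIAL = {"A_shares_Kas_with_S", "B_shares_Kbs_with_S"}
SAMPLE = [
    Protocol("secure_transfer",
             frozenset({"A_B_share_Kab", "B_authenticated_to_A"}),
             frozenset({"payload_secret"})),
    Protocol("mutual_auth",
             frozenset({"A_B_share_Kab"}),
             frozenset({"A_authenticated_to_B", "B_authenticated_to_A"})),
    Protocol("key_distribution",
             frozenset(INITIAL),
             frozenset({"A_B_share_Kab"})),
]

if __name__ == "__main__":
    order, props = pe_compose(SAMPLE, INITIAL, {"payload_secret"})
    print(" -> ".join(order))
    try:  # without key distribution no sequence satisfies the preconditions
        pe_compose(SAMPLE[:2], INITIAL, {"payload_secret"})
    except ValueError as err:
        print(err)
```

A sequence returned here only shows that preconditions and effects chain; the composed protocol still has to be verified for correctness and independence as described above.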

2.8.2 Approaches of Protocol Repairing

The verification of security protocols has received a lot of attention from the formal methods community, yielding two main verification approaches: (i) state exploration (model checking) methods, e.g. FDR, AVISPA, etc.; and (ii) theorem proving, e.g. Isabelle, SPASS, etc. Furthermore, the complementary principles and guidelines of Abadi and Needham [20] for security protocol design aim to make security protocols simple and, hopefully, correct. These principles try to avoid common features (of protocols) which are hard to analyze.

The automated repairing (patching) of faulty security protocols is related to verification but less explored. To this end, Lopez et al. [297] proposed a method for patching security protocols that are susceptible to an interleaving-replay attack. This method is based on Abadi and Needham's principles of the prudent engineering practice for cryptographic protocols. Additionally, Lopez et al. in [214] developed SHRIMP, a tool which relies on existing verification tools and is capable of automatically repairing faulty security protocols. SHRIMP analyzes the protocol and an attack on this protocol in order to pinpoint faulty steps in the protocol and then suggests appropriate changes to fix them. This yields an improved version of the protocol that should be analyzed and possibly repaired again until no further flaws can be detected.

In this approach, Lopez et al. introduced a collection of rules, which they called patch methods, each of which is able to deal with a class of faults. To identify and patch a protocol flaw, each rule makes use of Abadi and Needham's design principles, which Lopez et al. translated into formal requirements on sets of protocol steps. SHRIMP deals with the full class of replay attacks proposed by Syverson [331] (the only exception being the type flaw subclass). SHRIMP has been tested on 36 protocols, 21 of which were borrowed from the Clark and Jacob library [124], obtaining a repair rate of 90%.

Another work targeting the automated repairing of security protocols is that of R. Choo [115]. He uses an adversary model from the computational complexity paradigm (i.e., the Bellare and Rogaway adversarial model [67]) and an automated tool (i.e., the Simple Homomorphism Verification Tool (SHVT) [279]) from the space exploration paradigm. The model checker (SHVT) is used to perform state-space analysis on the protocol model, which is encoded using Asynchronous Product Automata (APA). If the protocol is faulty, Choo's approach automatically repairs it.