# A Spatial-Epistemic Logic for

Reasoning about Security Protocols

###### Abstract

Reasoning about security properties involves reasoning about where the information of a system is located, and how it evolves over time. While most security analysis techniques need to cope with some notions of information locality and knowledge propagation, usually they do not provide a general language for expressing arbitrary properties involving local knowledge and knowledge transfer. Building on this observation, we introduce a framework for security protocol analysis based on dynamic spatial logic specifications. Our computational model is a variant of existing -calculi, while specifications are expressed in a dynamic spatial logic extended with an epistemic operator. We present the syntax and semantics of the model and logic, and discuss the expressiveness of the approach, showing it complete for passive attackers. We also prove that generic Dolev-Yao attackers may be mechanically determined for any deterministic finite protocol, and discuss how this result may be used to reason about security properties of open systems. We also present a model-checking algorithm for our logic, which has been implemented as an extension to the SLMC system.

## 1 Introduction

Among the several artifacts in the field of computer security, security protocols are indubitably a fundamental subject of study and research [13, 12]. Security protocols serve a variety of purposes, ranging from secrecy and authentication to forward secrecy and deniable encryption. A common trait of these protocols is their notoriously difficult design, which often leads to unforeseen vulnerabilities.

Therefore, it becomes essential to develop techniques that ensure the correctness of protocols, with respect to some specification of the properties they aim to establish. A wide range of language-based techniques have been proposed to analyze protocols and their correctness, such as type systems, process calculi or static analysis [4, 7, 3] which in many cases result in successful tools [6, 5, 14, 10].

In this paper we propose a framework for protocol analysis based on process calculus models and logic specifications. While the usage of process calculi and logic in this context is not new [15, 9, 3], our approach stems from the fact that many interesting properties of such systems are often a function of what information the several parts of a system may or may not obtain. While other frameworks (e.g., Avispa [5] and Casper [14]) allow one to efficiently verify a wide range of interesting security properties, these are not usually stated in this high-level knowledge oriented approach.

Our contribution consists of a dynamic spatial epistemic logic that allows reasoning about systems (modelled in a variant of the applied -calculus [3]) at three levels: the dynamics of systems and subsystems, the spatial arrangement of systems and subsystems, and the knowledge (the obtainable information) of systems and subsystems. The goal is to produce an expressive property language with which we can reason about a protocol by separating it into its different agents (malicious and otherwise), and then reason about the knowledge they can obtain and how it can evolve over time. This enables us to express interesting security properties in a very direct way (eg. agents and can obtain value , while agents and cannot). To clarify our approach, consider the example of Fig. 1.

We have a system `Sys`

composed of three processes:
, and a key distribution server .
wishes to exchange a value with . To do so, he requests
’s public key from , which emits in a signed message.
then uses it to encrypt a generated symmetric
session key and sends the key to . Afterwards will send
encrypted with the session key and terminate. will receive the
message, decrypt it to obtain and terminate. We further model
the system running with a malicious agent, defined through the
primitive `Attacker(Sys)`

. This agent consists of a Dolev-Yao
attacker which we discuss in Section 4.1.

For this protocol to be correct, it must be the case that the malicious agent interacting with the system can never know . Consider, however, a slightly stronger property: and want to exchange securely (with respect to the malicious agent) but they also do not completely trust the server . They trust it to at least distribute the appropriate keys, but want some assurances that even though operates according to protocol, it doesn’t obtain the value by observing the data exchanges between and .

This property, while not impossible to state in other frameworks,
would usually require some sort of ad-hoc modification to the
model (e.g, internalizing the server in an attacker, which seems like
an indirect strategy at best and may not necessarily yield the
correct model).
In our framework, the property can be directly stated
by combining our epistemic and spatial operators. A formula that
reflects such a
property is `pqK`

: first we state that the system can evolve
to a configuration where two of its subsystems ( and ) know
, but the remaining parts of the system do not. This illustrates
the expressiveness of the logic in terms of reasoning about the
knowledge of several parts of the complex system. Secondly,
we state that throughout all executions of the system,
a part of it will never know (`2`

indicates that there
must be two agents running with the part that does not know – a
precise definition is given in Section 3).
By combining spatial reasoning with
epistemic reasoning, we can state rich properties of the
knowledge of agents (and groups of agents) – both adversaries and principals – within a
complex system, and how they can share or restrict that knowledge over time.

While our framework is aimed at reasoning about closed systems, meaningful analyses of security protocols must necessarily consider attackers. Traditionally, attackers are modelled by an adversarial environment which interacts with the protocol. In our closed system approach, we develop a way internalizing an arbitrary attacker within a closed system by automatically (or semi-automatically) deriving a process representation of such an attacker. This representation makes use of special primitives built into the process calculus to greatly simplify the actual modelling of the attacker, to the extent that even if the attacker generation is done semi-automatically, it never requires us to actually encode specific attacks. In this work, we show that it is possible to automatically derive an attacker (behaving as a Dolev-Yao adversarial environment) for any finite protocol. To fully automate our technique (at the implementation level), further work is needed (as discussed in Section 4.1); the focus of the current paper being essentially on the expressiveness issues. In any case, we already provide tool support for arbitrary passive attackers and for bounded Dolev-Yao attackers (where the bound concerns the size of generated messages); this technique can already be used to automatically find attacks, eg., as illustrated in the example of Section 4.2.

The technical contributions of this work are as follows. We develop a process calculus model for security protocols (Section 2.2), inspired in existing -calculi, supporting explicit modeling of adversarial agents, at an adequate level of abstraction. We introduce a new dynamic spatial epistemic logic (Section 3), oriented for reasoning about spatial distribution of information. We develop a logic-based theory of knowledge deduction (Section 3.2) for our models, proved sound, complete and decidable. This presentation was used in our model-checking algorithms. We discuss attacker representations (Section 4.1), and how it is possible to produce a generic Dolev-Yao attacker for finite protocols. We also show how to model and verify correspondence assertions (Section 4.2) in our framework. Finally, we implemented a model-checking algorithm for the logic as an extension to the SLMC tool, producing the first proof of concept tool aimed at security protocol analysis using spatial logic model checking. The proofs of our technical results are detailed in [18].

## 2 Process Model

In this section we introduce our process model, starting with some preliminary notions on terms and equational theory and then introducing our process calculus.

### 2.1 Terms and Equational Theories

Data exchanged by processes is modeled by terms of a term algebra. In order to capture cryptographic operations and data structuring, we will consider term algebras with equational theories (cf. [3]).

We assume an infinite set of variables ranged over by , an infinite set of names ranged over by and range over terms with . Terms are defined from names and variables by applying function symbols. We thus consider a given term algebra to be defined from a signature and an equational theory that defines the “semantics” of the function symbols in . An equational theory is a congruence relation defined by a set of equations of form .

In certain circumstances, an equational theory may give rise to a set of rewrite rules by orienting each equation to produce the rule , in such a way that two terms are equal modulo whenever that have a common reduct under rewriting. This is the case of subterm convergent equational theories [2], which are the ones that we will focus on in this work (other equational theories, such as AC theories, can also be applied in this fashion, however with a slightly different formal treatment as detailed in [2]). A subterm convergent system is a convergent rewrite system in which in every rewrite rule the right-hand side is a proper subterm of the left-hand side. In this paper, we will assume a general rewrite theory subject to the conditions above. Given a rewrite rule , we call the outermost function symbol in a destructor, since the application of the rule may open the internal structure of inner terms in to produce the term . We classify the remaining function symbols, that never occur as a destructor, as constructors. For example, for signature and equational theory , is a destructor and a constructor. We range over constructors with and destructors with .

We denote the set of names of a term by and the depth of a term as (the depth is the length of the longest path in the tree representation of the term). We state that a term is ground if it does not contain variables. We denote by the usual congruence relation induced by the set of equations (which can be decided through term rewriting since is convergent). We write for the DY (Dolev-Yao) equational closure of a set of terms , that is, the set of all values (destructor-free terms) generated by terms of through function application, modulo the equational theory. This closure represents all possible information that may be produced from a set of terms while following the rules of the equational theory, which if we interpret a set of terms as a set of messages, is the usual notion of knowledge from the Dolev-Yao model.

###### Definition 2.1 (Equational Closure)

Given a rewrite theory , the DY equational closure of a set of terms , noted , is the least set of terms such that:

When interpreting the DY equational closure of a set of terms as obtainable knowledge, we can state knowledge derivation through term derivation.

###### Definition 2.2

(Knowledge Derivation). Given sets of terms and , we say that may be derived from (written ) if and only if .

The general idea is that one may can derive a piece of information if it can be generated by combining pieces of information using the rules of the equational theory. Given these basic notions relative to terms, equational theories, and knowledge derivation, we may now present our process calculus model.

### 2.2 Process Calculus

It is known that the high level of abstraction of the -calculus, convenient from a foundational perspective, is not suitable for modeling cryptographic techniques as necessary for analyzing security protocols.

We therefore adopt an extension to the -calculus that extends the base values of the language with functional terms (cf. Section 2.1), that can be seen as a fragment of the Applied -calculus [3]. We choose this calculus over the applied -calculus mainly for simplicity reasons, not requiring active substitutions nor frames given that our goal is to use our logic to observe terms.

We model cryptographic operations by defining such operations in a term algebra. The calculus is thus aimed at the explicit modeling of agents involved in security protocols, both principals and adversaries. Principals are modeled standardly, using terms to model cryptographic terms. Adversaries are modeled as processes (cf. Section 4.1) using the attacker output prefix - a non-deterministic output of terms that can be generated from known values, which enables reasoning directly about attacker knowledge using our logic.

###### Definition 2.3 (Processes)

Given a signature , an infinite set of names ranged over by , and an infinite set of variables ranged over by , the set of processes , of actions and of terms are defined in Fig. 2.

Before introducing the semantics of our calculus, we present some definitions that pertain to obtaining the relevant terms of a process that are necessary for our semantics.

A destructor function symbol denotes computation at the term level. If such computations are valid (under the equational theory), then the term containing the destructor can be rewritten as one that only has constructors. On the other hand, if such a term cannot be reduced (e.g ), it has no interesting meaning and has no place being communicated. To obtain the values (destructor free normal forms) of a process, we define a relation that extracts the set of values that occur in a process (). However, some care is needed in the definition of since a term may contain bound names or variables. For instance, in the process , the term is not a proper value since it contains the variable . In these situations, our extraction has to be such that it will produce a set containing but not (nor ). Similarly, when we consider the terms that are to be the object of our attacker output, while it is true that outputting a term containing a variable would be senseless, it is correct to output a term that contains a restricted name, even though the attacker may not be able to use the name in other messages.

To take all this into account, we define a procedure that extracts the relevant subterms (not containing variables or destructors) of a term, and a procedure used to eliminate terms with restricted names.

###### Definition 2.4 (Relevant Subterms)

Given a term we define the set of its relevant subterms, written , by the rules of Fig. 3.

###### Definition 2.5 (Name Occurrence Term Removal)

We define the removal of terms from a set in which the name occurs, , as: .

###### Definition 2.6 (Relevant Term Extraction)

Given a process , the set of relevant terms of , written , is defined by the rules of Fig. 4.

For our attacker output we collect all ground terms that occur in the process, which we denote by .

The semantics of our calculus are defined standardly, modulo -conversion of bound names and variables, by a structural congruence relation, labelled transition and reduction, as follows. We denote by and the set of free-names and free-variables of process , respectively.

###### Definition 2.7 (Structural Congruence)

Structural congruence is the least congruence relation on processes defined by the rules of Fig. 5.

We augment the standard structural congruence laws of the -calculus with rules that equate processes modulo the equality of the equational theory. These laws are essential in our semantics because they allow us to block processes performing actions that use terms that are not values (i.e. terms that contain destructors).

Our semantics, which we now present, capture these destructor freedom conditions. If a process is attempting to use a term that contains a destructor, we use structural congruence to rewrite the term destructor-free and reduction proceeds. If the term cannot be rewritten destructor-free, reduction halts. These restrictions ensure that all received terms are actual values, and not some arbitrary erroneous term. Note the semantics of our attacker output, expressed in the Attacker rule, that enable the output to emit any message that can be generated by the process, given its ground terms and some fresh values.

###### Definition 2.8 (Reduction Semantics)

The reduction relation over closed processes is defined as the least relation closed under the rules of Fig. 6.

###### Definition 2.9 (Labelled Transition Semantics)

The labelled transition relation is the least relation on closed processes closed under the rules of Fig. 7.

Our labelled semantics is not intended to characterize a complete notion of behavioral equivalence as could be expected, but rather to allow the observation of actions in our logic. Despite not belonging to the scope of this work, we can point out that our labelled semantics do not allow for a complete characterization of behavioral equivalence, in the sense that our rules reveal information in a way that induces a higher discriminative power then that of behavioral equivalence.

## 3 Logic

Considering it is common to reason about security by reasoning about the knowledge of principals, we explore key aspects of dynamic spatial logics, such as local reasoning, to develop a logic that can reason about epistemic, dynamic and spatial properties of agents.

We propose an extension to a dynamic spatial logic [8] to enable reasoning at the term level. Our extension consists of adding two epistemic modalities: denotes the ability of an agent to derive from its knowledge, and allows us to mention values that are only known by an agent (e.g. secrets). Our intent is to couple the ability to reason about properties of space and behavior with that of reasoning about derivable information modulo the equational theory. Our notion of knowledge is therefore the ability of an agent to derive terms from the information it possesses.

### 3.1 Syntax and Semantics

The syntax and semantics of our logic are presented in Fig. 8.

We refer to as knowledge formulas and ambivalently use to denote both knowledge formulas and finite sets of terms. The boolean connectives are standard. denotes the empty process; denotes a process that can be partitioned in two components, one satisfying and the other satisfying ; allows us to mention restricted names of processes in formulas; denotes a process can perform action and continue as a process satisfying ; and denote “always in the future” and “sometime in the future”, respectively. holds of a process that has the ability to derive the terms denoted by , that is, the ability to know ; holds of a process that satisfies property that depends on a value that is secret to a process – a term containing a restricted name. It is also useful to define an auxiliary counting predicate (written as , where is a natural number), that allows us to count the number of sub-processes within a process. For instance, a process consisting of a single thread would satisfy the formula defined as , while a process consisting of two sub-processes would satisfy the formula defined as , and so on.

With this logic, we can state properties about the knowledge of agents (and not only adversarial ones) over time, such as “it is never the case that the secret key is known by 3 subsystems”:

or “it is always the case that 2 agents know the key and one does not”: . Since the semantics of our logic blur together processes that are structurally congruent (e.g. and ), we can use the free-name predicate to “tag” specific subsystems and reason about their knowledge explicitly: which denotes “it is always the case that an agent with the free name tag knows the key” (this subsumes the need for an indexed knowledge operator such as that in [16]).

Notice how the expressiveness of the logic arises from the ability to combine the three types of modalities: dynamic (), spatial () and epistemic (). The dynamic connectives allow us to range over a specific execution or all possible executions, the spatial connectives allow us to mention restricted names (usually used to model keys and nonces) and to refer to subsystems, and the epistemic connectives allow us to analyze derivable terms of a process.

The semantics for pose a challenge in the sense that they use the notion of knowledge derivation from Section 2.1. While this definition is adequate from a semantic perspective, it makes use of the DY equational closure of a set which is not stable by reduction of terms, and thus doesn’t provide a clear way of algorithmically determining if . We approach the problem with a purely logical approach and characterize knowledge derivation with a structural proof system for knowledge formulas, unlike the approach of [2].

### 3.2 Proof System for Knowledge Formulas

Our proof system, formulated as a sequent calculus, is equipped with rules from the equational theory in order to consider the ability to combine terms to generate new information. Each rule of our calculus represents a possible computational step that an agent can perform on terms to produce a new term. Intuitively, if a sequent is derivable, the knowledge formula is deducible from the knowledge represented by .

###### Definition 3.1 (Proof System K for Knowledge Formulas)

The sequent calculus formulation of our proof system for knowledge formulas is defined by the rules of Fig. 9.

For every constructor function symbol with arity n, such that :

For every equation :

The rules for identity and conjunction are standard. Rule funRight states that we are justified in concluding a complex term if we can derive its subterms. Rule AttLeft states that all that can be derived from a complex term can also be derived from its subterms; rule DestrLeft reflects the equalities of the equational theory: what can be deduced from can also be deduced from terms equal to under the equational theory.

For the sequent calculus , we establish the results of soundness, completeness and decidability.

###### Theorem 3.2 (Soundness of K)

Given a set of terms S and a term , if then .

Proof: By induction on the derivation of \qed

###### Theorem 3.3 (Completeness of K)

Given a set of terms S and a term , if then .

###### Theorem 3.4 (Decidability of K)

For any set of terms S and term , is decidable.

The proofs of completeness and decidability rely on a finite approximation result for the DY equational closure of a set of terms. More concretely, for each finite set of terms and equational theory, it is possible to build a finite set from which all terms in the DY equational closure of may be determined.

###### Proposition 3.5 (Approximation of )

Let be a finite set of terms. We may construct in polynomial time an approximation to , named , a finite set with the following property:

where is a functional context solely built out of constructors.

Proof:
The finite approximation is built from the terms of by interpreting the
rewrite rules of the theory as contexts of a bounded size.
Therefore, applying
function symbols to terms of up to the bound of the context
produces a new term by then applying the rewrite rule.
This procedure is iterated, eventually reaching a fix-point, due to the subterm
convergency property of the equational theories (the idea is that each time
we produce a new term, the term will be smaller then the terms
used to generate it). The resulting computable set has the
property that defines our approximation [18]. \qed

The approximation is such that all terms of can be built from terms of just by applying constructors, no longer requiring the equations from the theory. Completeness follows from the fact that our proof system is able to emulate the computation steps required to generate the approximation. Given a set of terms , is generated by applying functions to terms of , applying a rewrite rule to the resulting term and iterating. Thus, our proof system is complete since the computation steps of may be emulated by the rules of proof system K, and we may then apply function symbols to terms of to produce terms of . The latter is trivial due to funRight and AttLeft. The former we prove through the following lemma.

###### Lemma 3.6

(Completeness of K i.r.t the Approximation).
Given a set of terms ,if then .

Proof:
Through instances of AttLeft it is possible to apply
functions to terms of up to the bound of the context used in .
Through an instance of DestrLeft the corresponding rewrite rule can applied,
and through Id the new term is derived at the root of the proof tree [18].\qed

To emulate the iteration with the proof system, that is, to perform similar computations with and the new term, the auxiliary result of reasoning with cuts is required.

###### Lemma 3.7

(Cut Admissibility in K).
If and then .

Proof: See [18].

Using Cut, the proof system is able to emulate the iterative procedure by building the previously described proof tree that allows the derivation of a new term, and using the new term as the cut formula. This technique can then be applied to produce any term of , as required. Since the computation of always terminates, Theorem 3.4 holds.

### 3.3 Model-Checking

We know that model-checking is decidable for the logic without the new modalities [8], for the class of bounded processes. Therefore, we need only show that our two modalities preserve decidability.

###### Proposition 3.8 (Decidability of model-checking )

Let be a finite set of terms. Checking that is decidable.

The above proposition holds since for any process it is possible to collect its set of relevant terms (), compute the finite approximation and check that each term in can be constructed from terms of by application of constructors.

###### Proposition 3.9 (Decidability of model-checking )

Checking that is decidable.

Decidability of follows from the fact that if , it is possible to collect the set of relevant terms of process Q, pick some term from that contains the name and check that . Given that model-checking the core logic with is decidable, it follows that checking is decidable and therefore model-checking for our logic is decidable for the class of bounded processes.

###### Theorem 3.10 (Decidability of Model-Checking)

Checking that is decidable for the class of bounded processes.

## 4 Expressiveness and Extensions

Having presented our framework, we discuss some extensions to our work that can be used to model and analyze systems. In particular, we discuss the representation of attackers and modeling and verification of correspondence assertions [19] in our framework.

### 4.1 Modeling Attackers

To analyze a security protocol one usually needs to consider how it behaves in any possible environment. While our logic focuses on the analysis of closed systems, it is possible to verify properties of a system in an arbitrary environment, by internalizing an arbitrary attacker in the system. The general idea is that, for any process , we may determine a process (making essential use of the attacker prefix construct) such that reaches some state whenever reaches an equivalent state when placed in an arbitrary environment. While the explicit specification of an attacker for a given protocol may not be easy, our approach to represent the attacking environment is quite different and general, and may indeed be used to find attacks (see example in Section 4.2). We can generically model a Dolev-Yao [13] attacker in our framework by considering the number of message exchanges and the communication channels used in a protocol.

Considering an arbitrary protocol modeled as a process, the role of an attacker is to intercept all communications of the principals and be able to inject any message it can produce, given its knowledge at the time, at any point where a principal expects to receive a message (cf. our attacker output). Thus, a Dolev-Yao attacker consists of a process that for all outputs of the protocol performs an input (storing the received message) and for all inputs performs an attacker output. For instance, consider the following protocol, where is a shared key, a fresh value and a session key generated by :

In our process model, such a protocol would be represented as done in Fig. 10 (we omit the signature and equational theory).

An attacker for this protocol, following our attacker schema is presented in Fig. 11. We can then state that it is never the case that the attacker can know one of the keys used in the protocol.

While some minor effort of representing an attacker is necessary, we can easily represent a generic attacker for a protocol by following a pre-determined schema.

We currently only consider finite protocols, modeled as processes in our calculus that use a communication channel as their communication medium (written ). We have not pursued infinite protocols as of yet, but we believe it to possible to extend our approach to infinite protocols by defining the attacker as a recursive process with a parallel store (that is used to store the messages of the protocol). To analyze such a system, we would then employ recursive formulas by using the fixpoint operators of the logic.

Our attacker for finite protocols is defined as follows: For each output on , the attacker performs an input on (and stores the message). For each input on , the attacker performs an attacker output.

###### Definition 4.1 (Attacker Generation Procedure)

Given a process that models a finite protocol, the set that tracks the attacker memory, an attacker for can be generated by procedure defined in Fig. 12 ( and are fresh in and the attacker).

The generation procedure produces the necessary actions by inspection of the process dynamics: if an output can occur in the process, the attacker intercepts the message and memorizes it; if an input can occur in the process, the attacker injects any message it can produce from its knowledge; in the case where the protocol has no more actions, we represent the attacker memory with an output , modeling the attacker’s memory throughout the protocol run. We thus show how an attacker can be extracted by inspection of the considered protocol. We can show that this attacker is general in our framework, in the sense that it can simulate the behavior expected from an adversarial medium (c.f. Dolev-Yao attacker). Note that this result does not yet fully apply to our tool implementation, as we discuss later in this section.

###### Definition 4.2 (K-Set)

Given a process , we define its K-Set , the set of all terms known by as:

###### Theorem 4.3 (Monotonicity of K-Sets under Synchronization)

Let and be a processes such that and . We have that .

We begin with the K-Set of a process, the set of all terms known by the process that we observe in our logic, and we show that the evolution of arbitrary processes’ K-Sets through synchronization is monotonic: the resulting process’ knowledge will be a subset of the initial process’ knowledge, plus any received messages. We state a similar property of our generated attacker’s K-Set. Over time, the attacker’s K-Set captures all messages exchanged in the protocol.

###### Theorem 4.4 (Monotonicity of Attacker Storage)

Let and be processes such that

,
and .
We have that .

Our Attacker Simulation (Lemma 4.5) and Process Knowledge (Lemma 4.6) lemmas provide some insight on the expressiveness of our attacker. Lemma 4.5 shows that a generated attacker, can obtain as much knowledge as an arbitrary process interacting with a finite protocol. Lemma 4.6 states a similar property, regarding the knowledge a finite protocol may obtain while interacting with our attacker.

###### Lemma 4.5 (Attacker Simulation)

Let and be processes.

If and with
then such that

and and
.

###### Lemma 4.6 (Process Knowledge)

Let , be processes and a knowledge formula.

If and with
then such that
and .

Furthermore, from Lemma 4.6 follows that, in our logic, a finite protocol interacting with an arbitrary process is indistinguishable from one interacting with our attacker. Combining these results, we can show that our attacker can behave as one would expect of an adversarial Dolev-Yao agent.

###### Theorem 4.7 (Preservation of Satisfaction)

Let and be processes and any formula. If

and with
then such that
and .

Notice that this result follows from the fact that message size for the attacker output prefix is unbounded. Our implementation currently bounds the generated message, to ensure tractability, and thus sacrificing completeness. However, as shown in [17], it is possible to compute a finite bound on the message size required to find an attack. The implementation of this result we leave for future work. It is anyway important to note that our method is already sound and complete for passive attackers, even for the case of non finite processes (eg. we may consider any finite control system, or bounded in the sense of [8]).

### 4.2 Modeling Correspondence Assertions

Correspondence assertions are a technique for verifying authentication properties in protocols [19]. The idea is that the model of each principal in a protocol is refined with begin/end events, named correspondence assertions, at each stage of an authentication procedure. Authentication will be established if, for every run of the protocol, all end events for each stage are preceded by a matching begin event. To illustrate the idea, consider the following protocol:

Principals and share a symmetric key , is a fresh value and is a one-way hash function. When B receives it asserts the beginning of the run of the protocol. sends message so that can verify the freshness of the run, by comparing the received value with its own hash of . If the test succeeds, asserts the reception of and the end of the run. To check correspondence, one has to check that every run of the protocol, in the presence of an adversary, would be such that ’s end assertion is always preceded by ’s begin assertion, that is, only ends if was involved in the protocol.

Using our framework, we can model correspondence assertions by
representing the assertion as an output on a channel that is
irrelevant to the protocol, and then observing the existence of such
outputs with our logic. For instance, our example could be modeled as
done in Fig. 13 (note the `attacker_depth`

parameter set to 2 due to the size of the second message). We can also
successfully handle the case where we consider a faulty system that
leaks to the attacker (and thus correspondence does not hold), as
presented in Fig. 14.

## 5 Concluding Remarks and Related Work

In this paper we have introduced a dynamic spatial epistemic logic for a variant of the applied -calculus aimed at reasoning about security protocols. We explore the application of spatial and epistemic reasoning to the several agents involved in a security protocol, be they principals or adversaries. In our work, we can reason about the knowledge of the several agents of a protocol and how it can evolve over time. Model-checking for the logic is shown to be decidable for an interesting class of processes and cryptographic primitives.

Our framework allows an interesting degree of freedom in the analyses it can perform, not only allowing one to reason directly about knowledge of principals and attackers but also enabling reasoning with correspondence assertions, which is an important addition to the range of available techniques. Moreover, our internalization of attackers, which does not require a complete behavioral specification, is able to accurately emulate the behavior of a Dolev-Yao attacker, enabling reasoning about the dynamics and knowledge of such an attacker.

Finally, the decidability result for our logic allowed us to implement a model-checking algorithm as a proof of concept extension to the SLMC tool. The main difference between the tool and the theory is that our attacker outputs are parametrized with a maximum message size, to bound the state space. This is the main limitation of the current version of our tool, since it does not yet fully capture the expressiveness of our attacker modeling, given that our results employ a more powerful version of the attacker output.

Overall, we have produced an interesting framework for protocol analysis, the first employing dynamic spatial logics. enabling a very natural (yet precise) way of reasoning about security protocols, all the while allowing reasoning with previously established techniques. Note, however, that our tool is merely a proof of concept of the developed framework, not aimed to compete with more mature tools for protocol analysis such as Avispa [5], Scyther [10], Casper [14] or ProVerif [6]. The main point of divergence of our approach and the ones mentioned before is that instead of mainly focusing on a set of built-in properties, we focus on a generic property language (our logic) and explore its expressiveness.

In terms of related logics, Kremer et al. [9] have proposed an epistemic logic for the applied -calculus. However, their logic lacks the ability to reason about spatial properties, which is a key element in allowing reasoning about individual agents. Their epistemic modalities focus solely on attacker knowledge, not allowing one to state a property such as that of our introductory example where we care about the knowledge of the attacker but also of the agents within the system.

Another closely related logic is Datta et al.’s PCL [11]. PCL is a well established protocol analysis logic that allows one to verify properties of protocols modelled in a CCS style calculus by reasoning about events that occur in traces of the protocol run. While we focus on the combined reasoning about knowledge and spatial distribution of a protocol, PCL is designed to reason about the composition of several protocols and thus its analyses are more sophisticated than ours (reasoning about invariants in the protocol composition interleavings).

Mardare and Priami have also proposed a dynamic epistemic spatial logic [16] without the issues of security in mind. Their logic is hence substantially different from ours, interpreting knowledge as the possibility of observing actions of other processes and not as the ability to know some piece of information. Being based on CCS, such an approach is not suitable for reasoning about the flow of messages within a system, which is one of our main goals.

For future work we wish to further study the problem of attacker representations, aiming at an expressiveness result along the lines of Theorem 4.6 that does not require the attacker to be able to produce a message of an arbitrary size (this should follow from the result of [17]). This result will be key in removing the previously discussed limitation of our tool.

#### Acknowledgments

The first author acknowledges support for this research provided by the Fundação para a Ciência e a Tecnologia through the Carnegie Mellon Portugal Program under Grant SFRH / BD / 33763 / 2009. We thank Mário Pires and Pedro Adão for their interesting comments on some version of this work. We also acknowledge the anonymous reviewers for their comments and suggestions.

## References

- [1]
- [2] Martín Abadi & Véronique Cortier (2006): Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci. 367(1), pp. 2–32.
- [3] Martín Abadi & Cédric Fournet (2001): Mobile values, new names, and secure communication. In: POPL ’01: Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, ACM, New York, NY, USA, pp. 104–115.
- [4] Martín Abadi & Andrew D. Gordon (1997): A calculus for cryptographic protocols: the spi calculus. In: CCS ’97: Proceedings of the 4th ACM conference on Computer and communications security, ACM, New York, NY, USA, pp. 36–47.
- [5] A. Armando, David A. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuéllar, P. H. Drielsma, P.-C. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò & L. Vigneron (2005): The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: CAV, pp. 281–285. Available at http://dx.doi.org/10.1007/11513988_27.
- [6] Bruno Blanchet (2001): An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), IEEE Computer Society, Cape Breton, Nova Scotia, Canada, pp. 82–96.
- [7] Michael Burrows, Martin Abadi & Roger Needham (1990): A logic of authentication. ACM Trans. Comput. Syst. 8(1), pp. 18–36.
- [8] Luis Caires (2004): Behavioral and Spatial Observations in a Logic for the Pi-Calculus. FoSSaCS 2004 .
- [9] Rohit Chadha, Stéphanie Delaune & Steve Kremer (2009): Epistemic Logic for the Applied Pi Calculus. In: D. Lee, A. Lopes & A. Poetzsch-Heffter, editors: Proceedings of IFIP FMOODS/FORTE’09, Lecture Notes in Computer Science, Springer, pp. 182–197.
- [10] C.J.F. Cremers (2008): The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In: Computer Aided Verification, 20th International Conference, CAV 2008, Princeton, USA, Proc., Lecture Notes in Computer Science 5123/2008, Springer, pp. 414–418.
- [11] Anupam Datta, Ante Derek, John C. Mitchell & Arnab Roy (2007): Protocol Composition Logic (PCL). Theor. Comput. Sci. 172(1-3), pp. 311–358.
- [12] Dorothy E. Denning & Giovanni Maria Sacco (1981): Timestamps in key distribution protocols. Commun. ACM 24(8), pp. 533–536.
- [13] Danny Dolev & Andrew C. Yao (1981): On the security of public key protocols. Technical Report, Stanford University, Stanford, CA, USA.
- [14] Gavin Lowe (1998): Casper: A Compiler for the Analysis of Security Protocols. In: Journal of Computer Security, Society Press, pp. 53–84.
- [15] Étienne Lozes & Jules Villard (2008): A Spatial Equational Logic for the Applied -Calculus. In: CONCUR ’08: Proceedings of the 19th international conference on Concurrency Theory, Springer-Verlag, Berlin, Heidelberg, pp. 387–401.
- [16] Radu Mardare & Corrado Priami (2006): Dynamic Epistemic Spatial Logic. Technical Report, Center for Computational and Systems Biology, University of Trento.
- [17] Michaël Rusinowitch & Mathieu Turuani (2003): Protocol insecurity with a finite number of sessions and composed keys is NP-complete. Theor. Comput. Sci. 299(1-3), pp. 451–475.
- [18] Bernardo Toninho & Luis Caires (2009): A Spatial-Epistemic Logic and Tool for Reasoning about Security Protocols. Technical Report, Departamento de Informática, FCT/UNL.
- [19] Thomas Y. C. Woo & Simon S. Lam (1993): A Semantic Model for Authentication Protocols. In: SP ’93: Proceedings of the 1993 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, p. 178.