
HAL Id: hal-01824820

https://hal.inria.fr/hal-01824820

Submitted on 27 Jun 2018


Relating Process Languages for Security and Communication Correctness (Extended Abstract)

Daniele Nantes, Jorge Pérez

To cite this version:

Daniele Nantes, Jorge Pérez. Relating Process Languages for Security and Communication Correctness (Extended Abstract). 38th International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE), Jun 2018, Madrid, Spain. pp. 79-100, doi:10.1007/978-3-319-92612-4_5. hal-01824820.


Relating Process Languages for Security and Communication Correctness (Extended Abstract)

Daniele Nantes (1) (ORCID 0000-0002-1959-8730) and Jorge A. Pérez (2) (ORCID 0000-0002-1452-6180)

(1) Universidade de Brasília, Brazil
(2) University of Groningen & CWI, Amsterdam, The Netherlands

Abstract. Process calculi are expressive specification languages for concurrency. They have been very successful in two research strands: (a) the analysis of security protocols and (b) the enforcement of correct message-passing programs. Despite their shared foundations, languages and reasoning techniques for (a) and (b) have been separately developed. Here we connect two representative calculi from (a) and (b): we encode a (high-level) π-calculus for multiparty sessions into a (low-level) applied π-calculus for security protocols. We establish the correctness of our encoding, and we show how it enables the integrated analysis of security properties and communication correctness by re-using existing tools.

1 Introduction

This paper connects two distinct formal models of communicating systems: a process language for the analysis of security protocols [12], and a process language for session-based concurrency [9,10]. They are representative of two separate research strands:

(a) Process models for security protocols, such as [12] (see also [7]), rely on variants of the applied π-calculus [1] to establish properties related to process execution (e.g., secrecy and confidentiality). These models support cryptography and term passing, but lack support for high-level communication structures.

(b) Process models for session-based communication, such as [10] (see also [11]), use π-calculus variants equipped with type systems to enforce correct message-passing programs. Security extensions of these models target properties such as information flow and access control (cf. [2]), but usually abstract away from cryptography.

We present a correct encoding that connects two calculi from these two strands:

- A, a (low-level) applied π-calculus in which processes explicitly describe term communication, cryptographic operations, and state manipulation [12];

- S, a (high-level) π-calculus in which communication actions are organized as multiparty session protocols [10,5].

Our aim is to exploit the complementary strengths of A and S to analyze communicating systems that feature high-level communication structures (as in session-based concurrency [9,10]) and use cryptographic operations and global state in protocol exchanges.

Our encoding of S into A describes how the structures typical of session-based, asynchronous concurrency can be compiled down, in a behavior-preserving manner, as process implementations in which communication of terms takes place exploiting rich equational theories and global state. To our knowledge, ours is the first work to relate process calculi for the analysis of communication-centric programs (S) and of security protocols (A), as developed in disjoint research strands.

* Work partially funded by FAP-DF 0193.001381/2017.

We believe our results shed light on both (a) and (b). In one direction, they define a new way to reason about multiparty session processes. Process specifications in S can now integrate cryptographic operations and be analyzed by (re)using existing methods. In fact, since A processes can be faithfully translated into multiset rewriting rules using SAPIC [12] (which can in turn be fed into the Tamarin prover [14]), our encoding bridges the gap between S processes and toolsets for the analysis of security properties:

    Session π-calculus (S): high-level protocol structures
        |
        |  this paper
        v
    Applied π-calculus (A): term passing / global state
        |
        |  SAPIC [12]
        v
    Multiset rewrite rules (input to Tamarin [14])

Interestingly, this connection can help to enforce communication correctness: we show how SAPIC/Tamarin can check local formulas representing local session types [10].

In the other direction, our approach allows us to enrich security protocol specifications with communication structures based on sessions. This is relevant because the analysis of security protocols is typically carried out on models such as, e.g., Horn clauses and rewriting rules, which admit efficient analysis but lead to too low-level specifications. Our developments fit well in this context, as the structures intrinsic to session-based concurrency can conveniently describe communicating systems in which security protocols appear intertwined with higher-level interaction protocols.

The rest of the paper is organized as follows. §2 introduces the Two-Buyer Contract Signing Protocol, a protocol that is representative of the kind of systems that are hard to specify using S or A alone. §3 recalls the definitions of S and A, and also introduces S?, a variant of S that is useful in our developments. §4 defines the encoding of S into A, using S? as a stepping stone, and establishes its correctness (Theorems 1, 2, and 3). §5 shows how our encoding can be used to reduce the enforcement of protocol conformance in S to the model checking of local formulas for A (Theorems 4 and 5). §6 revisits the Two-Buyer Contract Signing Protocol: we illustrate its process specification using S minimally extended with constructs from A, and show how key correctness properties can be mechanically verified using SAPIC/Tamarin. The paper closes by discussing related work and collecting concluding remarks (§7). Additional technical material and further examples are given in an appendix available online [15].

2 A Motivating Example: The Trusted Buyers-Seller Protocol

The Trusted Buyers-Seller Protocol extends the Two-Buyer Protocol [10], and proceeds in two phases. The first phase follows the global session type in [10], which offers a unified description of the way in which two buyers (B1 and B2) interact to purchase a book from a seller (S). In the second phase, once B1 and B2 agree on the terms of the purchase, the role of S is delegated to a trusted third party (T), which creates a contract for the transaction and collects the participants' signatures. This second phase relies on the contract signing protocol [8], which may resolve conflicts (due to unfulfilled promises from B1 and B2) and abort the conversation altogether. In this protocol, one key security property is authentication, which ensures that an attacker cannot impersonate Bi, S, or T. Relevant properties of communication correctness include fidelity and safety: while the former ensures that processes for Bi, S, and T follow the protocols specified by global/local types, the latter guarantees that such processes do not get into errors at runtime. The protocol is illustrated in Fig. 1 and described next:

[Fig. 1. The Trusted Buyers-Seller Protocol. Sequence diagram with participants Buyer1, Buyer2, Seller and T: NSL runs NSL_12, NSL_1S and NSL_ST establish the sessions [INIT]_s and [INIT]_s'; first-phase messages <Item>, <quote>, <quote'> and <ok>; contract signing phase with <contract>, <promise1>, <promise2>, <signature1>, <signature2> and success; finally <Address> and <date>.]

First Phase. B1, B2, and S start by establishing a session, after executing the Needham-Schroeder-Lowe (NSL) authentication protocol. Subsequently, they interact as follows:

1. B1 sends the book title to S. Then, S replies back to both B1 and B2 the quote for the title. Subsequently, B1 tells B2 how much he can contribute.

2. If the amount is within B2's budget, then he accepts to perform the transaction, informs B1 and S, and awaits the contract signing phase. Otherwise, if the amount offered by B1 is not enough, B2 informs S and B1 of his intention to abort the protocol.

3. Once B1 and B2 have agreed upon the purchase, S will delegate the session to the trusted party T, which will lead the contract signing phase. Upon completion of this phase, S (implemented by T) sends B1 the delivery date for the book.

Second Phase. At this point, the trusted authority T, B1, and B2 interact as follows:

4. T creates a new contract ct and a new memory cell s, useful to record information about the contract. T sends the contract ct to B1 and B2 for them to sign. T can start replying to the following requests: success (in case of successful communication), abort (request to abort the protocol), or resolve (request to solve a conflict).

5. Upon reception of contract ct from T, B1 sends to B2 his promise to sign it. Subsequently, B1 expects to receive B2's promise:

• If B1 receives a valid response from B2, his promise is converted into a signature (<signature1>), which is sent back. Now, B1 expects to receive a valid signature from B2: if this occurs, B1 sends to T a success message; otherwise, B1 sends T a resolve request, which includes the promise by B2 and his own signature.

• If B1 does not receive a valid promise from B2, then B1 asks T to cancel the purchase (an abort request), including his own promise (<promise1>) in the request.

6. Upon reception of contract ct from T, B2 checks whether he obtained a valid promise from B1; in that case, B2 replies by sending his promise to sign it (<promise2>). Now, B2 expects to receive B1's signature on ct: if the response is valid, B2 sends its own signature (<signature2>) to B1; otherwise, B2 asks T to resolve. If B2 does not receive a valid promise, then it aborts the protocol.

Clearly, S and A offer complementary advantages in modeling and analyzing the Trusted Buyers-Seller Protocol. On the one hand, S can represent high-level structures that are typical in the design of multiparty communication protocols. Such structures are essential in, e.g., the exchanges that follow session establishment in the first phase (which involves a step of session delegation to bridge with the second phase) and the handling of requests success, abort and resolve in the second phase. Hence, S and its type-based verification techniques can be used to establish fidelity and safety properties. However, S is not equipped with constructs for directly representing cryptographic operations, as indispensable in, e.g., the NSL protocol for session establishment and in the exchanges of signatures/promises in the contract signing phase. The lack of these constructs prevents the formal analysis of authentication properties. On the other hand, A compensates for the shortcomings of S, for it can directly represent cryptographic operations on exchanged messages, as required to properly model the contract signing phase and, ultimately, to establish authentication. While A can represent the high-level communication structures mentioned above, it offers a too low-level representation of them, which makes reasoning about fidelity and safety more difficult than in S.

Our encoding from S into A, given in §4, will serve to combine the individual strengths of both languages. In §6, we will revisit this example: we will give a process specification using an extension of S with some constructs from A. This is consistent, because A is a low-level process language, and our encoding will define how to correctly compile S down to A (constructs from A will be treated homomorphically). Moreover, we will show how to use SAPIC/Tamarin to verify that implementations for B1, B2, S, and T respect their intended local types.

3 Two Process Models: A and S

3.1 The Applied π-calculus (A)

Preliminaries. As usual in symbolic protocol analysis, messages are modelled by abstract terms (t, t', ...). We assume a countably infinite set of variables V, a countably infinite set of names N = PN ∪ FN (FN for fresh names, PN for public names), and a signature Σ (a set of function symbols, each with its arity).

$M, N ::= x, y \mid p \mid n \mid f(M_1, \dots, M_n)$ $\quad (f \in \Sigma)$

$P, Q ::= 0 \mid \mathsf{out}(M, N); P \mid \mathsf{in}(M, N); P \mid P \mid Q \mid\ !P \mid \nu n; P$
$\quad \mid \mathsf{insert}((M, N)); P \mid \mathsf{delete}\ M; P \mid \mathsf{lookup}\ M\ \mathsf{as}\ x\ \mathsf{in}\ P\ \mathsf{else}\ Q$
$\quad \mid \mathsf{lock}\ M; P \mid \mathsf{unlock}\ M; P \mid \mathsf{event}\ F; P \mid \mathsf{if}\ M = N\ \mathsf{then}\ P\ \mathsf{else}\ Q$

Table 1. Syntax of A: terms and processes.

We denote by $T_\Sigma$ the set of well-sorted terms built over Σ, N, and V. The set of ground terms (i.e., terms without variables) is denoted $M_\Sigma$. A substitution is a partial function from variables to terms. We denote by $\sigma = \{t_1/x_1, \dots, t_n/x_n\}$ the substitution whose domain is $Dom(\sigma) = \{x_1, \dots, x_n\}$. We say σ is grounding for t if tσ is ground. We equip the term algebra with an equational theory $=_E$, which is the smallest equivalence relation containing the identities in E, a finite set of pairs of the form M = N where $M, N \in T_\Sigma$, that is closed under application of function symbols, renaming of names, and substitution of variables by terms of the same sort. Furthermore, we require E to distinguish different fresh names, i.e., $\forall a, b \in FN: a \neq b \Rightarrow a \neq_E b$.

Given a set S, we write $S^*$ and $S^\#$ to denote the sets of finite sequences of elements and of finite multisets of elements from S. We use the superscript # to annotate the usual multiset operations, e.g., $S_1 \cup^\# S_2$ denotes the union of multisets $S_1, S_2$. Application of substitutions is extended to sets, multisets, and sequences as expected.

The set of facts is $\mathcal{F} := \{F(t_1, \dots, t_k) \mid t_i \in T_\Sigma, F \in \Sigma_{fact}\ \text{of arity}\ k\}$, where $\Sigma_{fact}$ is an unsorted signature, disjoint from Σ. Facts will be used to annotate protocols (via events) and to define multiset rewrite rules. A fixed set of fact symbols will be used to encode the adversary's knowledge, freshness information, and the messages on the network. The remaining fact symbols are used to represent the protocol state. For instance, the fact K(m) denotes that m is known by the adversary.

Syntax and Semantics. The grammar for terms (M, N) and processes (P, Q), given in Table 1, follows [12]. In addition to the usual operators for concurrency, replication, and name creation, the calculus A inherits from the applied π-calculus [1] input and output constructs in which terms appear both as communication subjects and objects. Also, A includes a conditional construct based on term equality, as well as constructs for reading from and updating an explicit global state:

- insert((M, N)); P first binds the value N to the key M and then proceeds as P. Successive inserts may modify this binding; delete M; P simply "undefines" the mapping for the key M and proceeds as P.

- lookup M as x in P else Q retrieves the value associated to M, binding it to variable x in P. If the mapping is undefined for M, then the process behaves as Q.

- lock M; P and unlock M; P gain and release exclusive access to a resource/key M, respectively, and proceed as P afterwards. These operations are essential to specify parallel processes that may read/update a common memory.

Moreover, the construct event F; P adds $F \in \mathcal{F}$ to a multiset of ground facts before proceeding as P. These facts will be used in the transition semantics for A, which is defined by a labelled relation between process configurations of the form $(E, S, P, \sigma, L)$, where: P is a multiset of ground processes representing the processes executed in parallel; $E \subseteq FN$ is the set of fresh names generated by the processes; $S : M_\Sigma \to M_\Sigma$ is a partial function modeling stored information (state); σ is a ground substitution modeling the messages sent to the environment; and $L \subseteq M_\Sigma$ is the set of currently acquired locks. We write $S(M) = \bot$ to denote that there is no information stored for M in S. Also, the notation $L \setminus M$ stands for the set $L \setminus \{M' \mid M' =_E M\}$.

$\dfrac{a \in (FN \cup PN) \setminus \tilde n}{\nu\tilde n.\sigma \vdash a}$ [Name]

$\dfrac{x \in Dom(\sigma)}{\nu\tilde n.\sigma \vdash x\sigma}$ [Frame]

$\dfrac{\nu\tilde n.\sigma \vdash t \qquad t =_E t'}{\nu\tilde n.\sigma \vdash t'}$ [Eq]

$\dfrac{\nu\tilde n.\sigma \vdash t_1 \ \cdots\ \nu\tilde n.\sigma \vdash t_n \qquad f \in \Sigma}{\nu\tilde n.\sigma \vdash f(\tilde t)}$ [App]

Table 2. Deduction rules for A. In Rule [App], $\tilde t = (t_1, \dots, t_n)$.

We also require the notions of frame and deduction relation. A frame $\nu\tilde n.\sigma$ consists of a set of fresh names $\tilde n$ and a substitution σ: it represents the sequence of messages that have been observed by an adversary during a protocol execution and the secrets $\tilde n$ generated by the protocol, a priori unknown to the adversary. The deduction relation $\nu\tilde n.\sigma \vdash t$ models the adversary's ability to compute new messages from observed ones: it is the smallest relation between frames and terms defined by the rules in Table 2.

Transitions are of the form $(E, S, P, \sigma, L) \xrightarrow{F}_A (E', S', P', \sigma', L')$, where F is a set of ground facts (see Table 3). We write $\to_A$ for $\xrightarrow{\emptyset}_A$ and $\xrightarrow{f}_A$ for $\xrightarrow{\{f\}}_A$. As usual, $\to^*_A$ denotes the reflexive, transitive closure of $\to_A$. Transitions denote either standard process operations or operations on the global state; they are sometimes denoted $\to_{A_P}$ and $\to_{A_S}$, respectively.

3.2 Multiparty Session Processes (S)

Syntax. The syntax of processes, ranged over by P, Q, ..., and that of expressions, ranged over by e, e', ..., is given by the grammar of Table 4, which also shows naming conventions. We assume two disjoint countable sets of names: one ranges over shared names a, b, ... and another ranges over session names s, s', .... Variables range over x, y, ...; participants (or roles) range over the naturals and are denoted as p, q, p', ...; labels range over l, l', ... and constants range over true, false, .... We write $\tilde p$ to denote a finite sequence of participants $p_1, \dots, p_n$ (and similarly for other elements). Given a session name s and a participant p, we write s[p] to denote a (session) endpoint.

The intuitive meaning of processes is as in [10,5]. The processes $\bar u[p](y).P$ and $u[p](y).Q$ can respectively request and accept to initiate a session through a shared name u. In both processes, the bound variable y is the placeholder for the channel that will be used in communications. After initiating a session, each channel placeholder will be replaced by an endpoint of the form $s[p_i]$ (i.e., the runtime channel of $p_i$ in session s). Within an established session, processes may send and receive basic values or session names (session delegation) and select and offer labeled, deterministic choices (cf. constructs $c \oplus \langle p, l\rangle.P$ and $c\,\&\,(p, \{l_i : P_i\}_{i \in I})$). The input/output operations (including delegation) specify the channel and the sender or the receiver, respectively.

Standard operations:

$(E, S, P \cup^\# \{0\}, \sigma, L) \to_A (E, S, P, \sigma, L)$

$(E, S, P \cup^\# \{P \mid Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{P, Q\}, \sigma, L)$

$(E, S, P \cup^\# \{!P\}, \sigma, L) \to_A (E, S, P \cup^\# \{!P, P\}, \sigma, L)$

$(E, S, P \cup^\# \{\nu a; P\}, \sigma, L) \to_A (E \cup \{a'\}, S, P \cup^\# \{P\{a'/a\}\}, \sigma, L)$ (C0)

$(E, S, P, \sigma, L) \xrightarrow{K(M)}_A (E, S, P, \sigma, L)$ (C1)

$(E, S, P \cup^\# \{\mathsf{out}(M, N); P\}, \sigma, L) \xrightarrow{K(M)}_A (E, S, P \cup^\# \{P\}, \sigma \cup \{N/x\}, L)$ (C2)

$(E, S, P \cup^\# \{\mathsf{in}(M, N); P\}, \sigma, L) \xrightarrow{K(\langle M, N\tau\rangle)}_A (E, S, P \cup^\# \{P\tau\}, \sigma, L)$ (C3)

$(E, S, P \cup^\# \{\mathsf{out}(M, N); P,\ \mathsf{in}(M', N'); Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{P, Q\tau\}, \sigma, L)$ (C4)

$(E, S, P \cup^\# \{\mathsf{if}\ M = N\ \mathsf{then}\ P\ \mathsf{else}\ Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{P\}, \sigma, L)$ (C5)

$(E, S, P \cup^\# \{\mathsf{if}\ M = N\ \mathsf{then}\ P\ \mathsf{else}\ Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{Q\}, \sigma, L)$ (C6)

$(E, S, P \cup^\# \{\mathsf{event}\ F; P\}, \sigma, L) \xrightarrow{F}_A (E, S, P \cup^\# \{P\}, \sigma, L)$

Operations on global state:

$(E, S, P \cup^\# \{\mathsf{insert}((M, N)); P\}, \sigma, L) \to_A (E, S[M \mapsto N], P \cup^\# \{P\}, \sigma, L)$

$(E, S, P \cup^\# \{\mathsf{delete}\ M; P\}, \sigma, L) \to_A (E, S[M \mapsto \bot], P \cup^\# \{P\}, \sigma, L)$

$(E, S, P \cup^\# \{\mathsf{lookup}\ M\ \mathsf{as}\ x\ \mathsf{in}\ P\ \mathsf{else}\ Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{P\{V/x\}\}, \sigma, L)$ (C7)

$(E, S, P \cup^\# \{\mathsf{lookup}\ M\ \mathsf{as}\ x\ \mathsf{in}\ P\ \mathsf{else}\ Q\}, \sigma, L) \to_A (E, S, P \cup^\# \{Q\}, \sigma, L)$ (C8)

$(E, S, P \cup^\# \{\mathsf{lock}\ M; P\}, \sigma, L) \to_A (E, S, P \cup^\# \{P\}, \sigma, L \cup \{M\})$ (C9)

$(E, S, P \cup^\# \{\mathsf{unlock}\ M; P\}, \sigma, L) \to_A (E, S, P \cup^\# \{P\}, \sigma, L \setminus M)$

where:

C0: $a'$ fresh
C1: $\nu E.\sigma \vdash M$
C2: $x$ fresh and $\nu E.\sigma \vdash M$
C3: $\exists \tau.\ \nu E.\sigma \vdash M$, $\nu E.\sigma \vdash N\tau$ and $\tau$ grounding for $N$
C4: $M =_E M'$ and $\exists \tau.\ N =_E N'\tau$ with $\tau$ grounding for $N'$
C5: $M =_E N$
C6: $M \neq_E N$
C7: $\exists N.\ N =_E M$ and $S(N) =_E V$
C8: $\forall N.\ N =_E M \Rightarrow S(N) = \bot$
C9: $M \notin_E L$

Table 3. Operational semantics for A.

$u ::= x \mid a$ (Identifiers) $\qquad n ::= s \mid a$ (Names) $\qquad c ::= s[p] \mid x$ (Channels)

$e ::= v \mid x \mid e = e' \mid \dots$ (Expressions) $\qquad v ::= a \mid \mathsf{true} \mid \mathsf{false} \mid s[p]$ (Values)

$m ::= (q.p : v) \mid (q.p : c) \mid (q.p : l)$ (Messages) $\qquad h ::= h \cdot m \mid \emptyset$ (Queue)

$P ::= \bar u[p](y).P$ (Req)
$\quad \mid u[p](y).P$ (Acc)
$\quad \mid c!\langle p, e\rangle.P$ (Send)
$\quad \mid c?(p, x).P$ (Recv)
$\quad \mid c!\langle\langle p, c'\rangle\rangle.P$ (Deleg)
$\quad \mid c?((q, y)).P$ (Recep)
$\quad \mid c \oplus \langle p, l\rangle.P$ (Select)
$\quad \mid c\,\&\,(p, \{l_i : P_i\}_{i \in I})$ (Branch)
$\quad \mid \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q$ (Condit.)
$\quad \mid P \mid Q$ (Parallel)
$\quad \mid 0$ (Inaction)
$\quad \mid (\nu n)P$ (N. Hiding)
$\quad \mid s[\tilde p] : h$ (M. Queue)

Table 4. Process syntax and naming conventions for S.

Message queues model asynchronous communication. A message (p.q : v) indicates that p has sent a value v to q. The empty queue is denoted by ∅. By h · m we denote the queue obtained by concatenating message m to the queue h. By $s[\tilde p] : h$ we denote the queue h of the session s initiated between participants $\tilde p = p_1, \dots, p_n$; when the participants are clear from the context we shall write s : h instead of $s[\tilde p] : h$.

$P \mid 0 \equiv P \qquad P \mid Q \equiv Q \mid P \qquad (P \mid Q) \mid R \equiv P \mid (Q \mid R)$

$(\nu a)0 \equiv 0 \qquad (\nu s)(s : \emptyset) \equiv 0$

$(\nu r)P \mid Q \equiv (\nu r)(P \mid Q)$, if $r \notin fn(Q)$

$(\nu r)(\nu r')P \equiv (\nu r')(\nu r)P$, where $r ::= a \mid s$

$s[\tilde p] : h \cdot (q.p : \zeta) \cdot (q'.p' : \zeta') \cdot h' \equiv s[\tilde p] : h \cdot (q'.p' : \zeta') \cdot (q.p : \zeta) \cdot h'$, if $p \neq p'$ or $q \neq q'$

Table 5. Structural congruence for S processes.

Request/accept actions bind channel variables, value receptions bind value variables, channel receptions bind channel variables, and hidings bind shared and session names. In (νs)P all occurrences of s[p] and of queues s : h inside P are bound. We denote by fn(Q) the set of free names in Q. A process is closed if it does not contain free variables or free session names. Unless stated otherwise, we only consider closed processes.

Semantics. S processes are governed by a reduction semantics, which relies on a structural congruence relation, denoted ≡ and defined by adding α-conversion to the rules of Table 5. Reduction rules are given in Table 6; we write $P \to_S P'$ for a reduction step. We rely on the following syntax for contexts: $E ::= [\,] \mid P \mid (\nu a)E \mid (\nu s)E \mid E\,|\,E$.

We briefly discuss the reduction rules. Rule [Init] describes the initiation of a new session among n participants that synchronize over the shared name a. After session initiation, the participants will share a private session name (s in the rule), and an empty queue associated to it ($s[\tilde p] : \emptyset$ in the rule). Rules [Send], [Deleg] and [Sel] add values, channels and labels, respectively, into the message queue; in Rule [Send], e ↓ v denotes the evaluation of the expression e into a value v. Rules [Recv], [SRecv] and [Branch] perform complementary de-queuing operations. Other rules are self-explanatory.

3.3 The Calculus S?

We now introduce S?, a variant of S which will simplify the definition of our encoding into A. The syntax of S? processes is as follows:

$P, Q ::= 0 \mid \bar u[p](\tilde y).P \mid u[p](\tilde y).P \mid P \mid Q \mid (\nu n)P \mid \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q$
$\quad \mid c_{pq}!\langle e : \mathsf{msg}\rangle.P \mid c_{pq}?((y)).P \mid c_{pq}?(x).P \mid c_{pq}!\langle\langle c'_{p'q'} : \mathsf{chan}\rangle\rangle.P$
$\quad \mid c_{pq} \oplus \langle l : \mathsf{lbl}\rangle.P \mid c_{pq}\,\&\,(\{l_i : P_i\}_{i \in I}) \mid s_{pq} : h$

where $c_{pq}$ denotes a channel annotated with participant identities, $h ::= h \cdot m \mid \emptyset$ and $m ::= \langle \mathsf{msg}, v\rangle \mid \langle \mathsf{chan}, s_{pq}\rangle \mid \langle \mathsf{lbl}, l\rangle$. The main differences between S and S? are:

- Intra-session communication relies on annotated channels, and output prefixes include a sort for the communicated messages (msg for values, chan for delegated sessions, lbl for labels).

- While S uses a single queue per session, in S? for each pair of participants there are two queues, one in each direction. This simplifies the definition of structural congruence ≡ for S?, which results from that for S as expected and is omitted.

- Constructs for session request and acceptance in S? depend on a sequence of variables, rather than on a single variable. In these constructs, denoted $\bar u[p](\tilde y).P$ and $u[p](\tilde y).P$, respectively, $\tilde y$ is a sequence of variables of the form $y_{pq}$, for some p, q.

$\bar a[p_1](y).P_1 \mid \dots \mid \bar a[p_{n-1}](y).P_{n-1} \mid a[p_n](y).P_n \to_S (\nu s)(P_1\{s[p_1]/y\} \mid \dots \mid P_{n-1}\{s[p_{n-1}]/y\} \mid P_n\{s[p_n]/y\} \mid s[\tilde p] : \emptyset)$ [Init]

$s[p]!\langle q, e\rangle.P \mid s : h \to_S P \mid s : h \cdot (p.q : v)$ $\quad (e \downarrow v)$ [Send]

$s[p]!\langle\langle q, s'[p']\rangle\rangle.P \mid s : h \to_S P \mid s : h \cdot (p.q : s'[p'])$ [Deleg]

$s[p] \oplus \langle q, l\rangle.P \mid s : h \to_S P \mid s : h \cdot (p.q : l)$ [Sel]

$s[p]?(q, x).P \mid s : (q.p : v) \cdot h \to_S P\{v/x\} \mid s[\tilde p] : h$ [Recv]

$s[p]?((q, y)).P \mid s : (q.p : s'[p']) \cdot h \to_S P\{s'[p']/y\} \mid s[\tilde p] : h$ [SRecv]

$s[p]\,\&\,(q, \{l_i : P_i\}_{i \in I}) \mid s : (q.p : l_j) \cdot h \to_S P_j \mid s : h$ $\quad (j \in I)$ [Branch]

$\mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q \to_S P$ $\quad (e \downarrow \mathsf{true})$ [If-T]

$P \equiv P'$ and $P' \to_S Q'$ and $Q \equiv Q'$ $\ \Rightarrow\ P \to_S Q$ [Str]

$P \to_S P'$ $\ \Rightarrow\ E[P] \to_S E[P']$ [Ctx]

Table 6. Reduction rules for S (Rule [If-F] omitted).

With these differences in mind, the reduction semantics for S?, denoted $\to_{S?}$, follows that for S (Table 6). Reduction rules for S? include the following:

$\bar a[1](\tilde y_1).P_1 \mid \dots \mid \bar a[n-1](\tilde y_{n-1}).P_{n-1} \mid a[n](\tilde y_n).P_n \to_{S?} (\nu s)(P_1\{s/y\} \mid \dots \mid P_{n-1}\{s/y\} \mid P_n\{s/y\} \mid \tilde y_1\{s/y\} : \emptyset \mid \dots \mid \tilde y_n\{s/y\} : \emptyset)$ [Init]

$y_{pq}!\langle e : \mathsf{msg}\rangle.P \mid y_{pq} : h \to_{S?} P \mid y_{pq} : h \cdot \langle \mathsf{msg}, v\rangle$ $\quad (e \downarrow v)$ [Send]

$y_{pq}?(x).P \mid y_{qp} : \langle \mathsf{msg}, v\rangle \cdot h \to_{S?} P\{v/x\} \mid y_{qp} : h$ [Recv]

Notice that in Rule [Init], we only need to write $P_i\{s/y\}$: after reduction, these variables will be of the form $s_{pq}$. In that rule, each $\tilde y_i\{s/y\} : \emptyset$ denotes several queues (one for each name $y_{pq} \in \tilde y_i$), rather than a single queue.

It is straightforward to define an auxiliary encoding $(\![\cdot]\!) : S \mapsto S?$. For instance:

$(\![ s[p]!\langle q, e\rangle.P ]\!) = s_{pq}!\langle e : \mathsf{msg}\rangle.(\![ P ]\!)$

$(\![ s[p]?(q, x).P ]\!) = s_{qp}?(x).(\![ P ]\!)$

$(\![ s[p]!\langle\langle q, z_{p'}\rangle\rangle.P ]\!) = s_{pq}!\langle\langle z_{p'} : \mathsf{chan}\rangle\rangle.(\![ P ]\!)$

$(\![ s[p]?((q, x)).P ]\!) = s_{qp}?((x)).(\![ P ]\!)$

The full encoding, given in [15], enjoys the following property:

Theorem 1. Let P ∈ S. Then: (a) If $P \to_S P'$, then $(\![P]\!) \to_{S?} (\![P']\!)$. (b) If $(\![P]\!) \to_{S?} R$, then there exists $P' \in S$ such that $P \to_S P'$ and $(\![P']\!) = R$.

Given the encoding $(\![\cdot]\!) : S \mapsto S?$ and Theorem 1 above, we now move on to define an encoding $\llbracket\cdot\rrbracket : S? \mapsto A$. By composing these encodings (and their correctness results, Theorems 2 and 3), we will obtain a behavior-preserving compiler of S into A.

4 Encoding S? into A

We now present our encoding $\llbracket\cdot\rrbracket : S? \mapsto A$ and establish its correctness. The encoding is defined in Table 7; it uses the set of facts $F_S = \{honest, sndnonce, rcvnonce, sndchann, rcvchann, out, inp, dels, recs, sel, bra, close\}$. Facts will be used as event annotations in process executions, and also for model checking communication correctness via trace formulas in the following section. Our encoding relies on the equational theory for pairing, which is built into the Tamarin prover [14] and includes the function symbols ⟨·,·⟩, fst and snd, for pairing and for projecting the first and second component of a pair. Communication within a securely established session is expressed by the manipulation of queues, which will be stored in the set of states S. In SAPIC, we implement the queues $y_{pq}$ and $y_{qp}$ as q(y, p, q) and q(y, q, p), respectively, where q is a function symbol for queues. Also, $s_{pq} : \emptyset$ is implemented as insert(($s_{pq}$, init)).

Implementing session establishment (three participants, with participant 3 initiating):

$\llbracket \bar a[3](\tilde y_3).P \rrbracket = \nu s;\ P_{31};\ P_{32};\ \mathsf{insert}((\tilde s_{ij}, \emptyset));\ \mathsf{event}\ init(\tilde s_{ij});$
$\quad \mathsf{event}\ sndchann(pk(ska_{31}), pk(y_1), s);\ \mathsf{out}(u_1, s);$
$\quad \mathsf{event}\ sndchann(pk(ska_{32}), pk(y_2), s);\ \mathsf{out}(u_2, s);\ \llbracket P \rrbracket$

$P_{3i} = \nu ska_{3i};\ \mathsf{out}(c, pk(ska_{3i}));\ \mathsf{event}\ honest(pk(ska_{3i}));\ \mathsf{in}(c, pk(y_i));$
$\quad \nu n_{3i};\ \mathsf{event}\ sndnonce(pk(ska_{3i}), pk(y_i), aenc(\langle n_{3i}, pk(ska_{3i})\rangle, pk(y_i)));$
$\quad \mathsf{out}(c, aenc(\langle n_{3i}, pk(ska_{3i})\rangle, pk(y_i)));\ \mathsf{in}(c, aenc(\langle n_{3i}, u_i, pk(y_i)\rangle, pk(ska_{3i})));$
$\quad \mathsf{event}\ rcvnonce(pk(y_i), pk(ska_{3i}), aenc(\langle n_{3i}, u_i, pk(y_i)\rangle, pk(ska_{3i})))$

$\llbracket a[i](\tilde y_i).P \rrbracket = \nu ska_i;\ \mathsf{in}(c, pk(x_i));\ \mathsf{event}\ honest(pk(ska_i));\ \mathsf{in}(c, aenc(\langle y, pk(x_i)\rangle, pk(ska_i)));$
$\quad \mathsf{event}\ rcvnonce(pk(x_i), pk(ska_i), aenc(\langle y, pk(x_i)\rangle, pk(ska_i)));$
$\quad \nu n_i;\ \mathsf{event}\ sndnonce(pk(ska_i), pk(x_i), aenc(\langle y, n_i, pk(ska_i)\rangle, pk(x_i)));$
$\quad \mathsf{out}(c, aenc(\langle y, n_i, pk(ska_i)\rangle, pk(x_i)));\ \mathsf{in}(n_i, z);$
$\quad \mathsf{event}\ rcvchann(pk(x_i), pk(ska_i), z);\ \llbracket P \rrbracket$

Implementing intra-session communication:

$\llbracket c_{pq}!\langle e : \mathsf{msg}\rangle.P \rrbracket = \mathsf{lock}\ c_{pq};\ \mathsf{lookup}\ c_{pq}\ \mathsf{as}\ x\ \mathsf{in}\ (\mathsf{insert}((c_{pq}, x \cdot \langle \mathsf{msg}, v\rangle));\ \mathsf{event}\ out(c_{pq}, v);\ \mathsf{unlock}\ c_{pq};\ \llbracket P \rrbracket)$ $\quad (e \downarrow v)$

$\llbracket c_{pq}?(x).P \rrbracket = \mathsf{lock}\ c_{qp};\ \mathsf{lookup}\ c_{qp}\ \mathsf{as}\ z_v\ \mathsf{in}\ (\mathsf{if}\ fst(z_v) = \langle \mathsf{msg}, z\rangle\ \mathsf{then}\ (\mathsf{insert}((c_{qp}, snd(z_v)));\ \mathsf{event}\ inp(c_{pq}, fst(z_v));\ \mathsf{unlock}\ c_{qp};\ \llbracket P\{z/x\} \rrbracket))$

$\llbracket c_{pq}!\langle\langle c' : \mathsf{chan}\rangle\rangle.P \rrbracket = \mathsf{lock}\ c_{pq};\ \mathsf{lookup}\ c_{pq}\ \mathsf{as}\ x\ \mathsf{in}\ (\mathsf{insert}((c_{pq}, x \cdot \langle \mathsf{chan}, c'\rangle));\ \mathsf{event}\ dels(c_{pq}, c');\ \mathsf{unlock}\ c_{pq};\ \llbracket P \rrbracket)$

$\llbracket c_{pq}?((x)).P \rrbracket = \mathsf{lock}\ c_{qp};\ \mathsf{lookup}\ c_{qp}\ \mathsf{as}\ z_v\ \mathsf{in}\ (\mathsf{if}\ fst(z_v) = \langle \mathsf{chan}, z\rangle\ \mathsf{then}\ (\mathsf{insert}((c_{qp}, snd(z_v)));\ \mathsf{event}\ recs(c_{pq}, fst(z_v));\ \mathsf{unlock}\ c_{qp};\ \llbracket P\{z/x\} \rrbracket))$

$\llbracket c_{pq} \oplus \langle l : \mathsf{lbl}\rangle.P \rrbracket = \mathsf{lock}\ c_{pq};\ \mathsf{lookup}\ c_{pq}\ \mathsf{as}\ x\ \mathsf{in}\ (\mathsf{insert}((c_{pq}, x \cdot \langle \mathsf{lbl}, l\rangle));\ \mathsf{event}\ sel(c_{pq}, l);\ \mathsf{unlock}\ c_{pq};\ \llbracket P \rrbracket)$

$\llbracket c_{pq}\,\&\,(\{l_i : P_i\}) \rrbracket = \mathsf{lock}\ c_{q p};\ \mathsf{lookup}\ c_{qp}\ \mathsf{as}\ z_l\ \mathsf{in}$
$\quad \mathsf{if}\ fst(z_l) = \langle \mathsf{lbl}, l_1\rangle\ \mathsf{then}\ \mathsf{insert}((c_{qp}, snd(z_l)));\ \mathsf{event}\ bra(c_{pq}, l_1);\ \mathsf{unlock}\ c_{qp};\ \llbracket P_1 \rrbracket$
$\quad \mathsf{else}\ \mathsf{if}\ fst(z_l) = \langle \mathsf{lbl}, l_2\rangle\ \mathsf{then}\ \mathsf{insert}((c_{qp}, snd(z_l)));\ \mathsf{event}\ bra(c_{pq}, l_2);\ \mathsf{unlock}\ c_{qp};\ \llbracket P_2 \rrbracket$

$\llbracket 0 \rrbracket = \mathsf{event}\ close$ $\qquad \llbracket s[\tilde p] : h \rrbracket = 0$

$\llbracket (\nu s)P \rrbracket = \nu s;\ \llbracket P \rrbracket$ $\qquad \llbracket P \mid Q \rrbracket = \llbracket P \rrbracket \mid \llbracket Q \rrbracket$ $\qquad \llbracket \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q \rrbracket = \mathsf{if}\ e\ \mathsf{then}\ \llbracket P \rrbracket\ \mathsf{else}\ \llbracket Q \rrbracket$

Table 7. Encoding from S? to A.

Session Initiation. The (high-level) mechanism of session initiation of Rule [Init] in S? (Table 6) is implemented in A by following the Needham-Schroeder-Lowe (NSL) authentication protocol [13]; see Table 7 (top). We use NSL because it is simple, and it has already been formalized in SAPIC. For simplicity, we present the implementation for three participants; the extension to n participants is as expected. The encoding creates queues for intra-session communication using processes insert(($\tilde s_{ij}$, ∅)). The security verification uses the built-in library asymmetric-encryption available in Tamarin [14], and assumes the usual signature and equational theory for public keys pk, secret keys sk, asymmetric encryption aenc and decryption dec.
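The following is an added example, not code from the paper or from SAPIC/Tamarin: it implements the deduction relation of Table 2 (§3.1) over symbolic terms with the pairing and asymmetric-encryption theories, and then replays the NSL-based session establishment of Table 7 between an honest initiator (participant 3) and an honest responder i, recording outputs in a frame only when the adversary can deduce the channel (side condition C2 of Table 3). The frame, the names (ska3i, skai, n3i, ni, s) and the check that the responder also publishes its public key are constructed for the example; Table 7 shows that publication only for the initiator.

```python
"""Adversary deduction (Table 2) over the frame left by the NSL-based session
establishment of Table 7. Added example, not code from the paper or from SAPIC.

Terms: names are strings; f(t1, ..., tn) is the tuple (f, t1, ..., tn).
Assumed equational theory E (Tamarin's built-ins 'pairing' and
'asymmetric-encryption'):  fst(<x,y>) = x,  snd(<x,y>) = y,
adec(aenc(m, pk(k)), k) = m.  A frame is (restricted names, sigma).
"""

def pair(a, b): return ("pair", a, b)
def pk(k): return ("pk", k)
def aenc(m, k): return ("aenc", m, k)
def head(t): return t if isinstance(t, str) else t[0]

CONSTRUCTORS = {"pair", "pk", "aenc"}

def normalize(t):
    """E-normal form, orienting the three equations left to right."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    if f == "fst" and head(args[0]) == "pair":
        return args[0][1]
    if f == "snd" and head(args[0]) == "pair":
        return args[0][2]
    if f == "adec" and head(args[0]) == "aenc" and args[0][2] == pk(args[1]):
        return args[0][1]
    return (f, *args)

def synth(known, restricted, t):
    """[Frame], [Name] and [App] with constructors: can t be built from 'known'?"""
    if t in known:
        return True
    if isinstance(t, str):
        return t not in restricted        # [Name]: every non-restricted name
    f, *args = t
    return f in CONSTRUCTORS and all(synth(known, restricted, a) for a in args)

def analyze(frame):
    """Saturate the range of sigma under destructors ([App] followed by [Eq])."""
    restricted, sigma = frame
    known = {normalize(v) for v in sigma.values()}
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if head(t) == "pair":
                new = {t[1], t[2]}                     # fst, snd
            elif head(t) == "aenc" and head(t[2]) == "pk" \
                    and synth(known, restricted, t[2][1]):
                new = {t[1]}                           # adec with a deducible private key
            if not new <= known:
                known |= new
                changed = True
    return known

def deducible(frame, t):
    """nu n~.sigma |- t"""
    restricted, _ = frame
    return synth(analyze(frame), restricted, normalize(t))

def nsl_session_establishment(leaked=()):
    """Symbolic run of the Table 7 initiator (participant 3) with responder i.
    An out(M, N) is recorded in the frame only if the adversary can deduce the
    channel M (side condition C2 of Table 3); names in 'leaked' are treated as
    public.  Assumption beyond Table 7: the responder also publishes pk(ska_i)."""
    ska, ski, n3i, ni, s = "ska3i", "skai", "n3i", "ni", "s"    # fresh names
    frame = ({ska, ski, n3i, ni, s} - set(leaked), {})

    def out(channel, msg):
        if deducible(frame, channel):
            frame[1]["x%d" % (len(frame[1]) + 1)] = normalize(msg)

    out("c", pk(ska))                                        # initiator: out(c, pk(ska_3i))
    out("c", pk(ski))                                        # responder publishes pk(ska_i) (assumed)
    out("c", aenc(pair(n3i, pk(ska)), pk(ski)))              # initiator -> responder
    out("c", aenc(pair(n3i, pair(ni, pk(ski))), pk(ska)))    # responder -> initiator
    out(ni, s)                                               # out(u_i, s): u_i is the responder's nonce
    return frame

def check():
    """Secrecy facts about the honest run and about a run with a leaked initiator key."""
    honest = nsl_session_establishment()
    leaked = nsl_session_establishment(leaked=("ska3i",))
    return {
        "public_key_known": deducible(honest, pk("ska3i")),
        "eq_rule": deducible(honest, ("fst", pair(pk("ska3i"), "junk"))),
        "can_encrypt_to_responder": deducible(honest, aenc("m", pk("skai"))),
        "nonce_secret": not deducible(honest, "n3i"),
        "session_name_secret": not deducible(honest, "s"),
        "leak_reveals_nonces": deducible(leaked, "n3i") and deducible(leaded, "ni") if False else deducible(leaked, "n3i") and deducible(leaked, "ni"),
        "leak_reveals_session_name": deducible(leaked, "s"),
    }
```

With both keys honest, the session name s never enters the frame because the channel u_i on which it is sent is the responder's nonce, which the adversary cannot deduce; leaking the initiator's private key lets the adversary decrypt the responder's reply, recover the nonce, observe out(u_i, s), and thus deduce s.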

Intra-session Communication. Process $\llbracket c_{pq}!\langle e : \mathsf{msg}\rangle.P \rrbracket$ first acquires a lock on the queue $c_{pq}$ to avoid interference. Then, a lookup as process checks the state of $c_{pq}$ and enqueues the message ⟨msg, v⟩ at its end. Finally, the encoding signals this operation by executing event out($c_{pq}$, v) before unlocking $c_{pq}$ and proceeding as $\llbracket P \rrbracket$. The encoding of session delegation $\llbracket c_{pq}!\langle\langle c' : \mathsf{chan}\rangle\rangle.P \rrbracket$ is very similar: the only differences are the sort of the communicated object and the event signaled at the end (dels($c_{pq}$, c')).

As above, process $\llbracket c_{pq}?(x).P \rrbracket$ first acquires a lock and checks the queue $c_{qp}$. If it is of the form ⟨msg, −⟩ · ..., then it stores it in a variable $z_v$: it consumes the first part (fst($z_v$)) and updates $c_{qp}$ with the second part. The implementation then signals an event inp($c_{pq}$, fst($z_v$)) before unlocking $c_{qp}$ and proceeding as $\llbracket P \rrbracket$. Process $\llbracket c_{pq}?((x)).P \rrbracket$ (reception of a delegated session) is similar; in this case, the queue should contain a value of sort chan and the associated event is recs($c_{pq}$, fst($z_v$)).

Process $\llbracket 0 \rrbracket$ simply executes an event close. In the prototype SAPIC implementation of our encoding, this event mentions the name of the corresponding session $c_{qp}$.

Finally, process $\llbracket c_{pq} : h \rrbracket$ is 0 because we implement queues using the global state in A. The implementation of the remaining constructs in A is self-explanatory.

Remark 1. Since our encoding operates on untyped processes, we could have sort mismatches in queues (cf. Rule [If-F]). To avoid this, encodings of input-like processes (e.g., $s_{pq}?(x).P$) use the input of a dummy value that allows processes to reduce.
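The following is an added example, not code from the paper or from its SAPIC prototype: it models the global-state fragment of an A configuration (the S and L components, with the insert/delete/lookup/lock/unlock steps of Table 3) and, on top of it, the lock/lookup/insert/event/unlock pattern by which Table 7 implements the S? send, delegate, select, receive and branch prefixes. It also includes the queue part of the auxiliary encoding ([·]) of §3.3, which splits a single S session queue into one S? queue per ordered pair of participants. The trace in demo() (roles 1 = B1, 2 = B2, 3 = S) and the Python-list representation of queue terms are constructions of the example; releasing the lock on the blocked path is this example's choice, where the paper instead inputs a dummy value (Remark 1).

```python
"""Global-state queues of Table 7 on top of the state operations of Table 3.
Added example, not code from the paper or from SAPIC.

Configuration fragment: S (global state) and L (acquired locks) of
(E, S, P, sigma, L); E and sigma play no role in intra-session steps.
A queue y_pq is stored under the key ('q', y, p, q), mirroring q(y,p,q)
in the paper's SAPIC implementation; its contents are a Python list
standing for the term built with '.', each element a (sort, payload)
pair, i.e. <msg, v>, <chan, c> or <lbl, l>.
"""

class Locked(Exception):
    """lock M; P cannot fire while M is already in L (side condition C9)."""


class Config:
    def __init__(self):
        self.S = {}        # global state: key -> value (None = undefined)
        self.L = set()     # currently acquired locks
        self.events = []   # facts emitted by 'event F'

    # Table 3: operations on global state
    def insert(self, key, value): self.S[key] = value
    def delete(self, key): self.S[key] = None
    def lookup(self, key): return self.S.get(key)   # None selects the 'else' branch
    def unlock(self, key): self.L.discard(key)
    def event(self, *fact): self.events.append(fact)
    def lock(self, key):
        if key in self.L:
            raise Locked(key)
        self.L.add(key)


def qkey(y, p, q):
    return ("q", y, p, q)


def split_queue(s, h):
    """Queue part of ([.]): an S queue s[p~] : h with messages (p.q : v), given
    here as (p, q, sort, payload) tuples, becomes one S? queue per ordered pair."""
    queues = {}
    for (p, q, sort, payload) in h:
        queues.setdefault(qkey(s, p, q), []).append((sort, payload))
    return queues


def init_session(cfg, s, participants):
    """insert((s_pq, empty)) for every ordered pair, as [Init] of S? requires."""
    for p in participants:
        for q in participants:
            if p != q:
                cfg.insert(qkey(s, p, q), [])


def enqueue(cfg, s, p, q, sort, payload, fact):
    """[[c_pq!<e:sort>.P]]: lock c_pq; lookup; insert the extended queue; event; unlock."""
    k = qkey(s, p, q)
    cfg.lock(k)
    try:
        x = cfg.lookup(k)
        if x is None:                 # S(c_pq) undefined: no 'in' branch to take
            return False
        cfg.insert(k, x + [(sort, payload)])
        cfg.event(fact, k, payload)
        return True
    finally:
        cfg.unlock(k)                 # example's choice on the blocked path (cf. Remark 1)


def dequeue(cfg, s, p, q, sort, fact):
    """[[c_pq?(x).P]]: p reads the opposite direction's queue c_qp. Returns the
    payload bound to x, or None when the queue is empty or its head has another
    sort (the encoded process then does not reduce)."""
    k = qkey(s, q, p)
    cfg.lock(k)
    try:
        zv = cfg.lookup(k)
        if not zv or zv[0][0] != sort:
            return None
        head, tail = zv[0], zv[1:]    # fst(zv), snd(zv)
        cfg.insert(k, tail)
        cfg.event(fact, k, head[1])
        return head[1]
    finally:
        cfg.unlock(k)


def send(cfg, s, p, q, v): return enqueue(cfg, s, p, q, "msg", v, "out")
def delegate(cfg, s, p, q, chan): return enqueue(cfg, s, p, q, "chan", chan, "dels")
def select(cfg, s, p, q, label): return enqueue(cfg, s, p, q, "lbl", label, "sel")
def recv(cfg, s, p, q): return dequeue(cfg, s, p, q, "msg", "inp")
def recv_session(cfg, s, p, q): return dequeue(cfg, s, p, q, "chan", "recs")

def branch(cfg, s, p, q, branches):
    """[[c_pq&({l_i : P_i})]]: pop a label and run the matching continuation."""
    label = dequeue(cfg, s, p, q, "lbl", "bra")
    return branches[label]() if label in branches else None


def demo():
    """Constructed trace in the style of the first phase: 1 = B1, 2 = B2, 3 = S."""
    cfg = Config()
    init_session(cfg, "s", [1, 2, 3])
    send(cfg, "s", 1, 3, "title")
    send(cfg, "s", 1, 3, "address")      # second message in the same direction
    select(cfg, "s", 2, 3, "ok")
    out = {}
    out["seller_gets_title_first"] = recv(cfg, "s", 3, 1)     # FIFO on q(s,1,3)
    out["seller_gets_second"] = recv(cfg, "s", 3, 1)
    out["empty_queue_blocks"] = recv(cfg, "s", 3, 1)          # None: queue empty
    out["sort_mismatch_blocks"] = recv(cfg, "s", 3, 2)        # head is <lbl, ok>, not <msg, _>
    out["branch"] = branch(cfg, "s", 3, 2, {"ok": lambda: "delegate", "quit": lambda: "end"})
    out["first_events"] = cfg.events[:2]
    out["all_unlocked"] = not cfg.L
    return out
```

The lock around each queue is what makes the encoding safe for the parallel processes of a session: without it, two interleaved lookup/insert pairs on the same q(y, p, q) could drop a message, and the example's Locked exception is the visible form of side condition C9 preventing that.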

Correctness of $\llbracket\cdot\rrbracket$. We first associate to each ground process P ∈ S? a process configuration via the encoding in Table 7. Below we assume that $\tilde s$, I, and I' may be empty, allowing the encoding of communicating processes (obtained after session initiation); we also assume that the set of (free) variables in P (denoted var(P)) can be instantiated with ground terms that can be deduced from the current frame.

Definition 1. Suppose an S? process $R \equiv (\nu \tilde s)(\prod_{i \in I} P_i \mid \prod_{j, k \in I'} s_{p_j q_k} : h_{j,k})$, with $var(R) = \{x_1, \dots, x_n\}$. A process configuration for R, denoted $C[\llbracket R \rrbracket]$, is defined as:

$(E \cup \{\tilde s\},\ S \cup \{s_{p_j q_k} : h_{j,k} \mid j, k \in I'\},\ \{\!\{\llbracket P_i \rrbracket\}\!\}_{i \in I},\ \sigma,\ L)$,

where $var(R) \subseteq dom(\sigma)$ and σ is grounding for $x_i$, i = 1, ..., n.

With some abuse of notation we say that C is a process configuration for R. Observe that different process configurations C, C', ... can be associated to the same process R ∈ S? once one considers variations of E, S, σ, L.

Theorem 2 (Completeness).LetP ∈S?. IfP −→S?P0then for all process configu- rationC, there exists a process configurationC0such thatC[JPK]−−→AC0[JP0K].

Proof. The proof is by structural induction, analyzing the rule applied inP −→S? P0 via encoding in Table 7 and the rules in Table 3. See [15] for details. ut To prove soundness, we rely on a Labeled Transition System forS?, denotedP−→λ P0. Such an LTS, and the proof of the theorem below, can be found in [15].

Theorem 3 (Soundness). Let P ∈ S⋆ and C be such that C[⟦P⟧] →_A R. Then there exist P' ∈ S⋆, a C', and λ such that R →*_A C'[⟦P'⟧] and P −λ→ P'.


(Sorts)          S ::= bool | nonce | msg | temp | ... | G
(Exchange Types) U ::= S | T
(Global Types)   G ::= p → q : ⟨U⟩.G | p → q : {l_i : G_i}_{i∈I} | end
(Local Types)    T ::= !⟨p, U⟩.T | ?(p, U).T | ⊕⟨p, {l_i : T_i}_{i∈I}⟩ | &(p, {l_i : T_i}_{i∈I}) | end

Table 8. Global and Local Types [10].

5 Multiparty Session Types and Their Local Formulas

Using ([·]) and ⟦·⟧, in this section we connect well-typedness of processes in S [10] with the satisfiability of local formulas, which model the execution of A processes.

5.1 Global and Local Types

Rather than defining multiparty session types for A processes, we would like to model check local types by re-using existing tools for A: SAPIC [12] and Tamarin [14].

Concretely, next we shall connect typability for S processes with satisfiability for A processes. To formalize these results, we first recall some essential notions for multiparty session types; the reader is referred to [10,5] for an in-depth presentation.

Global types G, G' describe multiparty session protocols from a vantage point; they offer a complete perspective on how two or more participants should interact. On the other hand, local (session) types T, T' describe how each participant contributes to the multiparty protocol. A projection function relates global and local types: the projection of G onto participant n is denoted G|n. The syntax for global and local types, given in Table 8, is standard [10]. A complete description of session types can be found in [15].

Example 1. Fig. 2 gives three global types for the protocol in §2: while G_init represents the first phase, both G_contract and G_sign are used to represent the second. In G_sign, we use G_resolve_i to denote a global protocol for resolving conflicts; see [15] for details.

Typing judgements for expressions and processes are of the form Γ ⊢ e : S or Γ ⊢ P ▷ ∆, where Γ ::= ∅ | Γ, x : S | Γ, a : G and ∆ ::= ∅ | ∆, c : T. The standard environment Γ assigns variables to sorts and service names to closed global types; the session environment ∆ associates channels to local types. We write Γ, x : S only if x ∉ dom(Γ), where dom(Γ) denotes the domain of Γ. We adopt the same convention for a : G and c : T, and write ∆, ∆' only if dom(∆) ∩ dom(∆') = ∅. Typing rules are as in [10,5]; as discussed in those works, typability for S processes ensures communication correctness in terms of session fidelity (well-typed processes respect prescribed local protocols) and communication safety (well-typed processes do not feature communication errors), among other properties.

5.2 Satisfiability of Local Formulas fromA

Following the approach in [12], properties of processes in A will be established via the analysis of traces, which describe the possible executions of a process. This will allow us to prove communication correctness of S processes, using the encoding ⟦·⟧.


G_init:
  (I.1) 3 → 1 : ⟨Title⟩
  (I.2) 1 → {2,3} : ⟨quote⟩
  (I.3) 3 → 2 : ⟨quote'⟩
  (I.4) 2 → {1,3} : { ok : G_contract ; ¬ok : end }

G_b:
  (10) 1 → 2 : ⟨T⟩, with T = (G_contract)|1

G_contract:
  (c.1) 1 → {2,3} : ⟨contract⟩
  (c.2) 3 → 2 : ⟨promise⟩
  (c.3) 2 → 3 : { ok : 2 → 3 : ⟨promise⟩. 3 → 2 : { ok : G_sign ; ¬ok : 3 → 1 : abort } ;
                  ¬ok : end }

G_sign:
  (s.1) 3 → 2 : ⟨signature1⟩
  (s.2) 2 → 3 : { ok : 2 → 3 : ⟨signature2⟩. 3 → 1 : { success : 3 → 1 : ⟨address⟩. 1 → 3 : ⟨date⟩ ;
                                                       ¬success : 1 → 3 : G_resolve1 } ;
                  ¬ok : 2 → 1 : G_resolve2 }

Fig. 2. Global Types for the Trusted Buyer-Seller Protocol (§2).

Definition 1 (Traces of P [12]). Given a ground process P ∈ A, we define the set of traces of P, denoted by traces(P), as

$$
traces(P) = \Big\{\, [F_1, \ldots, F_n] \;\Big|\; (\emptyset, \emptyset, \{P\}, \emptyset, \emptyset) \xRightarrow{F_1} \cdots \xRightarrow{F_n} (\mathcal{E}_n, \mathcal{S}_n, \mathcal{P}_n, \sigma_n, \mathcal{L}_n) \,\Big\}
$$

We denote by tr_P a trace from the set traces(P), for some process P, and write tr when P is clear from the context. Notice that tr_P = tr_Q does not necessarily imply that P = Q: each process may implement more than one session in different ways.

SAPIC and Tamarin [14] consider two sorts: temp and msg. Each variable of sort s will be interpreted in the domain D(s); in particular, we denote by V_temp the set of temporal variables, which is interpreted in the domain D(temp) = ℚ; also, V_msg is the set of message variables, which is interpreted in the domain D(msg) = M. Below, we adopt a function θ : V → M ∪ ℚ that maps variables to terms respecting the variable's sort, that is θ(x : s) ∈ D(s).

Definition 2 (Trace atoms [12]). A trace atom has one of the forms:

$$
A ::= \bot \;\mid\; t_1 \approx t_2 \;\mid\; i \lessdot j \;\mid\; i \doteq k \;\mid\; F@i
$$

denoting, respectively, false, term equality, timepoint ordering, timepoint equality, or an action for a fact F and a timepoint i. The construction of trace formulas ϕ respects the usual first-order convention:

$$
\varphi, \psi ::= A \;\mid\; \neg\varphi \;\mid\; \varphi \wedge \psi \;\mid\; \varphi \vee \psi \;\mid\; \varphi \to \psi \;\mid\; \varphi \leftrightarrow \psi \;\mid\; (\exists x : s).\varphi \;\mid\; (\forall x : s).\varphi
$$

Given a process P, in the definition below, tr denotes a trace in traces(P), idx(tr) denotes the positions in tr, and tr_i denotes the i-th position in tr.


Definition 3 (Satisfaction relation [12]). The satisfaction relation (tr, θ) ⊨ ϕ between a trace tr, a valuation θ, and a trace formula ϕ is defined as follows:

$$
\begin{array}{lcl}
(tr,\theta) \vDash \bot & & \text{never}\\
(tr,\theta) \vDash i \lessdot j & \text{iff} & \theta(i) < \theta(j)\\
(tr,\theta) \vDash i \doteq j & \text{iff} & \theta(i) = \theta(j)\\
(tr,\theta) \vDash t_1 \approx t_2 & \text{iff} & t_1\theta =_E t_2\theta\\
(tr,\theta) \vDash \neg\varphi & \text{iff} & \text{not } (tr,\theta) \vDash \varphi\\
(tr,\theta) \vDash \varphi_1 \wedge \varphi_2 & \text{iff} & (tr,\theta) \vDash \varphi_1 \text{ and } (tr,\theta) \vDash \varphi_2\\
(tr,\theta) \vDash F@i & \text{iff} & \theta(i) \in idx(tr) \text{ and } F\theta =_E tr_{\theta(i)}\\
(tr,\theta) \vDash (\exists x : s).\varphi & \text{iff} & \text{there exists } u \in D(s) \text{ such that } (tr,\theta[x \mapsto u]) \vDash \varphi
\end{array}
$$

Satisfaction of (∀x : s).ϕ, ϕ ∨ ψ and ϕ ⇒ ψ can be obtained from the cases above.

5.3 From Local Types to Local Formulas

Below we assume s is an established session between participants p and q. Given k : temp and a trace formula ϕ, we write ϕ(k) to say that there is a fact F such that F@k is an atom in ϕ. Below we assume that S is a subsort of msg.

Definition 4 (Local Formula). Given a local type T and an endpoint s[p], its local formula Φ_{s[p]}(T) is defined inductively as follows:

$$
\begin{array}{rcl}
\Phi_{s[p]}(!\langle q, S\rangle.T) &=& \exists i, z.\,\big(out(s_{pq}, z)@i \wedge \psi(\Phi_{s[p]}(T))\big)\\
\Phi_{s[p]}(?(q, U).T) &=& \exists i, z.\,\big(inp(s_{pq}, z)@i \wedge \psi(\Phi_{s[p]}(T))\big)\\
\Phi_{s[p]}(\oplus\langle q, \{l_i : T_i\}_{i\in I}\rangle) &=& \exists i.\,\bigvee_{j\in I}\big(sel(s_{pq}, l_j)@i \wedge \psi(\Phi_{s[p]}(T_j))\big)\\
\Phi_{s[p]}(\&(q, \{l_i : T_i\}_{i\in I})) &=& \exists i.\,\bigvee_{j\in I}\big(bra(s_{pq}, l_j)@i \wedge \psi(\Phi_{s[p]}(T_j))\big)\\
\Phi_{s[p]}(end) &=& \exists i.\,close@i.
\end{array}
$$

where ψ(Φ_{s[p]}(T)) := ∀k.(Φ_{s[p]}(T)(k) ⇒ i ⋖ k); the quantified variables have sorts i, j, k : temp and z : S, and variables i and z are fresh. The extension of Φ(·) to session environments, denoted Φ̂(·), is as expected: Φ̂(∆, s[p] : T) = Φ̂(∆) ∧ Φ_{s[p]}(T).

Remark 2. Since each local type is associated to a unique local formula, the mapping Φ(·) is invertible. That is, from a local formula ϕ we can obtain the corresponding type Φ^{-1}(ϕ). For instance, for the local formula ϕ_out := ∃i, z.(out(s_pq, z)@i ∧ ψ(ϕ')), one has Φ^{-1}(ϕ_out) = s[p] : !⟨q, S⟩.Φ^{-1}(ϕ'). The other cases are similar.
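The mapping Φ of Definition 4, its inverse from Remark 2, and the satisfaction relation of Definition 3 restricted to the formulas Φ produces, as a Python illustration added for this page (it is not the paper's SAPIC or Tamarin artefact). The local type is a constructed, cut-down version of participant 2's side of G_contract (Fig. 2); the traces are constructed event lists in the shape the encoding raises them; channel names s_pq follow Definition 4, and the sort of z is recorded in the formula but not checked against the trace, since a trace carries values rather than sorts.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Local types T of Table 8 (one dataclass per constructor).
@dataclass(frozen=True)
class Send: q: str; sort: str; cont: object      # !<q,S>.T
@dataclass(frozen=True)
class Recv: q: str; sort: str; cont: object      # ?(q,U).T
@dataclass(frozen=True)
class Sel: q: str; branches: dict                # (+)<q,{l_i:T_i}>
@dataclass(frozen=True)
class Bra: q: str; branches: dict                # &(q,{l_i:T_i})
@dataclass(frozen=True)
class End: pass                                  # end

# Definition 4 only ever yields  ∃i.(F@i ∧ ψ(Φ(T')))  or a disjunction of such
# conjuncts (one per label), so a formula is a list of (fact, continuation)
# alternatives.  Facts: ("out"|"inp", s_pq, "z", S), ("sel"|"bra", s_pq, l), ("close",).
Fact = Tuple[str, ...]
Formula = List[Tuple[Fact, Optional["Formula"]]]

def phi(s: str, p: str, t) -> Formula:
    """Φ_{s[p]}(T) of Definition 4; the channel of endpoint s[p] towards q is s_pq."""
    ch = lambda q: f"{s}_{p}{q}"
    if isinstance(t, Send):
        return [(("out", ch(t.q), "z", t.sort), phi(s, p, t.cont))]
    if isinstance(t, Recv):
        return [(("inp", ch(t.q), "z", t.sort), phi(s, p, t.cont))]
    if isinstance(t, Sel):
        return [(("sel", ch(t.q), l), phi(s, p, tj)) for l, tj in t.branches.items()]
    if isinstance(t, Bra):
        return [(("bra", ch(t.q), l), phi(s, p, tj)) for l, tj in t.branches.items()]
    return [(("close",), None)]

def render(f: Formula, depth: int = 0) -> str:
    """Pretty-print with a fresh timepoint i_d and message variable z_d per level."""
    i, alts = f"i{depth}", []
    for fact, cont in f:
        if fact[0] == "close":
            return f"∃{i}.close@{i}"
        arg = f"z{depth}" if fact[0] in ("out", "inp") else fact[2]
        alts.append(f"({fact[0]}({fact[1]}, {arg})@{i} ∧ ψ({render(cont, depth + 1)}))")
    binder = f"∃{i},z{depth}:{f[0][0][3]}." if f[0][0][0] in ("out", "inp") else f"∃{i}."
    return binder + " ∨ ".join(alts)

def inverse(f: Formula, s: str, p: str):
    """Φ^{-1} of Remark 2: read the local type of s[p] back off its formula."""
    peer = lambda ch: ch[len(f"{s}_{p}"):]
    fact, cont = f[0]
    if fact[0] == "close":
        return End()
    if fact[0] in ("out", "inp"):
        cls = Send if fact[0] == "out" else Recv
        return cls(peer(fact[1]), fact[3], inverse(cont, s, p))
    branches = {fc[2]: inverse(c, s, p) for fc, c in f}
    return (Sel if fact[0] == "sel" else Bra)(peer(fact[1]), branches)

def matches(fact: Fact, event: Fact) -> bool:
    """Fθ =_E tr_θ(i) for these facts: z is existentially bound, so any value on
    the right channel matches an out/inp; a sel/bra must carry the same label."""
    if fact[0] != event[0]:
        return False
    if fact[0] == "close":
        return True
    return fact[1] == event[1] if fact[0] in ("out", "inp") else fact[1:3] == event[1:3]

def holds(trace: List[Fact], f: Formula, after: int = -1) -> bool:
    """(tr, θ) ⊨ f per Definition 3: pick a timepoint i > after carrying one
    alternative's fact; ψ then forces every timepoint of the continuation past i."""
    return any(
        matches(fact, trace[i]) and (cont is None or holds(trace, cont, i))
        for fact, cont in f
        for i in range(after + 1, len(trace))
    )

# Constructed example: participant 2 in a cut-down G_contract (Fig. 2): receive the
# contract from 1 and the promise from 3, then select ok / ¬ok towards 3.
T2 = Recv("1", "contract", Recv("3", "promise",
          Sel("3", {"ok": Send("3", "promise", End()), "notok": End()})))
PHI2 = phi("s", "2", T2)

# Constructed traces, in the shape the encoding of Section 4 raises events.
TRACE_OK = [("inp", "s_21", "c0"), ("inp", "s_23", "pr3"), ("sel", "s_23", "ok"),
            ("out", "s_23", "pr2"), ("close",)]
TRACE_NOTOK = [("inp", "s_21", "c0"), ("inp", "s_23", "pr3"), ("sel", "s_23", "notok"),
               ("close",)]
# The selection precedes the promise, which ψ forbids: the formula is not satisfied.
TRACE_BAD = [("inp", "s_21", "c0"), ("sel", "s_23", "ok"), ("inp", "s_23", "pr3"),
             ("out", "s_23", "pr2"), ("close",)]

if __name__ == "__main__":
    print(render(PHI2))
    for name, tr in (("ok", TRACE_OK), ("notok", TRACE_NOTOK), ("bad", TRACE_BAD)):
        print(name, holds(tr, PHI2))
```

The checker is deliberately specialised: because ψ only ever constrains the continuation's timepoints to lie after the current one, the existential chain collapses into searching for an ordered subsequence of the trace, which is why a type violation (here, selecting before the promise arrived) shows up as the formula failing rather than as a type error.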

The following theorems give a bi-directional connection between (a) well-typedness and (b) satisfiability of the corresponding local formulas (see [15]):

Theorem 4. Let Γ ⊢ P ▷ ∆ be a well-typed S process. Also, let tr ∈ traces(⟦([P])⟧). Then there exists a θ such that (tr, θ) ⊨ Φ̂(∆).

Theorem 5. Let tr and ϕ be a trace and a local formula, respectively. Suppose θ is an instantiation such that (tr, θ) ⊨ ϕ. Then there is a P ∈ S such that

$$
\Gamma_\varphi \vdash P \triangleright \Phi^{-1}(\varphi), \qquad \text{where } \Gamma_\varphi = \{\theta(x) : sort(x) \mid x \in dom(\theta)\}.
$$
