/* * Returns true if the order is correct */ int correctLocalOrder (const System sys) { int flag; int checkRun (int r1) { int checkTerm (Term t) { if (!isTermVariable (t)) { int r2; int e1, e2; // t is a term from r2 that occurs in r1 r2 = TermRunid (t); e1 = firstOccurrence (sys, r1, t, ANYEVENT); if (e1 >= 0) { if (roledef_shift (sys->runs[r1].start, e1)->type == RECV) { e2 = firstOccurrence (sys, r2, t, SEND); if (e2 >= 0) { // thus, it should not be the case that e1 occurs before e2 if (isDependEvent (r1, e1, r2, e2)) { // That's not good! if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because ordering for term "); termSubstPrint (t); eprintf (" cannot be correct: the first send r%ii%i occurs after the receive r%ii%i.\n", r2, e2, r1, e1); } flag = false; return false; } } } } else { globalError++; eprintf ("error: term "); termSubstPrint (t); eprintf (" from run %i should occur in run %i, but it doesn't.\n", r2, r1); globalError--; error ("Abort"); } } return true; } return iterateLocalToOther (sys, r1, checkTerm); }
/** * Currently, inequality constraints are encoded using "NotEqual" claims. * * Here we check that their arguments have not become equal. If they are not * equal, there always exists a solution in which the values are different. The * solution generated by the algorithm that grounds the trace (for * visualisation) yields a compatible solution. * * Return true if okay - constraints can be met * Return false if not okay - at least one constraint violated * * Note that this function performs its own proof output if needed. * This allows it to pinpoint the exact constraint that is violated. * * Speed: this is certainly not the most efficient way to solve this. We are * looping over all regular events, even if there are not negative constraints * at all. Instead, we could simply collect a list of all negative constraints, * which would speed up iterating over it. */ int inequalityConstraints (const System sys) { int run; for (run = 0; run < sys->maxruns; run++) { if (sys->runs[run].protocol != INTRUDER) { int e; Roledef rd; rd = sys->runs[run].start; for (e = 0; e < sys->runs[run].step; e++) { if (rd->type == CLAIM) { // It's a claim if (isTermEqual (rd->claiminfo->type, CLAIM_Notequal)) { // TODO ASSERT: Message should be a pair for NotEqual claims if (isTermEqual (TermOp1 (rd->message), TermOp2 (rd->message))) { // Inequality violated, no solution exists that makes them inequal anymore. if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the pattern violates an inequality constraint based on the term "); termPrint (TermOp1 (rd->message)); eprintf (".\n"); } return false; } } } rd = rd->next; } } } return true; }
/** * When something is pruned here, the state space is not complete anymore. * *@returns true iff this state is invalid for some reason */ int prune_bounds (const System sys) { /* prune for time */ if (passed_time_limit ()) { // Oh no, we ran out of time! if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: ran out of allowed time (-T %i switch)\n", get_time_limit ()); } // Pruned because of time bound! sys->current_claim->timebound = 1; return 1; } /* prune for number of attacks if we are actually outputting them */ if (enoughAttacks (sys)) { // Oh no, we ran out of possible attacks! if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: we already found the maximum number of attacks.\n"); } return 1; } /* prune for proof depth */ if (proofDepth > switches.maxproofdepth) { // Hardcoded limit on proof tree depth if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: proof tree too deep: %i (-d %i switch)\n", proofDepth, switches.maxproofdepth); } return 1; } /* prune for trace length */ if (switches.maxtracelength < INT_MAX) { int tracelength; int run; /* compute trace length of current semistate */ tracelength = 0; run = 0; while (run < sys->maxruns) { /* ignore intruder actions */ if (sys->runs[run].protocol != INTRUDER) { tracelength = tracelength + sys->runs[run].step; } run++; } /* test */ if (tracelength > switches.maxtracelength) { // Hardcoded limit on proof tree depth if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: trace too long: %i (-l %i switch)\n", tracelength, switches.maxtracelength); } return 1; } } /* prune for runs */ if (sys->num_regular_runs > switches.runs) { // Hardcoded limit on runs if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: too many regular runs (%i).\n", sys->num_regular_runs); } return 1; } /* prune for role instances max */ if (tooManyOfRole (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: too many instances of a particular role.\n"); } return 1; } // This needs some foundation. Probably * 2^max_encryption_level //!@todo Remove later /** * This should be removed once the hidelevel lemma works correctly */ if (switches.experimental & 1) { if ((switches.match < 2) && (sys->num_intruder_runs > ((double) switches.runs * max_encryption_level * 8))) { // Hardcoded limit on iterations if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: %i intruder runs is too much. (max encr. level %i)\n", sys->num_intruder_runs, max_encryption_level); } return 1; } } // Limit on exceeding any attack length if (get_semitrace_length () >= attack_length) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: attack length %i.\n", attack_length); } return 1; } /* prune for cheaper */ if (switches.prune != 0 && attack_leastcost <= attackCost (sys)) { // We already had an attack at least this cheap. if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: attack cost exceeds a previously found attack.\n"); } return 1; } // Pruning involving the number of intruder actions { // Count intruder actions int actioncount; actioncount = countIntruderActions (); // Limit intruder actions in any case if (!switches.intruder) { if (actioncount > 0) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: no intruder allowed.\n", switches.maxIntruderActions); } return 1; } } // Limit on intruder events count if (actioncount > switches.maxIntruderActions) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: more than %i encrypt/decrypt events in the semitrace.\n", switches.maxIntruderActions); } return 1; } } // No pruning because of bounds return 0; }
/** * When something is pruned because of this function, the state space is still * considered to be complete. * *@returns true iff this state is invalid because of a theorem */ int prune_theorems (const System sys) { List bl; int run; // Check all types of the local agents according to the matching type if (!checkAllSubstitutions (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because some local variable was incorrectly substituted.\n"); } return true; } // Prune if agents are disallowed from performing multiple roles if (switches.oneRolePerAgent != 0) { if (multipleRolePrune (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because an agent may not perform multiple roles.\n"); } return true; } } // Prune if any initiator run talks to itself /** * This effectively disallows Alice from talking to Alice, for all * initiators. We still allow it for responder runs, because we assume the * responder is not checking this. */ if (switches.initUnique) { if (selfInitiators (sys) > 0) { // XXX TODO // Still need to fix proof output for this // // Pruning because some agents are equal for this role. return true; } } if (switches.respUnique) { if (selfResponders (sys) > 0) { // XXX TODO // Still need to fix proof output for this // // Pruning because some agents are equal for this role. return true; } } if (switches.roleUnique) { if (!agentsUniqueRoles (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because agents are not performing unique roles.\n"); } return true; } } /* The semantics imply that create event chose agent names, i.e., the range of rho is a subset of Agent. For chosen name attacks we may want to loosen that. However, this requires inserting receive events for the non-actor role variables of responders, and we don't have that yet, so technically this is a bug. Don't use. */ if (switches.chosenName) { // Check if all actors are agents for responders (initiators come next) run = 0; while (run < sys->maxruns) { if (!sys->runs[run].role->initiator) { Term actor; actor = agentOfRun (sys, run); if (!goodAgentType (actor)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the actor "); termPrint (actor); eprintf (" of run %i is not of a compatible type.\n", run); } return true; } } run++; } // Prune wrong agents type for initators if (!initiatorAgentsType (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: an initiator role does not have the correct type for one of its agents.\n"); } return true; } } else { // Prune wrong agents type for runs if (!allAgentsType (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned: some run does not have the correct type for one of its agents.\n"); } return true; } } // Check if the actors of all other runs are not untrusted if (sys->untrusted != NULL) { int run; run = 1; while (run < sys->maxruns) { if (sys->runs[run].protocol != INTRUDER) { if (sys->runs[run].rho != NULL) { Term actor; actor = agentOfRun (sys, run); if (actor == NULL) { error ("Agent of run %i is NULL", run); } if (!isAgentTrusted (sys, actor)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the actor of run %i is untrusted.\n", run); } return true; } } else { Protocol p; globalError++; eprintf ("error: Run %i: ", run); role_name_print (run); eprintf (" has an empty agents list.\n"); eprintf ("protocol->rolenames: "); p = (Protocol) sys->runs[run].protocol; termlistPrint (p->rolenames); eprintf ("\n"); error ("Aborting."); globalError--; return true; } } run++; } } // Check for redundant patterns { if (!non_redundant ()) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the pattern is redundant.\n"); } return true; } } // Check for violation of inequality constraints if (!inequalityConstraints (sys)) { // Prune, because violated return true; } /* * Check for correct orderings involving local constants * * TODO: Clarify how this works with agent name variables in a non strict-typed setting. */ if (!(switches.experimental & 8)) { if (!correctLocalOrder (sys)) { if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because this does not have the correct local order.\n"); } return true; } } /** * Check whether the bindings are valid */ bl = sys->bindings; while (bl != NULL) { Binding b; b = bl->data; // Check for "Hidden" interm goals //! @todo in the future, this can be subsumed by adding TERM_Hidden to the hidelevel constructs if (termInTerm (b->term, TERM_Hidden)) { // Prune the state: we can never meet this if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because intruder can never construct "); termPrint (b->term); eprintf ("\n"); } return true; } if (switches.experimental & 4) { // Check for SK-type function occurrences //!@todo Needs a LEMMA, although this seems to be quite straightforward to prove. // The idea is that functions are never sent as a whole, but only used in applications. //! @todo Subsumed by hidelevel lemma later if (isTermFunctionName (b->term)) { if (!inKnowledge (sys->know, b->term)) { // Not in initial knowledge of the intruder if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the function "); termPrint (b->term); eprintf (" is not known initially to the intruder.\n"); } return true; } } } // Check for encryption levels /* * if (switches.match < 2 *! @todo Doesn't work yet as desired for Tickets. Prove lemma first. */ if (switches.experimental & 2) { if (!hasTicketSubterm (b->term)) { if (term_encryption_level (b->term) > max_encryption_level) { // Prune: we do not need to construct such terms if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the encryption level of "); termPrint (b->term); eprintf (" is too high.\n"); } return true; } } } // To be on the safe side, we currently limit the encryption level. /** * This is valid *only* if there are no ticket-type variables. */ if (term_encryption_level (b->term) > max_encryption_level) { // Prune: we do not need to construct such terms if (sys->hasUntypedVariable) { sys->current_claim->complete = false; } if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the encryption level of "); termPrint (b->term); eprintf (" is too high.\n"); } return true; } /** * Prune on the basis of hidelevel lemma */ if (hidelevelImpossible (sys, b->term)) { // Prune: we do not need to construct such terms if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the hidelevel of "); termPrint (b->term); eprintf (" is impossible to satisfy.\n"); } return true; } bl = bl->next; } /* check for singular roles */ run = 0; while (run < sys->maxruns) { if (sys->runs[run].role->singular) { // This is a singular role: it therefore should not occur later on again. int run2; Term rolename; rolename = sys->runs[run].role->nameterm; run2 = run + 1; while (run2 < sys->maxruns) { Term rolename2; rolename2 = sys->runs[run2].role->nameterm; if (isTermEqual (rolename, rolename2)) { // This is not allowed: the singular role occurs twice in the semitrace. // Thus we prune. if (switches.output == PROOF) { indentPrint (); eprintf ("Pruned because the singular role "); termPrint (rolename); eprintf (" occurs more than once in the semitrace.\n"); } return true; } run2++; } } run++; } return false; }