- Added feature for multi-party protocols (weaker precondition on Reachable)

2007-01-16 17:22:51 +00:00 · 2007-01-16 17:22:51 +00:00 · eaa6ef1345
commit eaa6ef1345
parent a8cf31973b
8 changed files with 124 additions and 80 deletions
--- a/gui/Changelog.txt
+++ b/gui/Changelog.txt
@ -6,6 +6,11 @@ Scyther 1.0-beta6
 	
 	* Added Mac support (added universal binary)
 	* Fixed bug in scripting backend (e.g. with mpa.py)
+	* Added claim parameter for Reachable claim; Reachable,R means
+	  that role R should be trusted (as well as the actor), but not
+	  any other claim. This can be useful for showing stronger
+	  authentication properties of protocols with more than two
+	  parties.

 Scyther 1.0-beta5 

--- a/gui/Scyther/Bin/scyther-linux
+++ b/gui/Scyther/Bin/scyther-linux
--- a/src/claim.c
+++ b/src/claim.c
@ -707,6 +707,29 @@ arachne_claim_nisynch (const System sys, const int claim_run,
  return arachne_claim_authentications (sys, claim_run, claim_index, 1);
 }

+//! Are all agents trusted of the claim run (as required by the property?)
+int
+pruneClaimRunTrusted (const System sys)
+{
+  if (sys->trustedRoles == NULL)
+    {
+      // all agents need to be trusted
+      if (!isRunTrusted (sys, 0))
+	{
+	  return true;
+	}
+    }
+  else
+    {
+      // a subset is trusted
+      if (!isAgentlistTrusted (sys, sys->trustedRoles))
+	{
+	  return true;
+	}
+    }
+  return false;
+}
+
 //! Prune determination for specific properties
 /**
 * Sometimes, a property holds in part of the tree. Thus, we don't need to explore that part further if we want to find an attack.
@ -716,6 +739,19 @@ arachne_claim_nisynch (const System sys, const int claim_run,
 int
 prune_claim_specifics (const System sys)
 {
+  // generic status of (all) roles trusted or not
+  if (pruneClaimRunTrusted (sys))
+    {
+      if (switches.output == PROOF)
+	{
+	  indentPrint ();
+	  eprintf
+	    ("Pruned because all agents of the claim run must be trusted.\n");
+	}
+      return true;
+    }
+
+  // specific claims
  if (sys->current_claim->type == CLAIM_Niagree)
    {
      if (arachne_claim_niagree (sys, 0, sys->current_claim->ev))
@ -757,6 +793,10 @@ add_claim_specifics (const System sys, const Claimlist cl, const Roledef rd,
  /*
   * different cases
   */
+
+  // per default, all agents are trusted
+  sys->trustedRoles = NULL;
+
  if (cl->type == CLAIM_Secret)
    {
      int newgoals;
@ -791,6 +831,8 @@ add_claim_specifics (const System sys, const Claimlist cl, const Roledef rd,

  if (cl->type == CLAIM_Reachable)
    {
+      int flag;
+
      if (switches.check)
 	{
 	  // For reachability claims in check mode, we restrict the number of runs to the number of roles of this protocol
@ -801,7 +843,28 @@ add_claim_specifics (const System sys, const Claimlist cl, const Roledef rd,
 	  rolecount = termlistLength (protocol->rolenames);
 	  switches.runs = rolecount;
 	}
-      return callback ();
+      if (rd->message != NULL)
+	{
+	  sys->trustedRoles = tuple_to_termlist (rd->message);
+
+#ifdef DEBUG
+	  if (DEBUGL (2))
+	    {
+	      eprintf ("Trusted roles : ");
+	      termlistPrint (sys->trustedRoles);
+	      eprintf ("\n");
+	    }
+#endif
+	}
+
+      flag = callback ();
+
+      if (rd->message != NULL)
+	{
+	  termlistDelete (sys->trustedRoles);
+	  sys->trustedRoles = NULL;
+	}
+      return flag;
    }

  return callback ();
--- a/src/compiler.c
+++ b/src/compiler.c
@ -998,22 +998,7 @@ runInstanceCreate (Tac tc)
  roleInstance (sys, p, r, instParams, NULL);	// technically, we don't need to do this for Arachne [fix later]

  /* after creation analysis */
-  /* AC1: untrusted agents */
-  /*      first: determine whether the run is untrusted,
-   *      by checking whether one of the untrusted agents occurs
-   *      in the run instance  */
-  if (!isAgentlistTrusted (sys, instParams))
-    {
-      /* nothing yet */
-      /* claims handle this themselves */
-
-      /* some reduction might be possible, by cutting of the last few actions
-       * of such an untrusted run */
-
-      /* but most of it might be handled dynamically */
-    }
-
-  /* AC2: originator assumption for CLP ? */
+  /* originator assumption for CLP ? */
  /* TODO */
 }

--- a/src/prune_theorems.c
+++ b/src/prune_theorems.c
@ -246,18 +246,6 @@ prune_theorems (const System sys)
      return true;
    }

-  // Check if all agents of the main run are valid
-  if (!isRunTrusted (sys, 0))
-    {
-      if (switches.output == PROOF)
-	{
-	  indentPrint ();
-	  eprintf
-	    ("Pruned because all agents of the claim run must be trusted.\n");
-	}
-      return true;
-    }
-
  // Check if the actors of all other runs are not untrusted
  if (sys->untrusted != NULL)
    {
--- a/src/system.c
+++ b/src/system.c
@ -74,9 +74,11 @@ systemInit ()
  sys->knowledgedefined = false;	// currently, we have backwards compatibility for empty role knowledge defs (disabling well-formedness rules)
  sys->attackid = 0;		// First attack will have id 1, because the counter is increased before any attacks are displayed.

+  /* arachne assist */
  bindingInit (sys);
  sys->bindings = NULL;
  sys->current_claim = NULL;
+  sys->trustedRoles = NULL;

  /* reset global counters */
  systemReset (sys);
--- a/src/system.h
+++ b/src/system.h
@ -150,6 +150,7 @@ struct system
  /* Arachne assistance */
  List bindings;		//!< List of bindings
  Claimlist current_claim;	//!< The claim under current investigation
+  Termlist trustedRoles;	//!< Roles that should be trusted for this claim (the default, NULL, means all)
 };

 typedef struct system *System;