ProVerif: Cryptographic protocol verifier in the formal model

Project participants:

Former participants:

Xavier Allamigeon, Ben Smyth, Marc Sylvestre

ProVerif is an automatic cryptographic protocol verifier, in the formal model (so called Dolev-Yao model). This protocol verifier is based on a representation of the protocol by Horn clauses. Its main features are:

It can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key agreements, specified both as rewrite rules or as equations.
It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen approximations. This means that the verifier can give false attacks, but if it claims that the protocol satisfies some property, then the property is actually satisfied. The considered resolution algorithm terminates on a large class of protocols (the so-called "tagged" protocols). When the tool cannot prove a property, it tries to reconstruct an attack, that is, an execution trace of the protocol that falsifies the desired property.

ProVerif can prove the following properties:

secrecy (the adversary cannot obtain the secret)
authentication and more generally correspondence properties
strong secrecy (the adversary does not see the difference when the value of the secret changes)
equivalences between processes that differ only by terms

A survey of ProVerif with references to other papers is available at

Bruno Blanchet. Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif. Foundations and Trends in Privacy and Security, 1(1-2):1-135, October 2016. http://dx.doi.org/10.1561/3300000004

Downloads

To install ProVerif, you need to download:
- Either:
  - the source package ProVerif version 2.04 source (gzipped tar file) under the GNU General Public License
  - or the binary package ProVerif version 2.04, for Windows, under the GNU General Public License
- and the documentation package ProVerif version 2.04, documentation.
README (please read this, it contains important information)
User manual (also included in the documentation package)
For Opam users, ProVerif can also be installed via Opam (opam install proverif).
For StatVerif users: StatVerif is distributed as a patch for ProVerif 1.86pl4, so we still make ProVerif 1.86pl4 sources available under the GNU General Public License. (For all other usages, we recommend using the most recent version of ProVerif.)

Demo

An online demo for ProVerif is available (by Sreekanth Malladi and Bruno Blanchet).

Mailing List

A mailing list is available for general discussions on ProVerif. I post announcements for new releases of ProVerif on this list.

To subscribe to the list, send an email to sympa-AT-inria.fr (replace -AT- with @) with subject "subscribe proverif <your name>" (without quotes) or use this web form.
To post on the list, send an email to proverif-AT-inria.fr (replace -AT- with @. Note: to avoid spam, you must subscribe to the list in order to be allowed to post.)

Applications of ProVerif

ProVerif has been tested on protocols of the literature with very encouraging results: many examples of protocols can be verified by this tool with small resources, often in less than 1 s.
Certified email protocol (SAS'03), with Martín Abadi.
JFK (ESOP'04), with Martín Abadi and Cédric Fournet.
Plutus filesystem (S&P'08), with Avik Chaudhuri.
Signal (EuroS&P'17), with Nadim Kobeissi and Karthikeyan Bhargavan
TLS 1.3 Draft 18 (S&P'17), with Karthikeyan Bhargavan and Nadim Kobeissi
ARINC823 avionic protocols (CSF'17)
References of papers, tools, courses by other authors that use ProVerif

ProVerif editors

A ProVerif editor (in Python) by Joeri de Ruiter.
A ProVerif mode for the text editor Atom by Vincent Cheval.
A Vim mode for several protocol verification tools, including ProVerif and CryptoVerif.
Eclipse plug-in by Rémi Garcia and Paolo Modesti
Extension for Visual Studio Code by Georgio Nicolas
There is also a ProVerif mode for emacs, included in the ProVerif distribution.

Your feedback and bug reports are welcome.

Publications on this topic

[1]: Bruno Blanchet, Vincent Cheval, and Véronique Cortier. ProVerif with lemmas, induction, fast subsumption, and much more. In IEEE Symposium on Security and Privacy (S&P'22), pages 205-222, San Francisco, CA, May 2022. IEEE Computer Society.
[2]: Bruno Blanchet. The Security Protocol Verifier ProVerif and its Horn Clause Resolution Algorithm. In 9th Workshop on Horn Clauses for Verification and Synthesis, EPTCS. Open Publishing Association, 2022. To appear.
[3]: Bruno Blanchet and Ben Smyth. Automated reasoning for equivalences in the applied pi calculus with barriers. Journal of Computer Security, 26(3):367-422, 2018.
[4]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. The Applied Pi Calculus: Mobile Values, New Names, and Secure Communication. Journal of the ACM, 65(1):1:1-1:41, October 2017.
[5]: Bruno Blanchet. Symbolic and Computational Mechanized Verification of the ARINC823 Avionic Protocols. In 30th IEEE Computer Security Foundations Symposium (CSF'17), pages 68-82, Santa Barbara, CA, USA, August 2017. IEEE.
[6]: Bruno Blanchet. Symbolic and computational mechanized verification of the ARINC823 avionic protocols. Research Report RR-9072, Inria, May 2017. Available at https://hal.inria.fr/hal-01527671.
[7]: Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi. Verified models and reference implementations for the TLS 1.3 standard candidate. Research Report RR-9040, Inria, May 2017. Available at https://hal.inria.fr/hal-01528752.
[8]: Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi. Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate. In IEEE Symposium on Security and Privacy (S&P'17), pages 483-503, San Jose, CA, May 2017. IEEE. Distinguished paper award.
[9]: Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach. In 2nd IEEE European Symposium on Security and Privacy (EuroS&P'17), pages 435-450, Paris, France, April 2017. IEEE.
[10]: Bruno Blanchet. Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif. Foundations and Trends in Privacy and Security, 1(1-2):1-135, October 2016.
[11]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. The applied pi calculus: Mobile values, new names, and secure communication. Report arXiv:1609.03003, September 2016. Revised July 2017. Available at http://arxiv.org/abs/1609.03003.
[12]: Bruno Blanchet and Ben Smyth. Automated reasoning for equivalences in the applied pi calculus with barriers. In 29th IEEE Computer Security Foundations Symposium (CSF'16), pages 310-324, Lisboa, Portugal, June 2016. IEEE.
[13]: Bruno Blanchet and Ben Smyth. Automated reasoning for equivalences in the applied pi calculus with barriers. Research report RR-8906, Inria, April 2016. Available at https://hal.inria.fr/hal-01306440.
[14]: Bruno Blanchet. Automatic Verification of Security Protocols in the Symbolic Model: the Verifier ProVerif. In Alessandro Aldini, Javier Lopez, and Fabio Martinelli, editors, Foundations of Security Analysis and Design VII, FOSAD Tutorial Lectures, volume 8604 of Lecture Notes in Computer Science, pages 54-87. Springer, 2014.
[15]: Vincent Cheval and Bruno Blanchet. Proving More Observational Equivalences with ProVerif. In David Basin and John Mitchell, editors, 2nd Conference on Principles of Security and Trust (POST 2013), volume 7796 of Lecture Notes in Computer Science, pages 226-246, Rome, Italy, March 2013. Springer.
[16]: Bruno Blanchet. Using Horn Clauses for Analyzing Security Protocols. In Véronique Cortier and Steve Kremer, editors, Formal Models and Techniques for Analyzing Security Protocols, volume 5 of Cryptology and Information Security Series, pages 86-111. IOS Press, March 2011.
[17]: Bruno Blanchet. Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security, 17(4):363-434, July 2009.
[18]: Martín Abadi (invited speaker), Bruno Blanchet, and Hubert Comon-Lundh. Models and Proofs of Protocol Security: A Progress Report. In Ahmed Bouajjani and Oded Maler, editors, 21st International Conference on Computer Aided Verification (CAV'09), volume 5643 of Lecture Notes in Computer Science, pages 35-49, Grenoble, France, June 2009. Springer.
[19]: Bruno Blanchet. Vérification automatique de protocoles cryptographiques : modèle formel et modèle calculatoire. Automatic verification of security protocols: formal model and computational model. Mémoire d'habilitation à diriger des recherches, Université Paris-Dauphine, November 2008. En français avec publications en anglais en annexe. In French with publications in English in appendix.
[20]: Bruno Blanchet and Avik Chaudhuri. Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In IEEE Symposium on Security and Privacy, pages 417-431, Oakland, CA, May 2008. IEEE.
[21]: Bruno Blanchet. Automatic verification of correspondences for security protocols. Report arXiv:0802.3444v1, February 2008. Available at http://arxiv.org/abs/0802.3444v1.
[22]: Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, 75(1):3-51, February-March 2008.
[23]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. ACM Transactions on Information and System Security (TISSEC), 10(3):1-59, July 2007.
[24]: Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming, 58(1-2):3-27, October 2005. Special issue SAS'03.
[25]: Bruno Blanchet. Security Protocols: From Linear to Classical Logic by Abstract Interpretation. Information Processing Letters, 95(5):473-479, September 2005.
[26]: Bruno Blanchet. An Automatic Security Protocol Verifier based on Resolution Theorem Proving (invited tutorial). In 20th International Conference on Automated Deduction (CADE-20), Tallinn, Estonia, July 2005.
[27]: Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pages 331-340, Chicago, IL, June 2005. IEEE Computer Society.
[28]: Xavier Allamigeon and Bruno Blanchet. Reconstruction of Attacks against Cryptographic Protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140-154, Aix-en-Provence, France, June 2005. IEEE Computer Society.
[29]: Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. Theoretical Computer Science, 333(1-2):67-90, March 2005. Special issue FoSSaCS'03.
[30]: Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM, 52(1):102-146, January 2005.
[31]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.
[32]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In IEEE Symposium on Security and Privacy, pages 86-100, Oakland, California, May 2004.
[33]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. In David Schmidt, editor, Programming Languages and Systems: Proceedings of the 13th European Symposium on Programming (ESOP'04), volume 2986 of Lecture Notes in Computer Science, pages 340-354, Barcelona, Spain, March 2004. Springer.
[34]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In Dagstuhl seminar Language-Based Security, October 2003.
[35]: Bruno Blanchet. Automatic Verification of Cryptographic Protocols: A Logic Programming Approach (invited talk). In 5th ACM-SIGPLAN International Conference on Principles and Practice of Declarative Programming (PPDP'03), pages 1-3, Uppsala, Sweden, August 2003. ACM.
[36]: Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. In Radhia Cousot, editor, Static Analysis, 10th International Symposium (SAS'03), volume 2694 of Lecture Notes in Computer Science, pages 316-335, San Diego, California, June 2003. Springer.
[37]: Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. In Andrew Gordon, editor, Foundations of Software Science and Computation Structures (FoSSaCS'03), volume 2620 of Lecture Notes in Computer Science, pages 136-152, Warsaw, Poland, April 2003. Springer.
[38]: Bruno Blanchet. From Secrecy to Authenticity in Security Protocols. In Manuel Hermenegildo and Germán Puebla, editors, 9th International Static Analysis Symposium (SAS'02), volume 2477 of Lecture Notes in Computer Science, pages 342-359, Madrid, Spain, September 2002. Springer.
[39]: Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. In 29th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages (POPL 2002), pages 33-44, Portland, Oregon, January 2002. ACM Press.
[40]: Bruno Blanchet. Abstracting Cryptographic Protocols by Prolog Rules (invited talk). In Patrick Cousot, editor, 8th International Static Analysis Symposium (SAS'2001), volume 2126 of Lecture Notes in Computer Science, pages 433-436, Paris, France, July 2001. Springer.
[41]: Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82-96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

Bruno Blanchet