BMC4TimeSec: Verification Of Timed Security Protocols
We present BMC4TimeSec, an end-to-end tool for verifying Timed Security Protocols (TSP) based on SMT-based bounded model checking and multi-agent modelling in the form of Timed Interpreted Systems (TIS) and Timed Interleaved Interpreted Systems (TIIS). In BMC4TimeSec, TSP executions implement the TIS/TIIS environment (join actions, interleaving, delays, lifetimes), and knowledge automata implement the agents (evolution of participant knowledge, including the intruder). The code is publicly available on GitHub (https://github.com/agazbrzezny/BMC4TimeSec), as is a video demonstration (https://youtu.be/aNybKz6HwdA).
💡 Research Summary
BMC4TimeSec is an end‑to‑end verification tool for timed security protocols (TSPs) that combines SMT‑based bounded model checking (BMC) with multi‑agent semantics expressed as Timed Interpreted Systems (TIS) and Timed Interleaved Interpreted Systems (TIIS). The authors observe that many existing protocol verifiers either ignore temporal constraints or treat them in an oversimplified manner, which leaves a gap for attacks that exploit freshness windows, replay opportunities, and message lifetimes. To fill this gap, BMC4TimeSec models the environment as execution automata that control interleaving of multiple protocol sessions, step‑wise delays, and the clocks governing tickets or timestamps together with their validity periods. Each participant, including the Dolev‑Yao intruder, is represented by a knowledge automaton K(a,t) that records when the agent a learns term t. The intruder’s actions are gated by knowledge prerequisites, faithfully reflecting the feasibility of constructing messages in the classic intruder model.
The input to the tool consists of three parts: (i) a protocol description written in the familiar Alice‑Bob notation, (ii) a JSON file that encodes scenario‑specific overrides such as message spoofing, sender/receiver swaps, deadline changes, or explicit intruder injections, and (iii) a parameter k indicating the number of concurrent sessions to be generated. The pipeline proceeds as follows: (1) generate execution traces for k sessions and instantiate the JSON‑defined interpretations, (2) enrich the traces with explicit step delays and lifetime constraints, (3) automatically translate the enriched model into SMT‑LIB2 formulas that express reachability properties of the form EF(ψ), where ψ combines session termination conditions with knowledge predicates (e.g., K(I, secret)), (4) invoke an SMT solver (Z3) to check satisfiability, (5) if the property is violated, extract a counter‑example trace, and (6) visualise the trace in a web‑based GUI that steps through TIS/TIIS state changes and knowledge updates.
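The knowledge gating and the delay and lifetime constraints described above can be checked on one fixed interleaved trace, as in this added example, which is not BMC4TimeSec code. It replaces the SMT encoding and Z3 with a Bellman-Ford test over difference constraints; the `Step` layout, the function names and the sample trace are assumptions made for illustration.

```python
# Added illustration, not BMC4TimeSec code; Step fields and names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    sender: str
    receiver: str
    needs: frozenset    # terms the sender must already know
    carries: frozenset  # terms the receiver learns on delivery
    delay: tuple        # (min, max) duration of this step

def knowledge_ok(trace, initial):
    """Replay the knowledge automata: a send is enabled only by prior knowledge."""
    know = {agent: set(terms) for agent, terms in initial.items()}
    for s in trace:
        if not s.needs <= know.setdefault(s.sender, set()):
            return False
        know.setdefault(s.receiver, set()).update(s.carries)
    return True

def timing_feasible(trace, lifetimes):
    """Time point i precedes step i. Constraints t_v - t_u <= w become edges
    u -> v of weight w; they are satisfiable iff no negative cycle exists."""
    n = len(trace) + 1
    edges = []
    for i, s in enumerate(trace):
        lo, hi = s.delay
        edges += [(i, i + 1, hi), (i + 1, i, -lo)]  # lo <= t[i+1] - t[i] <= hi
    edges += list(lifetimes)                         # (issued, accepted, lifetime)
    dist = [0.0] * n
    for _ in range(n):
        changed = False
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v], changed = dist[u] + w, True
        if not changed:
            return True   # a consistent assignment of time points exists
    return False          # still relaxing after n passes: negative cycle

def attack_reachable(trace, initial, lifetimes):
    return knowledge_ok(trace, initial) and timing_feasible(trace, lifetimes)

T = frozenset({"ticket"})
# Constructed trace: I intercepts A's ticket, forwards it, then replays it to B.
REPLAY = [Step("A", "I", T, T, (1, 2)),
          Step("I", "B", T, T, (1, 2)),
          Step("I", "B", T, T, (4, 8))]
INITIAL = {"A": {"ticket"}}
```

With the lifetime entry `(0, 3, L)` the ticket issued at time point 0 must be accepted by time point 3 within `L` time units, so the replay is reachable for `L = 10` and ruled out for `L = 5`, because the minimum delays already sum to 6.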
Technically, BMC4TimeSec extends prior work (VerSecTis, VerSecTis‑T, and earlier TIS papers) in five major ways. First, it integrates dense‑time execution modeling with epistemic knowledge modeling within a single formalism. Second, it supports true interleaving of multiple sessions, enabling detection of attacks that only manifest when sessions overlap or when timing constraints interact across sessions. Third, the JSON‑based scenario language allows users to add new attack variants without modifying the core generator code, dramatically improving usability and extensibility. Fourth, the use of SMT‑BMC on TIIS provides a scalable method for exploring bounded traces while preserving the expressive power needed for dense‑time reasoning. Fifth, the tool supplies a visual counter‑example explorer and automatic report generation, making the results accessible to non‑experts.
The authors demonstrate the tool on a broad library of classic protocols, including the Needham‑Schroeder Public‑Key protocol (and Lowe’s fix), Wide‑Mouthed Frog, Denning‑Sacco, Kao‑Chow, Carlsen’s secret‑key initiator, Needham‑Schroeder Symmetric‑Key, Yahalom (and its variants), BAN, Woo‑Lam, Andrew, MobInfoSec, and SNEP. For each protocol they provide a “fair” (i.e., intended) variant and a collection of attack scenarios that go beyond those previously covered by VerSecTis. New attack classes include multi‑session replay, time‑dependent mix‑up attacks, non‑injective authentication violations (reuse of freshness elements), and long‑term key compromise scenarios.
Implementation-wise, the system consists of a Python‑based Alice‑Bob parser, a Python TIIS generator, a C++ SMT‑LIB2 formula generator, a Z3 launcher, and a Flask‑based GUI. The architecture is modular, allowing the same protocol specification to be re‑used across many interpretations and increasing numbers of sessions, thereby supporting reproducible experiments.
In the discussion, the authors acknowledge the late Prof. Mirek Kurkowski for inspiring the work and outline future directions: scaling to larger protocols, benchmarking against alternative SMT solvers, integrating with live network simulators for dynamic verification, and developing educational interfaces. Overall, BMC4TimeSec represents a significant step forward in the formal analysis of timed security protocols, offering a practical, extensible, and user‑friendly platform that bridges the gap between theoretical timed models and real‑world protocol engineering.