=Paper=
{{Paper
|id=Vol-2987/paper11
|storemode=property
|title=On the Parameterized Verification of Abstract Models of Contact Tracing Protocols
|pdfUrl=https://ceur-ws.org/Vol-2987/paper11.pdf
|volume=Vol-2987
|authors=Sylvain Conchon,Giorgio Delzanno,Arnaud Sangnier
|dblpUrl=https://dblp.org/rec/conf/gandalf/ConchonDS21
}}
==On the Parameterized Verification of Abstract Models of Contact Tracing Protocols==
https://ceur-ws.org/Vol-2987/paper11.pdf
On the Parameterized Verification of Abstract
Models of Contact Tracing Protocols
Sylvain Conchon1 , Giorgio Delzanno2 and Arnaud Sangnier3
1
LRI, Universitè Paris, France
2
DIBRIS, University of Genova, Italy
3
IRIF, Universitè Paris Denis Diderot
Abstract
We present an automata-based formal model of distributed systems specifically devised to formalise
abstractions of Contact Tracing Protocols that combine Bluetooth and network communication. The
model combines pure names, read/write operations on first-order and higher-order variables and syn-
chronous communication primitives. The transition system models the interaction between devices in
the same physical location and between a single device and a notification server. To automatically vali-
date protocols in our formalism, we resort to an extension of the Cubicle SMT-based infinite-state model
checker, in which the monotonic abstraction applied during the predecessor computation is strengthen
by introducing abstract predicates obtained via Counting Abstraction.
1. Introduction
Contact tracing protocols, e.g., smartphone apps, are aimed at investigating who could have
been contaminated by a positively diagnosed person and alert them, see e.g. [1]. After the
COVID-19 pandemic, several protocols have been proposed as an automated support for this
task su as PEPP-PT, DP3T, ROBERT4 and NTK5. In general the system architecture is based on
a smart app, a notification server as in Publish/Subscribe architectures, and a possibly trusted
server. In order to reduce the risk of a malicious use of user data (see e.g. the attacks described
in [2, 1]), the protocols are based on frequent rotations of identifiers emitted via bluetooth.
In centralized versions of the protocol ephemeral identifiers are downloaded from a trusted
server. In decentralized versions ephemeral identifiers are generated by user apps. The user
app installed on the user device (e.g. Immuni in Italy) broadcasts the currently valid ephemeral
identifier. The same user app also collects all identifiers emitted in the same bluetooth range
and stores them locally. When users are diagnosed to be infected, they release a report to the
server. One possible implementation consists in sending the report to a central log database.
Users can then consult the database to check if they crossed their way with infected users, i.e.,
they share some ephemeral identifier with one of them.
Based on a preliminary study present at Overlay 2020 [3], in this paper we present an automata-
based formal model of distributed systems specifically devised to formalise abstractions of
Contact Tracing Protocols that combine Bluetooth and network communication. The model
OVERLAY 2021: 3rd Workshop on Artificial Intelligence and Formal Verification, Logic, Automata, and Synthesis,
September 22, 2021, Padova, Italy
Β© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073 CEUR Workshop Proceedings (CEUR-WS.org)
�combines pure names, read/write operations on first-order and higher-order variables and
synchronous communication primitives. The transition system models the interaction between
devices in the same physical location and between a single device and a notification server.
Violations of safety properties for this kind of protocols typically require universally quantified
conditions on global configurations (e.g. one user detects a contact while no user is positive).
To automatically validate protocols in our formalism, we resort to an extension of the Cubicle
SMT-based infinite-state model checker. Cubicle is a model checker that can be applied to
verify safety properties of array-based systems, a syntactically restricted class of parameterized
transition systems with states represented as arrays indexed by an arbitrary number of processes
[4, 5]. Cubicle integrates the SMT solver Alt-Ergo [6]. Cubicle input language is a typed version
of Murπ [7]. A system is describe in Cubicle by: a set of type, variable, and array declarations;
a formula for the initial states; and a set of transitions. A system execution is defined by an
infinite loop that at each iteration non-deterministically chooses a transition instance whose
guard is true in the current state; and updates state variables according to the action of the fired
transition instance.
To validate instances of our model, we will exhibit a general encoding in the Cubicle array-
based language and propose to refine the overapproximation of universally quantified precondi-
tions applied in the Cubicle backward procedure by introducing abstract predicates obtained
via Counting Abstraction.
2. Contact Tracing Systems
In this section we introduce a possible general formal model for contact tracing protocol. To
specify the protocol rules and behavior (computation), we will use a transition system defined
on configurations consisting of a set of states of individual users. User configurations contain a
local memory needed to store the list of emitted and received identifiers. System configurations
contain a global memory that can be used to gather and a set of user states that corresponds to
the current number of registered indivuals.
We will use the following general definitions: β is a denumerable set of pure names (identifiers)
containing the undefined label β₯; π is a finite set of message labels (π, π, π, . . . ); π is a finite set
of first order variables (identifiers) that are part of the local state of users (π₯, π¦, . . . ); π is a finite
set of second order variables (set of identifiers) that are part of the local state of users (π , π‘, . . . ).
We then define Act(π, π, π) the set of actions defined as follows: ππ(π₯, π¦) and πππ‘ππ(π₯, π¦),
where π₯, π¦ β π , ππ(π₯, π) and πππ‘ππ(π₯, π), where π₯ β π and π β π (Conditions); πππππ,
πππ€(π₯), where π₯ β π , ππππ π‘(π, π₯) and πππ(π, π₯), where π β π, π₯ β π ; πππ(π₯, π ), where
π₯ β π, π β π, πππ ππ‘(π ), where π β π, πππ(π, π ), where π β π, π β π (Operations).
A protocol is defined as a Data Automaton π = β¨π, π, π, π, π
, π0 β©, where π0 β π and
π
β π Γ Act(π, π, π ) Γ π. We assume here that ππππ π‘ and πππ actions are always defined
on distinct labels in π . Consider a protocol π = β¨π, π, π, π, π
, π0 β©. A process configuration
of π is a triple ππ = β¨π, πΏ, πΎβ© where: π β π is the current user state; πΏ : π β β is the current
evaluation of first order variables; πΎ : π β π«(β) is the current evaluation of second order
variables. We denote by π«π the set of process configurations. A global configuration of π is then
a pair (πΎ, Ξ), where πΎ β Nπ«π is a finite multiset of process configurations and Ξ : π β¦β π«(β)
�corresponds to a centralized memory. π’π denotes the set of global configurations. For π β π’π,
we will use πππ (π) to denote the set of pure names occurring in π. The operational semantics is
then defined as the minimal relation ββ π’ Γ π’ that satisfies the following property definitions
in which will use β to denote multiset union:
- π = β¨{β¨π, πΏ, πΎβ©} β πΎ, Ξβ© β β¨{β¨π β² , πΏ, πΎβ©} β πΎ, Ξβ© if one of the following conditions is satis-
fied: β¨π, πππππ, π β² β© β π
, β¨π, ππ(π₯, π¦), π β² β© β π
and πΏ(π₯) = πΏ(π¦) [for πππ‘ππ(π₯, π¦),πΏ(π₯) ΜΈ= πΏ(π¦)],
β¨π, ππ(π₯, π), π β² β© β π
and πΏ(π₯) β Ξ(π) [for πππ‘ππ(π₯, π¦) πΏ(π₯) ΜΈβ Ξ(π)].
- π = β¨{β¨π, πΏ, πΎβ©} β πΎ, Ξβ© β β¨{β¨π β² , πΏ β² , πΎβ©} β πΎ, Ξβ© if β¨π, πππ€(π₯), π β² β© β π
and πΏ β² (π₯) = ππ ΜΈβ
πππ (π), ππ ΜΈ= β₯, and πΏ β² (π¦) = πΏ(π¦) for π₯ ΜΈ= π¦.
- π = β¨{β¨π, πΏ, πΎβ©} β πΎ, Ξβ© β β¨{β¨π β² , πΏ, πΎ β² β©} β πΎ, Ξβ© if β¨π, πππ(π₯, π ), π β² β© β π
and πΎ β² (π ) =
πΎ(π ) βͺ {πΏ(π₯)} and πΎ β² (π‘) = πΎ(π‘) for π‘ ΜΈ= π .
- π = β¨{β¨π, πΏ, πΎβ©} β πΎ, Ξβ© β β¨{β¨π β² , πΏ, πΎ β² β©} β πΎ, Ξβ© if β¨π, πππ ππ‘(π ), π β² β© β π
and πΎ β² (π ) = β
and
πΎ β² (π‘) = πΎ(π‘) for π‘ ΜΈ= π .
- π = β¨{β¨π, πΏ, πΎβ©} β πΎ, Ξβ© β β¨{β¨π β² , πΏ, πΎβ©} β πΎ, Ξβ² β© if β¨π, πππ(π, π ), π β² β© β π
and Ξβ² (π) =
Ξ(π) βͺ πΎ(π ) and Ξβ² (π) = Ξ(π) for π ΜΈ= π.
- π = β¨{β¨π, πΏ, πΎβ©, β¨π1 , πΏ1 , πΎ1 β©, . . . , β¨ππ , πΏπ , πΎβ©π } β πΎ, Ξβ© β β¨πΎ β² , Ξβ© where
πΎ β² = {β¨π β² , πΏ, πΎβ©, β¨π1β² , πΏ1β² , πΎ1 β©, . . . , β¨ππβ² , πΏπβ² , πΎπ β©} β πΎ if π β₯ 0 and β¨π, ππππ π‘(π, π₯), π β² β© β π
and
for all π β [1, π], we have β¨ππ , πππ(π, π₯π ), ππβ² β© β π
and πΏπβ² (π₯π ) = πΏ(π₯) and πΏπβ² (π¦) = πΏπ (π¦) for
π¦ ΜΈ= π₯π .
For the resulting model, we are interested in safety properties for parameterized version
of a protocol instance. More specifically, given a protocol definition π and a given process
state ππ β π that denotes an error state, we would like to verify that global configurations that
contain occurrences of ππ are unreachable starting from any possibile initial configuration (i.e.
independently from the number of process instances). A similar property can be formulated
by adding an error flags to the server state instead of selecting a special error state in π. We
are also interested in properties expressed by violations in which global configurations contain
a process in state ππ while all other processes are in states contained in These properties are
referred to as control state reachability and constrained control state reachabiliy, respectively.
Violations of this kind of properties can be defined using quantified assertions, such as there
exists a process π in control state ππ and, for constrained properties, universally quantified
conditions on the control states of other processes. In the rest of the paper we will illustrate
how to encode our formalism in Cubicle and how to verify control state reachability problems
using the corresponding symbolic exploration procedure provided by the tool.
3. Case Studies: Contact Tracing Protocols
We present below a formal specifications of the protocol scheme of Contact Tracing applications
abstracting away identifier creation, i.e., assuming that user app generate fresh identifiers, and
reasoning within the validity epoch of identifiers, i.e., those maintained in local memory. The
system is composed of a finite but arbitrary number of user apps and of a server modeled via
a centralized memory. Each user apps has local variables π = {π₯, π¦, π§} and π = {ππ, ππ’π‘}.
Furthermore, π = {π, π} where π denotes beacon messages broadcasted by user apps, and
�π denotes report messages sent to the centralized memory. The user app starts their part of
protocol in state π0 and operate in three different modes.
In emitter mode the app generates and emits fresh beacons: β¨π0 , πππ€(π₯), π1 β©, the user app
generates a fresh identifier and stores it in the local variable π₯; β¨π1 , πππ(π₯, ππ’π‘), π2 β©, in π1 the
fresh identifier stored in π₯ is added to the local memory ππ’π‘; β¨π2 , ππππ π‘(π, π₯), π2 β©, β¨π2 , πππππ, π0 β©,
in π2 the user app either emits the message (π, π₯) or returns to the initial state in order to apply
a rotation scheme for the beacon identifiers or perform other steps. In reception mode the app,
while in any state π0 β π β {π1 , π 2 }, receives a beacon, stores it in the local memory ππ, and
then returns to the current state: β¨π0 , πππ(π, π¦), π1 β© in state π0 the user is always ready to receive
beacons; β¨π1 , πππ(π¦, ππ), π0 β©, in state π1 the beacon is stored in the local memory ππ. In report
mode, enabled only in state π0 = π0 , the app sends its local memory ππ’π‘ to the server and
moves to the halt state π1 : β¨π0 , π πππ(π, ππ’π‘), π1 β©. In query mode, enabled only in state π 0 = π0 ,
the user app selects a beacon π§ from the local memory ππ, i.e., β¨π 0 , π ππ(ππ, π§), π 1 β©, sends it to
the server to check whether it has been reported by another app or not. In the former case it
moves to the halting state π 2 , i.e, β¨π 1 , ππ(π, π₯), π 2 β©. In the latter case it returns to state π 0 , i.e,
β¨π 1 , πππ‘ππ(π, π₯), π 0 β©.
4. From Data Automata to Cubicle
Let us now discuss how to model a protocol definition π = β¨π, π, π, π, π
, π0 β© in Cubicle. A
global configuration is a pair (πΎ, Ξ), where πΎ is a finite multiset of process configurations
and Ξ corresponds to a centralized memory. The encoding if Ξ is quite immediate since we
can represent the global memory as a finite set of unbounded arrays π΄π1 , . . . , π΄ππ with cells
of Boolean type one for each ππ β π . The array π΄π is such that π΄π [π₯] = π ππ’π if and only
if π₯ β Ξ(π) for each pair π₯, π. For the encoding of πΎ we can proceed in several different
ways. Remember that a process configuration is a triple ππ = β¨π, πΏ, πΎβ©, in which π β π but is
the current user state, πΏ is the current evaluation of first order variables; and πΎ is the current
evaluation of second order variables. One possible encoding is defined as follows: To represent
control states, we introduce an unbounded array π π‘ππ‘π that associates an enumerative type
associated to π to represent the current state of each process, i.e., π π‘ππ‘π[π] = π if process π is in
state π. To represent the current state of a first order variable π£ we can introduce an unbounded
array π£πππ£ such that π£πππ£ [π] = π if πΏ(π£) = π holds in πππ (in process π). To represent the current
state of a second order variable π we can introduce an unbounded bidimensional array π£πππ such
that π£πππ [π, π] = π ππ’π if and only if π β πΎ(π ) holds in πππ (in process π). Transition rules can
then be expressed via Cubicle transition rules. In particular, to model send operation involving
second order variables, we can use global operations on arrays, in which all cells of an arrays
are copied into another one (whole-place operations in Petri net languages).
The Cubicle verification engine is based on symbolic backward exploration. Cubicle operates
over sets of existentially quantified formulas called cubes. Formulas containing universally
quantified formulas (generated during the computation of predecessors) are over-approximated
by existentially quantified formulas. In other words Cubicle applies monotone abstraction [8]
and over-approximates predecessors via upward-closed sets of configurations. Infinite sets of
unsafe states (bad configurations) are symbolically defined by using π’ππ ππ π constraints in
�which all variables are implicitly existentially quantified. In our case studies we are interested
in checking the consistency between local and global information. More specifically, when user
π queries the server, she/he supposed to receive a notification only in presence of at least one
positive user who emitted a beacon that has been received by π . The server does not maintain
any association between identities and beacons collected in the log. Consistency of global and
local states combined with the privacy preservation property of the protocol can be tested by
adding an Error state and a special rule in which we only compare local states of different users.
Namely, the rule generates an error whenever there exist a user π in the Contact state without
any positive user in the global system. If this happens the protocol does not trace physical
contacts in correct way. The property is expressed by adding a global Error flag
Error: bool
together with the following rule:
transition bad(v)
requires { Contact[v] = True && forall_other u. (Pos[u] = False) }
{ Error := True; }
To validate the considered properties, we define the following assertion that specifies bad
configurations in the sense of control state reachability,
unsafe () { Error = True }
i.e., configurations of any size in which Error is True. Due to the presence of universally
quantified conditions both in the protocol rule and in the precondition of the error rule, there
is no termination guarantee on the execution of the verification task in Cubicle. Furthermore,
when terminating the tool may return spurious traces as in our case study. Indeed , Cubicle,
after visiting 41 cubes, detects a spurious trace of the form: start(#3, #2) -> in(#1, #2) -> end(#1,
#2) -> report(#3) -> query(#1, #2) -> bad(#1) -> unsafe.
The imprecision here is due to the over-approximation introduced via monotone abstraction.
Preconditions with universally quantified guards are transformed into post-conditions, and
thus they are not propagated through different steps of predecessor computations. Since in the
correctness property of the protocol local states are put in relation via hidden data (not explicitly
mentioned in control states) stored in the server memory, it seems necessary to strengthen
the symbolic reasoning procedure with some form of propagation of universally quantified
conditions. One solutions comes from the combination of the existentially quantified formulas
used to represent sets of states in Cubicle (cubes) with other forms of constraints on the global
configuration e.g. constraints inspired to counting abstraction used in Petri nets. More in detail,
we enrich our assertions by adding counters that keep track of the number of users in a given
state. For our purposes, we will focus only on a counter associated to the Pos flag. We now
add a global variable Count whose initial state is defined as Count=0. The counter is updated
in the report rule (πΆππ’ππ‘ β₯ 0 is added to the guard and πΆππ’ππ‘ := πΆππ’ππ‘ + 1 is added to the
body off the transition) and used as precondition in the error rule as specified below.
transition bad(v)
requires { Pos[v] = False && Contact[v] = True && Count = 0 }
{ Error := True; }
�The enriched assertional language combining array formulas (for expressing precise properties
of individual processes and of global variables) and Presburger constraints (for expressing global
constraints via the counting abstraction) is the key point in order to enforce termination and
prove correctness for the desired property. When executed on the refined model, Cubicle proves
the model SAFE after visiting 10 cubes and performing 138 fixpoint tests and 41 SMT solver
calls.
Although not yet implemented, the above mentioned strategy could be incorporated into
the Cubicle algorithm for instance by associating counters to specific control states and by
generating counter manipulation operations in each transition rule via a preliminary static
analysis of the Cubicle specification as done in our example via human ingenuity.
References
[1] S. Vaudenay, Centralized or decentralized? the contact tracing dilemma, IACR Cryptol.
ePrint Arch. 2020 (2020) 531. URL: https://eprint.iacr.org/2020/531.
[2] G. Avitabile, V. Botta, V. Iovino, I. Visconti, Towards defeating mass surveillance and sars-
cov-2: The pronto-c2 fully decentralized automatic contact tracing system, IACR Cryptol.
ePrint Arch. 2020 (2020) 493.
[3] P. A. Abdulla, M. F. Atig, G. Delzanno, M. Montali, A. Sangnier, On the formalization of
decentralized contact tracing protocols, in: Proceedings of the 2nd Workshop on Artificial
Intelligence and Formal Verification, Logic, Automata, and Synthesis hosted by the Bolzano
Summer of Knowledge 2020 (BOSK 2020), September 25, 2020, volume 2785 of CEUR
Workshop Proceedings, CEUR-WS.org, 2020, pp. 65β70.
[4] S. Conchon, A. Goel, S. Krstic, A. Mebsout, F. ZaΓ―di, Cubicle: A parallel smt-based model
checker for parameterized systems - tool paper, in: Computer Aided Verification - 24th
International Conference, CAV 2012, Berkeley, CA, USA, July 7-13, 2012 Proceedings, 2012,
pp. 718β724.
[5] A. Mebsout, InfΓ©rence dβinvariants pour le model checking de systΓ¨mes paramΓ©trΓ©s. (Invari-
ants inference for model checking of parameterized systems), Ph.D. thesis, University of
Paris-Sud, Orsay, France, 2014.
[6] https://alt-ergo.ocamlpro.com/, 2021.
[7] D. L. Dill, The murphi verification system, in: Computer Aided Verification, 8th International
Conference, CAV β96, New Brunswick, NJ, USA, July 31 - August 3, 1996, Proceedings,
volume 1102 of Lecture Notes in Computer Science, 1996, pp. 390β393.
[8] P. A. Abdulla, G. Delzanno, N. B. Henda, A. Rezine, Monotonic abstraction: on efficient
verification of parameterized systems, Int. J. Found. Comput. Sci. 20 (2009) 779β801. doi:10.
1142/S0129054109006887.
�