DOI 10.1007/s00165-012-0269-9
BCS © 2012
Formal Aspects of Computing (2014) 26: 99–123
Formal verification of security protocol implementations: a survey

Matteo Avalle (1), Alfredo Pironti (2) and Riccardo Sisto (1)

(1) Dipartimento di Automatica e Informatica, Politecnico di Torino, Corso Duca degli Abruzzi, 24, 10129 Torino, Italy
(2) Prosecco, INRIA Paris-Rocquencourt, 23, Avenue d'Italie, 75013 Paris, France
Abstract. Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approach.
Keywords: Security protocols; Automated formal verification; Software verification; Sound refinement
1. Introduction
Background
Security protocols are communication protocols that aim to reach some goals despite the hostile activity of attackers that interfere with the protocol (e.g. by having access to the public channels used by protocol actors). Typical goals are concealing information from unauthorized parties or giving one actor assurance about the identity of another actor with which it is communicating. The typical means used for this purpose is cryptography.

Security protocols are generally used to protect something valuable. This is why high assurance about their correctness is highly desirable. Unfortunately, despite their simplicity, security protocols are quite difficult to get right. The main difficulties, experienced even by security experts, are not just related to the strength of the cryptographic algorithms employed (even if these problems must be faced too); when designing a novel security protocol it is necessary to take into consideration all possible behaviors of hypothetical attackers, including
Correspondence and offprint requests to: R. Sisto, E-mail: riccardo.sisto@polito.it
M. Avalle, E-mail: matteo.avalle@polito.it; A. Pironti, E-mail: alfredo.pironti@inria.fr