<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="CINDY"><SPECBODY>old asm specification 
   using <a href="../../../specs/ins/export/unit.xml">ins</a> 
         <a href="../../../../../gocard/documentsV6/specs/statuswords/export/unit.xml">statuswords</a> 
         <a href="../../../specs/all-nonces/export/unit.xml">all-nonces</a> <a href="../../../specs/generate-nonce/export/unit.xml">generate-nonce</a> 
         <a href="../../../specs/USER/export/unit.xml">USER</a> <a href="../../../specs/attacker-abilities/export/unit.xml">attacker-abilities</a> 
         <a href="../../../specs/ready-agent/export/unit.xml">ready-agent</a> <a href="../../../specs/SEND/export/unit.xml">SEND</a> 
         <a href="../../../specs/DISCONNECT/export/unit.xml">DISCONNECT</a> <a href="../../../specs/CONNECT+INIT/export/unit.xml">CONNECT+INIT</a> 
         <a href="../../../specs/cindy-step/export/unit.xml">cindy-step</a> 
         <a href="../../../specs/ticket-in-issued/export/unit.xml">ticket-in-issued</a> 
         <a href="../../../specs/customer-db/export/unit.xml">customer-db</a> 
         <a href="../../../specs/tickets-issued-to-ex-agents/export/unit.xml">tickets-issued-to-ex-agents</a> 
         <a href="../../../../../gocard/documentsV6/specs/smartcard-knowledge/export/unit.xml">smartcard-knowledge</a> 
         <a href="../../../specs/ASM-INIT/export/unit.xml">ASM-INIT</a>
    target 
         ;; Procedure signatures. Types to the left of ':' belong to value parameters, types to the
         ;; right belong to reference (var) parameters; compare the parameter lists in the
         ;; declaration part (for example CINDY-STEP takes all-nonces and customers by value).
         procedures 
            CINDY   : documentset × (agent → documentset) × (agent → nat → documentlist) × (nat → nonce) × nat × (agent → bool) × 
                      (agent → customer-db) × (agent → documentlist) × connections × (agent → documentlist) × (agent → noncelist) × 
                      (agent → noncelist) × (agent → noncelist) × (agent → documentlist) × (agent → documentlist) × (agent → documentlist) × 
                      (agent → document) × (agent → nonce) × bool nonfunctional indeterministic;
            CINDY-STEP  (nat → nonce) × (agent → customer-db) : documentset × (agent → documentset) × (agent → nat → documentlist) × nat × 
                                                                (agent → documentlist) × connections × (agent → documentlist) × (agent → noncelist) × 
                                                                (agent → noncelist) × (agent → noncelist) × (agent → documentlist) × 
                                                                (agent → documentlist) × (agent → documentlist) × (agent → document) × (agent → nonce) × 
                                                                bool nonfunctional indeterministic;
            CLIENT  agent × connections : documentset × (agent → nat → documentlist) × (agent → documentlist) nonfunctional indeterministic;
            CELL-PHONE  agent × connections : documentset × (agent → nat → documentlist) × (agent → documentlist) × (agent → documentlist) × 
                                              (agent → documentlist) nonfunctional indeterministic;
            CINEMA  agent × (nat → nonce) × (agent → customer-db) × connections : documentset × (agent → nat → documentlist) × nat × 
                                                                                  (agent → noncelist) × (agent → noncelist) × (agent → noncelist) × 
                                                                                  (agent → documentlist) × (agent → documentlist) × (agent → document) × 
                                                                                  (agent → nonce) nonfunctional indeterministic;
         ;; State variables of the model. As used in the procedures below:
         ;;   attacker-known  is read by ATTACKER-SEND and passed by reference to SEND;
         ;;   accepted, rejected, presented, accepted-with-presenter and issued are written by CINEMA;
         ;;   booked is written by CLIENT and CELL-PHONE, tickets and passedOn by CELL-PHONE.
         ;; inputs, all-nonces, next-nonce and newConnection are not declared here; presumably they
         ;; come from the imported specifications (to be confirmed there).
         variables 
            receiver : int; 
            attacker-known, attacker-known0 : documentset; 
            user-known, user-known0 : agent → documentset; 
            customers, customers0 : agent → customer-db; 
            the-customer-db : customer-db; 
            tickets : agent → documentlist; 
            connections : connections; 
            passedOn : agent → documentlist; 
            accepted, rejected, presented : agent → noncelist; 
            issued, booked : agent → documentlist; 
            newTicket : agent → document; 
            newNonce, newNonce0 : agent → nonce; 
            stop : bool; 
            all-nonces0 : nat → nonce; 
            send-mode : transport-mode; 
            inmsg : document; 
            inport : nat; 
            indoc : document; 
            accepted-with-presenter : agent → documentlist; 
   declaration 
      ;; Top-level run of the model: INIT sets up the state, then CINDY-STEP is repeated while the
      ;; loop condition holds. Every state component is handed over by reference (var).
      asm
      : CINDY (
              var attacker-known, user-known, inputs, all-nonces, next-nonce, newConnection, customers, tickets, connections, passedOn, accepted, 
                  rejected, presented, accepted-with-presenter, issued, booked, newTicket, newNonce, stop
              )
          begin 
             INIT(; attacker-known, user-known, inputs, all-nonces, next-nonce, newConnection, customers, tickets, connections, passedOn, accepted, 
                    rejected, presented, accepted-with-presenter, issued, booked, newTicket, newNonce, stop
                  ) ; 
             ;; The run continues until stop has been set AND real-issued(issued(cinema)) is contained
             ;; in presented(cinema). A run therefore ends only after every entry selected by
             ;; real-issued has been presented at the cinema.
             ;; NOTE(review): real-issued is defined in an imported specification; check there which
             ;; issued entries it selects.
             while ¬ stop ∨ ¬ real-issued(issued(cinema)) ⊆ presented(cinema)
             do CINDY-STEP(all-nonces, customers
                           ; attacker-known, user-known, inputs, next-nonce, tickets, connections, passedOn, accepted, rejected, presented, 
                             accepted-with-presenter, issued, booked, newTicket, newNonce, stop
                           )
          end;
      ;; One scheduler step: a step kind is chosen nondeterministically among those whose guard
      ;; holds, the matching procedure is run for a suitable agent, and stop is assigned afterwards.
      ;; all-nonces and customers are value parameters, so no step can change them.
      CINDY-STEP
      : CINDY-STEP (all-nonces, customers
                   ; var attacker-known, user-known, inputs, next-nonce, tickets, connections, passedOn, accepted, rejected, presented, 
                         accepted-with-presenter, issued, booked, newTicket, newNonce, stop
                   )
          begin 
             ;; Guard: a step kind may only be chosen if it is enabled (a connection change is
             ;; possible, or an agent of the required kind is ready).
             ;; NOTE(review): the guards for client-st and cinema-st test the constants ticket-client
             ;; and cinema, while the branches below choose any agent with client?/cinema?. The two
             ;; agree only if those constants are the only agents satisfying the predicates; confirm
             ;; in the agent specification.
             var  cindy-step
             with (  (cindy-step = connect → connect-possible(connections)) ∧ (cindy-step = disconnect → disconnect-possible(connections))
                   ∧ (cindy-step = attacker-st → (∃ agent. attacker?(agent) ∧ ready?(agent, connections, inputs)))
                   ∧ (cindy-step = user-st → (∃ agent. user?(agent) ∧ ready?(agent, connections, inputs)))
                   ∧ (cindy-step = client-st → ready?(ticket-client, connections, inputs))
                   ∧ (cindy-step = cell-phone-st → (∃ agent. cell-phone?(agent) ∧ ready?(agent, connections, inputs)))
                   ∧ (cindy-step = cinema-st → ready?(cinema, connections, inputs)))
             in if cindy-step = connect
                then CONNECT(; connections, inputs)
                else if cindy-step = disconnect
                     then DISCONNECT(; connections, inputs)
                     else if cindy-step = attacker-st
                          ;; ATTACKER-SEND receives attacker-known by value and only inputs by reference:
                          ;; an attacker step can change the message queues but not attacker-known.
                          ;; attacker-known is passed by reference only to the honest procedures below.
                          then var  agent
                               with (attacker?(agent) ∧ ready?(agent, connections, inputs))
                               in ATTACKER-SEND(agent, connections, attacker-known; inputs)
                          else if cindy-step = user-st
                               then var  agent
                                    with (user?(agent) ∧ ready?(agent, connections, inputs))
                                    in USER(agent, connections; user-known, inputs)
                               else if cindy-step = client-st
                                    then var  agent
                                         with (client?(agent) ∧ ready?(agent, connections, inputs))
                                         in CLIENT(agent, connections; attacker-known, inputs, booked)
                                    else if cindy-step = cell-phone-st
                                         then var  agent
                                              with (cell-phone?(agent) ∧ ready?(agent, connections, inputs))
                                              in CELL-PHONE(agent, connections; attacker-known, inputs, tickets, passedOn, booked)
                                         else if cindy-step = cinema-st
                                              then var  agent
                                                   with (cinema?(agent) ∧ ready?(agent, connections, inputs))
                                                   in CINEMA(agent, all-nonces, customers, connections
                                                             ; attacker-known, inputs, next-nonce, accepted, rejected, presented, 
                                                               accepted-with-presenter, issued, newTicket, newNonce
                                                             ) ; 
             ;; stop gets a new value after the step; [?] presumably denotes an arbitrary value, so
             ;; the environment may request termination at any point (confirm against the KIV syntax).
             stop := [?]
          end;
      ;; Internet ticket client: consumes one queued message and, if it is a well-formed
      ;; buyInternet order that arrived on port 1, records it in booked and forwards it unchanged
      ;; on port 2. Any other message is consumed without effect.
      CLIENT
      : CLIENT (agent, connections; var attacker-known, inputs, booked)
          begin 
             var outdoc = ⊥, outport = 1, inmsg = ⊥, inport = 0, send-mode = normal, receiver = 0
             ;; Choose any port with a pending message; this inner inport shadows the default above.
             in var  inport
                with inputs(agent)(inport) ≠ []
                in var inmsg = inputs(agent)(inport) .first
                   ;; Part 2 of the message is treated as the payload document.
                   in var indoc = get-part(inmsg, 2)
                      in begin 
                            ;; The message is dequeued before it is inspected, so input that fails
                            ;; the check below is dropped rather than left in the queue.
                            inputs(agent) := (inputs(agent))[inport ; inputs(agent)(inport) .rest] ; 
                            ;; Shape check: a buyInternet command on port 1 whose data is a list of
                            ;; exactly three parts (int, secret, int).
                            if   is-comdoc(indoc) ∧ indoc .inst = buyInternet ∧ inport = 1 ∧ is-doclist(indoc .data) ∧ # indoc .data .list = 3
                               ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-secdoc(get-part(indoc .data, 2)) ∧ is-intdoc(get-part(indoc .data, 3))
                            then begin 
                                    ;; The order, including its secret part, is forwarded in normal mode.
                                    ;; NOTE(review): SEND takes attacker-known by reference; whether this
                                    ;; message becomes attacker knowledge depends on SEND and on
                                    ;; connections. Confirm there.
                                    booked(agent) := booked(agent) + indoc .data ' ; send-mode := normal ; outport := 2 ; outdoc := indoc
                                 end ; 
                            ;; outdoc is still ⊥ for every message that failed the check: nothing is sent.
                            if outdoc ≠ ⊥
                            then SEND(send-mode, outdoc, outport, receiver, agent, connections; attacker-known, inputs)
                         end
          end;
      ;; Cell phone: consumes one queued message and handles four commands, each accepted only on
      ;; a fixed port and with a fixed data shape: passon (port 1), loadTicket (port 2),
      ;; buyCell-Phone (port 1) and present (port 1). Any other message is consumed without effect.
      CELL-PHONE
      : CELL-PHONE (agent, connections; var attacker-known, inputs, tickets, passedOn, booked)
          begin 
             var outdoc = ⊥, outport = 1, inmsg = ⊥, inport = 0, send-mode = normal, receiver = 0
             in begin 
                   ;; Choose any port with a pending message; this inner inport shadows the default above.
                   var  inport
                   with inputs(agent)(inport) ≠ []
                   in var inmsg = inputs(agent)(inport) .first
                      in var indoc = get-part(inmsg, 2)
                         in begin 
                               ;; Dequeue first: a message that matches no branch is simply dropped.
                               inputs(agent) := (inputs(agent))[inport ; inputs(agent)(inport) .rest] ; 
                               ;; passon: data is (ticket index, receiver number). The index must be
                               ;; non-negative and below the number of stored tickets.
                               if   is-comdoc(indoc) ∧ inport = 1 ∧ indoc .inst = passon ∧ is-doclist(indoc .data) ∧ # indoc .data .list = 2
                                  ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-intdoc(get-part(indoc .data, 2)) ∧ get-int(get-part(indoc .data, 1)) ≥ 0
                                  ∧ i→n(get-int(get-part(indoc .data, 1))) &lt; # tickets(agent)
                               then begin 
                                       ;; Log (receiver number, ticket data) in passedOn and send the ticket
                                       ;; data directly to that number as a loadTicket command on port 2.
                                       ;; tickets(agent) is not modified here: the phone keeps its copy of
                                       ;; a ticket it has passed on.
                                       passedOn(agent) :=   passedOn(agent)
                                                          + doclist
                                                            (  get-part(indoc .data, 2) '
                                                             + get-part(tickets(agent)[i→n(get-int(get-part(indoc .data, 1)))], 2) ')
                                                            ' ; 
                                       send-mode := direct ; 
                                       receiver := get-int(get-part(indoc .data, 2)) ; 
                                       outport := 2 ; 
                                       outdoc := comdoc(loadTicket, get-part(tickets(agent)[i→n(get-int(get-part(indoc .data, 1)))], 2))
                                    end
                               ;; loadTicket: data is (int, nonce). It is stored together with part 1 of
                               ;; the message as long as the ticket store is below MAX-NO-TICKETS.
                               ;; NOTE(review): no check on the origin of the message is visible here; any
                               ;; well-shaped loadTicket on port 2 is stored. Part 1 of the message is
                               ;; presumably a sender identification added by the transport; confirm in SEND.
                               else if   is-comdoc(indoc) ∧ indoc .inst = loadTicket ∧ inport = 2 ∧ is-doclist(indoc .data) ∧ # indoc .data .list = 2
                                       ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-noncedoc(get-part(indoc .data, 2))
                                       ∧ # tickets(agent) &lt; MAX-NO-TICKETS
                                    then tickets(agent) := tickets(agent) + doclist(get-part(inmsg, 1) ' + indoc .data ') '
                                    ;; buyCell-Phone: data is (int, int). The order is recorded in booked and
                                    ;; sent directly to the number MAX-NORMAL-PHONE-NUMBER + 1 on port 2
                                    ;; (presumably the cinema's number; confirm in the agent specification).
                                    else if   is-comdoc(indoc) ∧ inport = 1 ∧ indoc .inst = buyCell-Phone ∧ is-doclist(indoc .data)
                                            ∧ # indoc .data .list = 2 ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-intdoc(get-part(indoc .data, 2))
                                         then begin 
                                                 booked(agent) := booked(agent) + indoc .data ' ; 
                                                 send-mode := direct ; 
                                                 receiver := n→i(MAX-NORMAL-PHONE-NUMBER + 1) ; 
                                                 outport := 2 ; 
                                                 outdoc := comdoc(buyCell-Phone, indoc .data)
                                              end
                                         ;; present: data is a ticket index within bounds.
                                         else if   is-comdoc(indoc) ∧ indoc .inst = present ∧ inport = 1 ∧ is-intdoc(indoc .data)
                                                 ∧ get-int(indoc .data) ≥ 0 ∧ i→n(get-int(indoc .data)) &lt; # tickets(agent)
                                              then begin 
                                                      ;; A stored ticket is (message part 1, (int, nonce)), so the
                                                      ;; nested get-part selects the nonce document. Only the nonce
                                                      ;; is sent, on port 3, and the ticket stays in tickets(agent).
                                                      send-mode := direct ; 
                                                      receiver := n→i(MAX-NORMAL-PHONE-NUMBER + 1) ; 
                                                      outport := 3 ; 
                                                      outdoc := get-part(get-part(tickets(agent)[i→n(get-int(indoc .data))], 2), 2)
                                                   end
                            end ; 
                   ;; outdoc is still ⊥ for loadTicket and for every rejected message: nothing is sent.
                   if outdoc ≠ ⊥
                   then SEND(send-mode, outdoc, outport, receiver, agent, connections; attacker-known, inputs)
                end
          end;
      ;; Cinema: consumes one queued message. A nonce on port 3 is a presented ticket and is
      ;; accepted or rejected; a buyInternet order (port 1) or a buyCell-Phone order (port 2)
      ;; leads to a new ticket being issued and sent out. Any other message is consumed without effect.
      CINEMA
      : CINEMA (agent, all-nonces, customers, connections
               ; var attacker-known, inputs, next-nonce, accepted, rejected, presented, accepted-with-presenter, issued, newTicket, newNonce
               )
          begin 
             var outdoc = ⊥, outport = 1, inmsg = ⊥, inport = 0, send-mode = normal, receiver = 0
             in begin 
                   ;; Choose any port with a pending message; this inner inport shadows the default above.
                   var  inport
                   with inputs(agent)(inport) ≠ []
                   in var inmsg = inputs(agent)(inport) .first
                      in var indoc = get-part(inmsg, 2)
                         in begin 
                               ;; Dequeue first: a message that matches no branch is simply dropped.
                               inputs(agent) := (inputs(agent))[inport ; inputs(agent)(inport) .rest] ; 
                               if is-noncedoc(indoc) ∧ inport = 3
                               then begin 
                                       ;; Every presented nonce is logged, whether or not it is accepted.
                                       presented(agent) := presented(agent) + get-nonce(indoc) ' ; 
                                       ;; Acceptance needs both: the nonce occurs in issued and it has not
                                       ;; been accepted before. A second presentation of the same nonce
                                       ;; therefore falls into the rejected branch.
                                       if get-nonce(indoc) ∈ issued(agent) ∧ ¬ get-nonce(indoc) ∈ accepted(agent)
                                       then begin 
                                               accepted(agent) := accepted(agent) + get-nonce(indoc) ' ; 
                                               ;; The whole message is kept, not only the nonce, so the record
                                               ;; also holds message part 1.
                                               accepted-with-presenter(agent) := accepted-with-presenter(agent) + inmsg '
                                            end
                                       else rejected(agent) := rejected(agent) + get-nonce(indoc) '
                                    end
                               ;; buyInternet: data is (int, secret, int), the same shape CLIENT forwards.
                               else if   is-comdoc(indoc) ∧ inport = 1 ∧ indoc .inst = buyInternet ∧ is-doclist(indoc .data) ∧ # indoc .data .list = 3
                                       ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-secdoc(get-part(indoc .data, 2))
                                       ∧ is-intdoc(get-part(indoc .data, 3))
                                    then if get-secret(get-part(indoc .data, 2)) ∈ customers(agent)
                                         then begin 
                                                 ;; A ticket is issued only if the secret is known in customers(agent);
                                                 ;; otherwise the order is dropped without a reply.
                                                 ;; GENERATE-NONCE supplies the ticket nonce from all-nonces and
                                                 ;; next-nonce (presumably a fresh one; see generate-nonce).
                                                 var nonce = mknonce(0)
                                                 in begin 
                                                       GENERATE-NONCE(all-nonces; next-nonce, nonce) ; newNonce(agent) := nonce
                                                    end ; 
                                                 newTicket(agent) := doclist(get-part(indoc .data, 3) ' + noncedoc(newNonce(agent)) ') ; 
                                                 ;; The issued entry stores the customers(agent) entry for the secret,
                                                 ;; not the secret itself, plus data part 1 and the new ticket.
                                                 issued(agent) :=   issued(agent)
                                                                  + doclist
                                                                    (  intdoc(buyInternet) '
                                                                     +   intdoc(customers(agent)[get-secret(get-part(indoc .data, 2))]) '
                                                                       + get-part(indoc .data, 1) ' + newTicket(agent) ')
                                                                    ' ; 
                                                 ;; The ticket goes directly to the number given in data part 1.
                                                 send-mode := direct ; 
                                                 receiver := get-int(get-part(indoc .data, 1)) ; 
                                                 outport := 2 ; 
                                                 outdoc := comdoc(loadTicket, newTicket(agent))
                                              end
                                    ;; The layout attaches this else to the buyInternet shape test. Attaching it
                                    ;; to the inner customer check instead would give the same behaviour, because
                                    ;; this branch needs inport = 2 while the enclosing test needs inport = 1.
                                    ;; buyCell-Phone: data is (int, int). No secret is checked in this branch.
                                    else if   is-comdoc(indoc) ∧ inport = 2 ∧ indoc .inst = buyCell-Phone ∧ is-doclist(indoc .data)
                                            ∧ # indoc .data .list = 2 ∧ is-intdoc(get-part(indoc .data, 1)) ∧ is-intdoc(get-part(indoc .data, 2))
                                         then begin 
                                                 var nonce = mknonce(0)
                                                 in begin 
                                                       GENERATE-NONCE(all-nonces; next-nonce, nonce) ; newNonce(agent) := nonce
                                                    end ; 
                                                 newTicket(agent) := doclist(get-part(indoc .data, 2) ' + noncedoc(newNonce(agent)) ') ; 
                                                 ;; The issued entry records message part 1 (presumably the sender
                                                 ;; identification added by the transport; confirm in SEND) and data part 1.
                                                 ;; NOTE(review): the ticket is delivered to the number in data part 1,
                                                 ;; which comes from the message payload, while message part 1 is only
                                                 ;; logged. Confirm that the proved properties cover the case where the
                                                 ;; two differ.
                                                 issued(agent) :=   issued(agent)
                                                                  + doclist
                                                                    (  intdoc(buyCell-Phone) '
                                                                     + get-part(inmsg, 1) ' + get-part(indoc .data, 1) ' + newTicket(agent) ')
                                                                    ' ; 
                                                 send-mode := direct ; 
                                                 receiver := get-int(get-part(indoc .data, 1)) ; 
                                                 outport := 2 ; 
                                                 outdoc := comdoc(loadTicket, newTicket(agent))
                                              end
                            end ; 
                   ;; outdoc is still ⊥ after a presentation and after every rejected message: the
                   ;; cinema sends a reply only when it has issued a ticket.
                   if outdoc ≠ ⊥
                   then SEND(send-mode, outdoc, outport, receiver, agent, connections; attacker-known, inputs)
                end
          end;
end asm specification</SPECBODY></KIVSPEC>