Formal Analysis of Protocols Based on TPM State Registers
The authors present a Horn-clause-based framework for analyzing security protocols that use Platform Configuration Registers (PCRs), which are registers for maintaining state inside the Trusted Platform Module (TPM). In their model, the PCR state space is unbounded, and their experience shows that a naive analysis using ProVerif or SPASS does not terminate. To address this, they extract a set of instances of the Horn clauses of their model, for which ProVerif does terminate on their examples. They prove the soundness of this extraction process: no attacks are lost, that is, any query derivable in the more general set of clauses is also derivable from the extracted instances.