# Attack Trees in Isabelle -- CTL semantics, correctness and completeness

In this paper, we present a proof theory for attack trees. Attack trees are a well established and useful model for the construction of attacks on systems since they allow a stepwise exploration of high level attacks in application scenarios. Using the expressiveness of Higher Order Logic in Isabelle, we succeed in developing a generic theory of attack trees with a state-based semantics based on Kripke structures and CTL. The resulting framework allows mechanically supported logic analysis of the meta-theory of the proof calculus of attack trees and at the same time the developed proof theory enables application to case studies. A central correctness result proved in Isabelle establishes a connection between the notion of attack tree validity and a CTL attack statement. The application is illustrated on an insider attack on healthcare IoT systems.

## Authors

• 9 publications
03/17/2018

### Attack Trees in Isabelle

In this paper, we present a proof theory for attack trees. Attack trees ...
01/21/2018

### An Intuitionistic Linear Logical Semantics of SAND Attack Trees

In this paper we introduce a new logical foundation of SAND attack trees...
07/23/2019

### Proof of Compositionality of CFT Correctness

In the paper Compositionality of Component Fault Trees, we present a dis...
10/06/2021

### A Novel Approach for Attack Tree to Attack Graph Transformation: Extended Version

Attack trees and attack graphs are both common graphical threat models u...
06/12/2019

### Hackers vs. Security: Attack-Defence Trees as Asynchronous Multi-Agent Systems

Attack-Defence Trees (ADTs) are well-suited to assess possible attacks t...
12/27/2018

### Attribute Evaluation on Attack Trees with Incomplete Information

Attack trees are considered a useful tool for security modelling because...
12/08/2021

### Dependability Engineering in Isabelle

In this paper, we introduce a process of formal system development suppo...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Attack trees are an intuitive and practical formal method to analyse and quantify attacks on security and privacy. They are very useful to identify the steps an attacker takes through a system when approaching the attack goal. In this paper, we provide a proof calculus to analyse concrete attacks using a notion of attack validity. We define a state based semantics with Kripke models and the temporal logic CTL in the proof assistant Isabelle [1] using its Higher Order Logic (HOL)111In the following, we refer to Isabelle/HOL simply as Isabelle.. We prove the correctness and completeness (adequacy) of attack trees in Isabelle with respect to the model. This generic Kripke model enriched with CTL does not use an action based model contrary to the main stream. Instead, our model of attack trees leaves the choice of the actor and action model to the application. Nevertheless, using the genericity of Isabelle, proofs and concepts of attack trees carry over to the application model.

There are many approaches to provide a mathematical and formal semantics as well as constructing verification tools for attack trees but we pioneer the use of a Higher Order Logic (HOL) tool like Isabelle that allows proof of meta-theory – like adequacy of the semantics – and verification of applications – while being ensured that the formalism is correct.

Attack trees have been investigated on a theoretical level quite intensively; various extensions exist, e.g., to attack-defense trees and probabilistic or timed attack trees. This paper uses preliminary work towards an Isabelle proof calculus for attack trees presented at a workshop [2] but accomplishes the theoretical foundation by defining a formal semantics and providing the proof of correctness and completeness and thereby establishing a feasible link for application verification. The novelty of this proof theoretic approach to attack tree verification is to take a logical approach from the very beginning by imposing the rigorous expressive Isabelle framework as the technical and semantical spine. This approach brings about a decisive advantage which is beneficial for a successful application of the attack tree formalism and consequently also characterizes our contribution: meta-theory and application verification are possible simultaneously. Since Higher Order Logic allows expressing concepts like attack trees within the logic, it enables reasoning about objects like attack trees, Kripke structures, or the temporal logic CTL in the logic (meta-theory) while at the same time applying these formalised concepts to applications like infrastructures with actors and policies (object-logics).

This paper presents the following contributions.

• We provide a proof calculus for attack trees that entails a notion of refinement of attack trees and a notion of valid attack trees.

• Validity of attack trees can be characterized by a recursive function in Isabelle which facilitates evaluation and permits code generation.

• The main theorems show the correctness and completeness of attack tree validity with respect to the state transition semantics based on Kripke structures and CTL. This meta-theorem not only provides a proof for the concepts but is part of the proof calculus for applications.

• The Isabelle attack tree formalisation is applied to the case study of formalising GDPR properties over infrastructures.

In this paper, we first introduce the underlying Kripke structures and CTL logic (Section 2). Next, we present attack trees and their notion of refinement (Section 3). The notion of validity is given by the proof calculus in Section 4 followed by the central theorem of correctness and completeness (adequacy) of attacks in Section 5 including a high level description of the proof. Section 6 shows how the framework is applied to analyse an IoT healthcare system and Section 7 extends by labelled data to enable GDPR compliance verification. We then discuss, consider related work, and draw conclusions (Section 8). All Isabelle sources are available online [3].

## 2 Kripke Structures and CTL in Isabelle

Isabelle is a generic Higher Order Logic (HOL) proof assistant. Its generic aspect allows the embedding of so-called object-logics as new theories on top of HOL. There are sophisticated proof tactics available to support reasoning: simplification, first-order resolution, and special macros to support arithmetic amongst others. The use of HOL has the advantage that it enables expressing even the most complex application scenarios, conditions, and logical requirements and HOL simultaneously enables the analysis of the meta-theory.

Object-logics, when added to Isabelle using constant and type definitions, constitute a so-called conservative extension. This means that no inconsistency can be introduced; conceptually, new types are defined as subsets of existing types and properties are proved using a one-to-one relationship to the new type from properties of the existing type.

In this work, we make additional use of the class concept of Isabelle that allows an abstract specification of a set of types and properties to be instantiated later. We use it to abstract from states and state transition in order to create a generic framework for Kripke structures, CTL, and attack trees. Using classes the framework can then be applied to arbitrary object-logics that have a notion of state and state transition by instantiation. Isabelle attack trees have been designed as a generic framework meaning that the formalised theories can be applied to various applications. Figure 1 illustrates how the Isabelle theories in our framework are embedded into each other.

### 2.1 Kripke Structures and CTL

We apply Kripke structures and CTL to model state based systems and analyse properties under dynamic state changes. Snapshots of systems are the states on which we define a state transition. Temporal logic is then employed to express security and privacy properties.

In Isabelle, the system states and their transition relation are defined as a class called state containing an abstract constant state_transition. It introduces the syntactic infix notation I   I’ to denote that system state I and I’ are in this relation over an arbitrary (polymorphic) type .

 class state =
fixes state_transition :: [$$\sigma$$ :: type, $$\sigma$$] $$\Rightarrow$$ bool ("_  $$\to_{i}$$ _")

The above class definition lifts Kripke structures and CTL to a general level. The definition of the inductive relation is given by a set of specific rules which are, however, part of an application like infrastructures (Section 6). Branching time temporal logic CTL is defined in general over Kripke structures with arbitrary state transitions and can later be applied to suitable theories, like infrastructures.

Based on the generic state transition of the type class state, the CTL-operators EX and AX express that property holds in some or all next states, respectively. The CTL formula AG means that on all paths branching from a state the formula is always true (G stands for ‘globally’). It can be defined using the Tarski fixpoint theory by applying the greatest fixpoint operator. In a similar way, the other CTL operators are defined. The formal Isabelle definition of what it means that formula holds in a Kripke structure M can be stated as: the initial states of the Kripke structure init M need to be contained in the set of all states states M that imply .

 M $$\vdash$$ $$f$$ $$\equiv$$  init M $$\subseteq$$ { s $$\in$$ states M. s $$\in$$ $$f$$  }

In an application, the set of states of the Kripke structure will be defined as the set of states reachable by the infrastructure state transition from some initial state, say example_scenario.
  example_states $$\equiv$$ { I. example_scenario $$\to_{i}$$^*  I }

The relation ^* is the reflexive transitive closure – an operator supplied by the Isabelle theory library – applied to the relation .

The Kripke constructor combines the constituents initial state, state set and state transition relation .

 example_Kripke $$\equiv$$ Kripke example_states {example_scenario} $$\to_{i}$$

In Isabelle, the concept of sets and predicates coincide222In general, this is often referred to as predicate transformer semantics.. Thus a property is a predicate over states which is equal to a set of states. For example, we can then try to prove that there is a path (E) to a state in which the property eventually holds (in the Future) by starting the following proof in Isabelle.
  example_Kripke $$\vdash$$  EF property


## 3 Attack Trees and Refinement

Attack Trees [4] are a graphical language for the analysis and quantification of attacks. If the root represents an attack, its children represent the sub-attacks. Leaf nodes are the basic attacks; other nodes of attack trees represent sub-attacks. Sub-attacks can be alternatives for reaching the goal (disjunctive node) or they must all be completed to reach the goal (conjunctive node). Figure 2 is an example of an attack tree taken from a textbook [4] illustrating the attack of opening a safe.

Nodes can be adorned with attributes, for example costs of attacks or probabilities which allows quantification of attacks (not used in the example).

### 3.1 Attack Tree Datatype in Isabelle

The following datatype definition attree defines attack trees. The simplest case of an attack tree is a base attack. The principal idea is that base attacks are defined by a pair of state sets representing the initial states and the attack property – a set of states characterized by the fact that this property holds in them. Attacks can also be combined as the conjunction or disjunction of other attacks. The operator creates or-trees and creates and-trees. And-attack trees and or-attack trees consist of a list of sub-attacks – again attack trees.

 datatype ($$\sigma$$ :: state)attree =
BaseAttack ($$\sigma$$ set)$$\times$$($$\sigma$$ set) ("$${\cal{N}}_{\texttt{ }}$$(_)")
| AndAttack ($$\sigma$$ attree)list ($$\sigma$$ set)$$\times$$($$\sigma$$ set) ("_ $$\oplus_{\wedge}^{(_)}$$")
| OrAttack  ($$\sigma$$ attree)list ($$\sigma$$ set)$$\times$$($$\sigma$$ set) ("_ $$\oplus_{\vee}^{(_)}$$")

The attack goal is given by the pair of state sets on the right of the operator , or , respectively. A corresponding projection operator is defined as the function attack.
 primrec attack :: ($$\sigma$$::state)attree $$\Rightarrow$$ ($$\sigma$$ set)$$\times$$($$\sigma$$ set)
where
attack (BaseAttack b) = b
| attack (AndAttack as s) = s
| attack (OrAttack as s) = s


### 3.2 Attack Tree Refinement

When we develop an attack tree, we proceed from an abstract attack, given by an attack goal, by breaking it down into a series of sub-attacks. This proceeding corresponds to a process of refinement. Therefore, as part of the attack tree calculus, we provide a notion of attack tree refinement. This can be done elegantly by defining an infix operator . The intuition of developing an attack tree from the root to the leaves is illustrated in Figure 3. The example attack tree on the left side has a leaf that is expanded by the refinement into an and-attack with two steps.

Formally, we define the semantics of the refinement operator by an inductive definition for the constant , that is, the smallest predicate closed under the set of specified rules.

 inductive refines_to :: [($$\sigma$$ :: state) attree, $$\sigma$$ attree] $$\Rightarrow$$ bool ("_ $$\sqsubseteq$$ _")
where
refI: $$\llbracket$$  A = (l @ [$${\cal{N}}_{\texttt{(s1,s2)}}$$] @ l’’)$$\oplus_{\wedge}^{(s0,s3)}$$; A’ = l’ $$\oplus_{\wedge}^{(s1,s2)}$$;
A’’ = l @ l’ @ l’’ $$\oplus_{\wedge}^{(s0,s3)}$$ $$\rrbracket$$ $$\Longrightarrow$$ A $$\sqsubseteq$$ A’’
| ref_or: $$\llbracket$$ as $$\neq$$ []; $$\forall$$ A’ $$\in$$ set(as). A $$\sqsubseteq$$ A’ $$\land$$ attack A = s
$$\rrbracket$$ $$\Longrightarrow$$ A $$\sqsubseteq$$ as $$\oplus_{\vee}$$s
| ref_trans: $$\llbracket$$ A $$\sqsubseteq$$ A’; A’ $$\sqsubseteq$$ A’’ $$\rrbracket$$ $$\Longrightarrow$$ A $$\sqsubseteq$$ A’’
| ref_refl : A $$\sqsubseteq$$ A

The rule refI captures the intuition expressed in Figure 3: a sequence of leaves in an and-subtree can be refined by replacing a single leaf by a new subsequence (the @ is the list append in Isabelle). Rule ref_or describes or-attack refinement. To refine a node into an or-attack, all sub-trees in the or-attack list need to refine the parent node. The remaining rules define as a pre-order on sub-trees of an attack tree: it is reflexive and transitive.

Refinement of attack trees defines the stepwise process of expanding abstract attacks into more elaborate attacks only syntactically. There is no guarantee that the refined attack is possible if the abstract one is, nor vice-versa. We need to provide a semantics for attacks in order to judge whether such syntactic refinements represent possible attacks. To this end, we now formalise the semantics of attack trees by a proof theory.

## 4 Proof Calculus

A valid attack, intuitively, is one which is fully refined into fine-grained attacks that are feasible in a model. The general model we provide is a Kripke structure, i.e., a set of states and a generic state transition. Thus, feasible steps in the model are single steps of the state transition. We call them valid base attacks. The composition of sequences of valid base attacks into and-attacks yields again valid attacks if the base attacks line up with respect to the states in the state transition. If there are different valid attacks for the same attack goal starting from the same initial state set, these can be summarized in an or-attack.

 fun is_attack_tree :: [($$\sigma$$ :: state) attree] $$\Rightarrow$$ bool  ("$$\vdash$$_")
where
att_base:  $$\vdash$$ $${\cal{N}}_{\texttt{s}}$$ = $$\forall$$ x $$\in$$ fst s. $$\exists$$ y $$\in$$ snd s. x  $$\to_{i}$$ y
| att_and: $$\vdash$$ (As :: ($$\sigma$$::state attree list)) $$\oplus_{\wedge}^{s}$$ =
case As of
[] $$\Rightarrow$$ (fst s $$\subseteq$$ snd s)
|  [a] $$\Rightarrow$$ $$\vdash$$ a $$\land$$ attack a = s
|  a # l $$\Rightarrow$$ $$\vdash$$ a $$\land$$ fst(attack a) = fst s
$$\land$$ $$\vdash$$ l $$\oplus_{\wedge}^{\texttt{(snd(attack a),snd(s))}}$$
| att_or: $$\vdash$$ (As :: ($$\sigma$$::state attree list)) $$\oplus_{\vee}^{s}$$ =
case As of
[] $$\Rightarrow$$ (fst s $$\subseteq$$ snd s)
| [a] $$\Rightarrow$$ $$\vdash$$ a $$\land$$ fst(attack a) $$\supseteq$$ fst s $$\land$$ snd(attack a) $$\subseteq$$ snd s
| a # l $$\Rightarrow$$ $$\vdash$$ a $$\land$$ fst(attack a) $$\subseteq$$ fst s $$\land$$ snd(attack a) $$\subseteq$$ snd s
$$\land$$ $$\vdash$$ l $$\oplus_{\vee}^{\texttt{(fst s - fst(attack a),snd s)}}$$


More precisely, the different cases of the validity predicate are distinguished by pattern matching over the attack tree structure.

• A base attack is valid if from all states in the pre-state set s0 we can get with a single step of the state transition relation to a state in the post-state set s1. Note, that it is sufficient for a post-state to exist for each pre-state. After all, we are aiming to validate attacks, that is, possible attack paths to some state that fulfills the attack property.

• An and-attack As is a valid attack if either of the following cases holds:

• empty attack sequence As: in this case all pre-states in s0 must already be attack states in s1, i.e., s0  s1;

• attack sequence As is singleton: in this case, the singleton element attack a in [a], must be a valid attack and it must be an attack with pre-state s0 and post-state s1;

• otherwise, As must be a list matching a # l for some attack a and tail of attack list l such that a is a valid attack with pre-state identical to the overall pre-state s0 and the goal of the tail l is s1 the goal of the overall attack. The pre-state of the attack represented by l is snd(attack a) since this is the post-state set of the first step a.

• An or-attack As is a valid attack if either of the following cases holds:

• the empty attack case is identical to the and-attack above: s0  s1;

• attack sequence As is singleton: in this case, the singleton element attack a must be a valid attack and its pre-state must include the overall attack pre-state set s0 (since a is singleton in the or) while the post-state of a needs to be included in the global attack goal s1;

• otherwise, As must be a list a # l for an attack a and a list l of alternative attacks. The pre-states can be just a subset of s0 (since there are other attacks in l that can cover the rest) and the goal states snd(attack a) need to lie all in the overall goal state set s1. The other or-attacks in l need to cover only the pre-states fst s - fst(attack a) (where - is set difference) and have the same goal snd s.

The proof calculus is thus completely described by one recursive function. This is a major improvement to the inductive definition provided in the preliminary workshop paper [2] that inspired this paper. Our notion of attack tree validity is more concise hence less prone to stating inconsistent definitions and still allows to infer properties important for proofs. The increase of consistency is because other important or useful algebraic properties can be derived from the recursive function definition. Note, that preliminary experiments on a proof calculus for attack trees in Isabelle [2] used an inductive definition that had a larger number of rules than the three cases we have in our recursive function definition is_attack_tree. The earlier inductive definition integrated a fair number of properties as inductive rules which are now proved from the three cases of is_attack_tree.

It might appear that Kripke semantics interprets conjunction as sequential (ordered) conjunction instead of parallel (unordered) conjunction. However, this is not the case: the ordering of events or actions is implicit in the states. Therefore, any kind of interleaving (or true parallelism) of state changing actions is possible. This is inserted as part of the application -- for example in the Infrastructures definition of the state transition in Section 6. There the order of actions between states depends on the pre-states and post-states only.

Given the proof calculus, the notion of validity of an attack tree can be used to identify valid refinements already at a more abstract level. The notion denotes that the refinement of the attack tree on the left side is to a valid attack tree on the right side.

  A $$\sqsubseteq_{V}$$ A’ $$\equiv$$  ( A $$\sqsubseteq$$ A’ $$\land$$  $$\vdash$$ A’)

Taking this one step further, we can say that an abstract attack tree is valid if there is a valid attack tree it refines to.
 $$\vdash_{V}$$ A  $$\equiv$$  ($$\exists$$ A’. A $$\sqsubseteq_{V}$$ A’)


## 5 Correctness and Completeness of Attack Trees

The novel contribution of this paper is to equip attack trees with a Kripke semantics. Thereby, a valid attack tree corresponds to an attack sequence. The following theorem provides this.

 theorem AT_EF: $$\vdash$$ A :: ($$\sigma$$ :: state) attree) $$\Longrightarrow$$ (I, s) = attack A
$$\Longrightarrow$$ Kripke {s . $$\exists$$ i $$\in$$ I. i $$\to_{i}$$^* s } I $$\vdash$$  EF s

It is not only an academic exercise to prove this theorem. Since we use an embedding of attack trees into Isabelle, this kind of proof about the embedded notions of attack tree validity and CTL formulas like EF is possible. At the same time, the established relationship between these notions can be applied to case studies. Consequently, if we apply attack tree refinement to spell out an abstract attack tree for attack s into a valid attack sequence, we can apply theorem AT_EF and can immediately infer that EF s holds.

Theorem AT_EF also extends to validity of abstract attack trees. That is, if an ‘‘abstract’’ attack tree A can be refined to a valid attack tree, correctness in CTL given by AT_EF applies also to the abstract tree as expressed in the following theorem.

 theorem ATV_EF: $$\vdash_{V}$$ A :: ($$\sigma$$ :: state) attree) $$\Longrightarrow$$ (I, s) = attack A
$$\Longrightarrow$$ Kripke {s . $$\exists$$ i $$\in$$ I. i $$\to_{i}$$^* s } I $$\vdash$$  EF s


The inverse direction of theorem ATV_EF is a completeness theorem.

 theorem Completeness: I $$\neq$$ {} $$\Longrightarrow$$ finite I $$\Longrightarrow$$
Kripke {s . $$\exists$$ i $$\in$$ I. i $$\to_{i}$$^* s } I $$\vdash$$  EF s
$$\Longrightarrow$$ $$\exists$$ A :: ($$\sigma$$::state)attree. $$\vdash_{V}$$ A $$\land$$ (I, s) = attack A


## 6 Application to Infrastructures, Policies, and Actors

The Isabelle Infrastructure framework supports the representation of infrastructures as graphs with actors and policies attached to nodes. These infrastructures are the states of the Kripke structure.

The transition between states is triggered by non-parametrized actions get, move, eval, and put executed by actors. Actors are given by an abstract type actor and a function Actor that creates elements of that type from identities (of type string). Policies are given by pairs of predicates (conditions) and sets of (enabled) actions.

 type_synonym policy = ((actor $$\Rightarrow$$ bool) $$\times$$ action set)

Actors are contained in an infrastructure graph.
 datatype igraph = Lgraph (location $$\times$$ location)set
location $$\Rightarrow$$ identity set
actor $$\Rightarrow$$ (string set $$\times$$ string set)
location $$\Rightarrow$$ (string $$\times$$ acond)

An igraph contains a set of location pairs representing the topology of the infrastructure as a graph of nodes and a list of actor identities associated to each node (location) in the graph. Also an igraph associates actors to a pair of string sets by a pair-valued function whose first range component is a set describing the credentials in the possession of an actor and the second component is a set defining the roles the actor can take on. More importantly in this context, an igraph assigns locations to a pair of a string that defines the state of the component and an element of type acond. This type acond is defined as a set of labelled data representing a condition on that data. Corresponding projection functions for each of these components of an igraph are provided; they are named gra for the actual set of pairs of locations, agra for the actor map, cgra for the credentials, and lgra for the state of a location and the data at that location.

Infrastructures are given by the following datatype that contains an infrastructure graph of type igraph and a policy given by a function that assigns local policies over a graph to all locations of the graph.

datatype infrastructure = Infrastructure igraph
igraph $$\Rightarrow$$ location $$\Rightarrow$$ policy set

There are projection functions graphI and delta when applied to an infrastructure return the graph and the policy, respectively. Policies specify the expected behaviour of actors of an infrastructure. They are defined by the enables predicate: an actor h is enabled to perform an action a in infrastructure I, at location l if there exists a pair (p,e) in the local policy of l (delta I l projects to the local policy) such that the action a is a member of the action set e and the policy predicate p holds for actor h.
enables I l h a $$\equiv$$ $$\exists$$ (p,e) $$\in$$ delta I l. a $$\in$$ e $$\land$$ p h

We now flesh out the abstract state transition introduced in Section 2.1 by defining an inductive relation for state transition between infrastructures. This state transition relation is dependent on actions but also on enabledness and the current state of the infrastructure. For illustration purposes we consider the rule for get_data only (see the complete source code [3] for full details of other rules)333We deliberately omit here the DLM constraints for illustration purposes (see below).
get_data : G = graphI I $$\Longrightarrow$$ a $$@_{G}$$ l $$\Longrightarrow$$
enables I l’ (Actor a) get $$\Longrightarrow$$
I’ = Infrastructure
(Lgraph (gra G)(agra G)(cgra G)
((lgra G)(l := (fst (lgra G l),
snd (lgra G l) $$\cup$$ {new}))))
(delta I)
$$\Longrightarrow$$ I $$\to_{n}$$ I’


### 6.1 Application Example from IoT Healthcare

The example of an IoT healthcare systems is from the CHIST-ERA project SUCCESS [5] on monitoring Alzheimer’s patients. Figure 4 illustrates the system architecture where data collected by sensors in the home or via a smart phone helps monitoring bio markers of the patient. The data collection is in a cloud based server to enable hospitals (or scientific institutions) to access the data which is controlled via the smart phone.

We show the encoding of the igraph for this system architecture in the Infrastructure model.

ex_graph $$\equiv$$ Lgraph {(home, cloud), (sphone, cloud), (cloud,hospital)}
($$\lambda$$ x. if x = home then {’’Patient’’}
else (if x = hospital then {’’Doctor’’} else {}))
ex_creds ex_locs

The identities Patient and Doctor represent patients and their doctors; double quotes ’’s’’ indicate strings in Isabelle/HOL. The global policy is ‘only the patient and the doctor can access the data in the cloud’:
 fixes global_policy::[infrastructure, identity] $$\Rightarrow$$ bool
defines  global_policy I a $$\equiv$$  a $$\notin$$ gdpr_actors $$\longrightarrow$$
$$\neg$$(enables I cloud (Actor a) get)


Local policies are represented as a function over an igraph G that additionally assigns each location of a scenario to its local policy given as a pair of requirements to an actor (first element of the pair) in order to grant him actions in the location (second element of the pair). The predicate checks whether an actor is at a given location in the graph .

local_policies G $$\equiv$$
($$\lambda$$ x. if x = home then {($$\lambda$$ y. True, {put,get,move,eval})}
else (if x = sphone then
{(($$\lambda$$ y. has G (y, ’’PIN’’)), {put,get,move,eval})}
else (if x = cloud then {($$\lambda$$ y. True, {put,get,move,eval})}
else (if x = hospital then
{(($$\lambda$$ y. ($$\exists$$ n. (n $$@_{G}$$ hospital) $$\land$$ Actor n = y $$\land$$
has G (y, ’’skey’’))), {put,get,move,eval})} else {}))))


### 6.2 Using Attack Tree Calculus

Since we consider a predicate transformer semantics, we use sets of states to represent properties. For example, the attack property is given by the following set sgdpr.

  sgdpr $$\equiv$$ {x. $$\neg$$ (global_policy x ’’Eve’’)}

The attack we are interested in is to see whether for the scenario
 gdpr_scenario $$\equiv$$  Infrastructure ex_graph local_policies

from the initial state Igdpr {gdpr_scenario}, the critical state sgdpr can be reached, i.e., is there a valid attack (Igdpr,sgdpr)?

For the Kripke structure

 gdpr_Kripke $$\equiv$$ Kripke { I. gdpr_scenario $$\to_{i}^{*}$$ I } Igdpr

we first derive a valid and-attack using the attack tree proof calculus.
$$\vdash$$ [$${\cal{N}}_{\texttt{(Igdpr,GDPR)}}$$,$${\cal{N}}_{\texttt{(GDPR,sgdpr)}}$$]$$\oplus_{\wedge}^{\texttt{(Igdpr,sgdpr)}}$$

The set GDPR is an intermediate state where Eve accesses the cloud. We can then simply apply the Correctness theorem AT_EF to immediately prove the following CTL statement.
 gdpr_Kripke $$\vdash$$  EF sgdpr

This application of the meta-theorem of Correctness of attack trees saves us proving the CTL formula tediously by exploring the state space.

## 7 Data Protection by Design for GDPR compliance

### 7.1 General Data Protection Regulation (GDPR)

From 26th May 2018, the GDPR will become mandatory within the European Union and hence also for any supplier of IT products. Breaches of the regulation will be fined with penalties of 20 Million EUR. For this paper, we use the final proposal [6] as our source. Despite the relatively large size of the document of 209 pages, the technically relevant portion for us is only about 30 pages (Pages 81--111, Chapters I to Chapter III, Section 3). In summary, Chapter III specifies that the controller must give the data subject read access (1) to any information, communications, and ‘‘meta-data’’ of the data, e.g., retention time and purpose. In addition, the system must enable deletion of data (2) and restriction of processing.

An invariant condition for data processing resulting from these Articles is that the system functions must preserve any of the access rights of personal data (3).

### 7.2 Security and Privacy by Labeling Data

The Decentralised Label Model (DLM) [7] introduced the idea to label data by owners and readers. We pick up this idea and formalize a new type to encode the owner and the set of readers.

 type_synonym dlm = actor $$\times$$ actor set

Labelled data is then just given by the type dlm  data where data can be any data type. Additional meta-data, like retention time and purpose, can be encoded as part of this type data. We omit these detail here for conciseness of the exposition.

Using labeled data, we can now express the essence of Article 4 Paragraph (1): ’personal data’ means any information relating to an identified or identifiable natural person (’data subject’). Since we have a more constructive system view, we express this by defining the owner of a data item d of type dlm as the actor that is the first element in the pair that is the first of the pair d. Then, we use this function to express the predicate ‘‘owns’’.

 definition owner :: dlm $$\times$$ data $$\Rightarrow$$ actor
where owner d $$\equiv$$ fst(fst d)

definition owns :: [igraph, location, actor, dlm $$\times$$ data] $$\Rightarrow$$ bool
where owns G l a d $$\equiv$$ owner d = a

The introduction of a similar function for readers projecting the second element of a dlm label
 definition readers :: dlm $$\times$$ data $$\Rightarrow$$ actor set
where readers d $$\equiv$$ snd (fst d)

enables specifying whether an actor may access a data item.
 definition has_access :: [igraph, location, actor, dlm $$\times$$ data] $$\Rightarrow$$ bool
where has_access G l a d $$\equiv$$ owns G l a d $$\lor$$ a $$\in$$ readers d


For our example of an IoT health care monitoring system, the data and its privacy access control definition is given by the parameter ex_locs specifying that the data 42, for example some bio marker’s value, is owned by the patient and can be read by the doctor (’’free’’ is the state of the cloud component).

ex_locs $$\equiv$$ ($$\lambda$$ x. if x = cloud
then (’’free’’, {((Actor ’’Patient’’,{Actor ’’Doctor’’}),42)})
else (’’’’,{}))


### 7.3 Privacy Preserving Functions

The labels of data must not be changed by processing: we have identified this finally as an invariant (3) resulting from the GDPR in Section 7. This invariant can be formalized in our Isabelle model by a type definition of functions on labeled data that preserve their labels.

 typedef label_fun = {f :: dlm$$\times$$data $$\Rightarrow$$ dlm$$\times$$data. $$\forall$$ x. fst x = fst (f x)}

We also define an additional function application operator on this new type. Then we can use this restricted function type to implicitly specify that only functions preserving labels may be applied in the definition of the system behaviour in the state transition rule for action eval (see [3]).

### 7.4 Policy Enforcement

We can now use the labeled data to encode the privacy constraints of the GDPR in the rules. For example, the get_data rule has now labelled data ((Actor a’, as), n) and used the labeling in the precondition to guarantee that only entitled users can get data.

get_data : G = graphI I $$\Longrightarrow$$ a $$@_{G}$$ l $$\Longrightarrow$$ enables I l’ (Actor a) get $$\Longrightarrow$$
((Actor a’, as), n) $$\in$$ snd (lgra G l’) $$\Longrightarrow$$ Actor a $$\in$$ as $$\Longrightarrow$$
I’ = Infrastructure
(Lgraph (gra G)(agra G)(cgra G)
((lgra G)(l := (fst (lgra G l),
snd (lgra G l) $$\cup$$ {((Actor a’, as), new)}))))
(delta I)
$$\Longrightarrow$$ I $$\to_{n}$$ I’

Using the formal model of infrastructures, we can now prove privacy by design for GDPR compliance of the specified system. We can show how the properties relating to data ownership, processing and deletion can be formally captured using Kripke structures and CTL and the Infrastructure framework. As an example, consider the preservation of data ownership.

#### 7.4.1 Processing preserves privacy

We can prove that processing preserves ownership as defined in the initial state for all paths globally (AG) within the Kripke structure and in all locations of the graph.

 theorem GDPR_three: h $$\in$$ gdpr_actors $$\Longrightarrow$$ l $$\in$$ gdpr_locations $$\Longrightarrow$$
owns (Igraph gdpr_scenario) l (Actor h) d $$\Longrightarrow$$
gdpr_Kripke $$\vdash$$
AG {x. $$\forall$$ l $$\in$$ gdpr_locations. owns (Igraph x) l (Actor h) d }

Note, that it would not be possible to express this property in Modelcheckers since they only allow propositional logic within states. This generalisation is only possible since we use Higher Order Logic.

The proved meta-theory for attack trees can be applied to facilitate the proof. The contraposition of the Completeness property grants that if there is no attack on (I,), then (EF ) does not hold in the Kripke structure. This yields the theorem since the AG statement corresponds to (EF ).

## 8 Conclusions

### 8.1 Summary and Discussion

In this paper, we have presented a proof theory for attack trees in Isabelle’s Higher Order Logic (HOL). We have shown the incremental and generic structure of this framework, presented correctness and completeness results equating valid attacks to EF formulas. The proof theory has been illustrated on an IoT healthcare infrastructure where the meta-theorem of completeness could be directly applied to infer the existence of an attack tree from CTL. The practical relevance has been demonstrated on GDPR compliance verification.

The use of an expressive proof assistant like Isabelle comes at a cost: all proofs have to be done in interaction with the user. On the application side this seems to be much inferior to using fully automated techniques like SMT solvers or model checkers that have been employed heavily in security applications including attack tree analysis, for example [8]. However, and this is the advantage that we claim for our approach, none of these related works can claim the same level of consistency of the used concepts and formalisms. Since HOL is so expressive, we combine meta-theoretic reasoning with application level verification in one logical theory. Thereby, we can prove meta-theorems, like the presented correctness results, and simultaneously use the formalised concepts of attack trees and temporal logic on applications. This can be done in a nicely generic and structured way using type classes and instantiation in Isabelle. Powerful concepts like recursive function in HOL and simplification and other proof tactics in Isabelle furthermore facilitate the application.

### 8.2 Related Work

There are excellent foundations available based on graph theory [9]. They provide a very good understanding of the formalism, various extensions (like attack-defense trees [10]) and differentiations of the operators (like sequential conjunction (SAND) versus parallel conjunction [11]) and are amply documented in the literature. These theories for attack trees provide a thorough foundation for the formalism and its semantics. The main problem that adds complexity to the semantical models is the abstractness of the descriptions in the nodes. This leads to a variety of approaches to the semantics, e.g. propositional semantics, multiset semantics, and equational semantics for ADtrees [10]. The theoretical foundations allow comparison of different semantics, and provide a theoretical framework to develop evaluation algorithms for the quantification of attacks.

More practically oriented formalisations, e.g. [8], focus on an action based-approach where the attack goals are represented as labels of attack tree nodes which are actions that an attacker has to execute to arrive at the goal.

A notable exception that uses, like our approach, a state based semantics for attack trees is the recent work [12]. However, this work is aiming at assisted generation of attack trees from system models. The tool ATSyRA supports this process. The paper [12] focuses on describing a precise semantics of attack tree in terms of transition systems using ‘‘under-match’’, ‘‘over-match’’, and ‘‘match’’ to arrive at a notion of correctness. In comparison, we use additionally CTL logic to describe the correctness relation precisely. Also we use a fully formalised and proved Isabelle model.

Surprisingly, the use of an automated proof assistant, like Isabelle, has not been considered before despite its potential of providing a theory and analysis of attacks simultaneously. The essential attack tree mechanism of disjunction and conjunction in tree refinement is relatively simple. The complexity in the theories is caused by the attempt to incorporate semantics to the attack nodes and relate the trees to actual scenarios. This is why we consider the formalisation of a foundation of attack trees in the interactive prover Isabelle since it supports logical modeling and definitions of datatypes very akin to algebraic specification but directly supported by semi-automated analysis and proof tools.

The workshop paper [2] has inspired the present work but is vastly superseded by it. The novelties are:

• Attack trees have a formal state based semantics that is formalised in the framework.

• Correctness and completeness are proved with respect to the formal semantics.

• The Isabelle framework is generic using type classes, that is, works for any state model. Infrastructures with actors and policies are an instantiation.

• The semantics, correctness and completeness theorems facilitate application verification.

### 8.3 Outlook

The high level analysis of infrastructures including humans and high level policies specifying the (desired) behaviour of systems and humans alike is a great challenge to formal methods. The approach taken in the Isabelle insider framework and prolonged in the attack tree proof theory presented in this paper follows an approach akin to formal software engineering but integrating high level ideas from sociology and tapping into results from psychology [13]. We believe that the current presented attack tree proof calculus is an important step towards complementing this endeavour by providing a generic yet rigorous frame to allow the use of the established and easily understandable attack tree concept to be used within the wider framework. This is particularly relevant for transparency of security and privacy, one of the goals of the SUCCESS project [5] supporting this research.

The genericity of the attack tree formalisation presented here will permit the extension of the CTL temporal logic to specialised modal logics like the actor logic ATL [14] or by adding probabilities. The extension by defences to attack-defence trees, implies the change of the Kripke model. Since Kripke models are first class citizen of the logic, we can integrate Kripke model transformations into the framework to allow defences to detected attacks by model refinement. This can be considered as yet another avenue for future research.

## References

• [1] T. Nipkow, L. C. Paulson, and M. Wenzel, Isabelle/HOL -- A Proof Assistant for Higher-Order Logic, ser. LNCS.   Springer-Verlag, 2002, vol. 2283.
• [2] F. Kammüller, ‘‘A proof calculus for attack trees,’’ in Data Privacy Management, DPM’17, 12th Int. Workshop, ser. LNCS, vol. 10436.   Springer, 2017, co-located with ESORICS’17.
• [3] ------, ‘‘Isabelle infrastructure framework with iot healthcare s&p application,’’ 2018, available at https://github.com/flokam/IsabelleAT.
• [4] B. Schneier, Secrets and Lies: Digital Security in a Networked World.   John Wiley & Sons, 2004.
• [5] CHIST-ERA, ‘‘Success: Secure accessibility for the internet of things,’’ 2016, http://www.chistera.eu/projects/success.
• [6] E. Union, ‘‘The eu general data protection regulation (gdpr),’’ Accessed 20.3. 2018, proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [first reading] - Analysis of the final compromise text with a view to agreement, Brussels, 15 December 2015. [Online]. Available: http://www.eugdpr.org
• [7] A. C. Myers and B. Liskov, ‘‘Complete, safe information flow with decentralized labels,’’ in Proceedings of the IEEE Symposium on Security and Privacy.   IEEE, 1999.
• [8] Z. Aslanyan, F. Nielson, and D. Parker, ‘‘Quantitative verification and synthesis of attack-defence scenarios,’’ in 29th IEEE Computer Security Foundations Symposium, CSF’16, 2016.
• [9] B. Kordy, L. Piètre-Cambacédés, and P. Schweitzer, ‘‘Dag-based attack and defense modeling: Don’t miss the forest for the attack trees,’’ Computer Science Review, vol. 13--14, pp. 1--38, 2014.
• [10] B. Kordy, S. Mauw, S. Radomirovic, and P. Schweitzer, ‘‘Attack-defense trees,’’ Journal of Logic and Computation, vol. 24, no. 1, pp. 55--87, 2014.
• [11] R. Jhawar, B. Kordy, S. Mauw, S. Radomirovic, and R. Trujillo-Rasua, ‘‘Attack trees with sequential conjunction,’’ in 30th IFIP TC 11 International Conference on ICT Systems Security and Privacy Protection (IFIP SEC’15), ser. IFIP Advances in Information and Communication Technology, vol. 455.   Springer, 2015, pp. 339--353.
• [12] M. Audinot, S. Pinchinat, and B. Kordy, ‘‘Is my attack tree correct?’’ in 22nd European Symposium on Research in Computer Security, ESORICS’2017, ser. LNCS, vol. 10492.   Springer, 2017, pp. 83--102.
• [13] F. Kammüller and C. W. Probst, ‘‘Modeling and verification of insider threats using logical analysis,’’ IEEE Systems Journal, Special issue on Insider Threats to Information Security, Digital Espionage, and Counter Intelligence, vol. 11, no. 2, pp. 534--545, 2017. [Online]. Available: http://dx.doi.org/10.1109/JSYST.2015.2453215
• [14] R. Alur, T. A. Henzinger, and O. Kupfermann, ‘‘Alternating-time temporal logic,’’ Journal of the ACM, vol. 49, pp. 672--713, September 2002.