User Identification Procedures with Human Mutations: Formal Analysis and Pilot Study

Megha Quamara; Luca Viganò

User Identification Procedures with Human Mutations: Formal Analysis and Pilot Study

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

30 Downloads (Pure)

Abstract

User identification procedures, essential to the information security of systems, enable system-user interactions by exchanging data through communication links and interfaces to validate and confirm user authenticity. However, human errors can introduce vulnerabilities that may disrupt the intended identification workflow and thus impact system behavior. Therefore, ensuring the integrity of these procedures requires accounting for such erroneous behaviors. We follow a formal, human-centric approach to analyze user identification procedures by modeling them as security ceremonies and apply proven techniques for automatically analyzing such ceremonies. The approach relies on mutation rules to model potential human errors that deviate from expected interactions during the identification process, and is implemented as the X-Men tool, an extension of the Tamarin prover, which automatically generates models with human mutations and implements matching mutations to other ceremony participants for analysis. As a proof-of-concept, we consider a real-life pilot study involving an AI-driven, virtual receptionist kiosk for
authenticating visitors.

Original language	English
Title of host publication	ICSA 2025 Companion proceedings
Publisher	IEEE Xplore
Number of pages	10
Publication status	Accepted/In press - 20 Jan 2025

Access to Document

FAACS2025

Cite this

@inbook{f8f1836a067e4bb8a92deef5000f16ae,

title = "User Identification Procedures with Human Mutations: Formal Analysis and Pilot Study",

abstract = "User identification procedures, essential to the information security of systems, enable system-user interactions by exchanging data through communication links and interfaces to validate and confirm user authenticity. However, human errors can introduce vulnerabilities that may disrupt the intended identification workflow and thus impact system behavior. Therefore, ensuring the integrity of these procedures requires accounting for such erroneous behaviors. We follow a formal, human-centric approach to analyze user identification procedures by modeling them as security ceremonies and apply proven techniques for automatically analyzing such ceremonies. The approach relies on mutation rules to model potential human errors that deviate from expected interactions during the identification process, and is implemented as the X-Men tool, an extension of the Tamarin prover, which automatically generates models with human mutations and implements matching mutations to other ceremony participants for analysis. As a proof-of-concept, we consider a real-life pilot study involving an AI-driven, virtual receptionist kiosk forauthenticating visitors. ",

author = "Megha Quamara and Luca Vigan{\`o}",

year = "2025",

month = jan,

day = "20",

language = "English",

booktitle = "ICSA 2025 Companion proceedings",

publisher = "IEEE Xplore",

}

TY - CHAP

T1 - User Identification Procedures with Human Mutations: Formal Analysis and Pilot Study

AU - Quamara, Megha

AU - Viganò, Luca

PY - 2025/1/20

Y1 - 2025/1/20

N2 - User identification procedures, essential to the information security of systems, enable system-user interactions by exchanging data through communication links and interfaces to validate and confirm user authenticity. However, human errors can introduce vulnerabilities that may disrupt the intended identification workflow and thus impact system behavior. Therefore, ensuring the integrity of these procedures requires accounting for such erroneous behaviors. We follow a formal, human-centric approach to analyze user identification procedures by modeling them as security ceremonies and apply proven techniques for automatically analyzing such ceremonies. The approach relies on mutation rules to model potential human errors that deviate from expected interactions during the identification process, and is implemented as the X-Men tool, an extension of the Tamarin prover, which automatically generates models with human mutations and implements matching mutations to other ceremony participants for analysis. As a proof-of-concept, we consider a real-life pilot study involving an AI-driven, virtual receptionist kiosk forauthenticating visitors.

AB - User identification procedures, essential to the information security of systems, enable system-user interactions by exchanging data through communication links and interfaces to validate and confirm user authenticity. However, human errors can introduce vulnerabilities that may disrupt the intended identification workflow and thus impact system behavior. Therefore, ensuring the integrity of these procedures requires accounting for such erroneous behaviors. We follow a formal, human-centric approach to analyze user identification procedures by modeling them as security ceremonies and apply proven techniques for automatically analyzing such ceremonies. The approach relies on mutation rules to model potential human errors that deviate from expected interactions during the identification process, and is implemented as the X-Men tool, an extension of the Tamarin prover, which automatically generates models with human mutations and implements matching mutations to other ceremony participants for analysis. As a proof-of-concept, we consider a real-life pilot study involving an AI-driven, virtual receptionist kiosk forauthenticating visitors.

M3 - Conference paper

BT - ICSA 2025 Companion proceedings

PB - IEEE Xplore

ER -

User Identification Procedures with Human Mutations: Formal Analysis and Pilot Study

Abstract

Access to Document

Fingerprint

Cite this