Position within the page tree

DY*

DY* (pronounced "DY Star") is a formal verification framework for the symbolic analysis of cryptographic protocols.

About DY*

DY* is a formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks.

Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.

DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code.

We have demonstrated the effectiveness of this approach through several in-depth symbolic security analyses. For example, we have carried out the first mechanized proof of Signal that accounts for forward and post-compromise security over an unbounded number of protocol rounds. Please see our GitHub repository for the code.

Case Studies and Impact

We have carried out several in-depth case studies using our DY* framework. Below, you find an overview on these case studies and pointers to the respective publications and code repositories.

ACME – The ACME certificate issuance and management protocol, standardized as RFC 8555 by the IETF, is an essential element of the web public key infrastructure (PKI). It has been used by Let’s Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. We have carried out the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. [CCS2021]
Signal, Double Ratchet, X3DH – The Signal protocol is used in popular messaging applications like WhatsApp and Skype. Signal is notable for its sophisticated use of Diffie-Hellman computations to obtain strong security guarantees against adversaries who can compromise both short-term and long-term secrets. Its innovative multi-round (or ratcheted) protocol design has inspired a line of work on new security definitions and proof techniques for properties like post compromise security.
Thanks to DY*, unlike previous analyses with mechanized provers, our analysis does not have severly restrict the protocol to tame its verification complexity. Furthermore, our work is the first that applies a modular verification technique to analyse Signal.
Our verification target is an interoperable implementation of Signal in F* developed in prior work. This implementation was verified for correctness against a purely functional protocol specification (also in F*), but the security of this protocol specification was not verified in F*. We close this gap by extending this specification code to a full DY* protocol model and proving that it achieves the secrecy and authentication goals of Signal, even for an unbounded number of rounds. [EuroS&P2021]
Needham-Schroeder(-Lowe) – The Needham-Schroeder public key protocol (NS-PK) is one of the most well-known examples for an authentication protocol in the literature. Since its initial proposal in 1978, the security of such cryptographic protocols has become a continuous field of study for the research community. While the first formalization for symbolic protocol analysis has been proposed by Dolev and Yao in 1983, a severe protocol flaw in the NS-PK protocol remained undiscovered for 17 years: Lowe presented an attack that breaks the security of the NS-PK protocol by mixing two concurrent protocol sessions. Lowe also proposed a fix and showed that this fix is indeed sufficient using the symbolic tool FDR. As NS-PK is such a widely used example, we illustrate how to analyse this protocol and Lowe’s fix using DY*. [EuroS&P2021]

History

The first version of DY* was published at [EuroS&P2021]. Throughout further papers we improved and extended DY*. For example, in the [CCS2021] paper, we added a framework to connect abstract DY* protocol models with real-world protocol implementations and used it to demonstrate the high level of detail of our ACME client model.

Literature and Publications

2023
1. Karthikeyan Bhargavan, Abhishek Bichhawat, Pedram Hosseyni, Ralf Küsters, Klaas Pruiksma, Guido Schmitz, Clara Waldmann, and Tim Würtele, “Layered Symbolic Security Analysis in DY*,” in 28th European Symposium on Research in Computer Security (ESORICS 2023), Springer, 2023, pp. 3--21.
  Abstract
  While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
  BibTeX
  @inproceedings{Bhargavanetal-ESORICS-2023, abstract = {While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Hosseyni, Pedram and K{\"u}sters, Ralf and Pruiksma, Klaas and Schmitz, Guido and Waldmann, Clara and W{\"u}rtele, Tim}, booktitle = {{28th European Symposium on Research in Computer Security (ESORICS 2023)}}, doi = {10.1007/978-3-031-51479-1_1}, pages = {3--21}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, title = {{Layered Symbolic Security Analysis in DY*}}, url = {https://publ.sec.uni-stuttgart.de/bhargavanetal-iacr-2023-1329.pdf}, volume = 14346, year = 2023 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanetal-iacr-2023-1329.pdf
  DOI
  10.1007/978-3-031-51479-1_1
2. Karthikeyan Bhargavan, Abhishek Bichhawat, Pedram Hosseyni, Ralf Küsters, Klaas Pruiksma, Guido Schmitz, Clara Waldmann, and Tim Würtele, “Layered Symbolic Security Analysis in DY*,” Cryptology ePrint Archive, Technical Report 2023/1329, 2023.
  Abstract
  While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
  BibTeX
  @techreport{Bhargavanetal-IACR-2023-1329, abstract = {While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Hosseyni, Pedram and K{\"u}sters, Ralf and Pruiksma, Klaas and Schmitz, Guido and Waldmann, Clara and W{\"u}rtele, Tim}, institution = {Cryptology ePrint Archive}, number = {2023/1329}, title = {{Layered Symbolic Security Analysis in DY*}}, type = {Technical Report}, url = {https://publ.sec.uni-stuttgart.de/bhargavanetal-iacr-2023-1329.pdf}, year = 2023 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanetal-iacr-2023-1329.pdf
2021
1. Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc Huy Do, Pedram Hosseyni, Ralf Küsters, Guido Schmitz, and Tim Würtele, “An In-Depth Symbolic Security Analysis of the ACME Standard,” Cryptology ePrint Archive, Technical Report 2021/1457, 2021.
  Abstract
  The ACME certificate issuance and management protocol, standardized as IETF RFC 8555, is an essential element of the web public key infrastructure (PKI). It has been used by Let's Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. Despite its importance, however, the security of ACME has not been studied at the same level of depth as other protocol standards like TLS 1.3 or OAuth. Prior formal analyses of ACME only considered the cryptographic core of early draft versions of ACME, ignoring many security-critical low-level details that play a major role in the 100 page RFC, such as recursive data structures, long-running sessions with asynchronous sub-protocols, and the issuance for certificates that cover multiple domains.We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY⋆, which in turn is based on the F⋆ programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY* with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.
  BibTeX
  @techreport{BhargavanBichhavatDoHosseyniKuestersSchmitzWuertele-IACR-2021-1457, abstract = {The ACME certificate issuance and management protocol, standardized as IETF RFC 8555, is an essential element of the web public key infrastructure (PKI). It has been used by Let's Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. Despite its importance, however, the security of ACME has not been studied at the same level of depth as other protocol standards like TLS 1.3 or OAuth. Prior formal analyses of ACME only considered the cryptographic core of early draft versions of ACME, ignoring many security-critical low-level details that play a major role in the 100 page RFC, such as recursive data structures, long-running sessions with asynchronous sub-protocols, and the issuance for certificates that cover multiple domains.We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY⋆, which in turn is based on the F⋆ programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY* with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and K{\"u}sters, Ralf and Schmitz, Guido and W{\"u}rtele, Tim}, institution = {Cryptology ePrint Archive}, number = {2021/1457}, title = {{An In-Depth Symbolic Security Analysis of the ACME Standard}}, type = {Technical Report}, url = {https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-iacr-2021-1457.pdf}, year = 2021 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-iacr-2021-1457.pdf
2. Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc Huy Do, Pedram Hosseyni, Ralf Küsters, Guido Schmitz, and Tim Würtele, “A Tutorial-Style Introduction to DY*,” in Protocols, Strands, and Logic: Essays Dedicated to Joshua Guttman on the Occasion of His 66.66 Birthday., D. Dougherty, J. Meseguer, S. A. Mödersheim, and P. Rowe (Eds.). Springer, 2021, pp. 77--97.
  Abstract
  DY* is a recently proposed formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, DY* accounts for advanced protocol features like unbounded loops and mutable recursive data structures as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Protocols modeled in DY* can be executed, and hence, tested, and they can even interoperate with real-world counterparts. DY* extends a long line of research on using dependent type systems but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. With this, one can uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. In this paper, we provide a tutorial-style introduction to DY*: We illustrate how to model and prove the security of the ISO-DH protocol, a simple key exchange protocol based on Diffie-Hellman.
  BibTeX
  @incollection{BhargavanBichhavatDoHosseyniKuestersSchmitzWuertele-Guttmanfest-2021, abstract = {DY* is a recently proposed formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, DY* accounts for advanced protocol features like unbounded loops and mutable recursive data structures as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Protocols modeled in DY* can be executed, and hence, tested, and they can even interoperate with real-world counterparts. DY* extends a long line of research on using dependent type systems but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. With this, one can uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. In this paper, we provide a tutorial-style introduction to DY*: We illustrate how to model and prove the security of the ISO-DH protocol, a simple key exchange protocol based on Diffie-Hellman.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and K{\"u}sters, Ralf and Schmitz, Guido and W{\"u}rtele, Tim}, booktitle = {{Protocols, Strands, and Logic: Essays Dedicated to Joshua Guttman on the Occasion of His 66.66 Birthday.}}, doi = {10.1007/978-3-030-91631-2_4}, editor = {Dougherty, Daniel and Meseguer, Jos{\'e} and M{\"o}dersheim, Sebastian Alexander and Rowe, Paul}, pages = {77--97}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, title = {{A Tutorial-Style Introduction to DY*}}, url = {https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-guttmanfest-2021.pdf}, volume = 13066, year = 2021 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-guttmanfest-2021.pdf
  DOI
  10.1007/978-3-030-91631-2_4
3. Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc Huy Do, Pedram Hosseyni, Ralf Küsters, Guido Schmitz, and Tim Würtele, “An In-Depth Symbolic Security Analysis of the ACME Standard,” in ACM Conference on Computer and Communications Security (CCS 2021), ACM, 2021, pp. 2601–2617.
  Abstract
  The ACME certificate issuance and management protocol, standardized as IETF RFC 8555, is an essential element of the web public key infrastructure (PKI). It has been used by Let's Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. Despite its importance, however, the security of ACME has not been studied at the same level of depth as other protocol standards like TLS 1.3 or OAuth. Prior formal analyses of ACME only considered the cryptographic core of early draft versions of ACME, ignoring many security-critical low-level details that play a major role in the 100 page RFC, such as recursive data structures, long-running sessions with asynchronous sub-protocols, and the issuance for certificates that cover multiple domains.We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY⋆, which in turn is based on the F⋆ programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY* with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.
  BibTeX
  @inproceedings{BhargavanBichhavatDoHosseyniKuestersSchmitzWuertele-CCS-2021, abstract = {The ACME certificate issuance and management protocol, standardized as IETF RFC 8555, is an essential element of the web public key infrastructure (PKI). It has been used by Let's Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. Despite its importance, however, the security of ACME has not been studied at the same level of depth as other protocol standards like TLS 1.3 or OAuth. Prior formal analyses of ACME only considered the cryptographic core of early draft versions of ACME, ignoring many security-critical low-level details that play a major role in the 100 page RFC, such as recursive data structures, long-running sessions with asynchronous sub-protocols, and the issuance for certificates that cover multiple domains.We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY⋆, which in turn is based on the F⋆ programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY* with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and K{\"u}sters, Ralf and Schmitz, Guido and W{\"u}rtele, Tim}, booktitle = {{ACM Conference on Computer and Communications Security (CCS 2021)}}, doi = {10.1145/3460120.3484588}, pages = {2601-2617}, publisher = {{ACM}}, title = {{An In-Depth Symbolic Security Analysis of the ACME Standard}}, url = {https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-ccs-2021.pdf}, year = 2021 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-ccs-2021.pdf
  DOI
  10.1145/3460120.3484588
4. Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc Huy Do, Pedram Hosseyni, Ralf Küsters, Guido Schmitz, and Tim Würtele, “DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code,” in IEEE European Symposium on Security and Privacy (EuroS&P 2021), IEEE, 2021, pp. 523–542.
  Abstract
  We present DY*, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.
  BibTeX
  @inproceedings{BhargavanBichhavatDoHosseyniKuestersSchmitzWuertele-EuroSP-2021, abstract = {We present DY*, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.}, author = {Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and K{\"u}sters, Ralf and Schmitz, Guido and W{\"u}rtele, Tim}, booktitle = {{IEEE European Symposium on Security and Privacy (EuroS{\&}P 2021)}}, doi = {10.1109/EuroSP51992.2021.00042}, pages = {523-542}, publisher = {IEEE}, title = {{DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code}}, url = {https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-eurosp-2021.pdf}, year = 2021 }
  Link
  https://publ.sec.uni-stuttgart.de/bhargavanbichhavatdohosseynikuestersschmitzwuertele-eurosp-2021.pdf
  DOI
  10.1109/EuroSP51992.2021.00042

Acknowledgements

This work has been supported by Deutsche Forschungsgemeinschaft (DFG).

DY*

About DY*

Case Studies and Impact

History

Literature and Publications

2023

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

2021

Abstract

BibTeX

Link

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

DOI

Acknowledgements

Ralf Küsters

Audience

Formalities

Services

Organization

DY*

About DY*

Case Studies and Impact

History

Literature and Publications

2023

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

2021

Abstract

BibTeX

Link

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

DOI

Abstract

BibTeX

Link

DOI

Acknowledgements

Ralf Küsters

Here you can reach us

Audience

Formalities

Services

Organization