The formal analysis of security protocols is dominated by automated protocol verification tools. They are based on abstract interpretation techniques and other over-approximations and their implementations are highly optimised and complex. Such a complex verification tool may suffer from bugs resulting in accepting some incorrect protocols as correct.

These risks of errors are also present, but considerably smaller, when using an LCF-style theorem prover like Isabelle. The interactive security proof, however, requires a lot of expertise and time.

To address these problems, we work on combining the advantages of both worlds by using the representation of the over-approximated search space computed by the automated tools as a “proof idea” in Isabelle. Thus, we devise proof tactics for Isabelle that generate the correctness proof of the protocol from the output of the automated tools. In the worst case, these tactics fail to construct a proof, namely when the representation of the search space is for some reason incorrect. However, when they succeed, the correctness only relies on the basic model and the Isabelle core.

A first prototypical implementation is available as free software in our Protocol Security git organization.

Important Publications

1. Brucker, A. D. and Mödersheim, S. A. “Integrating Automated and Interactive Protocol VerificationWorkshop on formal aspects in security and trust (fast 2009) (2009): 248–262. doi:10.1007/978-3-642-12459-4_18, URL:

2. Hess, A. V., Mödersheim, S. A., and Brucker, A. D. “Stateful Protocol CompositionESORICS (2018): URL: