Reading Tamarin Prover Output

2025-04-29 · Ryan Williams FORMAL METHODS TUTORIAL SECURITY

Learn to interpret attack traces, proof trees, and counterexample graphs in Tamarin's interactive UI — using a simple key-exchange protocol. No prior Tamarin knowledge required.

Tamarin Prover is a tool for formally verifying security protocols. It either proves a property holds for all possible executions, or finds a concrete attack that violates it. This tutorial teaches you to read its visual output.

The Protocol

Alice wants to send Bob a secret. Bob publishes a public key, Alice encrypts with it, Bob decrypts with his private key.

Message Flow

Alice Bob │ │ │ 1. Bob publishes pk(sk) │ │◄───────────────────────────────│ │ │ │ 2. aenc(secret, pk(sk)) ───► │ │ │ │ 3. Bob decrypts with sk │

What We Verify

VERIFIED executable

Can this protocol actually complete? (Sanity check — the answer should be yes.)

VERIFIED secrecy

Can the adversary learn the secret? (No — the encryption protects it.)

The Complete Theory

Hover over highlighted elements for explanations.

Anatomy of a Tamarin Rule

Every rule has three parts. Click each zone to learn what it does.

Click a zone above

Each rule has premises (consumed), actions (logged), and conclusions (produced).

The Theory Overview Page

When you load a theory in the interactive UI, you see rules on the left and lemmas on the right. Badges show proof status.

Rules

Generate_Keypair
[ Fr(~sk) ] --[ KeyGen ]-> [ !Sk, !Pk, Out ]
Alice_Send
[ Fr(~s), !Pk ] --[ Secret, Sent ]-> [ Out ]
Bob_Receive
[ !Sk, In ] --[ Received ]-> [ ]

Lemmas

VERIFIED executable
exists-trace · Click to see the trace →
VERIFIED secrecy
all-traces · Click to see the proof tree →

Reading Attack Traces

For exists-trace lemmas, Tamarin finds a concrete execution and displays it as a dependency graph. Time flows top to bottom. Boxes are rule firings, arrows show which facts flow between them.

Step 0 of 3

Click "Step Through" to walk through the trace one rule at a time.

Key Observations

  • Solid arrows = linear facts (consumed on use)
  • Dashed arrows = persistent facts (!Sk, !Pk — read by many rules)
  • Yellow boxes inside rules = action facts (what lemmas reason about)

Reading Proof Trees

For all-traces lemmas that are VERIFIED, Tamarin shows a proof tree — backward reasoning that exhaustively closes all possible attacks. Click nodes to expand.

Proof Tree: secrecy

Click any node to expand or collapse it. Green leaves are contradictions — the adversary fails. When all leaves are green, the property holds.

Introducing a Bug

What if Bob accidentally leaks the secret after decrypting it? Toggle between the clean and broken protocol to see what changes.

✓ Clean Protocol
✗ Broken Protocol

Bob's Rule

Impact

Reading Counterexample Traces

When an all-traces lemma is FALSIFIED, the graph shows a concrete attack — the same format as an attack trace, but with an adversary derivation showing how the secret leaks.

Step 0 of 4

Click "Step Through" to see how the adversary learns the secret.

Fact Types Reference

Quick reference for the visual elements in Tamarin graphs.

From Tutorial to IAMReach

IAMReach uses exactly the same Tamarin structure. Here's how concepts map:

TutorialIAMReach
Generate_KeypairLegitLambdaInit — entity gets role credentials
Alice_SendAssume_X_to_Y — sts:AssumeRole call
!Pk($B, pk(~sk))!ExternalId('Vendor', 'Target', id) — shared secret
MFAAuth(e, token) as premiseMFA gate on a trust relationship
!LegitMarker(e)Entity is legitimate (not an adversary)
K(~secret)Adversary reaches a target role
Counterexample traceThe IAM role chain violating a property
Proof treeExhaustive proof that isolation holds

When a FALSIFIED lemma appears in an IAMReach theory, read the counterexample trace the same way: boxes are role assumptions, arrows are credential flows, and the adversary derivation shows the attack path.