To run the analyser, compile all the source files and link them together;
cfa2.ml is the main file.

There is no input language for the protocols to be analysed. To give a
protocol to the analyser, you must include it in the source code as a syntax
tree.

The analyser outputs the result of the analysis. To find out whether the
protocol is secure, you should verify that the five conditions in [1] are
satisfied.

The constraint variables in the analyser differ somewhat from those in [1]
(the analyser came first and the paper [1] afterwards; when writing the
paper, deviating from the analyser helped the presentation). In particular,
there are no constraint variables R^*_*. The constraint variables S^*_* of
[1] are called VVF(...) in the analyser, and the constraints for them are the
composition of the constraints for R^*_* and S^*_* in [1]. Additionally, the
analyser has variables VVI(...) to which no variable in [1] corresponds. The
variables VVI(...) hold the "initial analysis information" at some program
point. In [1], this information is usually denoted by I (but I is a
placeholder there, not a constraint variable). The constraints for VVI(...)
are very simple.

The analyser can also analyse signatures. The constraint variables VS(l,b)
record the texts that have been signed with the signature key created at
the program point (l,b).

[1] M. Backes, P. Laud. Computationally Sound Secrecy Proofs by Mechanized
Flow Analysis. In ACM CCS 2006.
