Formally Linking Security Protocol Models and Implementations

Similar documents
Verfying the SSH TLP with ProVerif

Code Generation for network software with formal safety guarantees

for Compound Authentication

The automatic security protocol verifier ProVerif

From CryptoVerif Specifications to Computationally Secure Implementations of Protocols

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Authenticated Encryption in TLS

Security Protocol Verification: Symbolic and Computational Models

Apache Commons Crypto: Another wheel of Apache Commons. Dapeng Sun/ Xianda Ke

Meta-programming with Names and Necessity p.1

Goals of Modern Cryptography

Ref:

Plaintext Awareness via Key Registration

Towards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA

Formal Methods and Cryptography

SPi Calculus: Outline. What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

Embedding Cryptol in Higher Order Logic

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Protecting TLS from Legacy Crypto

Implementing Cryptography: Good Theory vs. Bad Practice

Verification of Security Protocols

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Formal methods for software security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptography (Overview)

NIST Cryptographic Toolkit

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

Breaking and Fixing Public-Key Kerberos

Key Encryption as per T10/06-103

Lecture 3: Recursion; Structural Induction

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Tracing Ambiguity in GADT Type Inference

Verified Interoperable Implementations of Security Protocols

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications

A messy state of the union:

VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS. Lennart Beringer, Princeton University

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Secure Multiparty Computation

FIPS Security Policy UGS Teamcenter Cryptographic Module

Refining Computationally Sound Mech. Proofs for Kerberos

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Study Guide for the Final Exam

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Cryptography and Network Security

Encryption 2. Tom Chothia Computer Security: Lecture 3

SMPTE Standards Transition Issues for NIST/FIPS Requirements

Computer Security: Principles and Practice

Automotive Security An Overview of Standardization in AUTOSAR

CSE 127: Computer Security Cryptography. Kirill Levchenko

Classifying Encrypted Traffic with TLSaware

Chapter 8 Web Security

What is Suite B? How does it relate to Government Certifications?

VisiBroker for Visual Studio 2013

Complex Systems Design &DistributedCalculusandCoordination

Crypto Basics: History, Applied Cryptography in IT Security Today and in the Next Year

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

APNIC elearning: Cryptography Basics

Uses of Cryptography

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

Deploying a New Hash Algorithm. Presented By Archana Viswanath

CS 161 Computer Security

Security in ECE Systems

CS 565: Programming Languages. Spring 2008 Tu, Th: 16:30-17:45 Room LWSN 1106

Not-quite-so-broken TLS 1.3 mechanised conformance checking

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Alice and Bob: Reconciling Formal Models and Implementation

A Remote Biometric Authentication Protocol for Online Banking

Lecture 1 Applied Cryptography (Part 1)

The design of a programming language for provably correct programs: success and failure

Cryptographic Hash Functions

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

U.S. E-Authentication Interoperability Lab Engineer

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Computationally Sound Mechanized Proof of PKINIT for Kerberos

Technological foundation

Verified Interoperable Implementations of Security Protocols

Com S 541. Programming Languages I

Lecture 11 Lecture 11 Nov 5, 2014

Mechanized Proofs for a Recursive Authentication Protocol

VisiBroker Release Notes

CS 4110 Programming Languages & Logics. Lecture 28 Recursive Types

Transport Level Security

Encryption. INST 346, Section 0201 April 3, 2018

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Programming Languages Lecture 15: Recursive Types & Subtyping

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

Random Oracles - OAEP

CSE509: (Intro to) Systems Security

Security Protocols and Infrastructures

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

1 Introduction. 3 Syntax

A FAST HANDSHAKE CACHING PROTOCOL WITH CACHING CENTER

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

About FIPS, NGE, and AnyConnect

IBM Education Assistance for z/os V2R1

Transcription:

Formally Linking Security Protocol Models and Implementations Alfredo Pironti Microsoft Research INRIA http://alfredo.pironti.eu/research/ Politecnico di Torino Formal Methods for Security Protocol Engineering 28 th October, 2011 Alfredo Pironti Formal Methods for Security Protocols Engineering 1 / 26

Security Protocols In a nutshell Protect exchange of valuable assets E-banking, e-mail, e-voting... Communication protocols based on cryptographic primitives Base for reliable, pervasive and dependable services Concise, yet difficult to get right Exhaustive testing not feasible The TLS example Design and crypto Since 1996, 4 revisions, 1 extension patch, attacks still found Implementation About 2-3 OpenSSL security advisories per year Alfredo Pironti Formal Methods for Security Protocols Engineering 2 / 26

Formal Methods for Security Protocols The weapon... Unambiguous specifications Rigorous proofs of correctness Possibly automatic... without silver bullet Full protocol implementations too complex Need to consider models instead of programs Dolev-Yao cryptography: {M} k is the symbolic encryption of M under key k; M can be retrieved only if k is available High level message exchange: A B : {M} k Don t care about cryptographic algorithms (3DES, AES... ) or message format Alfredo Pironti Formal Methods for Security Protocols Engineering 3 / 26

Bridging the Gap Motivation From protocol informal specification (e.g. TLS 1.2, RFC 5246) Researchers verify formal models (π-calculus, CSP, HLPSL... ) Developers write implementations (C, C#, Java... ) No link between models and implementations No verification of details neglected in models Alfredo Pironti Formal Methods for Security Protocols Engineering 4 / 26

How to Bridge the Gap Possible approaches Model extraction [ASPIER; Elyjah; fs2pv... ] From code, abstract a model Doesn t work yet on legacy code Code generation [AGC-C#; AGVI; CACE; Spi2Java... ] From model, refine to code Need to know modeling language Alfredo Pironti Formal Methods for Security Protocols Engineering 5 / 26

How to Bridge the Gap Possible approaches Code/model conformance (refinement types) [Jif; F7; F*... ] Given code and model, (type-)check code against model Need to specify the model Executable models [JavaSPI] The model is itself an executable program Still a relation with a verifiable model is needed Approach detailed in this lecture Alfredo Pironti Formal Methods for Security Protocols Engineering 6 / 26

Agenda Writing Java models What is a Java model? Model execution, verification, refinement Linking Java to π-calculus Define semantics of both languages Relate the two semantics Theorem of simulation Alfredo Pironti Formal Methods for Security Protocols Engineering 7 / 26

Background A specific extended pi calculus Fixed set of operators Easier to reason about and to implement Backs up the Java model Asymmetric key cryptography fun PubPart/1. fun PriPart/1. fun PriEncrypt/2. fun PubEncrypt/2. reduc PriDecrypt(PriPart(Key),PubEncrypt(PubPart(Key),M)) = M. reduc PubDecrypt(PubPart(Key),PriEncrypt(PriPart(Key),M)) = M. data true/0. reduc SignCheck(PriEncrypt(PriPart(Key),M),M,PubPart(Key)) = true. Alfredo Pironti Formal Methods for Security Protocols Engineering 8 / 26

Background Shared key cryptography fun SharedKey/1. reduc MaterialShareKey(SharedKey(x)) = x. fun SymEncrypt/2. reduc SymDecrypt(Key, SymEncrypt(Key, M)) = M. Hash function fun H/1. Diffie-Hellman fun DHPub/1. fun DHKey/2. equation DHKey(x,DHPub(y)) = DHKey(y,DHPub(x)). Alfredo Pironti Formal Methods for Security Protocols Engineering 9 / 26

The JavaSPI Framework I Features The model is a Java program Executable Not yet a fully fledged implementation Standard Java debugger realizes model simulation Implementation details as standard Java annotations Finally translated into the concrete application Formal verification done via ProVerif (Dolev-Yao model) Implies some relationship between Java and ProVerif Alfredo Pironti Formal Methods for Security Protocols Engineering 10 / 26

The JavaSPI Framework II Restrictions on Java Code All new objects must belong to the SpiWrapperSim library Side-effect free library implementing pi calculus terms Other accidental restrictions No nested new objects (create tmp variables instead) Restricted loops, recursion and Java lists (to ease verification) Alfredo Pironti Formal Methods for Security Protocols Engineering 11 / 26

Reference Example The 6.1.5 (sof) Clark-Jacob Protocol 1 B A : B, Rb 2 A B : A, {H(Rb), Ra, A, K} Kab 3 B A : B, {H(Ra)} K Alfredo Pironti Formal Methods for Security Protocols Engineering 12 / 26

The Reference Example in JavaSPI Application Architecture One Java class per protocol actor As abstract as the Spi Calculus model Demo Via the Eclipse IDE Code Simulation Generated prototype Alfredo Pironti Formal Methods for Security Protocols Engineering 13 / 26

Formal Verification I The Java-ProVerif Tool From a JavaSPI model To a ProVerif model Security queries as Java annotations in the JavaSPI model Demo Security Java annotations Resulting ProVerif model Alfredo Pironti Formal Methods for Security Protocols Engineering 14 / 26

Formal Verification II Java-ProVerif Syntax Translation Rules Syntactical translation between semantically equivalent languages A Taste of the Translation Rules Statement Java ProVerif Fresh Type a = new Type(); new a; Assign Type a = b; let a = b in Send cab.send(a); out(cab, a); Receive Type a = cab.receive(type.class); in(cab, a); Constructor Type a = new Type(b); let a = C(b) in Destructor Type a = b.method(args) let a = D(args) Match case if (a.equals(b)) {...} if a = b then (...) Alfredo Pironti Formal Methods for Security Protocols Engineering 15 / 26

Concrete Implementation Java Annotations Natural coupling between model and implementation details Exploiting annotations scope to reduce burden Sensible default values significantly reduce required annotations Java-Java tool From annotated JavaSPI to concrete Java implementation With cryptographic algorithms (e.g. AES, SHA-1) and parameters (e.g. key size, TCP port) Marshaling layer (network format and byte order) Demo Not much sense on the sof protocol Artificial implementation details, as there is no standard Explained in a minute along with bigger SSL example Alfredo Pironti Formal Methods for Security Protocols Engineering 16 / 26

Framework Architecture Alfredo Pironti Formal Methods for Security Protocols Engineering 17 / 26

A Significant Subset of SSL Features Both client and server sides Restricted scenario - Hardcoded ciphersuites + DH key exchange + Run-time resolution of IVs Formally verified (ProVerif) Interoperable (OpenSSL) Alfredo Pironti Formal Methods for Security Protocols Engineering 18 / 26

The JavaSPI Model of (the subset of) SSL Code Annotations Do not burden the code ~60 annotations in total (Client + Server) ~10% of the whole model size Demo Show refinement annotations Show and run refined implementation Alfredo Pironti Formal Methods for Security Protocols Engineering 19 / 26

Linking Java to pi calculus The problem Java code is executed ProVerif model is verified Intuition JavaSPI code has restrictions It looks like a ProVerif model Show that Whatever Java can do There exists a pi calculus process that does the same (and is verified) So that we can verify ProVerif models and run Java code Alfredo Pironti Formal Methods for Security Protocols Engineering 20 / 26

Practice and Theory In practice /* let plain = SymDecrypt(key,cipher) in */ Message plain = cipher.decrypt(key); Formally The other way round Function tr p : pi Java In: pi calculus process Out: well formed (i.e. that compiles ) Java code Alfredo Pironti Formal Methods for Security Protocols Engineering 21 / 26

Dynamic Semantic Correctness Intuition The generated Java program correctly refines the Spi calculus specification it was generated from Labelled Transition Systems (LTS) for Spi calculus and Java Weak simulation relation S between the two Alfredo Pironti Formal Methods for Security Protocols Engineering 22 / 26

Dynamic Semantic Correctness Pi Calculus Operational Semantics Pσ L P σσ where P, P are open pi calculus processes and σ, σ are sets of variable substitutions Example out(c,m); P c!m P let plain = SymDecrypt(Key, SymEncrypt(Key, M)); P τ P[ M / plain ] Alfredo Pironti Formal Methods for Security Protocols Engineering 23 / 26

Dynamic Semantic Correctness Java Operational Semantics j, Mem L j, Mem where j, j are sequences of Java statements to be executed and Mem, Mem are partial relations representing the current memory configuration Example {c.send(m); j}, Mem c!m {j}, Mem {Message plain = cipher.decrypt(key); j}, Mem τ {j}, Mem[plain := M] (if cipher is {M} key ) Alfredo Pironti Formal Methods for Security Protocols Engineering 24 / 26

Dynamic Semantic Correctness Simulation Relation S S(Pσ, (j, Mem)) j = tr p (P, RI ) σ = Mem for some refinement information RI The Java code is actually implementing a translated Spi calculus process Alfredo Pironti Formal Methods for Security Protocols Engineering 25 / 26

Dynamic Semantic Correctness Theorem [HASE08; COSE10] If the SpiWrapper library behaves as assumed, then S(Pσ, (j, Mem)) j, Mem τ L τ j, Mem Pσ L P σ S(P σ, (j, Mem )) Alfredo Pironti Formal Methods for Security Protocols Engineering 26 / 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback