Formal methods for software security

Similar documents
Cryptographically Sound Implementations for Typed Information-Flow Security

Integrating verification in programming languages

Translation Validation for a Verified OS Kernel

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Turning proof assistants into programming assistants

Secure Programming Lecture 15: Information Leakage

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Towards a Practical, Verified Kernel

Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Security-by-Contract for Applications Evolution in Multi-Application Smart Cards

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

About the world-first smart card certificate with EAL7 formal assurances

Lecture 3 MOBILE PLATFORM SECURITY

CS 395T. Analyzing SET with Inductive Method

Computer Security CS 526

Computationally Sound Mechanized Proof of PKINIT for Kerberos

ARM TrustZone for ARMv8-M for software engineers

Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples

C and C++ Secure Coding 4-day course. Syllabus

Browser Security Guarantees through Formal Shim Verification

Refining Computationally Sound Mech. Proofs for Kerberos

From CryptoVerif Specifications to Computationally Secure Implementations of Protocols

Type Theory meets Effects. Greg Morrisett

Introduction to Term Rewrite Systems and their Applications

Language-Based Information- Flow Security

Mixing formal methods to increase robustness against cyber-attacks

Resilient IoT Security: The end of flat security models

X-Rays, not Passport Checks Information Flow Control Using JOANA

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Foundations of Cryptography CS Shweta Agrawal

MLR INSTITUTE OF TECHNOLOGY DUNDIGAL , HYDERABAD QUESTION BANK

Security Protocol Verification: Symbolic and Computational Models

From Crypto to Code. Greg Morrisett

Overview of Cryptography

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

An Approach to the Generation of High-Assurance Java Card Applets

Improving Interrupt Response Time in a Verifiable Protected Microkernel

Representation Independence, Confinement and Access Control

SIR C R REDDY COLLEGE OF ENGINEERING

Mechanising BAN Kerberos by the Inductive Method

Information Security CS526

Certified Memory Usage Analysis

Micro-Architectural Attacks and Countermeasures

Applied IT Security. Device Security. Dr. Stephan Spitz 10 Development Security. Applied IT Security, Dr.

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

Authenticated Encryption in TLS

Crypto Background & Concepts SGX Software Attestation

Information Security CS526

Type Checking and Type Equality

The MILS Partitioning Communication System + RT CORBA = Secure Communications for SBC Systems

Bitcoin, a decentralized and trustless protocol

Privacy-ABC Technologies on Mobile Phones

Practical Attack Scenarios on Secure Element-enabled Mobile Devices

CSE543 - Computer and Network Security Module: Virtualization

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Proof Carrying Code(PCC)

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

The Evolution of Secure Operating Systems

Embedded/Connected Device Secure Coding. 4-Day Course Syllabus

Key Protection for Endpoint, Cloud and Data Center

Formal Methods at Scale in Microsoft

14. Internet Security (J. Kurose)

Securing IoT with the ARM mbed ecosystem

Distributed ID-based Signature Using Tamper-Resistant Module

A Remote Biometric Authentication Protocol for Online Banking

Functional Programming in Embedded System Design

Designing Security & Trust into Connected Devices

Representation Independence, Confinement and Access Control

Distributed Systems. Lecture 14: Security. Distributed Systems 1

The Smart Grid Security Innovation Alliance. John Reynolds October 26, 2011 Cambridge, Massachusetts

New Approaches to Connected Device Security

A Certified Non-Interference Java Bytecode Verifier

Privacy in Statistical Databases

Distributed Systems. Lecture 14: Security. 5 March,

How Formal Analysis and Verification Add Security to Blockchain-based Systems

CSC 5930/9010 Cloud S & P: Virtualization

Deductive Program Verification with Why3, Past and Future

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

The automatic security protocol verifier ProVerif

Automotive Security An Overview of Standardization in AUTOSAR

Security for Multithreaded Programs under Cooperative Scheduling

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

2 Secure Communication in Private Key Setting

ARM Security Solutions and Numonyx Authenticated Flash

Computer Science (CS)

Implementing Cryptography: Good Theory vs. Bad Practice

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Lecture 1: Perfect Security

Inline Reference Monitoring Techniques

From imagination to impact

Towards information-flow aware automatic memory management

E-commerce security: SSL/TLS, SET and others. 4.1

Secure Multiparty Computation

Transcription:

Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017

Formal methods for software security

Formal methods for software security Confidentiality Certification Information flow Secure OS Security types Availability Reference monitors Integrity Coq Non-interference Side channels B Secure programming SEL4 Cryptographic protocols Refinement Computational model Security types Enforcement

Formal methods for software security 1.Basic concepts 2.Cryptographic protocols 3.Secure OS 4.Certification of software 5.Information flow

Basic security concepts Confidentiality my secrets will not be disclosed at least not more than I'm willing to accept. Integrity my data and decisions are not influenced by intruders. Availability software and services are there when I need them.

Basic security concepts Confidentiality my secrets will not be disclosed at least not more than I'm willing to accept. Integrity my data and decisions are not influenced by intruders. Availability software and services are there when I need them. Security Safety

Basic security concepts Confidentiality my secrets will not be disclosed at least not more than I'm willing to accept. Integrity my data and decisions are not influenced by intruders. Availability software and services are there when I need them. Security Safety but they are strongly related

Attacker model Security is open-ended! The question Is my software secure? must be complemented by an attacker model, stating the threats we are up against. Specify the attackers observational power (output, network messages, time, ) actions (code insertion, message injection, ) access to machine (physical, through network, )

Enforcement mechanisms Certification of applications Common Criteria Formal methods for reaching upper levels. Security-enhancing software development secure programming guidelines secure compilation. Static code analysis eg, Java's byte code verifier, information flow analysis. Reference monitors and run-time analysis

Cryptographic protocols

Models of cryptographic protocols Symbolic models specified as a series of exchanges of messages assuming perfect cryptography Example : two agents A, B Attackers may intercept and re-send messages encrypt and decrypt messages (with available keys)

Verification Model state = current message + state of A,B, and attacker rewriting rules defining protocol and attacker Security properties { (msg)key, key } { msg, (msg)key, key } secrecy ("no state where attacker has the secret") authentification, re-play, specific properties ("key may not be used on stored content", "vote has been counted")

Tools A variety of mature tools AVISPA, Tamarin, ProVerif, Timbuk, based on term and multi-set rewriting, Horn clauses, Interfaces for writing and animating protocols eg as Message Sequence Charts (SPAN).

Computational models A model closer to reality: Messages: bit strings, Crypto primitives: functions on bit strings, Attacker : any probabilistic poly-time Turing machine. Properties proved for all traces except for a set of traces of negligible probability. Secrecy: attacker can distinguish secret from random number with only infinitesimal probability. Proofs by refinement of models. See eg. the cryptoverif tool

Implementations of crypto protocols

Implementations of crypto protocols Security concerns with implementations of protocols and basic operations of cryptography.

Implementations of crypto protocols Security concerns with implementations of protocols and basic operations of cryptography. Implementations of cryptographic primitives are prone to side channel attacks: leaking secrets via timing or energy consumption, a challenge for implementors

Implementations of crypto protocols Security concerns with implementations of protocols and basic operations of cryptography. Implementations of cryptographic primitives are prone to side channel attacks: leaking secrets via timing or energy consumption, a challenge for implementors Implementations of entire protocols are prone to programming errors: see the Verified TLS project for building a formally verified implementation of TLS.

Secure operating systems

Security and OS Organized Sharing of ressources between processes using the same memory communicating via IPC and still guarantee isolation properties. P1 P2 P3 OS Store

Security and OS Organized Sharing of ressources between processes using the same memory communicating via IPC and still guarantee isolation properties. P1 P2 P3 OS Store GuestOS GuestOS Hypervisor Store

Security and OS Organized Sharing of ressources between processes using the same memory communicating via IPC and still guarantee isolation properties. P1 P2 P3 OS Store GuestOS GuestOS Hypervisor Store Large, complex software - long history of security alerts.

The SEL4 project Project run at NICTA 2004-2014. Formal verification of Liedtke's L4 micro-kernel. small code base (9 K Loc), threads, memory management, IPC, interrupts, capabilitybased AC, running on ARM, verified using the Isabelle/HOL theorem prover. Prove: Functional correctness (and a lot of safety properties) Non-interference

SEL4: proof structure Proof by refinement Abstract model Executable model C implementation Binary kernel HOL Haskell C HOL4 binary spec

SEL4: proof structure Proof by refinement Abstract model Executable model C implementation Binary kernel HOL Haskell C HOL4 binary spec On the "Abstract model", build access control model, integrity and confidentiality proof

SEL4: proof structure Proof by refinement Abstract model Executable model C implementation Binary kernel HOL Haskell C HOL4 binary spec On the "Abstract model", build access control model, integrity and confidentiality proof 200 000 lines of Isabelle/HOL proof 25 person-years

Prove & Run's ProvenCore SEL4 uses Isabelle/HOL and Haskell higher-order logic and lazy functional programming is still not main-stream development tools. Prove & Run has developed a formally verified microkernel ProvenCore refinement proof method isolation properties. using their SMART development framework: functional, executable specification closer to programmer's intuition equipped with a dedicated prover

Certification of Java Card applications

Java Card certification

Java Card certification Java Card reduced dialect of Java for bank cards and SIM, no dynamic loading, reflection, floating points, threads, "resource-constrained" programming practice.

Java Card certification Java Card reduced dialect of Java for bank cards and SIM, no dynamic loading, reflection, floating points, threads, "resource-constrained" programming practice. Industrial context: Applications developed by third-parties and put on an app store. Must be certified according to industry norms (eg, AFSCM * norms for NFC applications). Need "light-weight" certification techniques. *Association Française du Sans Contact Mobile

AFSCM norms/guidelines Enforce good programming practice and resource usage catch exceptions, call methods with valid args, no recursion and almost no dynamic allocation, don't call method xxx. Avoid exceptions due to null pointers, array indexing, class casts, illegal applet interaction through the firewall.

The Java Card analyser

The Java Card analyser A combination of numeric and points-to analysis tailored to the application domain, take advantage of imposed restrictions, precise (flow-sensitive, inter-proc, trace partitioning).

The Java Card analyser A combination of numeric and points-to analysis tailored to the application domain, take advantage of imposed restrictions, precise (flow-sensitive, inter-proc, trace partitioning). Major challenge: modelling the Java Card API.

The Java Card analyser A combination of numeric and points-to analysis tailored to the application domain, take advantage of imposed restrictions, precise (flow-sensitive, inter-proc, trace partitioning). Major challenge: modelling the Java Card API. Outcome: an abstract model of execution states mined by queries formalising the AFSCM norms.

The Java Card analyser A combination of numeric and points-to analysis tailored to the application domain, take advantage of imposed restrictions, precise (flow-sensitive, inter-proc, trace partitioning). Major challenge: modelling the Java Card API. Outcome: an abstract model of execution states mined by queries formalising the AFSCM norms.

Information flow analysis

Back to confidentiality Classify data as either private/secret/confidential public A basic security policy: "Confidential data should not become public"

Breaking confidentiality int secret s; // s {0,1} int public p;

Breaking confidentiality int secret s; // s {0,1} int public p; p := s; Direct flow

Breaking confidentiality int secret s; // s {0,1} int public p; p := s; Direct flow if s == 1 then p := 1 else p := 0 Indirect flow

Non-interference Confidentiality can be formalised as non-interference: Changes in secret values should not be publicly observable

Non-interference Confidentiality can be formalised as non-interference: Changes in secret values should not be publicly observable

Non-interference Confidentiality can be formalised as non-interference: Changes in secret values should not be publicly observable

Non-interference Confidentiality can be formalised as non-interference: Changes in secret values should not be publicly observable

Dynamic enforcement Add a security level ("taint") to all data and variables Security levels evolve due to assignments

Dynamic enforcement Add a security level ("taint") to all data and variables Security levels evolve due to assignments p := s; // direct flow

Dynamic enforcement Add a security level ("taint") to all data and variables Security levels evolve due to assignments p := s; // direct flow

Dynamic enforcement Add a security level ("taint") to all data and variables Security levels evolve due to assignments p := s; // direct flow and when we assign under secret control: if s == 1 then p := 1

Dynamic enforcement Add a security level ("taint") to all data and variables Security levels evolve due to assignments p := s; // direct flow and when we assign under secret control: if s == 1 then p := 1

Secure? Not enough to enforce confidentiality! int secret s; // s {0,1} int public p,q; p := 0; q := 1; if s == 0 then q := 0; if q == 1 then p := 1;

Secure? Not enough to enforce confidentiality! int secret s; // s {0,1} int public p,q; p := 0; q := 1; if s == 0 then q := 0; if q == 1 then p := 1; s=0 p=0,q=1 p=0,q=0 skip p=0

Secure? Not enough to enforce confidentiality! int secret s; // s {0,1} int public p,q; p := 0; q := 1; if s == 0 then q := 0; if q == 1 then p := 1; s=0 p=0,q=1 p=0,q=0 skip p=0 s=1 p=0,q=1 skip p=1,q=1 p=1

Secure? Not enough to enforce confidentiality! int secret s; // s {0,1} int public p,q; p := 0; q := 1; if s == 0 then q := 0; if q == 1 then p := 1; s=0 p=0,q=1 p=0,q=0 skip p=0 s=1 p=0,q=1 skip p=1,q=1 p=1 Need the "no-sensitive-upgrade" principle

Static information flow control Information flow types: T,Tx,Tpc {public secret} Typing rules: e : T T T x Tpc T x Tpc x := e assign e : T Tpc T S i i = 1,2 Tpc if e then S 1 else S 2 if Well-typed programs are non-interferent

Declassification and side channels How to declassify confidential data: what and when to declassify? how much to declassify (passwd, statistics)? Information leaks due to other channels timing energy consumption Challenge: analysis tools to check constant-time properties of (well-crafted) cryptographic computations.

Coda

Many more topics Malware detection analysis of (obfuscated) binaries. Access control formal models and enforcement. Attack trees. Web security secure web programming with JavaScript et al. Privacy differential privacy (theory vs. practice), software in coherence with legislation (EU GDPR).

Formal methods for software security Formal methods can improve the security of software. Come with solid foundations and mature tools. More and more industrial applications. Technology is becoming main-stream.

Formal methods for software security Formal methods can improve the security of software. Come with solid foundations and mature tools. More and more industrial applications. Technology is becoming main-stream. Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback