A Multiset Rewriting Model for Specifying and Verifying Timing Aspects of Security Protocols

Catherine Meadows has played an important role in the advancement of formal methods for protocol security verification. Her insights on the use of, for example, narrowing and rewriting logic has made possible the automated discovery of new attacks and the shaping of new protocols. Meadows has also investigated other security aspects, such as, distance-bounding protocols and denial of service attacks. We have been greatly inspired by her work. This paper describes the use of Multiset Rewriting for the specification and verification of timing aspects of protocols, such as network delays, timeouts, timed intruder models and distance-bounding properties. We detail these timed features with a number of examples and describe decidable fragments of related verification problems

On formalising and analysing the tweetchain protocol

Distributed Ledger Technology is demonstrating its capability to provide flexible frameworks for information assurance capable of resisting to byzantine failures and multiple target attacks. The availability of development frameworks allows the definition of many applications using such a technology. On the contrary, the verification of such applications are far from being easy since testing is not enough to guarantee the absence of security problems. The paper describes an experience in the modelling and security analysis of one of these applications by means of formal methods: in particular, we consider the Tweetchain protocol as a case study and we use the Tamarin Prover tool, which supports the modelling of a protocol as a multiset rewriting system and its analysis with respect to temporal first-order properties. With the aim of making the modeling and verification process reproducible and independent of the specific protocol, we present a general structure of the Tamarin Prover model and of the properties to verified. Finally, we discuss the strengths and limitations of the Tamarin Prover approach considering three aspects: modelling, analysis and the verification process. Copyrigh

FORMAL SECURITY ANALYSIS: SECRECY, AUTHENTICATION AND ATTESTATION

Ph.DDOCTOR OF PHILOSOPH

Integration of analysis techniques in security and fault-tolerance

This thesis focuses on the study of integration of formal methodologies in security protocol analysis and fault-tolerance analysis. The research is developed in two different directions: interdisciplinary and intra-disciplinary. In the former, we look for a beneficial interaction between strategies of analysis in security protocols and fault-tolerance; in the latter, we search for connections among different approaches of analysis within the security area. In the following we summarize the main results of the research

Workshop on Modelling of Objects, Components, and Agents, Aarhus, Denmark, August 27-28, 2001

This booklet contains the proceedings of the workshop Modelling of Objects, Components, and Agents (MOCA'01), August 27-28, 2001. The workshop is organised by the CPN group at the Department of Computer Science, University of Aarhus, Denmark and the "Theoretical Foundations of Computer Science" Group at the University of Hamburg, Germany. The papers are also available in electronic form via the web pages: http://www.daimi.au.dk/CPnets/workshop01

SoK: Computer-Aided Cryptography

Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency,and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography—how it can help and what the caveats are—in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy,scope, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography community’s involvement in the TLS 1.3 standardization effort.Finally, we conclude with recommendations to paper authors,tool developers, and standardization bodies moving forward

A formal specification and verification framework for timed security protocols

Nowadays, protocols often use time to provide better security. For instance, critical credentials are often associated with expiry dates in system designs. However, using time correctly in protocol design is challenging, due to the lack of time related formal specification and verification techniques. Thus, we propose a comprehensive analysis framework to formally specify as well as automatically verify timed security protocols. A parameterized method is introduced in our framework to handle timing parameters whose values cannot be decided in the protocol design stage. In this work, we first propose timed applied π-calculus as a formal language for specifying timed security protocols. It supports modeling of continuous time as well as application of cryptographic functions. Then, we define its formal semantics based on timed logic rules, which facilitates efficient verification against various authentication and secrecy properties. Given a parameterized security protocol, our method either produces a constraint on the timing parameters which guarantees the security property satisfied by the protocol, or reports an attack that works for any parameter value. The correctness of our verification algorithm has been formally proved. We evaluate our framework with multiple timed and untimed security protocols and successfully find a previously unknown timing attack in Kerberos V

Modelling and verification of security requirements and stealthiness in security protocols

Traditionally, formal methods are used to verify security guarantees of a system by proving that the system meets its desired specifications. These guarantees are achieved by verifying the system's security properties, in a formal setting, against its formal specifications. This includes, for example, proving the security properties of confidentiality and authentication, in an adversarial setting, by constructing a complete formal model of the protocol. Any counterexample to this proof implies an attack on the security property. All such proofs are usually based on an ordered set of actions, generated by the protocol execution, called a trace. Both the proofs and their counterexamples can be investigated further by analysing the behaviour of these protocol traces. The attack trace might either follow the standard behaviour as per protocol semantics or show deviation from it. In the latter case, however, it should be easy for an analyst to spot any attack based on its comparison from standard traces. This thesis makes two key contributions: a novel methodology for verifying the security requirements of security protocols by only modelling the attacks against a protocol specification, and, secondly, a formal definition of ‘stealthiness’ in a protocol trace which is used to classify attacks on security protocols as either ‘stealthy’ or ‘non-stealthy’. Our first novel proposal tests security properties and then verifies the security requirements of a protocol by modelling only a subset of interactions that constitute the attacks. Using this both time and effort saving methodology, without modelling the complete protocol specifications, we demonstrate the efficacy of our technique using real attacks on one of the world's most used protocols-WPA2. We show that the process of modelling the complete protocol specifications, for verifying security properties, can be simplified by modelling only a subset of protocol specifications needed to model a given attack. We establish the merit of our novel simplified approach by identifying the inadequacy of security properties apart from augmenting and verifying the new security properties, by modelling only the attacks versus the current practice of modelling the complete protocol which is a time and effort intensive process. We find that the current security requirements for WPA2, as stated in its specification, are insufficient to ensure security. We then propose a set of security properties to be augmented to the specification to stop these attacks. Further, our method also allows us to verify if the proposed additional security requirements, if enforced correctly, would be enough to stop attacks. Second, we seek to verify the ‘stealthiness’ of protocol attacks by introducing a novel formal definition of a ‘stealthy’ trace. ‘Stealthy’ actions by a participating entity or an adversary in a protocol interaction are about camouflaging fraudulent actions as genuine ones by fine-tuning their actions to make it look like honest ones. In our model, protocols are annotated to indicate what each party will log about each communication. Given a particular logging strategy, our framework determines whether it is possible to find an attack that produces log entries indistinguishable from normal runs of the protocol, or if any attack can be detected from the log entries alone. We present an intuitive definition of when an attack is ‘stealthy’, which cannot be automatically checked directly, with regard to some logging strategy. Next, we introduce session IDs to identify unique sessions. We show that our initial intuitive definition is equivalent to a second definition using these session IDs, which can also be tested automatically in TAMARIN. We analyse various attacks on known vulnerable protocols to see, for a range of logging strategies, which can be made into stealth attacks, and which cannot. This approach compares the stealthiness of various known attacks against a range of logging strategies

Transparent code authentication at the processor level

The authors present a lightweight authentication mechanism that verifies the authenticity of code and thereby addresses the virus and malicious code problems at the hardware level eliminating the need for trusted extensions in the operating system. The technique proposed tightly integrates the authentication mechanism into the processor core. The authentication latency is hidden behind the memory access latency, thereby allowing seamless on-the-fly authentication of instructions. In addition, the proposed authentication method supports seamless encryption of code (and static data). Consequently, while providing the software users with assurance for authenticity of programs executing on their hardware, the proposed technique also protects the software manufacturers’ intellectual property through encryption. The performance analysis shows that, under mild assumptions, the presented technique introduces negligible overhead for even moderate cache sizes