Assumptions, trust, and names in computer security protocols

A major goal of using any security protocol is to create certain beliefs in the participants. A security protocol will use techniques like cryptography to guarantee some things, but it will still require a participant to make assumptions about other things that the protocol cannot guarantee; such assumptions often constitute trust in other participants. In this thesis, we attempt to precisely identify the required assumptions of some example protocols. In the process, we find that we must consider the names that participants use to reason about each other. It turns out that naming is a complex topic with a rich body of philosophical work, and we apply some ideas from this work to the problem of identifying security protocols' required assumptions. Finally, we begin work on a mathematical model of protocols and beliefs to which a formal logic of belief could be applied. The model is left incomplete because of some unresolved problems with modeling belief caused by the design requirement that the model's elements have clear operational meanings. The solution of these problems is left as future work.http://archive.org/details/assumptionstrust109455657Approved for public release; distribution is unlimited

Segurança em virtualização VMware: Infraestruturas e agregados de máquinas virtuais

Segurança em Infraestruturas e Agregados de Máquinas Virtuais A Proteção de ambientes virtuais Virtualização é uma tecnologia que utiliza um ambiente lógico para superar as limitações físicas do hardware. Devido ás suas características de encapsulamento e isolamento a virtualização é a base para o paradigma da computação em nuvem 1. Os diversos tipos das tecnologias de virtualização, implicações de segurança e sistemas de ficheiros em infraestruturas VMware serão apresentadas ao longo da obra. A virtualização é uma tecnologia complexa, com muitas facetas e inúmeros tipos de controlos, que podem ser implementados para proteger os ativos virtuais bem como as suas máquinas hospedeiras. ”Virtualization is both an opportunity and a threat” diz Patrick Lin director de produto da VMware [1]. Os sistemas operativos atuais fornecem uma abstração de processos para alcançar uma partilha de recursos e isolamento, no entanto a partir de uma perspetiva de segurança, um intruso que comprometa um processo, pode ganhar controlo total sobre o sistema. Isso faz com que os sistemas de segurança que se encontram em execução no mesmo sistema, tais como programas de antivírus ou sistemas de deteção de intrusão, poderão se encontrar também vulneráveis a ataques. Em resposta ao isolamento imperfeito entre processos, pode-se recorrer á utilização de agregados virtuais com o intuito de garantir a privacidade e a confidencialidade e integridade das informações. Será apresentada uma análise pormenorizada das estratégias de ataque que podem ser usadas contra as infraestruturas de virtualização VMware, bem como o seu nível de eficácia

Security of Contactless Smart Card Protocols

Tato práce analyzuje hrozby pro protokoly využívající bezkontaktní čipové karty a představuje metodu pro poloautomatické hledání zranitelností v takových protokolech pomocí model checkingu. Návrh a implementace bezpečných aplikací jsou obtížné úkoly, i když je použit bezpečný hardware. Specifikace na vysoké úrovni abstrakce může vést k různým implementacím. Je důležité používat čipovou kartu správně, nevhodná implementace protokolu může přinést zranitelnosti, i když je protokol sám o sobě bezpečný. Cílem této práce je poskytnout metodu, která může být využita vývojáři protokolů k vytvoření modelu libovolné čipové karty, se zaměřením na bezkontaktní čipové karty, k vytvoření modelu protokolu a k použití model checkingu pro nalezení útoků v tomto modelu. Útok může být následně proveden a pokud není úspěšný, model je upraven pro další běh model checkingu. Pro formální verifikaci byla použita platforma AVANTSSAR, modely jsou psány v jazyce ASLan++. Jsou poskytnuty příklady pro demonstraci použitelnosti navrhované metody. Tato metoda byla použita k nalezení slabiny bezkontaktní čipové karty Mifare DESFire. Tato práce se dále zabývá hrozbami, které není možné pokrýt navrhovanou metodou, jako jsou útoky relay. This thesis analyses contactless smart card protocol threats and presents a method of semi-automated vulnerability finding in such protocols using model checking. Designing and implementing secure applications is difficult even when secure hardware is used. High level application specifications may lead to different implementations. It is important to use the smart card correctly, inappropriate protocol implementation may introduce a vulnerability, even if the protocol is secure by itself. The goal of this thesis is to provide a method that can be used by protocol developers to create a model of arbitrary smart card, with focus on contactless smart cards, to create a model of the protocol, and to use model checking to find attacks in this model. The attack can be then executed and if not successful, the model is refined for another model checker run. The AVANTSSAR platform was used for the formal verification, models are written in the ASLan++ language. Examples are provided to demonstrate usability of the proposed method. This method was used to find a weakness of Mifare DESFire contactless smart card. This thesis also deals with threats not possible to cover by the proposed method, such as relay attacks.

A semantics for a logic of authentication (extended abstract

Abstract: Burrows, Abadi, and Needham have proposed a logic for the analysis of authentication protocols. It is a logic of belief, with special constructs for expressing some of the central concepts used in authentication. The logic has revealed many subtleties and serious errors in published protocols. Unfortunately, it has also created some confusion. In this paper, we provide a new semantics for the logic, our attempt to clarify its meaning. In the search for a sound semantics, we have identi ed many sources of the past confusion. Identifying these sources has helped us improve the logic's syntax and inference rules, and extend its applicability. One of the greatest di erences between our semantics and the original semantics is our treatment of belief as a form of resource-bounded, defeasible knowledge.