15 research outputs found
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
Statically detecting message confusions in a multi-protocol setting
In a multi-protocol setting, different protocols are concurrently
executed, and each principal can participate in more than one.
The possibilities of attacks therefore increase, often due to the presence
of similar patterns in messages. Messages coming from one protocol can
be confused with similar messages coming from another protocol. As a
consequence, data of one type may be interpreted as data of another,
and it is also possible that the type is the expected one, but the message
is addressed to another protocol. In this paper, we shall present
an extension of the LySa calculus [7, 4] that decorates encryption with
tags including the protocol identifier, the protocol step identifier and
the intended types of the encrypted terms. The additional information
allows us to find the messages that can be confused and therefore to
have hints to reconstruct the attack. We extend accordingly the standard
static Control Flow Analysis for LySa, which over-approximates
all the possible behaviour of the studied protocols, included the possible
message confusions that may occur at run-time. Our analysis has been
implemented and successfully applied to small sets of protocols. In particular,
we discovered an undocumented family of attacks, that may arise
when Bauer-Berson-Feiertag and the Woo-Lam authentication protocols
are running in parallel. The implementation complexity of the analysis
is low polynomial