194 research outputs found
Automating Security Analysis: Symbolic Equivalence of Constraint Systems
We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy). Infinite sets of possible traces are symbolically represented using deducibility constraints. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence
Trace Equivalence Decision: Negative Tests and Non-determinism
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability.
In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions)
YAPA: A generic tool for computing intruder knowledge
Reasoning about the knowledge of an attacker is a necessary step in many
formal analyses of security protocols. In the framework of the applied pi
calculus, as in similar languages based on equational logics, knowledge is
typically expressed by two relations: deducibility and static equivalence.
Several decision procedures have been proposed for these relations under a
variety of equational theories. However, each theory has its particular
algorithm, and none has been implemented so far. We provide a generic procedure
for deducibility and static equivalence that takes as input any convergent
rewrite system. We show that our algorithm covers most of the existing decision
procedures for convergent theories. We also provide an efficient
implementation, and compare it briefly with the tools ProVerif and KiSs
Intruder deducibility constraints with negation. Decidability and application to secured service compositions
The problem of finding a mediator to compose secured services has been
reduced in our former work to the problem of solving deducibility constraints
similar to those employed for cryptographic protocol analysis. We extend in
this paper the mediator synthesis procedure by a construction for expressing
that some data is not accessible to the mediator. Then we give a decision
procedure for verifying that a mediator satisfying this non-disclosure policy
can be effectively synthesized. This procedure has been implemented in CL-AtSe,
our protocol analysis tool. The procedure extends constraint solving for
cryptographic protocol analysis in a significative way as it is able to handle
negative deducibility constraints without restriction. In particular it applies
to all subterm convergent theories and therefore covers several interesting
theories in formal security analysis including encryption, hashing, signature
and pairing.Comment: (2012
CoCon: A conference management system with formally verified document confidentiality
We present a case study in formally verified security for realistic systems: the information flow security verification of the functional kernel of a web application, the CoCon conference management system. We use the Isabelle theorem prover to specify and verify fine-grained confidentiality properties, as well as complementary safety and âtracebackâ properties. The challenges posed by this development in terms of expressiveness have led to bounded-deducibility security, a novel security model and verification method generally applicable to systems describable as input/output automata
CoSMed: a confidentiality-verified social media platform
This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The systemâs kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD security has to give way to a dynamic integration of the triggers as part of the bound
CoSMed: a confidentiality-verified social media platform
This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The systemâs kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD security has to give way to a dynamic integration of the triggers as part of the bound
Composition and Declassification in Possibilistic Information Flow Security
Formal methods for security can rule out whole classes of security vulnerabilities, but applying them in practice remains challenging. This thesis develops formal verification techniques for information flow security that combine the expressivity and scalability strengths of existing frameworks. It builds upon Bounded Deducibility (BD) Security, which allows specifying and verifying fine-grained policies about what information may flow when to whom. Our main technical result is a compositionality theorem for BD Security, providing scalability by allowing us to verify security properties of a large system by verifying smaller components. Its practical utility is illustrated by a case study of verifying confidentiality properties of a distributed social media platform. Moreover, we discuss its use for the modular development of secure workflow systems, and for the security-preserving enforcement of safety and security properties other than information flow control
CoCon: A conference management system with formally verified document confidentiality
We present a case study in formally verified security for realistic systems: the information flow security verification of the functional kernel of a web application, the CoCon conference management system. We use the Isabelle theorem prover to specify and verify fine-grained confidentiality properties, as well as complementary safety and âtracebackâ properties. The challenges posed by this development in terms of expressiveness have led to bounded-deducibility security, a novel security model and verification method generally applicable to systems describable as input/output automata
Relating two standard notions of secrecy
Two styles of definitions are usually considered to express that a security
protocol preserves the confidentiality of a data s. Reachability-based secrecy
means that s should never be disclosed while equivalence-based secrecy states
that two executions of a protocol with distinct instances for s should be
indistinguishable to an attacker. Although the second formulation ensures a
higher level of security and is closer to cryptographic notions of secrecy,
decidability results and automatic tools have mainly focused on the first
definition so far.
This paper initiates a systematic investigation of the situations where
syntactic secrecy entails strong secrecy. We show that in the passive case,
reachability-based secrecy actually implies equivalence-based secrecy for
digital signatures, symmetric and asymmetric encryption provided that the
primitives are probabilistic. For active adversaries, we provide sufficient
(and rather tight) conditions on the protocol for this implication to hold.Comment: 29 pages, published in LMC
- âŠ