2,633 research outputs found
Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
Intel Software Guard Extension (SGX) offers software applications enclave to
protect their confidentiality and integrity from malicious operating systems.
The SSL/TLS protocol, which is the de facto standard for protecting
transport-layer network communications, has been broadly deployed for a secure
communication channel. However, in this paper, we show that the marriage
between SGX and SSL may not be smooth sailing.
Particularly, we consider a category of side-channel attacks against SSL/TLS
implementations in secure enclaves, which we call the control-flow inference
attacks. In these attacks, the malicious operating system kernel may perform a
powerful man-in-the-kernel attack to collect execution traces of the enclave
programs at page, cacheline, or branch level, while positioning itself in the
middle of the two communicating parties. At the center of our work is a
differential analysis framework, dubbed Stacco, to dynamically analyze the
SSL/TLS implementations and detect vulnerabilities that can be exploited as
decryption oracles. Surprisingly, we found exploitable vulnerabilities in the
latest versions of all the SSL/TLS libraries we have examined.
To validate the detected vulnerabilities, we developed a man-in-the-kernel
adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL
library running in the SGX enclave (with the help of Graphene) and completely
broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only
57286 queries. We also conducted CBC padding oracle attacks against the latest
GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS
(i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it
only needs 48388 and 25717 queries, respectively, to break one block of AES
ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can
be completed within 1 or 2 hours.Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
Automated Cryptographic Analysis of the Pedersen Commitment Scheme
Aiming for strong security assurance, recently there has been an increasing
interest in formal verification of cryptographic constructions. This paper
presents a mechanised formal verification of the popular Pedersen commitment
protocol, proving its security properties of correctness, perfect hiding, and
computational binding. To formally verify the protocol, we extended the theory
of EasyCrypt, a framework which allows for reasoning in the computational
model, to support the discrete logarithm and an abstraction of commitment
protocols. Commitments are building blocks of many cryptographic constructions,
for example, verifiable secret sharing, zero-knowledge proofs, and e-voting.
Our work paves the way for the verification of those more complex
constructions.Comment: 12 pages, conference MMM-ACNS 201
On Global Types and Multi-Party Session
Global types are formal specifications that describe communication protocols
in terms of their global interactions. We present a new, streamlined language
of global types equipped with a trace-based semantics and whose features and
restrictions are semantically justified. The multi-party sessions obtained
projecting our global types enjoy a liveness property in addition to the
traditional progress and are shown to be sound and complete with respect to the
set of traces of the originating global type. Our notion of completeness is
less demanding than the classical ones, allowing a multi-party session to leave
out redundant traces from an underspecified global type. In addition to the
technical content, we discuss some limitations of our language of global types
and provide an extensive comparison with related specification languages
adopted in different communities
Experimental demonstration of an isotope-sensitive warhead verification technique using nuclear resonance fluorescence
Future nuclear arms reduction efforts will require technologies to verify
that warheads slated for dismantlement are authentic without revealing any
sensitive weapons design information to international inspectors. Despite
several decades of research, no technology has met these requirements
simultaneously. Recent work by Kemp et al. [Kemp RS, Danagoulian A, Macdonald
RR, Vavrek JR (2016) Proc Natl Acad Sci USA 113:8618--8623] has produced a
novel physical cryptographic verification protocol that approaches this treaty
verification problem by exploiting the isotope-specific nature of nuclear
resonance fluorescence (NRF) measurements to verify the authenticity of a
warhead. To protect sensitive information, the NRF signal from the warhead is
convolved with that of an encryption foil that contains key warhead isotopes in
amounts unknown to the inspector. The convolved spectrum from a candidate
warhead is statistically compared against that from an authenticated template
warhead to determine whether the candidate itself is authentic. Here we report
on recent proof-of-concept warhead verification experiments conducted at the
Massachusetts Institute of Technology. Using high-purity germanium (HPGe)
detectors, we measured NRF spectra from the interrogation of proxy 'genuine'
and 'hoax' objects by a 2.52 MeV endpoint bremsstrahlung beam. The observed
differences in NRF intensities near 2.2 MeV indicate that the physical
cryptographic protocol can distinguish between proxy genuine and hoax objects
with high confidence in realistic measurement times.Comment: 38 pages, 19 figures; revised for peer review and copy editing;
addition to SI for realistic scenario projections; minor length reduction for
journal requirement
Towards a Constrained-based Verification of Parameterized Cryptographic Protocols
International audienceAlthough many works have been dedicated to standard protocols like Needham-Schroeder very few address the more challenging class of group protocol s. We present a synchronous model for group protocols, that generalizes standard protocol models by permitting unbounded lists inside messages. In this extended model we propose a correct and complete set of inference rules for checking security properties in presence of an active intruder for the class of well-tagged protocols. Our inference system generalizes the ones that are implemented in several tools for a bounded number of sessions and fixed size lists in message. In particular when applied to protocols whose specification does not contain unbounded lists our inference system provides a decision procedure for secrecy in the case of a fixed number of sessions
Non-collaborative Attackers and How and Where to Defend Flawed Security Protocols (Extended Version)
Security protocols are often found to be flawed after their deployment. We
present an approach that aims at the neutralization or mitigation of the
attacks to flawed protocols: it avoids the complete dismissal of the interested
protocol and allows honest agents to continue to use it until a corrected
version is released. Our approach is based on the knowledge of the network
topology, which we model as a graph, and on the consequent possibility of
creating an interference to an ongoing attack of a Dolev-Yao attacker, by means
of non-collaboration actuated by ad-hoc benign attackers that play the role of
network guardians. Such guardians, positioned in strategical points of the
network, have the task of monitoring the messages in transit and discovering at
runtime, through particular types of inference, whether an attack is ongoing,
interrupting the run of the protocol in the positive case. We study not only
how but also where we can attempt to defend flawed security protocols: we
investigate the different network topologies that make security protocol
defense feasible and illustrate our approach by means of concrete examples.Comment: 29 page
- …