151 research outputs found
Analysis of Key Wrapping APIs:Generic Policies, Computational Security
International audienceWe present an analysis of key wrapping APIs with generic policies. We prove that certain minimal conditions on policies are sufficient for keys to be indistinguishable from random in any execution of an API. Our result captures a large class of API policies, including both the hierarchies on keys that are common in the scientific literature and the non-linear dependencies on keys used in PKCS#11. Indeed, we use our result to propose a secure refinement of PKCS#11, assuming that the attributes of keys are transmitted as authenticated associated data when wrapping and that there is an enforced separation between keys used for wrapping and keys used for other cryptographic purposes. We use the Computationally Complete Symbolic Attacker developed by Bana and Comon. This model enables us to obtain computational guarantees using a simple proof with a high degree of modularity
Smart Contract Synthesis Modulo Hyperproperties
Smart contracts are small but highly security-critical programs that
implement wallets, token systems, auctions, crowd funding systems, elections,
and other multi-party transactions on the blockchain. A broad range of methods
has been developed to ensure that a smart contract is functionally correct.
However, smart contracts often additionally need to satisfy certain
hyperproperties, such as symmetry, determinism, or an information flow policy.
In this paper, we show how a synthesis method for smart contracts can ensure
that the contract satisfies its desired hyperproperties. We build on top of a
recently developed synthesis approach from specifications in the temporal logic
TSL. We present HyperTSL, an extension of TSL for the specification of
hyperproperties of infinite-state software. As a preprocessing step, we show
how to detect if a hyperproperty has an equivalent formulation as a (simpler)
trace property. Finally, we describe how to refine a synthesized contract to
adhere to its HyperTSL specification.Comment: published at 36th IEEE Computer Security Foundations Symposium (CSF
2023
A Provably Secure PKCS#11 Configuration Without Authenticated Attributes
Cryptographic APIs like PKCS#11 are interfaces to trusted hardware where keys are stored; the secret keys should never leave the trusted hardware in plaintext. In PKCS#11 it is possible to give keys conflicting roles, leading to a number of key-recovery attacks. To prevent these attacks, one can authenticate the attributes of keys when wrapping, but this is not standard in PKCS#11. Alternatively, one can configure PKCS#11 to place additional restrictions on the commands permitted by the API.
Bortolozzo et al. proposed a configuration of PKCS#11, called the Secure Templates Patch (STP), supporting symmetric encryption and key wrapping. However, the security guarantees for STP given by Bortolozzo et al. are with respect to a weak attacker model. STP has been implemented as a set of filtering rules in Caml Crush, a software filter for PKCS#11 that rejects certain API calls. The filtering rules in Caml Crush extend STP by allowing users to compute and verify MACs and so the previous analysis of STP does not apply to this configuration.
We give a rigorous analysis of STP, including the extension used in Caml Crush. Our contribution is as follows:
(i) We show that the extension of STP used in Caml Crush is insecure.
(ii) We propose a strong, computational security model for configurations of PKCS#11 where the adversary can adaptively corrupt keys and prove that STP is secure in this model.
(iii) We prove the security of an extension of STP that adds support for public-key encryption and digital signatures
A machine-checked proof of security for AWS key management service
We present a machine-checked proof of security for the domain management protocol of Amazon Web Services' KMS (Key Management Service) a critical security service used throughout AWS and by AWS customers. Domain management is at the core of AWS KMS; it governs the top-level keys that anchor the security of encryption services at AWS. We show that the protocol securely implements an ideal distributed encryption mechanism under standard cryptographic assumptions. The proof is machine-checked in the EasyCrypt proof assistant and is the largest EasyCrypt development to date.Manuel Barbosa was supported by grant SFRH/BSAB/143018/2018 awarded by the Portuguese Foundation for Science and Technology (FCT). Vitor Pereira was supported by grant FCT-PD/BD/113967/201 awarded by FCT. This work was partially funded by national funds via FCT in the context of project PTDC/CCI-INF/31698/2017
Correctness Criteria for Function-Based Reclassifiers: A Language Based Approach
An emerging problem in systems security is controlling how a program uses the
data it has access to. Information Flow Control (ifc) propagates restrictions
on data by following the flow of information, for example if a secret value
flows to a public value, that value should be considered secret as well. A
common problem in ifc is reclassification of data, for instance to explicitly
make data less restricted. An ifc mechanism often has strict flow rules in
its normal operation, but reclassification by definition need to bypass these
restrictions.
This thesis proposes correctness criteria that aim to provide stronger semantic
guarantees for the behavior of reclassification functions. We first conduct a
survey on prior work in IFC, which concludes that little emphasis has been put
on crystallizing such criteria. We then define a set of criteria for reclassification
and implement a parser to enforce these criteria. If a piece of code is successfully
analyzed by the parser, then that code can be safely used to reclassify data. Rust
is emerging as one of the more prominent languages for systems programming
due to its memory safety, and we conjecture this can be analogously continued
to target ifc as well
Ain't No Stopping Us Monitoring Now
Not all properties are monitorable. This is a well-known fact, and it means
there exist properties that cannot be fully verified at runtime. However, given
a non-monitorable property, a monitor can still be synthesised, but it could
end up in a state where no verdict will ever be concluded on the satisfaction
(resp., violation) of the property. For this reason, non-monitorable properties
are usually discarded. In this paper, we carry out an in-depth analysis on
monitorability, and how non-monitorable properties can still be partially
verified. We present our theoretical results at a semantic level, without
focusing on a specific formalism. Then, we show how our theory can be applied
to achieve partial runtime verification of Linear Temporal Logic (LTL)
- …