24 research outputs found
Automated verification of equivalence properties of cryptographic protocols
The original publication is available at www.springerlink.comInternational audienceIndistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks, and can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for bounded number of sessions. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under- and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those which can be modeled by an optimally reducing convergent rewrite system. Although, we were unable to prove its termination, it has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools
Computing knowledge in security protocols under convergent equational theories
International audienceThe analysis of security protocols requires reasoning about the knowledge an attacker acquires by eavesdropping on network traffic. In formal approaches, the messages exchanged over the network are modeled by a term algebra equipped with an equational theory axiomatizing the properties of the cryptographic primitives (e.g. encryption, signature). In this context, two classical notions of knowledge, deducibility and indistinguishability, yield corresponding decision problems.\par We propose a procedure for both problems under arbitrary convergent equational theories. Since the underlying problems are undecidable we cannot guarantee termination. Nevertheless, our procedure terminates on a wide range of equational theories. In particular, we obtain a new decidability result for a theory we encountered when studying electronic voting protocols. We also provide a prototype implementation
Automated Verification of Equivalence Properties of Cryptographic Protocols
Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance against offline guessing attacks, which can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for a bounded number of sessions of cryptographic protocols. As in the applied pi-calculus, our protocol specification language is parametrized by a first-order sorted term signature and an equational theory which allows formalization of algebraic properties of cryptographic primitives. Our procedure is able to verify trace equivalence for determi-nate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under-and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those that can be modeled by an optimally reducing convergent rewrite system. The procedure is based on a fully abstract modelling of the traces of a bounded number of sessions of the protocols into first-order Horn clauses on which a dedicated resolution procedure is used to decide equivalence properties. We have shown that our procedure terminates for the class of subterm convergent equational theories. Moreover, the procedure has been implemented in a prototype tool A-KiSs (Active Knowledge in Security Protocols) and has been effectively tested on examples. Some of the examples were outside the scope of existing tools, including checking anonymity of an electronic voting protocol
All-Path Reachability Logic
This paper presents a language-independent proof system for reachability
properties of programs written in non-deterministic (e.g., concurrent)
languages, referred to as all-path reachability logic. It derives
partial-correctness properties with all-path semantics (a state satisfying a
given precondition reaches states satisfying a given postcondition on all
terminating execution paths). The proof system takes as axioms any
unconditional operational semantics, and is sound (partially correct) and
(relatively) complete, independent of the object language. The soundness has
also been mechanized in Coq. This approach is implemented in a tool for
semantics-based verification as part of the K framework (http://kframework.org
Compartmented Threshold RSA Based on the Chinese Remainder Theorem
In this paper we combine the compartmented secret
sharing schemes based on the Chinese remainder theorem
with the RSA scheme in order to obtain, as a novelty, a
dedicated solution for compartmented threshold decryption
or compartmented threshold digital signature generation.
AMS Subject Classification: 94A60, 94A62, 11A07
Keywords and phrases: threshold cryptography, secret
sharing, Chinese remainder theore
Reachability Logic
Abstract. This paper introduces *reachability logic*, a language-independent seven-rule proof system for deriving reachability properties of systems. The key ingredients of *reachability logic* are its sentences, which are called reachability rules and generalize the transitions of operational semantics and the Hoare triples of axiomatic semantics, and the *Circularity* proof rule, which generalizes invariant proof rules for iterative and recursive constructs in axiomatic semantics. The target transition system is described as a set of reachability rules, which are taken as axioms in a reachability logic proof. Typical definition styles which can be read as collections of reachability rules include conventional small-step and big-step operational semantics. The reachability logic proof system is shown sound (in the sense of partial correctness) and relatively complete. The soundness result has also been formalized in Coq, allowing to convert reachability logic proofs into proof certificates depending only on the operational semantics and the unavoidable domain reasoning. Reachability logic thus eliminates the need to independently define an axiomatic and an operational semantics for each language, and the non-negligible effort to prove the former sound and complete w.r.t the latter.unpublishednot peer reviewe
Securing Verified IO Programs Against Unverified Code in F*
We introduce SCIO*, a formally secure compilation framework for statically
verified partial programs performing input-output (IO). The source language is
an F* subset in which a verified program interacts with its IO-performing
context via a higher-order interface that includes refinement types as well as
pre- and post-conditions about past IO events. The target language is a smaller
F* subset in which the compiled program is linked with an adversarial context
that has an interface without refinement types, pre-conditions, or concrete
post-conditions. To bridge this interface gap and make compilation and linking
secure we propose a formally verified combination of higher-order contracts and
reference monitoring for recording and controlling IO operations. Compilation
uses contracts to convert the logical assumptions the program makes about the
context into dynamic checks on each context-program boundary crossing. These
boundary checks can depend on information about past IO events stored in the
state of the monitor. But these checks cannot stop the adversarial target
context before it performs dangerous IO operations. Therefore linking in SCIO*
additionally forces the context to perform all IO actions via a secure IO
library, which uses reference monitoring to dynamically enforce an access
control policy before each IO operation. We prove in F* that SCIO* soundly
enforces a global trace property for the compiled verified program linked with
the untrusted context. Moreover, we prove in F* that SCIO* satisfies by
construction Robust Relational Hyperproperty Preservation, a very strong secure
compilation criterion. Finally, we illustrate SCIO* at work on a simple web
server example.Comment: POPL'24 camera-ready versio
Trace-Relating Compiler Correctness and Secure Compilation
Compiler correctness is, in its simplest form, defined as the inclusion of
the set of traces of the compiled program into the set of traces of the
original program, which is equivalent to the preservation of all trace
properties. Here traces collect, for instance, the externally observable events
of each execution. This definition requires, however, the set of traces of the
source and target languages to be exactly the same, which is not the case when
the languages are far apart or when observations are fine-grained. To overcome
this issue, we study a generalized compiler correctness definition, which uses
source and target traces drawn from potentially different sets and connected by
an arbitrary relation. We set out to understand what guarantees this
generalized compiler correctness definition gives us when instantiated with a
non-trivial relation on traces. When this trace relation is not equality, it is
no longer possible to preserve the trace properties of the source program
unchanged. Instead, we provide a generic characterization of the target trace
property ensured by correctly compiling a program that satisfies a given source
property, and dually, of the source trace property one is required to show in
order to obtain a certain target property for the compiled code. We show that
this view on compiler correctness can naturally account for undefined behavior,
resource exhaustion, different source and target values, side-channels, and
various abstraction mismatches. Finally, we show that the same generalization
also applies to many secure compilation definitions, which characterize the
protection of a compiled program against linked adversarial code.Comment: ESOP'20 camera ready version together with online appendi
A CFD process chain for simulating open windtunnel test sections
This paper discusses a CFD procedure for simulating open wind tunnel test sections based on the investigations of the DLR project ForMEx II. Within this project numerical simulations and the analysis of the wind tunnel (w/t) experiments are performed in order to study the potential of CFD to support and improve the w/t corrections. In this paper, the aerodynamic low speed w/t DNW-NWB and the aeroacoustic w/t AWB are investigated. First, computations for the empty test sections are conducted, for the evaluation of the CFD potential to simulate the open jet flow in each of the w/ts, and second, the open jet flow with the DLR F16 2D high-lift model installed, for the aeroacoustic AWB w/t. The overall good agreement of the numerical results compared to the experiments indicate a reliable capability to simulate and further support the development and adjustment of the tunnel corrections for open test sections