33 research outputs found

    Performance Evaluations of Cryptographic Protocols Verification Tools Dealing with Algebraic Properties

    There exist several automatic verification tools for cryptographic protocols, but only a few of them are able to check protocols in the presence of algebraic properties. Most of these tools deal with either Exclusive-Or (XOR) or exponentiation properties, so-called Diffie-Hellman (DH). In the last few years, the number of these tools has increased and some existing tools have been updated. Our aim is to compare their performance by analysing a selection of cryptographic protocols using XOR and DH. We compare execution time and memory consumption for different versions of the following tools: OFMC, CL-Atse, Scyther, Tamarin, TA4SP, and extensions of ProVerif (XOR-ProVerif and DH-ProVerif). Our evaluation shows that in most cases the new versions of the tools are faster but consume more memory. We also show how the new tools, Tamarin, Scyther and TA4SP, can be compared to previous ones. We also discover and explain, for the protocol IKEv2-DS, a difference in modelling by the authors of different tools, which leads to different security results. Finally, for Exclusive-Or and Diffie-Hellman properties, we construct two families of protocols $P^{xor}_i$ and $P^{dh}_i$ that allow us to clearly see for the first time the impact of the number of operators and variables on the tools' performance.

    Private Multi-party Matrix Multiplication and Trust Computations

    This paper deals with distributed matrix multiplication. Each player owns only one row of both matrices and wishes to learn about one distinct row of the product matrix, without revealing its input to the other players. We first improve on a weighted average protocol, in order to securely compute a dot-product with a quadratic volume of communications and linear number of rounds. We also propose a protocol with five communication rounds, using a Paillier-like underlying homomorphic public key cryptosystem, which is secure in the semi-honest model or secure with high probability in the malicious adversary model. Using ProVerif, a cryptographic protocol verification tool, we are able to check the security of the protocol and provide a countermeasure for each attack found by the tool. We also give a randomization method to avoid collusion attacks. As an application, we show that this protocol enables a distributed and secure evaluation of trust relationships in a network, for a large class of trust evaluation schemes.

    Comment: Pierangela Samarati. SECRYPT 2016: 13th International Conference on Security and Cryptography, Lisbon, Portugal, 26-28 July 2016. 201

    Filtering and Verification of Business Flows in Industrial Systems

    More and more cyberattacks against industrial systems are reported by the media. These systems tend to become geographically distributed and to communicate over vulnerable networks such as the Internet. Since they now govern domains such as energy production and distribution, water treatment, and nuclear power, the security of industrial systems is becoming a priority for governments. One of the difficulties in securing industrial infrastructures is reconciling security properties with business-level expectations regarding flows. To this end, we look at how to filter messages while taking business aspects into account. Next, we study the formal verification of properties of industrial communication protocols. Finally, we propose a Model-Based Testing approach for generating cyberattacks against industrial systems.

    Systematic Generation of Attack Scenarios against Industrial Systems

    Industrial systems (SCADA) have been the target of cyberattacks since Stuxnet [4] in 2010. Because of their interaction with the physical world, their protection has become a priority for government agencies. In this article, we propose an approach for modelling attackers in an industrial system, including the automatic production of attack scenarios. This approach focuses on the attacker's capabilities and objectives according to the communication protocols they face. The description of the approach is illustrated with an example.

    Formal Analysis of Security Properties on the OPC-UA SCADA Protocol

    Industrial systems have publicly been the target of cyberattacks since Stuxnet [1]. Nowadays they are increasingly communicating over insecure media such as the Internet. Due to their interaction with the real world, it is crucial to prove the security of their protocols. In this paper, we formally study the security of one of the most used industrial protocols: OPC-UA. Using ProVerif, a well-known cryptographic protocol verification tool, we are able to check secrecy and authentication properties. We find several attacks on the protocols and provide countermeasures.

    Lazart: A Symbolic Approach for Evaluation the Robustness of Secured Codes against Control Flow Injections

    In the domain of smart cards, secured devices must be protected against high level attack potential [1]. According to norms such as the Common Criteria [2], the vulnerability analysis must cover the current state-of-the-art in terms of attacks. Nowadays, a very classical type of attack is fault injection, conducted by means of laser-based techniques. We propose a global approach, called Lazart, to evaluate code robustness against fault injections targeting control flow modifications. The originality of Lazart is twofold. First, we encompass the evaluation process as a whole: starting from a fault model, we produce (or establish the absence of) attacks, taking into consideration software countermeasures. Furthermore, according to the near state-of-the-art, our methodology takes into account multiple transient fault injections and their combinations. The proposed approach is supported by an effective tool suite based on the LLVM format [3] and the KLEE symbolic test generator [4].

    Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

    Physical fault injections break security functionalities of algorithms by targeting their implementations. Software techniques strengthen such implementations to enhance their robustness against fault attacks. Exhaustively testing physical fault injections is time consuming and requires complex platforms. Simulation solutions are developed for this specific purpose. We chose two independent tools presented in 2014, the Laser Attack Robustness (Lazart) and the Embedded Fault Simulator (EFS), in order to evaluate software implementations against multiple fault injection attacks. Lazart and the EFS share the common goal of detecting vulnerabilities in the code. However, they operate with different techniques, fault models and abstraction levels. This paper aims at exhibiting specific advantages of both approaches and proposes a combining scheme that emphasizes their complementary nature.

    Security Architecture for Point-to-Point Splitting Protocols

    The security of industrial supervisory control and data acquisition systems (SCADA) has become a major concern since the Stuxnet worm in 2010. As these systems are connected to the physical world, this makes them possibly hazardous if a malicious attacker is able to take over their control. SCADA can live up to 40 years, are particularly hard to patch, and quite often have no security feature at all. Thus, rather than securing them, network segregation is often used to prevent attackers from entering the industrial system. In this paper, we propose a generic solution: embed a point-to-point splitting protocol within a physical device, thus able to physically isolate networks, perform deep packet inspection and also provide encryption if necessary. We obtain a kind of next generation firewall, encompassing at least both diode and firewall features, for which conformity to security policies can be ensured. Then we define a set of associated security properties for such devices and the requirements for such a device's security architecture and filtering rules. Finally, we propose a secure hardware implementation.

    Security of Industrial Systems: Application-Level Filtering and Search for Attack Scenarios

    Industrial systems, also called SCADA (for Supervisory Control And Data Acquisition), have been targeted by cyberattacks since Stuxnet in 2010. Due to the criticality of their interaction with the real world, these systems can be really harmful for humans and the environment. As industrial systems have historically been physically isolated from the rest of the world, they focused on the protection against outages and human mistakes (also called safety). Cybersecurity differs from safety in that an adversary is willing to harm the system and will learn from his mistakes. One of the difficulties in terms of cybersecurity of industrial systems is to make security properties coexist with domain-specific constraints. We tackle this question along three main axes. First, we propose a filter dedicated to industrial communications, which makes it possible to enforce applicative properties. Then, we focus on formal verification of cryptographic protocols applied to industrial protocols such as MODBUS or OPC-UA. Using well-known tools from the domain, we model the protocols in order to check if they provide security properties including confidentiality, authentication and integrity. Finally, we propose an approach named ASPICS (for Applicative Attack Scenarios Production for Industrial Control Systems) to study if safety properties (similar to those verified by our filter) can actually be jeopardized by attackers depending on their position and capacity. We implement this approach in the UPPAAL model-checker and study its results on a proof-of-concept example.

    Industrial systems, often called SCADA (for supervisory control and data acquisition system), have been the target of cyberattacks since Stuxnet in 2010. Due to the criticality of their interactions with the real world, they can pose a threat to the environment and to humans. As these systems were in the past physically isolated from the rest of the world, they have mostly been protected against failures and errors (what is called safety). Cybersecurity differs from safety in that an attacker will actively seek to defeat the system and will grow more powerful over time. One of the challenges in securing industrial systems is making security properties coexist with the system's business constraints. We address this question along three research axes. First, we propose a filter dedicated to the communications of industrial systems, which makes it possible to express properties at the application level. Next, we focus on the verification of cryptographic protocols applied to industrial protocols such as MODBUS or OPC-UA. Using classical tools from the domain, we model the protocols in order to check whether they guarantee confidentiality, authentication and integrity properties. Finally, we propose an approach, named ASPICS (for Applicative Attack Scenarios Production for Industrial Control Systems), for checking whether safety properties (similar to those verified by the filter) can be violated by attackers depending on their position and capability. We implement this analysis in the UPPAAL model-checker and apply it to an example.