User-friendly Formal Methods for Security-aware Applications and Protocols

Formal support in the design and implementation of security-aware applications increases the assurance in the final artifact. Formal methods techniques work by setting a model that unambiguously defines attacker capabilities, protocol parties behavior, and expected security properties. Rigorous reasoning can be done on the model about the interaction of the external attacker with the protocol parties, assessing whether the security properties hold or not. Unfortunately, formal verification requires a high level of expertise to be used properly and, in complex systems, the model analysis requires an amount of resources (memory and time) that are not available with current technologies. The aim of this thesis is to propose new interfaces and methodologies that facilitate the usage of formal verification techniques applied to security-aware protocols and distributed applications. In particular, this thesis presents: (i) Spi2JavaGUI, a framework for the model-driven development of security protocols, that combines (for the first time in literature) an intuitive user interface, automated formal verification and code generation; (ii) a new methodology that enables the model-driven development and the automated formal analysis of distributed applications, which requires less resources and formal verification knowledge to complete the verification process, when compared to previous approaches; (iii) the formal verification of handover procedures defined by the Long Term Evolution (LTE) standard for mobile communication networks, including the results and all the translation rules from specification documents to formal models, that facilitates the application of formal verification to other parts of the standard in the future

Visual Model-Driven Design, Verification and Implementation of Security Protocols

A novel visual model-driven approach to security protocol design, verification, and implementation is presented in this paper. User-friendly graphical models are combined with rigorous formal methods to enable protocol verification and sound automatic code generation. Domain-specific abstractions keep the graphical models simple, yet powerful enough to represent complex, realistic protocols such as SSH. The main contribution is to bring together aspects that were only partially available or not available at all in previous proposal

Formally sound implementations of security protocols with JavaSPI

Designing and coding security protocols is an error prone task. Several flaws are found in protocol implementations and specifications every year. Formal methods can alleviate this problem by backing implementations with rigorous proofs about their behavior. However, formally-based development typically requires domain specific knowledge available only to few experts and the development of abstract formal models that are far from real implementations. This paper presents a Java-based protocol design and implementation framework, where the user can write a security protocol symbolic model in Java, using a well defined subset of the language that corresponds to applied π-calculus. This Java model can be symbolically executed in the Java debugger, formally verified with ProVerif, and further refined to an interoperable Java implementation of the protocol. Soundness theorems are provided to prove that, under some reasonable assumptions, a simulation relation relates the Java refined implementation to the symbolic model verified by ProVerif, so that, for the usual security properties, a property verified by ProVerif on the symbolic model is preserved in the Java refined implementation. The applicability of the framework is evaluated by developing an extensive case study on the popular SSL protocol

Vehicle Navigation Service Based on Real-Time Traffic Information

GNSS-assisted vehicle navigation services are nowadays very common in most of the developed countries. However, most of those services are either delivered through proprietary technologies, or fall short in flexibility because of the limited capability to couple road information with real-time traffic information. This paper presents the motivations and a brief summary of a vehicle navigation service based on real-time traffic information, delivered through an open protocol that is currently under standardization in the Open Mobile Alliance forum

Automated Formal Verification of Application-specific Security Properties

In the past, formal verification of security properties of distributed applications has been mostly targeted to security protocols and generic security properties, like confidentiality and authenticity. At ESSOS 2010, Moebius et. al. presented an approach for developing Java applications with formally verified application-specific security properties. That method, however, is based on an interactive theorem prover, which is not automatic and requires considerable expertise. This paper shows that a similar result can be achieved in a fully automated way, using a different model-driven approach and state-of-the-art automated verification tools. The proposed method splits the verification problem into two independent sub-problems using compositional verification techniques and exploits one tool for analyzing the security protocol under active attackers and another tool for verifying the application logic. The same case study that was verified in the previous work is used here in order to show how the new approach works

Formal Verification of LTE-UMTS Handover Procedures

Long Term Evolution (LTE) is the most recent standard in mobile communications, introduced by 3rd Generation Partnership Project (3GPP). Most of the formal security analysis works in literature about LTE analyze authentication procedures, while interoperability is far less considered. This paper presents a formal security analysis of the interoperability procedures between LTE and the older Universal Mobile Telecommunications System (UMTS) networks, when mobile devices seamlessly switch between the two technologies. The Proverif tool has been used to conduct the verification. The analysis shows that security properties (secrecy of keys, including backward/forward secrecy, immunity from off-line guessing attacks and network components authentication) hold almost as expected, if all the protections allowed by the LTE standard are adopted. If backhauling traffic is not protected with IPSec, which is a common scenario since the use of IPSec is not mandatory, some security properties still hold while others are compromised. Consequently, user's traffic and network's nodes are exposed to attacks in this scenario

Formal verification of LTE-UMTS and LTE-LTE handover procedures

Abstract Long Term Evolution (LTE) is the most recent standard in mobile communications, introduced by 3rd Generation Partnership Project (3GPP). Most of the works in literature about LTE security analyze authentication procedures, while handover procedures are far less considered. This paper focuses on the procedures that are activated when a mobile device moves between different LTE cells and between LTE and the older Universal Mobile Telecommunications System (UMTS) networks and completes previous results with a deeper formal analysis of these procedures. The analysis shows that security properties (secrecy of keys, including backward/forward secrecy, immunity from off-line guessing attacks, and network components authentication) hold almost as expected in nominal conditions, i.e. when all backhaul links are secured and all backhaul nodes are trusted. The paper also analyses how these security properties are affected by possible anomalous situations, such as a compromised backhaul node or a misconfiguration by which a backhaul link becomes not protected and can be accessed by an attacker. The analysis shows that some security properties hold even in these adverse cases while other properties are compromised