Automated analysis of security protocols with global state
Security APIs, key servers and protocols that need to keep track of the status of
transactions must maintain a global, non-monotonic state, e.g., in the
form of a database or register. However, most existing automated verification
form of a database or register. However, most existing automated verification
tools do not support the analysis of such stateful security protocols -
sometimes because of fundamental reasons, such as the encoding of the protocol
as Horn clauses, which are inherently monotonic. A notable exception is the
recent Tamarin prover, which allows specifying protocols as multiset rewrite
(MSR) rules, a formalism expressive enough to encode state. As multiset
rewriting is a "low-level" specification language with no direct support for
concurrent message passing, encoding protocols correctly is a difficult and
error-prone process. We propose a process calculus which is a variant of the
applied pi calculus with constructs for manipulation of a global state by
processes running in parallel. We show that this language can be translated to
MSR rules whilst preserving all security properties expressible in a dedicated
first-order logic for security properties. The translation has been implemented
in a prototype tool which uses the Tamarin prover as a backend. We apply the
tool to several case studies, among which a simplified fragment of PKCS#11, the
Yubikey security token, and an optimistic contract signing protocol.
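The monotonicity point in this abstract is easiest to see on a tiny stateful API. The following Python toy is added here as an illustration; it is not code from the paper, from SAPIC or from Tamarin. It runs the same three rewrite rules under two semantics: linear facts that are consumed when a rule fires (multiset rewriting, the style Tamarin uses) and a Horn-clause-like saturation in which facts are only ever added. The scenario is constructed: a key handle k1 carries a single attribute, a one-way SetWrap operation switches it from decrypt to wrap, and the classic PKCS#11 wrap-then-decrypt attack needs both attributes on the same handle at once. The fact names, rule names and the one-way policy are this example's own assumptions.

```python
"""Toy rewriting interpreter: linear state vs. monotone (Horn-clause-like) facts.

Added illustration, not SAPIC or Tamarin code. The PKCS#11-style scenario is
constructed: handle k1 has one attribute at a time, SetWrap is a one-way
switch from decrypt to wrap, and the wrap-then-decrypt attack needs both.
Facts whose name starts with "!" are persistent (attacker knowledge, stored
secrets); the others are linear and consumed when a rule fires.
"""
from collections import Counter

# Constructed initial state: one key handle with the decrypt attribute and
# one stored secret the attacker would like to learn.
INIT = [("Attr", "k1", "decrypt"), ("!Secret", "k2")]


def instances(state):
    """Enabled rule instances in `state`, as (consumed facts, produced facts).
    Persistent premises are only read, so they appear in neither list."""
    out = []
    secrets = [f[1] for f in state if f[0] == "!Secret"]
    for f in list(state):
        if f[0] == "Attr" and f[2] == "decrypt":
            # SetWrap: the owner turns the handle into a wrapping key. The old
            # attribute fact is consumed: this is the non-monotonic step.
            out.append(([f], [("Attr", f[1], "wrap")]))
        elif f[0] == "Attr" and f[2] == "wrap":
            # Wrap: export any stored secret under the wrapping key; the
            # ciphertext becomes attacker knowledge.
            for s in secrets:
                out.append(([], [("!Wrap", f[1], s)]))
        elif f[0] == "!Wrap" and ("Attr", f[1], "decrypt") in state:
            # Decrypt: if the same handle still has decrypt, the attacker
            # recovers the wrapped secret.
            out.append(([], [("!Leak", f[2])]))
    return out


def apply(state, consumed, produced, monotonic):
    """One rewrite step. Multiset semantics removes consumed linear facts;
    the monotone semantics never removes anything (Horn-clause saturation)."""
    new = Counter(state)
    if not monotonic:
        for f in consumed:
            new[f] -= 1
        new = +new  # drop facts whose count reached zero
    for f in produced:
        if monotonic or f[0].startswith("!"):
            new[f] = 1  # set semantics for persistent facts
        else:
            new[f] += 1
    return new


def reachable(init, monotonic, limit=10_000):
    """Exhaustive search over reachable states (finite here by construction)."""
    start = frozenset(Counter(init).items())
    seen, frontier = {start}, [start]
    while frontier:
        state = Counter(dict(frontier.pop()))
        for consumed, produced in instances(state):
            key = frozenset(apply(state, consumed, produced, monotonic).items())
            if key not in seen:
                seen.add(key)
                frontier.append(key)
        if len(seen) > limit:
            raise RuntimeError("state space too large for this toy")
    return seen


def leaked_secrets(monotonic):
    """Secrets the attacker learns from INIT under the chosen semantics."""
    return {f[1] for state in reachable(INIT, monotonic)
            for f, _ in state if f[0] == "!Leak"}


if __name__ == "__main__":
    print("multiset rewriting, linear Attr fact:", leaked_secrets(monotonic=False))
    print("monotone facts (Horn-clause style):  ", leaked_secrets(monotonic=True))
```

Under the multiset semantics the SetWrap rule consumes the decrypt attribute, so Decrypt is never enabled once the handle has been made a wrapping key and nothing leaks. Under the monotone semantics the decrypt fact can never be removed, so the search reports the wrap-then-decrypt attack. For a protocol whose security depends on state that is revoked or overwritten this is a false attack, not a real one, which is the fundamental obstacle the abstract describes for Horn-clause-based tools.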
Verifying Accountability for Unbounded Sets of Participants
Little can be achieved in the design of security protocols without trusting
at least some participants. This trust should be justified; or, at the very
least, subject to examination. A way of strengthening trustworthiness is to
hold parties accountable for their actions, as this provides strong incentives
to refrain from malicious behavior. This has led to an increased interest in
accountability in the design of security protocols.
In this work, we combine the accountability definition of Künnemann,
Esiyok, and Backes, with the notion of case tests to extend its applicability
to protocols with unbounded sets of participants. We propose a general
construction of verdict functions and a set of verification conditions which
achieve soundness and completeness.
Expressing the verification conditions in terms of trace properties allows us
to extend Tamarin---a protocol verification tool---with the ability to analyze
and verify accountability properties in a highly automated way. In contrast to
prior work, our approach is significantly more flexible and applicable to a
wide range of protocols.
CryptoBap: A Binary Analysis Platform for Cryptographic Protocols
We introduce CryptoBap, a platform to verify weak secrecy and authentication
for the (ARMv8 and RISC-V) machine code of cryptographic protocols. We achieve
this by first transpiling the binary of protocols into an intermediate
representation and then performing a crypto-aware symbolic execution to
automatically extract a model of the protocol that represents all its execution
paths. Our symbolic execution resolves indirect jumps and supports bounded
loops using the loop-summarization technique, which we fully automate. The
extracted model is then translated into models amenable to automated
verification via ProVerif and CryptoVerif using a third-party toolchain. We
prove the soundness of the proposed approach and use CryptoBap to verify
multiple case studies ranging from toy examples to real-world protocols:
TinySSH, an implementation of SSH, and WireGuard, a modern VPN protocol.
Universal Composability is Secure Compilation
Universal composability is a framework for the specification and analysis of
cryptographic protocols with a strong compositionality guarantee: UC protocols
are secure even when composed with other protocols. Secure compilation tells
whether compiled programs are as secure as their source-level counterparts, no
matter what target-level code they interact with. These two disciplines are
studied in isolation, but we believe there is a deeper connection between them
with benefits from both worlds to reap. This paper outlines the connection
between universal composability and robust compilation, the most recent of the
secure compilation theories. We show how to read the universal composability
theorem in terms of a robust compilation theorem and vice versa. This, in turn,
shows which elements of one theory correspond to which elements of the other.
We believe this is the first step towards understanding how secure
compilation theories can be used in universal composability settings and
vice versa.
Causality & Control flow
Causality has been a subject of philosophical debate since
Hippocrates. It is used in formal verification and testing, e.g.,
to explain counterexamples or construct fault trees. Recent work
defines actual causation in terms of Pearl's causality framework,
but most definitions brought forward so far struggle with examples
where one event preempts another one. A key point to capturing
such examples in the context of programs or distributed systems is
a sound treatment of control flow. We discuss how causal models
should incorporate control flow and discover that much of what
Pearl/Halpern's notion of contingencies tries to capture is
captured better by an explicit modelling of the control flow in
terms of structural equations and an arguably simpler definition.
Inspired by causality notions in the security domain, we bring
forward a definition of causality that takes these
control-variables into account. This definition provides a clear
picture of the interaction between control flow and causality and
captures these notoriously difficult preemption examples without
secondary concepts. We give convincing results on a benchmark of
34 examples from the literature.
Automated Verification of Accountability in Security Protocols
Accountability is a recent paradigm in security protocol design which aims to
eliminate traditional trust assumptions on parties and hold
them accountable for their misbehavior.
It is meant to establish trust in the first place and to
recognize and react if this trust is violated.
In this work, we discuss a protocol-agnostic definition of accountability:
a protocol provides accountability (w.r.t. some security property)
if it can identify all misbehaving parties, where
misbehavior is defined as a deviation from the protocol that causes
a security violation.
We provide a mechanized method for the
verification of accountability and demonstrate its use for
verification and attack finding on various examples from the
accountability and causality literature, including Certificate Transparency and
Kroll’s Accountable Algorithms protocol.
We reach a high degree of automation by expressing accountability in terms of
a set of trace properties and show their soundness and completeness.
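As a concrete reading of the definition in this abstract and of the verdict functions and verification conditions in "Verifying Accountability for Unbounded Sets of Participants" above, the following Python model is an added illustration; it is not the papers' formal definitions or Tamarin output. It fixes one notion of "deviation that causes a security violation": a set of deviating parties is a cause if it alone suffices for the violation and no proper subset does. The protocol, its three parties, the violation model and the evidence model are constructed for the example. The two verification conditions it checks over every deviation pattern are soundness (every set the verdict blames is a cause) and completeness (every cause is blamed).

```python
"""Toy accountability check: verdict functions vs. causes of a violation.

Added illustration, not the papers' definitions. Parties, violation model and
evidence model are constructed for this example.
"""
from itertools import combinations

PARTIES = ("Server", "Auditor", "Client")


def violated(deviating):
    """Constructed violation model: the security property fails if the Server
    deviates, or if Auditor and Client collude; neither alone can break it."""
    deviating = set(deviating)
    return "Server" in deviating or {"Auditor", "Client"} <= deviating


def causes(deviating):
    """Misbehaving sets: minimal subsets of the deviating parties whose
    deviation alone suffices for a violation (one reading of 'deviation that
    causes a security violation')."""
    found = set()
    for size in range(1, len(deviating) + 1):
        for subset in combinations(sorted(deviating), size):
            s = frozenset(subset)
            if violated(s) and not any(c < s for c in found):
                found.add(s)
    return found


def observe(deviating, client_signs):
    """Constructed evidence a judge sees after the run. Server and Auditor
    messages are signed, so their deviations are non-repudiable; a Client
    deviation is only evidenced in the protocol variant where the Client signs."""
    evidence = {"violation"} if violated(deviating) else set()
    for party in deviating:
        if party != "Client" or client_signs:
            evidence.add(party.lower() + "_deviated")
    return frozenset(evidence)


def evidenced_parties(evidence):
    return frozenset(p for p in PARTIES if p.lower() + "_deviated" in evidence)


def verdict_causal(evidence):
    """Verdict function: blame the minimal sufficient sets among evidenced deviators."""
    if "violation" not in evidence:
        return set()
    return causes(evidenced_parties(evidence))


def verdict_blame_all(evidence):
    """Naive verdict: blame every evidenced deviator jointly, causal or not."""
    if "violation" not in evidence:
        return set()
    parties = evidenced_parties(evidence)
    return {parties} if parties else set()


def check(verdict, client_signs):
    """Verification conditions over all 2^n deviation patterns.
    Returns a list of (condition, deviating set, offending sets); an empty list
    means the verdict function provides accountability for this variant."""
    failures = []
    for size in range(len(PARTIES) + 1):
        for pattern in combinations(PARTIES, size):
            deviating = frozenset(pattern)
            actual = causes(deviating)
            blamed = verdict(observe(deviating, client_signs))
            if not blamed <= actual:
                failures.append(("unsound", deviating, blamed - actual))
            if not actual <= blamed:
                failures.append(("incomplete", deviating, actual - blamed))
    return failures


if __name__ == "__main__":
    print("signed client, causal verdict:   ", check(verdict_causal, True))
    print("unsigned client, causal verdict: ", check(verdict_causal, False))
    print("signed client, blame-all verdict:", check(verdict_blame_all, True))
```

With all parties' actions signed, the causal verdict passes both conditions. Dropping the Client's signatures leaves the verdict sound but incomplete: when Auditor and Client collude, only the Auditor's deviation is evidenced and the judge cannot blame the pair. The blame-all verdict fails soundness, since a party that deviated without contributing to the violation (an Auditor deviating alongside a misbehaving Server) gets blamed, which is exactly what the causal reading of misbehavior rules out.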
Accountability in Security Protocols
A promising paradigm in protocol design is to hold parties
accountable for misbehavior, instead of postulating that they are
trustworthy.
Recent approaches in defining this property, called accountability,
characterized malicious behavior as a deviation from the protocol
that causes a violation of the desired security property, but did so
under the assumption that all deviating parties are controlled by
a single, centralized adversary. In this work, we investigate the
setting where multiple parties can deviate with or without
coordination in a variant of the applied-pi calculus.
We first
demonstrate that, under realistic assumptions,
it is impossible to determine all misbehaving parties; however,
we show that accountability can be relaxed to exclude causal
dependencies that arise from the behavior of deviating parties, and
not from the protocol as specified.
We map out the design space for the relaxation,
point out protocol classes separating these notions
and define
conditions under which we can guarantee fairness and completeness.
Most importantly, we discover under which circumstances
it is correct to consider accountability in the single-adversary setting,
where this property can be verified with off-the-shelf protocol verification tools.