computational verification of c protocol implementations
play

Computational Verification of C Protocol Implementations by Symbolic - PowerPoint PPT Presentation

Jul 26, 2023 •131 likes •426 views

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1 Andrew Gordon 23 urjens 4 Jan J 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University October 2012

  1. Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1 Andrew Gordon 23 urjens 4 Jan J¨ 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University October 2012 M. Aizatulin Computational Verification of C Protocols

  2. The Goal What we ultimately care about is the security of deployed systems. Therefore C programs are our objects of study. Things to verify: OpenSSL, IPSec, TPM, PKCS11 reference implementations, ... Method: extract a model using symbolic execution, then translate it to CryptoVerif. We check trace properties such as authentication and weak secrecy, aiming to be automated and sound. Assume correctness of cryptographic primitives. Main limitation so far: model extracted from a single program path. M. Aizatulin Computational Verification of C Protocols

  3. Example Flaw In a Microsoft Research implementation of a smart metering protocol (1000 LOC): s e s s i o n k e y [256 / 8 ] ; unsigned char . . . e n c r y p t e d r e a d i n g = ( ( unsigned i n t ) ∗ s e s s i o n k e y ) ˆ ∗ r e a d i n g ; let msg3 = (hash2 { 0, 1 } castTo ”unsigned int”) ⊕ reading1 in ... let msg3 = parse1(hash2) ⊕ reading1 in ... M. Aizatulin Computational Verification of C Protocols

  4. Background Types of properties and languages. Low-Level High-Level Formal (C, Java) (F#) ( π , LySa) • VCC low-level (NULL • Frama-C dereference, N/A N/A • ESC/Java division by zero) • SLAM • CSur • ProVerif high-level • F7/F ∗ • ASPIER • CryptoVerif (secrecy, • VCC-sec • fs2pv/fs2cv • EasyCrypt authentication) • csec-modex • AVISPA M. Aizatulin Computational Verification of C Protocols

  5. Results C LOC CV LOC Time Primitives Simple MAC ∼ 250 107 4s UF-CMA MAC Simple XOR ∼ 100 90 4s XOR NSL ∼ 450 241 26s IND-CCA2 PKE RPC ∼ 600 126 5s UF-CMA MAC RPC-enc ∼ 700 200 6s IND-CPA INT-CTXT AE Metering ∼ 1000 266 21s UF-CMA sig, CR/PRF hash Six protocols verified in the computational model (as opposed to just one in the ProVerif approach). Found flaws in an NSL implementation and the implementation of a smart metering protocol. NSL implementation verified before, but computational soundness places unrealistic assumptions! M. Aizatulin Computational Verification of C Protocols

  6. Overview: What Property C source with Models of crypto and specification event annotations environment csec-modex CV model + verification result M. Aizatulin Computational Verification of C Protocols

  7. Overview: How C source CIL C virtual machine (CVM) Symbolic execution [Aizatulin et al. , 2011] Intermediate model language (IML) Formatting Abstraction CryptoVerif Calculus CryptoVerif Verification Result M. Aizatulin Computational Verification of C Protocols

  8. One-time Pad: Symbolic Execution unsigned char ∗ payload = malloc (PAYLOAD LEN ) ; RAND bytes ( payload , PAYLOAD LEN ) ; ulong msg len = PAYLOAD LEN + 1 ; ∗ msg = malloc ( msg len ) ; unsigned char ∗ msg = 0x01 ; // add tag memcpy(msg + 1 , payload , PAYLOAD LEN ) ; // add payload unsigned char ∗ pad = otp ( msg len ) ; // one − time pad xor (msg , pad , msg len ) ; send (msg , msg len ) ; new nonce1: fixed 20; out (XOR(01 | nonce1, pad)) M. Aizatulin Computational Verification of C Protocols

  9. One-time Pad: CV Model type fixed 20 [fixed, large]. type fixed 21 [fixed, large]. expand Xor(fixed 21, XOR). query secret nonce1. fun conc1(fixed 20): fixed 21 [compos]. let A = in (c in, ()); new nonce1: fixed 20; out (c out, XOR(conc1(nonce1), pad)); 0 . process ! N ( in (c in, ()); ( ∗ one − time pad ∗ ) new pad: fixed 21; out (c out, ()); A) M. Aizatulin Computational Verification of C Protocols

  10. RPC-enc A : event client begin ( A , B , request ) A → B : A, { request , k S } k AB B : event server reply ( A , B , request , response ) B → A : { response } k S A : event client accept ( A , B , request , response ) M. Aizatulin Computational Verification of C Protocols

  11. RPC-enc: IML let A = ... let B = in (c, msg1); if ’p’ = msg1 { 0, 1 } then if len(msg1) ≥ 5 + msg1 { 1, 4 } then if msg1 { 1, 4 } ≤ 100 then if len(msg1) − (5 + msg1 { 1, 4 } ) ≤ 200 then let client1 = msg1 { 5, msg1 { 1, 4 }} in let cipher1 = msg1 { 5 + msg1 { 1, 4 } , len(msg1) − (5 + msg1 { 1, 4 } ) } in if client1 = xClient then let msg2 = injbot − 1 (D(cipher1, lookup(client1, serverID, db))) in if ’p’ = msg2 { 0, 1 } then if len(msg2) ≥ 5 + msg2 { 1, 4 } then if msg2 { 1, 4 } = 100 then let var2 = msg2 { 5, msg2 { 1, 4 }} in event server reply(client1, serverID, var2, response); if len(msg2) − (5 + msg2 { 1, 4 } ) = 16 then let kS = msg2 { 5 + msg2 { 1, 4 } , len(msg2) − (5 + msg2 { 1, 4 } ) } in new nonce1: seed; let cipher2 = E(response, kS, nonce1) in out (c, cipher2); 0 . M. Aizatulin Computational Verification of C Protocols

  12. RPC-enc: Introduce Formatting Functions 1 From A : conc 1( x, y ) := ′ p ′ | len ( x ) | x | y conc 2( x, y ) := ′ p ′ | len ( x ) | x | y From B : parse 1( x ) := x { 5 , x { 1 , 4 }} parse 2( x ) := x { 5 + x { 1 , 4 } , len( x ) − (5 + x { 1 , 4 } ) } parse 3( x ) := x { 5 , x { 1 , 4 }} parse 4( x ) := x { 5 + x { 1 , 4 } , len( x ) − (5 + x { 1 , 4 } ) } M. Aizatulin Computational Verification of C Protocols

  13. RPC-enc: Introduce Formatting Functions 2 let A = ... let B = in (c, msg1); if ’p’ = msg1 { 0, 1 } then if len(msg1) ≥ 5 + msg1 { 1, 4 } then if msg1 { 1, 4 } ≤ 100 then if len(msg1) − (5 + msg1 { 1, 4 } ) ≤ 200 then let client1 = msg1 { 5, msg1 { 1, 4 }} in let cipher1 = msg1 { 5 + msg1 { 1, 4 } , len(msg1) − (5 + msg1 { 1, 4 } ) } in if client1 = xClient then let msg2 = injbot − 1 (D(cipher1, lookup(client1, serverID, db))) in if ’p’ = msg2 { 0, 1 } then if len(msg2) ≥ 5 + msg2 { 1, 4 } then if msg2 { 1, 4 } = 100 then let var2 = msg2 { 5, msg2 { 1, 4 }} in event server reply(client1, serverID, var2, response); if len(msg2) − (5 + msg2 { 1, 4 } ) = 16 then let kS = msg2 { 5 + msg2 { 1, 4 } , len(msg2) − (5 + msg2 { 1, 4 } ) } in new nonce1: seed; let cipher2 = E(response, kS, nonce1) in out (c, cipher2); 0 . M. Aizatulin Computational Verification of C Protocols

  14. RPC-enc: Introduce Formatting Functions 3 let A = ... let B = in (c, msg1); if ’p’ = msg1 { 0, 1 } then if len(msg1) ≥ 5 + msg1 { 1, 4 } then if msg1 { 1, 4 } ≤ 100 then if len(msg1) − (5 + msg1 { 1, 4 } ) ≤ 200 then let client1 = parse1(msg1) in let cipher1 = parse2(msg1) in if client1 = xClient then let msg2 = injbot − 1 (D(cipher1, lookup(client1, serverID, db))) in if ’p’ = msg2 { 0, 1 } then if len(msg2) ≥ 5 + msg2 { 1, 4 } then if msg2 { 1, 4 } = 100 then if len(msg2) − (5 + msg2 { 1, 4 } ) = 16 then let var2 = parse3(msg2) in event server reply(client1, serverID, var2, response); let kS = parse4(msg2) in new nonce1: seed; let cipher2 = E(response, kS, nonce1) in out (c, cipher2); 0 . M. Aizatulin Computational Verification of C Protocols

  15. RPC-enc: Type Inference From user template: injbot − 1 : bitstringbot → bounded 200 E : bounded 200 × fixed 16 × seed → bounded 200 Therefore parse 4 : bounded 200 → fixed 16 Similarly conc 1 : bounded 100 × bounded 200 → bitstring conc 2 : fixed 100 × fixed 16 → bounded 200 parse 1 : bitstring → bounded 200 parse 2 : bitstring → bounded 200 parse 3 : bounded 200 → fixed 100 M. Aizatulin Computational Verification of C Protocols

  16. RPC-enc: Type Checking 1 Context for parse 4 : Φ parse 4 =(len( msg 2 ) ≤ 200) ∧ ( ′ p ′ = msg 2 { 0 , 1 } ) ∧ (len( msg 2 ) ≥ 5 + msg 2 { 1 , 4 } ) ∧ ( msg 2 { 1 , 4 } ≤ 100) ∧ (len( msg 2 ) − (5 + msg 2 { 1 , 4 } ) = 16) The last clause implies that len( parse 4 ( msg 2 )) = len( msg 2 { 5 + msg 2 { 1 , 4 } , len( msg 2 ) − (5 + msg 2 { 1 , 4 } ) } ) = len( msg 2 ) − (5 + msg 2 { 1 , 4 } ) } = 16 , thus the type of parse 4 is correct. M. Aizatulin Computational Verification of C Protocols

  17. Example: Type Checking 2 let A = ... let B = in (c, msg1); if ’p’ = msg1 { 0, 1 } then if len(msg1) ≥ 5 + msg1 { 1, 4 } then if msg1 { 1, 4 } ≤ 100 then if len(msg1) − (5 + msg1 { 1, 4 } ) ≤ 200 then let client1 = parse1(msg1) in let cipher1 = parse2(msg1) in if client1 = xClient then let msg2 = injbot − 1 (D(cipher1, lookup(client1, serverID, db))) in if ’p’ = msg2 { 0, 1 } then if len(msg2) ≥ 5 + msg2 { 1, 4 } then if msg2 { 1, 4 } = 100 then if len(msg2) − (5 + msg2 { 1, 4 } ) = 16 then let var2 = parse3(msg2) in event server reply(client1, serverID, var2, response); let kS = parse4(msg2) in new nonce1: seed; let cipher2 = E(cast fixed 100 → bounded 200 (response), kS, nonce1) in out (c, cipher2); 0 . M. Aizatulin Computational Verification of C Protocols

  18. RPC-enc: Parsing Safety 1 Φ parse 4 = ⇒ ∃ x : bounded 100 , y : bounded 200 : msg 2 = conc 2 ( x, y ) Additionally, conc 2 is injective and for all x : bounded 100 , y : bounded 200 parse 3 ( conc 2 ( x, y )) = x, parse 4 ( conc 2 ( x, y )) = y. M. Aizatulin Computational Verification of C Protocols

Recommend

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w

Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w

Formal/Computational Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w ith Karthik Bhargavan, Andy Gordon, http://research.microsoft.com/~fournet http://msr-inria.inria.fr/projects/sec

1.28k views • 101 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999>'

744 views • 73 slides
Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth, Sebastian Schildt, Lars Wolf Wolf-Bastian P September 23, 2011: CHANTS Workshop, Las Vegas, NV Motivation Several Bundle Protocol (BP) implementations

874 views • 17 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
BGP A study into the BGP protocol as well as BGP implementations to improve Route Server

BGP A study into the BGP protocol as well as BGP implementations to improve Route Server

BGP A study into the BGP protocol as well as BGP implementations to improve Route Server scalability. Parallelization Jenda Brands Patrick de Niet Insert content in this area 2 The internet is growing B Active BGP entries in FIB From

624 views • 25 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
VerMI & VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI & VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI & VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas COSIC, KULeuven Joint work with Vincent Rijmen (KU Leuven), Felix Wegener, Amir Moradi (RU Bochum) 1 Verification Tools Why do we need

782 views • 50 slides
Enabling MAC Protocol Implementations on Software-defined Radios George Nychis, Thibaud

Enabling MAC Protocol Implementations on Software-defined Radios George Nychis, Thibaud

1 Enabling MAC Protocol Implementations on Software-defined Radios George Nychis, Thibaud Hottelier, Zhuochen Yang, Srinivasan Seshan, and Peter Steenkiste Carnegie Mellon University 2 Wireless Media Access Control Protocols No single

255 views • 24 slides
Generating a Family of Byzantine- Fault-Tolerant Protocol Implementations Using a Meta- Model

Generating a Family of Byzantine- Fault-Tolerant Protocol Implementations Using a Meta- Model

Generating a Family of Byzantine- Fault-Tolerant Protocol Implementations Using a Meta- Model Architecture Graham Kirby, Alan Dearle & Stuart Norcross School of Computer Science, University of St Andrews A Finite State Machine WADS 2007

599 views • 20 slides
Computational Logic Implementations of Herbrands Theorem Damiano Zanardini UPM European

Computational Logic Implementations of Herbrands Theorem Damiano Zanardini UPM European

Computational Logic Implementations of Herbrands Theorem Damiano Zanardini UPM European Master in Computational Logic (EMCL) School of Computer Science Technical University of Madrid damiano@fi.upm.es Academic Year 2008/2009 D. Zanardini (

359 views • 32 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug Emina Michael Arvind Zachary Weitz Woos Torlak D. Ernst Krishnamurthy Tatlock The Border Gateway Protocol The Border Gateway Protocol AS AS

645 views • 29 slides
Analysing Protocol Implementations Anders Moen Hagalisletto, Lars Strand, Wolfgang Leister and

Analysing Protocol Implementations Anders Moen Hagalisletto, Lars Strand, Wolfgang Leister and

Analysing Protocol Implementations Anders Moen Hagalisletto, Lars Strand, Wolfgang Leister and Arne-Kristian Groven The 5th Information Security Practice and Experience Conference (ISPEC 2009) Xi'an, China April 2009 Outline Motivation VoIP

771 views • 20 slides
Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School

Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School

Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School of Computer Science and Communication Royal Institute of Technology 2006-11-02 Karl Palmskog Verification of the Session Management Protocol

648 views • 27 slides
Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John O Leary, Mark R. Tuttle SCL, Intel Corp Parametric Verification using Flows P A True or Cex P(N) Model Check Abstract Last year we

479 views • 32 slides
Verification of the Session Management Protocol Masters Project in Computer Science Karl

Verification of the Session Management Protocol Masters Project in Computer Science Karl

Verification of the Session Management Protocol Masters Project in Computer Science Karl Palmskog Supervisor: Mads Dam Examiner: Johan H astad Commissioned by Yuri Ismailov at Ericsson AB 2006-11-08 Karl Palmskog Verification of the

488 views • 15 slides
Straight Skeleton Implementations Computational Geometry and Applications Lab based on Exact

Straight Skeleton Implementations Computational Geometry and Applications Lab based on Exact

UNIVERSITY OF SALZBURG Straight Skeleton Implementations Computational Geometry and Applications Lab based on Exact Arithmetic Gnther Eder, Martin Held, and Peter Palfrader Online Conference, March 2020 Straight Skeleton UNIVERSITY OF

866 views • 84 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov University of Amsterdam Faculty of Physics, Mathematics and Informatics MSc System and Network Engineering Research Project 2 July 3, 2017 1 /

476 views • 33 slides
Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

t i f a r c A t * C o m * p l * t e n t e A e t * A s i W s E n L e o l C l S C D P * o * c O e s u u m E O e R e n v o t t d e * y s * a a E d l u e a t Protocol-based

543 views • 37 slides
Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James Steve Zach Mike Tom Woos Wilcox Anton Tatlock Ernst Anderson Contributions First formal proof of Rafts safety first verified

1.17k views • 52 slides
Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org

Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org

The GSM core network Erlang in Osmocom Core Network protocol implementations Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org hmw-consulting.de sysmocom GmbH October 13, 2012 - OSDC.fr - Paris /

1.06k views • 35 slides

More recommend