
Extracting and Verifying Cryptographic Models from C Protocol Code



  1. Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution

     Mihhail Aizatulin¹, supervised by Andrew Gordon²,³, Jan Jürjens⁴, Bashar Nuseibeh¹

     ¹ The Open University, ² Microsoft Research Cambridge, ³ University of Edinburgh, ⁴ Dortmund University

     November 2011

     M. Aizatulin, Extracting and Verifying Cryptographic Models from C Code

  2. The Goal

     Problem: we often verify formal models of cryptographic protocols, but what we rely on are their implementations. We bridge the gap by extracting high-level (pi calculus) models straight from C code.

     We support the following scenarios:
     - Given a legacy implementation of a protocol, learn what the implementation really does and prove security.
     - When implementing a new protocol, make sure that you did so without mistakes.

     We check trace properties such as authentication and weak secrecy, aiming to be automated and sound. We assume correctness of cryptographic primitives.

  3. Background

     Types of properties and languages.

     | Properties | Low-Level (C, Java) | High-Level (F#) | Formal (π, LySa) |
     |---|---|---|---|
     | low-level (NULL dereference, division by zero) | VCC, Frama-C, ESC/Java, SLAM | N/A | N/A |
     | high-level (secrecy, authentication) | CSur, JavaSec, ASPIER, csec-modex | F7/F*, fs2pv/fs2cv | ProVerif, CryptoVerif, AVISPA, LySatool |

  4. Results

     - Three implementations (1300 LOC) verified in the symbolic model.
     - One of them also verified in the computational model by application of a computational soundness result.
     - Found 3 flaws in a Microsoft Research implementation of a smart metering protocol (1000 LOC) (all fixed now).

     Metering flaw:

         unsigned char session_key[256 / 8];
         ...
         encrypted_reading = ((unsigned int) *session_key) ^ *reading;

     Extracted model:

         let msg3 = (hash2{0, 1} castTo "unsigned int") ⊕ reading1 in ...

  5. Demo

     Abstract protocol:

     $$A \xrightarrow{\; m,\ \mathrm{hmac}(m,\, k_{AB}) \;} B.$$

     Concrete protocol:

     $$A \xrightarrow{\; \mathrm{len}(m) \,|\, 1 \,|\, m \,|\, \mathrm{hmac}(\mathrm{len}(m) \,|\, 2 \,|\, m,\ k_{AB}) \;} B.$$

  6. Overview: What

     C source with event annotations + Models of crypto and environment + Property specification → csec-modex → Pi model + verification result

     Major limitation: So far the symbolic execution only follows a single path in the program.

  7. Overview: How

     C source → CIL → Simple instruction language (CVM) → Symbolic Execution → Intermediate model language (IML) → Message format abstraction → Applied pi → ProVerif → Verification Result

  8. Correctness (1)

     Definition (Security of protocols). Given a protocol $P$, attacker $E$, trace property $\rho$, and resource bound $t \in \mathbb{N}$, let $\mathrm{insec}(P, E, \rho, t)$ be the success probability of $E$ against $P$ with respect to $\rho$, given resources $t$.

  9. Correctness (2)

     Theorem (Soundness of Model Extraction). For any environment process $P_E[\cdot, \cdot]$, attacker $E$, property $\rho$, and resource bound $t$,

     $$\begin{aligned}
     \mathrm{insec}(P_E[\mathtt{client.c}, \mathtt{server.c}], E, \rho, t)
       &\le \mathrm{insec}(P_E[\mathtt{client.iml}, \mathtt{server.iml}], E, \rho, p_1(t)) \\
       &\le \mathrm{insec}(P_E[\mathtt{client.pv}, \mathtt{server.pv}], E, \rho, p_2(t))
     \end{aligned}$$

     with some fixed polynomials $p_1$ and $p_2$.

  10. Symbolic Execution: Basic Idea

      Symbolic execution is a tool to simplify programs and extract their meaning.

      Concrete: x = 2, y = 3

          int f(int x, int y) { return ++x * y++; }

      Result: 9

      Symbolic: x = a, y = b

          int f(int x, int y) { return ++x * y++; }

      Result: (a + 1) b

  11. Symbolic Execution with Symbolic Lengths (1)

      Introducing new values:

          void *key; size_t key_len;
          key = malloc(MAX_KEY_LEN);
          keygen(key, &key_len);

      stack key ↦ ptr(heap₁, 0)
      heap₁ ↦ k, for some fresh k
      stack key_len ↦ len(k)

      Generate "(νk);" in the IML model. The way of modelling keys is specified in keygen_proxy().

  12. Symbolic Execution with Symbolic Lengths (2)

      Pointer arithmetic:

      stack len ↦ len(x)

          void *msg = malloc(msg_len);
          void *p = msg + sizeof(len) + len;

      stack msg ↦ ptr(heap₂, 0)
      stack p ↦ ptr(heap₂, 4 + len(x))

  13. Symbolic Execution with Symbolic Lengths (3)

      Writing through pointers:

      stack p ↦ ptr(heap₂, 4 + len(x))
      heap₂ ↦ len(x) | x | y
      Fact: len(y) = len(k)

          xor(p, key, key_len);

      heap₂ ↦ len(x) | x | y ⊕ k

  14. Symbolic Execution with Symbolic Lengths (4)

      Output:

      stack msg ↦ ptr(heap₂, 0)
      heap₂ ↦ len(x) | x | y ⊕ k
      stack msg_len ↦ 4 + len(x) + len(y)

          write(msg, msg_len);

      Generate IML "out(len(x) | x | y ⊕ k);".

  15. Symbolic Execution with Symbolic Lengths (5)

      Extracting a substring:

          void *buf = malloc(MAX_LEN);
          size_t len = read(buf, MAX_LEN);
          size_t field_len = *((size_t *) buf);

      stack field_len ↦ x{0, 4}

      Where x is a fresh variable and we generate IML "in(x);".

  16. Symbolic Execution with Symbolic Lengths (6)

      Extracting a substring:

      stack field_len ↦ x{0, 4}

          void *field = malloc(field_len);
          memcpy(field, buf + sizeof(field_len), field_len);

      stack field ↦ ptr(heap₃, 0)
      heap₃ ↦ x{4, x{0, 4}}

  17. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;

  18. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));

      State:
      stack len ↦ r₁
      len(r₁) = 4

      IML:
      in(r₁);

  19. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));
          if ((len < MAC_LEN) || (len > MAX_LEN)) exit();

      State:
      stack len ↦ r₁
      len(r₁) = 4

      IML:
      in(r₁);
      if ¬((r₁ < 20) ∨ (r₁ > 1000)) then

  20. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));
          if ((len < MAC_LEN) || (len > MAX_LEN)) exit();
          char *buf = malloc(len + MAC_LEN);

      State:
      stack len ↦ r₁
      len(r₁) = 4
      stack buf ↦ ptr(heap₁, 0)

      IML:
      in(r₁);
      if ¬((r₁ < 20) ∨ (r₁ > 1000)) then

  21. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));
          if ((len < MAC_LEN) || (len > MAX_LEN)) exit();
          char *buf = malloc(len + MAC_LEN);
          read(buf, len);

      State:
      stack len ↦ r₁
      len(r₁) = 4
      stack buf ↦ ptr(heap₁, 0)
      len(r₂) = r₁
      heap₁ ↦ r₂

      IML:
      in(r₁);
      if ¬((r₁ < 20) ∨ (r₁ > 1000)) then
      in(r₂);

  22. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));
          if ((len < MAC_LEN) || (len > MAX_LEN)) exit();
          char *buf = malloc(len + MAC_LEN);
          read(buf, len);
          hmac(buf, buf + len, len);

      State:
      stack len ↦ r₁
      len(r₁) = 4
      stack buf ↦ ptr(heap₁, 0)
      len(r₂) = r₁
      heap₁ ↦ r₂ | hmac(r₂)
      len(hmac(r₂)) = 20

      IML:
      in(r₁);
      if ¬((r₁ < 20) ∨ (r₁ > 1000)) then
      in(r₂);

  23. Symbolic Execution: Example

          #define MAC_LEN 20
          #define MAX_LEN 1000
          int len;
          read(&len, sizeof(len));
          if ((len < MAC_LEN) || (len > MAX_LEN)) exit();
          char *buf = malloc(len + MAC_LEN);
          read(buf, len);
          hmac(buf, buf + len, len);
          if (memcmp(buf, buf + len, MAC_LEN) == 0)

      State:
      stack len ↦ r₁
      len(r₁) = 4
      stack buf ↦ ptr(heap₁, 0)
      len(r₂) = r₁
      heap₁ ↦ r₂ | hmac(r₂)
      len(hmac(r₂)) = 20

      IML:
      in(r₁);
      if ¬((r₁ < 20) ∨ (r₁ > 1000)) then
      in(r₂);
      if r₂{0, 20} = hmac(r₂) then
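The metering flaw on slide 4, as an added example that is not from the original slides or from the analysed implementation: `*session_key` reads a single byte, which is what `hash2{0, 1}` in the extracted model records. The function names, the constructed key and reading, and the full-width variant are assumptions; the slides do not show how the flaw was fixed.

```c
#include <stdio.h>
#include <string.h>

#define KEY_BYTES (256 / 8)

/* Slide 4 expression: session_key is an unsigned char array, so
 * *session_key is its first byte; the cast widens that single byte. */
unsigned int encrypt_flawed(const unsigned char *session_key,
                            const unsigned int *reading)
{
    return ((unsigned int) *session_key) ^ *reading;
}

/* Assumed variant (not from the slides): copy sizeof(unsigned int) key
 * bytes into the mask, so every bit of the reading is masked. */
unsigned int encrypt_full_width(const unsigned char *session_key,
                                const unsigned int *reading)
{
    unsigned int mask;
    memcpy(&mask, session_key, sizeof mask);
    return mask ^ *reading;
}

/* Bits of the reading that pass through unchanged: ciphertext XOR
 * plaintext recovers the mask, and its zero bits hid nothing. */
unsigned int unmasked_bits(unsigned int ciphertext, unsigned int reading)
{
    return ~(ciphertext ^ reading);
}

int main(void)
{
    unsigned char key[KEY_BYTES];
    unsigned int reading = 0x00012345u;     /* constructed meter reading */

    memset(key, 0xFF, sizeof key);          /* constructed key bytes */
    unsigned int c1 = encrypt_flawed(key, &reading);
    unsigned int c2 = encrypt_full_width(key, &reading);
    printf("flawed:     %08x, unmasked bits %08x\n", c1, unmasked_bits(c1, reading));
    printf("full width: %08x, unmasked bits %08x\n", c2, unmasked_bits(c2, reading));
    return 0;
}
```

With a 32-bit `unsigned int`, the flawed form leaves the upper 24 bits of every reading in the clear regardless of the key.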
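A bounds-checked parser for the concrete message of slide 5, using the length-prefixed field extraction of slides 15 and 16, as an added example that is not from the original slides. Assumptions: a 4-byte length in host byte order, a 1-byte tag, and `MAC_LEN`/`MAX_LEN` as on slide 17; `parse_msg` and `struct parsed_msg` are hypothetical names, and verifying the MAC is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20    /* slide 17 */
#define MAX_LEN 1000  /* slide 17 */
#define TAG_MSG 1     /* the "1" of slide 5; its 1-byte width is an assumption */
#define HDR_LEN (sizeof(uint32_t) + 1)

struct parsed_msg {
    const unsigned char *m;    /* payload bytes */
    uint32_t m_len;
    const unsigned char *mac;  /* MAC_LEN bytes, still to be verified */
};

/* Split buf[0..n) as len(m) | 1 | m | mac. Returns 0, or -1 if malformed. */
int parse_msg(const unsigned char *buf, size_t n, struct parsed_msg *out)
{
    uint32_t m_len;

    if (n < HDR_LEN + MAC_LEN) return -1;        /* header and MAC must fit */
    memcpy(&m_len, buf, sizeof m_len);           /* x{0, 4}, no unaligned cast */
    if (m_len > MAX_LEN) return -1;
    if (buf[sizeof m_len] != TAG_MSG) return -1;
    /* n >= HDR_LEN + MAC_LEN here, so the subtraction cannot wrap. */
    if (n - HDR_LEN - MAC_LEN != m_len) return -1;

    out->m = buf + HDR_LEN;
    out->m_len = m_len;
    out->mac = out->m + m_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: len = 5, tag 1, "hello", 20-byte placeholder MAC. */
    unsigned char buf[HDR_LEN + 5 + MAC_LEN] = {0};
    uint32_t m_len = 5;
    struct parsed_msg p;

    memcpy(buf, &m_len, sizeof m_len);
    buf[sizeof m_len] = TAG_MSG;
    memcpy(buf + HDR_LEN, "hello", 5);
    printf("full: %d, truncated: %d\n",
           parse_msg(buf, sizeof buf, &p), parse_msg(buf, sizeof buf - 1, &p));
    return 0;
}
```

The length check ties the attacker-supplied length field to the number of bytes actually received before any pointer is derived from it.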
