formal verification of an implementation of crt rsa
play

Formal verification of an implementation of CRT-RSA Vigilants - PowerPoint PPT Presentation

Jul 14, 2023 •308 likes •612 views

Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint work with Boutheina CHETALI, Louis GOUBIN and David VIGILANT PROOFS 2012, September 13 th 2012 Introduction Implementations of cryptosystems can

  1. Formal verification of an implementation of CRT-RSA Vigilant’s algorithm Maria CHRISTOFI Joint work with Boutheina CHETALI, Louis GOUBIN and David VIGILANT PROOFS 2012, September 13 th 2012

  2. Introduction Implementations of cryptosystems can be sensitive to physical attacks, such as fault attacks Improved attack methods ⇒ more attack paths Design more and more complex countermeasures No proof of flaw absence in the implementation This talk : Formal verification of cryptographic implementations • Example : Resistance of CRT-RSA Vigilant’s algorithm against fault attacks Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 2 / 21

  3. 1 Formal verification Our method 2 Case study 3 Conclusion 4 Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 3 / 21

  4. Formal verification of a cryptographic implementation Formal Verification : Use of formal methods (and the associated tools) to verify the correctness of an algorithm against its specification or/and a specific property Two approaches : formalize the specifications and prove properties on the formal model of the specification ⇒ What about the implementation ? “formalize” the source code ⇒ That’s what we talk about in this talk ! Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 4 / 21

  5. Verification techniques How to achieve a formal verification Mathematical proof : completely manual Theorem Proving : mathematical reasoning mechanization • infinite models, partially automatic, human interaction Model checking : systematic and exhaustive exploration of the mathematical model • combinatoric exploration, finite model, completely automatic Static analysis : Software analysis with symbolic execution of the program • partially automatic Some of the existing tools for source code analysis VeriFast : C and java program verifier. Programs first annotated with pre and post conditions (theorem proving) Frama-C : Platform dedicated to source code analysis of C programs (theorem proving & static analysis) CertiCrypt / EasyCrypt : Verification using games sequence Tools oriented protocols : ProVerif, CryptoVerif , etc Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 5 / 21

  6. Global view Aim : Given an implementation of a cryptographic algorithm with countermeasures, define an attack model (here based on fault model) and formally verify that this implementation is resistant to this attack model. .c file : implementation + fault model transformed C file + properties to be proved C file transformed with annotations verification with frama-c/ jessie proof obligations automatic interactive provers provers final result Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 6 / 21

  7. Global view fault model Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 6 / 21

  8. Fault model Classifying faults number of faults authorized per code execution faults on instructions VS faults on data fault types Precise Bit Single Bit Byte Random Arbitrary Fault Model Fault Model Fault Model Fault Model Fault Model control on complete loose loose loose loose/no location (chosen bit) (chosen variable) control on precise no no no no timing number of 1 1 8 random random affected bits fault type bit set or reset bit flip random random unknown persistence permanent permanent permanent permanent permanent and transient and transient and transient and transient and transient Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 7 / 21

  9. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { 2 : 3 : 4 : 5 : int x = 0 ; 6 : 7 : 8 : 9 : a = a + 1 ; 10 : 11 : 12 : 13 : 14 : x = a + b ; 15 : 16 : 17 : 18 : 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  10. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { 2 : switch(f) { 3 : case 1 : a = 0 ; break ; 4 : } 5 : int x = 0 ; 6 : switch (f) { 7 : case 2 : a = 0 ; break ; 8 : } 9 : a = a + 1 ; 10 : 11 : switch(f) { 12 : case 3 : a = 0 ; break ; 13 : } 14 : x = a + b ; 15 : 16 : switch(f) { 17 : case 4 : a = 0 ; break ; 18 : } 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  11. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { /* NextType(a,1) = read/write */ 2 : switch(f) { 3 : case 1 : a = 0 ; break ; 4 : } 5 : int x = 0 ; 6 : switch (f) { 7 : case 2 : a = 0 ; break ; 8 : } 9 : a = a + 1 ; /* Type(a,9) = read/write */ 10 : /* NextType(a,9) = read */ 11 : switch(f) { 12 : case 3 : a = 0 ; break ; 13 : } 14 : x = a + b ; /* Type(a,14) = read */ 15 : /* NextType(a,14) = ∅ */ 16 : switch(f) { 17 : case 4 : a = 0 ; break ; 18 : } 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  12. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { /* NextType(a,1) = read/write */ 2 : switch(f) { 3 : case 1 : a = 0 ; break ; 4 : } 5 : int x = 0 ; 6 : switch (f) { 7 : case 2 : a = 0 ; break ; 8 : } 9 : a = a + 1 ; /* Type(a,9) = read/write */ 10 : /* NextType(a,9) = read */ 11 : switch(f) { 12 : case 3 : a = 0 ; break ; 13 : } 14 : x = a + b ; /* Type(a,14) = read */ 15 : /* NextType(a,14) = ∅ */ 16 : switch(f) { 17 : case 4 : a = 0 ; break ; 18 : } 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  13. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { /* NextType(a,1) = read/write */ 2 : 3 : 4 : 5 : int x = 0 ; 6 : switch (f) { 7 : case 1 : a = 0 ; break ; 8 : } 9 : a = a + 1 ; /* Type(a,9) = read/write */ 10 : /* NextType(a,9) = read */ 11 : switch(f) { 12 : case 2 : a = 0 ; break ; 13 : } 14 : x = a + b ; /* Type(a,14) = read */ 15 : /* NextType(a,14) = ∅ */ 16 : switch(f) { 17 : case 3 : a = 0 ; break ; 18 : } 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  14. Inject fault model If NextType ( var , i ) ∈ { write , ∅} an attack on var injected on line i is useless and equivalent to the initial code. If NextType ( var , i ) ∈ { read , read / write } and j the line that presents the next use of var , an attack on var injected on the interval [ i , j ] has exactly the same effects on var with an attack injected on line j , but it has no effect between lines i and j − 1. Example : we are interested in variable a 1 : int example(int a, int b) { /* NextType(a,1) = read/write */ 2 : 3 : 4 : 5 : int x = 0 ; 6 : switch (f) { 7 : case 1 : a = 0 ; break ; 8 : } 9 : a = a + 1 ; /* Type(a,9) = read/write */ 10 : /* NextType(a,9) = read */ 11 : switch(f) { 12 : case 2 : a = 0 ; break ; 13 : } 14 : x = a + b ; /* Type(a,14) = read */ 15 : /* NextType(a,14) = ∅ */ 16 : 17 : 18 : 19 : return x ; 20 : } Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 8 / 21

  15. .c file : implementation + fault model � transformed C file + properties to be proved C file transformed with annotations verification with frama-c/ jessie proof obligations automatic interactive provers provers final result Formal verification of an implementation of CRT-RSA Vigilant’s algorithm 9 / 21

Recommend

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov University of Amsterdam Faculty of Physics, Mathematics and Informatics MSc System and Network Engineering Research Project 2 July 3, 2017 1 /

476 views • 33 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML

Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML

Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML Vincent Rahli, David Guaspari, Mark Bickford and Robert L. Constable http://www.nuprl.org October 7, 2015 Vincent Rahli EventML October 7, 2015

540 views • 24 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

ARTIST2 - ARTIST2 - MOTIVES MOTIVES Trento - - Italy, February 19 Italy, February 19- -23, 2007 23, 2007 Trento Session: Testing and Runtime Verification Formal Verification and Testing for Formal Verification and Testing for Reactive

881 views • 31 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

819 views • 49 slides
Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015 Outline Motivation for Formal Verification Overview of MCMAS Overview of PRISM Formal verification It is a systematic way to check

461 views • 34 slides
Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Mathematical foundations Formal logic: Syntax: a formal language (formula expressing facts) Semantics: to define the meaning

740 views • 54 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Mathematical foundations Formal logic: Syntax: a formal language (formula expressing facts) Semantics: to define the

811 views • 68 slides
Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July

Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July

Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July 2008 0 Formal verification Formal verification: mathematically prove the correctness of a design with respect to a mathematical formal specification

570 views • 53 slides
Formal Formal Specif Specification ication and Verific and Verification ation of Solid of

Formal Formal Specif Specification ication and Verific and Verification ation of Solid of

Presented at FMBC 2020 Formal Formal Specif Specification ication and Verific and Verification ation of Solid of Solidity ity Contracts Contracts with E with Events vents kos Hajdu 1 , Dejan Jovanovi 2 , Gabriela Ciocarlie 2 1

298 views • 14 slides
Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms 1 Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64 overview Quick introduction to HOL Light Floating point numbers and IA-64 formats HOL

451 views • 19 slides
Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1 Outline Formal verification techniques Design verification languages Bell-LaPadula and SPECIAL Current verification systems

911 views • 63 slides

More recommend