methods and tools for design time and runtime formal
play

Methods and tools for design time and runtime formal analysis of - PowerPoint PPT Presentation

Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015


  1. Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015 M.Rocchetto PhD Thesis Verona, May 8, 2015 1

  2. Introduction 1 Design time security verification 2 History Security Protocol interpolation Method (SPiM) Example The SPiM tool Runtime security verification 3 M.Rocchetto PhD Thesis Verona, May 8, 2015 2

  3. Outline Introduction 1 Design time security verification 2 History Security Protocol interpolation Method (SPiM) Example The SPiM tool Runtime security verification 3 M.Rocchetto PhD Thesis Verona, May 8, 2015 3

  4. Introduction - What What Formal techniques for the verification of: security protocols web applications Design time: SPiM , protocol verification using Craig interpolation as a speed-up technique Runtime: Formalization of web applications (major EU bank) searching for CSRF M.Rocchetto PhD Thesis Verona, May 8, 2015 4

  5. Introduction - Why Verification protocol/webapp verification: difficult & error-prone state space explosion (DY) Interpolation good results in sw verification: can we use interpolation with protocols? can we use interpolation with DY? Web applications good results with formal verification of protocols: can we use it with web applications? can we use the DY or a specific web intruder? how can we model a webapp? M.Rocchetto PhD Thesis Verona, May 8, 2015 5

  6. Outline Introduction 1 Design time security verification 2 History Security Protocol interpolation Method (SPiM) Example The SPiM tool Runtime security verification 3 M.Rocchetto PhD Thesis Verona, May 8, 2015 6

  7. Outline Introduction 1 Design time security verification 2 History Security Protocol interpolation Method (SPiM) Example The SPiM tool Runtime security verification 3 M.Rocchetto PhD Thesis Verona, May 8, 2015 7

  8. Interpolation, once upon a time William Craig , “ Three Uses of the Herbrand- Gentzen Theorem in Relating Model Theory and Proof Theory ”, The Journal of Symbolic Logic, 1957 William Craig, UC Berkeley Logic Group picnic 1977. Craig interpolation M.Rocchetto PhD Thesis Verona, May 8, 2015 8

  9. Interpolation, once upon a time William Craig , “ Three Uses of the Herbrand- Gentzen Theorem in Relating Model Theory and Proof Theory ”, The Journal of Symbolic Logic, 1957 William Craig, UC Berkeley Logic Group picnic 1977. Craig interpolation M.Rocchetto PhD Thesis Verona, May 8, 2015 8

  10. Interpolation, once upon a time William Craig , “ Three Uses of the Herbrand- Gentzen Theorem in Relating Model Theory and Proof Theory ”, The Journal of Symbolic Logic, 1957 William Craig, UC Berkeley Logic Group picnic 1977. Craig interpolation In FOL, if α ∧ β is inconsistent, then there exists ˆ ı s.t. α implies ˆ ı ˆ ı implies ¬ β L (ˆ ı) ∈ L ( α ) ∩ L ( β ) M.Rocchetto PhD Thesis Verona, May 8, 2015 8

  11. Interpolation, 53 years later Kenneth L. McMillan , “ Lazy Annotation for Program Testing and Verification ”, Computer Aided Verification, 2010 Kenneth McMillan, somewhere in Japan IntraLA - for sequential programs M.Rocchetto PhD Thesis Verona, May 8, 2015 9

  12. Interpolation, 53 years later Kenneth L. McMillan , “ Lazy Annotation for Program Testing and Verification ”, Computer Aided Verification, 2010 Kenneth McMillan, somewhere in Japan IntraLA - for sequential programs Init - initialize the graph Decide - performs symbolic execution Learn - calculates interpolants Conjoin - backward if DFS is not leading to a goal M.Rocchetto PhD Thesis Verona, May 8, 2015 9

  13. Interpolation, 53 years later Kenneth L. McMillan , “ Lazy Annotation for Program Testing and Verification ”, Computer Aided Verification, 2010 Kenneth McMillan, somewhere in Japan IntraLA - for sequential programs Successfully applied in formal methods for model checking and test-case generation for sequential programs Unsuitable to the direct application for security protocols: sequential programs only no intruder logic M.Rocchetto PhD Thesis Verona, May 8, 2015 9

  14. Outline Introduction 1 Design time security verification 2 History Security Protocol interpolation Method (SPiM) Example The SPiM tool Runtime security verification 3 M.Rocchetto PhD Thesis Verona, May 8, 2015 10

  15. SPiM tool structure ASLan++2Sil Tools DY entity A{ Theories Z3 ... EUF } input Translator iZ3 entity B{ ∀ X ... } Verdict ASLan++ output SPiA quantifier A A elimination Java X 1 Java G … --SiL-- X n VE Source code and case studies available at http://regis.di.univr.it/spim.php M.Rocchetto PhD Thesis Verona, May 8, 2015 11

  16. Running Example Needham-Schroeder Public Key (NSPK) protocol A → B : { N A , A } pk ( B ) B → A : { N A , N B } pk ( A ) A → B : { N B } pk ( B ) Man-in-the-middle attack A → i : { N A , A } pk ( i ) i ( A ) → B : { N A , A } pk ( B ) B → i ( A ) : { N A , N B } pk ( A ) i → A : { N A , N B } pk ( A ) A → i : { N B } pk ( i ) i ( A ) → B : { N B } pk ( B ) M.Rocchetto PhD Thesis Verona, May 8, 2015 12

  17. Running Example Needham-Schroeder with Lowe’s fix (NSL) protocol A → B : { N A , A } pk ( B ) B → A : { N A , N B , B } pk ( A ) A → B : { N B } pk ( B ) M.Rocchetto PhD Thesis Verona, May 8, 2015 13

  18. Input ASLan++2Sil T DY o o l entity A{ s Theories Z3 ... EUF } input Translator iZ3 entity B{ ∀ X ... } Verdict ASLan++ output SPiA quantifier A A elimination Java X 1 Java G … --SiL-- X n VE Why ASLan++? strong background (AVANTSSAR) high level language (similar to Java) made for protocol analysis, one can specify: entities as parallel processes communication between entities M.Rocchetto PhD Thesis Verona, May 8, 2015 14

  19. Input ASLan++2Sil T DY o o l entity A{ s Theories Z3 ... EUF } input Translator iZ3 entity B{ ... ∀ X } Verdict ASLan++ output SPiA quantifier A A elimination Java X 1 Java G … --SiL-- X n VE ASLan++ NSL Code example Alice(Actor,B:agent){ Bob(Actor,A:agent){ Goal: Bob authenticates Alice Na:=fresh(); ?->Actor:{?Na.?A}_pk(Actor); ------------------------------- Actor->B:{Na.Actor}_pk(B); Nb:=fresh(); Instantiation: B->Actor:{Na.?Nb.B}_pk(Actor); Actor->A:{Na.Nb.B}_pk(A); Actor->B:{Nb}_pk(B); A->Actor:{Nb}_pk(Actor); Alice Bob (1) a i } } (2) i b M.Rocchetto PhD Thesis Verona, May 8, 2015 14

  20. Control Flow Graph and Intruder Actions ASLan++2Sil DY Tools entity A{ Theories Z3 ... EUF } input iZ3 entity B{ Translator ∀ X ... } ASLan++ Verdict output SPiA quantifier A A elimination Java X 1 Java G … --SiL-- X n VE IntraLA algorithm designed for sequential programs (K. McMillan. Lazy annotation for program testing and verification . CAV’10) To apply (a modified version of) IntraLA to security protocols, we define a translation of a specification of a protocol P for a given scenario into a sequential non-deterministic program M.Rocchetto PhD Thesis Verona, May 8, 2015 15

  21. From parallel to sequential Alice := a , Bob := i Alice(Actor,B:agent){ 1.1) Alice.Actor := a; Na:=fresh(); 1.2) Alice.B := Y_1; Actor->B:{Na.Actor}_pk(B); 1.3) IK := { a,b,i,pk_a,pk_b,pk_i,pk_i^-1 } ; B->Actor:{Na.?Nb.B}_pk(Actor); 1.4) Actor->B:{Nb}_pk(B); 1.5) Alice.Na := c_1; 1.6) IK := IK + { Alice.Na,Alice.Actor } _pk(Alice.B); } 1.7) 1.8) if (IK |- { Alice.Na,?Alice.Nb,Alice.B } _pk(Alice.Actor)) Bob(Actor,A:agent){ 1.9) then 1.10) Alice.Nb = Y_2; ?->Actor:{?Na.?A}_pk(Actor); 1.11) else Nb:=fresh(); 1.12) end Actor->A:{Na.Nb.B}_pk(A); 1.13) A->Actor:{Nb}_pk(Actor); 1.14) IK := IK + { Alice.Nb } _pk(Alice.B); } M.Rocchetto PhD Thesis Verona, May 8, 2015 16

  22. From parallel to sequential Alice := i , Bob := b 2.1) Bob.Actor := b; Alice(Actor,B:agent){ 2.2) IK := { a,b,i,pk_a,pk_b,pk_i,pk_i^-1 } ; 2.3) Na:=fresh(); if (IK |- { ?Bob.Na,?Bob.A } _pk(Bob.Actor)) 2.4) Actor->B:{Na.Actor}_pk(B); 2.5) then B->Actor:{Na.?Nb.B}_pk(Actor); 2.6) Bob.Na = Y_1; Actor->B:{Nb}_pk(B); 2.7) Bob.A = Y_2; 2.8) else } 2.9) end 2.10) Bob(Actor,A:agent){ 2.11) Bob.Nb := c_1; 2.12) IK := IK + { Bob.Na,Bob.Nb,Bob.Actor } _pk(Bob.A); ?->Actor:{?Na.?A}_pk(Actor); 2.13) Nb:=fresh(); 2.14) if (IK |- { Bob.Nb } _pk(Bob.Actor)) Actor->A:{Na.Nb.B}_pk(A); 2.15) then A->Actor:{Nb}_pk(Actor); 2.16) do nothing 2.17) else } 2.18) end M.Rocchetto PhD Thesis Verona, May 8, 2015 17

  23. Control Flow Graph - NSL l 0 [X i = k] Combining sessions 1.1-3 stands for the 2.1-2 Intruder's choice l 1 Input variables X i to switch 1.5-6 between sessions l 2 [X 1 =1] [X 1 =2] l 3 l 7 1.1) Alice.Actor := a; 1.8-14 2.4-12 1.2) Alice.B := Y_1; 1.3) IK := { a,b,i,pk_a,pk_b,pk_i,pk_i^-1 } ; l 4 l 8 1.4) [X 2 =1] [X 2 =2] 1.5) Alice.Na := c_1; 2.4-12 1.6) IK := IK + { Alice.Na,Alice.Actor } _pk(Alice.B); 1.7) l 9 l 5 l 10 1.8) if (IK |- 1.8-14 2.14-18 { Alice.Na,?Alice.Nb,Alice.B } _pk(Alice.Actor)) 2.14-18 1.9) then l 11 1.10) Alice.Nb = Y_2; l 6 1.11) else 1.8-14 1.12) end if (Bob.A != i) 1.13) l 12 1.14) IK := IK + { Alice.Nb } _pk(Alice.B); if (Bob.A != i) g M.Rocchetto PhD Thesis Verona, May 8, 2015 18

Recommend


More recommend