towards computationally sound symbolic security analysis
play

Towards computationally sound symbolic security analysis Daniele - PowerPoint PPT Presentation

Dec 31, 2022 •821 likes •1.34k views

Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS Tutorial June 2004 Security protocols Protocols: distributed programs Goal: maintain prescribed behavior in adversarial execution environment

  1. Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS Tutorial – June 2004

  2. Security protocols ● Protocols: distributed programs ● Goal: maintain prescribed behavior in adversarial execution environment ● Tool: Cryptography P2 Adv. P1 For all Adv. P3

  3. Analyzing security protocols ● Typically much more complicated than traditional protocols because of universal quantification over the adversaries ● Implications: – Security cannot be tested, but only proved – Need for a formal model to precisely formulate and prove security properties

  4. Models of security ● Computational model – Encryption [Goldwasser, Micali 1983] ● Symbolic model – [Dolev, Yao 1983] ● Other models – Random oracle model – Generic model

  5. Computational Model ● Detailed model of computation / communication ● Cryptographic operations are not modeled , but defined within the model. 0/1 0/1 100100101 0001110101 0/1

  6. Example: CPA-secure Encryption ● Encryption scheme = (Kgen, E, D) ● Security against “chosen plaintext attack”: Pr{g=b}~1/2 g m 0 if |m 0 |=|m 1 | pk m 1 Kgen Adversary b then m b sk E(pk, m b ) D(sk, _) E(pk, _)

  7. Features of CPA-security ● Even partial information about message is hidden – captured by size 2 message space ● No assumption on message distribution – captured by adversarially chosen messages ● Strong security (succ. prob. ~ 1/2) ● Encryption function can be used multiple times – Letting Adv. make many queries (m 0 ,m 1 ) does not make the definition substantially stronger

  8. Non-features of CPA-security ● Message length is not necessarily hidden: – Messages must satisfy |m 0 | = |m 1 | ● The key is not necessarily hidden, e.g.: – Kgen': Run Kgen->k, and output k' = (k,r) – E' (k,r) (m) = (E k (m),r) ● Other definitions are possible: – e.g., schemes can completely hide the key

  9. Symbolic model ● Abstract computation and communication model ● Cryptography is integral part of the model: cryptography = abstract data type k E(k,m) E(k, m) D(k, _ ) m E(k',m) E(k', _ ) E(k', m) k'

  10. Computational model ● Advantages: – High security assurance – Provides guidance to design of crypto primitives – Allows definition of new crypto primitives ● Disadvantages – Proofs are long and hard to verify – Security intuition is often lost in technical details – Few cryptographers still write full proofs, and nobody read them anyway

  11. Symbolic model ● Potential advantages – Simpler, higher level proofs: e.g., no probabilities – Automatic proof verification ● Disadvantages – Security proved only against abstract adversaries – Unclear assumptions on cryptographic primitives – Tailored to specific security properties, and classes of protocols

  12. Computational vs. symbolic Adv. ● Computational Adversary: – arbitrary probabilistic polynomial time Adv. – may break symbolic model assumptions by guessing a key (with non zero probability) ● Symbolic Adversary: – restricted but computationally unbounded and/or non-deterministic adversary – may break the computational model by non- deterministically guessing a key

  13. Abstraction Level k E(k,m) D(k, _ ) m ● Security Protocols E(k',m) E(k', _ ) ● Cryptography k' ● Digital circuits ● Physics / EE 0/1 0/1 0/1

  14. What level of abstraction should be used to ... ● ... describe security protocols ? – Higest level that allows to describe the protocol's actions – Typically, symbolic model is enough ● ... define security properties ? – Highest possible that allows to describe all realistic threats (e.g., adversarial's actions) – Computational model is typically accepted as a reasonable choice

  15. Beyond the computational model ● Power analysis attacks – [Kocher] ● Timing attacks – [Kocher] ● Sometimes useful: – constant round concurrent Zero Knowledge protocols [Dwork, Naor, Sahai] [Goldreich]

  16. Soundness of symbolic analysis ● Goal: framework where – protocols are written and analyzed symbolically – still, security holds against computational adversaries ● Advantages and limitations – Simple protocols and security proofs – High security assurance – Applies only to a subclass of protocols – Targets restricted class of security properties

  17. What is a sound symbolic analysis? Symbolic High level + = Adversary protocol Security Symb. model property Comp. model High level = Concrete + protocol Adversary

  18. Using the soundness theorem ● High level protocol Prot ● Soundness theorem: – For any comp. Adv, if SymbExec[Prot,[Adv]] satisfies S, then CompExec((Prot),Adv) satisfies S ● Symbolic security proof – For any symb. Adv', SymbExec[Prot,Adv'] satisfies S ● Strong security guarantee – For any comp Adv, CompExec[(Prot),Adv] satisfies S

  19. Remarks ● Standard process in cryptography: – E.g. Transformation from semihonest to malicious adversarial models using Zero Knowledge ● Compiling protocols: – Usually a non-trivial transformation – May introduce inefficiencies (e.g., use of ZK) ● Compiling adversaries: – Usually efficiency is not as critical here

  20. What's different with soundness of symbolic analysis? ● Formal high level protocol description language – E.g., no probabilities. Important for automation. ● Simple interpretation of high level procols – Essential for analysing existing protocols – Important for implementation of new protocols ● Compiling adversaries: highly non-trivial – Very restricted target language – Important for automatic verification

  21. Approaches to sound symbolic analysis ● Secure multiparty computation – Library to interpret/compile symbolic programs in computational setting – Powerful: Embed symbolic terms in computational model, retaining all capabilities of comp. model ● Ad-hoc approaches – Specialized languages for subclasses of protocols – Directly justify symbolic analysis

  22. Example: encrypted expressions ● Very simple protocols: “A(input) -> B: output” ● Syntax: X = input | const | {X} key | (X,...,X), ● Example: X = (k1, {(k3, {(0, input)} k2 )} k1 , {k2} k3 ) ● Computational interpretation [X]:{0,1}*->{0,1}* – Generate keys Kgen->k1,k2,k3 – Evaluate expression bottom up, where ● [{X} k ]=E k ([X]) ● [(X1,...,Xn)] = ([X1],...,[Xn])

  23. Symbolic execution ● On input m, A transmits X' = X[m/input] to B ● The symbolic (Dolev-Yao) adversary, given expression X', computes as much information as possible, according to the following rules: – X' is known – If (X1,...,Xn) is known, then X1, ..., Xn are known – If {X} k and k are known, then X is known

  24. Security properties ● Secrecy of the input: – the input value is protected by the protocol ● Computational secrecy: – For any input s, the distributions [X](s) and [X](0) are computationally indistinguishable ● Symbolic secrecy: – No symbolic (Dolev-Yao) adversary can recover m from X[m/input]

  25. Pattern Semantics ● Associate each program with a pattern: – P = input | const | (P,...,P) | {P} key | “?” ● Examples: – Pattern(k1, {(k3, {(0, input)} k2 )} k1 , {k2} k3 ) = (k1, {(k3, {(0, input)} k2 )} k1 , {k2} k3 ) – Pattern(k1, {(k3, {(0, input)} k2 )} k1 , {k4} k3 ) = (k1, {(k3, “?” )} k1 , {k4} k3 )

  26. Soundness Theorem ● [Abadi-Rogaway] if Pattern(X1)==Pattern(X2) then [X1]~[X2] are computationally indistinguishable, provided that – (Kgen, E, D) is “type 0” secure encryption scheme – expressions X1, X2 are acyclic, e.g., expression ({k1} k2 ,{k2} k1 ) is not allowed. ● Corollary: – If Pattern(X) does not contain “input”, then X is secure

  27. Soundness result as a metatheorem ● Soundness theorem has the form of a standard cryptography result ● As easy to use as normal cryptographic definitions Pr{g=b}~1/2 g X 0 k 1 ,k 2 ,... if Pat(X 0 )=Pat(X 1 ) Kgen Adversary b Kgen Kgen then X b X 1 [X b ] [ _ ] [ _ ] [ _ ]

  28. Case study: Secure multicast = Group member ● Authenticated broadcast channel, = Non-member ● Dynamically changing group of users 010001001010110110110100101 Center send(m 1 ) u 4 u 1 u 2 u 3 u 4 u 5 u 6 u 2 rem(u 2 ) add(u 4 ) m 1 m 1 m 1 m 1 send(m 2 ) m 2 m 2 m 2 m 2

  29. Multicast key distribution problem ● Standard approach to achieve secrecy: – Establish a common secret key – Use the key to encrypt the messages ● Problem: – Update the key when group membership changes – Individually sending new key to all members is too expensive – Cannot encrypt new key under old one because the old one is compromised

  30. Secure key distribution = Group member ● Authenticated broadcast channel, = Non-member ● Dynamically changing group of users 010001001010110110110100101 Center u 4 u 1 u 2 u 3 u 4 u 5 u 6 u 2 rem(u 2 ) k 1 k 1 k 1 add(u 4 ) k 2 k 2 k 2 k 2

  31. Secure key distribution ● For any sequence of updates, and coalition C, {u C , xxx, k(S)} ~ {u C , xxx, k'(S)}, where S = {t :C does not intersect the group } Adv k(S) updates Center u 1 u 3 u 4 u 5 u 6 u 2 k1 add(u 1 ) u 1 u 3 u 4 u 5 u 6 k2 add(u 2 ) u 2 k3 add(u 4 ) u 1 u 3 u 4 u 5 u 6 u 2 del(u 2 ) k4 u 1 u 3 u 4 u 5 u 6 u 2 add(u 5 ) k5 u 1 u 3 u 4 u 5 u 6 u 2

Recommend

A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F.

A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F.

A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F. M ejean, L. Pillard, J. Tharaud National School of Applied Mathematics and Computer Science, ENSIMAG 27 November 2009 P. Cogn ee, D.

591 views • 23 slides
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, Ecole Normale Sup erieure, INRIA,

972 views • 78 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Comparing Learning Models for Korean Sound-symbolic Vowel Harmony Darrell Larsen and Jeffrey

Comparing Learning Models for Korean Sound-symbolic Vowel Harmony Darrell Larsen and Jeffrey

Comparing Learning Models for Korean Sound-symbolic Vowel Harmony Darrell Larsen and Jeffrey Heinz March 20, 2010 PLC 34 1 Main Goals of Presentation 1. Provide quantitative support for vowel harmony in sound-symbolic forms in Korean 2.

921 views • 33 slides
Towards Automated Computationally Faithful Specify protocol participants as processes following

Towards Automated Computationally Faithful Specify protocol participants as processes following

2 Security Analysis a la Dolev-Yao Towards Automated Computationally Faithful Specify protocol participants as processes following Dolev, Yao 1982: In addition to Verification of Cryptoprotocols expected participants, model attacker who: Jan

146 views • 4 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Sound 2: frequency analysis Tues. March 27, 2018 1 Speed of Sound Sound travels at about 340

Sound 2: frequency analysis Tues. March 27, 2018 1 Speed of Sound Sound travels at about 340

COMP 546 Lecture 19 Sound 2: frequency analysis Tues. March 27, 2018 1 Speed of Sound Sound travels at about 340 m/s, or 34 cm/ ms. (This depends on temperature and other factors) 2 Wave equation =

601 views • 45 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental Mathematical Computation, July 2125, 2014, ICERM, Brown University Symbolic local Fourier Analysis (and some Special Functions Inequalities)

1.21k views • 82 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for Recommendation Systems Byron Leite Dantas Bezerra Byron Leite Dantas Bezerra bldb@dsc.upe.br bldb@dsc.upe.br Francisco Assis Tenrio Carvalho

708 views • 34 slides
Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard Problems Rachael Madsen Optimal Design Software LLC BS in Mathematics Software Engineer & Architect Python programmer

872 views • 46 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides

More recommend