A long-standing research problem in security protocol design is how to efficiently verify security protocols with tamper-resistant global states. In this paper, we address this problem by first proposing a protocol specification framework, which explicitly represents protocol execution states and state transformations. Secondly, we develop an algorithm for verifying security properties by utilizing the key ingredients of the first-order reasoning for reachability analysis, while tracking state transformation and checking the validity of newly generated states. Our verification algorithm is proven to be (partially) correct, if it terminates. We have implemented the proposed framework and verification algorithms in a tool named SSPA, and evaluate it using a number of stateful security protocols. The experimental results show that our approach is not only feasible but also practically efficient. In particular, we have found a security flaw on the digital envelope protocol, which could not be detected by existing security protocol verifiers.
Lecture Notes in Computer Science, 2014
Cryptographic protocols rely on message-passing to coordinate activity among principals. Each principal maintains local state in individual local sessions only as needed to complete that session. However, in some protocols a principal also uses state to coordinate its different local sessions. Sometimes the non-local, mutable state is used as a means, for example with smart cards or Trusted Platform Modules. Sometimes it is the purpose of running the protocol, for example in commercial transactions.
Cornell University - arXiv, 2017
In the paper we introduce a process model of security protocols, where processes are graphs with edges labelled by actions, and present a new method of specification and verification of security protocols based on this model.
mimuw.edu.pl
Abstract. We believe that it is important to verify not just the correctness of abstract security protocols, but also to verify the correctness of real implementations of security protocols. Considerable research is needed to facilitate the development process for such ...
2002
We have developed an efficient proof-of-concept prototype tool for security protocol validation called ASPECT. This prototype is designed to demonstrate the feasibility of our approach to security protocol checking and validation. Our approach can be characterised in terms of "flaw-detection for security protocols", much in the same way that programs in a programming language can be type checked. However, we go beyond approaches based solely upon static analysis by combining an initial static, passive analysis with an active search that attempts to uncover attacks upon the given protocol. Naturally, a successful attack indicates the presence of a security flaw in the protocol. More precisely, ASPECT takes a conventional security protocol description given in terms of message sequences between several parties, and analyses this statically in terms of defined high-level security goals (e.g. confidentiality, authorisation) to derive a number of conjectured security properties for the given protocol. ASPECT then attempts to find protocol flaws, if any, by trying to dynamically construct active attack patterns to disprove these conjectures. The question of whether the checking techniques used within ASPECT are complete is currently open and the subject of further research. In this introductory report, we illustrate what ASPECT does in terms of a worked example, where we develop a simple authentication protocol. This protocol is revised several times and ASPECT used to examine these revisions. As you would anticipate, ASPECT finds no flaws with the final revision of this protocol.
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious intruders becomes paramount. People have looked to cryptography to help solve many of these problems. However, cryptography itself is only a tool. The security of a system depends not only on the cryptosystem being used, but also on how it is used. Typically, researchers have proposed the use of security protocols to provide these security guarantees. These protocols consist of a sequence of messages, many with encrypted parts. In this paper, we develop a way of verifying these protocols using model checking. Model checking has proven to be a very useful technique for verifying hardware designs. By modelling circuits as finite-state machines, and examining all possible execution traces, model checking has found a number of errors in real world designs. Like hardware designs, security protocols are very subtle, and can also have bugs which are difficult to find. By examining all possible execution traces of a security protocol in the presence of a malicious intruder with well defined capabilities, we can determine if a protocol does indeed enforce its security guarantees. If not, we can provide a sample trace of an attack on the protocol.
1998
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them.
Lecture Notes in Computer Science, 2003
Lecture Notes in Computer Science, 2005
Security protocols are notoriously difficult to debug. One approach to the automatic verification of security protocols with a bounded set of agents uses logic programming with analysis and synthesis rules to describe how the attacker gains information and constructs new messages. We propose a generic approach to verifying security protocols in Spin. The dynamic process creation mechanism of Spin is used to nondeterministically create different combinations of role instantiations. We incorporate the synthesis and analysis features of the logic programming approach to describe how the intruder learns information and replays it back into the system. We formulate a generic "loss of secrecy" property that is flagged whenever the intruder learns private information from an intercepted message. We also describe a simplification of the Dolev-Yao attacker model that suffices to analyze secrecy properties.
Computing Research Repository, 2011
In recent times, many protocols have been proposed to provide security for various information and communication systems. Such protocols must be tested for their functional correctness before they are used in practice. Application of formal methods for verification of security protocols would enhance their reliability, thereby increasing the usability of systems that employ them. Thus, formal verification of security protocols has become a key issue in computer and communications security. In this paper we present, analyze and compare some prevalent approaches towards verification of secure systems. We follow the notion of "same goal through different approaches" as we formally analyze the Needham-Schroeder Public Key protocol for Lowe's attack using each of our presented approaches.
Journal of Systems Architecture, 2011
We propose a novel method to construct user-space internet protocol stacks whose security properties can be formally explored and verified. The proposed method allows construction of protocol stacks using a C++ subset. We define a formal state-transformer representation of protocol stacks in which the protocol stack is specified in terms of three primary operations, which are constructed from sub-operations, in
Rapid development of networks and communications makes security a more and more crucial problem. To provide security for different systems, many communication security protocols are proposed. Such protocols must be proved correct before they can be used in practice. Formal verification techniques are promising methods to verify protocols and have been receiving a lot of attention recently. In this paper, we survey several security protocols and formal verification techniques to verify the protocols.
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approach.
2003
A second-level security protocol is defined as a security protocol that relies on an underlying security protocol in order to achieve its goals. The verification of classical authentication protocols has become routine, but second-level protocols raise new challenges. These include the formalisation of appeals to the underlying protocols, the modification of the threat model, and the formalisation of the novel goals. These challenges have been met using Isabelle and the Inductive Approach [14]. The outcomes are demonstrated on a recent protocol for certified e-mail delivery by Abadi et al. [2].
Computer Systems: Science & Engineering, 2003
Journal of Advances in Computer Networks, 2018
The design of secure protocols is complex and prone to error. Formal verification is an imperative step in the design of security protocols and provides a rigid and thorough means of evaluating the correctness of security protocols. This paper discusses the process of formal verification using a logic-based technique for detecting protocol weaknesses that are exploitable by freshness and interleaving attacks. This technique is realised as a special purpose logic for attack detection that can be used throughout the design stage, i.e. it subjects a draft of a protocol to formal analysis prior to its publication or deployment. For any detected failure the analysis will also reveal reasons for the weaknesses, facilitating design corrections. A summary of the attack detection logic is presented and its ability to detect weaknesses is demonstrated by applying it to a smart-card based authentication protocol. Further, a prototype implementation of the attack detection logic theory is introduced. An empirical study is presented that assesses the effectiveness and efficiency of the proposed automated technique by applying it to a set of protocols, incorporating some with known vulnerabilities and some that are known to be secure. This study confirms the ability of the technique to detect all design weaknesses. Additionally, it establishes the efficiency of the verification technique, in terms of memory requirements (study was carried out on a computing platform of 2GB of RAM) and execution times (milliseconds) required for protocol verification.
Journal of Communications, 2013
Formal verification aims at providing a rigid and thorough means of evaluating the correctness of security protocols and also establishing that the protocols are free of weaknesses that can be exploited by attacks. This paper discusses the process of formal verification using a logic-based verification tool. The verification tool with attack detection capabilities is introduced, and the verification process is demonstrated by way of a case study on two published security protocols that provide mutual authentication using smart cards. The performed verification reveals new weaknesses in the protocols that can be exploited by a replay attack and a parallel session attack. The impact of these attacks is that an attacker is able to masquerade as a legitimate remote user to cheat the system. The reasoning why these attacks are possible is detailed, and an amended protocol, resistant to these attacks, is proposed. Formal verification of the amended protocol provides confidence in the correctness and effectiveness of the proposed modifications.
1996
Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Murφ state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized protocol illustrates the difficulty of using theorem proving to verify infinite-state protocols. Some of this difficulty can be overcome by extracting a finite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Murφ, SMV, and the PVS model checkers on this reduced protocol.
2012
AnBx is an extension of the Alice & Bob notation for protocol narrations to serve as a specification language for a purely declarative modelling of distributed protocols. AnBx is built around a set of communication and data abstractions which provide primitive support for the high-level security guarantees, and help shield from the details of the underlying cryptographic infrastructure. Being implemented on top of the OFMC verification tool, AnBx serves not only for specification and design, but also for security analysis of distributed protocols. Moreover the framework, keeping apart the protocol logic from the application logic, allows for automatic generation of Java source code of protocols specified in AnBx. We demonstrate the practical effectiveness of our approach with the specification and analysis of two real-life e-payment protocols, obtaining stronger and more scalable security guarantees than those offered by the original ones. In the second part of the thesis we formally analyse the Secure Vehicle Communication system (SeVeCom), using the AIF framework which is based on a novel set-abstraction technique. We report on two new attacks found and verify that under some reasonable assumptions, the system is secure.
1999
Security protocols use cryptography to set up private communication channels on an insecure network. Many protocols contain flaws, and because security goals are seldom specified in detail, we cannot be certain what constitutes a flaw. Thanks to recent work by a number of researchers, security protocols can now be analyzed formally.
Journal of Computer Security, 2005
We perform a systematic expansion of protocol narrations into terms of a process algebra in order to make precise some of the detailed checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice for identifying a number of authentication flaws in symmetric and asymmetric key protocols such as Needham-Schroeder symmetric key, Otway-Rees, Yahalom, Andrew Secure RPC, Needham-Schroeder asymmetric key, and Beller-Chang-Yacobi MSR.