Post on 11-May-2015
Verifying Implementationsof Security Protocols in C
Mihhail Aizatulin1
supervised byAndrew Gordon2, Jan Jurjens3, Bashar Nuseibeh1
1The Open University
2Microsoft Research Cambridge
3Dortmund University
CRC PhD Student ConferenceOpen UniversityJune 3-4, 2010
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.
The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
The Goal
Source code of acryptographic protocolimplementation
Our tools
List of all potentialsecurity flaws or proofof security
Our goal is a tool for securityanalysis at implementation level.The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verifyOpenSSL or Kerberos).
We assume that
cryptographic primitives areimplemented correctly,
cryptography is unbreakable(for now).
M. Aizatulin Verifying Implementations of Security Protocols in C
Motivation (I)
OpenSSL library bug, January 2009:
i n t c h e c k c e r t i f i c a t e ( ){. . .i f ( c e r t i f i c a t e m a l f o r m e d )
return −1;e l s e i f ( ! c e r t i f i c a t e c h e c k o k )
return 0 ;e l s e return 1 ;}
// l a t e r i n code :. . .i f ( c h e c k c e r t i f i c a t e ( ) ) // oops !{
t r u s t c e r t i f i c a t e ( ) ;}
M. Aizatulin Verifying Implementations of Security Protocols in C
Motivation (II)
An attacker can craft a malformed certificate, pretending to besomeone else:
Attacker (= Internet) paypal.comClient
paypal.com Certificate?
Malformed Certificate
M. Aizatulin Verifying Implementations of Security Protocols in C
Motivation (III)
Now the attacker can impersonate the client and the bank to eachother:
Attacker (= Internet) paypal.comClient
Password?
Password + “get $$$”
Password?
Password
M. Aizatulin Verifying Implementations of Security Protocols in C
Background
There has been great progress in
static software analysis,
verification of protocol specifications.
But so far very little progress in where the two meet.
Machine Languages(C, Java)
Formal Languages(π-calculus, LySa)
low-level properties(NULL dereference,division by zero)
VCC Frama-C
ESC/Java
SLAM
high-level properties(secrecy, authentica-tion)
CSur
Our Goal
ProVerif/CryptoVerif
AVISPA
LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C
Background
There has been great progress in
static software analysis,
verification of protocol specifications.
But so far very little progress in where the two meet.
Machine Languages(C, Java)
Formal Languages(π-calculus, LySa)
low-level properties(NULL dereference,division by zero)
VCC Frama-C
ESC/Java
SLAM
high-level properties(secrecy, authentica-tion)
CSur
Our Goal
ProVerif/CryptoVerif
AVISPA
LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C
Background
There has been great progress in
static software analysis,
verification of protocol specifications.
But so far very little progress in where the two meet.
Machine Languages(C, Java)
Formal Languages(π-calculus, LySa)
low-level properties(NULL dereference,division by zero)
VCC Frama-C
ESC/Java
SLAM
high-level properties(secrecy, authentica-tion)
CSur
Our Goal
ProVerif/CryptoVerif
AVISPA
LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C
Background
There has been great progress in
static software analysis,
verification of protocol specifications.
But so far very little progress in where the two meet.
Machine Languages(C, Java)
Formal Languages(π-calculus, LySa)
low-level properties(NULL dereference,division by zero)
VCC Frama-C
ESC/Java
SLAM
high-level properties(secrecy, authentica-tion)
CSur
Our Goal
ProVerif/CryptoVerif
AVISPA
LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C
ProVerif
ProVerif is a protocol verifier we would like to use. Its models aremuch more abstract than C.
ProVerif
M ::= expression
a, b, c name
x, y, z variable
f(M1, . . . ,Mn) constructor
C
M,N ::= expression
0, . . . , ’a’, . . . constant
M opN operator
u lvalue
&u reference
u ::= lvalue
x, y, z variable
∗ u dereference
u.field field access
u[i] array access
M. Aizatulin Verifying Implementations of Security Protocols in C
ProVerif
ProVerif is a protocol verifier we would like to use. Its models aremuch more abstract than C.
ProVerif
M ::= expression
a, b, c name
x, y, z variable
f(M1, . . . ,Mn) constructor
C
M,N ::= expression
0, . . . , ’a’, . . . constant
M opN operator
u lvalue
&u reference
u ::= lvalue
x, y, z variable
∗ u dereference
u.field field access
u[i] array access
M. Aizatulin Verifying Implementations of Security Protocols in C
ProVerif
ProVerif is a protocol verifier we would like to use. Its models aremuch more abstract than C.
ProVerif
M ::= expression
a, b, c name
x, y, z variable
f(M1, . . . ,Mn) constructor
C
M,N ::= expression
0, . . . , ’a’, . . . constant
M opN operator
u lvalue
&u reference
u ::= lvalue
x, y, z variable
∗ u dereference
u.field field access
u[i] array access
M. Aizatulin Verifying Implementations of Security Protocols in C
Symbolic Execution
Symbolic execution is a tool to simplify programs and extract theirmeaning.
Concrete: Symbolic:
i n t f ( i n t x , i n t y ){return ++x ∗ y++;}
x = 2 y = 3
9
i n t f ( i n t x , i n t y ){return ++x ∗ y++;}
x = a y = b
(a+ 1)b
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (I)
Am, hash(m, kshared)−−−−−−−−−−−−→ B.
Client side implemented as:
c l i e n t ( char ∗ pay load , i n t p a y l o a d l e n ){i n t m s g l e n = 5 + l e n + SHA1 LEN ;char ∗ msg = m a l l o c ( m s g l e n ) ;char ∗ p = msg ;∗p = l e n ; p += 4 ; // add l e n g t h∗( p++) = 1 ; // add the tagmemcpy ( pay load , p , l e n ) ; // add the pay loadsha1 ( msg , 5 + l e n , p ) ; // add the hashsend ( msg , m s g l e n ) ; // send
}
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (I)
Am, hash(m, kshared)−−−−−−−−−−−−→ B.
Client side implemented as:
c l i e n t ( char ∗ pay load , i n t p a y l o a d l e n ){i n t m s g l e n = 5 + l e n + SHA1 LEN ;char ∗ msg = m a l l o c ( m s g l e n ) ;char ∗ p = msg ;∗p = l e n ; p += 4 ; // add l e n g t h∗( p++) = 1 ; // add the tagmemcpy ( pay load , p , l e n ) ; // add the pay loadsha1 ( msg , 5 + l e n , p ) ; // add the hashsend ( msg , m s g l e n ) ; // send
}
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (II)
c l i e n t ( char ∗ pay load , i n t p a y l o a d l e n ){i n t m s g l e n = 5 + l e n + SHA1 LEN ;char ∗ msg = m a l l o c ( m s g l e n ) ;char ∗ p = msg ;∗p = l e n ; p += 4 ; // add l e n g t h∗( p++) = 1 ; // add the tagmemcpy ( pay load , p , l e n ) ; // add the pay loadsha1 ( msg , 5 + l e n , p ) ; // add the hashsend ( msg , m s g l e n ) ; // send
}
out(len(payload )|01|payload|sha1(len(payload )|01|payload, kshared))
Symbolic Execution
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (II)
c l i e n t ( char ∗ pay load , i n t p a y l o a d l e n ){i n t m s g l e n = 5 + l e n + SHA1 LEN ;char ∗ msg = m a l l o c ( m s g l e n ) ;char ∗ p = msg ;∗p = l e n ; p += 4 ; // add l e n g t h∗( p++) = 1 ; // add the tagmemcpy ( pay load , p , l e n ) ; // add the pay loadsha1 ( msg , 5 + l e n , p ) ; // add the hashsend ( msg , m s g l e n ) ; // send
}
out(len(payload )|01|payload|sha1(len(payload )|01|payload, kshared))
Symbolic Execution
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (III)
...
out(len(payload )|01|payload|sha1(len(payload )|01|payload, kshared))
Symbolic Execution
out(f1(payload, hash1(payload, kshared)))
Format Abstraction
Integrity verified.
ProVerif (+ Server Side)
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (III)
...
out(len(payload )|01|payload|sha1(len(payload )|01|payload, kshared))
Symbolic Execution
out(f1(payload, hash1(payload, kshared)))
Format Abstraction
Integrity verified.
ProVerif (+ Server Side)
M. Aizatulin Verifying Implementations of Security Protocols in C
Method (III)
...
out(len(payload )|01|payload|sha1(len(payload )|01|payload, kshared))
Symbolic Execution
out(f1(payload, hash1(payload, kshared)))
Format Abstraction
Integrity verified.
ProVerif (+ Server Side)
M. Aizatulin Verifying Implementations of Security Protocols in C
Current Status
Done:
Implemented symbolic execution for fixed bitstring lengthsand linear control flow.
Proved correctness of format abstraction.
To do:
Implement symbolic execution for variable bitstring lengths.
Implement format abstraction.
Add support for arbitrary control flow.
M. Aizatulin Verifying Implementations of Security Protocols in C
Thank you!
M. Aizatulin Verifying Implementations of Security Protocols in C