SATMC: a SAT-based Model Checker for Security-critical Systems · SATMC is a SAT-based bounded...

SATMC: a SAT-based Model Checker forSecurity-critical Systems

Alessandro Armando

Security&Trust, CIT irst, Bruno Kessler Foundation, Trento, Italy

joint work withRoberto Carbone, Luca Compagna

Trento, March 19, 2014

(To be presented at TACAS’14.)

Alessandro Armando (FBK) SATMC Trento, March 19, 2014 0 / 31

Outline

1 Introduction

2 Application Domains

3 Modeling Security-critical Systems

4 SAT-based Model Checking of Security-critical Systems

5 Conclusions


Motivations

Security protocols and services are key to securing theever-growing ecosystem of online applications (web, mobile, ...)But security solutions are notoriously difficult to get right.Many security-critical protocols and services have been designedand developed only to be found flawed years after theirdeployment.These flaws are usually due to the complex and unexpectedinterleaving of the protocols and services as well as to thepossible interference of malicious agents.Very difficult to spot by traditional verification techniques (e.g.,manual inspection and testing)Security-critical systems are a natural target for formal methodtechniques.


Model Checking Security Protocols

Since (both honest and malicious) agents can build and exchangemessages of finite, but arbitrary complexity (throughconcatenation and cryptographic primitives), most security-critical,distributed systems are inherently infinite state.For this reason general purpose model checkers (e.g., SPIN,NuSMV) are not suited for the analysis of a large and importantclass of security-critical systems.Special purpose tools (most notably, security protocol analyzers,e.g., CL-AtSe, OFMC, Proverif) are capable of very goodperformance on basic protocols.Yet, they do not support many features that are necessary totackle the complexity of many real-world protocols and services.


SATMC: a SAT-based Model Checker

GoalStrike a balance between general purpose model checkers andsecurity protocol analyzers.

SATMC is a SAT-based bounded model checker forsecurity-critical systems that combines encoding techniquesdeveloped for planning with techniques developed for the analysisof reactive systems.The model is specified through a (multi)set-rewriting formalismclosely related to (an extension of) the STRIPS planning language.Recently extended to support Horn clauses and (first-order) LTL.Supports the analysis of systems that exchange messages over awide range of secure channels, are subject to sophisticatedsecurity policies, and/or aim to achieve a variety of security goals.


SATMC: a SAT-based Model Checker

SATMC has been successfully applied toa variety of application domains (namely, security protocols,security-sensitive business processes, and cryptographic APIs)for different purposes (e.g., design-time security analysis andsecurity testing).

SATMC is integrated and used as a back-end in:research prototypes (the AVISPA Tool, Tookan, the AVANTSSARPlatform, and the SPaCIoS Tool) andindustrial-strength tools (the Security Validator plugin for SAPNetWeaver BPM)


Outline

1 Introduction




5 Conclusions


Application Domains

User

Domain-specificConnector

SATMC

ASLanSpecification

OutputFormat

MiniSAT

NuSMV

BPMNConnector

Security APIConnector

Security Protocol

Connector


Security API Connector

User

Security APIConnector

SATMC

ASLanSpecification

OutputFormat

MiniSAT

NuSMV

1 // modifies the value of one or more object attributes2 void C_SetAttributeValue(long hSes, long hObj, CK_ATTRIBUTE[] pAtt)3 // initializes a decryption operation4 void C_DecryptInit(long hSes, CK_MECHANISM pMechanism, long hKey)5 // decrypt encrypted data6 byte[] C_Decrypt(long hSes, byte[] pEncryptedData)7 // wraps (i.e., encrypts) a key8 byte[] C_WrapKey(long hSes, CK_MECHANISM pMechanism, long hWrappingKey, long hKey)


Security API Connector: Some Results

SATMC lies at the core of Tookan, a tool capable to automaticallydetect and reproduce policy violations in commercially availablecryptographic security tokensa number of attacks detected on the PKCS#11 Security Tokens

M. Bortolozzo, M. Centenaro, R. Focardi and G. Steel. Attacking and Fixing PKCS#11Security Tokens. Proceedings of the 17th ACM Conference on Computer and CommunicationsSecurity (ACM CCS 2010).


BPMN Connector

User

BPMNConnector

SATMC

ASLanSpecification

OutputFormat

MiniSAT

NuSMV


BPMN Connector: Some Results

SATMC lies at the coreof a Security Validation prototype for BPsdeveloped by the Product Security Research unit at SAP

A. Armando and S. E. Ponta. Model Checking Authorization Requirements inBusiness Processes. In Computers & Security, vol. 40, no. 0, pp. 1 - 22, 2014.

W. Arsac, L. Compagna, G. Pellegrino, and S. E. Ponta. Security Validation of BusinessProcesses via Model-checking. In ESSoS 2011.


Security Protocol ConnectorUser

Security ProtocolConnector

SATMC

ASLanSpecification

OutputFormat

MiniSAT

NuSMVC IdP SP

1. GET URI

2. HTTP302 IdP?SAMLRequest=AReq(ID,SP)

3. GET IdP?SAMLRequest=AReq(ID,SP)

IdP builds an authentication assertionAA = AAssert(ID,C, IdP,SP)4. HTTP200 Form(. . .)

5. POST SP?SAMLResponse=AResp(ID,SP, IdP, {AA}K−1IdP

)

6. HTTP200 Resource(URI)


Security Protocol Connector: Some Results

SATMC played key role in the discovery of:Flaw in a version of the Asokan, Shoup, and Waidner protocol foronline contract signing “patched” by Mitchell & Shmatikov:

A. Armando, R. Carbone and L. Compagna. LTL Model Checking for SecurityProtocols. In the proceedings of the 20th IEEE Computer Security FoundationsSymposium (CSF20)

Flaw in a strong (i.e. two-factor and two-channel) authenticationprotocol.

A. Armando, R. Carbone and L. Zanetti. Formal Modeling and Automatic SecurityAnalysis of Two-Factor and Two-Channel Authentication Protocols. In theproceedings of the International Conference on Network and System Security (NSS 2013).June, 2013.


Security Protocol Connector: Some Results

Flaw detected in Google’s SAML-based SSO for Google Apps

Authentication flaw in the most common use-case scenario ofSAML 2.0 SSO Profile.(Errata by OASIS SecurityServices Technical Committee.)

Cross-Site Scripting (XSS) vulnerabilities detected in:SAML-based SSO for Google AppsSimpleSAMLphpNovell Access Manager v3.1


Responsible Disclosure of the Vulnerability


The News goes on the Press. . .


The News goes on the Blogs of Security Experts


A. Armando, R. Carbone, L. Compagna, J. Cuellar, G. Pellegrino, A. Sorniotti. Anauthentication flaw in browser-based Single Sign-On protocols: Impact andremediations. In Computers & Security, Volume 33, pages 41-58, 2013.


Outline

1 Introduction




5 Conclusions


Model Checking Problem

Fact: atomic formula of a first-order languageModel: M = 〈I,R,H, C〉I: initial state,R: set of rewrite rulesH: set of Horn clausesC: set of constraints (closed formulae)

model︷︸︸︷ LTL formula︷︸︸︷MS‖MI |= G

MS = 〈IS,RS,HS, CS〉: model of the security-sensitive systemMI = 〈II ,RI ,HI , CI〉: model of the intruderG: LTL formula expressing the security properties that thecombined model must enjoy.


Facts

Fact MeaningDomain sent(s, b, a, m, c) s sent m on c to a pretending to be bIndependent rcvd(a, b, m, c) m (supposedly sent by b) has been received

on c by acontains(d , ds) d is member of ds

ik(m) the intruder knows mProtocols stater (j , a, ts) a plays r , has internal state ts, and can exe-

cute step jBusiness pa(r , t) r has the permission to perform tProcesses ua(a, r) a is assigned to r

executed(a, t) a executed tgranted(a, t) a is granted to execute t

APIs attrs(as) security token has attributes as


Initial State

MS = 〈IS,RS,HS, CS〉

security protocols: contains a state-fact stater (1,a, ts) for eachagent a.business processes: specifies which tasks are ready for executionas well as the access control policy (e.g., the user-role and therole-permission assignment relations).security APIs: specifies some attribute-value assignments


Rewriting Rules

MS = 〈IS,RS,HS, CS〉C IdP SP

1. GET URI

2. HTTP302 IdP?SAMLRequest=AReq(ID,SP)

3. GET IdP?SAMLRequest=AReq(ID,SP)

IdP builds an authentication assertionAA = AAssert(ID,C, IdP,SP)4. HTTP200 Form(. . .)

5. POST SP?SAMLResponse=AResp(ID,SP, IdP, {AA}K−1IdP

)

6. HTTP200 Resource(URI) Security Protocol

Connector

rcvd (C,SP,hRsp(c30x,IdP,AReq),CSP2C) �

statec(2,C, [SP, . . . ,CC2IdP])send2(C,...,CC2IdP)−−−−−−−−−−−→

statec(3,C, [Areq,SP, . . . ,CC2IdP]) �

sent (C,C,IdP,hReq(get,IdP,AReq),CC2IdP)


Horn Clauses


BPMNConnector

granted(A,T)grant(A,R,T)←−−−−−−−− ua(A,R),pa(R,T)


Behaviour of Principals


Security Protocol

Connector

Property LTL Formulaprogress(a, r , j) G ∀(stater (j ,a,ES)⇒F¬stater (j ,a,ES))availability(a, c) G ∀(rcvd(a,P,M, c)⇒F¬rcvd(a,P,M, c))


Formal modeling of the Intruder

MI = (MDY‖MI′)

MDY = 〈∅,RDY ,HDY , ∅〉

RDY : ability to overhear, divert, and intercept messagesHDY : inferential capabilities, e.g., the ability to decrypt messageswhen the key used for encryption is known to the intruder as wellas that to forge new messages.

MI′ = 〈II′ ,RI′ ,HI′ , CI′〉

II′ : initial knowledge in the scenario considered,RI′ and HI′ : domain specific behaviors of the intruder, andCI′ : constrains the otherwise allowed behaviors.


Formal modeling of the Intruder (Examples)

MI′ = 〈II′ ,RI′ ,HI′ , CI′〉Security APIConnector

Java method C Decrypt:

ik (crypt(K,R)) �ik (hand(N,inv(K))) �

attrs(KeyAttrs) �contains(attr(decrypt,true,N),KeyAttrs)

decrypt key asym(KeyAttrs,K,R,N)−−−−−−−−−−−−−−−−−−−−−−−→ ik(R) �LHS

MI′ = 〈II′ ,RI′ ,HI′ , CI′〉Security Protocol

ConnectorProperty LTL Formula

confidential to(c,p) G ∀(rcvd(A,B,M, c)⇒A = p)authentic on(c,p) G ∀(sent(RS,A,B,M, c)⇒(A = p∧RS = p))

weakly confidential(c) G ∀((rcvd(A,B,M, c) ∧Frcvd(A′,B′,M ′, c))⇒A = A′)

resilient(c) G ∀(sent(RS,A,B,M, c)⇒Frcvd(B,A,M, c))


Security Goals

MS‖MI |= G

Complex properties involving temporal operators and first-orderquantifiers:

For instance, a fair exchange goal: Security Protocol

Connector

G∀nO.∀nR.(hasvc(r , txt ,nO,nR)⇒F ∃nR.hasvc(o, txt ,nO,nR))

stating that if an agent r has a valid contract, then we ask o topossess a valid contract relative to the same contractual text txtand secret commitment nO.Separation of duty property SoD3 BPMN

ConnectorG ∀(executed(A,approve travel)⇒

G¬executed(A,approve budget))

This goal states that if an agent A has executed the taskapprove travel then he should not execute the taskapprove budget.


Outline

1 Introduction




5 Conclusions


SAT-based Model Checking of Security-criticalSystems

SATMC

ASLanSpecification

OutputFormat

MiniSAT

NuSMV

SATMC: fully automatic security-critical systems analyser. Itreduces the security problem to propositional satisfiabilityproblems (SAT).Fruitful combination of

SAT-reduction techniques developed for AI-planningBounded model-checking techniques for reactive systems


SATMC Internals

DY Attacker(MDY )

G MI′ MS kmax

ModelEncoding

SATMC

Planning GraphGenerator

GoalGrounding

PLTL2SAT(NuSMV)

SAT Solver(MiniSAT)&

C

I R HM ′ =〈I,R,H, ∅〉

Φk

[[C⇒G]]k

[[M ′]]k

Output Format

Every truth-value assignment satisfying Φk corresponds to acounterexample of M |= G of length k and vice versa


DY Attacker module

DY Attacker(MDY )

G MI′ MS kmax

ModelEncoding

SATMC


GoalGrounding

PLTL2SAT(NuSMV)


C

I R HM ′ =〈I,R,H, ∅〉

Φk

[[C⇒G]]k

[[M ′]]k

Output Format

Optimizing transformations on MS‖MDY .Produce a model MS-DY which is easier to analyze than (yetequivalent to) MS‖MDY .computes and yields the model MS-DY‖MI′ which is equivalent toMS‖MI with MI = (MDY‖MI′).

Thus the problem of checking whether MS‖MDY‖MI′ |= G is reduced tochecking whether MS-DY‖MI′ |= G.


Model Encoding and Planning Graph Generator

I(f 0,hc0) ∧∧k−1

i=0 Ti(f i ,ρi ,hci , f i+1,hci+1)

DY Attacker(MDY )

G MI′ MS kmax

ModelEncoding

SATMC


GoalGrounding

PLTL2SAT(NuSMV)


C

I R HM ′ =〈I,R,H, ∅〉

Φk

[[C⇒G]]k

[[M ′]]k

Output Format

Idea: Use knowledge about the initial state to simplify the Tk ’s.Approach: Propagate information provided by the initial state forbuilding a finite over-approximation of the forward search tree.

Linear Encoding

T T T

I

T

G

Graphplan-based encoding [2,3]

I

G

T T2 T1 3T0

[1] H. Kautz, H. McAllester, and B. Selman. Encoding Plans in Propositional Logic (KR’96)[2] A. Blum, and M. Furst. Fast Planning through Planning Graph Analysis (IJCAI’95)[3] H. Kautz, and B. Selman. Unifying SAT-based and Graph-based Planning (IJCAI’99)


Grounding First-order LTL Formulae

DY Attacker(MDY )

G MI′ MS kmax

ModelEncoding

SATMC


GoalGrounding

PLTL2SAT(NuSMV)


C

I R HM ′ =〈I,R,H, ∅〉

Φk

[[C⇒G]]k

[[M ′]]k

Output Format

Planning graphs are also key to turn any first-order LTL formula ψ intoa propositional LTL formula ψ0 such that if π is an execution path of M ′

with k or less states that violates ψ0, then π violates also ψ, and viceversa.

Goal Grounding: reduce the BMC problem for any first-order LTLformula ψ to the BMC for a propositional LTL formula ψ0

PLTL2SAT: reduction to SAT by using the techniques available inthe literature (functionalities currently given by the NuSMV modelchecker, used as a plugin by SATMC)


Outline

1 Introduction




5 Conclusions


Conclusions

SATMC 3.0: SAT-based Model Checker for security-criticalsystemsProblem: determine the existence of an attack of bounded lengthviolating a given security goalSuccessfully combines techniques:

from AI planning andfor the analysis of reactive systems

to reduce the problem to SATSATMC supports the specification of security policies as Hornclauses and of security assumptions and goals as first-order LTLformulae.Its flexibility and effectiveness is demonstrated by:

successful usage within three industrial relevant applicationdomains (security protocols, business processes, and securityAPIs)integration within a number of research prototypes andindustrial-strength tools.


SATMC: a SAT-based Model Checker for Security-critical Systems · SATMC is a SAT-based bounded...

Documents

Transcript of SATMC: a SAT-based Model Checker for Security-critical Systems · SATMC is a SAT-based bounded...