extracting and verifying cryptographic models from c
play

Extracting and Verifying Cryptographic Models from C Protocol Code - PowerPoint PPT Presentation

Nov 26, 2022 •247 likes •543 views

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

  1. Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J¨ urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University November 2011 M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  2. The Goal Problem: we often verify formal models of cryptographic protocols, but what we rely on are their implementations. We bridge the gap by extracting high-level (pi calculus) models straight from C code. Support following scenarios: Given a legacy implementation of a protocol, learn what the implementation really does and prove security. When implementing a new protocol make sure that you did so without mistakes. We check trace properties such as authentication and weak secrecy, aiming to be automated and sound. We assume correctness of cryptographic primitives. M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  3. Background Types of properties and languages. Low-Level High-Level Formal (C, Java) (F#) ( π , LySa) • VCC low-level (NULL • Frama-C dereference, N/A N/A • ESC/Java division by zero) • SLAM • CSur • ProVerif high-level • F7/F ∗ • JavaSec • CryptoVerif (secrecy, • ASPIER • fs2pv/fs2cv • AVISPA authentication) • csec-modex • LySatool M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  4. Results Three implementations (1300 LOC) verified in the symbolic model. One of them also verified in the computational model by application of a computational soundness result. Found 3 flaws in a Microsoft Research implementation of a smart metering protocol (1000 LOC) (all fixed now). Metering flaw: unsigned char s e s s i o n k e y [256 / 8 ] ; . . . e n c r y p t e d r e a d i n g = (( unsigned i n t ) ∗ s e s s i o n k e y ) ˆ ∗ r e a d i n g ; Extracted model: let msg3 = (hash2 { 0, 1 } castTo ”unsigned int”) ⊕ reading1 in ... M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  5. Demo Abstract protocol: m, hmac ( m, k AB ) A − − − − − − − − − − − → B. Concrete protocol: len( m ) | 1 | m | hmac (len( m ) | 2 | m, k AB ) A − − − − − − − − − − − − − − − − − − − − − − → B. M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  6. Overview: What Property C source with Models of crypto and specification event annotations environment csec-modex Pi model + verification result Major limitation: So far the symbolic execution only follows a single path in the program. M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  7. Overview: How C source CIL Simple instruction language (CVM) Symbolic Execution Intermediate model language (IML) Message format abstraction Applied pi ProVerif Verification Result M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  8. Correctness (1) Definition (Security of protocols) Given a protocol P , attacker E , trace property ρ , and resource bound t ∈ N let insec( P, E, ρ, t ) be the success probability of E against P with respect to ρ , given resources t . M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  9. Correctness (2) Theorem (Soundness of Model Extraction) For any environment process P E [ · , · ] , attacker E , property ρ , and resource bound t insec( P E [ client . c , server . c ] , E, ρ, t ) ≤ insec( P E [ client . iml , server . iml ] , E, ρ, p 1 ( t )) ≤ insec( P E [ client . pv , server . pv ] , E, ρ, p 2 ( t )) with some fixed polynomials p 1 and p 2 . M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  10. Symbolic Execution: Basic Idea Symbolic execution is a tool to simplify programs and extract their meaning. Concrete: Symbolic: x = 2 y = 3 x = a y = b int f ( int x , int y ) { int f ( int x , int y ) { return ++x ∗ y++; } return ++x ∗ y++; } 9 ( a + 1) b M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  11. Symbolic Execution with Symbolic Lengths (1) Introducing new values: k e y l e n ; void ∗ key ; s i z e t key = malloc (MAX KEY LEN ) ; keygen ( key , &k e y l e n ) ; stack key � ptr(heap 1 , 0) heap 1 � k , for some fresh k stack key len � len( k ) Generate “ ( νk ); ” in the IML model. The way of modelling keys is specified in keygen proxy(). M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  12. Symbolic Execution with Symbolic Lengths (2) Pointer arithmetic: stack len � len( x ) void ∗ msg = malloc ( msg len ) ; void ∗ p = msg + s i z e of ( l e n ) + l e n ; stack msg � ptr(heap 2 , 0) stack p � ptr(heap 2 , 4 + len( x )) M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  13. Symbolic Execution with Symbolic Lengths (3) Writing through pointers: stack p � ptr(heap 2 , 4 + len( x )) heap 2 � len( x ) | x | y Fact: len( y ) = len( k ) xor (p , key , k e y l e n ) ; heap 2 � len( x ) | x | y ⊕ k M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  14. Symbolic Execution with Symbolic Lengths (4) Output: stack msg � ptr(heap 2 , 0) heap 2 � len( x ) | x | y ⊕ k stack msg len � 4 + len( x ) + len( y ) w r i t e (msg , msg len ) ; Generate IML “ out ( len( x ) | x | y ⊕ k );”. M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  15. Symbolic Execution with Symbolic Lengths (5) Extracting a substring: void ∗ buf = malloc (MAX LEN ) ; s i z e t l e n = read ( buf , MAX LEN ) ; f i e l d l e n = ∗ (( s i z e t ∗ ) buf ) ; s i z e t stack field len � x { 0 , 4 } Where x is a fresh variable and we generate IML “ in ( x );”. M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  16. Symbolic Execution with Symbolic Lengths (6) Extracting a substring: stack field len � x { 0 , 4 } void ∗ f i e l d = malloc ( f i e l d l e n ) ; memcpy( f i e l d , buf + s i z eof ( f i e l d l e n ) , f i e l d l e n ) stack field � ptr(heap 3 , 0) heap 3 � x { 4 , x { 0 , 4 }} M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  17. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  18. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; stack len � r 1 len( r 1 ) = 4 in ( r 1 ); M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  19. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; i f ( ( l e n < MAC LEN) | | ( l e n > MAX LEN)) e x i t ( ) ; stack len � r 1 len( r 1 ) = 4 in ( r 1 ); if ¬ (( r 1 < 20) ∨ ( r 1 > 1000)) then M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  20. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; i f ( ( l e n < MAC LEN) | | ( l e n > MAX LEN)) e x i t ( ) ; char ∗ buf = malloc ( l e n + MAC LEN ) ; stack len � r 1 len( r 1 ) = 4 stack buf � ptr(heap 1 , 0) in ( r 1 ); if ¬ (( r 1 < 20) ∨ ( r 1 > 1000)) then M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  21. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; i f ( ( l e n < MAC LEN) | | ( l e n > MAX LEN)) e x i t ( ) ; char ∗ buf = malloc ( l e n + MAC LEN ) ; read ( buf , l e n ) ; stack len � r 1 len( r 1 ) = 4 stack buf � ptr(heap 1 , 0) len( r 2 ) = r 1 heap 1 � r 2 in ( r 1 ); if ¬ (( r 1 < 20) ∨ ( r 1 > 1000)) then in ( r 2 ); M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  22. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; i f ( ( l e n < MAC LEN) | | ( l e n > MAX LEN)) e x i t ( ) ; char ∗ buf = malloc ( l e n + MAC LEN ) ; read ( buf , l e n ) ; hmac( buf , buf + len , l e n ) ; stack len � r 1 len( r 1 ) = 4 stack buf � ptr(heap 1 , 0) len( r 2 ) = r 1 heap 1 � r 2 | hmac ( r 2 ) len( hmac ( r 2 )) = 20 in ( r 1 ); if ¬ (( r 1 < 20) ∨ ( r 1 > 1000)) then in ( r 2 ); M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

  23. Symbolic Execution: Example #d e f i n e MAC LEN 20 #d e f i n e MAX LEN 1000 i n t l e n ; read (&len , s i z e o f ( l e n ) ) ; i f ( ( l e n < MAC LEN) | | ( l e n > MAX LEN)) e x i t ( ) ; char ∗ buf = malloc ( l e n + MAC LEN ) ; read ( buf , l e n ) ; hmac( buf , buf + len , l e n ) ; i f (memcmp( buf , buf + len , MAC LEN) == 0) stack len � r 1 len( r 1 ) = 4 stack buf � ptr(heap 1 , 0) len( r 2 ) = r 1 heap 1 � r 2 | hmac ( r 2 ) len( hmac ( r 2 )) = 20 in ( r 1 ); if ¬ (( r 1 < 20) ∨ ( r 1 > 1000)) then in ( r 2 ); if r 2 { 0 , 20 } = hmac ( r 2 ) then M. Aizatulin Extracting and Verifying Cryptographic Models from C Code

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with Martijn Warnier jesseh@cs.kun.nl University of Nijmegen The Coinductive Approach to Verifying Cryptographic Protocols p.1/27 Outline I.

1.95k views • 184 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John Matthews Galois Connections August 15, 2006 1 Presently at Microsoft. Thanks Rockwell Collins Advanced Technology Center, especially David

655 views • 27 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Three Ways to Argue for Cryptographic Security Cryptanalysis

933 views • 75 slides
Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models

Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models

Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models Susanna Au-Yeung, Jeremy Bradley, Nicholas Dingle, Tony Field, Peter Harrison, William Knottenbelt , Aleksandar Trifunovic, Helen Wilson email: {

663 views • 51 slides
Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

570 views • 24 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise

Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise

Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise Levy-dit-Vehel 1,2 1 LIX &amp; INRIA Saclay, Universit Paris-Saclay 2 ENSTA ParisTech Journes codage &amp; cryptographie 2018, Aussois, France

842 views • 55 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Zero-shot Entity Extraction from Web Pages ACL June 23, 2014 Panupong Pasupat and Percy Liang

Zero-shot Entity Extraction from Web Pages ACL June 23, 2014 Panupong Pasupat and Percy Liang

Zero-shot Entity Extraction from Web Pages ACL June 23, 2014 Panupong Pasupat and Percy Liang Focus: Entity Extraction What are the longest hiking trails near Baltimore ? Data Source hiking trails near Baltimore Avalon Super Loop Patapsco

1.21k views • 73 slides
Chapter 8: Information Extraction (IE) 8.1 Motivation and Overview 8.2 Rule-based IE 8.3 Hidden

Chapter 8: Information Extraction (IE) 8.1 Motivation and Overview 8.2 Rule-based IE 8.3 Hidden

Chapter 8: Information Extraction (IE) 8.1 Motivation and Overview 8.2 Rule-based IE 8.3 Hidden Markov Models (HMMs) for IE 8.4 Linguistic IE 8.5 Entity Reconciliation 8.6 IE for Knowledge Acquisition 8-1 IRDM WS 2005 8.1 Motivation and

1.12k views • 54 slides
Finding, Extracting, and Integrating Data from Maps Craig Knoblock University of Southern

Finding, Extracting, and Integrating Data from Maps Craig Knoblock University of Southern

Finding, Extracting, and Integrating Data from Maps Craig Knoblock University of Southern California and Geosemble Technologies Acknowledgements Finding Maps Joint work with Matthew Michelson, Vipul Verma (IIT IIT Kharagpur), Aman

1.52k views • 125 slides
Using Provenance to Extract Semantic File Attributes Daniel Margo and Robin Smogor Harvard

Using Provenance to Extract Semantic File Attributes Daniel Margo and Robin Smogor Harvard

Using Provenance to Extract Semantic File Attributes Daniel Margo and Robin Smogor Harvard University Semantic Attributes Human-meaningful data adjectives. Applications: Search (Google Desktop, Windows Live) Namespaces (iTunes,

384 views • 20 slides
A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

587 views • 26 slides
` Discovery of Green Fluorescent Protein, GFP Osamu Shimomura Ruins of the Medical College of

` Discovery of Green Fluorescent Protein, GFP Osamu Shimomura Ruins of the Medical College of

` Discovery of Green Fluorescent Protein, GFP Osamu Shimomura Ruins of the Medical College of Nagasaki, 1945 Shigeo Hayashi, 1945 Prof. Shungo Yasunaga (1911-1959) Nagasaki University Prof. Yoshimasa Hirata (1915-2000) Nagoya University

691 views • 33 slides
Application to Electrical Data Jean-Michel Poggi Laboratoire de Mathmatique, Universit

Application to Electrical Data Jean-Michel Poggi Laboratoire de Mathmatique, Universit

19th International Conference on Computational Statistics Paris - France, August 22-27 Empirical Mode Decomposition for Trend Extraction. Application to Electrical Data Jean-Michel Poggi Laboratoire de Mathmatique, Universit dOrsay,

466 views • 44 slides
PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau, Gerard de Melo PhD Candidate, Tsinghua University Visiting Student, Columbia University http://www.larayang.com/ Content Evaluating Summary

575 views • 35 slides

More recommend