part 2 finding protocol flaws with symbolic analysis the
play

Part 2: Finding Protocol Flaws with Symbolic Analysis The - PowerPoint PPT Presentation

Mar 02, 2023 •274 likes •1.32k views

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using encryption for authentication in large networks of computers (CACM 1978) , Needham and Schroeder didnt just initiate a field that led to widely

  1. Secure RPC Protocol: Encrypt-Then-Sign Encrypt messages with recipient’s public key Sign the ciphertexts with the sender’s private key A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Does this ensure message integrity? sender authentication? Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 9 / 66

  2. Secure RPC Protocol: Replay Attacks A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) What if request = “Transfer 1000EUR to O ”? O ( A ) � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) O ( A ) � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) O ( A ) � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) We can prevent such replays by incorporating a challenge-response nonce, or a timestamp, or both. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 10 / 66

  3. Secure RPC Protocol: Response confidentiality Suppose request contains the login/password for A ’s account Suppose response is A ’s current bank statement Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 11 / 66

  4. Secure RPC Protocol: Response confidentiality Suppose request contains the login/password for A ’s account Suppose response is A ’s current bank statement Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) No! We show a man-in-the-middle attack Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 11 / 66

  5. Protocol 2: Man-in-the-middle Attack Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Suppose O intercepts A ’s request to B A � ! O ( B ) : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 12 / 66

  6. Protocol 2: Man-in-the-middle Attack Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Suppose O intercepts A ’s request to B A � ! O ( B ) : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) Then O replaces the signature with its own and forwards it O � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( O ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 12 / 66

  7. Protocol 2: Man-in-the-middle Attack Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Suppose O intercepts A ’s request to B A � ! O ( B ) : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) Then O replaces the signature with its own and forwards it O � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( O ) B thinks that this request came from O and responds with: B � ! O : { response } pk ( O ) , sig {{ response } pk ( O ) } sk ( B ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 12 / 66

  8. Protocol 2: Man-in-the-middle Attack Does protocol 2 keep response confidential? A � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B � ! A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Suppose O intercepts A ’s request to B A � ! O ( B ) : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) Then O replaces the signature with its own and forwards it O � ! B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( O ) B thinks that this request came from O and responds with: B � ! O : { response } pk ( O ) , sig {{ response } pk ( O ) } sk ( B ) Hence O obtains the secret response (bank statement of A ) Exercise: Fix the protocol to protect response confidentiality Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 12 / 66

  9. Finding Attacks Systematically Both attacks above are symbolic attacks that exploit logical flaws. How can we be confident that there are no other logical flaws? Can we formally prove that the protocol satisfies its security goals against all symbolic attackers? To precisely state and prove such security theorems about cryptographic protocols, we need to move to a more formal setting. What does A � ! B : m mean? It specifies the message but now what A and B must do How do we specify security goals? How do we encode the threat model? Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 13 / 66

  10. Formal Syntax and Semantics of ProVerif Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 14 / 66

  11. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  12. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  13. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  14. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  15. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  16. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  17. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  18. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) let x = g ( M 1 , . . . , M n ) in P else Q destructor application Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  19. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) let x = g ( M 1 , . . . , M n ) in P else Q destructor application if M = N then P else Q conditional Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  20. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) let x = g ( M 1 , . . . , M n ) in P else Q destructor application if M = N then P else Q conditional P | Q parallel composition Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  21. ProVerif Syntax: a process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . M , N , O ::= Messages x , y , z variables a , b , c names f ( M 1 , . . . , M n ) constructor application Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) let x = g ( M 1 , . . . , M n ) in P else Q destructor application if M = N then P else Q conditional P | Q parallel composition ! P replication Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 15 / 66

  22. Constructors and destructors Two kinds of operations: Constructors f are used to build terms f ( M 1 , . . . , M n ) Destructors g manipulate terms let x = g ( M 1 , . . . , M n ) in P else Q Destructors are defined by rewrite rules g ( N 1 , . . . , N n ) ! N . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 16 / 66

  23. Examples of constructors and destructors Shared-key encryption: { M } K ; one decrypts with the key K Constructor: Shared-key encryption enc ( M , K ) . Destructor: Decryption dec ( M 0 , K ) dec ( enc ( x , y ) , y ) ! x . Perfect encryption assumption: one can decrypt only if one has the key. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 17 / 66

  24. Examples of constructors and destructors (continued) One-way hash function: Constructor: One-way hash function H ( M ) . Very idealized model of a hash function (essentially corresponds to the random oracle model). Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 18 / 66

  25. Examples of constructors and destructors (continued) Tuples: Constructor: tuple ( M 1 , . . . , M n ) . Destructors: projections i th ( M ) i th (( x 1 , . . . , x n )) ! x i Tuples are used to represent all kinds of data structures in protocols. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 19 / 66

  26. Example: The Denning-Sacco protocol Message 1. A ! B : {{ k } sk A } pk B k fresh Message 2. B ! A : { s } k new sk A ; new sk B ; let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk B ); . ( A ) ! in ( c , x _ pk B ); new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in ( B ) | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 20 / 66

  27. Exercise: The Needham-Schroeder public-key protocol Exercise Model the following protocol: Message 1. A ! B { N a , A } pk B N a fresh Message 2. B ! A { N a , N b } pk A N b fresh Message 3. A ! B { N b } pk B Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 21 / 66

  28. Formal Semantics Semantic configurations are E , P where E is a set of names P is a multiset of processes Intuitively, E , P where E = { a 1 , . . . , a n } and P = { P 1 , . . . , P m } corresponds to new a 1 ; . . . new a n ; ( P 1 | . . . | P m ) Initial configuration for P : fn ( P ) , { P } . The semantics is defined by reduction E , P ! E 0 , P 0 : the execution of the configuration is modeled by transforming it into another configuration. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 22 / 66

  29. Formal Semantics: reduction relation E , P [ { 0 } ! E , P (Red Nil) E , P [ { ! P } ! E , P [ { P , ! P } (Red Repl) E , P [ { P | Q } ! E , P [ { P , Q } (Red Par) E , P [ { new a ; P } ! E [ { a 0 } , P [ { P { a 0 / a } } (Red Res) where a 0 / 2 E . E , P [ { out ( N , M ); . Q , in ( N , x ) . P } ! E , P [ { Q , P { M / x } } (Red I/O) E , P [ { let x = g ( M 1 , . . . , M n ) in P else Q } ! E , P [ { P { M 0 / x } } if g ( M 1 , . . . , M n ) ! M 0 (Red Destr 1) E , P [ { let x = g ( M 1 , . . . , M n ) in P else Q } ! E , P [ { Q } if there exists no M 0 such that g ( M 1 , . . . , M n ) ! M 0 (Red Destr 2) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 23 / 66

  30. Example: Denning-Sacco Execution with Adversary { c } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); | new sk A ; new sk B ; let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk B ); . ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); ) } A benign adversary (the first process) reads the public keys of A and B and sends a message on c to initiate a new session from A to B . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 24 / 66

  31. Example (2): generate keys ! { c } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , new sk A ; new sk B ; let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk B ); . ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 25 / 66

  32. Example (2): generate keys ! { c } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , new sk A ; new sk B ; let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk B ); . ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 25 / 66

  33. Example (3): generate keys ! ⇤ { c , sk A , sk B } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 26 / 66

  34. Example (3): generate keys ! ⇤ { c , sk A , sk B } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , let pk A = pk ( sk A ) in let pk B = pk ( sk B ) in out ( c , pk A ); . out ( c , pk ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk A ) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 26 / 66

  35. Example (4) ! ⇤ { c , sk A , sk B } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , out ( c , pk ( sk A )); . out ( c , pk ( sk B )); . ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 27 / 66

  36. Example (4) ! ⇤ { c , sk A , sk B } , { in ( c , x pk A ) . in ( c , x pk B ) . out ( c , x pk B ); , out ( c , pk ( sk A )); . out ( c , pk ( sk B )); . ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 27 / 66

  37. Example (5) ! ⇤ { c , sk A , sk B } , { out ( c , pk ( sk B )); , ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 28 / 66

  38. Example (5) ! ⇤ { c , sk A , sk B } , { out ( c , pk ( sk B )); , ( ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in | let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 28 / 66

  39. Example (6) ! { c , sk A , sk B } , { out ( c , pk ( sk B )); , ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 29 / 66

  40. Example (6) ! { c , sk A , sk B } , { out ( c , pk ( sk B )); , ! in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 29 / 66

  41. Example (7) ! { c , sk A , sk B } , { out ( c , pk ( sk B )); , in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 30 / 66

  42. Example (7) ! { c , sk A , sk B } , { out ( c , pk ( sk B )); , in ( c , x _ pk B ) . new k ; out ( c , penc ( sign ( k , sk A ) , x _ pk B )); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 30 / 66

  43. Example (8) ! { c , sk A , sk B } , { new k ; out ( c , penc ( sign ( k , sk A ) , pk ( sk B ))); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 31 / 66

  44. Example (8) ! { c , sk A , sk B } , { new k ; out ( c , penc ( sign ( k , sk A ) , pk ( sk B ))); . in ( c , x ) . let s = dec ( x , k ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 31 / 66

  45. Example (9) ! { c , sk A , sk B , k 0 } , out ( c , penc ( sign ( k 0 , sk A ) , pk ( sk B ))); . { in ( c , x ) . let s = dec ( x , k 0 ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 32 / 66

  46. Example (9) ! { c , sk A , sk B , k 0 } , out ( c , penc ( sign ( k 0 , sk A ) , pk ( sk B ))); . { in ( c , x ) . let s = dec ( x , k 0 ) in 0 , ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . let y 0 = pdec ( y , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 32 / 66

  47. Example (10) ! ⇤ { c , sk A , sk B , k 0 } , { in ( c , x ) . let s = dec ( x , k 0 ) in 0 , ! in ( c , x _ pk B ) . . . . , let y 0 = pdec ( penc ( sign ( k 0 , sk A ) , pk ( sk B )) , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 33 / 66

  48. Example (10) ! ⇤ { c , sk A , sk B , k 0 } , { in ( c , x ) . let s = dec ( x , k 0 ) in 0 , ! in ( c , x _ pk B ) . . . . , let y 0 = pdec ( penc ( sign ( k 0 , sk A ) , pk ( sk B )) , sk B ) in let k = checksign ( y 0 , pk ( sk A )) in out ( c , enc ( s , k )); ) ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 33 / 66

  49. Example (11) ! ⇤ { c , sk A , sk B , k 0 } , in ( c , x ) . let s = dec ( x , k 0 ) in 0 , { ! in ( c , x _ pk B ) . . . . , out ( c , enc ( s , k 0 ));) ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 34 / 66

  50. Example (11) ! ⇤ { c , sk A , sk B , k 0 } , in ( c , x ) . let s = dec ( x , k 0 ) in 0 , { ! in ( c , x _ pk B ) . . . . , out ( c , enc ( s , k 0 ));) ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 34 / 66

  51. Example (12) ! { c , sk A , sk B , k 0 } , let s = dec ( enc ( s , k 0 ) , k 0 ) in 0 , { ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 35 / 66

  52. Example (12) ! { c , sk A , sk B , k 0 } , let s = dec ( enc ( s , k 0 ) , k 0 ) in 0 , { ! in ( c , x _ pk B ) . . . . , ! in ( c , y ) . . . . } Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 35 / 66

  53. Symbolic Adversary The protocol is executed in parallel with an adversary. The adversary can be any process. S = finite set of names (initial knowledge of the adversary). Definition The closed process Q is an S -adversary , fn ( Q ) ✓ S . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 36 / 66

  54. Symbolic Secrecy Intuitive definition The secret M cannot be output on a public channel Definition A trace T = E 0 , P 0 ! ⇤ E 0 , P 0 outputs M if and only if T contains a reduction E , P [ { out ( c , M ); . Q , in ( c , x ) . P } ! E , P [ { Q , P { M / x } } for some E , P , x , P , Q , and c 2 S . Definition The closed process P preserves the secrecy of M from S , 8 S -adversary Q , 8 T = fn ( P ) [ S , { P , Q } ! ⇤ E 0 , P 0 , T does not output M . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 37 / 66

  55. Verification with ProVerif Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 38 / 66

  56. Verifying protocols in the symbolic model Compute the set of all terms that the attacker can obtain. This set is infinite: The attacker can generate messages of unbounded size. The number of sessions of the protocol is unbounded. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 39 / 66

  57. Verification Complexity Bounded messages and number of sessions ) finite state Model checking: FDR [Lowe, TACAS’96] Bounded number of sessions but unbounded messages ) insecurity is typically NP-complete Constraint solving: Cl-AtSe, integrated in AVISPA Extensions of model checking: OFMC, integrated in AVISPA Unbounded messages and number of sessions ) the problem is undecidable Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 40 / 66

  58. Solutions to undecidability Rely on user interaction Interactive theorem proving, Isabelle [Paulson, JCS’98] Use approximations Abstract interpretation [Monniaux, SCP’03], TA4SP integrated in AVISPA Typing [Abadi, JACM’99], [Gordon, Je ff rey, CSFW’02] (Sometimes also relies on type annotations by the user.) Allow non-termination ProVerif uses approximations and allows non-termination. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 41 / 66

  59. ProVerif ProVerif is a verifier for cryptographic protocols Fully automatic For an unbounded number of sessions and an unbounded message size Undecidable problem ) need for abstractions Handles a wide range of cryptographic primitives, defined by rewrite rules or equations Proves various security properties: secrecy, correspondences, some equivalences Does not always terminate and is not complete. In practice: E ffi cient: small examples verified in less than 0.1 s; complex ones in a few minutes. Very precise: no false attack in our tests for secrecy and authentication. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 42 / 66

  60. How ProVerif Works Two ideas (extending [Weidenbach, CADE’99]): a simple abstract representation of protocols, by a set of Horn clauses; an e ffi cient resolution algorithm to find which facts can be derived from these clauses. Using these ideas, we can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 43 / 66

  61. Protocol representation as horn clauses Messages terms M ::= x | f ( M 1 , . . . , M n ) | k [ M 1 , . . . , M n ] penc ( c 0 , pk ( sk A )) . Properties facts F ::= attacker ( M ) . Protocol, attacker Horn clauses F 1 ^ . . . ^ F n ) F attacker ( m ) ^ attacker ( pk ) ) attacker ( penc ( m , pk )) . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 44 / 66

  62. Example - Cryptographic primitives Public-key encryption: Encryption penc ( m , pk ) . attacker ( m ) ^ attacker ( pk ) ) attacker ( penc ( m , pk )) Public key generation pk ( sk ) . (builds a public key from a secret key) attacker ( sk ) ) attacker ( pk ( sk )) Decryption pdec ( penc ( m , pk ( sk )) , sk ) ! m . attacker ( penc ( m , pk ( sk ))) ^ attacker ( sk ) ) attacker ( m ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 45 / 66

  63. Initial knowledge Clauses that represent the initial knowledge of the adversary: attacker ( M ) if the adversary knows M . Example For the Denning-Sacco protocol: attacker ( pk ( sk A )) attacker ( pk ( sk B )) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 46 / 66

  64. Names Normally, fresh names are created each time the protocol is run. Here, we only distinguish two names when they are created after receiving di ff erent messages. Each name k becomes a function of the messages previously received: k [ M 1 , . . . , M n ] . (Skolemisation) These functions can only be applied by the principal that creates the name, not by the attacker. The attacker can create his own fresh names: attacker ( b [ ]) . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 47 / 66

  65. Denning-Sacco protocol A ! B : {{ k } sk A } pk B k fresh A talks to any principal represented by its public key pk ( x ) . A sends to it the message {{ k } sk A } pk ( x ) . attacker ( pk ( x )) ) attacker ( penc ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x ))) . B ! A : { s } k B has received a message {{ y } sk A } pk B . B sends { s } y . attacker ( penc ( sign ( y , sk A [ ]) , pk ( sk B [ ]))) ) attacker ( enc ( s , y )) . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 48 / 66

  66. General coding of a protocol If a principal A has received the messages M 1 , . . . , M n and sends the message M , attacker ( M 1 ) ^ . . . ^ attacker ( M n ) ) attacker ( M ) . Exercise Give Horn clauses for the Needham-Schroeder public key protocol: Message 1. A ! B { N a , A } pk B N a fresh Message 2. B ! A { N a , N b } pk A N b fresh Message 3. A ! B { N b } pk B Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 49 / 66

  67. Approximations The freshness of nonces is partially modeled. The number of times a message appears is ignored, only the fact that is has appeared is taken into account. The state of the principals is not fully modeled. These approximations are keys for an e ffi cient verification. Solve the state space explosion problem. No limit on the number of runs of the protocols. ) essential for the certification of protocols. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 50 / 66

  68. Secrecy Secrecy criterion If attacker ( M ) cannot be derived from the clauses, then M is secret. The term M cannot be built by an attacker. The resolution algorithm will determine whether a given fact can be derived from the clauses. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 51 / 66

  69. Authenticity Authenticity means: if A thinks he talks to B then he really talks to B . Authenticity can be defined by correspondence assertions [Woo and Lam, Oakland’93]: If A executes e A ( B ) ( A thinks he talks to B ), then B must have executed e B ( A ) ( B has started a run with A ). Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 52 / 66

  70. Correspondences: events Events record that some program point has been reached, with certain values of the variables. Syntax: P , Q ::= processes . . . event ( M ) . P event Semantics: E , { event ( M ) . P } [ P ! E , { P } [ P (Red Event) An S -adversary does not contain events. Definition A trace T = E 0 , P 0 ! ⇤ E 0 , P 0 executes event ( M ) if and only if T contains a reduction E , P [ { event ( M ) . P } ! E , P [ { P } for some E , P , P . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 53 / 66

  71. Correspondences Intuitive definition If event ( M ) has been executed then event ( M 1 ) , . . . event ( M n ) have been executed Definition The closed process P 0 satisfies the correspondence l ^ event ( M ) event ( M k ) k = 1 with respect to S -adversaries if and only if, for any S -adversary Q , for any E 0 containing fn ( P 0 ) [ S [ fn ( M ) [ S k fn ( M k ) , for any substitution σ , for any trace T = E 0 , { P 0 , Q } ! ⇤ E 0 , P 0 , if T executes σ event ( M ) , then there exists σ 0 such that σ 0 M = σ M and, for all k 2 { 1 , . . . , l } , T executes event ( σ 0 M k ) as well. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 54 / 66

  72. Analyzing TLS 1.3 with ProVerif Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 55 / 66

  73. Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Why did we need a new protocol? Security: remove broken legacy crypto constructions E ffi ciency: reduce handshake roundtrip latency 0-RTT when the client and server have a pre-shared key 0.5-RTT Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 56 / 66

  74. Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Why did we need a new protocol? Security: remove broken legacy crypto constructions E ffi ciency: reduce handshake roundtrip latency 0-RTT when the client and server have a pre-shared key 0.5-RTT These are potentially contradictory goals Needs extensive security analysis before deployment! The IETF called for academics to formally analyze the protocol drafts. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 56 / 66

  75. Symbolic analysis to find downgrade (and other) attacks Recent attacks on legacy crypto in TLS: RC4 Keystream biases [Mar’13] Lucky13 MAC-Encode-Encrypt CBC [Mar’13] POODLE SSLv3 MAC-Encode-Encrypt [Dec’14] FREAK Export-grade 512-bit RSA [Mar’15] LOGJAM Export-grade 512-bit DH [May’15] SLOTH RSA-MD5 signatures [Jan’16] DROWN SSLv2 PSA-PKCS#1v1.5 Enc [Mar’16] Legacy crypto remains in TLS libraries for backwards compatibility. Is TLS 1.3 secure, if it is deployed alongside older versions of TLS? Can a man-in-the-middle downgrade TLS 1.3 peers to use legacy crypto? Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 57 / 66

  76. Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 58 / 66

  77. Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks e.g. a weak Di ffi e-Hellman group behaves like a trivial 1-element group fun dh_ideal ( element , b i t s t r i n g ) : element . equation f o r a l l x : b i t s t r i n g , y : b i t s t r i n g ; dh_ideal ( dh_ideal (G, x ) , y ) = dh_ideal ( dh_ideal (G, y ) , x ) . fun dh_exp ( group , element , b i t s t r i n g ) : element reduc f o r a l l g : group , e : element , x : b i t s t r i n g ; dh_exp (WeakDH, e , x ) = BadElement otherwise f o r a l l g : group , e : element , x : b i t s t r i n g ; dh_exp ( StrongDH , BadElement , x ) = BadElement otherwise f o r a l l g : group , e : element , x : b i t s t r i n g ; dh_exp ( StrongDH , e , x ) = dh_ideal ( e , x ) . Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 58 / 66

  78. Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks e.g. a weak Di ffi e-Hellman group behaves like a trivial 1-element group Similarly, we model strong and weak authenticated encryption, hash functions, MACs, RSA encryption and signatures. Our model is overly conservative, it may not indicate real exploits Our goal is to verify TLS 1.3 against future attacks on legacy crypto Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 59 / 66

  79. Modeling TLS 1.3 in ProVerif Key Derivation Functions: HKDF-Extract ( k , s ) = HMAC-H k ( s ) Client C Server S hkdf-expand-label 1 ( s , l , h ) = HMAC-H s ( len H () k “ TLS 1 . 3 , ” k l k h k 0x01 ) Long-term Keys: ( sk C , pk C ) Long-term Keys: ( sk S , pk S ) Derive-Secret ( s , l , m ) = ClientHello ( n C , o ff er C [( G , g x ) , G 0 ]) hkdf-expand-label 1 ( s , l , H ( m )) RetryRequest ( G 0 ) TLS 1.3 1-RTT handshake 1-RTT Key Schedule: Generates x 0 and computes: Generates y and computes: es = kdf 0 es = kdf 0 kdf 0 = HKDF-Extract ( 0 len H () , 0 len H () ) 12 messages in 3 flights, ClientHello ( n C , o ff er 0 C [ G 0 , g x 0 ]) kdf hs ( es , e ) = HKDF-Extract ( es , e ) kdf ms ( hs , log 1 ) = ms , k h c , k h s , k m c , k m s where Chooses parameters: 16 derived keys, mode S = ( TLS1.3 , DHE ( G 0 ) , H () , enc ()) ms = HKDF-Extract ( hs , 0 len H () ) ServerHello ( n S , mode S [ G 0 , g y ]) hts c = Derive-Secret ( hs , hts c , log 1 ) log 1 log 1 then data exchange hts s = Derive-Secret ( hs , hts s , log 1 ) Computes: Computes: hs = kdf hs ( es , g x 0 y ) hs = kdf hs ( es , g x 0 y ) k h c = hkdf-expand-label ( hts c , key , “" ) ms , k h c , k h s , k m c , k m s = kdf ms ( hs , log 1 ) ms , k h c , k h s , k m c , k m s = kdf ms ( hs , log 1 ) k m + PSK-based 0-RTT c = hkdf-expand-label ( hts c , finished , “" ) enc k h s ( Extensions ( . . . )) enc k h s ( CertRequest ( . . . )) k h s = hkdf-expand-label ( hts s , key , “" ) enc k h s ( Certificate ( pk S )) log 2 log 2 k m s = hkdf-expand-label ( hts s , finished , “" ) + TLS 1.2 enc k h s ( CertVerify ( signp sk S ( H ( log 2 )))) log 3 log 3 enc k h s ( Finished ( mac k m s ( H ( log 3 )))) log 4 log 4 kdf k ( ms , log 4 ) = k c , k s , ems where ats c = Derive-Secret ( ms , ats c , log 4 ) Computes: Computes: Agile Crypto: ⇠ 400 lines k c , k s , ems = kdf k ( ms , log 4 ) k c , k s , ems = kdf k ( ms , log 4 ) ats s = Derive-Secret ( ms , ats s , log 4 ) enc k h c ( Certificate ( pk C )) log 5 log 5 ems = Derive-Secret ( ms , ems , log 4 ) enc k h c ( CertVerify ( signp sk C ( H ( log 5 )))) log 6 log 6 enc k h c ( Finished ( mac k m c ( H ( log 6 )))) k c = hkdf-expand-label ( ats c , key , “" ) TLS models: ⇠ 500 lines log 7 log 7 k s = hkdf-expand-label ( ats s , key , “" ) Computes: Computes: psk 0 = kdf psk ( ms , log 7 ) psk 0 = kdf psk ( ms , log 7 ) kdf psk ( ms , log 7 ) = psk 0 where cid = ems or psk 0 or H ( log 7 ) cid = ems or psk 0 or H ( log 7 ) Modeling is easy, psk 0 = Derive-Secret ( ms , rms , log 7 ) New client session: New server session: PSK-based Key Schedule: C = C ] cid 7! ( o ff er C , mode S , S = S ] cid 7! ( o ff er C , mode S , verification takes e ff ort kdf es ( psk ) = es , k b where pk C , pk S , pk C , pk S , k c , k s , ems , psk 0 ) k c , k s , ems , psk 0 ) enc k c ( Data ( m 1 )) es = HKDF-Extract ( 0 len H () , psk ) enc k s ( Data ( m 2 )) k b = Derive-Secret ( es , pbk , “" ) Application Data Stream: Application Data Stream: kdf 0RTT ( es , log 1 ) = k c where cid cid C ! S : m 1 , m 2 , . . . C ! S : m 1 , m 2 , . . . ets c = Derive-Secret ( es , ets c , log 1 ) k c = hkdf-expand-label ( ets c , key , “" ) Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 60 / 66

  80. Writing and verifying security goals We state security queries for data sent between honest users Secrecy: messages between honest peers are unknown to an adversary Authenticity: messages between honest peers cannot be tampered Replay prevention: messages between honest peers cannot be replayed Forward secrecy: secrecy holds even if the peers’ long-term keys are leaked after the session is complete Secrecy query for msg ( conn , S ) sent from anonymous C to server S query attacker ( msg ( conn , S )) = ) false Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 61 / 66

  81. Refining security queries QUERY: is msg ( conn , S ) secret? query attacker ( msg ( conn , S )) = ) false FALSE: ProVerif finds a counterexample if S ’s private key is compromised. Karthikeyan Bhargavan (INRIA) Finding Attacks with Symbolic Analysis February 2018 62 / 66

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St ephanie Delaune, Denis Lugiez & Ralf Treinen)

983 views • 33 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

1.34k views • 118 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

589 views • 44 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

1.22k views • 98 slides
Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In Part I of this chapter: Modeling with state machines and

1.8k views • 126 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
Analysis of Key Aspects of Human Capacity Building, Possible Flaws of Public Policy on VET that

Analysis of Key Aspects of Human Capacity Building, Possible Flaws of Public Policy on VET that

1 Analysis of Key Aspects of Human Capacity Building, Possible Flaws of Public Policy on VET that Need to be Addressed Victoria Karbysheva Ministry of Education and Research of Ukraine October, 25,

933 views • 27 slides
Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

ICTAC 2018 15 th International Colloquium on Theoretical Aspects of Computing Stellenbosch, South Africa, Oct 19, 2018 Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable Approach Gennaro Parlato

818 views • 59 slides
Partial Updates: Losing Information for Freshness Melih Ba stop cu and S ennur Uluku s

Partial Updates: Losing Information for Freshness Melih Ba stop cu and S ennur Uluku s

Partial Updates: Losing Information for Freshness Melih Ba stop cu and S ennur Uluku s Department of Electrical and Computer Engineering, University of Maryland, College Park, MD 1 / 16 Motivation In this work, we study the

356 views • 16 slides
Machine Learning and Data Mining Collaborative Filtering & Recommender Systems Kalev Kask

Machine Learning and Data Mining Collaborative Filtering & Recommender Systems Kalev Kask

+ Machine Learning and Data Mining Collaborative Filtering & Recommender Systems Kalev Kask Recommender systems Automated recommendations Inputs User information Situation context, demographics, preferences, past ratings

560 views • 28 slides
Collabora've Filtering Jay Urbain, Ph.D. Electrical Engineering and

Collabora've Filtering Jay Urbain, Ph.D. Electrical Engineering and

Collabora've Filtering Jay Urbain, Ph.D. Electrical Engineering and Computer Science Department Milwaukee School of Engineering Credits: See last page with

957 views • 51 slides
An Introduction to Student Devices Information for Parents Why devices for students? Connect

An Introduction to Student Devices Information for Parents Why devices for students? Connect

An Introduction to Student Devices Information for Parents Why devices for students? Connect students to tools, information, and resources - at school and at home Support development of important competencies How will students be

509 views • 3 slides
Power Generators Presented by Samson Yu School of Electrical and Electronic Engineering (EECE),

Power Generators Presented by Samson Yu School of Electrical and Electronic Engineering (EECE),

Dynamic State Estimation of Power Generators Presented by Samson Yu School of Electrical and Electronic Engineering (EECE), University of Western Australia (UWA) 0. . Motivations Future grids: A seamless, cost-effective electricity

424 views • 21 slides
Large Scale Wind Power Investments Impact on Wholesale Electricity Market mer Karaduman MIT

Large Scale Wind Power Investments Impact on Wholesale Electricity Market mer Karaduman MIT

Large Scale Wind Power Investments Impact on Wholesale Electricity Market mer Karaduman MIT Economics, Stanford Bits & Watts Contact: omerk@mit.edu https://www.dropbox.com/s/ho5m3878mnzcztf/WoodNov10_karaduman.mp4?dl=0 For attendees:

290 views • 8 slides
Finite-dimensional irreducible modules for an even subalgebra of U q ( sl 2 ) Alison Gordon Lynch

Finite-dimensional irreducible modules for an even subalgebra of U q ( sl 2 ) Alison Gordon Lynch

Finite-dimensional irreducible modules for an even subalgebra of U q ( sl 2 ) Alison Gordon Lynch University of Wisconsin-Madison gordon@math.wisc.edu June 5, 2014 Alison Gordon Lynch (Wisconsin) June 5, 2014 Introduction Fix a field F and

877 views • 28 slides
Device independent quantum random number generation Yang Liu, Qi Zhao, Ming-Han Li, Jian-Yu Guan,

Device independent quantum random number generation Yang Liu, Qi Zhao, Ming-Han Li, Jian-Yu Guan,

University of Science and Technology of China University of Science and Technology of China Device independent quantum random number generation Yang Liu, Qi Zhao, Ming-Han Li, Jian-Yu Guan, Yanbao Zhang, Bing Bai, Weijun Zhang, Wen-Zhao Liu,

276 views • 26 slides

More recommend