StatVerif: Modelling protocols that involve persistent state Mark - - PowerPoint PPT Presentation

StatVerif: Modelling protocols that involve persistent state

Mark D. Ryan University of Birmingham Joint work with Myrto Arapinis, St´ ephanie Delaune, Steve Kremer, Joshua Phillips and Graham Steel 7–8 December 2011

Outline The ProVerif method Protocols with persistent state

The TPM

StatVerif

Verifying cryptographic protocols

“Provable/computational security”

1 Computationally bounded

(polynomial) attacker

2 Exact cryptographic

• perations on bitstrings

3 Bitstring (more concrete)

model

4 Prove difficulty of violating

security property is equivalent to solving a hard problem “Formal/symbolic methods”

1 Idealised (worst case)

attacker

2 Idealised (best case) perfect

cryptography

3 Symbolic (more abstract)

model of protocol

4 Prove impossibility of

violating security property within the model

Attacker model

We model a very powerful attacker, with “Dolev-Yao” capabilities: it completely controls the communication channels, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages. (The network is the attacker.) manipulate data in arbitrary ways, including applying crypto operations provided has the necessary keys. It controls dishonest participants.

“It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today.” - Bruce Schneier

Coding protocols as processes

Original handshake protocol:

let Server = in (ch, pkC’); new k;

• ut (ch, enc(pkC’, sign(skS, k ) ));

in (ch, m); 0.

Handshake protocol S C new k

encpkC (signskS(k))

− − − − − − − − − − − →

senck(s)

← − − − − − − − − − − −

The handshake protocol in full

free ch. (* Public key cryptography *) fun pk/1. fun enc/2. fun dec/2. equation dec(x, enc(pk(x), y) ) = y. (* Signatures *) fun sign/2. fun checksign/2. fun getmess/1. fun ok/0. equation checksign(pk(x), sign(x,y)) = ok. equation getmess(sign(x,y)) = y. (* Shared-key cryptography *) fun senc/2. fun sdec/2. equation sdec(senc(x,y),x) = y.

The handshake protocol in full 2

let Server = in (ch, pkC’); new k;

• ut (ch, enc(pkC’, sign(skS, k ) ));

in (ch, m); 0. let Client = in (ch, pkS’); in (ch, m); let m’ = dec(skC, m) in if checksign(pkS’, m’) = ok then let k’ = getmess(m) in if pkS’ = pkS then

• ut (ch, senc(k’, s)).

Security properties

The applied pi calculus can model the following: Reachability properties (e.g., secrecy) Correspondence assertions (e.g., authentication) Observational equivalence (e.g., strong secrecy; for instance, ballot secrecy; )

Handshake protocol - analysis

S I C

new k new s pkC

← − − − − − − − − − − −

pkM

← − − − − − − − − − − −

encpkM(signskS(k))

− − − − − − − − − − − →

encpkC (signskS(k))

− − − − − − − − − − − →

senck(s)

← − − − − − − − − − − − C publishes her public key I starts a session with S I learns signskS(k) and k I replays signskS(k) in a session with S I is able to output secrect s Adversary process I

in (c, xPK);

• ut (c, pkM);

in (c, y); let sig = decskM(y) in

• ut (c, encxPK(sig));

in (c, z);

• ut (c, sdecgetmsg(sig)(z))

Protocols with persistent state

Persistent state

Agents that have persistent state: Web servers, database servers, . . . Hardware tokens

Smart cards: capabilities, . . . RFID tags: their identity, . . . TPM: PCR values, session nonces, . . . HSM: PIN codes, . . .

Trusted party in contract signing protocols VANETs . . .

The trusted platform module

Digital rights management

u n f

• r

g e a b l e c

• n

f i g u r a t i

• n

r e p

• r

t

Secure environment

Richard Stallman Creator of GNU, Emacs, GCC, GPL, the Free Software Foundation

“With a plan they call trusted computing, large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you.” He calls it “treacherous computing”.

Ross Anderson Professor of Computer Security, University of Cambridge “TC can support remote

• censorship. In its simplest form,

applications may be designed to delete pirated music under remote control.” “In 2010 President Clinton may have two red buttons on her desk -

• ne that sends the missiles to

China, and another that turns off all the PCs in China.” He also talks of commercial bullying, economic warfare and political censorship.

Secure environment

Attestation from cloud

Cloud server

Platform configuration registers

The TPM has 24 platform configuration registers, PCRs. Updating a PCR The command TPM Extend(PCR p, Data x) effects the assignment p := SHA-1(p || x)

StatVerif

StatVerif syntax: processes

P, Q ::= processes

• ut(M, N); P
• utput

in(M, x); P input P | Q parallel composition !P replication new a; P restriction let x = g(M1, . . . , Mn) in P else Q destructor application if M = N then P else Q conditional [s → M] state cell read s as x; P read s := M; P write lock; P begin locked section unlock; P end locked section

Coding processes as Horn clauses: ProVerif

let Server = in (ch, x); new n;

• ut (ch, enc(k, (x,n) ));

attacker:x → attacker:enc(k[], (x,n[x]) );

Coding processes as Horn clauses: StatVerif

let Server = in (ch, x); new n;

• ut (ch, enc(k, (x,n) ));

attacker:x → attacker:enc(k[], (x,n[x]) ); attacker:u,x → attacker:u,enc(k[], (x,n[x]) );

Assignments

let Server = in (ch, x); u := h(u,x); attacker:u,x ∧ attacker:u,y → attacker:h(u,x),y;

The Horn clauses representation

The translation of a StatVerif process generates clauses built around the following two predicates att( ˜ M, N) means that state ˜ M is reachable and in that state the attacker knows the value N; mes( ˜ M, K, N) means that state ˜ M is reachable and in that state the value N is available on channel K.

Attacker clauses: constructors and destructors

The attacker can build new messages by applying any constructor to messages he knows. For each constructor f (M1, . . . , Mn) att(xs, M1) ∧ · · · ∧ att(xs, Mn) → att(xs, f (M1, . . . , Mn)) Asymmetric encryption att(xs, xk) ∧ att(xs, xm) → att(xs, aenc(xk, xm)) The attacker can analyse messages by applying any destructor to messages he knows . For each destructor g(M1, . . . , Mn) → M att(xs, M1) ∧ · · · ∧ att(xs, Mn) → att(xs, M) Asymmetric-key decryption att(xs, xk) ∧ att(xs, aenc(pbk(xk), xm)) → att(xs, xm)

Attacker clauses: public channels

The attacker can send messages on public channels att(xs, xc) ∧ att(xs, xm) → mes(xs, xc, xm) The attacker can eavesdrop on public channels att(xs, xc) ∧ mes(xs, xc, xm) → att(xs, xm)

Attacker clauses: public state cells

Consider the protocol new ˜ m; ([s1 → M1] | · · · | [sn → Mn] | P) The attacker can read from public state cells For all i ∈ {1, . . . , n}

att((xs1, . . . , xsn), si[]) → att((xs1, . . . , xsn), xsi)

The attacker can write to public state cells For all i ∈ {1, . . . , n}

att((xs1, . . . xsi, . . . , xsn), si[])∧ att((xs1, . . . , xsi, . . . , xsn), ysi)∧ mes((xs1, . . . , xsi, . . . , xsn), zc, zm) → mes((xs1, . . . , ysi, . . . , xsn), zc, zm) att((xs1, . . . xsi, . . . , xsn), si[])∧ att((xs1, . . . , xsi, . . . , xsn), ysi)∧ att((xs1, . . . , xsi, . . . , xsn), zm) → att((xs1, . . . , ysi, . . . , xsn), zm)

Protocol clauses

0ρHℓφµ = ∅ Q1 | Q2ρHℓφfalse = Q1ρ Hℓφfalse ∪ Q2ρHℓφfalse !QρHℓφfalse = QρHℓφfalse new a; QρHℓφµ =



Q(ρ ∪ {a → a[ℓ]})Hℓφµ Q(ρ ∪ {a → attn[]})Hℓφµ if a ∈ bn(P)

• therwise

in(M, x); QρHℓφfalse = Q(ρ ∪ {x → x, vs1 → vs1, . . . , vsn → vsn}) H′ (x :: ℓ) φ false where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh and H′ = H ∧ mes(φ0, ρ(M), x) in(M, x); QρHℓφtrue = Q(ρ ∪ {x → x})(H ∧ mes(φ, ρ(M), x))(x :: ℓ)φtrue

• ut(M, N); QρHℓφµ

= {H ⇒ mes(φ, ρ(M), ρ(N))} ∪ QρHℓφµ let x = g(M1, . . . , Mn) in Q1 else Q2ρHℓφµ =

S 

Q1((ρσ) ∪ {x → p′σ′})(Hσ)(ℓσ)(φσ)µ | g(p′ 1, . . . , p′ n) → p′ ∈ def (g) and (σ, σ′) mgus and M1ρσ = p′ 1σ′, . . . , Mnρσ = p′ nσ′

ff

∪ Q2ρHℓφµ if M = N then Q1 else Q2ρHℓφµ = Q1(ρσ)(Hσ)(ℓσ)(φσ)µ ∪ Q2ρHℓφµ where σ = mgu(ρ(M), ρ(N)) lock; QρHℓφfalse = Q(ρ ∪ {vs1 → vs1, . . . , vsn → vsn})Hℓφ0true where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh unlock; QρHℓφtrue = QρHℓφfalse si := M; QρHℓφfalse = Q(ρ ∪ {vs1 → vs1, . . . , vsn → vsn, vc → vc, vm → vm})Hℓφfalse ∪{H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)} ∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)} where φ0 = (vs1, . . . , vsi−1, vsi , vsi+1, . . . , vsn), and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn) with vs1, . . . , vsn, vc, vm fresh si := M; QρHℓφtrue = Q(ρ ∪ {vc → vc, vm → vm})Hℓφ′true ∪{H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)} ∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)} where φ = (M1, . . . , Mi−1, Mi , Mi+1, . . . , Mn), and φ′ = (M1, . . . , Mi−1, ρ(M), Mi+1, . . . , Mn), and vc, vm fresh read si as x; QρHℓφfalse = Q(ρ ∪ {x → vsi , vs1 → vs1, . . . , vsi → vsi , . . . , vsn → vsn, vc → vc, vm → vm})(H ∧ mes(φ0, vc, vm))ℓφfalse where φ0 = (vs1, . . . , vsi , . . . , vsn), with vs1, . . . , vsi , . . . , vsn, vc, vm fresh read si as x; QρHℓφtrue = Q(ρ ∪ {x → Mi , vc → vc, vm → vm})(H ∧ mes(φ, vc, vm))ℓφtrue where φ = (M1, . . . , Mi , . . . , Mn) and vc, vm fresh

Protocol clauses

0ρHℓφµ = ∅ Q1 | Q2ρHℓφfalse = Q1ρ Hℓφfalse ∪ Q2ρHℓφfalse !QρHℓφfalse = QρHℓφfalse new a; QρHℓφµ =



Q(ρ ∪ {a → a[ℓ]})Hℓφµ Q(ρ ∪ {a → attn[]})Hℓφµ if a ∈ bn(P)

• therwise

in(M, x); QρHℓφfalse = Q(ρ ∪ {x → x, vs1 → vs1, . . . , vsn → vsn}) H′ (x :: ℓ) φ false where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh and H′ = H ∧ mes(φ0, ρ(M), x) in(M, x); QρHℓφtrue = Q(ρ ∪ {x → x})(H ∧ mes(φ, ρ(M), x))(x :: ℓ)φtrue

• ut(M, N); QρHℓφµ

= {H ⇒ mes(φ, ρ(M), ρ(N))} ∪ QρHℓφµ let x = g(M1, . . . , Mn) in Q1 else Q2ρHℓφµ =

S 

Q1((ρσ) ∪ {x → p′σ′})(Hσ)(ℓσ)(φσ)µ | g(p′ 1, . . . , p′ n) → p′ ∈ def (g) and (σ, σ′) mgus and M1ρσ = p′ 1σ′, . . . , Mnρσ = p′ nσ′

ff

∪ Q2ρHℓφµ if M = N then Q1 else Q2ρHℓφµ = Q1(ρσ)(Hσ)(ℓσ)(φσ)µ ∪ Q2ρHℓφµ where σ = mgu(ρ(M), ρ(N)) lock; QρHℓφfalse = Q(ρ ∪ {vs1 → vs1, . . . , vsn → vsn})Hℓφ0true where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh unlock; QρHℓφtrue = QρHℓφfalse si := M; QρHℓφfalse = Q(ρ ∪ {vs1 → vs1, . . . , vsn → vsn, vc → vc, vm → vm})Hℓφfalse ∪{H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)} ∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)} where φ0 = (vs1, . . . , vsi−1, vsi , vsi+1, . . . , vsn), and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn) with vs1, . . . , vsn, vc, vm fresh si := M; QρHℓφtrue = Q(ρ ∪ {vc → vc, vm → vm})Hℓφ′true ∪{H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)} ∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)} where φ = (M1, . . . , Mi−1, Mi , Mi+1, . . . , Mn), and φ′ = (M1, . . . , Mi−1, ρ(M), Mi+1, . . . , Mn), and vc, vm fresh read si as x; QρHℓφfalse = Q(ρ ∪ {x → vsi , vs1 → vs1, . . . , vsi → vsi , . . . , vsn → vsn, vc → vc, vm → vm})(H ∧ mes(φ0, vc, vm))ℓφfalse where φ0 = (vs1, . . . , vsi , . . . , vsn), with vs1, . . . , vsi , . . . , vsn, vc, vm fresh read si as x; QρHℓφtrue = Q(ρ ∪ {x → Mi , vc → vc, vm → vm})(H ∧ mes(φ, vc, vm))ℓφtrue where φ = (M1, . . . , Mi , . . . , Mn) and vc, vm fresh

Assignments

si := M; QρHℓφfalse = Qρ′Hℓφfalse ∪{H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)} ∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)} where φ0 = (vs1, . . . , vsi−1, vsi, vsi+1, . . . , vsn), and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn) with vs1, . . . , vsn, vc, vm fresh and ρ′ = ρ ∪ {vs1 → vs1, . . . , vsn → vsn, vc → vc, vm → vm} si := M; QρHℓφtrue = Q(ρ ∪ {vc → vc, vm → vm})Hℓφ′true ∪{H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)} ∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)} where φ = (M1, . . . , Mi−1, Mi, Mi+1, . . . , Mn), and φ′ = (M1, . . . , Mi−1, ρ(M), Mi+1, . . . , Mn), and vc, vm fresh

Main result

Theorem (The StatVerif compiler is correct) Let M be a message. Let P be a protocol of the form new ˜ m; ([s1 → M1] | · · · | [sn → Mn] | Q) Clauses(P) ⊢ secrecy(M) ⇒ P | = secrecy(M) If ∀ ˜ K the fact att( ˜ K, M) is not derivable from Clauses(P), then P preserves the secrecy of M.

Some clauses for commands of the TPM

TPM Read: att(xp, x) → att(xp, xp) TPM CreateWrapKey: att(xp, xpcr) ∧ key(xp, xsk, xpk, xp) → att(xp, pk(bindk[xpcr]), wrap(xpk, bindk[xpcr], tpmpf[], xpcr)) TPM LoadKey2: att(xp, pk(xkey)) ∧ att(xp, wrap(xpk, xkey, tpmpf[], xpcr)) ∧ key(xp, xsk, xpk, xp) → key(xp, xkey, pk(xkey), xpcr) TPM Unbind: att(xp, aenc(xpk, xdata)) ∧ key(xp, xsk, xpk, xp) → att(xp, xdata) TPM Extend: att(xp, xv) ∧ att(xp, x) → att(h(xp, xv), x) key(xp, xsk, xpk, xpcr) ∧ att(xp, xv) → key(h(xp, xv), xsk, xpk, xpcr)

Making ProVerif work on the Horn clauses

Safe abstraction: Replace att(xp, xv) ∧ att(xp, x) → att(h(xp, xv), x) with n instances, in which xp is zero[] h(zero[], x1) h(h(zero[], x1), x2) h(h(h(zero[], x1), x2), x3) . . .

Current and future work

Prototype implementation by Joshua Phillips More case studies

UMTS protocols, RFID protocols, . . .

Extension to authentication properties Extension to observational equivalence Abstractions