Towards computationally sound symbolic security analysis – Daniele Micciancio (presentation slides)


  1. Towards computationally sound symbolic security analysis
     Daniele Micciancio, UCSD
     DIMACS Tutorial – June 2004

  2. Security protocols
     ● Protocols: distributed programs
     ● Goal: maintain prescribed behavior in adversarial execution environment
     ● Tool: Cryptography
     [Figure: parties P1, P2, P3 and an adversary Adv.; the goal must hold for all Adv.]

  3. Analyzing security protocols
     ● Typically much more complicated than traditional protocols because of universal quantification over the adversaries
     ● Implications:
       – Security cannot be tested, but only proved
       – Need for a formal model to precisely formulate and prove security properties

  4. Models of security
     ● Computational model
       – Encryption [Goldwasser, Micali 1983]
     ● Symbolic model
       – [Dolev, Yao 1983]
     ● Other models
       – Random oracle model
       – Generic model

  5. Computational model
     ● Detailed model of computation / communication
     ● Cryptographic operations are not modeled, but defined within the model.
     [Figure: parties exchanging bit strings (0/1, 100100101, 0001110101)]

  6. Example: CPA-secure encryption
     ● Encryption scheme = (Kgen, E, D)
     ● Security against "chosen plaintext attack":
     [Figure: the CPA game. Kgen produces (pk, sk); given pk, the adversary chooses m_0, m_1 with |m_0| = |m_1|; a bit b is chosen and E(pk, m_b) is returned, while D(sk, _) stays with the key holder; the adversary outputs a guess g, and the requirement is Pr{g = b} ~ 1/2.]

  7. Features of CPA-security
     ● Even partial information about the message is hidden
       – captured by size-2 message space
     ● No assumption on message distribution
       – captured by adversarially chosen messages
     ● Strong security (success prob. ~ 1/2)
     ● Encryption function can be used multiple times
       – Letting Adv. make many queries (m_0, m_1) does not make the definition substantially stronger

  8. Non-features of CPA-security
     ● Message length is not necessarily hidden:
       – Messages must satisfy |m_0| = |m_1|
     ● The key is not necessarily hidden, e.g.:
       – Kgen': run Kgen -> k, and output k' = (k, r)
       – E'_(k,r)(m) = (E_k(m), r)
     ● Other definitions are possible:
       – e.g., schemes can completely hide the key

  9. Symbolic model
     ● Abstract computation and communication model
     ● Cryptography is integral part of the model: cryptography = abstract data type
     [Figure: abstract data type view: keys k, k', message m, ciphertexts E(k, m) and E(k', m), and the operations D(k, _) and E(k', _) acting on them]

  10. Computational model
      ● Advantages:
        – High security assurance
        – Provides guidance to design of crypto primitives
        – Allows definition of new crypto primitives
      ● Disadvantages:
        – Proofs are long and hard to verify
        – Security intuition is often lost in technical details
        – Few cryptographers still write full proofs, and nobody reads them anyway

  11. Symbolic model
      ● Potential advantages
        – Simpler, higher level proofs: e.g., no probabilities
        – Automatic proof verification
      ● Disadvantages
        – Security proved only against abstract adversaries
        – Unclear assumptions on cryptographic primitives
        – Tailored to specific security properties and classes of protocols

  12. Computational vs. symbolic Adv.
      ● Computational adversary:
        – arbitrary probabilistic polynomial time Adv.
        – may break symbolic model assumptions by guessing a key (with non-zero probability)
      ● Symbolic adversary:
        – restricted but computationally unbounded and/or non-deterministic adversary
        – may break the computational model by non-deterministically guessing a key

  13. Abstraction level
      ● Security protocols
      ● Cryptography
      ● Digital circuits
      ● Physics / EE
      [Figure: the same layering drawn with symbolic terms (k, k', m, E(k, m), D(k, _), E(k', _)) at the top and bits (0/1) at the bottom]

  14. What level of abstraction should be used to ...
      ● ... describe security protocols?
        – Highest level that allows the protocol's actions to be described
        – Typically, the symbolic model is enough
      ● ... define security properties?
        – Highest possible that allows all realistic threats (e.g., the adversary's actions) to be described
        – Computational model is typically accepted as a reasonable choice

  15. Beyond the computational model
      ● Power analysis attacks
        – [Kocher]
      ● Timing attacks
        – [Kocher]
      ● Sometimes useful:
        – constant round concurrent Zero Knowledge protocols [Dwork, Naor, Sahai] [Goldreich]

  16. Soundness of symbolic analysis
      ● Goal: framework where
        – protocols are written and analyzed symbolically
        – still, security holds against computational adversaries
      ● Advantages and limitations
        – Simple protocols and security proofs
        – High security assurance
        – Applies only to a subclass of protocols
        – Targets restricted class of security properties

  17. What is a sound symbolic analysis?
      [Figure: Symb. model: high level protocol + symbolic adversary = security property. Comp. model: concrete protocol + concrete adversary = security property.]

  18. Using the soundness theorem
      ● High level protocol Prot
      ● Soundness theorem:
        – For any comp. Adv, if SymbExec[Prot, [Adv]] satisfies S, then CompExec[(Prot), Adv] satisfies S
      ● Symbolic security proof
        – For any symb. Adv', SymbExec[Prot, Adv'] satisfies S
      ● Strong security guarantee
        – For any comp. Adv, CompExec[(Prot), Adv] satisfies S

  19. Remarks
      ● Standard process in cryptography:
        – E.g., transformation from semi-honest to malicious adversarial models using Zero Knowledge
      ● Compiling protocols:
        – Usually a non-trivial transformation
        – May introduce inefficiencies (e.g., use of ZK)
      ● Compiling adversaries:
        – Usually efficiency is not as critical here

  20. What's different with soundness of symbolic analysis?
      ● Formal high level protocol description language
        – E.g., no probabilities. Important for automation.
      ● Simple interpretation of high level protocols
        – Essential for analysing existing protocols
        – Important for implementation of new protocols
      ● Compiling adversaries: highly non-trivial
        – Very restricted target language
        – Important for automatic verification

  21. Approaches to sound symbolic analysis
      ● Secure multiparty computation
        – Library to interpret/compile symbolic programs in computational setting
        – Powerful: embed symbolic terms in computational model, retaining all capabilities of comp. model
      ● Ad-hoc approaches
        – Specialized languages for subclasses of protocols
        – Directly justify symbolic analysis

  22. Example: encrypted expressions
      ● Very simple protocols: "A(input) -> B: output"
      ● Syntax: X = input | const | {X}_key | (X, ..., X)
      ● Example: X = (k1, {(k3, {(0, input)}_k2)}_k1, {k2}_k3)
      ● Computational interpretation [X]: {0,1}* -> {0,1}*
        – Generate keys Kgen -> k1, k2, k3
        – Evaluate expression bottom up, where
          ● [{X}_k] = E_k([X])
          ● [(X1, ..., Xn)] = ([X1], ..., [Xn])

  23. Symbolic execution
      ● On input m, A transmits X' = X[m/input] to B
      ● The symbolic (Dolev-Yao) adversary, given expression X', computes as much information as possible, according to the following rules:
        – X' is known
        – If (X1, ..., Xn) is known, then X1, ..., Xn are known
        – If {X}_k and k are known, then X is known

  24. Security properties
      ● Secrecy of the input:
        – the input value is protected by the protocol
      ● Computational secrecy:
        – For any input s, the distributions [X](s) and [X](0) are computationally indistinguishable
      ● Symbolic secrecy:
        – No symbolic (Dolev-Yao) adversary can recover m from X[m/input]

  25. Pattern semantics
      ● Associate each program with a pattern:
        – P = input | const | (P, ..., P) | {P}_key | "?"
      ● Examples:
        – Pattern(k1, {(k3, {(0, input)}_k2)}_k1, {k2}_k3) = (k1, {(k3, {(0, input)}_k2)}_k1, {k2}_k3)
        – Pattern(k1, {(k3, {(0, input)}_k2)}_k1, {k4}_k3) = (k1, {(k3, "?")}_k1, {k4}_k3)

  26. Soundness theorem
      ● [Abadi-Rogaway] if Pattern(X1) == Pattern(X2) then [X1] ~ [X2] are computationally indistinguishable, provided that
        – (Kgen, E, D) is a "type 0" secure encryption scheme
        – expressions X1, X2 are acyclic, e.g., the expression ({k1}_k2, {k2}_k1) is not allowed
      ● Corollary:
        – If Pattern(X) does not contain "input", then X is secure

  27. Soundness result as a metatheorem
      ● Soundness theorem has the form of a standard cryptography result
      ● As easy to use as normal cryptographic definitions
      [Figure: the indistinguishability game. Keys k_1, k_2, ... are produced by Kgen; the adversary chooses X_0, X_1 with Pat(X_0) = Pat(X_1); a bit b is chosen and [X_b] is returned; the adversary outputs g, and the requirement is Pr{g = b} ~ 1/2.]
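Added example, not from the slides: a small Python implementation of the encrypted-expression language of slide 22, the Dolev-Yao derivation rules of slide 23 and the pattern semantics of slides 25-26, including the acyclicity side condition of the soundness theorem. The encoding is my own assumption: an `Enc` dataclass stands for {X}_key, Python tuples for (X1, ..., Xn), strings 'k1', 'k2', ... for keys, the int 0 for the constant and "?" for the undecryptable box.

```python
# Added example, not from the slides: encrypted expressions (slide 22), Dolev-Yao rules (23), patterns (25-26).
from dataclasses import dataclass
is_key = lambda a: isinstance(a, str) and a.startswith("k")   # assumed encoding: keys are 'k1', 'k2', ...

@dataclass(frozen=True)
class Enc:            # {body}_key; pairs (X1,...,Xn) are Python tuples
    key: str
    body: object

def subterms(x):      # x and all its subterms, encryption keys included
    yield x
    if isinstance(x, Enc):
        yield x.key
        yield from subterms(x.body)
    elif isinstance(x, tuple):
        for e in x:
            yield from subterms(e)

def dolev_yao_closure(x):   # slide 23: everything the adversary can derive from x
    known = {x}
    while True:
        new = {e for t in known if isinstance(t, tuple) for e in t}             # split known pairs
        new |= {t.body for t in known if isinstance(t, Enc) and t.key in known}  # decrypt with known keys
        if new <= known:
            return known
        known |= new

def pattern(x, keys):       # slide 25, w.r.t. the keys the adversary holds; "?" is the box
    if isinstance(x, Enc):
        return Enc(x.key, pattern(x.body, keys)) if x.key in keys else "?"
    if isinstance(x, tuple):
        return tuple(pattern(e, keys) for e in x)
    return x

def is_acyclic(x):          # slide 26 side condition: ({k1}_k2, {k2}_k1) is ruled out
    under = {}              # k -> keys occurring inside some {...}_k
    for c in (t for t in subterms(x) if isinstance(t, Enc)):
        under.setdefault(c.key, set()).update(filter(is_key, subterms(c.body)))
    def loops(k, cur, seen):   # does the "encrypts" relation lead from k back to k?
        return any(n == k or (n not in seen and loops(k, n, seen | {n})) for n in under.get(cur, ()))
    return not any(loops(k, k, set()) for k in under)

def secrecy_verdict(x):     # corollary of slide 26, usable only when the theorem applies
    if not is_acyclic(x):
        return "cyclic: theorem does not apply"
    keys = {t for t in dolev_yao_closure(x) if is_key(t)}
    return "insecure" if "input" in subterms(pattern(x, keys)) else "secure"

X_LEAKS = ("k1", Enc("k1", ("k3", Enc("k2", (0, "input")))), Enc("k3", "k2"))   # slide 25, first expression
X_HIDES = ("k1", Enc("k1", ("k3", Enc("k2", (0, "input")))), Enc("k3", "k4"))   # slide 25, second expression
```

`secrecy_verdict(X_LEAKS)` reports "insecure", since k1, then k3, then k2 are all recoverable and the pattern is the expression itself; `secrecy_verdict(X_HIDES)` reports "secure", because {(0, input)}_k2 collapses to "?".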

  28. Case study: secure multicast
      ● Authenticated broadcast channel
      ● Dynamically changing group of users
      [Figure: a center broadcasting to users u_1 ... u_6 (group members and non-members); after rem(u_2) and add(u_4), send(m_1) delivers m_1 to the current members, and send(m_2) likewise delivers m_2]

  29. Multicast key distribution problem
      ● Standard approach to achieve secrecy:
        – Establish a common secret key
        – Use the key to encrypt the messages
      ● Problem:
        – Update the key when group membership changes
        – Individually sending new key to all members is too expensive
        – Cannot encrypt new key under old one because the old one is compromised

  30. Secure key distribution
      ● Authenticated broadcast channel
      ● Dynamically changing group of users
      [Figure: as on slide 28, but the center distributes group keys: k_1 to the members after rem(u_2), and k_2 to the members after add(u_4)]

  31. Secure key distribution
      ● For any sequence of updates, and coalition C, {u_C, xxx, k(S)} ~ {u_C, xxx, k'(S)}, where S = {t : C does not intersect the group}
      [Figure: the adversary (coalition C) observes the center's updates add(u_1), add(u_2), add(u_4), del(u_2), add(u_5) over users u_1 ... u_6, with successive keys k1, ..., k5; k(S) denotes the keys of the epochs in S]
