using data flow analysis for automatic checking of
play

Using Data Flow Analysis for Automatic Checking of Computational - PowerPoint PPT Presentation

Nov 19, 2022 •277 likes •760 views

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

  1. Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapäevad Voorel, 29.09–01.10.2006 – p. 1/33

  2. A distributed system. . . . . . can be modeled as application logic protocol logic cryptographic layer and network stack secure authentic insecure A Our task: analyse it! Does it preserve the secrecy of certain data? Teooriapäevad Voorel, 29.09–01.10.2006 – p. 2/33

  3. The simulatable cryptographic library May serve as the cryptographic layer / network stack. Takes API calls from the layer above to generate new encryption/decryption keys, encrypt and decrypt; both symmetrically and asymmetrically generate new signature keys, sign and verify; take and return (unstructured) data; construct and destruct tuples; send messages to other parties. Receives messages from other parties and forwards them to the layer above. The overlying layer accesses all messages through handles. Teooriapäevad Voorel, 29.09–01.10.2006 – p. 3/33

  4. The abstract cryptographic library application logic protocol logic cryptographic layer and network stack messages on insecure and authentic channels A scheduling A monolithic library — consists of a single machine. Cannot be directly implemented. Main part — a database of terms recording their structure and parties that have access to them. Terms in the database ≈ terms in the Dolev-Yao model. Possible operations also similar to the Dolev-Yao model. Teooriapäevad Voorel, 29.09–01.10.2006 – p. 4/33

  5. Terms Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  6. Terms x 1 := nonce () h1 nonce Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  7. Terms x 1 := nonce () x 2 := asymkeypair () h1 h2 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  8. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  9. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) x 4 := store (10110 . . . ) h4 data 10110... h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  10. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) x 4 := store (10110 . . . ) x 5 := ( x 4 , x 1 , x 3 ) h5 (,,) h4 data 10110... h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  11. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) x 4 := store (10110 . . . ) h6 pk x 5 := ( x 4 , x 1 , x 3 ) h5 x 6 := receive (,,) h4 data 10110... h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  12. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) sk pk x 5 := ( x 4 , x 1 , x 3 ) h5 (,,) h4 data y 1 := asymkeypair () 10110... h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  13. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) sk pk x 5 := ( x 4 , x 1 , x 3 ) h2 h5 (,,) h4 data y 1 := asymkeypair () 10110... y 2 := pubkey ( y 1 ) h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  14. Terms x 1 := nonce () x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) h6 sk pk x 5 := ( x 4 , x 1 , x 3 ) h2 h5 x 6 := receive (,,) h4 data y 1 := asymkeypair () 10110... y 2 := pubkey ( y 1 ) send y 2 h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  15. Terms x 1 := nonce () h7 enc x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) h6 sk pk x 5 := ( x 4 , x 1 , x 3 ) h2 h5 x 6 := receive (,,) x 7 := pubenc ( x 6 , x 5 ) h4 data y 1 := asymkeypair () 10110... y 2 := pubkey ( y 1 ) send y 2 h1 h2 h3 nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  16. Terms x 1 := nonce () h7 enc h3 x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) h6 sk pk x 5 := ( x 4 , x 1 , x 3 ) h2 h5 x 6 := receive (,,) x 7 := pubenc ( x 6 , x 5 ) h4 send x 7 data y 1 := asymkeypair () 10110... y 2 := pubkey ( y 1 ) send y 2 h1 h2 h3 y 3 := receive nonce sk pk Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  17. Terms x 1 := nonce () h7 enc h3 x 2 := asymkeypair () x 3 := pubkey ( x 2 ) h1 x 4 := store (10110 . . . ) h6 sk pk x 5 := ( x 4 , x 1 , x 3 ) h2 h5 x 6 := receive (,,) h4 x 7 := pubenc ( x 6 , x 5 ) h4 send x 7 data y 1 := asymkeypair () 10110... y 2 := pubkey ( y 1 ) send y 2 h1 h2 h3 y 3 := receive nonce sk pk y 4 := pubdec ( y 1 , y 3 ) Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  18. Terms x 1 := nonce () h7 enc x 2 := asymkeypair () h3 x 3 := pubkey ( x 2 ) x 4 := store (10110 . . . ) h1 x 5 := ( x 4 , x 1 , x 3 ) h6 sk pk x 6 := receive h2 h5 x 7 := pubenc ( x 6 , x 5 ) (,,) h4 send x 7 h4 y 1 := asymkeypair () data y 2 := pubkey ( y 1 ) 10110... send y 2 y 3 := receive h1 h2 h3 y 4 := pubdec ( y 1 , y 3 ) h5 nonce sk pk y 5 := 2 _ of _ 3( y 4 ) Teooriapäevad Voorel, 29.09–01.10.2006 – p. 5/33

  19. Dolev-Yao vs. simul. cryptolib There exists a large body of work analysing protocols with semantics in the Dolev-Yao model. Our abstract cryptographic library is very similar to it. Some differences: The adversary can learn public key from an asymmetric encryption, the identity of the key from a symmetric encryption. The adversary can create “empty” ciphertexts and garbage terms. The adversary can modify signatures (but cannot change the signed text), empty symmetric ciphertexts — can fix the plaintext. The methods for Dolev-Yao carry over. Teooriapäevad Voorel, 29.09–01.10.2006 – p. 6/33

  20. Simulatability ∃ Sim , such that for all A and almost all H : H A ≈ H Sim A The views of the user H must be indistinguishable. Conditions on H nontrivial, but not too restrictive. Teooriapäevad Voorel, 29.09–01.10.2006 – p. 7/33

  21. A protocol participant Theorem. (B & Pf, S&P ’05) A protocol participant keeps a data item M received from above API calls secret if M is passed downwards only Program as unstructured data. M will not become known to the adversary. API calls M does not affect the control flow of the Program. Simulation also requires No encryption cycles A symmetric key used by a participant does not become known to the adversary Teooriapäevad Voorel, 29.09–01.10.2006 – p. 8/33

  22. Program Language Variables x ∈ Var . Constants / values n, v ∈ Z . Abstract channels c ∈ Chan . Expressions | | ::= symkey ( i ) asymkeypair () e n | | symenc ( e, e ) | asymenc ( e, e ) x | ( e, . . . , e ) | symdec ( e, e ) | asymdec ( e, e ) π j | | | i ( e ) nonce () pubkey ( e ) | | store ( e ) retrieve ( e ) Processes Threads P ::= P act | P inact | Reject receive c x from x ′ .P ::= T P inact ::= T 1 | · · · | T n | ! receive c x from x ′ .P let x := e in P else P ′ P act ::= Program: T 1 | · · · | T n | if e = e then P else P ′ | send c e to e.P inact Teooriapäevad Voorel, 29.09–01.10.2006 – p. 9/33

  23. Processing a message A machine implementing the protocol logic contains a list of threads, each with its own state. When a message M arrives, with the abstract channel C the apparent sender Y then we attempt to give it to the first thread. Teooriapäevad Voorel, 29.09–01.10.2006 – p. 10/33

  24. Giving a message to a thread M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel (!) receive c x from x ′ .P Compare c and C . If c = C then. . . Teooriapäevad Voorel, 29.09–01.10.2006 – p. 11/33

  25. Starting the execution of a thread M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel (!) receive C x from x ′ .P S k [ x �→ M, x ′ �→ Y ] P Execute: Teooriapäevad Voorel, 29.09–01.10.2006 – p. 12/33

  26. Normal end of execution M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel receive C x from x ′ .P S k [ x �→ M, x ′ �→ Y ] P Execute: T ′ 1 | · · · | T ′ S ′ m T ′ T ′ T 1 T 2 T k − 1 T k +1 T n m 1 S ′ S ′ S 1 S 2 S k − 1 S k +1 S n Teooriapäevad Voorel, 29.09–01.10.2006 – p. 13/33

  27. Normal end of execution M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel ! receive C x from x ′ .P S k [ x �→ M, x ′ �→ Y ] P Execute: T ′ 1 | · · · | T ′ S ′ m T ′ T ′ T 1 T 2 T k − 1 T k T k +1 T n m 1 S ′ S ′ S 1 S 2 S k − 1 S k S k +1 S n Teooriapäevad Voorel, 29.09–01.10.2006 – p. 14/33

  28. Abnormal end of execution M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel (!) receive C x from x ′ .P S k [ x �→ M, x ′ �→ Y ] P Execute: S ′ Reject T 1 T 2 T k − 1 T k T k +1 T n S 1 S 2 S k − 1 S k S k +1 S n Teooriapäevad Voorel, 29.09–01.10.2006 – p. 15/33

  29. Giving a message to a thread M Message T 1 T 2 T k − 1 T k T k +1 T n Y Sender S 1 S 2 S k − 1 S k S k +1 S n C Abstr. channel (!) receive c x from x ′ .P Compare c and C . If c � = C then T 1 T 2 T k − 1 T k T k +1 T n S 1 S 2 S k − 1 S k S k +1 S n Teooriapäevad Voorel, 29.09–01.10.2006 – p. 16/33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today

Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today

Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today Control flow graphs Liveness analysis Register allocation CS553 Lecture Introduction to Data-flow Analysis 1 Data-flow

435 views • 15 slides
Model Checking & Program Analysis Markus Mller-Olm Dortmund University Overview

Model Checking & Program Analysis Markus Mller-Olm Dortmund University Overview

Model Checking & Program Analysis Markus Mller-Olm Dortmund University Overview Introduction Model Checking Flow Analysis Some Links between MC and FA Conclusion Apology for not giving proper credit to other

535 views • 41 slides
CMSC 430 Introduction to Compilers Spring 2016 Data Flow Analysis Data Flow Analysis A

CMSC 430 Introduction to Compilers Spring 2016 Data Flow Analysis Data Flow Analysis A

CMSC 430 Introduction to Compilers Spring 2016 Data Flow Analysis Data Flow Analysis A framework for proving facts about programs Reasons about lots of little facts Little or no interaction between facts Works best on

502 views • 35 slides
Chapter 1 Data flow analysis Course Static analysis and all that Martin Steffen INF5906 /

Chapter 1 Data flow analysis Course Static analysis and all that Martin Steffen INF5906 /

Chapter 1 Data flow analysis Course Static analysis and all that Martin Steffen INF5906 / autum 2017 Chapter 1 Learning Targets of Chapter Data flow analysis. various DFAs monotone frameworks operational semantics foundations

1.08k views • 82 slides
Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow

Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow

Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow analysis Today Introduce lattice-theoretic frameworks for data-flow analysis CS553 Lecture Lattice Theoretic Framework for DFA 1 Context

421 views • 15 slides
Generalizing Data-flow Analysis Announcements Read Section 9.3 in the book Today

Generalizing Data-flow Analysis Announcements Read Section 9.3 in the book Today

Generalizing Data-flow Analysis Announcements Read Section 9.3 in the book Today Other types of data-flow analysis Reaching definitions, available expressions, reaching constants Abstracting data-flow analysis

383 views • 9 slides
Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Example How many registers do we need a := 0 1 for the program on the right? L1: b := a + 1 2

408 views • 12 slides
Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems Data Flow Abstract Analysis Interpretation Correctness Program Analysis p.1/23 Overview Introduction Data Flow Analysis Control Flow

279 views • 23 slides
Introduction Goal: Use programmers design decisions with automatic checking todetect potential

Introduction Goal: Use programmers design decisions with automatic checking todetect potential

0.5 setgray0 0.5 setgray1 Introduction Goal: Use programmers design decisions with automatic checking todetect potential errors. Extended Static Checking (ESC) tries to prove correctness at compile-time helps finding run-time exceptions

302 views • 11 slides
Compiler Construction Lecture 18: Data flow analysis framework 2020-03-10 Michael Engel

Compiler Construction Lecture 18: Data flow analysis framework 2020-03-10 Michael Engel

Compiler Construction Lecture 18: Data flow analysis framework 2020-03-10 Michael Engel Overview Data-flow analysis partial orders lattices operators Compiler Construction 18: Data flow analysis framework 2 CFGs

360 views • 25 slides
1 CSE Example CSE Approach 1 Before CSE After CSE Notation c := a + b c := a + b

1 CSE Example CSE Approach 1 Before CSE After CSE Notation c := a + b c := a + b

Program Optimizations using Data-Flow Analysis Dead Code Elimination Last time Remove statements that define only one variable and the variable being defined is not in the live out set. Lattice theoretic framework for data-flow analysis

291 views • 7 slides
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . 1

473 views • 28 slides
Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All Together The Bitcoin System The First Primitive Data Structure Reference Reference Header Header Header Transactions Transactions

1k views • 57 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides
A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.

391 views • 36 slides

More recommend