Computational verification of C protocol implementations by symbolic execution

We verify cryptographic protocols coded in C for correspondence properties with respect to the computational model of cryptography. The first step uses symbolic execution to extract a process calculus model from a C implementation of the protocol. The new contribution is the second step, in which we translate the extracted model to a CryptoVerif protocol description, such that successful verification with CryptoVerif implies the security of the original C implementation. We implement our method and apply it to verify several protocols out of reach of previous work in the symbolic model (using ProVerif), either due to the use of XOR and Diffie-Hellman commitments, or due to the lack of an appropriate computational soundness result. We analyse only a single execution path, so our tool is limited to code following a fixed protocol narration. This is the first security analysis of C code to target a verifier for the computational model. We successfully verify over 3000 LOC. One example (about 1000 LOC) is independently written and currently in the testing phase for industrial deployment; during its analysis we uncovered a vulnerability, now fixed by its author.
