Runtime verification of cryptographic protocols

There has been a significant amount of work devoted to the static verification of security protocol designs. Virtually all of these results, when applied to an actual implementation of a security protocol, rely on certain implicit assumptions on the implementation (for example, that the cryptographic checks that according to the design have to be performed by the protocol participants are carried out correctly). So far there seems to be no approach that would enforce these implicit assumptions for a given implementation of a security protocol (in particular regarding legacy implementations which have not been developed with formal verification in mind). In this paper, we use a code assurance technique called "runtime verification" to solve this open problem. Runtime verification determines whether or not the behaviour observed during the execution of a system matches a given formal specification of a "reference behaviour". By applying runtime verification to an implementation of any of the participants of a security protocol, we can make sure during the execution of that implementation that the implicit assumptions that had to be made to ensure the security of the overall protocol are fulfilled. The overall assurance process then proceeds in two steps: First, a design model of the security protocol in UML is verified against security properties such as secrecy of data. Second, the implicit assumptions on the protocol participants are derived from the design model, formalised in linear-time temporal logic, and the validity of these formulae at runtime is monitored using runtime verification. The aim is to increase one's confidence that statically verified properties are satisfied not only by a model of the system, but also by the actual running system itself. We demonstrate the approach on Jessie, an open source implementation of the de-facto Internet security protocol standard SSL. We also briefly explain how to transfer the results to the SSL implementation within the Java Secure Sockets Extension (JSSE), recently made open source by Sun Microsystems.
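The second step of the process above, monitoring temporal-logic formulae against the running implementation, is the part a practitioner has to build. The following added example is not code from the paper, from Jessie or from JSSE; it is a small incremental monitor for past-time LTL safety properties of the form G(phi), written here to show what such a monitor does. The event names (`certificate_verified`, `client_key_exchange_sent`, `finished_verified`, `alert_received`, ...) and the two properties are constructed assumptions of the kind the abstract describes (a public key is only used after the certificate chain has been checked; application data is only sent once the peer's Finished message has been verified and no alert has occurred since), not properties taken from the paper's UML model. In a real deployment the events would be emitted by instrumentation of the protocol implementation; here they are fed from hand-written traces.

```python
"""
Minimal past-time LTL monitor (added illustration, not the paper's tool).

Formulas are nested tuples:
  ("atom", name)        true if `name` is the current event
  ("not", f), ("and", f, g), ("or", f, g), ("implies", f, g)
  ("once", f)           f held at some earlier-or-current step (past "eventually")
  ("hist", f)           f held at every step so far (past "always")
  ("since", f, g)       g held at some past step and f has held ever since

A safety property G(phi) is monitored by evaluating phi at every step;
the first step at which phi is false is reported as the violation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Formula = tuple


def atom(name): return ("atom", name)
def neg(f): return ("not", f)
def implies(f, g): return ("implies", f, g)
def once(f): return ("once", f)
def since(f, g): return ("since", f, g)


@dataclass
class Monitor:
    formula: Formula
    # values of every subformula at the previous step, keyed by the subformula
    prev: Dict[Formula, bool] = field(default_factory=dict)
    step: int = 0
    violation: Optional[int] = None

    def _eval(self, f: Formula, atoms: frozenset, cur: Dict[Formula, bool]) -> bool:
        if f in cur:
            return cur[f]
        op = f[0]
        if op == "atom":
            v = f[1] in atoms
        elif op == "not":
            v = not self._eval(f[1], atoms, cur)
        elif op in ("and", "or", "implies"):
            # evaluate both sides unconditionally so every temporal subformula
            # updates its state each step (short-circuiting would break that)
            a = self._eval(f[1], atoms, cur)
            b = self._eval(f[2], atoms, cur)
            v = {"and": a and b, "or": a or b, "implies": (not a) or b}[op]
        elif op == "once":
            v = self._eval(f[1], atoms, cur) or self.prev.get(f, False)
        elif op == "hist":
            v = self._eval(f[1], atoms, cur) and self.prev.get(f, True)
        elif op == "since":
            a = self._eval(f[1], atoms, cur)
            b = self._eval(f[2], atoms, cur)
            v = b or (a and self.prev.get(f, False))
        else:
            raise ValueError(f"unknown operator {op!r}")
        cur[f] = v
        return v

    def observe(self, event: str) -> bool:
        """Feed one event; returns whether the property holds at this step."""
        cur: Dict[Formula, bool] = {}
        ok = self._eval(self.formula, frozenset([event]), cur)
        self.prev = cur
        if not ok and self.violation is None:
            self.violation = self.step
        self.step += 1
        return ok


def first_violation(formula: Formula, trace: List[str]) -> Optional[int]:
    """Index of the first event at which G(formula) is violated, or None."""
    m = Monitor(formula)
    for ev in trace:
        m.observe(ev)
    return m.violation


# Constructed assumptions on a client-side handshake (hypothetical event names).
CERT_BEFORE_KEY = implies(atom("client_key_exchange_sent"),
                          once(atom("certificate_verified")))
FINISHED_BEFORE_DATA = implies(atom("app_data_sent"),
                               since(neg(atom("alert_received")),
                                     atom("finished_verified")))

# Constructed traces: a correct run, a run that skips the certificate check,
# and a run that keeps sending data after an alert.
GOOD = ["server_hello", "certificate_received", "certificate_verified",
        "client_key_exchange_sent", "finished_verified", "app_data_sent"]
SKIPPED_CHECK = ["server_hello", "certificate_received",
                 "client_key_exchange_sent", "finished_verified", "app_data_sent"]
AFTER_ALERT = GOOD + ["alert_received", "app_data_sent"]

if __name__ == "__main__":
    for name, trace in [("GOOD", GOOD), ("SKIPPED_CHECK", SKIPPED_CHECK),
                        ("AFTER_ALERT", AFTER_ALERT)]:
        print(name, first_violation(CERT_BEFORE_KEY, trace),
              first_violation(FINISHED_BEFORE_DATA, trace))
```

Each temporal operator keeps only its previous-step value, so the monitor runs in constant memory per subformula regardless of trace length, which is what makes it usable inside a long-running protocol implementation; the monitor reports the index of the first offending event, so a violation can be tied back to the exact protocol step where the design's assumption was broken.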
