Extracting and verifying cryptographic models from C protocol code by symbolic execution

Consider the problem of verifying security properties of a cryptographic protocol coded in C. We propose an automatic solution that needs neither a pre-existing protocol description nor manual annotation of source code. First, symbolically execute the C program to obtain symbolic descriptions for the network messages sent by the protocol. Second, apply algebraic rewriting to obtain a process calculus description. Third, run an existing protocol analyser (ProVerif) to prove security properties or find attacks. We formalise our algorithm and appeal to existing results for ProVerif to establish computational soundness under suitable circumstances. We analyse only a single execution path, so our results are limited to protocols with no significant branching. The results in this paper provide the first computationally sound verification of weak secrecy and authentication for (single execution paths of) C code.
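A toy walk through the three steps above, as an added example that is not the paper's tool or algorithm. The operation list `PATH`, the term constructors (`len`, `concat`, `pair`, `hmac`), the channel name `c` and the single rewrite rule are assumptions made for illustration.

```python
# Added illustration, not the paper's tool. Constructed C path being modelled:
#   uint32_t n = payload_len;
#   memcpy(buf, &n, 4);  memcpy(buf + 4, payload, n);
#   hmac(payload, n, key, buf + 4 + n);
#   send(sock, buf, 4 + n + MAC_LEN);
# Terms are nested tuples ("constructor", arg, ...) or variable-name strings.

def head(e):
    return e[0] if isinstance(e, tuple) else None

def sym_exec(path):
    """Step 1: run one straight-line path; return the symbolic messages sent."""
    buf, sent = [], []                     # buf holds symbolic segments in order
    for op, *args in path:
        if op == "write":                  # memcpy of a symbolic value into buf
            buf.append(args[0])
        elif op == "send":                 # message is the concatenation of buf
            msg = buf[-1]
            for seg in reversed(buf[:-1]):
                msg = ("concat", seg, msg)
            sent.append(msg)
            buf = []
        else:                              # single path only: no branches, loops
            raise ValueError(f"unsupported on a single path: {op}")
    return sent

def rewrite(e):
    """Step 2: len(x) | x | y parses unambiguously, so abstract it as pair(x, y)."""
    if head(e) is None:
        return e
    e = (e[0],) + tuple(rewrite(a) for a in e[1:])
    if (head(e) == "concat" and head(e[1]) == "len"
            and head(e[2]) == "concat" and e[2][1] == e[1][1]):
        return ("pair", e[1][1], e[2][2])
    return e

def show(e):
    return e if isinstance(e, str) else f"{e[0]}({', '.join(map(show, e[1:]))})"

def extract_model(path):
    """Step 3 input: one output action per sent message, for a protocol analyser."""
    return [f"out(c, {show(rewrite(m))})" for m in sym_exec(path)]

PATH = [("write", ("len", "payload")), ("write", "payload"),
        ("write", ("hmac", "payload", "key")), ("send",)]

if __name__ == "__main__":
    print(extract_model(PATH))
```

When the length field does not describe the segment that follows it, the term stays a raw `concat`, which marks an encoding this one rewrite rule cannot abstract.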
