Towards a Comprehensive Solution for Secure Cryptographic Protocol Execution based on Runtime Verification

Analytical security of cryptographic protocols does not immediately translate to operational security due to incorrect implementation and attacks targeting the execution environment. Code verification and hardwarebased trusted execution solutions exist, however these leave it up to the implementer to assemble the complete solution, and imposing a complete re-think of the hardware platforms and software development process. We rather aim for a comprehensive solution for secure cryptographic protocol execution, based on runtime verification and stock hardware security modules that can be deployed on existing platforms and protocol implementations. A study using a popular web browser shows promising results with respect to practicality.

[1]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[2]  Johannes Winter,et al.  Trusted computing building blocks for embedded linux-based ARM trustzone platforms , 2008, STC '08.

[3]  Paolo PRINETTO,et al.  Side-channel analysis of SEcube TM platform , 2017 .

[4]  Jan Jürjens,et al.  Runtime verification of cryptographic protocols , 2010, Comput. Secur..

[5]  Xiang Zhang,et al.  Defensing the malicious attacks of vehicular network in runtime verification perspective , 2016, 2016 IEEE International Conference on Electronic Information and Communication Technology (ICEICT).

[6]  Angelos D. Keromytis,et al.  A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware , 2012, NDSS.

[7]  Tibor Juhas The use of elliptic curves in cryptography , 2007 .

[8]  Gordon J. Pace,et al.  Runtime Verification for Stream Processing Applications , 2016, ISoLA.

[9]  Mike Bond,et al.  Cryptographic Processors-A Survey , 2006, Proceedings of the IEEE.

[10]  Dejan Nickovic,et al.  Runtime Monitoring with Recovery of the SENT Communication Protocol , 2017, CAV.

[11]  Martin Leucker,et al.  A brief account of runtime verification , 2009, J. Log. Algebraic Methods Program..

[12]  Ranveer Chandra,et al.  VeriFi: Model-Driven Runtime Verification Framework for Wireless Protocol Implementations , 2018, ArXiv.

[13]  Juan Manuel González Nieto,et al.  Modeling key compromise impersonation attacks on group key exchange protocols , 2008, TSEC.

[14]  Leonardo Mariani,et al.  Run-Time Verification , 2004, Model-Based Testing of Reactive Systems.

[15]  Patrick Röder,et al.  A Robust Integrity Reporting Protocol for Remote Attestation , 2006 .

[16]  R. Sekar An Efficient Black-box Technique for Defeating Web Application Attacks , 2009, NDSS.

[17]  Adriana Suárez Corona,et al.  Group key exchange protocols withstanding ephemeral-key reveals , 2018, IET Inf. Secur..

[18]  Abdelmadjid Bouabdallah,et al.  Trusted Execution Environment: What It is, and What It is Not , 2015, TrustCom 2015.

[19]  Rainer Steinwandt,et al.  Secure group key establishment revisited , 2007, International Journal of Information Security.

[20]  Fred Kröger,et al.  Temporal Logic of Programs , 1987, EATCS Monographs on Theoretical Computer Science.

[21]  Adriana Suárez Corona,et al.  Attribute-based group key establishment , 2010, Adv. Math. Commun..

[22]  Joeri de Ruiter,et al.  Analysis of Secure Key Storage Solutions on Android , 2014, SPSM@CCS.

[23]  Gordon J. Pace,et al.  LARVA --- Safer Monitoring of Real-Time Java Programs (Tool Paper) , 2009, 2009 Seventh IEEE International Conference on Software Engineering and Formal Methods.

[24]  Nikolai Kosmatov,et al.  E-ACSL, a Runtime Verification Tool for Safety and Security of C Programs (tool paper) , 2017, RV-CuBES.

[25]  Julien Signoles,et al.  Hybrid Information Flow Analysis for Real-World C Code , 2017, TAP@STAF.

[26]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[27]  Michael Gissing,et al.  Dynamic Enforcement of Platform Integrity , 2010, TRUST.