Code security analysis of a biometric authentication system using automated theorem provers

Understanding the security goals provided by cryptographic protocol implementations is known to be difficult, since security requirements such as secrecy, integrity and authenticity of data are notoriously hard to establish, especially in the context of cryptographic interactions. A lot of research has been devoted to developing formal techniques to analyze abstract specifications of cryptographic protocols. Less attention has been paid to the analysis of cryptoprotocol implementations, for which a formal link to specifications is often not available. In this paper, we apply an approach for determining the security goals provided by a C implementation to an industrial-strength biometric authentication system. Our approach is based on control flow graphs and automated theorem provers for first-order logic.
