Affine Refinement Types for Secure Distributed Programming

Recent research has shown that it is possible to leverage general-purpose theorem-proving techniques to develop powerful type systems for the verification of a wide range of security properties on application code. Although successful in many respects, these type systems fall short of capturing resource-conscious properties that are crucial in large classes of modern distributed applications. In this article, we propose the first type system that statically enforces the safety of cryptographic protocol implementations with respect to authorization policies expressed in affine logic. Our type system draws on a novel notion of “exponential serialization” of affine formulas, a general technique to protect affine formulas from the effect of duplication. This technique allows the formulation of an expressive logical encoding of the authentication mechanisms underpinning distributed resource-aware authorization policies. We discuss the effectiveness of our approach on two case studies: the EPMO e-commerce protocol and the Kerberos authentication protocol. We finally devise a sound and complete type-checking algorithm, which is the key to achieving an efficient implementation of our analysis technique.
