Guiding a General-Purpose C Verifier to Prove Cryptographic Protocols

We describe how to verify security properties of C code for cryptographic protocols by using a general-purpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: the use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; the decoration of a crypto API with contracts based on symbolic terms; and the expression of the attacker model in terms of C programs. We rely on the general-purpose verifier VCC, and we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC.
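The first technique in the abstract, attaching a symbolic term to each concrete byte array and flagging a collision when two structurally different terms end up with identical bytes, can be illustrated with a small runtime analogue. The following C program is an added example, not code from the paper or from VCC: in VCC this bookkeeping lives in ghost state that exists only for the prover, whereas here it is an ordinary table so it can be executed. The term algebra (`T_NONCE`, `T_KEY`, `T_PAIR`, `T_ENC`), the function names and the sample byte strings are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Kinds of symbolic term in this toy algebra (constructed for the example). */
typedef enum { T_NONCE, T_KEY, T_PAIR, T_ENC } term_kind;

/* A symbolic term: atomic (nonce/key, identified by id) or compound. */
typedef struct term {
    term_kind kind;
    int id;                    /* meaningful for T_NONCE and T_KEY only    */
    const struct term *left;   /* T_PAIR: first component; T_ENC: key      */
    const struct term *right;  /* T_PAIR: second component; T_ENC: payload */
} term;

/* Structural equality on terms: what "the same term" means in the symbolic model. */
int term_eq(const term *a, const term *b)
{
    if (a == b) return 1;
    if (a == NULL || b == NULL || a->kind != b->kind) return 0;
    switch (a->kind) {
    case T_NONCE:
    case T_KEY:
        return a->id == b->id;
    case T_PAIR:
    case T_ENC:
        return term_eq(a->left, b->left) && term_eq(a->right, b->right);
    }
    return 0;
}

/* Runtime stand-in for the ghost table: which term each byte array stands for. */
#define MAX_ENTRIES 64
#define MAX_BYTES   32
typedef struct { unsigned char bytes[MAX_BYTES]; size_t len; const term *t; } entry;
static entry table[MAX_ENTRIES];
static size_t table_len = 0;

enum { ATTACH_OK = 0, ATTACH_COLLISION = 1, ATTACH_FULL = 2, ATTACH_TOO_LONG = 3 };

void reset_table(void) { table_len = 0; }

/* Record that `bytes` represents term `t`. Re-attaching an equal term to the
   same bytes is harmless (a message seen twice); attaching a structurally
   different term to bytes already in the table is a collision, i.e. a point
   where the symbolic abstraction would no longer match the concrete program. */
int attach(const unsigned char *bytes, size_t len, const term *t)
{
    if (len > MAX_BYTES) return ATTACH_TOO_LONG;
    for (size_t i = 0; i < table_len; i++) {
        if (table[i].len == len && memcmp(table[i].bytes, bytes, len) == 0)
            return term_eq(table[i].t, t) ? ATTACH_OK : ATTACH_COLLISION;
    }
    if (table_len == MAX_ENTRIES) return ATTACH_FULL;
    memcpy(table[table_len].bytes, bytes, len);
    table[table_len].len = len;
    table[table_len].t = t;
    table_len++;
    return ATTACH_OK;
}

/* Constructed scenario 1: two distinct nonces whose (faulty) encoder emits the
   same four bytes. The second attach must report a collision. */
int scenario_distinct_terms_same_bytes(void)
{
    static const term n1 = { T_NONCE, 1, NULL, NULL };
    static const term n2 = { T_NONCE, 2, NULL, NULL };
    static const unsigned char wire[4] = { 0xde, 0xad, 0xbe, 0xef };
    reset_table();
    if (attach(wire, sizeof wire, &n1) != ATTACH_OK) return -1;
    return attach(wire, sizeof wire, &n2);   /* ATTACH_COLLISION */
}

/* Constructed scenario 2: the compound term enc(k, pair(n1, n2)) built twice as
   separate struct instances. Structural equality makes the second attach a
   harmless repeat, not a collision. */
int scenario_same_term_rebuilt(void)
{
    static const term n1  = { T_NONCE, 1, NULL, NULL };
    static const term n2  = { T_NONCE, 2, NULL, NULL };
    static const term k   = { T_KEY,   7, NULL, NULL };
    static const term p_a = { T_PAIR,  0, &n1, &n2 };
    static const term e_a = { T_ENC,   0, &k,  &p_a };
    static const term p_b = { T_PAIR,  0, &n1, &n2 };
    static const term e_b = { T_ENC,   0, &k,  &p_b };
    static const unsigned char ct[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    reset_table();
    if (attach(ct, sizeof ct, &e_a) != ATTACH_OK) return -1;
    return attach(ct, sizeof ct, &e_b);      /* ATTACH_OK */
}

int main(void)
{
    printf("distinct nonces, identical bytes -> %d (1 = collision)\n",
           scenario_distinct_terms_same_bytes());
    printf("same term rebuilt, identical bytes -> %d (0 = ok)\n",
           scenario_same_term_rebuilt());
    return 0;
}
```

The design point is the one the abstract relies on: the symbolic proof is only sound for the concrete code while the bytes-to-terms map stays injective, so the bookkeeping must compare terms structurally (not by pointer) and must treat "same bytes, different term" as a hard failure rather than silently overwriting the earlier entry.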
