Validation of security protocol implementations from security objectives

Protocol security testing aims to find defects in protocols and in their implementations before they can be exploited by hostile (threatening) requests. Unlike verification of an abstract model, it requires concrete experiments against a real, physical implementation. As protocols grow more complex, and the set of possible malicious inputs grows with them, the number of scenarios that would have to be computed in advance explodes combinatorially; this state-space explosion is the central obstacle. To address it, we apply the notion of Security Objectives to protocol security testing and generate test cases on the fly, guided by the objective being checked, instead of enumerating the input space beforehand. We present the model, the approach and the algorithm of this verification method, and illustrate it with a case study on an authentication service.
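
To make the idea of objective-driven, on-the-fly test generation concrete, the following is an added illustration in Python; it is not the paper's model, algorithm or case study. It assumes a toy two-message authentication service (HELLO opens a session, AUTH presents a user and credential), a constructed credential store, a security objective written as a small observer automaton over (input, output) pairs, and a hypothetical defective implementation that compares passwords case-insensitively. The generator derives its test sequences from the negation of the objective and stops at the first violation; exhaustive_size gives the number of sequences a blind enumeration of the same alphabet would require.

```python
"""Objective-driven, on-the-fly test generation for a toy authentication
service. Added illustration only; constructed data and hypothetical IUTs."""

VALID = {"alice": "s3cret"}   # constructed credential store shared by spec and IUTs

# Protocol inputs: ("HELLO",) opens a session, ("AUTH", user, cred) presents a
# credential. Outputs: "CHALLENGE", "ACCEPT", "REJECT".

class CorrectIUT:
    """Reference implementation: ACCEPT only after HELLO and with a valid credential."""
    def __init__(self):
        self.challenged = False

    def step(self, msg):
        if msg[0] == "HELLO":
            self.challenged = True
            return "CHALLENGE"
        if msg[0] == "AUTH" and self.challenged:
            self.challenged = False            # one AUTH per session
            return "ACCEPT" if VALID.get(msg[1]) == msg[2] else "REJECT"
        return "REJECT"

class BuggyIUT(CorrectIUT):
    """Hypothetical defect: password comparison is case-insensitive."""
    def step(self, msg):
        if msg[0] == "AUTH" and self.challenged:
            self.challenged = False
            stored = VALID.get(msg[1])
            ok = (stored is not None and isinstance(msg[2], str)
                  and stored.lower() == msg[2].lower())
            return "ACCEPT" if ok else "REJECT"
        return super().step(msg)

def objective_step(obs, msg, out):
    """Security objective as an observer automaton over (input, output) pairs.
    States: 'fresh', 'challenged', 'violated'. Violated when ACCEPT is produced
    without a preceding HELLO in the session or for an unregistered credential."""
    if obs == "violated":
        return obs
    if msg[0] == "HELLO":
        return "challenged"
    if msg[0] == "AUTH":
        if out == "ACCEPT" and (obs != "challenged" or VALID.get(msg[1]) != msg[2]):
            return "violated"
        return "fresh"
    return obs

def hostile_credentials(user, cred):
    """Mutations of the legitimate credential, derived from the objective's
    'unregistered credential' clause. Constructed list for the illustration."""
    return [(user, ""), (user, cred + "x"), (user, cred[:-1]), (user, cred.upper()),
            (user, "A" * 4096), (user, None), ("", cred), (user + "\x00", cred),
            ("bob", cred)]

def generate_tests(user, cred):
    """Yield test sequences on demand. Each targets one clause of the objective's
    violation condition instead of enumerating the whole input space."""
    # Clause 1: ACCEPT without a session (no HELLO first).
    yield [("AUTH", user, cred)]
    # Clause 2: ACCEPT for an unregistered credential inside a session.
    for u, c in hostile_credentials(user, cred):
        yield [("HELLO",), ("AUTH", u, c)]
    # Clause 2 after a completed session: session state must have been reset.
    for u, c in hostile_credentials(user, cred):
        yield [("HELLO",), ("AUTH", user, cred), ("AUTH", u, c)]

def run_campaign(iut_factory, user="alice", cred="s3cret"):
    """Run generated tests against a fresh IUT each; stop at the first violation."""
    executed = 0
    for seq in generate_tests(user, cred):
        iut, obs = iut_factory(), "fresh"
        executed += 1
        for msg in seq:
            obs = objective_step(obs, msg, iut.step(msg))
            if obs == "violated":
                return {"verdict": "FAIL", "tests": executed, "trace": seq}
    return {"verdict": "PASS", "tests": executed, "trace": None}

def exhaustive_size(user, cred, depth):
    """Sequences a blind enumeration of the same alphabet needs at a given depth:
    HELLO, the valid AUTH and every hostile AUTH, at each position."""
    alphabet = 2 + len(hostile_credentials(user, cred))
    return alphabet ** depth

if __name__ == "__main__":
    print(run_campaign(CorrectIUT))          # PASS after 19 targeted tests
    print(run_campaign(BuggyIUT))            # FAIL on the case-changed password
    print(exhaustive_size("alice", "s3cret", 3))   # 1331 sequences for depth 3
```

The observer is deliberately kept separate from the implementation under test: it only sees the messages that cross the interface, which is what a tester of a real, physical implementation can observe. The campaign against the defective implementation stops at the fifth test with the offending trace, whereas enumerating all three-message sequences over the same alphabet would take 1331 runs before the same verdict could be claimed.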