Verifying Implementations of Security Protocols in C
Mihhail Aizatulin (

   1. Goal
Upcoming SlideShare
Loading in …5

Aizatulin poster


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Aizatulin poster

  1. 1. Verifying Implementations of Security Protocols in C Mihhail Aizatulin ( 1. Goal Our goal is a tool for cryptographic security analysis at implementation level: Source code of a List of all potential cryptographic Our tools security flaws or protocol proof of security implementation 2. Motivation: an Attack Example 3. Assumptions Here is an example vulnerability that we would like to prevent. In January We assume that cryptographic primitives (encryption, hash- 2009 a flaw in the OpenSSL library was discovered, permitting a corrupt certifi- ing) are implemented correctly and are unbreakable. cate to be recognised as valid. A function return value is wrongly interpreted: int check_certificate ( ) { / / l a t e r in code : 4. Background ... ... if ( certificate_malformed ) if ( check_certificate ()) / / oops ! Very little has been done for crypto-verification of low-level r e t u r n − 1; { languages. We rely on tools for proving security from high-level else if ( ! certificate_check_ok ) trust_certificate (); specifications of protocols. Currently we are using ProVerif. return 0 ; } else return 1 ; } Notice how the -1 return value passes the validity test! An attacker can craft 5. Challenges a malformed certificate, pretending to be someone else: We cannot simply reuse existing program verification tools, because we don’t just verify a program, but a system, consisting Certificate? of several instances of a program and an unknown attacker. Malformed Certificate Client Attacker (= Internet) 7. Proposed Method We propose to use symbolic execution to extract a high-level Now the attacker can impersonate the client and the bank to each other: model of the protocol and then use existing tools to verify it. Suppose we use shared key hashing for message integrity: Password? Password? m, hash(m, k shared ) Password Password + “get $$$” A−−−−−−−−−− B. → Client Attacker (= Internet) The client side implementation could look as follows. Note the extra data added to the message: the payload length and a tag. We would like to use formal methods to prove absence of similar flaws. c l i e n t ( char ∗ payload , i n t payload_len ) { i n t msg_len = 5 + l e n + SHA1_LEN ; 6. Symbolic Execution char ∗ msg = malloc ( msg_len ) ; char ∗ p = msg ; Symbolic execution is a tool to simplify programs and extract their meaning. ∗p = l e n ; p += 4 ; / / add l e n g t h The program is “executed” with symbols as input, instead of numbers: ∗ ( p++) = 1 ; / / add t h e t a g memcpy( payload , p , l e n ) ; / / add t h e p a y l o a d Concrete: Symbolic: sha1 ( msg , 5 + len , p ) ; / / add t h e h a s h x = 2 y = 3 x = a y = b send ( msg , msg_len ) ; / / send } int f ( int x , int y ) { int f ( int x , int y ) { Using symbolic execution we can summarise the effect of the r e t u r n ++x ∗ y + + ; } r e t u r n ++x ∗ y + + ; } function: Symbolic Execution 9 ( a + 1) b out(len(payload)|01|payload We use symbolic execution to derive the formats of messages that the program |sha1(len(payload)|01|payload, kshared )) generates. Here “|” stands for bitstring concatenation. High-level verifi- 8. Current Status cation tools can’t deal with it directly, so we perform some extra analysis to prove that concatenation patterns can be abstracted Done: as pure symbolic functions: • Implemented symbolic execution for fixed bitstring lengths and linear con- Format Abstraction trol flow. • Proved correctness of format abstraction. out(f 1(payload, hash1(payload, kshared ))) To do: This is a representation that ProVerif can easily deal with: • Implement symbolic execution for variable bitstring lengths. ProVerif (+ Server Side) • Implement format abstraction. • Add support for arbitrary control flow. Integrity verified. 9. Project The project is supervised by Andrew Gordon (Microsoft Research), Jan Jürjens (Dortmund University) and Bashar Nuseibeh (Open University). It is partially supported through the Microsoft Research PhD Scholarship programme.