Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Verifying Implementations
       of Security Protocols in C

             Mihhail Aizatulin1
                 supervised b...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
The Goal

    Source code of a                Our goal is a tool for security
    cryptographic protocol          analysis...
Motivation (I)

  OpenSSL library bug, January 2009:

    int c h e c k c e r t i f i c a t e (){
      ...
      if ( cer...
Motivation (II)




   An attacker can craft a malformed certificate, pretending to be
   someone else:

         paypal.co...
Motivation (III)




   Now the attacker can impersonate the client and the bank to each
   other:

            Password? ...
Background




                          Machine Languages                Formal Languages
                              (...
Background

  There has been great progress in
      static software analysis,




                           Machine Lang...
Background

  There has been great progress in
      static software analysis,
      verification of protocol specifications...
Background

  There has been great progress in
      static software analysis,
      verification of protocol specifications...
ProVerif
  ProVerif is a protocol verifier we would like to use. Its models are
  much more abstract than C.




          ...
ProVerif
  ProVerif is a protocol verifier we would like to use. Its models are
  much more abstract than C.
       ProVeri...
ProVerif
  ProVerif is a protocol verifier we would like to use. Its models are
  much more abstract than C.
       ProVeri...
Symbolic Execution

  Symbolic execution is a tool to simplify programs and extract their
  meaning.

             Concret...
Method (I)


               m, hash(m, kshared )
             A − − − − − − → B.
                −−−−−−




              ...
Method (I)


                             m, hash(m, kshared )
                          A − − − − − − → B.
              ...
Method (II)

     c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) {
         i n t m s g l e n = 5 + l e ...
Method (II)

     c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) {
         i n t m s g l e n = 5 + l e ...
Method (III)

                                       ...
                                                 Symbolic Executi...
Method (III)

                                         ...
                                                   Symbolic Exe...
Method (III)

                                         ...
                                                   Symbolic Exe...
Current Status



  Done:
      Implemented symbolic execution for fixed bitstring lengths
      and linear control flow.
  ...
Thank you!




 M. Aizatulin   Verifying Implementations of Security Protocols in C
Upcoming SlideShare
Loading in …5
×

Aizatulin slides-4-3

704 views

Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Aizatulin slides-4-3

  1. 1. Verifying Implementations of Security Protocols in C Mihhail Aizatulin1 supervised by Andrew Gordon2 , Jan J¨rjens3 , Bashar Nuseibeh1 u 1 The Open University 2 Microsoft Research Cambridge 3 Dortmund University CRC PhD Student Conference Open University June 3-4, 2010 M. Aizatulin Verifying Implementations of Security Protocols in C
  2. 2. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation Our tools List of all potential security flaws or proof of security M. Aizatulin Verifying Implementations of Security Protocols in C
  3. 3. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation The analysis should be automated, Our tools List of all potential security flaws or proof of security M. Aizatulin Verifying Implementations of Security Protocols in C
  4. 4. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation The analysis should be automated, sound (not miss any bugs), Our tools List of all potential security flaws or proof of security M. Aizatulin Verifying Implementations of Security Protocols in C
  5. 5. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation The analysis should be automated, sound (not miss any bugs), scalable (aim to verify Our tools OpenSSL or Kerberos). List of all potential security flaws or proof of security M. Aizatulin Verifying Implementations of Security Protocols in C
  6. 6. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation The analysis should be automated, sound (not miss any bugs), scalable (aim to verify Our tools OpenSSL or Kerberos). We assume that cryptographic primitives are implemented correctly, List of all potential security flaws or proof of security M. Aizatulin Verifying Implementations of Security Protocols in C
  7. 7. The Goal Source code of a Our goal is a tool for security cryptographic protocol analysis at implementation level. implementation The analysis should be automated, sound (not miss any bugs), scalable (aim to verify Our tools OpenSSL or Kerberos). We assume that cryptographic primitives are implemented correctly, List of all potential security flaws or proof cryptography is unbreakable of security (for now). M. Aizatulin Verifying Implementations of Security Protocols in C
  8. 8. Motivation (I) OpenSSL library bug, January 2009: int c h e c k c e r t i f i c a t e (){ ... if ( certificate malformed ) r e t u r n −1; else i f (! c e r t i f i c a t e c h e c k o k ) return 0; else return 1;} // l a t e r i n code : ... i f ( c h e c k c e r t i f i c a t e ( ) ) // o o p s ! { trust certificate (); } M. Aizatulin Verifying Implementations of Security Protocols in C
  9. 9. Motivation (II) An attacker can craft a malformed certificate, pretending to be someone else: paypal.com Certificate? Malformed Certificate Client Attacker (= Internet) paypal.com M. Aizatulin Verifying Implementations of Security Protocols in C
  10. 10. Motivation (III) Now the attacker can impersonate the client and the bank to each other: Password? Password? Password Password + “get $$$” Client Attacker (= Internet) paypal.com M. Aizatulin Verifying Implementations of Security Protocols in C
  11. 11. Background Machine Languages Formal Languages (C, Java) (π-calculus, LySa) low-level properties (NULL dereference, division by zero) high-level properties (secrecy, authentica- tion) M. Aizatulin Verifying Implementations of Security Protocols in C
  12. 12. Background There has been great progress in static software analysis, Machine Languages Formal Languages (C, Java) (π-calculus, LySa) low-level properties VCC Frama-C (NULL dereference, ESC/Java division by zero) SLAM high-level properties (secrecy, authentica- tion) M. Aizatulin Verifying Implementations of Security Protocols in C
  13. 13. Background There has been great progress in static software analysis, verification of protocol specifications. Machine Languages Formal Languages (C, Java) (π-calculus, LySa) low-level properties VCC Frama-C (NULL dereference, ESC/Java division by zero) SLAM high-level properties ProVerif/CryptoVerif (secrecy, authentica- AVISPA tion) LySatool M. Aizatulin Verifying Implementations of Security Protocols in C
  14. 14. Background There has been great progress in static software analysis, verification of protocol specifications. But so far very little progress in where the two meet. Machine Languages Formal Languages (C, Java) (π-calculus, LySa) low-level properties VCC Frama-C (NULL dereference, ESC/Java division by zero) SLAM high-level properties ProVerif/CryptoVerif CSur (secrecy, authentica- AVISPA Our Goal tion) LySatool M. Aizatulin Verifying Implementations of Security Protocols in C
  15. 15. ProVerif ProVerif is a protocol verifier we would like to use. Its models are much more abstract than C. M. Aizatulin Verifying Implementations of Security Protocols in C
  16. 16. ProVerif ProVerif is a protocol verifier we would like to use. Its models are much more abstract than C. ProVerif M ::= expression a, b, c name x, y, z variable f (M1 , . . . , Mn ) constructor M. Aizatulin Verifying Implementations of Security Protocols in C
  17. 17. ProVerif ProVerif is a protocol verifier we would like to use. Its models are much more abstract than C. ProVerif C M ::= expression M, N ::= expression a, b, c name 0, . . . , ’a’, . . . constant x, y, z variable M op N operator f (M1 , . . . , Mn ) constructor u lvalue &u reference u ::= lvalue x, y, z variable ∗u dereference u.f ield field access u[i] array access M. Aizatulin Verifying Implementations of Security Protocols in C
  18. 18. Symbolic Execution Symbolic execution is a tool to simplify programs and extract their meaning. Concrete: Symbolic: x = 2 y = 3 x = a y = b i n t f ( i n t x , i n t y ){ i n t f ( i n t x , i n t y ){ r e t u r n ++x ∗ y++;} r e t u r n ++x ∗ y++;} 9 (a + 1)b M. Aizatulin Verifying Implementations of Security Protocols in C
  19. 19. Method (I) m, hash(m, kshared ) A − − − − − − → B. −−−−−− M. Aizatulin Verifying Implementations of Security Protocols in C
  20. 20. Method (I) m, hash(m, kshared ) A − − − − − − → B. −−−−−− Client side implemented as: c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) { i n t m s g l e n = 5 + l e n + SHA1 LEN ; char ∗ msg = m a l l o c ( m s g l e n ) ; char ∗ p = msg ; ∗p = l e n ; p += 4 ; // add l e n g t h ∗ ( p++) = 1 ; // add t h e t a g memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h s e n d ( msg , m s g l e n ) ; // s e n d } M. Aizatulin Verifying Implementations of Security Protocols in C
  21. 21. Method (II) c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) { i n t m s g l e n = 5 + l e n + SHA1 LEN ; char ∗ msg = m a l l o c ( m s g l e n ) ; char ∗ p = msg ; ∗p = l e n ; p += 4 ; // add l e n g t h ∗ ( p++) = 1 ; // add t h e t a g memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h s e n d ( msg , m s g l e n ) ; // s e n d } M. Aizatulin Verifying Implementations of Security Protocols in C
  22. 22. Method (II) c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) { i n t m s g l e n = 5 + l e n + SHA1 LEN ; char ∗ msg = m a l l o c ( m s g l e n ) ; char ∗ p = msg ; ∗p = l e n ; p += 4 ; // add l e n g t h ∗ ( p++) = 1 ; // add t h e t a g memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h s e n d ( msg , m s g l e n ) ; // s e n d } Symbolic Execution out(len(payload )|01| payload |sha1(len(payload )|01| payload, kshared )) M. Aizatulin Verifying Implementations of Security Protocols in C
  23. 23. Method (III) ... Symbolic Execution out(len(payload )|01| payload |sha1(len(payload )|01| payload, kshared )) M. Aizatulin Verifying Implementations of Security Protocols in C
  24. 24. Method (III) ... Symbolic Execution out(len(payload )|01| payload |sha1(len(payload )|01| payload, kshared )) Format Abstraction out(f1 (payload, hash1 (payload, kshared ))) M. Aizatulin Verifying Implementations of Security Protocols in C
  25. 25. Method (III) ... Symbolic Execution out(len(payload )|01| payload |sha1(len(payload )|01| payload, kshared )) Format Abstraction out(f1 (payload, hash1 (payload, kshared ))) ProVerif (+ Server Side) Integrity verified. M. Aizatulin Verifying Implementations of Security Protocols in C
  26. 26. Current Status Done: Implemented symbolic execution for fixed bitstring lengths and linear control flow. Proved correctness of format abstraction. To do: Implement symbolic execution for variable bitstring lengths. Implement format abstraction. Add support for arbitrary control flow. M. Aizatulin Verifying Implementations of Security Protocols in C
  27. 27. Thank you! M. Aizatulin Verifying Implementations of Security Protocols in C

×