Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC...
Transcript of Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC...
![Page 1: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/1.jpg)
Computational Verification of C ProtocolImplementations by Symbolic Execution
Mihhail Aizatulin1 Andrew Gordon23 Jan Jurjens4
1The Open University
2Microsoft Research Cambridge
3University of Edinburgh
4Dortmund University
October 2012
M. Aizatulin Computational Verification of C Protocols
![Page 2: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/2.jpg)
The Goal
What we ultimately care about is the security of deployed systems.Therefore C programs are our objects of study.
Things to verify: OpenSSL, IPSec, TPM, PKCS11 referenceimplementations, ...
Method: extract a model using symbolic execution, thentranslate it to CryptoVerif.
We check trace properties such as authentication and weaksecrecy, aiming to be automated and sound.
Assume correctness of cryptographic primitives.
Main limitation so far: model extracted from a single programpath.
M. Aizatulin Computational Verification of C Protocols
![Page 3: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/3.jpg)
Example Flaw
In a Microsoft Research implementation of a smart meteringprotocol (1000 LOC):
uns igned char s e s s i o n k e y [ 2 5 6 / 8 ] ;. . .e n c r y p t e d r e a d i n g =
( ( uns igned i n t ) ∗ s e s s i o n k e y ) ˆ ∗ r e a d i n g ;
let msg3 = (hash2{0, 1} castTo ”unsigned int”) ⊕ reading1 in ...
let msg3 = parse1(hash2) ⊕ reading1 in ...
M. Aizatulin Computational Verification of C Protocols
![Page 4: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/4.jpg)
Background
Types of properties and languages.
Low-Level(C, Java)
High-Level(F#)
Formal(π, LySa)
low-level (NULLdereference,division by zero)
• VCC• Frama-C• ESC/Java• SLAM
N/A N/A
high-level(secrecy,authentication)
• CSur• ASPIER• VCC-sec• csec-modex
• F7/F∗
• fs2pv/fs2cv
• ProVerif• CryptoVerif• EasyCrypt• AVISPA
M. Aizatulin Computational Verification of C Protocols
![Page 5: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/5.jpg)
Results
C LOC CV LOC Time Primitives
Simple MAC ∼ 250 107 4s UF-CMA MACSimple XOR ∼ 100 90 4s XORNSL ∼ 450 241 26s IND-CCA2 PKERPC ∼ 600 126 5s UF-CMA MACRPC-enc ∼ 700 200 6s IND-CPA INT-CTXT AEMetering ∼ 1000 266 21s UF-CMA sig, CR/PRF hash
Six protocols verified in the computational model (as opposedto just one in the ProVerif approach).
Found flaws in an NSL implementation and theimplementation of a smart metering protocol.
NSL implementation verified before, but computationalsoundness places unrealistic assumptions!
M. Aizatulin Computational Verification of C Protocols
![Page 6: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/6.jpg)
Overview: What
csec-modex
C source withevent annotations
Models of crypto andenvironment
Propertyspecification
CV model + verification result
M. Aizatulin Computational Verification of C Protocols
![Page 7: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/7.jpg)
Overview: How
C source
C virtual machine (CVM)
Intermediate model language (IML)
CryptoVerif Calculus
Verification Result
CIL
Symbolic execution [Aizatulin et al., 2011]
Formatting Abstraction
CryptoVerif
M. Aizatulin Computational Verification of C Protocols
![Page 8: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/8.jpg)
One-time Pad: Symbolic Execution
uns igned char ∗ p a y l o a d = m a l l o c (PAYLOAD LEN ) ;RAND bytes ( pay load , PAYLOAD LEN ) ;
u l o n g m s g l e n = PAYLOAD LEN + 1 ;uns igned char ∗ msg = m a l l o c ( m s g l e n ) ;
∗ msg = 0 x01 ; // add tagmemcpy ( msg + 1 , pay load , PAYLOAD LEN ) ; // add pay load
uns igned char ∗ pad = otp ( m s g l e n ) ; // one−t ime padx o r ( msg , pad , m s g l e n ) ;
send ( msg , m s g l e n ) ;
new nonce1: fixed 20; out(XOR(01|nonce1, pad))
M. Aizatulin Computational Verification of C Protocols
![Page 9: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/9.jpg)
One-time Pad: CV Model
type fixed 20 [fixed, large].type fixed 21 [fixed, large].
expand Xor(fixed 21, XOR).
query secret nonce1.
fun conc1(fixed 20): fixed 21 [compos].
let A =in(c in, ());new nonce1: fixed 20;out(c out, XOR(conc1(nonce1), pad)); 0 .
process! N (in(c in, ());(∗ one−time pad ∗)new pad: fixed 21;out(c out, ());A)
M. Aizatulin Computational Verification of C Protocols
![Page 10: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/10.jpg)
RPC-enc
A : event client begin(A,B , request)A→ B : A, {request , kS}kAB
B : event server reply(A,B , request , response)B → A : {response}kSA : event client accept(A,B , request , response)
M. Aizatulin Computational Verification of C Protocols
![Page 11: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/11.jpg)
RPC-enc: IML
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet client1 = msg1{5, msg1{1, 4}} inlet cipher1 = msg1{5 + msg1{1, 4}, len(msg1) − (5 + msg1{1, 4})} inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenlet var2 = msg2{5, msg2{1, 4}} inevent server reply(client1, serverID, var2, response);if len(msg2) − (5 + msg2{1, 4}) = 16 thenlet kS = msg2{5 + msg2{1, 4}, len(msg2) − (5 + msg2{1, 4})} innew nonce1: seed;let cipher2 = E(response, kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 12: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/12.jpg)
RPC-enc: Introduce Formatting Functions 1
From A:
conc1(x, y) := ′p′|len(x)|x|yconc2(x, y) := ′p′|len(x)|x|y
From B:
parse1(x) := x{5, x{1, 4}}parse2(x) := x{5 + x{1, 4}, len(x)− (5 + x{1, 4})}parse3(x) := x{5, x{1, 4}}parse4(x) := x{5 + x{1, 4}, len(x)− (5 + x{1, 4})}
M. Aizatulin Computational Verification of C Protocols
![Page 13: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/13.jpg)
RPC-enc: Introduce Formatting Functions 2
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet client1 = msg1{5, msg1{1, 4}} inlet cipher1 = msg1{5 + msg1{1, 4}, len(msg1) − (5 + msg1{1, 4})} inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenlet var2 = msg2{5, msg2{1, 4}} inevent server reply(client1, serverID, var2, response);if len(msg2) − (5 + msg2{1, 4}) = 16 thenlet kS = msg2{5 + msg2{1, 4}, len(msg2) − (5 + msg2{1, 4})} innew nonce1: seed;let cipher2 = E(response, kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 14: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/14.jpg)
RPC-enc: Introduce Formatting Functions 3
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet client1 = parse1(msg1) inlet cipher1 = parse2(msg1) inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenif len(msg2) − (5 + msg2{1, 4}) = 16 thenlet var2 = parse3(msg2) inevent server reply(client1, serverID, var2, response);let kS = parse4(msg2) innew nonce1: seed;let cipher2 = E(response, kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 15: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/15.jpg)
RPC-enc: Type Inference
From user template:
injbot−1 : bitstringbot→ bounded200
E : bounded200 × fixed16 × seed→ bounded200
Therefore
parse4 : bounded200 → fixed16
Similarly
conc1 : bounded100 × bounded200 → bitstring
conc2 : fixed100 × fixed16 → bounded200
parse1 : bitstring→ bounded200
parse2 : bitstring→ bounded200
parse3 : bounded200 → fixed100
M. Aizatulin Computational Verification of C Protocols
![Page 16: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/16.jpg)
RPC-enc: Type Checking 1
Context for parse4:
Φparse4 =(len(msg2) ≤ 200) ∧ (′p′ = msg2{0, 1})∧ (len(msg2) ≥ 5 +msg2{1, 4})∧ (msg2{1, 4} ≤ 100)
∧ (len(msg2)− (5 +msg2{1, 4}) = 16)
The last clause implies that
len(parse4(msg2))
= len(msg2{5 +msg2{1, 4}, len(msg2)− (5 +msg2{1, 4})})= len(msg2)− (5 +msg2{1, 4})} = 16,
thus the type of parse4 is correct.
M. Aizatulin Computational Verification of C Protocols
![Page 17: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/17.jpg)
Example: Type Checking 2
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet client1 = parse1(msg1) inlet cipher1 = parse2(msg1) inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenif len(msg2) − (5 + msg2{1, 4}) = 16 thenlet var2 = parse3(msg2) inevent server reply(client1, serverID, var2, response);let kS = parse4(msg2) innew nonce1: seed;let cipher2 = E(castfixed100→bounded200 (response), kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 18: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/18.jpg)
RPC-enc: Parsing Safety 1
Φparse4 =⇒ ∃x : bounded100, y : bounded200 : msg2 = conc2(x, y)
Additionally, conc2 is injective and for all x : bounded100,y : bounded200
parse3(conc2(x, y)) = x,
parse4(conc2(x, y)) = y.
M. Aizatulin Computational Verification of C Protocols
![Page 19: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/19.jpg)
Example: Parsing Safety 2
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet client1 = parse1(msg1) inlet cipher1 = parse2(msg1) inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenif len(msg2) − (5 + msg2{1, 4}) = 16 thenlet var2 = parse3(msg2) inevent server reply(client1, serverID, var2, response);let kS = parse4(msg2) innew nonce1: seed;let cipher2 = E(castfixed100→bounded200 (response), kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 20: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/20.jpg)
RPC-enc: Parsing Safety 3
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet conc1(client1, cipher1) = msg1 inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenif len(msg2) − (5 + msg2{1, 4}) = 16 thenlet conc2(var2, kS) = msg2 inevent server reply(client1, serverID, var2, response);new nonce1: seed;let cipher2 = E(castfixed100→bounded200 (response), kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 21: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/21.jpg)
RPC-enc: Cleaning Up 1
let A = ...let B =in(c, msg1);if ’p’ = msg1{0, 1} thenif len(msg1) ≥ 5 + msg1{1, 4} thenif msg1{1, 4} ≤ 100 thenif len(msg1) − (5 + msg1{1, 4}) ≤ 200 thenlet conc1(client1, cipher1) = msg1 inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inif ’p’ = msg2{0, 1} thenif len(msg2) ≥ 5 + msg2{1, 4} thenif msg2{1, 4} = 100 thenif len(msg2) − (5 + msg2{1, 4}) = 16 thenlet conc2(var2, kS) = msg2 inevent server reply(client1, serverID, var2, response);new nonce1: seed;let cipher2 = E(castfixed100→bounded200 (response), kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 22: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/22.jpg)
RPC-enc: Cleaning Up 2
let A = ...let B =in(c, msg1);let conc1(client1, cipher1) = msg1 inif client1 = xClient then
let msg2 = injbot−1(D(cipher1, lookup(client1, serverID, db))) inlet conc2(var2, kS) = msg2 inevent server reply(client1, serverID, var2, response);new nonce1: seed;let cipher2 = E(castbounded100→bounded200 (response), kS, nonce1) inout(c, cipher2); 0 .
M. Aizatulin Computational Verification of C Protocols
![Page 23: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/23.jpg)
Formatting Abstraction: Summary
To simplify IML to CV:
Replace formatting expressions by function symbols.
Prove that formatting functions are type-safe in context.Introduce type casts when necessary and justified.
Recognize places where parsing is safe and introduce patternmatching there.
Remove arithmetic conditionals.
M. Aizatulin Computational Verification of C Protocols
![Page 24: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/24.jpg)
Soundness
CryptoVerif
Special value ⊥.
Arbitrary securityparameter k.
Must be type-safe.
cvinsec(Q, ρ, k)
C/IML
No special value, failure stopsexecution.
Fixed security parameter k0.
No types for bitstrings.
insec(Q, ρ)
Theorem (CryptoVerif Translation is Sound)
Let Q be an IML process that successfully translates to aCryptoVerif process Q. Then for any evaluation context C and anycorrespondence property ρ
insec(C[Q], ρ) ≤ cvinsec(C[Q], ρ, k0).
M. Aizatulin Computational Verification of C Protocols
![Page 25: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/25.jpg)
Tool Support in Cryptography
There is a trend of developing tool support for cryptographic tools:ProVerif, CryptoVerif, EasyCrypt, F7. Personal experience:CryptoVerif is great!
Makes proofs easier. Halevi, 2005:“The problem is that as a community, we generate moreproofs than we carefully verify (and as a consequence some ofour published proofs are incorrect).”
Have a common language for security specifications,modelling protocols, and doing proofs.
Is cryptography mature enough, so that instead of writing proofswe can start writing tools to do proofs for us?
M. Aizatulin Computational Verification of C Protocols
![Page 26: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/26.jpg)
Current Status
Implementation available fromhttps://github.com/tari3x/csec-modex
Csec-challenge:http://research.microsoft.com/csec-challenge
Working on verifying PolarSSL.
Open questions:
Observational equivalence/simulation.
Support arbitrary control flow.
M. Aizatulin Computational Verification of C Protocols
![Page 27: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/27.jpg)
Thank you!
M. Aizatulin Computational Verification of C Protocols
![Page 28: Computational Verification of C Protocol Implementations ...€¦ · RPC ˘600 126 5s UF-CMA MAC RPC-enc ˘700 200 6s IND-CPA INT-CTXT AE Metering ˘1000 266 21s UF-CMA sig, CR/PRF](https://reader033.fdocuments.in/reader033/viewer/2022050304/5f6d067b89b35171a826dc78/html5/thumbnails/28.jpg)
Bibliography
Mihhail Aizatulin, Andrew D. Gordon, and Jan Jurjens.Extracting and verifying cryptographic models from C protocolcode by symbolic execution.In 18th ACM Conference on Computer and CommunicationsSecurity (CCS 2011), 2011.Full version available at http://arxiv.org/abs/1107.1017.
M. Aizatulin Computational Verification of C Protocols