Verifying Implementations of Security Protocols in CMihhail Aizatulin (avatar@hot.ee)

1. Goal

Our goal is a tool for cryptographic security analysis at implementation level:

Source code of acryptographicprotocolimplementation

Our toolsList of all potentialsecurity flaws orproof of security

2. Motivation: an Attack ExampleHere is an example vulnerability that we would like to prevent. In January

2009 a flaw in the OpenSSL library was discovered, permitting a corrupt certifi-cate to be recognised as valid. A function return value is wrongly interpreted:

i n t c h e c k _ c e r t i f i c a t e ( ) {. . .i f ( c e r t i f i c a t e _ m a l f o r m e d )

return −1;e lse i f ( ! c e r t i f i c a t e _ c h e c k _ o k )

return 0 ;e lse return 1 ; }

/ / l a t e r in c o d e :. . .i f ( c h e c k _ c e r t i f i c a t e ( ) ) / / o ops !{

t r u s t _ c e r t i f i c a t e ( ) ;}

Notice how the -1 return value passes the validity test! An attacker can crafta malformed certificate, pretending to be someone else:

Attacker (= Internet) paypal.comClient

paypal.com Certificate?

Malformed Certificate

Now the attacker can impersonate the client and the bank to each other:

Attacker (= Internet) paypal.comClient

Password?

Password + “get $$$”

Password?

Password

We would like to use formal methods to prove absence of similar flaws.

6. Symbolic ExecutionSymbolic execution is a tool to simplify programs and extract their meaning.

The program is “executed” with symbols as input, instead of numbers:

Concrete: Symbolic:

i n t f ( i n t x , i n t y ) {return ++x ∗ y ++; }

x = 2 y = 3

9

i n t f ( i n t x , i n t y ) {return ++x ∗ y ++; }

x = a y = b

(a + 1)b

We use symbolic execution to derive the formats of messages that the programgenerates.

8. Current StatusDone:• Implemented symbolic execution for fixed bitstring lengths and linear con-

trol flow.• Proved correctness of format abstraction.

To do:• Implement symbolic execution for variable bitstring lengths.• Implement format abstraction.•Add support for arbitrary control flow.

3. AssumptionsWe assume that cryptographic primitives (encryption, hash-

ing) are implemented correctly and are unbreakable.

4. BackgroundVery little has been done for crypto-verification of low-level

languages. We rely on tools for proving security from high-levelspecifications of protocols. Currently we are using ProVerif.

5. ChallengesWe cannot simply reuse existing program verification tools,

because we don’t just verify a program, but a system, consistingof several instances of a program and an unknown attacker.

7. Proposed MethodWe propose to use symbolic execution to extract a high-level

model of the protocol and then use existing tools to verify it.Suppose we use shared key hashing for message integrity:

Am, hash(m, kshared)−−−−−−−−−−→ B.

The client side implementation could look as follows. Note theextra data added to the message: the payload length and a tag.

c l i e n t ( char ∗ payload , i n t payload_len ) {i n t msg_len = 5 + len + SHA1_LEN ;char ∗ msg = malloc ( msg_len ) ;char ∗ p = msg ;∗p = len ; p += 4 ; / / add l e n g t h∗ (p++) = 1 ; / / add t h e t a gmemcpy( payload , p , len ) ; / / add t h e p a y l o a dsha1 (msg , 5 + len , p ) ; / / add t h e hashsend (msg , msg_len ) ; / / s end

}

Using symbolic execution we can summarise the effect of thefunction:

out(len(payload)|01|payload|sha1(len(payload)|01|payload, kshared))

Symbolic Execution

Here “|” stands for bitstring concatenation. High-level verifi-cation tools can’t deal with it directly, so we perform some extraanalysis to prove that concatenation patterns can be abstractedas pure symbolic functions:

out(f1(payload, hash1(payload, kshared)))

Format Abstraction

This is a representation that ProVerif can easily deal with:

Integrity verified.

ProVerif (+ Server Side)

9. ProjectThe project is supervised by Andrew Gordon (Microsoft Research), Jan Jürjens (Dortmund University) and Bashar Nuseibeh (Open University). It

is partially supported through the Microsoft Research PhD Scholarship programme.