DOI: 10.1145/1706299.1706350
Research article

Modular verification of security protocol code by typing

Published: 17 January 2010

Abstract

We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We develop cryptographic libraries that embed a logic model of their cryptographic structures and that specify preconditions and postconditions on their functions so as to maintain their invariants. We present a theory to justify the soundness of modular code verification via our method.
We implement the method for protocols coded in F# and verified using F7, our SMT-based typechecker for refinement types, that is, types carrying formulas to record invariants. As illustrated by a series of programming examples, our method can flexibly deal with a range of different cryptographic constructions and protocols.
We evaluate the method on a series of larger case studies of protocol code, previously checked using whole-program analyses based on ProVerif, a leading verifier for cryptographic protocols. Our results indicate that compositional verification by typechecking with refinement types is more scalable than the best domain-specific analysis currently available for cryptographic code.




Published In

POPL '10: Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2010, 520 pages
ISBN: 9781605584799
DOI: 10.1145/1706299

Also published in ACM SIGPLAN Notices, Volume 45, Issue 1 (POPL '10)
January 2010, 500 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1707801

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

f7, refinement type


Acceptance Rates

Overall acceptance rate: 824 of 4,130 submissions (20%)


Article Metrics

• Downloads (last 12 months): 11
• Downloads (last 6 weeks): 0
Reflects downloads up to 26 Dec 2024

Cited By

• (2024) Layered Symbolic Security Analysis in DY*. Computer Security – ESORICS 2023, pp. 3-21. DOI: 10.1007/978-3-031-51479-1_1. Online publication date: 12 Jan 2024.
• (2023) Sound Verification of Security Protocols: From Design to Interoperable Implementations. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1077-1093. DOI: 10.1109/SP46215.2023.10179325. Online publication date: May 2023.
• (2022) Noise: A Library of Verified High-Performance Secure Channel Protocol Implementations. 2022 IEEE Symposium on Security and Privacy (SP), pp. 107-124. DOI: 10.1109/SP46214.2022.9833621. Online publication date: May 2022.
• (2021) An In-Depth Symbolic Security Analysis of the ACME Standard. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2601-2617. DOI: 10.1145/3460120.3484588. Online publication date: 12 Nov 2021.
• (2021) DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 523-542. DOI: 10.1109/EuroSP51992.2021.00042. Online publication date: Sep 2021.
• (2021) Learning Assumptions for Verifying Cryptographic Protocols Compositionally. Formal Aspects of Component Software, pp. 3-23. DOI: 10.1007/978-3-030-90636-8_1. Online publication date: 28 Oct 2021.
• (2020) A Dynamic Data Slice Approach to the Vulnerability Analysis of E-Commerce Systems. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 50(10), pp. 3598-3612. DOI: 10.1109/TSMC.2018.2862387. Online publication date: Oct 2020.
• (2020) Analyzing Security Protocol Web Implementations Based on Model Extraction With Applied PI Calculus. IEEE Access, 8, pp. 26623-26636. DOI: 10.1109/ACCESS.2020.2971615. Online publication date: 2020.
• (2020) System-Level Non-interference of Constant-Time Cryptography. Part II: Verified Static Analysis and Stealth Memory. Journal of Automated Reasoning. DOI: 10.1007/s10817-020-09548-x. Online publication date: 17 Feb 2020.
• (2018) Symbolic execution of security protocol implementations. Proceedings of the 12th USENIX Conference on Offensive Technologies, p. 13. DOI: 10.5555/3307423.3307436. Online publication date: 13 Aug 2018.
