Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

@article{Kobeissi2017AutomatedVF,
  title={Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach},
  author={Nadim Kobeissi and Karthikeyan Bhargavan and Bruno Blanchet},
  journal={2017 IEEE European Symposium on Security and Privacy (EuroS\&P)},
  year={2017},
  pages={435-450}
}
Many popular web applications incorporate end-to-end secure messaging protocols, which seek to ensure that messages sent between users are kept confidential and authenticated, even if the web application's servers are broken into or otherwise compelled into releasing all their data. Protocols that promise such strong security guarantees should be held up to rigorous analysis, since protocol flaws and implementation bugs can easily lead to real-world attacks. We propose a novel methodology that…

Verifpal: Cryptographic Protocol Analysis for the Real World
TLDR
Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.
Verifpal: Cryptographic Protocol Analysis for Students and Engineers
TLDR
Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.
Practical Formal Methods for Real World Cryptography
TLDR
A tool chain and framework based on the F∗ programming language is described to formally specify, verify and compile high-performance cryptographic software that is secure by design and ongoing work on using this framework to build verified implementations of privacy preserving machine learning software is concluded.
Formally Verified Cryptographic Web Applications in WebAssembly
TLDR
A new toolchain is presented that compiles Low*, a low-level subset of the F* programming language, into WebAssembly, and formalizes the full translation rules in the paper and implements it in a few thousand lines of OCaml.
PrettyCat: Adaptive guarantee-controlled software partitioning of security protocols
TLDR
This work presents a method and toolset to automatically segregate security related software into an indefinite number of partitions, based on the security guarantees required by the deployed cryptographic building blocks, and demonstrates its applicability and achieves a significant reduction of the trusted computing base.
DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code
TLDR
DY* is a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language that enables it to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.
Noise*: A Library of Verified High-Performance Secure Channel Protocol Implementations (Long Version)
TLDR
This work presents a verified implementation of a Noise protocol compiler that takes any Noise protocol, and produces an optimized C implementation with extensive correctness and security guarantees, and formally state and prove the security of the Noise code.
Automating Cryptographic Protocol Language Generation from Structured Specifications
  • Roberto Metere, Luca Arnaboldi
  • Computer Science
    2022 IEEE/ACM 10th International Conference on Formal Methods in Software Engineering (FormaliSE)
  • 2022
TLDR
This paper models the Diffie-Hellman key exchange with a data-centric approach where the protocol design is stored in a structured way rather than as textual specifications, and extends the tool to export to an additional formal language, ProVerif, as well as a fully running C++ implementation.
Seems Legit: Automated Analysis of Subtle Attacks on Protocols that Use Signatures
TLDR
A hierarchy of new formal models for signature schemes is given that captures subtleties of real-world protocols and allows us to analyse (often unexpected) behaviours of real-world protocols that were previously out of reach of symbolic analysis.
Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS
TLDR
This paper presents a formal framework for group messaging in the F* language and uses it to compare the security and performance of several candidate MLS protocols up to draft 7.0, and presents the first mechanically checked proof for MLS, the new asynchronous group messaging protocol.

References

Verified interoperable implementations of security protocols
TLDR
The approach is developed for protocols written in F#, a dialect of ML, and verified by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols, and is illustrated with protocols for Web services security.
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
TLDR
This paper proposes AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations, and finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers.
Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif
  • B. Blanchet
  • Computer Science, Mathematics
    Found. Trends Priv. Secur.
  • 2016
TLDR
This survey presents an overview of the research on ProVerif, an automatic symbolic protocol verifier that automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses.
Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS
TLDR
This work designs and implements two new TLS extensions that strengthen the authentication guarantees of the handshake and develops an exemplary HTTPS client library that implements several mitigations, on top of a previously verified TLS implementation, and proves that their composition provides strong, simple application security.
Language-based Defenses Against Untrusted Browser Origins
TLDR
Defensive JavaScript (DJS), a subset of the language that guarantees the behavior integrity of scripts even when loaded in a hostile environment, is presented, and a sound type system, type inference tool, and defensive libraries for cryptography and data encodings are given.
On the CCA (in)Security of MTProto
TLDR
An audit of Telegram's Android source code found that the symmetric encryption scheme used in Telegram is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message.
Verified Contributive Channel Bindings for Compound Authentication
TLDR
The first formal models that can reconstruct the recently published triple handshake attacks on TLS are presented, and the first automated analysis of its proposed countermeasure is presented.
A Formal Security Analysis of the Signal Messaging Protocol
TLDR
This work extracts from the implementation a formal description of the abstract protocol, and defines a security model which can capture the "ratcheting" key update structure, and proves the security of Signal's core in this model, demonstrating several standard security properties.
Defensive JavaScript - Building and Verifying Secure Web Components
TLDR
This work presents a tutorial of the DJS language along with motivations for its design, and shows how to program security components in DJS, how to verify their defensiveness using the DJS typechecker, and how to analyze their security properties automatically using ProVerif.
How Secure is TextSecure?
TLDR
It is formally proven that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.