Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

@article{Kobeissi2017AutomatedVF,
  title={Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach},
  author={Nadim Kobeissi and Karthikeyan Bhargavan and Bruno Blanchet},
  journal={2017 IEEE European Symposium on Security and Privacy (EuroS\&P)},
  year={2017},
  pages={435-450}
}
Many popular web applications incorporate end-to-end secure messaging protocols, which seek to ensure that messages sent between users are kept confidential and authenticated, even if the web application's servers are broken into or otherwise compelled into releasing all their data. Protocols that promise such strong security guarantees should be held up to rigorous analysis, since protocol flaws and implementations bugs can easily lead to real-world attacks. We propose a novel methodology that… 

Verifpal: Cryptographic Protocol Analysis for the Real World
TLDR
Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.
Verifpal: Cryptographic Protocol Analysis for Students and Engineers
TLDR
Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.
Practical Formal Methods for Real World Cryptography
TLDR
A tool chain and framework based on the F∗ programming language is described to formally specify, verify and compile high-performance cryptographic software that is secure by design and ongoing work on using this framework to build verified implementations of privacy preserving machine learning software is concluded.
Formally Verified Cryptographic Web Applications in WebAssembly
TLDR
A new toolchain is presented that compiles Low*, a low-level subset of the F* programming language, into WebAssembly, and formalizes the full translation rules in the paper and implements it in a few thousand lines of OCaml.
DY: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code
TLDR
DY is a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language that enables it to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.
Seems Legit: Automated Analysis of Subtle Attacks on Protocols that Use Signatures
TLDR
A hierarchy of new formal models for signature schemes is given that captures subtleties of real-world protocols and allows the analysis of (often unexpected) behaviours of real-world protocols that were previously out of reach of symbolic analysis.
A Formal Model for Checking Cryptographic API Usage in JavaScript
TLDR
A dynamic variant of Security Annotations, which represents security properties of values via type-like information, is constructed within an existing JavaScript semantics and mechanize it to obtain a reference interpreter for JavaScript with embedded Security Annotations.
Automated Symbolic Verification of Telegram's MTProto 2.0
TLDR
This paper provides a fully automated proof of the soundness of MTProto 2.0's authentication, normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several security properties, including authentication, integrity, confidentiality and perfect forward secrecy.
Poster: Towards a Data Centric Approach for the Design and Verification of Cryptographic Protocols
TLDR
This paper demonstrates how easy MetaCP makes it to design and verify a protocol going from the graphical design to formally verified protocol using a Tamarin prover plugin.
Formal Analysis of QUIC Handshake Protocol Using Symbolic Model Checking
TLDR
A formal model of the QUIC handshake protocol is developed and a comprehensive formal security analysis is performed by using two state-of-the-art model checking tools for cryptographic protocols, i.e., ProVerif and Verifpal, showing that ProVerif is generally more powerful than Verifpal in terms of verifying authentication properties.

References

Verified interoperable implementations of security protocols
TLDR
The approach is developed for protocols written in F#, a dialect of ML, and verified by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols, and is illustrated with protocols for Web services security.
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
TLDR
This paper proposes AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations, and finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers.
Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif
  • B. Blanchet
  • Computer Science, Mathematics
    Found. Trends Priv. Secur.
  • 2016
TLDR
This survey presents an overview of the research on ProVerif, an automatic symbolic protocol verifier that automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses.
Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS
TLDR
This work designs and implements two new TLS extensions that strengthen the authentication guarantees of the handshake and develops an exemplary HTTPS client library that implements several mitigations, on top of a previously verified TLS implementation, and proves that their composition provides strong, simple application security.
Language-based Defenses Against Untrusted Browser Origins
TLDR
Defensive JavaScript (DJS), a subset of the language that guarantees the behavior integrity of scripts even when loaded in a hostile environment, is presented, and a sound type system, type inference tool, and defensive libraries for cryptography and data encodings are given.
On the CCA (in)Security of MTProto
TLDR
An audit of Telegram's Android source code found that the symmetric encryption scheme used in Telegram is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message.
Verified Contributive Channel Bindings for Compound Authentication
TLDR
The first formal models that can reconstruct the recently published triple handshake attacks on TLS are presented, and the first automated analysis of its proposed countermeasure is presented.
A Formal Security Analysis of the Signal Messaging Protocol
TLDR
This work extracts from the implementation a formal description of the abstract protocol, and defines a security model which can capture the "ratcheting" key update structure, and proves the security of Signal's core in this model, demonstrating several standard security properties.
How Secure is TextSecure?
TLDR
It is formally proved that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.
Off-the-record communication, or, why not to use PGP
TLDR
This paper presents a protocol for secure online communication, called "off-the-record messaging", which has properties better-suited for casual conversation than do systems like PGP or S/MIME.