
Formal verification of security protocol implementations: a survey

Original Article, published in Formal Aspects of Computing

Abstract

Automated formal verification of security protocols has mostly focused on analyzing high-level abstract models, which differ significantly from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code implementing the protocol logic, rather than the libraries implementing cryptography. These approaches assume that the cryptographic libraries correctly implement some abstract model; the aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches, model extraction and code generation, are presented, along with the main techniques adopted for each.




Correspondence to Riccardo Sisto.

Additional information

by Eerke Boiten and Steve Schneider


Cite this article

Avalle, M., Pironti, A. & Sisto, R. Formal verification of security protocol implementations: a survey. Form Asp Comp 26, 99–123 (2014). https://doi.org/10.1007/s00165-012-0269-9
