Abstract
Automated formal verification of security protocols has mostly focused on high-level abstract models, which differ significantly from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code implementing the protocol logic, rather than the libraries implementing cryptography. In these approaches, the cryptographic libraries are assumed to correctly implement their abstract models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches, model extraction and code generation, are presented, along with the main techniques adopted for each.
Additional information
by Eerke Boiten and Steve Schneider
Avalle, M., Pironti, A. & Sisto, R. Formal verification of security protocol implementations: a survey. Form Asp Comp 26, 99–123 (2014). https://doi.org/10.1007/s00165-012-0269-9