Pseudo-Random Number Generator Verification: A Case Study

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9593)

Abstract

In 2013, a monetarily moderate but widely noted bitcoin theft drew attention to a flaw in Android’s pseudo random number generator (PRNG). A programming error affecting the information flow in the seeding code of the generator has weakened the security of the cryptographic protocol behind bitcoin transactions.

We demonstrate that logic-based verification can be efficiently applied to safeguard against this particular class of vulnerabilities, which are very difficult to detect otherwise. As a technological vehicle, we use the KeY verification system for Java. We show how to specify PRNG seeding with information flow contracts from the KeY’s extension to the Java Modeling Language (JML) and report our experiences in verifying the actual implementation.

References

  1. 1.
    Ahrendt, W., et al.: The KeY platform for verification and analysis of Java programs. In: Giannakopoulou, D., Kroening, D. (eds.) VSTTE 2014. LNCS, vol. 8471, pp. 55–71. Springer, Heidelberg (2014)Google Scholar
  2. 2.
    Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 203–212. ACM (2005)Google Scholar
  3. 3.
    Bitcoin.org. Android security vulnerability (2013). https://bitcoin.org/en/alert/2013-08-11-android
  4. 4.
    Cornejo, M., Ruhault, S.: Characterization of real-life PRNGs under partial state corruption. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 1004–1015. ACM (2014)Google Scholar
  5. 5.
    Debian Weak Key Vulnerability. CVE-2008-0166 (2008). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
  6. 6.
    Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 647–658. ACM (2013)Google Scholar
  7. 7.
    Gurney, J.-M.: URGENT: RNG broken for last 4 months (2015). https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
  8. 8.
    Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)CrossRefGoogle Scholar
  9. 9.
    The KeY Tool. www.key-project.org
  10. 10.
    Klebanov, V.: Precise quantitative information flow analysis - a symbolic approach. Theoret. Comput. Sci. 538, 124–139 (2014)MathSciNetCrossRefMATHGoogle Scholar
  11. 11.
    Klebanov, V., Manthey, N., Muise, C.: SAT-based analysis and quantification of information flow in programs. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 177–192. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  12. 12.
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: a behavioral interface specification language for Java. SIGSOFT Softw. Eng. Notes 31(3), 1–38 (2006)CrossRefGoogle Scholar
  13. 13.
    Michaelis, K., Meyer, C., Schwenk, J.: Randomly failed! the state of randomness in current Java implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 129–144. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  14. 14.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003)MathSciNetCrossRefMATHGoogle Scholar
  15. 15.
    Scheben, C.: Program-level specification and deductive verification of security properties. Ph.D. thesis, Karlsruhe Institute of Technology (2014)Google Scholar
  16. 16.
    Scheben, C., Schmitt, P.H.: Verification of information flow properties of Java programs without approximations. In: Beckert, B., Damiani, F., Gurov, D. (eds.) FoVeOOS 2011. LNCS, vol. 7421, pp. 232–249. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Scheben, C., Schmitt, P.H.: Efficient self-composition for weakest precondition calculi. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 579–594. Springer, Heidelberg (2014)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Karlsruhe Institute of Technology (KIT)KarlsruheGermany

Personalised recommendations