Sums and Lovers: Case Studies in Security, Compositionality and Refinement
A truly secure protocol is one which never violates its security requirements, no matter how bizarre the circumstances, provided those circumstances are within its terms of reference. Such cast-iron guarantees, as far as they are possible, require formal techniques: proof or model-checking. Informally, they are difficult or impossible to achieve.
Our technique is refinement, until recently not much applied to security. We argue its benefits by giving rigorous formal developments, in refinement-based program algebra, of several security case studies.
A conspicuous feature of our studies is their layers of abstraction and, for the main study in particular, that the protocol is unbounded in state, placing its verification beyond the reach of model checkers.
Correctness in all contexts is crucial for our goal of layered, refinement-based developments. This is ensured by our semantics in which the program constructors are monotonic with respect to “security-aware” refinement, which is in turn a generalisation of compositionality.
Keywords: Refinement of security, formalised secrecy, hierarchical security reasoning, compositional semantics