Union and Intersection Types for Secure Protocol Implementations

  • Michael Backes
  • Cătălin Hriţcu
  • Matteo Maffei
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6993)

Abstract

We present a new type system for verifying the security of cryptographic protocol implementations. The type system combines prior work on refinement types with union, intersection, and polymorphic types, and adds the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for type-based analyses of protocol implementations. In particular, our types can statically characterize: (i) more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; (ii) authenticity and integrity properties achieved by showing knowledge of secret data; (iii) applications based on zero-knowledge proofs. The type system comes with a mechanized proof of correctness and an efficient type-checker.

Keywords

Type System, Intersection Type, Cryptographic Protocol, Protocol Implementation, Authorization Policy


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Michael Backes (1, 2)
  • Cătălin Hriţcu (1)
  • Matteo Maffei (1)
  1. Saarland University, Germany
  2. Max Planck Institute for Software Systems (MPI-SWS), Germany