Cryptographic Protocol Analysis on Real C Code

  • Jean Goubault-Larrecq
  • Fabrice Parrennes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3385)


Implementations of cryptographic protocols, such as OpenSSL for example, contain bugs affecting security, which cannot be detected by just analyzing abstract protocols (e.g., SSL or TLS). We describe how cryptographic protocol verification techniques based on solving clause sets can be applied to detect vulnerabilities of C programs in the Dolev-Yao model, statically. This involves integrating fairly simple pointer analysis techniques with an analysis of which messages an external intruder may collect and forge. This also involves relating concrete run-time data with abstract, logical terms representing messages. To this end, we make use of so-called trust assertions. The output of the analysis is a set of clauses in the decidable class \(\mathcal{H}_1\), which can then be solved independently. This can be used to establish secrecy properties, and to detect some other bugs.


Horn Clause Cryptographic Protocol Abstract Semantic Concrete Semantic IEEE Computer Security Foundation Workshop 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Amadio, R.M., Charatonik, W.: On name generation and set-based analysis in the Dolev- Yao model. In: Brim, L., Jančar, P., Křetínský, M., Kucera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 499–514. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Andersen, L.O.: Program Analysis and Specialization for the C Programming Language. PhD thesis, DIKU, University of Copenhagen (DIKU report 94/19) (1994)Google Scholar
  3. 3.
    Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), Cape Breton, Nova Scotia, Canada, June, pp. 82–96. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  4. 4.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: Design and Implementation of a Special-Purpose Static Program Analyzer for Safety- Critical Real-Time Embedded Software. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 85–108. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A Static Analyzer for Large Safety-Critical Software. In: ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLD 2003), San Diego, California, June, pp. 196–207. ACM Press, New York (2003)CrossRefGoogle Scholar
  6. 6.
    Boury, P., Elkhadi, N.: Static Analysis of Java Cryptographic Applets. In: ECOOP 2001 Workshop on Formal Techniques for Java Programs. Fern Universität Hagen (2001)Google Scholar
  7. 7.
    Comon-Lundh, H., Cortier, V.: Security properties: Two agents are sufficient. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 99–113. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Dolev, D., Yao, A.C.: On security of public key protocols. IEEE trans. on Information Theory, IT 30, 198–208 (1983)CrossRefMathSciNetGoogle Scholar
  9. 9.
    Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Heintze, N., Clarke, E. (eds.) Proceedings of the Workshop on Formal Methods and Security Protocols – FMSP, Trento, Italy (July 1999)Google Scholar
  10. 10.
    Freier, A., Karlton, P., Kocher, P.: The SSL protocol. Version 3.0 (1996),
  11. 11.
    Gay, O.: Exploitation avancée de buffer overflows. Technical report, LASEC, Ecole Polytechnique Fédérale de Lausanne (June 2002),
  12. 12.
    Goubault-Larrecq, J. (ed.): Special Issue on Models and Methods for Cryptographic Protocol Verification, Warsaw, Poland, December. Instytut Łącsności (Institute of Telecommunications), vol. 4 (2002)Google Scholar
  13. 13.
    Goubault-Larrecq, J.: Une fois qu’on n’a pas trouvé de preuve, comment le faire comprendre à un assistant de preuve? In: Actes 15èmes journées francophones sur les langages applicatifs (JFLA 2004), Sainte-Marie-de-Ré France, Janvier (2004) INRIAGoogle Scholar
  14. 14.
    Heintze, N., Tardieu, O.: Ultra-fast aliasing analysis using cla: a million lines of c code in a second. In: Proc. of the ACM SIGPLAN 2001 conference on Programming language design and implementation, pp. 254–263. ACM Press, New York (2001)CrossRefGoogle Scholar
  15. 15.
    Hind, M.: Pointer analysis: haven’t we solved this problem yet? In: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, pp. 54–61. ACM Press, New York (2001)CrossRefGoogle Scholar
  16. 16.
    Kadhi, N.E.: Automatic verification of confidentiality properties of cryptographic programs. Networking and Information Systems 3(6) (2001)Google Scholar
  17. 17.
    Lowe, G.: An attack on the needham-schroeder public-key authentication protocol. Information Processing Letters 56(3), 131–133 (1995)zbMATHCrossRefGoogle Scholar
  18. 18.
    Milner, R.: Communication and concurrency. Prentice Hall International (UK) Ltd., Englewood Cliffs (1995)Google Scholar
  19. 19.
    Needham, R., Schroeder, M.: Using encryption for authentification in large networks of computers. Communications of the ACM 21(12) (December 1978)Google Scholar
  20. 20.
    Nielson, F., Riis Nielson, H., Seidl, H.: Normalizable horn clauses, strongly recognizable relations, and spi. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 20–35. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Parrennes, F.: The CSur project (2004),
  22. 22.
    Sagiv, S., Reps, T.W., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Prog. Lang. Sys. 24(3), 217–298 (2002)CrossRefGoogle Scholar
  23. 23.
    Selinger, P.: Models for an adversary-centric protocol logic. Electronic Notes in Theoretical Computer Science 55(1), 73–87 (2001): Goubault-Larrecq, J. (ed.) Proceedings of the 1st Workshop on Logical Aspects of Cryptographic Protocol Verification, LACPV 2001 (2001)Google Scholar
  24. 24.
    Simon, A., King, A.: Analyzing string buffers in C. In: Kirchner, H., Ringeissen, C. (eds.) AMAST 2002. LNCS, vol. 2422, pp. 365–379. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Wagner, D., Foster, J.S., Brewer, E.A., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Network and Distributed System Security Symposium, San Diego, CA, February, pp. 3–17 (2000)Google Scholar
  26. 26.
    Weidenbach, C.: Towards an automatic analysis of security protocols. In: Ganzinger, H. (ed.) CADE 1999. LNCS (LNAI), vol. 1632, pp. 314–328. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  27. 27.
    Weidenbach, C., Brahm, U., Hillenbrand, T., Keen, E., Theobald, C., Topic, D.: SPASS version 2.0. In: Voronkov, A. (ed.) CADE 2002. LNCS (LNAI), vol. 2392, pp. 275–279. Springer, Heidelberg (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jean Goubault-Larrecq
    • 1
  • Fabrice Parrennes
    • 1
    • 2
  1. 1.LSV/CNRS UMR 8643 & INRIA Futurs projet SECSI & ENS CachanCachan
  2. 2.RATP, EST/ISF/QS LAC VC42Fontenay-sous-Bois

Personalised recommendations