Verifying Cryptographic Code in C: Some Experience and the Csec Challenge

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7140)


The security of much critical infrastructure depends in part on cryptographic software coded in C, and yet vulnerabilities continue to be discovered in such software. We describe recent progress on checking the security of C code implementing cryptographic software. In particular, we describe projects that combine verification-condition generation and symbolic execution techniques for C, with methods for stating and verifying security properties of abstract models of cryptographic protocols. We illustrate these techniques on C code for a simple two-message protocol.


Security Property Symbolic Execution Cryptographic Protocol Symbolic Expression Secrecy Property 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: ACM POPL, pp. 104–115 (2001)Google Scholar
  2. Aizatulin, M., Dupressoir, F., Gordon, A., Jürjens, J.: Verifying cryptographic code in C: Some experience and the Csec challenge. Technical Report MSR-TR-2011-118, Microsoft Research (November 2011a)Google Scholar
  3. Aizatulin, M., Gordon, A., Jürjens, J.: Extracting and verifying cryptographic models from C protocol code by symbolic execution. In: 18th ACM Conference on Computer and Communications Security, CCS 2011 (2011),
  4. Backes, M., Hofheinz, D., Unruh, D.: CoSP: A general framework for computational soundness proofs. In: ACM CCS 2009, pp. 66–78 (November 2009); preprint on IACR ePrint 2009/080Google Scholar
  5. Barbosa, M., Pinto, J., Filliâtre, J., Vieira, B.: A deductive verification platform for cryptographic software. In: Proceedings of the Fourth International Workshop on Foundations and Techniques for Open Source Software Certification (OpenCert 2010). Electronic Communications of the EASST, vol. 33. EASST (2010)Google Scholar
  6. Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. In: 21st IEEE Computer Security Foundations Symposium (CSF 2008), pp. 17–32 (2008)Google Scholar
  7. Bhargavan, K., Fournet, C., Gordon, A.D.: Modular verification of security protocol code by typing. In: ACM Symposium on Principles of Programming Languages (POPL 2010), pp. 445–456 (2010)Google Scholar
  8. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: IEEE Computer Security Foundations Workshop (CSFW 2001), pp. 82–96 (2001)Google Scholar
  9. Cadar, C., Dunbar, D., Engler, D.: KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008), San Diego, CA (December 2008)Google Scholar
  10. Chaki, S., Datta, A.: ASPIER: An automated framework for verifying security protocol implementations. In: Computer Security Foundations Workshop, pp. 172–185 (2009), doi:10.1109/CSF.2009.20Google Scholar
  11. Cohen, E., Dahlweid, M., Hillebrand, M.A., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A Practical System for Verifying Concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. Corin, R., Manzano, F.A.: Efficient Symbolic Execution for Analysing Cryptographic Protocol Implementations. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 58–72. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. Dupressoir, F., Gordon, A., Jürjens, J., Naumann, D.: Guiding a general-purpose C verifier to prove cryptographic protocols. In: 24th IEEE Computer Security Foundations Symposium, pp. 3–17 (2011)Google Scholar
  14. Dutertre, B., de Moura, L.: The Yices SMT Solver. Technical report (2006)Google Scholar
  15. Erkök, L., Carlsson, M., Wick, A.: Hardware/software co-verification of cryptographic algorithms using Cryptol. In: FMCAD (2009)Google Scholar
  16. Fournet, C., Bhargavan, K., Gordon, A.D.: Cryptographic Verification by Typing for a Sample Protocol Implementation. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2011. LNCS, vol. 6858, pp. 66–100. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. Fournet, C., Kohlweiss, M., Strub, P.-Y.: Modular code-based cryptographic verification. In: 18th ACM Conference on Computer and Communications Security, CCS 2011 (2011) Technical report, sample code, and formal proofs available from,
  18. Godefroid, P., Khurshid, S.: Exploring Very Large State Spaces using Genetic Algorithms. In: Katoen, J.-P., Stevens, P. (eds.) TACAS 2002. LNCS, vol. 2280, pp. 266–280. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Programming Language Design and Implementation (PLDI 2005), pp. 213–223. ACM (2005)Google Scholar
  20. Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2008. The Internet Society (2008)Google Scholar
  21. Goubault-Larrecq, J., Parrennes, F.: Cryptographic Protocol Analysis on Real C Code. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 363–379. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. Hriţcu, C.: Union, Intersection, and Refinement Types and Reasoning About Type Disjointness for Security Protocol Analysis. PhD thesis, Department of Computer Science, Saarland University (2011)Google Scholar
  23. King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)zbMATHCrossRefGoogle Scholar
  24. McGrew, D.A., Viega, J.: Flexible and efficient message authentication in hardware and software. manuscript and software available at (2005),
  25. Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs. In: Proceedings of the 11th International Conference on Compiler Construction, CC 2002, pp. 213–228. Springer, London (2002) ISBN 3-540-43369-4, Google Scholar
  26. PolarSSL. PolarSSL,
  27. Polikarpova, N., Moskal, M.: Verifying implementations of security protocols by refinement. In: Verified Software: Theories, Tools and Experiments, VSTTE 2012 (to appear, 2012)Google Scholar
  28. Project EVA. Security protocols open repository (2007),
  29. Udrea, O., Lumezanu, C., Foster, J.S.: Rule-Based static analysis of network protocol implementations. In: Proceedings of the 15Th Usenix Security Symposium, pp. 193–208 (2006),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.The Open UniversityUK
  2. 2.Microsoft Research and University of EdinburghUK
  3. 3.TU Dortmund and Fraunhofer ISSTGermany

Personalised recommendations