Véronique
Cortier Abstract: Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this talk, we present several approaches that enable to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Back to WITS'07 Program |
Thomas
Jensen Abstract: We present a formal model of the access control mechanism for Java-enabled mobile interactive devices (mobile telephones, in particular). Being somewhat restricted, we propose a more flexible extension to this model based on the notion of user-granted access control permissions with multiplicities. Based on this model, we develop static permission flow analysis with which it is possible to engineer a formal proof that an applet will not consume resources for which it does not have permissions. From such proofs we construct compact certificates, allowing the receiving device to verify the resource consumption behaviour of a down-loaded applet. Back to WITS'07 Program |
Han
Gao, Pierpaolo
Degano,
Chiara
Bodei and
Hanne
Riis Nielson. Abstract: We present a reduction semantics for the LYSA calculus extended with session information and a static analysis for it. If a protocol passes the analysis then it is free of replay attacks. Back to WITS'07 Program |
Laurent Mazare. Computationally Sound Analysis of Protocols using Bilinear Pairings Abstract: In this paper, we introduce a symbolic model to analyse protocols that use a bilinear pairing between two cyclic groups. This model consists in an extension of the Abadi-Rogaway logic and we prove that the logic is still computationally sound: symbolic indistinguishability implies computational indistinguishability provided that the Bilinear Decisional Diffie-Hellman assumption is verified and that the encryption scheme is IND-CPA secure. We illustrate our results on classical protocols using bilinear pairing like Joux tripartite Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols. Back to WITS'07 Program |
Gavin Lowe. On information flow and refinement-closure Abstract:
The question of information flow considers whether a
high-level user of a multi-level security system can pass
information to a low-level user. One family of information flow
properties is non-deducibility on compositions: that for all
possible high-level Back to WITS'07 Program |
Christopher Dilloway and Gavin Lowe. On the Specification of Secure Channels Abstract: Security architectures often make use of secure transport protocols to protect network messages: the transport protocols provide secure channels between hosts. In this paper we present a hierarchy of specifications for secure channels. We give trace specifications capturing a number of different confidentiality and authentication properties that secure channels might satisfy, and compare their strengths. We give examples of transport layer protocols that we believe satisfy the channel specifications. Back to WITS'07 Program |
Catalin Dima and Constantin Enea. Nondeduciblity on strategies in the temporal logic of knowledge Abstract: We provide a syntactic characterization of Nondeducibility on Strategies in CTL$^*$ with knowledge and past time operators, based on prior work by Halpern and O'Neill. Our characterization is provided by means of a number of axioms that have to be satisfied by formulas specifying sets of strategies. Back to WITS'07 Program |
Erik Poll and Aleksy Schubert. Verifying an implementation of SSH Abstract:
We present a case study in the formal verification of an open
source Java implementation of SSH. We discuss the
security flaws we found and fixed by means of formal
specification and verification -- using the specification
language JML and the program verification tool ESC/Java2 -- and
by more basic manual code inspection. Of more general interest is
the methodology we propose to formalise security protocols such
as SSH using finite state machines. This provides a precise but
accessible formal specification, that is not only useful for
formal verification, but also for development, testing, and for
clarification of official specification in natural Back to WITS'07 Program |
Wan Fokkink, Mohammad Torabi Dashti and Anton Wijs. Partial Order Reduction for Branching Security Protocols Abstract: We extend the partial order reduction algorithm of Clarke et al.\ \cite{clarke} to handle branching security protocols, such as optimistic fair exchange protocols. Applications of the proposed algorithm in both model checking and constraint solving approaches are discussed. We also report some experimental results using a $\mu$CRL implementation of the algorithm. Back to WITS'07 Program |
Ran Canetti, Ling Cheung, Nancy Lynch and Olivier Pereira. On the Role of Scheduling in Simulation-Based Security Abstract: In a series of papers, Küsters et al. investigated the relationships between various notions of simulation-based security. Two main factors, the placement of a ``master process'' and the existence of ``forwarder processes'', were found to affect the equivalence between different definitions. In this extended abstract, we add a new dimension to the analysis of simulation-based security, namely, the scheduling of concurrent processes. We show that, when we move from sequential scheduling (as used in previous studies) to task-based scheduling, the same logical statement gives rise to incomparable notions of security. Under task-based scheduling, the hierarchy based on placement of ``master process'' becomes obsolete, because no such designation is necessary to obtain meaningful runs of a system. On the other hand, the existence of ``forwarder processes'' remains an important factor. Back to WITS'07 Program |
Michael Backes, Agostino Cortesi and Matteo Maffei. Causality-based Abstraction of Multiplicity in Security Protocols Abstract: This paper presents a novel technique for analyzing security protocols based on an abstraction of the program semantics. This technique is based on a novel structure called causal net which captures the causality among program events within a finite graph. A core property of causal nets is that they abstract away from the multiplicity of protocol sessions, hence constituting a concise tool for reasoning about an even infinite number of concurrent protocol sessions; deciding security only requires a traversal of the causal net, thus yielding a decidable, and typically very efficient, approach for security protocol analysis. Additionally, causal nets allow for dealing with different security properties such as secrecy and authenticity in a uniform manner. Both the construction of the causal net from a given protocol description and the subsequent analysis are fully automated. Back to WITS'07 Program |
Joshua Guttman, Shaddin Doghmi and F. Javier Thayer. Skeletons and the Shapes of Bundles Abstract: Skeletons model partial information about regular (honest) behavior in an execution of a cryptographic protocol. A homomorphism between skeletons is an information-preserving map. Much protocol analysis may be regarded as an exploration of the properties of the category of skeletons and homomorphisms. In particular, the strand space authentication tests are special homomorphisms. These ideas suggest an approach to mechanizing protocol analysis. Back to WITS'07 Program |
Arnab Roy, Anupam Datta, Ante Derek and John Mitchell. Inductive Trace Properties Imply Computational Security Abstract: Protocol authentication properties are generally trace-based, meaning that authentication holds for the protocol if authentication holds for individual traces (runs of the protocol and adversary). Computational secrecy conditions, on the other hand, often are not trace based: the ability to computationally distinguish a system that transmits a secret from one that does not is measured by overall success on the \textit{set} of all traces of each system. This presents a challenge for inductive or compositional methods: induction is a natural way of reasoning about traces of a system, but it does not appear applicable to non-trace properties. We therefore investigate the semantic connection between trace properties that could be established by induction and non-trace-based security requirements. Specifically, we prove that a certain trace property implies computational secrecy and authentication properties, assuming the encryption scheme provides chosen ciphertext security and ciphertext integrity. We also prove a similar theorem for computational secrecy assuming Decisional Diffie-Hellman and a chosen plaintext secure encryption scheme. Back to WITS'07 Program |
Michael Backes, Agostino Cortesi, Riccardo Focardi and Matteo Maffei. A Calculus of Challanges and Responses Abstract: This paper presents a novel approach for concisely abstracting authentication protocols and for subsequently analyzing those abstractions in a sound manner, i.e., deriving authentication guarantees for protocol abstractions suffices for proving these guarantees for the actual protocols. The abstractions are formalized in a novel calculus which constitutes a higher-level abstraction of the r-spi calculus and is specifically tailored towards reasoning about challenge-response mechanisms within authentication protocols. Furthermore, it allows for expressing protocols without having to include details on the specific structure of exchanged messages. This in particular entails that many authentication protocols share a common abstraction so that a single validation of this abstraction already gives rise to security guarantees for all these protocols. Such an abstract validation can be automatically performed using static analysis techniques based on an effect system proposed in this paper. Finally, extensions to abstractions of additional protocol classes immediately enjoy a soundness theorem provided that these extensions satisfy certain explicit, easily checkable conditions. Back to WITS'07 Program |