research-article

Open access

Formally sound implementations of security protocols with JavaSPI

Authors:

Riccardo Sisto,

Piergiuseppe Bettassa Copet,

Alfredo PirontiAuthors Info & Claims

Formal Aspects of Computing, Volume 30, Issue 2

Pages 279 - 317

https://doi.org/10.1007/s00165-017-0449-8

Published: 01 March 2018 Publication History

Abstract

Designing and coding security protocols is an error prone task. Several flaws are found in protocol implementations and specifications every year. Formal methods can alleviate this problem by backing implementations with rigorous proofs about their behavior. However, formally-based development typically requires domain specific knowledge available only to few experts and the development of abstract formal models that are far from real implementations. This paper presents a Java-based protocol design and implementation framework, where the user can write a security protocol symbolic model in Java, using a well defined subset of the language that corresponds to applied π-calculus. This Java model can be symbolically executed in the Java debugger, formally verified with ProVerif, and further refined to an interoperable Java implementation of the protocol. Soundness theorems are provided to prove that, under some reasonable assumptions, a simulation relation relates the Java refined implementation to the symbolic model verified by ProVerif, so that, for the usual security properties, a property verified by ProVerif on the symbolic model is preserved in the Java refined implementation. The applicability of the framework is evaluated by developing an extensive case study on the popular SSL protocol.

References

References

[1]

Almeida JB, Bangerter E, Barbosa M, Krenn S, Sadeghi AR, Schneider T (2010) A certifying compiler for zero-knowledge proofs of knowledge based on Σ-protocols. In: 15th European conference on research in computer security (ESORICS 2010). Lecture notes in computer science, vol 6345. Springer, Berlin, pp 151–167

[2]

Almeida JB, Barbosa M, Barthe G, Dupressoir F (2013) Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: 2013 ACM SIGSAC conference on computer and communications security (CCS 2013), ACM, pp 1217–1230

[3]

Avanesov T, Chevalier Y, Mekki MA, Rusinowitch M (2012) Web services verification and prudent implementation. In: Data privacy management and autonomous spontaneus security. Lecture notes in computer science, vol 7122. Springer, Berlin, pp 173–189

[4]

Abadi M and Fournet C Mobile values, new names, and secure communication ACM SIGPLAN Not 2001 36 3 104-115

Digital Library

[5]

Al Fardan NJ, Paterson KG (2013) Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE symposium on security and privacy (S & P 2013), IEEE, pp 526–540

[6]

Aizatulin M, Gordon AD, Jürjens J (2012) Computational verification of C protocol implementations by symbolic execution. In: 2012 ACM conference on computer and communications security (CCS 2012), ACM, pp 712–723

[7]

Apple goto fail bug (2014) CVE-2014-1266. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266

[8]

Avalle M, Pironti A, Pozza D, and Sisto R JavaSPI: a framework for security protocol implementation Int J Secure Softw Eng 2011 2 4 34-48

Digital Library

[9]

Avalle M, Pironti A, and Sisto R Formal verification of security protocol implementations: a survey Form Asp Comput 2014 26 1 99-123

Digital Library

[10]

Avalle M, Pironti A, Sisto R, Pozza D (2011) The JavaSPI framework for security protocol implementation. In: 6th international conference on availability, reliability and security (ARES 2011), IEEE Computer Society, pp 746–751

[11]

Albrecht MR, Paterson KG, Watson G (2009) Plaintext recovery attacks against ssh. In: IEEE symposium on security and privacy (S & P 2009), IEEE, pp 16–26

[12]

Bhargavan K, Corin R, Deniélou PM, Fournet C, Leifer JJ (2009) Cryptographic protocol synthesis and verification for multiparty sessions. In: 22nd IEEE computer security foundations symposium (CSF 2009), IEEE Computer Society, pp 124–140

[13]

Bettassa Copet P, Pironti A, Pozza D, Sisto R, Vivoli P (2012) Visual model-driven design, verification and implementation of security protocols. In: IEEE 14th international symposium on high-assurance systems engineering (HASE 2012), IEEE, pp 62–65

[14]

Basin D, Doser J, and Lodderstedt T Model driven security: from UML models to access control infrastructures ACM Trans Softw Eng Methodol 2006 15 1 39-91

Digital Library

[15]

Bhargavan K, Fournet C, Gordon AD, and Tse S Verified interoperable implementations of security protocols ACM Trans Program Lang Syst 2008 31 1 1-61

Digital Library

[16]

Blanchet B (2001) An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE workshop on computer security foundations (CSF 2001), IEEE Computer Society, pp 82–96

[17]

Blanchet B Automatic verification of correspondences for security protocols J Comput Secur 2009 17 4 363-434

[18]

Bhargavan K, Lavaud AD, Fournet C, Pironti A, Strub PY (2014) Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE symposium on security and privacy (S & P 2014), IEEE, pp 98–113

[19]

Bierman G, Parkinson M, Pitts A (2003) MJ: an imperative core calculus for Java and Java with effects. Technical report 563, Cambridge University Computer Laboratory

[20]

Cade D, Blanchet B (2012) From computationally-proved protocol specifications to implementations. In: 7th international conference on availability, reliability and security (ARES 2012), IEEE Computer Society, pp 65–74

[21]

Dupressoir F, Gordon AD, Jürjens J, and Naumann DA Guiding a general-purpose C verifier to prove cryptographic protocols J Comput Secur 2014 22 5 823-866

[22]

Dolev D and Yao A On the security of public key protocols IEEE Trans Inf Theory 1983 29 2 198-207

Digital Library

[23]

GnuTLS certificate verification issue (2014) CVE-2014-0092. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0092

[24]

Gorrieri R, Versari C (2015) Transition systems and behavioral equivalences. Springer, Berlin, pp 21–79

[25]

Heartbleed bug (2014) CVE-2014-0160. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

[26]

Heintze N and Tygar JD A model for secure protocols and their compositions IEEE Trans Softw Eng 1996 22 1 16-30

Digital Library

[27]

Jürjens J (2001) Secrecy-preserving refinement. In: Fiadeiro J, Zave P (eds) International symposium on formal methods Europe (FME). Lecture notes in computer science, vol 2021. Springer, Berlin, pp 135–152

[28]

Jürjens J Secure systems development with UML 2005 Berlin Springer

[29]

Kiyomoto S, Ota H, Tanaka T (2008) A security protocol compiler generating C source codes. In: Information security and assurance, IEEE, pp 20–25

[30]

Montrieux L, Jürjens J, Haley CB, Yu Y, Schobbens PY, Toussaint H (2010) Tool support for code generation from a umlsec property. In: IEEE/ACM international conference on automated software engineering (ASE 2010), ACM, pp 357–358

[31]

O’Shea N (2008) Using elyjah to analyse Java implementations of cryptographic protocols. In: Joint workshop on foundations of computer security, automated reasoning for security protocol analysis and issues in the theory of security, pp 221–226

[32]

Pironti A, Sisto R (2007) An experiment in interoperable cryptographic protocol implementation using automatic code generation. In IEEE Symposium on computers and communications, pages 839–844. IEEE

[33]

Pironti A and Sisto R Safe abstractions of data encodings in formal security protocol models Form Asp Comput 2014 26 1 125-167

Digital Library

[34]

Rescorla E, Ray M, Dispensa S, Oskov N (2010) Transport layer security (TLS) renegotiation indication extension. RFC 5746

[35]

Song DX, Perrig A, Phan D (2001) AGVI: automatic generation, verification, and implementation of security protocols. In: 13th international conference on computer aided verification (CAV 2001). Lecture notes in computer science, vol 2102. Springer, Berlin, pp 241–245

[36]

The Legion of Bouncy Castle. Bouncy castle crypto API. https://www.bouncycastle.org/java.html

Cited By

Arquint LSchwerhoff MMehta VMüller PMeng WJensen CCremers CKirda E(2023)A Generic Methodology for the Modular Verification of Security Protocol ImplementationsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623105(1377-1391)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623105
Bhargavan KBichhawat ADo QHosseyni PKüsters RSchmitz GWürtele T(2021)$\text{DY}^{\star}$: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code2021 IEEE European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP51992.2021.00042(523-542)Online publication date: Sep-2021
https://doi.org/10.1109/EuroSP51992.2021.00042
He XLiu QChen SHuang CWang DMeng B(2020)Analyzing Security Protocol Web Implementations Based on Model Extraction With Applied PI CalculusIEEE Access10.1109/ACCESS.2020.29716158(26623-26636)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.2971615

Recommendations

Provably correct Java implementations of Spi Calculus security protocols specifications

Spi Calculus is an untyped high level modeling language for security protocols, used for formal protocols specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to ...
Automatic verification of correspondences for security protocols

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and ...
JavaSPI: A Framework for Security Protocol Implementation

This paper presents JavaSPI, a "model-driven" development framework that allows the user to reliably develop security protocol implementations in Java, starting from abstract models that can be verified formally. The main novelty of this approach stands ...

Comments

Information & Contributors

Information

Published In

cover image Formal Aspects of Computing

Formal Aspects of Computing Volume 30, Issue 2

Mar 2018

136 pages

ISSN:0934-5043

EISSN:1433-299X

Issue’s Table of Contents

© British Computer Society 2017.

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 March 2018

Accepted: 22 November 2017

Received: 11 August 2016

Published in FAC Volume 30, Issue 2

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
48
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)3

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Arquint LSchwerhoff MMehta VMüller PMeng WJensen CCremers CKirda E(2023)A Generic Methodology for the Modular Verification of Security Protocol ImplementationsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623105(1377-1391)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623105
Bhargavan KBichhawat ADo QHosseyni PKüsters RSchmitz GWürtele T(2021)$\text{DY}^{\star}$: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code2021 IEEE European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP51992.2021.00042(523-542)Online publication date: Sep-2021
https://doi.org/10.1109/EuroSP51992.2021.00042
He XLiu QChen SHuang CWang DMeng B(2020)Analyzing Security Protocol Web Implementations Based on Model Extraction With Applied PI CalculusIEEE Access10.1109/ACCESS.2020.29716158(26623-26636)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.2971615

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents