650 likes | 858 Views
Computer Security 463.10 Formal Methods. Fall 2005. Required. Reading J. M. Wing. A symbiotic relationship between formal methods and security. Proceedings NSF Workshop on Computer Security, Fault Tolerance, and Software Assurance: From Needs to Solution. December 1998.
E N D
Computer Security463.10 Formal Methods Fall 2005
Required • Reading • J. M. Wing. A symbiotic relationship between formal methods and security. Proceedings NSF Workshop on Computer Security, Fault Tolerance, and Software Assurance: From Needs to Solution. December 1998. • L. C. Paulson. Proving properties of security protocols by induction. Proceedings of the 10th Computer Security Foundations Workshop, 1997, page 70-83
Introduction • National Security Agency was the major source of funding formal methods research and development in the 70s and early 80s • Formal security models • Tools for reasoning about security • Applications of using these tools to prove systems secure • The use of Internet brings security to the attention of masses • What kind of problems can formal methods help to solve in security • What problems will formal methods never help to solve
The Limits of Formal Methods • Systems will never made 100% secure • Formal methods will not break this axiom • Assumptions about the system’s environment • Hard to state them explicitly • The system could be deployed in an environment not originally designed • For convenience or lack of an alternative • Clever intruders find out how to violate these assumptions • Security is not an either/or property • Pays more, gains more • Eg. Passwords, certificates, biometrics are measured in terms of degree of security for authentication
What Formal Methods Can Do • Delimit the system’s boundary: the system and its environment • Characterize a system’s behavior more precisely • Define the system’s desired properties precisely • Prove a system meets its specification • Tell under what circumstances a system cannot meet its specification
How They Can Help • These capabilities of formal methods help practitioner in two ways • Through specification, focusing on designer’s attention • What is interface • What are the assumptions about the system • What is the system supposed to do under this condition and that condition • What are the system’s invariant properties • Through verification • Prove a system meet its security goals • Find out the weakness of the system
History-Past • Early formal method research funded by the National Security Agency, centered on proving systems secure • Bell-LaPadula model • Biba integrity model • Clark-Wilson model • The systems of interest to prove secure were operating systems, more specifically, kernels
Process of Proving • Process of proving entails 3 parts • Formal specification • State the property of the system • For example: *-property • Model the system so that one can formally prove the property • Model might be a semantic structure like a state machine or a syntactic structure like a logical expression • Proof • Methods • Rely on induction over traces of the state machine model • Or rely on deduction to show that an implication holds • Automatically proved by machine or require interactive guidance of human
The Orange Book • US Trusted Computer System Evaluation Criteria – The Orange Book • Produced by NCSC (National Computer Security Center) in 1985 • Provide a standard metric for NCSC to compare the security of different computer systems • Guide computer system vendors in the design and development of secure systems • Provide a means for specifying security requirements in Government contracts • Levels: D, C1,C2,B1,B2,B3,A1,A2 • Certified A.1 means that one formally specify the system’s security requirements, formally model the system and formally prove that the model meets its specification
Major Results of Early 80s • Major results of early 80s were theorem proving tools with general purpose • Affirm (USC) • Support for reasoning about equational logic • Formal Development Methodology (FDM) System (System Development Corporation) • Support for non-deterministic state machine model • Gypsy (U. Texas Austin) • Support for program verification of a subset of Pascal, including a verification condition generator • (Enhanced) Hierarchy Development Methodology (HDM) (Stanford) • SPECIAL specification language • Collection of decision procedures for propositional logic
Tools Specific for Security • Tools specific to reason about security • Specifies an insecure state and the tool searches backwards to determine whether that state is reachable • Interrogator • Based on Prolog, exhaustive search, fully automatic • NRL Protocol Analyzer • Based on Dolev and Yao’s work on algebraic term rewriting model for two-party cryptographic protocols • Less automatic • BAN logic – Logic of Authentication • Reason in terms of belief Logic • Accumulates belief during the run of the protocol • E.g., the freshness of message
Two Different Styles of Formal Methods • Two different styles of formal methods • The UK and European style • Focus was on specification, on the system’s high level design and on the paper-and-pencil analysis • The US and Canadian style • Focus was on verification, from the system’s high level design through its code-level implementation down to its bit-level representation in hardware, and on machine-assisted analysis
History-Present • Since early 90s, there was an explosion of new developments • Three threads in the development of formal methods • Model checking • hardware verification • Theorem proving • Software specification
Model Checking • Model Checking • In 1996, model checker FDR was used to exhibit a flaw in the Needham-Schroeder protocol • Since then many other model check tools or other proving tools showed the same thing • Other protocols were or are being checked • SSL by Stanford • IKE, SET by Meadows • Netbill electronic payment protocol
Theorem Proving • Theorem proving approaches • General purpose theorem prover Isabelle was used to reason 5 classic authentication protocols and their variation • Coq was used to analyze the Needham-Schroeder protocol and SET • PVS was used to verify authentication protocol
Hybrid Approaches • Hybrid approaches • Embodies both model checking and theorem proving functionalities • Improved NRL protocol analyzer analyze IKE and SET protocol • Improved NRL embodies both model checking (e.g., brute force search )and theorem proving (e.g., lemma generation)
Practice of Building Secure Systems • Build secure systems • Solid crypto base • Encryption, hash, signature • Protocols • Authentication, key exchange protocol • Standard reliable network protocol • Systems and general purpose programming language • Kerberos authentication • Applications • Online banking • Online shopping • Bill Payment Applications Systems/PL Protocols Crypto Crypto System Layers
Security Guarantees • Security guarantees reverse • Crypto base precisely tells us • What is guaranteed • What is not guaranteed • What is still open problem • Protocols • formal methods provide some guarantee • Systems/PL • Commercial technology like Authenticode, Active X, Java provide varying degrees of security • Applications • Not very much at all Applications Systems/PL Protocols Crypto Security Guarantees
A Case Study: Proving Properties of Security Protocols by Induction • Cryptographic protocols let agents communicate securely over insecure network • Secrecy: spy cannot read the contents of messages intended for others • Authenticity: agents can identify themselves to others, but nobody can masquerade as somebody else
Two Popular Approaches • Formal methods to analyze security protocols • State exploration • Model checking • Model protocol as finite state system • Verify by exhaustive search all reachable states • Pros: find attacks quickly • Cons: require drastic simplifying assumptions to make state space small • Belief logics • BAN Logic • Formally express what an agent may infer from messages received • Pros: short proof expressed at high level of abstraction • Cons: do not address secrecy
An Inductive Approach • Borrow elements from both approaches • From state exploration: concrete notion of events • From belief logic: derive guarantees from each protocol messages • Inductive approach • Traces of events: A sends X to B • Protocols are formalized as the set of all possible traces of events • An agent may extend a trace in any way permitted by the protocol, given what he can see in current trace • Any number of interleaved runs • Modeling Accidents and general attacker • Mechanize proofs • Properties proved by Induction on traces • Using theorem prover Isabelle
Why an Inductive Approach • Necessary formal tool is inductive definition • Inductive definition lists the possible actions an agent or system can perform • Corresponding induction rule helps to reason about the consequences of an arbitrary finite sequence of such actions • Highly general: used to specify the semantics of program languages for long time • Each security property is proved by induction over the protocol
Overview • Method includes • Theory of message analysis • Theory describing standard features of protocols • Individual protocol description rest on the former two common base • Formalization assume an encrypted message can neither be altered nor read without the appropriate key
Messages • Messages items may include • Agent names A, B,… • Nonces Na, Nb, … • Keys Ka, Kb , Kab , … • Compound messages {| X, X’|} • Encrypted messages Crypt K X • Structure of each message is explicit • Different types of components cannot be confused Note: (K-1)-1 = K
Message Analysis • H: an agent’s initial knowledge and the history of all messages sent in a trace • parts H :obtained from H by repeatedly adding components of compound messages and the bodies of encrypted messages • Crypt K X 2parts H ) X 2parts H • analz H : obtained from H by repeatedly adding components of compound messages and by decrypting messages whose keys are in analz H • Represents maximum knowledge a spy can learn without breaking ciphers • Crypt K X 2analz H, K-12analz H) X 2analz H • synth H : repeatedly adding agent names, forming compound messages and encrypting with keys obtained in H • Model the messages a spy could build up from elements of H • X 2synth H, K 2 H ) Crypt K X 2synth H
Model the attacker • Observe all traffic, that is H • Sends fraudulent messages from synth (analz H ) • May be able to get a set of “lost” long-term keys of those agents • May be able to get session keys accidentally lost • May be an agent by itself, so as to sent normal protocol messages and fraudulent ones
Modeling a protocol • Each event in a trace has form Says A B X • Each agent’s state is • represented by its initial knowledge • Its key shared with the server • The list of events he can see • Honest agents only read messages addressed to themselves
Example Protocol • A variant of Otway-Rees protocol • A ! B: Na, A, B, {| Na, A, B|}Ka • B ! S: Na,A,B,{| Na, A, B|}Ka,Nb,{| Na,A, B|}Kb • S ! B: Na,{| Na,Kab |}Ka,{| Nb, Kab |}Kb • B ! A: Na ,{| Na,Kab |}Ka
Model its steps • Protocol steps are modeled as possible extensions of a trace with new events • If evs is a trace and N_a is unused, may add • Says A B {|Na, A, B, {|Na,A,B|}Ka|} • If evs has Says A’ B {|Na, A, B, X|} and Nb is unused, may add • Says B S {|Na, A, B, X, Nb, {|Na,A,B|}Kb|} • A’ instead of A is because B does not know the true sender • Using X is because B cannot read {|Na,A,B|}Ka
If evs has Says B’ S {|Na, A, B, {|Na,A,B|}Ka, Nb, {|Na,A,B|}Kb|} and Kab is unused, may add • Says S B {| Na,{| Na,Kab |}Ka,{| Nb, Kab |}Kb |} • If evs has Says B S {|Na, A, B, X, Nb, {|Na,A,B|}Kb|} and Says S’ B {| Na,X,{| Nb, Kab |}Kb |}, may add • Says B A {| Na,X |} • An agent may be in several protocol runs concurrently, the trace represents his state in all these runs • Agents may respond to past events, no matter how old they are. They may respond any number of times or never
Three Additional Rules for Protocol • Protocol description usually requires three additional rules: • The empty list [ ], is a trace • Fake:If evs is a trace, X 2synth(analz H ) is a fraudulent message and B Spy, then add • Says Spy B X • Modeling attacks • Oops: If evs is a trace and S distributed key K to A, Na and Nb were used, then add • Says ASpy {| Na ,Nb ,K |} • Models accidental loss of session keys • Nonces identify the protocol run
Attack to the Example Protocol • An attack to the protocol • A ! B £: Na, A, B, {| Na, A, B|}Ka 1’.C ! A :Nc, C, A, {| Nc, C, A|}Kc 2’.A ! S £: Nc, C, A, {| Nc, C, A|}Kc ,Na’, {| Nc, C, A|}Ka 2’’. CA! S : Nc, C, A, {| Nc, C, A|}Kc ,Na, {| Nc, C, A|}Ka 3’. S ! A £: Nc,{| Nc,Kca |}Kc,{| Na, Kca |}Ka • CB! A : Na ,{| Na,Kca |}Ka Replacing Na’ by A’s original nonce Na eventually cause A to accept key Kca as a key shared with B
A Mechanized Theory of Messages • Mechanized using Isabelle/HOL • an instantiation of generic theorem prover Isabelle to higher-order logic • Why Isabelle • Support for inductively defined sets • its automatic tools for proving
Brief Introduction to Isabelle • Working with Isabelle means creating theories • A named collection of types, functions and theorems theory T= B1+…+Bn: declarations, definitions, proofs end
exampleTheory theory exampleTheory = Main: datatype 'a list = Nil | Cons 'a “ 'a list” consts append :: “ 'a list => 'a list => 'a list” primrec "append Nil ys = ys" "append (Cons x xs) ys = Cons x (app xs ys)“ lemma [simp]: "append xs Nil = xs" apply (induct xs) apply auto done end datatype: datatype declaration consts: function declaration primrec: recursive definition of a function lemma:definea theorem and its proving process simp: an attribute for a lemma
Main Datatype Definition datatype agent = Server | Friend nat | Spy datatype msg = Agent agent | Nonce nat | Key key | Mpair msg msg | Crypt key msg
Induction Definition for parts H For parts H X 2 H Crypt K X 2parts H X 2parts H X 2parts H {|X,Y|} 2parts H{|X,Y|} 2parts H X 2parts HY 2parts H
Induction Definition for analz H For analz H X 2 H X 2analz H Crypt K X 2analz HK-12analz H X 2analz H {|X,Y|} 2analz H{|X,Y|} 2analz H X 2analz HY 2analz H
Induction Definition for synth H For synth H X 2 H X 2synth HK 2synth H X 2synth H Crypt K X 2synth H X 2synth HY 2synth HAgent A 2synth H {|X,Y|} 2synth H
Isabella Syntax for analz H consts analz :: msg set => msg set inductive “analz H” intros Inj “X2 H ) X 2analz H” Fst “{|X,Y|}2analz H ) X 2analz H” Snd “{|X,Y|}2analz H ) Y 2analz H” Decrypt “[| Crypt K X 2analz H; Key (invKey K) 2analz H|] ) X 2analz H ” • Inductive definition on analz H • Inj, Fst, Snd and Decrypt are introduction rules
Simplification Rules • They are monotonic (let G µ H) parts Gµparts H analz Gµanalz H synth Gµsynth H • They are idempotent parts (parts H) = parts H analz (analz H) = analz H synth (synth H) = synth H • Other equations parts (analz H) = parts H analz (parts H) = parts H parts (synth H) = parts H [ synth H analz (synth H) = analz H [ synth H synth (parts H) = ? irreducible synth (analz H) = ? irreducible
Symbolic Evaluation: parts H For parts H ins X H = {X} [ H parts(ins(Agent A) H)=ins(Agent A) (parts H) parts(ins(Nonce N) H)=ins(Nonce N)(parts H) parts(ins (Key K) H)=ins(Key K)(parts H) parts(ins({|X,Y|}) H)=ins{|X,Y|}(parts (ins X (ins Y H))) parts(ins(Crypt K X) H)=ins(Crypt K X)(parts (ins X H))
Symbolic Evaluation: analz H For analz H analz(ins(Agent A) H)=ins(Agent A)(analz H) analz(ins(Nonce N) H)=ins(Nonce N)(analz H) analz(ins({|X,Y|}) H)=ins{|X,Y|}(analz (ins X (ins Y H)))
keysFor H = {K-1 | 9 X. Crypt K X 2 H} K keysFor (analz H ) analz (ins (Key K) H) = ins (Key K) (analz H) analz (ins (Crypt K X) H) = • ins (Crypt K X) (analz (ins X H)) if K-12analz H • ins (Crypt K X) (analz H) otherwise Nested encryption give rise to nested if-then-else expression
Symbolic Evaluation: synth H • Symbolic evaluation of synth is impossible since its result is infinite. • No necessary to do the symbolic evaluation • Instead need to simplify assumption of the form X 2synth H, which arise when considering whether a certain message might be fraudulent • Nonce N 2synth H ) Nonce N 2 H • Key K 2synth H ) Key K 2 H (Key and Nonce are unguessable) • Crypt K X 2synth H ) • Crypt K X 2 H or • X 2synth H and K 2 H • If know K H , then Crypt K X is a replay rather a spoof
Statistics for Simplification Rules • Over 90 theorems are proved about parts, analz, synth, keysFor • Most are proved by induction with respect to the relevant inductive definition, which only needs three command each • Most of them can be later used by other theorems for automatic simplification
Events and Agent Knowledge • datatype event = Says agent agent msg • Function sees models the set of messages an agent receives from a trace sees lost A ((Says A’ B X) || evs) = • ins X ( sees lost A evs) if A 2 {B, Spy} • sees lost A evsotherwise lost: a set of agents whose keys have been lost to the spy A: who sees in this action
Initial Knowledge • From the empty trace, an agent sees his initial state sees lost A [ ] = initState lost A • Each agent share a long term key with Server, E.g. shrK A initState lost Server = all long term keys initState lost (Friend i)={Key(shrK(Friend i))} initState lost Spy= {Key(shrK(A))| A 2lost}
The Formal Protocol Specification • A variant of Otway-Rees protocol • A ! B: Na, A, B, {| Na, A, B|}Ka • B ! S: Na,A,B,{| Na, A, B|}Ka,Nb,{| Na,A, B|}Kb • S ! B: Na,{| Na,Kab |}Ka,{| Nb, Kab |}Kb • B ! A: Na ,{| Na,Kab |}Ka
Rules for Modeling the Protocol Nil[ ] 2otway Fake[|evs 2otway; B Spy; X2synth( analz ( sees lost Spy evs) )|] )Says Spy B X || evs 2otway OR1[|evs 2otway; A B; B Server; Nonce NA usedevs|] )Says A B {| Nonce NA, Agent A, Agent B, Crypt (ShrK A) {| Nonce NA, Agent A, Agent B|} |} || evs 2otway OR2[|evs 2otway; B Server; Nonce NB usedevs; Says A’ B {| Nonce NA, Agent A, Agent B, X|} 2 set_of_list evs |] )Says B Server {| Nonce NA, Agent A, Agent B, X, Nonce NB, Crypt (ShrK B) {| Nonce NA, Agent A, Agent B|} |} || evs 2otway OR3[|evs 2otway; B Server; Key Kabusedevs; Says B’ Server {| Nonce NA, Agent A, Agent B, Crypt (ShrK A) {| Nonce NA, Agent A, Agent B|}, Nonce NB, Crypt (ShrK B) {| Nonce NA, Agent A, Agent B|} |} 2 set_of_list evs |] )Says Server B {| Nonce NA, Crypt (ShrK A) {| Nonce NA, Key Kab |} Crypt (ShrK B) {| Nonce NB, Key Kab |} |} || evs 2otway