The document describes a goal of developing a tool for automated security analysis of cryptographic protocol implementations written in C. It aims to take source code as input, perform a sound and scalable analysis, and output either known security flaws or a proof of security. Symbolic execution is proposed as a method to simplify programs and extract their meaning, mapping low-level C code to a formal language model that can be analyzed by existing tools like ProVerif. Current status is that symbolic execution has been implemented for fixed bitstring lengths and linear control flow. Further work is needed to support variable lengths, arbitrary control flow, and full format abstraction before integrating with a protocol verifier.

1. Verifying Implementations
of Security Protocols in C
Mihhail Aizatulin1
supervised by
Andrew Gordon2 , Jan J¨rjens3 , Bashar Nuseibeh1
u
1 The Open University
2 Microsoft Research Cambridge
3 Dortmund University
CRC PhD Student Conference
Open University
June 3-4, 2010
M. Aizatulin Verifying Implementations of Security Protocols in C

2. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation
Our tools
List of all potential
security flaws or proof
of security
M. Aizatulin Verifying Implementations of Security Protocols in C

3. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation The analysis should be
automated,
Our tools
List of all potential
security flaws or proof
of security
M. Aizatulin Verifying Implementations of Security Protocols in C

4. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation The analysis should be
automated,
sound (not miss any bugs),
Our tools
List of all potential
security flaws or proof
of security
M. Aizatulin Verifying Implementations of Security Protocols in C

5. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verify
Our tools OpenSSL or Kerberos).
List of all potential
security flaws or proof
of security
M. Aizatulin Verifying Implementations of Security Protocols in C

6. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verify
Our tools OpenSSL or Kerberos).
We assume that
cryptographic primitives are
implemented correctly,
List of all potential
security flaws or proof
of security
M. Aizatulin Verifying Implementations of Security Protocols in C

7. The Goal
Source code of a Our goal is a tool for security
cryptographic protocol analysis at implementation level.
implementation The analysis should be
automated,
sound (not miss any bugs),
scalable (aim to verify
Our tools OpenSSL or Kerberos).
We assume that
cryptographic primitives are
implemented correctly,
List of all potential
security flaws or proof cryptography is unbreakable
of security (for now).
M. Aizatulin Verifying Implementations of Security Protocols in C

8. Motivation (I)
OpenSSL library bug, January 2009:
int c h e c k c e r t i f i c a t e (){
...
if ( certificate malformed )
r e t u r n −1;
else i f (! c e r t i f i c a t e c h e c k o k )
return 0;
else return 1;}
// l a t e r i n code :
...
i f ( c h e c k c e r t i f i c a t e ( ) ) // o o p s !
{
trust certificate ();
}
M. Aizatulin Verifying Implementations of Security Protocols in C

9. Motivation (II)
An attacker can craft a malformed certificate, pretending to be
someone else:
paypal.com Certificate?
Malformed Certificate
Client Attacker (= Internet) paypal.com
M. Aizatulin Verifying Implementations of Security Protocols in C

10. Motivation (III)
Now the attacker can impersonate the client and the bank to each
other:
Password? Password?
Password Password + “get $$$”
Client Attacker (= Internet) paypal.com
M. Aizatulin Verifying Implementations of Security Protocols in C

11. Background
Machine Languages Formal Languages
(C, Java) (π-calculus, LySa)
low-level properties
(NULL dereference,
division by zero)
high-level properties
(secrecy, authentica-
tion)
M. Aizatulin Verifying Implementations of Security Protocols in C

12. Background
There has been great progress in
static software analysis,
Machine Languages Formal Languages
(C, Java) (π-calculus, LySa)
low-level properties VCC Frama-C
(NULL dereference, ESC/Java
division by zero)
SLAM
high-level properties
(secrecy, authentica-
tion)
M. Aizatulin Verifying Implementations of Security Protocols in C

13. Background
There has been great progress in
static software analysis,
verification of protocol specifications.
Machine Languages Formal Languages
(C, Java) (π-calculus, LySa)
low-level properties VCC Frama-C
(NULL dereference, ESC/Java
division by zero)
SLAM
high-level properties ProVerif/CryptoVerif
(secrecy, authentica- AVISPA
tion) LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C

14. Background
There has been great progress in
static software analysis,
verification of protocol specifications.
But so far very little progress in where the two meet.
Machine Languages Formal Languages
(C, Java) (π-calculus, LySa)
low-level properties VCC Frama-C
(NULL dereference, ESC/Java
division by zero)
SLAM
high-level properties ProVerif/CryptoVerif
CSur
(secrecy, authentica- AVISPA
Our Goal
tion) LySatool
M. Aizatulin Verifying Implementations of Security Protocols in C

15. ProVerif
ProVerif is a protocol verifier we would like to use. Its models are
much more abstract than C.
M. Aizatulin Verifying Implementations of Security Protocols in C

16. ProVerif
ProVerif is a protocol verifier we would like to use. Its models are
much more abstract than C.
ProVerif
M ::= expression
a, b, c name
x, y, z variable
f (M1 , . . . , Mn ) constructor
M. Aizatulin Verifying Implementations of Security Protocols in C

17. ProVerif
ProVerif is a protocol verifier we would like to use. Its models are
much more abstract than C.
ProVerif C
M ::= expression M, N ::= expression
a, b, c name 0, . . . , ’a’, . . . constant
x, y, z variable M op N operator
f (M1 , . . . , Mn ) constructor u lvalue
&u reference
u ::= lvalue
x, y, z variable
∗u dereference
u.f ield field access
u[i] array access
M. Aizatulin Verifying Implementations of Security Protocols in C

18. Symbolic Execution
Symbolic execution is a tool to simplify programs and extract their
meaning.
Concrete: Symbolic:
x = 2 y = 3 x = a y = b
i n t f ( i n t x , i n t y ){ i n t f ( i n t x , i n t y ){
r e t u r n ++x ∗ y++;} r e t u r n ++x ∗ y++;}
9 (a + 1)b
M. Aizatulin Verifying Implementations of Security Protocols in C

19. Method (I)
m, hash(m, kshared )
A − − − − − − → B.
−−−−−−
M. Aizatulin Verifying Implementations of Security Protocols in C

20. Method (I)
m, hash(m, kshared )
A − − − − − − → B.
−−−−−−
Client side implemented as:
c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) {
i n t m s g l e n = 5 + l e n + SHA1 LEN ;
char ∗ msg = m a l l o c ( m s g l e n ) ;
char ∗ p = msg ;
∗p = l e n ; p += 4 ; // add l e n g t h
∗ ( p++) = 1 ; // add t h e t a g
memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d
s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h
s e n d ( msg , m s g l e n ) ; // s e n d
}
M. Aizatulin Verifying Implementations of Security Protocols in C

21. Method (II)
c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) {
i n t m s g l e n = 5 + l e n + SHA1 LEN ;
char ∗ msg = m a l l o c ( m s g l e n ) ;
char ∗ p = msg ;
∗p = l e n ; p += 4 ; // add l e n g t h
∗ ( p++) = 1 ; // add t h e t a g
memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d
s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h
s e n d ( msg , m s g l e n ) ; // s e n d
}
M. Aizatulin Verifying Implementations of Security Protocols in C

22. Method (II)
c l i e n t ( char ∗ p a y l o a d , i n t p a y l o a d l e n ) {
i n t m s g l e n = 5 + l e n + SHA1 LEN ;
char ∗ msg = m a l l o c ( m s g l e n ) ;
char ∗ p = msg ;
∗p = l e n ; p += 4 ; // add l e n g t h
∗ ( p++) = 1 ; // add t h e t a g
memcpy ( p a y l o a d , p , l e n ) ; // add t h e p a y l o a d
s h a 1 ( msg , 5 + l e n , p ) ; // add t h e h a s h
s e n d ( msg , m s g l e n ) ; // s e n d
}
Symbolic Execution
out(len(payload )|01| payload
|sha1(len(payload )|01| payload, kshared ))
M. Aizatulin Verifying Implementations of Security Protocols in C

23. Method (III)
...
Symbolic Execution
out(len(payload )|01| payload
|sha1(len(payload )|01| payload, kshared ))
M. Aizatulin Verifying Implementations of Security Protocols in C

24. Method (III)
...
Symbolic Execution
out(len(payload )|01| payload
|sha1(len(payload )|01| payload, kshared ))
Format Abstraction
out(f1 (payload, hash1 (payload, kshared )))
M. Aizatulin Verifying Implementations of Security Protocols in C

25. Method (III)
...
Symbolic Execution
out(len(payload )|01| payload
|sha1(len(payload )|01| payload, kshared ))
Format Abstraction
out(f1 (payload, hash1 (payload, kshared )))
ProVerif (+ Server Side)
Integrity verified.
M. Aizatulin Verifying Implementations of Security Protocols in C

26. Current Status
Done:
Implemented symbolic execution for fixed bitstring lengths
and linear control flow.
Proved correctness of format abstraction.
To do:
Implement symbolic execution for variable bitstring lengths.
Implement format abstraction.
Add support for arbitrary control flow.
M. Aizatulin Verifying Implementations of Security Protocols in C

27. Thank you!
M. Aizatulin Verifying Implementations of Security Protocols in C