Results 1  10
of
114
Secure distributed programming with valuedependent types
 In: Proceedings of the 13th ACM SIGPLAN International Conference on Functional Programming (ICFP
, 2011
"... Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich librar ..."
Abstract

Cited by 80 (15 self)
 Add to MetaCart
(Show Context)
Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich libraries are added, using types to reason about programs, specifications, and proofs becomes challenging. We present F ⋆ , a fullfledged design and implementation of a new dependently typed language for secure distributed programming. Unlike prior languages, F ⋆ provides arbitrary recursion while maintaining a logically consistent core; it enables modular reasoning about state and other effects using affine types; and it supports proofs of refinement properties using a mixture of cryptographic evidence and logical proof terms. The key mechanism is a new kind system that tracks several sublanguages within F ⋆ and controls their interaction. F ⋆ subsumes two previous languages, F7 and Fine. We prove type soundness (with proofs mechanized in Coq) and logical consistency for F ⋆. We have implemented a compiler that translates F ⋆ to.NET bytecode, based on a prototype for Fine. F ⋆ provides access to libraries for concurrency, networking, cryptography, and interoperability with C#, F#, and the other.NET languages. The compiler produces verifiable binaries with 60 % code size overhead for proofs and types, as much as a 45x improvement over the Fine compiler, while still enabling efficient bytecode verification. To date, we have programmed and verified more than 20,000 lines of F ⋆ including (1) new schemes for multiparty sessions; (2) a zeroknowledge privacypreserving payment protocol; (3) a provenanceaware curated database; (4) a suite of 17 webbrowser extensions verified for authorization properties; and (5) a cloudhosted multitier web application with a verified reference monitor.
Modular verification of security protocol code by typing
 in: Proceedings of the 37th ACM SIGACTSIGPLAN Symposium on Principles of Programming Languages (POPL
, 2010
"... We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We develop cryptographic libraries that embed a logic model of their cryptographic structures and that specify preconditions and postcon ..."
Abstract

Cited by 50 (17 self)
 Add to MetaCart
(Show Context)
We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We develop cryptographic libraries that embed a logic model of their cryptographic structures and that specify preconditions and postconditions on their functions so as to maintain their invariants. We present a theory to justify the soundness of modular code verification via our method. We implement the method for protocols coded in F # and verified using F7, our SMTbased typechecker for refinement types, that is, types carrying formulas to record invariants. As illustrated by a series of programming examples, our method can flexibly deal with a range of different cryptographic constructions and protocols. We evaluate the method on a series of larger case studies of protocol code, previously checked using wholeprogram analyses based on ProVerif, a leading verifier for cryptographic protocols. Our results indicate that compositional verification by typechecking with refinement types is more scalable than the best domainspecific analysis currently available for cryptographic code.
Cryptographic protocol synthesis and verification for multiparty sessions
 In 22nd IEEE Computer Security Foundations Symposium (CSF’09
, 2009
"... We present a compiler for generating custom cryptographic protocols from highlevel multiparty sessions. Sessions specify prearranged patterns of message exchanges between distributed participants and their data accesses to a shared store. We define integrity and confidentiality properties of sessi ..."
Abstract

Cited by 47 (13 self)
 Add to MetaCart
(Show Context)
We present a compiler for generating custom cryptographic protocols from highlevel multiparty sessions. Sessions specify prearranged patterns of message exchanges between distributed participants and their data accesses to a shared store. We define integrity and confidentiality properties of sessions, in a setting where the network and arbitrary compromised parties may be controlled by an adversary. Our compiler enforces these security properties by guarding the sending and receiving of session messages by efficient cryptographic operations and checks. Given a session, our compiler generates an ML module and an interface that exposes send and receive functions that can be called by application code for each party. We prove that this generated code is secure by relying on a recent refinement type system for ML. Functions in the module interface are given dependent types
ASPIER: An Automated Framework for Verifying Security Protocol Implementations
"... Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodol ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
(Show Context)
Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodology for software model checking with a domainspecific protocol and symbolic attacker model. We have implemented the ASPIER tool and used it to verify authentication and secrecy properties of a part of an industrial strength protocol implementation – the handshake in OpenSSL – for configurations consisting of up to 3 servers and 3 clients. We have also implemented two distinct methods for reasoning about attacker message derivations, and evaluated them in the context of OpenSSL verification. ASPIER detected the “versionrollback ” vulnerability in OpenSSL 0.9.6c source code and successfully verified the implementation when clients and servers are only willing to run SSL 3.0. Keywordssecurity protocol; verification; model checking; abstraction refinement. I.
Enforcing Stateful Authorization and Information Flow Policies in FINE
"... Abstract. Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no securitytyped language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies ..."
Abstract

Cited by 36 (9 self)
 Add to MetaCart
(Show Context)
Abstract. Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no securitytyped language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies which address a range of concerns including forms of access control and information flow tracking. This paper presents FINE, a new sourcelevel securitytyped language that, through the use of a simple module system and dependent, refinement, and affine types, checks the enforcement of dynamic security policies applied to real software. FINE is proven sound. A prototype implementation of the compiler and several example programs are available from
Semantic subtyping with an SMT solver
, 2010
"... We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
(Show Context)
We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; for example, intersection, union, negation, singleton, nullable, variant, and algebraic types are all derivable. We formulate a semantics in which expressions denote terms, and types are interpreted as firstorder logic formulas. Subtyping is defined as valid implication between the semantics of types. The formulas are interpreted in a specific model that we axiomatize using standard firstorder theories. On this basis, we present a novel typechecking algorithm able to eliminate many dynamic tests and to detect many errors statically. The key idea is to rely on an SMT solver to compute subtyping efficiently. Moreover, interpreting types as formulas allows us to call the SMT solver at runtime to compute instances of types.
Cosp: a general framework for computational soundness proofs
 In ACM Conference on Computer and Communications Security
, 2009
"... We describe CoSP, a general framework for conducting computational soundness proofs of symbolic models and for embedding these proofs into formal calculi. CoSP considers arbitrary equational theories and computational implementations, and it abstracts away many details that are not crucial for provi ..."
Abstract

Cited by 24 (8 self)
 Add to MetaCart
We describe CoSP, a general framework for conducting computational soundness proofs of symbolic models and for embedding these proofs into formal calculi. CoSP considers arbitrary equational theories and computational implementations, and it abstracts away many details that are not crucial for proving computational soundness, such as message scheduling, corruption models, and even the internal structure of a protocol. CoSP enables soundness results, in the sense of preservation of trace properties, to be proven in a conceptually modular and generic way: proving x cryptographic primitives sound for y calculi only requires x + y proofs (instead of x · y proofs without this framework), and the process of embedding calculi is conceptually decoupled from computational soundness proofs of cryptographic primitives. We exemplify the usefulness of CoSP by proving the first computational soundness result for the fullfledged applied πcalculus under active attacks. Concretely, we embed the applied πcalculus into CoSP and give a sound implementation of publickey encryption and digital signatures.
Typepreserving Compilation for Endtoend Verification of Security Enforcement
"... A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessar ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
(Show Context)
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proofcarrying authorization. Others languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables endtoend verification is missing. In this paper, we present a typepreserving compiler that translates programs written in FINE, a sourcelevel functional language with dependent refinements and affine types, to DCIL, a new extension of the.NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCFstyle proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proofcarrying authorization, and evidencebased auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a pluginbased email client to a conference management server.
Computationally sound verification of source code
, 2010
"... Increasing attention has recently been given to the formal verification of the source code of cryptographic protocols. The standard approach is to use symbolic abstractions of cryptography that make the analysis amenable to automation. This leaves the possibility of attacks that exploit the mathema ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
Increasing attention has recently been given to the formal verification of the source code of cryptographic protocols. The standard approach is to use symbolic abstractions of cryptography that make the analysis amenable to automation. This leaves the possibility of attacks that exploit the mathematical properties of the cryptographic algorithms themselves. In this paper, we show how to conduct the protocol analysis on the source code level (F # in our case) in a computationally sound way, i.e., taking into account cryptographic security definitions. We build upon the prominent F7 verification framework (Bengtson et al., CSF 2008) which comprises a security typechecker for F # protocol implementations using symbolic idealizations and the concurrent lambda calculus RCF to model a core fragment of F#. To leverage this prior work, we give conditions under which symbolic security of RCF programs using cryptoraphic idealizations implies computational security of the same programs using cryptographic algorithms. Combined with F7, this yields a computationally sound, automated verification of F# code containing publickey encryptions and signatures. For the actual computational soundness proof, we use the CoSP framework (Backes, Hofheinz, and Unruh, CCS 2009). We thus inherit the modularity of CoSP, which allows for easily extending our proof to other cryptographic primitives.
Typechecking zeroknowledge
 In CCS 2008
, 2008
"... This paper presents the first type system for statically analyzing security protocols that are based on zeroknowledge proofs. We show how certain properties offered by zeroknowledge proofs can be characterized in terms of authorization policies and statically enforced by a type system. The analysis ..."
Abstract

Cited by 22 (11 self)
 Add to MetaCart
(Show Context)
This paper presents the first type system for statically analyzing security protocols that are based on zeroknowledge proofs. We show how certain properties offered by zeroknowledge proofs can be characterized in terms of authorization policies and statically enforced by a type system. The analysis is modular and compositional, and provides security proofs for an unbounded number of protocol executions. We develop a new typechecker that conducts the analysis in a fully automated manner. We exemplify the applicability of our technique to realworld protocols by verifying the authenticity and secrecy properties of the Direct Anonymous Attestation (DAA) protocol. The analysis of DAA takes less than three seconds.