BibTeX
@MISC{Aizatulin08verifyingimplementations,
author = {Mihhail Aizatulin},
title = {Verifying implementations of security protocols in C},
year = {2008}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
Our goal is verification of cryptographic protocol implementations (such as OpenSSL or Kerberos), motivated by the desire to minimise the gap between verified and executable code. Very little has been done in this area. There are numerous tools to find low-level bugs in code (such as buffer overflows and zero division) and there are verifiers for cryptographic protocols that work on fairly abstract descriptions, but so far very few attempts have been done to verify cryptographic security directly on the code, especially for low-level languages like C. We attempt to verify the protocol code by extracting an abstract model that can be used in high-level cryptographic verification tools such as ProVerif or CryptoVerif. This is the first such approach that we are aware of. Currently we investigate the feasibility of the approach by extracting the model from running code, using the so called concolic (concrete + symbolic) execution. We run the protocol implementation normally, but at the same time we record all the operations performed on binary values and then replay those operations on
Keyphrases
security protocol executable code binary value abstract model numerous tool low-level language buffer overflow protocol code cryptographic security first approach cryptographic protocol concrete symbolic abstract description cryptographic protocol implementation high-level cryptographic verification tool low-level bug protocol implementation
