Formally sound implementations of security protocols with JavaSPI-Reference-Cited by-同舟云学术

Formally sound implementations of security protocols with JavaSPI

Published:2018-03 Issue:2 Volume:30 Page:279-317
ISSN:0934-5043
Container-title:Formal Aspects of Computing
language:en
Short-container-title:Form. Asp. Comput.

Author:

Sisto Riccardo¹^ORCID,Bettassa Copet Piergiuseppe¹,Avalle Matteo¹,Pironti Alfredo²

Affiliation:

1. Dipartimento di Automatica e Informatica, Politecnico di Torino, Turin, Italy

2. IOActive, Madrid, Spain

Abstract

Abstract Designing and coding security protocols is an error prone task. Several flaws are found in protocol implementations and specifications every year. Formal methods can alleviate this problem by backing implementations with rigorous proofs about their behavior. However, formally-based development typically requires domain specific knowledge available only to few experts and the development of abstract formal models that are far from real implementations. This paper presents a Java-based protocol design and implementation framework, where the user can write a security protocol symbolic model in Java, using a well defined subset of the language that corresponds to applied π -calculus. This Java model can be symbolically executed in the Java debugger, formally verified with ProVerif, and further refined to an interoperable Java implementation of the protocol. Soundness theorems are provided to prove that, under some reasonable assumptions, a simulation relation relates the Java refined implementation to the symbolic model verified by ProVerif, so that, for the usual security properties, a property verified by ProVerif on the symbolic model is preserved in the Java refined implementation. The applicability of the framework is evaluated by developing an extensive case study on the popular SSL protocol.

Publisher

Association for Computing Machinery (ACM)

Subject

Theoretical Computer Science,Software

Link

http://link.springer.com/article/10.1007/s00165-017-0449-8/fulltext.html

Reference36 articles.

1. Almeida JB Bangerter E Barbosa M Krenn S Sadeghi AR Schneider T (2010) A certifying compiler for zero-knowledge proofs of knowledge based on Σ-protocols. In: 15th European conference on research in computer security (ESORICS 2010). Lecture notes in computer science vol 6345. Springer Berlin pp 151–167

2. Almeida JB Barbosa M Barthe G Dupressoir F (2013) Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: 2013 ACM SIGSAC conference on computer and communications security (CCS 2013) ACM pp 1217–1230

3. Avanesov T Chevalier Y Mekki MA Rusinowitch M (2012) Web services verification and prudent implementation. In: Data privacy management and autonomous spontaneus security. Lecture notes in computer science vol 7122. Springer Berlin pp 173–189

4. Mobile values, new names, and secure communication

5. Al Fardan NJ Paterson KG (2013) Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE symposium on security and privacy (S & P 2013) IEEE pp 526–540

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. A Generic Methodology for the Modular Verification of Security Protocol Implementations;Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security;2023-11-15

2. Sound Verification of Security Protocols: From Design to Interoperable Implementations;2023 IEEE Symposium on Security and Privacy (SP);2023-05

3. $\text{DY}^{\star}$: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code;2021 IEEE European Symposium on Security and Privacy (EuroS&P);2021-09

4. Analyzing Security Protocol Web Implementations Based on Model Extraction With Applied PI Calculus;IEEE Access;2020