DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval, Vincent; Kremer, Steve; Rakotonirina, Itsaka

doi:10.1109/sp.2018.00033

Cited by 57 publications

(80 citation statements)

References 40 publications

(48 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We may want compilation to preserve this "runs faster than" relation between the two program behaviors against arbitrary target contexts. Similarly, in any source context, the behaviors of P 1 and P 2 may be equal and we may want the compiler to preserve such trace equivalence [17,28,32] in arbitrary target contexts. This last criterion, which we call Robust Trace Equivalence Preservation (RTEP) in Figure 1, is interesting because in various determinate settings [27,42] it coincides with preserving observational equivalence, the security-relevant part of full abstraction (see §5).…”

Section: Robustly Preserving Relational Hyperpropertiesmentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program's data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce.We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.(∀C T . ∀t 1 , .., t k , ..(∀i.C T [P i ] t i ) ⇒ (t 1 , .., t k , ..) ∈ R)

show abstract

Section: Robustly Preserving Relational Hyperpropertiesmentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…q the Helios e-voting protocol [2]. Automated analyses of this protocol exist when no revote is allowed, or is limited to one revote from a honest voter [3,16]. In this paper, we analyse several models covering revote scenarios for 7 emitted honest ballots.…”

Section: Contributionsmentioning

confidence: 99%

“…Partial order reduction techniques for equivalence properties were only introduced more recently by Baelde et al [5,6]: implementing these techniques in the APTE tool resulted in spectacular speed-ups. Other state-of-the-art tools, AKISS [14] and DeepSec [16], integrated these techniques as well. However, these existing techniques are limited in scope as they require protocols to be determinate.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

Cheval

Kremer

Rakotonirina

2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Verification of privacy-type properties for cryptographic protocols in an active adversarial environment, modelled as a behavioural equivalence in concurrent-process calculi, exhibits a high computational complexity. While undecidable in general, for some classes of common cryptographic primitives the problem is coNEXP-complete when the number of honest participants is bounded.In this paper we develop optimisation techniques for verifying equivalences, exploiting symmetries between the two processes under study. We demonstrate that they provide a significant (several orders of magnitude) speed-up in practice, thus increasing the size of the protocols that can be analysed fully automatically. CCS CONCEPTS• Security and privacy → Formal security models; Logic and verification.Security protocols are distributed programs transmitting data between several parties. The underlying messages may be sensitivefor economical, political, or privacy reasons-and communications are usually performed through an untrusted network such as the Internet. Therefore, such protocols need to guarantee strong security requirements in an active adversarial setting, i.e., when considering an adversary that has complete control over the communication network. Formal, symbolic methods, rooted in the seminal work of Dolev and Yao [26], have been successful in analysing complex protocols, including for instance the recent TLS 1.3 proposal [11,25] and the upcoming 5G standard [8].

show abstract

“…• If head((C 1 ) |q ) ≡ a (with a ∈ F ∪ N ) then, from the fact that C 0 C 1 we get that head((C 0 ) |q ) ≡ a, and that head((C 0 ) |q ) ≡ a. • If head((C 1 ) |q ) ≡ [] x then using (7) we get that We then mimic all reduction → R on C 1 by a reduction on C 0 , while maintaining and the invariant of (7). Mimicking rules in → R is easy as they are left-linear.…”

Section: B Well-nestednessmentioning

confidence: 99%

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability

Koutsos

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Computational indistinguishability is a key property in cryptography and verification of security protocols. Current tools for proving it rely on cryptographic game transformations.We follow Bana and Comon's approach [1], [2], axiomatizing what an adversary cannot distinguish. We prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an IND-CCA2 encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.

show abstract

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cited by 57 publications

References 40 publications

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability

Contact Info

Product

Resources

About