AVISPA Automated Validation of Internet Security Protocols and Applications
description
Transcript of AVISPA Automated Validation of Internet Security Protocols and Applications
1
Carnegie Mellon
Maintaining Consistent Replication through Program AnalysisJoe Slember
AVISPA Automated Validation of
Internet Security Protocols and Applications
Slides adapted from Duminda Wijesekera as well as from Alessandro Armando
2
Carnegie Mellon
What is AVISPA?
Push-button security protocol analyzer.
Supports the specification of security protocols and properties by means of a modular and expressive specification language.
Integrates different back-ends implementing a variety of state-of-the-art automatic analysis techniques for protocol falsification (by finding an attack on the input protocol) abstraction-based verification methods
both for finite and infinite numbers of sessions.
User interaction facilitated by an emacs mode and a Web interface.
3
Carnegie Mellon
Architecture
4
Carnegie Mellon
AVISPA Back-end Analyses
Protocol falsification, and bounded and un-bounded verification.
On-the-fly Model-Checker (OFMC) employs several symbolic techniques to explore the state space in a demand-driven
way
CL-AtSe (Constraint-Logic-based Attack Searcher) applies constraint solving with simplification heuristics and redundancy
elimination techniques
SAT-based Model-Checker (SATMC) builds a propositional formula encoding all the possible attacks (of bounded
length) on the protocol and feeds the result to a state-of-the-art SAT solver.
TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) approximates the intruder knowledge by using regular tree languages and rewriting
to produce under and over approximations.
5
Carnegie Mellon
High Level Protocol Specification Language. (HLPSL) Supports symmetric and asymmetric keys, non-atomic keys,
key-tables, Diffie-Hellman key-agreement, hash functions, algebraic functions, typed and untyped data, etc.
Security properties: different forms of authentication and secrecy.
The intruder is modeled by the channel(s) over which the communication takes places: Dolev-Yao intruder and (preliminarily) other intruder models.
Role-based language: a role for each (honest) agent, parallel and sequential composition glue roles together.
6
Carnegie Mellon
High Level Protocol Specification Language (HLPSL) Syntax used to specify protocols in AVISPA: Strongly typed Supports
modularity: composition, hiding control flow explicit intruder knowledge
cryptographic primitives: nonces, hashes, signatures
algebraic properties: Xor exp
7
Carnegie Mellon
Entities in HLPSL
Basic types and terms State-based formalism Roles
Simple (agents such as Alice, Bob etc) Composite (communities of agents playing their roles as Alice Bob
and the Dolev-Yao Intruder, Key Server synchronizing with each other)
The environment (where all evil lives = Intruder = environment)
Security Goals String authentication, authorization, anonymity, secrecy, etc.
8
Carnegie Mellon
States and Variables
Kinds of variables: State variables: Those that are within the scope of a role. Declared at the top of a role Unprimed versions indicate current state Primed versions indicate next state
9
Carnegie Mellon
An example
role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0
transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role
10
Carnegie Mellon
Basic types in HLPSL
Agent: names of principles
public_key: asymmetric keys
symmetric key: symmetric keys
nat: natural numbers
function: to model hash functions etc
bool: Boolean values for modeling flags
11
Carnegie Mellon
Aggregate types
Lists
Example:KeyMap: (agent, public_key) list
init KeyMap = []
in((B,Kb’), KeyMap)
12
Carnegie Mellon
State and transition predicates
State predicate: First order formulas written using unprimed state variables.
Example: State = Init State= done
Transition predicates First order formulas written using primed and unprimed state variables.
Example:
(State‘=2) /\ SND({Na'.A}_Kb)
/\ witness(A,B,na,Na‘)
13
Carnegie Mellon
Roles
Description of entity behavior
Two kinds: Basic Roles:
Schematic descriptions of atomic behavior Composed Roles:
Instantiations of other roles composed using operators
Roles are translated to TLA for operational semantics
14
Carnegie Mellon
Role Definition
1. Role declaration: its name and the list of formal arguments, along with (in the case of basic
roles) a player declaration;
2. Declaration of local variables and ownership rules, if any;
3. Initialization of variables, if required;
4. Declaration of accepting states, if any;
5. Knowledge declarations, if applicable;
6. Either (optionally) : a transition section (for basic roles) or a composition section (for composed roles).
15
Carnegie Mellon
Basic Roles
role Basic_Role (…)
played_by … def=
owns {θ: Θ}
local {ε}
init Init
accepts Accept
transition
event1 action1
event2 action2
end role
role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0
transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role
General Pattern Initiator Role in NSPK
16
Carnegie Mellon
Composed Roles: Parallel Composition
role Par_Role (…)
def= owns {θ:Θ}
local {ε}
init Init
accepts Accept
composition
A B
end role
Pattern
Example
role Kerberos (..) composition Client /\ Authn_Server /\ TGS /\ Serverend role
17
Carnegie Mellon
Composed Roles: Sequential Composition
role Seq_Role (…)
def= owns {θ:Θ}
local {ε}
init Init
accepts Accept
composition
A ; B
end role
General Pattern
Example
role Alice (..) establish_TLS_Tunnel(server_ authn_only); present_credentials; main_protocol(request, response)end role
18
Carnegie MellonState predicates, events and actions
A state predicate: Predicates that do not have primed variables.
Stuttering step: A transition predicate that does not change any value Example: X’=X /\ Y=Y’
Action: transition predicates p(v,v’) satisfying v v’ p(v,v’)
Events: transition predicates containing at least one X ≠X’
19
Carnegie Mellon
Communication in HLPSL
Synchronous, via immediate transitions
Runtime ensures that SND and RCV are executed simultaneously, over channels
How communication is modeled: SND(msg) in RHS of rule shorthand for SND’=msg RCV(masg) in LHS is shorthand for
(RCV-flag’≠RCV-flag)/\(RCV’=Msg) where
RCV-flag is a binary flag toggled whenever the channel has a new message.
20
Carnegie Mellon
Role composition
No transition section
Have a composition section that instantiate other roles
Operators: Parallel /\ Sequential ;
Top level role is named Environment
21
Carnegie Mellon
The NSPK example: Alice
role Alice (A,B:agent,Ka,Kb:public_key,SND,RCV: channel(dy))
played_by A def=
exists State : nat, Na : text (fresh), Nb: text
init State=0
knowledge(A) = { inv(Ka) }
transition
step1. State=0 /\ RCV(start)=|>
State’=1/\ SND({Na’.A}Kb)
step2. State=1 /\ RCV({Na.Nb’}Ka) =|>
State’=2 /\ SND({Nb’}Kb)
end role
22
Carnegie Mellon
The NSPK: Composition
role NSPK(S, R: agent -> channel (dy),
Instances: (agent,agent, public_key,public_key) set)
def=
exists A, B: agent, Ka, Kb: public_key
composition
/\_{in((A,B,Ka,Kb),Instances)}
Alice(A,B,Ka,Kb,S(A),R(A))
/\ Bob(A,B,Ka,Kb,S(B),R(B))
end role
23
Carnegie Mellon
References
http://www.avispa-project.org
http://www.avispa-project.org/talks.html
http://www3.ietf.org/proceedings/05mar/slides/saag-1/sld1.htm