Code Security Analysis of a Biometric Authentication System Using Automated Theorem Provers

nauseatingcynicalSecurity

Feb 22, 2014

Jan Jürjens
Software & Systems Engineering
Technical University of Munich
http://www4.in.tum.de/~juerjens
Jan Jürjens, TU Munich: Code Security Analysis Using Automated TheoremProvers2
Security Analysis of C Programs
Logic-based program understanding of crypto protocols in C which is as automatic and complete as possible.
Note: can't be both perfectly automated and complete: security in general undecidable.
Abstract and approximate safely.

Security Analysis
Following Dolev, Yao (1982): To analyze system, verify against attacker model from threat scenarios in deployment diagrams who
may participate in some protocol runs,
knows some data in advance,
may intercept messages on some links,
injects messages that it can produce in some links,
may access certain nodes.

Abstraction, Preprocessing
Enable efficient automated analysis by abstraction (e.g. functions or code-blocks): symbolic representation of
cryptographic or arithmetic routines
technical infrastructure (packet_send, buffer_copy, )
data structures (e.g. a->b)
Factor out pointer usage. Transform to SSA. Eliminate side effects.

Security Analysis in First-order Logic
Approximate set of possible data values flowing through system from above.
Predicate knows(E) meaning that the adversary may get to know E during the execution of the protocol.
E.g. secrecy: For any secret s, check whether can derive knows(s) using automated theorem prover.

First-order Logic: Basic Rules
Define knows(E) for any E initially known to the adversary.
For evolving knowledge define
∀E1,E2,S.(knows(E1) ∧ knows(E2) ⇒ knows(E1:: SE2) ∧ knows({E1;S}_E2) ∧ knows(Dec_E2(E1;S)) ∧ knows(Sign_E2(E1;S)) ∧ knows(Ext_E2(E1;S)))
∀E,S.(knows(E) ⇒ knows(head(E;S)) ∧ knows(tail(E;S)))
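
The secrecy check described on the two slides above, as an added example that is not code from the slides: it decides knows(s) with the usual analyze-then-synthesize closure instead of calling a first-order prover. Assumed here and not stated on the slides: the tuple encoding of terms, the cancellation rules Dec_K^-1({E}_K) = E and Ext_K(Sign_K^-1(E)) = E, the symmetric key K, and the constructed message sets; the S in the slide's formulas is not modelled.

```python
# Terms (encoding constructed for this example): atoms are strings, and
#   ("cat", a, b) = a::b    ("enc", m, k) = {m}_k
#   ("sign", m, k) = Sign_k(m)    ("inv", k) = k^-1
SYMMETRIC = {"K"}          # assumption: session key K is its own inverse

def inv(k):
    """Inverse key, with inv(inv(k)) == k."""
    if k in SYMMETRIC:
        return k
    return k[1] if isinstance(k, tuple) and k[0] == "inv" else ("inv", k)

def synth(t, known):
    """Can t be built from `known` using ::, {.}_k and Sign_k(.)?"""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] in ("cat", "enc", "sign"):
        return synth(t[1], known) and synth(t[2], known)
    return False

def analyze(initial):
    """Close the knowledge set under head/tail, Dec and Ext."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "cat":                      # head(E), tail(E)
                new = {t[1], t[2]}
            elif t[0] in ("enc", "sign") and synth(inv(t[2]), known):
                new = {t[1]}                       # Dec / Ext with the inverse key
            else:
                new = set()
            if not new <= known:
                known |= new
                changed = True
    return known

def knows(t, initial):
    """True if the adversary can derive t from its initial knowledge."""
    return synth(t, analyze(initial))

# Constructed observations: the adversary owns KA / KA^-1 and has seen {s}_K.
OBSERVED = {"KA", ("inv", "KA"), "KS", ("enc", "s", "K")}
LEAKY = OBSERVED | {("enc", ("cat", "K", "N"), "KA")}   # K sent under the adversary's key
SOUND = OBSERVED | {("enc", ("cat", "K", "N"), "KS")}   # K sent under the server's key

if __name__ == "__main__":
    print("leaky run keeps s secret:", not knows("s", LEAKY))
    print("sound run keeps s secret:", not knows("s", SOUND))
```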

Control Flow Graph
Generate control flow graph (e.g. with aiCall (AbsInt)).
Transform to state machine:
trans(state,inpattern,condition,action,nextstate)
where action can be outpattern or localvar:=value.

Translate to First Order Logic
Graph transition TR1=(in(msg_in),cond(msg_in),out(msg_out)) followed by TR2 gives predicate
PRED(TR1) = ∀msg_in. [knows(msg_in) ∧ cond(msg_in) ⇒ knows(msg_out) ∧ PRED(TR2)]
Abstraction (e.g. from senders, receivers): find all attacks, may have false positives.
Analyze with automated prover.

Example: Proposed Variant of TLS (SSL)
Presented at IEEE Infocom 1999.
Goal: send secret protected by session key using fewer server resources.

TLS Overview

Example: Translation to Logic
knows(N) ∧ knows(KC) ∧ knows(Sign_KC^-1(C::KC)) ∧ ∀ init1,init2,init3.[knows(init1) ∧ knows(init2) ∧ knows(init3) ∧ snd(Ext_init2(init3)) = init2 ⇒ knows({Sign_KS^-1()} ) [] [ ...]]

Surprise
Completely insecure wrt stated goals. But why? Use prolog-based attack generator.
Can derive knows(s).
That is: Protocol does not preserve secrecy of s against adversaries.

Tool Support

Biometric Authentication System
In development by company in joint project.
Store bio-reference template on smart-card.
Discovered three major attacks against subsequently improved versions (misuse counter circumvented by dropping / replaying messages, smart-card insufficiently authenticated by recombining sessions).

Authent. Protocol Pt. 2: Problem?
Decrease misuse counter
Message order?

Authent. Protocol Pt. 2: Problem.
Drop message 11

Authent. Protocol Pt. 2: Improvement
Check whether FBZ decreased

Authent. Prot. Pt. 2: Improvement?
Note: skh=sksc, FBZ2=FBZ2

Authent. Prot. Pt. 2: Problem
Replay MAC_skh(FBZ2)

Authent. Prot. Pt. 2: Improvement(?)
Subst. MAC_skh(FBZ2) by MAC_skh(write::FBZ2)

Authentic. Protocol Part 1: Problem?
Mutual authentication with challenge & response
Generate shared key
Authentic. vs. keygen.?

Authentic. Protocol Part 1: Problem.
Mutual authentication with challenge & response
Generate shared key
Forged smart-card after authentic.; replay old session key

Authentic. Protocol Part 1: Improvement(!)
Mutual authentication with challenge & response
Generate shared key
Use (both) random numbers in MACs

Conclusions
Understanding Security Goals using First-Order-Logic:
formally based approach
automated, powerful tool support
successful use in industrial projects
Further work: assertions.
More information: http://www4.in.tum.de/~juerjens