Title :
ASPIER: An Automated Framework for Verifying Security Protocol Implementations
Author :
Chaki, Sagar ; Datta, Anupam
Author_Institution :
Software Eng. Inst., PA, USA
Abstract :
We present ASPIER - the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstraction-refinement methodology for software model checking with a domain-specific protocol and symbolic attacker model. We have implemented the ASPIER tool and used it to verify authentication and secrecy properties of a part of an industrial strength protocol implementation - the handshake in OpenSSL - for configurations consisting of up to 3 servers and 3 clients. We have also implemented two distinct methods for reasoning about attacker message derivations, and evaluated them in the context of OpenSSL verification. ASPIER detected the "version-rollback" vulnerability in OpenSSL 0.9.6c source code and successfully verified the implementation when clients and servers are only willing to run SSL 3.0.
Keywords :
protocols; security of data; OpenSSL verification; SSL 3.0; aspier tool; iterative abstraction-refinement methodology; security protocol implementations verfication; software model checking; standard protocol security model; symbolic attacker model; version-rollback vulnerability; Algebra; Authentication; Computer languages; Computer security; Concrete; Context modeling; Cryptographic protocols; Cryptography; Libraries; Software standards; abstraction refinement; model checking; security protocol; verification;
Conference_Titel :
Computer Security Foundations Symposium, 2009. CSF '09. 22nd IEEE
Conference_Location :
Port Jefferson, NY
Print_ISBN :
978-0-7695-3712-2
DOI :
10.1109/CSF.2009.20
