Abstract
We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and post-conditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general-purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code.
Index Terms
- Refinement types for secure implementations