A Static Analysis Framework for Security Properties in Mobile and Cryptographic Systems
Total Page:16
File Type:pdf, Size:1020Kb
A Static Analysis Framework for Security Properties in Mobile and Cryptographic Systems Benyamin Y. Y. Aziz, M.Sc. School of Computing, Dublin City University A thesis presented in fulfillment of the requirements for the degree of Doctor of Philosophy Supervisor: Dr Geoff Hamilton September 2003 “Start by doing what’s necessary; then do what’s possible; and suddenly you are doing the impossible” St. Francis of Assisi To Yowell, Olivia and Clotilde Declaration I hereby certify that this material, which I now submit for assessment on the programme of study leading to the award of the degree of Doctor of Philosophy (Ph.D.) is entirely my own work and has not been taken from the work of others save and to the extent that such work has been cited and acknowledged within the text of my work. Signed: I.D. No.: Date: Acknowledgements I would like to thank all those people who were true sources of inspiration, knowledge, guidance and help to myself throughout the period of my doctoral research. In particular, I would like to thank my supervisor, Dr. Geoff Hamilton, without whom this work would not have seen the light. I would also like to thank Dr. David Gray, with whom I had many informative conversations, and my colleagues, Thomas Hack and Fr´ed´ericOehl, for their advice and guidance. Finally, I would like to mention that the work of this thesis was partially funded by project IMPROVE (Enterprise Ireland Strategic Grant ST/2000/94). Benyamin Aziz Abstract We introduce a static analysis framework for detecting instances of security breaches in infinite mobile and cryptographic systems specified using the languages of the π-calculus and its cryptographic extension, the spi calculus. The framework is composed from three components: First, standard denotational semantics of the π-calculus and the spi calculus are constructed based on domain theory. The resulting model is sound and adequate with respect to transitions in the operational semantics. The standard semantics is then extended correctly to non-uniformly capture the property of term substitution, which occurs as a result of communications and successful cryptographic operations. Finally, the non-standard semantics is abstracted to operate over finite domains so as to ensure the termination of the static analysis. The safety of the abstract semantics is proven with respect to the non- standard semantics. The results of the abstract interpretation are then used to capture breaches of the secrecy and authenticity properties in the analysed systems. Two initial prototype implementations of the security analysis for the π-calculus and the spi calculus are also included in the thesis. The main contributions of this thesis are summarised by the following. In the area of denotational semantics, the thesis introduces a domain-theoretic model for the spi calculus that is sound and adequate with respect to transitions in the structural operational seman- tics. In the area of static program analysis, the thesis utilises the denotational approach as the basis for the construction of abstract interpretations for infinite systems modelled by the π-calculus and the spi calculus. This facilitates the use of computationally significant mathematical concepts like least fixed points and results in an analysis that is fully compo- sitional. Also, the thesis demonstrates that the choice of the term-substitution property in mobile and cryptographic programs is rich enough to capture breaches of security properties, like process secrecy and authenticity. These properties are used to analyse a number of mo- bile and cryptographic protocols, like the file transfer protocol and the Needham-Schroeder, SPLICE/AS, Otway-Rees, Kerberos, Yahalom and Woo Lam authentication protocols. Contents 1 Introduction 1 1.1 The Problem of Computer Security . 1 1.2 Mobile Systems . 3 1.3 Denotational Semantics . 6 1.4 Static Program Analysis . 8 1.4.1 Data Flow Analysis . 8 1.4.2 Control Flow Analysis . 11 1.4.3 Abstract Interpretation . 13 1.4.4 Type Systems . 15 1.5 Security Properties . 18 1.5.1 Secrecy . 18 1.5.2 Authenticity . 21 1.6 Further Reading . 23 1.7 Outline of Our Approach . 23 2 Related Work 25 2.1 Introduction . 25 2.2 Static Analysis Techniques for Program Security . 25 2.2.1 Control Flow Analysis . 25 2.2.2 Abstract Interpretation . 26 2.2.3 Type Systems . 27 2.2.4 Other Approaches . 30 2.3 Denotational Semantics of Nominal Calculi . 31 2.4 Conclusion . 33 3 Nominal Calculi 34 3.1 Introduction . 34 vi 3.2 The π-calculus . 34 3.2.1 Syntax . 35 3.2.2 Structural Operational Semantics . 36 3.2.3 Denotational Semantics . 37 3.3 The Spi Calculus . 42 3.3.1 Syntax . 43 3.3.2 Structural Operational Semantics . 45 3.3.3 Denotational Semantics . 46 3.4 Conclusion . 52 4 Abstract Interpretation 53 4.1 Introduction . 53 4.2 The π-calculus . 54 4.2.1 Non-standard Semantics . 54 4.2.2 Abstract Semantics . 57 4.2.3 The Intruder I ............................... 62 4.2.4 The FTP Server Example . 63 4.3 The Spi Calculus . 67 4.3.1 Non-standard Semantics . 68 4.3.2 Abstract Semantics . 71 4.3.3 The Intruder I . 78 4.3.4 The Needham-Schroeder Public-Key Protocol Example . 79 4.3.5 The SPLICE/AS Protocol Example . 83 4.3.6 The Otway-Rees Protocol Example . 86 4.3.7 The Kerberos Protocol Example . 90 4.3.8 The Yahalom Protocol Example . 93 4.3.9 The Woo-Lam One-Way Authentication Protocol Example . 95 4.4 Conclusion . 98 5 Security Properties 99 5.1 Introduction . 99 5.2 Secrecy . 99 5.2.1 Mobile Systems . 100 5.2.2 Cryptographic Protocols . 101 5.3 Authenticity . 102 5.3.1 Mobile Systems . 103 vii 5.3.2 Cryptographic Protocols . 104 5.4 Examples . 105 5.4.1 The FTP Server Example . 105 5.4.2 The Needham-Schroeder Public-Key Protocol Example . 107 5.4.3 The SPLICE/AS Protocol Example . 109 5.4.4 The Otway-Rees Protocol Example . 110 5.4.5 The Kerberos Protocol Example . 112 5.4.6 The Yahalom Protocol Example . 114 5.4.7 The Woo-Lam Protocol Example . 115 5.5 Conclusion . 117 6 Automatic Tools 118 6.1 Introduction . 118 6.2 Picasso: A Pi-Calculus Analyser for Secrecy and Security Objectives . 118 6.3 Spicasso: A Spi-Calculus Analyser for Secrecy and Security Objectives . 123 6.4 Conclusion . 127 7 Conclusion and Future Work 128 7.1 Research Contributions . 130 7.1.1 Denotational Semantics . 130 7.1.2 The Static Analysis of Nominal Calculi . 130 7.1.3 Program Security . 131 7.2 Future Work . 132 7.2.1 Communication Secrecy . 132 7.2.2 Message Independence . 132 7.2.3 Language Extensions . 134 A Proofs 150 A.1 Safety of the ∪φ operation in the π-calculus (Lemma 1) . 150 A.2 Safety of the abstract semantics of the π-calculus (Theorem 5) . 152 A.3 Safety of the ∪φ operation in the spi calculus (Lemma 2) . 160 A.4 Safety of the abstract semantics for the spi calculus (Theorem 8) . 162 viii List of Figures 1.1 The flow graph of the factorial program. 9 1.2 The solution of the reaching definitions analysis for the factorial program. 10 1.3 Types for the reaching definitions analysis. 16 3.1 Syntax of the π-calculus. 35 3.2 Rules of the labelled transition relation in the π-calculus. 36 3.3 Elements of In, Out and P i⊥............................ 38 3.4 The definition of new for the π-calculus. 39 3.5 The denotational semantics of the π-calculus. 40 3.6 The syntax of the spi calculus. 44 3.7 Rules of the labelled transition relation in the spi calculus. 46 3.8 Elements of the predomain of terms T ....................... 48 3.9 Elements of In, Out, and Spi ⊥........................... 48 3.10 The definition of new for the spi calculus. 49 3.11 The denotational semantics of the spi calculus. 50 4.1 The non-standard semantics of the π-calculus. 56 4.2 The abstract semantics of the π-calculus. 59 4.3 The non-standard semantics of the spi calculus. 69 4.3 The non-standard semantics of the spi.