Foundations of Computer Security Affiliated with LICS’02


Proceedings

Foundations of Computer Security
Affiliated with LICS’02

FLoC’02
Copenhagen, Denmark
July 25–26, 2002

Edited by Iliano Cervesato

With support from Office of Naval Research International Field Office

Table of Contents

  • Preface
  • Workshop Committees

Foundations of Security

  • On the Decidability of Cryptographic Protocols with Open-ended Data Structures (Ralf Küsters)
  • Game Strategies In Network Security (Kong-Wei Lye and Jeannette M. Wing)
  • Modular Information Flow Analysis for Process Calculi (Sylvain Conchon)

Logical Approaches

  • A Trustworthy Proof Checker (Andrew W. Appel, Neophytos Michael, Aaron Stump, and Roberto Virga)
  • Finding Counterexamples to Inductive Conjectures ... (Graham Steel, Alan Bundy, and Ewen Denney)
  • Automatic SAT-Compilation of Protocol Insecurity Problems via Reduction to Planning (Alessandro Armando and Luca Compagna)

Invited Talk

  • Defining security is difficult and error prone (Dieter Gollmann)

Verification of Security Protocols

  • Identifying Potential Type Confusion in Authenticated Messages (Catherine Meadows)
  • Proving Cryptographic Protocols Safe From Guessing Attacks (Ernie Cohen)

Programming Language Security

  • More Enforceable Security Policies (Lujo Bauer, Jarred Ligatti and David Walker)
  • A Component Security Infrastructure (Yu David Liu and Scott F. Smith)
  • Static Use-Based Object Confinement (Christian Skalka and Scott F. Smith)

Panel

  • The Future of Protocol Verification (Serge Autexier, Iliano Cervesato and Heiko Mantel, moderators)

Author Index

Preface

Computer security is an established field of Computer Science of both theoretical and practical significance.
In recent years, there has been increasing interest in logic-based foundations for various methods in computer security, including the formal specification, analysis and design of cryptographic protocols and their applications, the formal definition of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks, and the modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis.

This workshop continues a tradition, initiated with the Workshops on Formal Methods and Security Protocols — FMSP — in 1998 and 1999 and then the Workshop on Formal Methods and Computer Security — FMCS — in 2000, of bringing together formal methods and the security community. The aim of this particular workshop is to provide a forum for continued activity in this area, to bring computer security researchers in contact with the FLoC community, and to give FLoC attendees an opportunity to talk to experts in computer security.

Given the affinity of themes, FCS was synchronized with the FLoC’02 Verification Workshop (VERIFY). Sessions with a likely overlap in audience were held jointly. Moreover, authors who thought their paper to be of interest for both FCS and VERIFY could indicate that it be considered a joint submission, and it was reviewed by members of both program committees.

FCS received 22 submissions, 10 of which were joint with VERIFY. The review phase selected 11 of them for presentation; 5 of these were joint with VERIFY. This unexpected number of papers led to extending FCS by one day.

Many people have been involved in the organization of the workshop. John Mitchell, assisted by the Organizing Committee, is to be thanked for bringing FCS into existence as part of FLoC. The Program Committee did an outstanding job selecting the papers to be presented, in particular given the short review time.
We are very grateful to the VERIFY chairs, Heiko Mantel and Serge Autexier, for sharing the organizational load and for the numerous discussions. Sebastian Skalberg, Henning Makholm and Klaus Ebbe Grue, our interface to FLoC, turned a potential bureaucratic nightmare into a smooth ride. Finally we are grateful to the authors, the panelists and the attendees who make this workshop an enjoyable and fruitful event.

Iliano Cervesato
FCS’02 Program Chair

Workshop Committees

Program Committee

  • Iliano Cervesato (chair), ITT Industries, USA
  • Véronique Cortier, ENS Cachan, France
  • Grit Denker, SRI International, USA
  • Carl Gunter, University of Pennsylvania, USA
  • Alan Jeffrey, DePaul University, USA
  • Somesh Jha, University of Wisconsin — Madison, USA
  • Trevor Jim, AT&T Labs, USA
  • Heiko Mantel, DFKI Saarbrücken, Germany
  • Catherine Meadows, Naval Research Laboratory, USA
  • Flemming Nielson, Technical University of Denmark
  • Birgit Pfitzmann, IBM Zürich, Switzerland
  • David Sands, Chalmers University of Technology, Sweden
  • Stephen Weeks, InterTrust, USA

Organizing Committee

  • Martín Abadi, University of California — Santa Cruz, USA
  • Hubert Comon, ENS Cachan, France
  • Joseph Halpern, Cornell University, USA
  • Gavin Lowe, Oxford University, UK
  • Jonathan K. Millen, SRI International, USA
  • Michael Mislove, Tulane University, USA
  • John Mitchell (chair), Stanford University, USA
  • Bill Roscoe, Oxford University, UK
  • Peter Ryan, University of Newcastle upon Tyne, UK
  • Steve Schneider, Royal Holloway University of London, UK
  • Vitaly Shmatikov, SRI International, USA
  • Paul Syverson, Naval Research Laboratory, USA
  • Michael Waidner, IBM Zürich, Switzerland
  • Rebecca Wright, AT&T Labs, USA

Session I

Foundations of Security

On the Decidability of Cryptographic Protocols with Open-ended Data Structures

Ralf Küsters
Institut für Informatik und Praktische Mathematik
Christian-Albrechts-Universität zu Kiel, Germany
[email protected]

Abstract

Formal analysis of cryptographic protocols has mainly concentrated on protocols with closed-ended data structures, where closed-ended data structure means that the messages exchanged between principals have fixed and finite format. However, in many protocols the data structures used are open-ended, i.e., messages have an unbounded number of data fields. Formal analysis of protocols with open-ended data structures is one of the challenges pointed out by Meadows. This work studies decidability issues for such protocols. We propose a protocol model in which principals are described by transducers, i.e., finite automata with output, and show that in this model security is decidable and PSPACE-hard in presence of the standard Dolev-Yao intruder.

1 Introduction

Formal methods are very successful in analyzing the security of cryptographic protocols. Using these methods, many flaws have been found in published protocols. By now, a large variety of different methods and tools for cryptographic protocol analysis is available (see [17] for an overview). In particular, for different interesting classes of protocols and intruders, security has been shown to be decidable, usually based on the Dolev-Yao model [7] (see the paragraph on related work).

Previous work has mostly concentrated on protocols with closed-ended data structures, where messages exchanged between principals have fixed and finite format. In what follows, we will refer to these protocols as closed-ended protocols. In many protocols, however, the data structures are open-ended: the exchanged messages may have an unbounded number of data fields that must be processed by a principal in one receive-send action, where receive-send action means that a principal receives a message and reacts, after some internal computation, by sending a message. One can, for example, think of a message [...] receive-send action; see Section 2 for concrete examples.

This paper addresses open-ended protocols, and thus, deals with one of the challenges pointed out by Meadows [17]. The goal is to devise a protocol model rich enough to capture a large class of open-ended protocols such that security is decidable; the long-term goal is to develop tools for automatic verification of open-ended protocols.

Open-ended protocols make it necessary to model principals who can perform in one receive-send action an unbounded number of internal actions; only then can they handle open-ended data structures. Therefore, the first problem is to find a good computational model for receive-send actions. It turns out that one cannot simply extend the existing models. More specifically, Rusinowitch and Turuani [21] describe receive-send actions by single rewrite rules and show security to be NP-complete. In this model, principals have unbounded memory. Furthermore, the terms in the rewrite rules may be non-linear, i.e., multiple occurrence of one variable is allowed, and thus, a principal can compare messages of arbitrary size for equality. To handle open-ended protocols, we generalize the model by Rusinowitch and Turuani in a canonical way and show that if receive-send actions are described by sets of rewrite rules, security is undecidable, even with i) finite memory and non-linear terms, or ii) unbounded memory and linear terms. Consequently, we need a computational model in which principals have finite memory and cannot compare messages of arbitrary size for equality.

For this reason, we propose to use transducers, i.e., finite automata with output, as the computational model for receive-send actions, since transducers satisfy the above restrictions — they have finite memory and cannot compare messages of arbitrary size for equality —, and still can deal with open-ended data structures. In Section 5.1 our so-called transducer-based model is discussed in detail. The main technical result of this paper is that in the transducer-based model, security is decidable and PSPACE-hard under the following assumptions: the num-
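
An added illustration of the transducer argument in the introduction (not code from the paper, and not its formal model): a constructed principal that processes a message with any number of fields in one receive-send action using only a finite state, and a pigeonhole search showing why such a device cannot compare two arbitrarily long messages for equality. The SERVER principal, its field alphabet and all function names are assumptions made for this sketch.

```python
from itertools import product

class Transducer:
    """Deterministic finite automaton with output: (state, field) -> (state, reply)."""
    def __init__(self, start, delta):
        self.start, self.delta = start, delta
        self.states = {s for s, _ in delta}

    def run(self, fields, state=None):
        """Consume any number of fields in one receive-send action."""
        state = self.start if state is None else state
        replies = []
        for f in fields:
            state, reply = self.delta[(state, f)]
            replies.append(reply)
        return state, replies

# Constructed principal: requests are served only after an "auth" field.
SERVER = Transducer("locked", {
    ("locked", "auth"): ("open", "ok"),
    ("locked", "req"): ("locked", "deny"),
    ("open", "auth"): ("open", "ok"),
    ("open", "req"): ("open", "ack"),
})
ALPHABET = ("auth", "req")

def colliding_prefixes(t, alphabet):
    """Pigeonhole: two different non-empty field sequences that leave t in the same state."""
    seen = {}
    # Lengths 1..n+1 give at least n+1 words for n states, so a collision must occur.
    for n in range(1, len(t.states) + 2):
        for word in product(alphabet, repeat=n):
            state, _ = t.run(word)
            if state in seen:
                return seen[state], word
            seen[state] = word
    raise AssertionError("unreachable for a finite state set")

def reaction_to_second(t, first, second):
    """What t does on `second` after reading `first`; its only memory of `first` is the state."""
    state, _ = t.run(first)
    return t.run(second, state)
```

For the two sequences `u`, `v` returned by `colliding_prefixes`, the transducer reacts identically to the pair `(u, u)` and the pair `(v, u)`, so no assignment of replies can make it an equality test on messages of arbitrary size.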
