Abstract
We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and post-conditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general-purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code.