Model–Based Testing of Cryptographic Protocols
- 252 Downloads
Modeling is a popular way of representing the behavior of a system. A very useful type of model in computing is an abstract state machine which describes transitions over first order structures. The general purpose model-based testing tool SpecExplorer (used within Microsoft, also available externally) uses such a model, written in AsmL or Spec#, to perform a search that checks that all reachable states of the model are safe, and also to check conformance of an arbitrary .NET implementation to the model. Spec Explorer provides a variety of ways to cut down the state space of the model, for instance by finitizing parameter domains or by providing predicate abstraction. It has already found subtle bugs in production software.
First order structures and abstract state machines over them are also a useful way to think about cryptographic protocols, since models formulated in these terms arise by natural abstraction from computational cryptography.
In this paper we explain this abstraction process, ‘experiments as structures’, and argue for its faithfulness. We show how the Dolev–Yao intruder model fits into SpecExplorer. In a word, the actions of the Dolev–Yao intruder are the ‘controllable’ actions of the testing framework, whereas the actions of protocol participants are the ‘observable’ actions of the model. The unsafe states are the states violating say Lowe’s security guarantees. Under this view, the general purpose software testing tool quickly finds known attacks, such as Lowe’s attack on the Needham–Schroeder protocol.
KeywordsEncryption Scheme Turing Machine Cryptographic Protocol Negligible Probability Pairing Scheme
Unable to display preview. Download preview PDF.
- [ABS05]Adão, P., Bana, G., Scedrov, A.: Computational and information theoretic soundness and completeness of formal encryption. In: 18th IEEE Computer Security Foundations Workshop – CSFW 2005 (2005)Google Scholar
- [Ban04]Bana, G.: Soundness and Completeness of Formal Logics of Symmetric Encryption. PhD thesis, University of Pennsylvania (2004)Google Scholar
- [BDPR98]Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public–key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 26. Springer, Heidelberg (1998)Google Scholar
- [BG04a]Blass, A., Gurevich, Y.: Ordinary interactive small–step algorithms I. Technical Report MSR-TR-2004-16, Microsoft Research (2004)Google Scholar
- [BG04b]Blass, A., Gurevich, Y.: Ordinary interactive small–step algorithms II. Technical Report MSR-TR-2004-88, Microsoft Research (2004)Google Scholar
- [Gur05]Gurevich, Y.: Interactive algorithms 2005. Technical Report MSR-TR-2005-73, Microsoft Research (2005)Google Scholar
- [MW04a]Micciancio, D., Warinschi, B.: Completeness theorems for the Abadi-Rogaway language of encrypted expressions. Journal of Computer Security 12(1), 99–130 (2004)Google Scholar
- [RR05]Rosenzweig, D., Runje, D.: Some things algorithms cannot do. Technical Report MSR-TR-2005-52, Microsoft Research (2005)Google Scholar
- [AsmL]The AsmL webpage, http://research.microsoft.com/asml/
- [Spec#]Rosenzweig, D., Runje, D., Slani, N.: Privacy, abstract encryption and protocols: an ASM model – Part I. In: Börger, E., Gargantini, A., Riccobene, E. (eds.) ASM 2003. LNCS, vol. 2589, pp. 372–390. Springer, Heidelberg (2003)Google Scholar
- [SpecExp]The SpecExplorer webpage, http://research.microsoft.com/specexplorer/