Presentation is loading. Please wait.

Presentation is loading. Please wait.

AVISPA Automated Validation of Internet Security Protocols and Applications Slides adapted from Duminda Wijesekera as well as from Alessandro Armando.

Published byKathrine Aase Modified over 6 years ago

Similar presentations

Presentation on theme: "AVISPA Automated Validation of Internet Security Protocols and Applications Slides adapted from Duminda Wijesekera as well as from Alessandro Armando."— Presentation transcript:

1 AVISPA Automated Validation of Internet Security Protocols and Applications
Slides adapted from Duminda Wijesekera as well as from Alessandro Armando

2 What is AVISPA? Push-button security protocol analyzer.
Supports the specification of security protocols and properties by means of a modular and expressive specification language. Integrates different back-ends implementing a variety of state-of-the-art automatic analysis techniques for protocol falsification (by finding an attack on the input protocol) abstraction-based verification methods both for finite and infinite numbers of sessions. User interaction facilitated by an emacs mode and a Web interface.

3 Architecture

4 AVISPA Back-end Analyses
Protocol falsification, and bounded and un-bounded verification. On-the-fly Model-Checker (OFMC) employs several symbolic techniques to explore the state space in a demand-driven way CL-AtSe (Constraint-Logic-based Attack Searcher) applies constraint solving with simplification heuristics and redundancy elimination techniques SAT-based Model-Checker (SATMC) builds a propositional formula encoding all the possible attacks (of bounded length) on the protocol and feeds the result to a state-of-the-art SAT solver. TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) approximates the intruder knowledge by using regular tree languages and rewriting to produce under and over approximations.

5 High Level Protocol Specification Language. (HLPSL)
Supports symmetric and asymmetric keys, non-atomic keys, key-tables, Diffie-Hellman key-agreement, hash functions, algebraic functions, typed and untyped data, etc. Security properties: different forms of authentication and secrecy. The intruder is modeled by the channel(s) over which the communication takes places: Dolev-Yao intruder and (preliminarily) other intruder models. Role-based language: a role for each (honest) agent, parallel and sequential composition glue roles together.

6 High Level Protocol Specification Language (HLPSL)
Syntax used to specify protocols in AVISPA: Strongly typed Supports modularity: composition, hiding control flow explicit intruder knowledge cryptographic primitives: nonces, hashes, signatures algebraic properties: Xor exp

7 Entities in HLPSL Basic types and terms State-based formalism Roles
Simple (agents such as Alice, Bob etc) Composite (communities of agents playing their roles as Alice Bob and the Dolev-Yao Intruder, Key Server synchronizing with each other) The environment (where all evil lives = Intruder = environment) Security Goals String authentication, authorization, anonymity, secrecy, etc.

8 States and Variables Kinds of variables:
State variables: Those that are within the scope of a role. Declared at the top of a role Unprimed versions indicate current state Primed versions indicate next state

9 An example role Alice (A, B: agent, Ka, Kb: public_key,
SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0 transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B) end role

10 Basic types in HLPSL Agent: names of principles
public_key: asymmetric keys symmetric key: symmetric keys nat: natural numbers function: to model hash functions etc bool: Boolean values for modeling flags

11 Aggregate types Lists Example: KeyMap: (agent, public_key) list
init KeyMap = [] in((B,Kb’), KeyMap)

12 State and transition predicates
State predicate: First order formulas written using unprimed state variables. Example: State = Init State= done Transition predicates First order formulas written using primed and unprimed state variables. (State‘=2) /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na‘)

13 Roles Description of entity behavior Two kinds:
Basic Roles: Schematic descriptions of atomic behavior Composed Roles: Instantiations of other roles composed using operators Roles are translated to TLA for operational semantics

14 Role Definition Role declaration:
its name and the list of formal arguments, along with (in the case of basic roles) a player declaration; Declaration of local variables and ownership rules, if any; Initialization of variables, if required; Declaration of accepting states, if any; Knowledge declarations, if applicable; Either (optionally) : a transition section (for basic roles) or a composition section (for composed roles).

15 Basic Roles role Basic_Role (…) played_by … def= owns {θ: Θ} local {ε}
General Pattern Initiator Role in NSPK role Basic_Role (…) played_by … def= owns {θ: Θ} local {ε} init Init accepts Accept transition event1  action1 event2  action2 end role role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0 transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B) end role

16 Composed Roles: Parallel Composition
Pattern role Par_Role (…) def= owns {θ:Θ} local {ε} init Init accepts Accept composition A  B end role Example role Kerberos (..) composition Client /\ Authn_Server /\ TGS /\ Server end role

17 Composed Roles: Sequential Composition
General Pattern role Seq_Role (…) def= owns {θ:Θ} local {ε} init Init accepts Accept composition A ; B end role Example role Alice (..) establish_TLS_Tunnel(server_ authn_only); present_credentials; main_protocol(request, response) end role

18 State predicates, events and actions
A state predicate: Predicates that do not have primed variables. Stuttering step: A transition predicate that does not change any value Example: X’=X /\ Y=Y’ Action: transition predicates p(v,v’) satisfying v  v’ p(v,v’) Events: transition predicates containing at least one X ≠X’

19 Communication in HLPSL
Synchronous, via immediate transitions Runtime ensures that SND and RCV are executed simultaneously, over channels How communication is modeled: SND(msg) in RHS of rule shorthand for SND’=msg RCV(masg) in LHS is shorthand for (RCV-flag’≠RCV-flag)/\(RCV’=Msg) where RCV-flag is a binary flag toggled whenever the channel has a new message.

20 Role composition No transition section
Have a composition section that instantiate other roles Operators: Parallel /\ Sequential ; Top level role is named Environment

21 The NSPK example: Alice
role Alice (A,B:agent,Ka,Kb:public_key,SND,RCV: channel(dy)) played_by A def= exists State : nat, Na : text (fresh), Nb: text init State=0 knowledge(A) = { inv(Ka) } transition step1. State=0 /\ RCV(start)=|> State’=1/\ SND({Na’.A}Kb) step2. State=1 /\ RCV({Na.Nb’}Ka) =|> State’=2 /\ SND({Nb’}Kb) end role

22 The NSPK: Composition role NSPK(S, R: agent -> channel (dy),
Instances: (agent,agent, public_key,public_key) set) def= exists A, B: agent, Ka, Kb: public_key composition /\_{in((A,B,Ka,Kb),Instances)} Alice(A,B,Ka,Kb,S(A),R(A)) /\ Bob(A,B,Ka,Kb,S(B),R(B)) end role

23 References http://www.avispa-project.org

Download ppt "AVISPA Automated Validation of Internet Security Protocols and Applications Slides adapted from Duminda Wijesekera as well as from Alessandro Armando."

Similar presentations

Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Automated Validation of Internet Security Protocols and Applications Shared cost RTD (FET open) project IST-2001-39252 The AVISPA Project: Automated Validation.

Automated Validation of Internet Security Protocols and Applications Shared cost RTD (FET open) project IST The AVISPA Project: Automated Validation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Architecture Representation

Architecture Representation
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.

An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.
Duminda WijesekeraFall 20051 AVISPA Class Notes for ISA 780 Made from many publications available from the AVISPA web site

Duminda WijesekeraFall AVISPA Class Notes for ISA 780 Made from many publications available from the AVISPA web site
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.

© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.
An algebra of Connectors for modeling CommUnity with Tiles joint work with Roberto Bruni Ugo Montanari Dipartimento di Informatica Università di Pisa Ivan.

An algebra of Connectors for modeling CommUnity with Tiles joint work with Roberto Bruni Ugo Montanari Dipartimento di Informatica Università di Pisa Ivan.

Similar presentations

Ads by Google