AVISPA Automated Validation of Internet Security Protocols and Applications

1
AVISPA Automated Validation of Internet Security
Protocols and Applications

• Slides adapted from Duminda Wijesekera as well as
  from Alessandro Armando

2
What is AVISPA?

• Push-button security protocol analyzer.
• Supports the specification of security protocols
  and properties by means of a modular and
  expressive specification language.
• Integrates different back-ends implementing a
  variety of state-of-the-art automatic analysis
  techniques for
• protocol falsification (by finding an attack on
  the input protocol)
• abstraction-based verification methods
• both for finite and infinite numbers of
  sessions.
• User interaction facilitated by an emacs mode and
  a Web interface.

3
Architecture
4
AVISPA Back-end Analyses

• Protocol falsification, and bounded and
  un-bounded verification.
• On-the-fly Model-Checker (OFMC)
• employs several symbolic techniques to explore
  the state space in a demand-driven way
• CL-AtSe (Constraint-Logic-based Attack Searcher)
• applies constraint solving with simplification
  heuristics and redundancy elimination techniques
• SAT-based Model-Checker (SATMC)
• builds a propositional formula encoding all the
  possible attacks (of bounded length) on the
  protocol and feeds the result to a
  state-of-the-art SAT solver.
• TA4SP (Tree Automata based on Automatic
  Approximations for the Analysis of Security
  Protocols)
• approximates the intruder knowledge by using
  regular tree languages and rewriting to produce
  under and over approximations.

5
High Level Protocol Specification Language.
(HLPSL)

• Supports symmetric and asymmetric keys,
  non-atomic keys, key-tables, Diffie-Hellman
  key-agreement, hash functions, algebraic
  functions, typed and untyped data, etc.
• Security properties different forms of
  authentication and secrecy.
• The intruder is modeled by the channel(s) over
  which the communication takes places
• Dolev-Yao intruder and (preliminarily) other
  intruder models.
• Role-based language
• a role for each (honest) agent,
• parallel and sequential composition glue roles
  together.

6
High Level Protocol Specification Language (HLPSL)

• Syntax used to specify protocols in AVISPA
• Strongly typed
• Supports
• modularity composition, hiding
• control flow
• explicit intruder knowledge
• cryptographic primitives
• nonces,
• hashes,
• signatures
• algebraic properties
• Xor
• exp

7
Entities in HLPSL

• Basic types and terms
• State-based formalism
• Roles
• Simple (agents such as Alice, Bob etc)
• Composite (communities of agents playing their
  roles as Alice Bob and the Dolev-Yao Intruder,
  Key Server synchronizing with each other)
• The environment
• (where all evil lives Intruder environment)
• Security Goals
• String authentication, authorization, anonymity,
  secrecy, etc.

8
States and Variables

• Kinds of variables
• State variables Those that are within the scope
  of a role.
• Declared at the top of a role
• Unprimed versions indicate current state
• Primed versions indicate next state

9
An example
role Alice (A, B agent,
Ka, Kb public_key, SND, RCV
channel (dy)) played_by A def local
Statenat, Natext (fresh), Nbtext init State
0 transition 1. State 0 /\
RCV(start) gt State'2 /\ SND(Na'.A_Kb)
/\ witness(A,B,na,Na') 2.
State 2 /\ RCV(Na.Nb'_Ka) gt State'4 /\
SND(Nb'_Kb) /\
request(A,B,nb,Nb') /\
secret(Na,B) end role
10
Basic types in HLPSL

• Agent names of principles
• public_key asymmetric keys
• symmetric key symmetric keys
• nat natural numbers
• function to model hash functions etc
• bool Boolean values for modeling flags

11
Aggregate types

• Lists
• Example
• KeyMap (agent, public_key) list
• init KeyMap
• in((B,Kb), KeyMap)

12
State and transition predicates

• State predicate First order formulas written
  using unprimed state variables.
• Example
• State Init
• State done
• Transition predicates First order formulas
  written using primed and unprimed state
  variables.
• Example
• (State2) /\ SND(Na'.A_Kb)
• /\ witness(A,B,na,Na)

13
Roles

• Description of entity behavior
• Two kinds
• Basic Roles
• Schematic descriptions of atomic behavior
• Composed Roles
• Instantiations of other roles composed using
  operators
• Roles are translated to TLA for operational
  semantics

14
Role Definition

• Role declaration
• its name and the list of formal arguments, along
  with (in the case of basic roles)
• a player declaration
• Declaration of local variables and ownership
  rules, if any
• Initialization of variables, if required
• Declaration of accepting states, if any
• Knowledge declarations, if applicable
• Either (optionally)
• a transition section (for basic roles) or
• a composition section (for composed roles).

15
Basic Roles
General Pattern
Initiator Role in NSPK

• role Basic_Role ()
• played_by def
• owns ? T
• local e
• init Init
• accepts Accept
• transition
• event1 ? action1
• event2 ? action2
• end role

role Alice (A, B agent,
Ka, Kb public_key, SND, RCV
channel (dy)) played_by A def local
Statenat, Natext (fresh), Nbtext init State
0 transition 1. State 0 /\
RCV(start) gt State'2 /\ SND(Na'.A_Kb)
/\ witness(A,B,na,Na') 2.
State 2 /\ RCV(Na.Nb'_Ka) gt State'4 /\
SND(Nb'_Kb) /\
request(A,B,nb,Nb') /\
secret(Na,B) end role
16
Composed Roles Parallel Composition
Pattern

• role Par_Role ()
• def owns ?T
• local e
• init Init
• accepts Accept
• composition
• A ? B
• end role

Example
role Kerberos (..) composition Client /\
Authn_Server /\ TGS /\ Server end role
17
Composed Roles Sequential Composition
General Pattern

• role Seq_Role ()
• def owns ?T
• local e
• init Init
• accepts Accept
• composition
• A B
• end role

Example
role Alice (..) establish_TLS_Tunnel(server_
authn_only) present_credentials
main_protocol(request, response) end role
18
State predicates, events and actions

• A state predicate Predicates that do not have
  primed variables.
• Stuttering step A transition predicate that does
  not change any value
• Example XX /\ YY
• Action transition predicates p(v,v) satisfying
  ?v ? v p(v,v)
• Events transition predicates containing at least
  one X ?X

19
Communication in HLPSL

• Synchronous, via immediate transitions
• Runtime ensures that SND and RCV are executed
  simultaneously, over channels
• How communication is modeled
• SND(msg) in RHS of rule shorthand for SNDmsg
• RCV(masg) in LHS is shorthand for
• (RCV-flag?RCV-flag)/\(RCVMsg) where
• RCV-flag is a binary flag toggled whenever the
  channel has a new message.

20
Role composition

• No transition section
• Have a composition section that instantiate other
  roles
• Operators
• Parallel /\
• Sequential
• Top level role is named Environment

21
The NSPK example Alice

• role Alice (A,Bagent,Ka,Kbpublic_key,SND,RCV
  channel(dy))
• played_by A def
• exists State nat, Na text (fresh), Nb text
• init State0
• knowledge(A) inv(Ka)
• transition
• step1. State0 /\ RCV(start)gt
• State1/\ SND(Na.AKb)
• step2. State1 /\ RCV(Na.NbKa) gt
• State2 /\ SND(NbKb)
• end role

22
The NSPK Composition

• role NSPK(S, R agent -gt channel (dy),
• Instances (agent,agent, public_key,public_key)
  set)
• def
• exists A, B agent, Ka, Kb public_key
• composition
• /\_in((A,B,Ka,Kb),Instances)
• Alice(A,B,Ka,Kb,S(A),R(A))
• /\ Bob(A,B,Ka,Kb,S(B),R(B))
• end role

23
References

• http//www.avispa-project.org
• http//www.avispa-project.org/talks.html
• http//www3.ietf.org/proceedings/05mar/slides/saag
  -1/sld1.htm