Citation
"ASPIER: An Automated Framework for Verifying Security Protocol Implementations". S. Chaki, A. Datta (eds.), 22nd IEEE Computer Security Foundations Symposium, July, 2009.
Abstract
We present ASPIER – the first framework that
combines software model checking with a standard protocol
security model to automatically analyze authentication and
secrecy properties of protocol implementations in C. The
technical approach extends the iterative abstraction-refinement
methodology for software model checking with a domainspecific
protocol and symbolic attacker model. We have implemented
the ASPIER tool and used it to verify authentication
and secrecy properties of a part of an industrial strength
protocol implementation – the handshake in OpenSSL – for
configurations consisting of up to 3 servers and 3 clients. We
have also implemented two distinct methods for reasoning
about attacker message derivations, and evaluated them in
the context of OpenSSL verification. ASPIER detected the
“version-rollback” vulnerability in OpenSSL 0.9.6c source code
and successfully verified the implementation when clients and
servers are only willing to run SSL 3.0.
Electronic downloads
- chaki-datta-csf09.pdf · application/pdf · 260 kbytes
| Citation formats |
- HTML
<a href="http://www.truststc.org/pubs/752.html" ><i>ASPIER: An Automated Framework for Verifying Security Protocol Implementations</i></a>, S. Chaki, A. Datta (eds.), 22nd IEEE Computer Security Foundations Symposium, July, 2009.
- Plain text
"ASPIER: An Automated Framework for Verifying Security Protocol Implementations". S. Chaki, A. Datta (eds.), 22nd IEEE Computer Security Foundations Symposium, July, 2009.
- BibTeX
@proceedings{ChakiDatta09_ASPIERAutomatedFrameworkForVerifyingSecurityProtocol, title = {ASPIER: An Automated Framework for Verifying Security Protocol Implementations}, editor = {S. Chaki, A. Datta}, organization = {22nd IEEE Computer Security Foundations Symposium}, month = {July}, year = {2009}, abstract = {We present ASPIER â the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstraction-refinement methodology for software model checking with a domainspecific protocol and symbolic attacker model. We have implemented the ASPIER tool and used it to verify authentication and secrecy properties of a part of an industrial strength protocol implementation â the handshake in OpenSSL â for configurations consisting of up to 3 servers and 3 clients. We have also implemented two distinct methods for reasoning about attacker message derivations, and evaluated them in the context of OpenSSL verification. ASPIER detected the âversion-rollbackâ vulnerability in OpenSSL 0.9.6c source code and successfully verified the implementation when clients and servers are only willing to run SSL 3.0.}, URL = {http://www.truststc.org/pubs/752.html} }
Posted by Jessica Gamble on 5 May 2010.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.