Results 1 - 8 of 8
A Logic of Secure Systems and its Application to Trusted Computing
Cited by 11 (2 self)
We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dynamically loading and executing unknown (and potentially untrusted) code. The adversary’s capabilities are constrained by the system interface as defined in the programming model (leading to the name CSI-ADVERSARY). We develop a sound proof system for reasoning about programs, without explicitly reasoning about adversary actions. This form of reasoning was particularly difficult to codify for dynamically loaded unknown pieces of code. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise assumptions needed for the security of these protocols and reveal a surprising insecure interaction between the two protocols.
Inductive proofs of computational secrecy
In ESORICS, 2007
Cited by 3 (1 self)
Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.
Leveraging Personal Devices for Stronger Password Authentication from Untrusted Computers
2008
Cited by 2 (0 self)
Internet authentication for popular end-user transactions, such as online banking and e-commerce, continues to be dominated by passwords entered through end-user personal computers (PCs). Most users continue to prefer (typically untrusted) PCs over smaller personal devices for actual transactions, due to usability features related to keyboard and screen size. However most such transactions and their existing underlying protocols are vulnerable to attacks including keylogging, phishing, and pharming, which can extract user identity and sensitive account information allowing account access. We propose a simple approach to counter such attacks, which cryptographically separates a user’s long-term secret input (typically low-entropy password) from the client PC. The latter continues to be used for most of the interaction and computations but has access only to temporary secrets, while the user’s long-term secret is input through an independent personal trusted device such as a cellphone which makes it available to the PC only after encryption under the intended far-end recipient’s public key. Our proposal is intended to safeguard passwords from the attacks mentioned above, as well as to provide transaction security to foil session hijacking. To facilitate a comparison to our proposal, we also provide a comprehensive survey of web authentication techniques that use an additional factor of authentication such as a cellphone, PDA (personal digital assistant) or hardware token; this survey may be of independent interest. A proof sketch of MP-Auth using the Protocol Composition Logic (PCL) is also provided.
On Adversary Models and Compositional Security
Cited by 1 (0 self)
We present a representative development in the science of security that includes a generic model of computer systems, their security properties and adversaries who actively interfere with such systems. We describe logic-based methods to reason about security properties of a system as a composition of properties of its components, and several successful applications of the method in explaining and predicting attacks in a wide variety of systems.
A Logic for Reasoning About Networked Secure Systems
We initiate a program to model and analyze end-to-end security properties of contemporary secure systems that rely on network protocols and memory protection. Specifically, this paper introduces the Logic of Secure Systems (LS²). LS² extends an existing logic for security protocols by incorporating shared memory, time and limited forms of access control. The proof system for LS² supports high-level reasoning about secure systems in the presence of adversaries on the network and the local machine. We prove a soundness theorem for the proof system and illustrate its use by proving a relevant security property of a protocol inspired by the Transport Layer Protocol of the Secure Shell (SSH).
A Proof of Security . . .
2007
The IEEE 802.11s standard is tasked to provide ways of establishing and securing a wireless mesh network. One proposal establishes a Mesh Security Architecture (MSA), with an interesting key hierarchy and full protocol definitions. This paper proves the correctness and security of the MSA proposal and its corresponding protocols. We also propose and prove the security of an additional protocol (an abbreviated handshake) which offers a substantial efficiency improvement in certain instances. To prove the entire architecture secure, we utilize Protocol Composition Logic (PCL) to prove each protocol secure. From that basis, we can show the protocols compose securely to prove the entire architecture. We also contribute some novel concepts to PCL, to allow us to prove the security of the overall architecture.
Reduction-based Security Analysis of Internet Routing Protocols
http://repository.upenn.edu/cis_reports/972
In recent years, there have been strong interests in the networking community in designing new Internet architectures that provide strong security guarantees. However, none of these proposals back their security claims by formal analysis. In this paper, we use a reduction-based approach to prove the route authenticity property in secure routing protocols. These properties require routes accepted and announced by honest nodes in the network are not tampered with by the adversary. We focus on protocols that rely on layered signatures to provide security: each route announcement is associated with a list of signatures attesting the authenticity of its subpaths. Our approach combines manual proofs with automated analysis. We define several reduction steps to reduce proving route authenticity properties to simple checks that can be automatically done by an automated tool Proverif. We show that our analysis is correct with respect to the trace semantics of the routing protocols.
Reduction-based Security Analysis of Internet Routing Protocols
In recent years, there have been strong interests in the networking community in designing new Internet architectures that provide strong security guarantees. However, none of these proposals back their security claims by formal analysis. In this paper, we use a reduction-based approach to prove the route authenticity property in secure routing protocols. These properties require routes announced by honest nodes in the network not to be tampered with by the adversary. We focus on protocols that rely on layered signatures to provide security: each route announcement is associated with a list of signatures attesting the authenticity of its subpaths. Our approach combines manual proofs with automated analysis. We define several reduction steps to reduce proving route authenticity properties to simple checks that can be automatically done by an automated tool Proverif. We show that our analysis is correct with respect to the trace semantics of the routing protocols.

