A Lightweight Formal Approach for Analyzing Security of Web Protocols
作者: Apurva Kumar
DOI: 10.1007/978-3-319-11379-1_10
关键词:
摘要: Existing model checking tools for cryptographic protocol analysis have two drawbacks, when applied to present day web based protocols. Firstly, they require expertise in specialized formalisms which limits their use a small fragment of scientific community. Secondly, do not support common constructs and attacks making the both cumbersome as well error-prone. In this paper, we propose novel security technique We provide explicit mechanisms an adversary capable exploiting browser-based interaction. Our approach has unique aspects. It represents only tool built using general purpose first-order logic modeling language – Alloy that can be used analyze industrial strength The other aspect is our inference system analyzes beliefs at honest participants simplify model. Despite its simplicity, demonstrate effectiveness through case-study SAML, where identify previously unknown vulnerability identity federation workflow.
springer.com
sci-hub.st 参考文章(30)
Jeannette M. Wing, Darrell Kindred, Fast, automatic checking of security protocols WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2. pp. 5- 5 ,(1996)
Cas J. F. Cremers, Pascal Lafourcade, Philippe Nadeau, Comparing State Spaces in Automatic Security Protocol Analysis Formal to Practical Security. pp. 70- 94 ,(2009) , 10.1007/978-3-642-02002-5_5
Holger Sturm, Nobu-Yuki Suzuki, Frank Wolter, Michael Zakharyaschev, Semi-qualitative Reasoning about Distances: A Preliminary Report Springer US. pp. 37- 56 ,(2000) , 10.1007/3-540-40006-0_4
Johann Schumann, Automatic Verification of Cryptographic Protocols with SETHEO conference on automated deduction. pp. 87- 100 ,(1997) , 10.1007/3-540-63104-6_12
Dawn Xiaodong Song, Sergey Berezin, Adrian Perrig, Athena: a novel approach to efficient automatic security protocol analysis Journal of Computer Security. ,vol. 9, pp. 47- 74 ,(2001) , 10.3233/JCS-2001-91-203
Alessandro Armando, Luca Compagna, SATMC: A SAT-based model checker for security protocols european conference on logics in artificial intelligence. pp. 730- 733 ,(2004) , 10.1007/978-3-540-30227-8_68
Formal to Practical Security Lecture Notes in Computer Science. ,vol. 5458, pp. 200- ,(2009) , 10.1007/978-3-642-02002-5
Martín Abadi, Cédric Fournet, Mobile values, new names, and secure communication Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '01. ,vol. 36, pp. 104- 115 ,(2001) , 10.1145/360204.360213
Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell, Dawn Song, Towards a Formal Foundation of Web Security ieee computer security foundations symposium. pp. 290- 304 ,(2010) , 10.1109/CSF.2010.27
Apurva Kumar, Using automated model analysis for reasoning about security of web protocols Proceedings of the 28th Annual Computer Security Applications Conference on - ACSAC '12. pp. 289- 298 ,(2012) , 10.1145/2420950.2420993