Publication


Featured research published by Mohammad Torabi Dashti.


tools and algorithms for construction and analysis of systems | 2012

The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures

Alessandro Armando; Wihem Arsac; Tigran Avanesov; Michele Barletta; Alberto Calvi; Alessandro Cappai; Roberto Carbone; Yannick Chevalier; Luca Compagna; Jorge Cuellar; Gabriel Erzse; Simone Frau; Marius Minea; Sebastian Mödersheim; David von Oheimb; Giancarlo Pellegrino; Serena Elisa Ponta; Marco Rocchetto; Michaël Rusinowitch; Mohammad Torabi Dashti; Mathieu Turuani; Luca Viganò

The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backends (CL-AtSe, OFMC, and SATMC), which provide a range of complementary automated reasoning techniques (including service orchestration, compositional reasoning, model checking, and abstract interpretation). We have applied the platform to a large number of industrial case studies, collected into the AVANTSSAR Library of validated problem cases. In doing so, we unveiled a number of problems and vulnerabilities in deployed services. These include, most notably, a serious flaw in the SAML-based Single Sign-On for Google Apps (now corrected by Google as a result of our findings). We also report on the migration of the platform to industry.


trustworthy global computing | 2006

A framework for automatically checking anonymity with µCRL

Tom Chothia; Simona Orzan; Jun Pang; Mohammad Torabi Dashti

We present a powerful and flexible method for automatically checking anonymity in a possibilistic general-purpose process algebraic verification toolset. We propose new definitions of a choice anonymity degree and a player anonymity degree, to quantify the precision with which an intruder is able to single out the true originator of a given event or to associate the right event to a given protocol participant. We show how these measures of anonymity can be automatically calculated from a protocol specification in µCRL, by using a combination of dedicated tools and existing state-of-the-art µCRL tools. To illustrate the flexibility of our method we test the Dining Cryptographers problem and the FOO 92 voting protocol. Our definitions of anonymity provide an accurate picture of the different ways that anonymity can break down, due for instance to coalitions of inside intruders. Our calculations can be performed on a cluster of machines, allowing us to check protocols for large numbers of participants.


automation of software test | 2012

SecFuzz: fuzz-testing security protocols

Petar Tsankov; Mohammad Torabi Dashti; David A. Basin

We propose a light-weight, yet effective, technique for fuzz-testing security protocols. Our technique is modular, it exercises (stateful) protocol implementations in depth, and handles encrypted traffic. We use a concrete implementation of the protocol to generate valid inputs, and mutate the inputs using a set of fuzz operators. A dynamic memory analysis tool monitors the execution as an oracle to detect the vulnerabilities exposed by fuzz-testing. We provide the fuzzer with the necessary keys and cryptographic algorithms in order to properly mutate encrypted messages. We present a case study on two widely used, mature implementations of the Internet Key Exchange (IKE) protocol and report on two new vulnerabilities discovered by our fuzz-testing tool. We also compare the effectiveness of our technique to two existing model-based fuzz-testing tools for IKE.


formal methods | 2006

An intruder model for verifying liveness in security protocols

Jan Cederquist; Mohammad Torabi Dashti

We present a process algebraic intruder model for verifying a class of liveness properties of security protocols. For this class, the proposed intruder model is proved to be equivalent to a Dolev-Yao intruder that does not delay indefinitely the delivery of messages. In order to prove the equivalence, we formalize the resilient communication channels assumption. As an application of the proposed intruder model, formal verification of fair exchange protocols is discussed.


trust security and privacy in computing and communications | 2011

A Privacy-Friendly RFID Protocol Using Reusable Anonymous Tickets

Mahdi Asadpour; Mohammad Torabi Dashti

A majority of the existing privacy-friendly RFID protocols use the output of a cryptographic hash function in place of real identity of an RFID tag to ensure anonymity and untraceability. In order to provide unique identification for the tags, these protocols assume that the hash functions are collision resistant. We show that, under this assumption on the hash functions, a substantial number of the existing protocols suffer from a traceability problem that causes differentiating a tag from another. We propose a scalable privacy-friendly RFID protocol and describe its design and implementation issues. Our protocol substitutes the hash functions used for identification with anonymous tickets, thus avoiding the aforementioned traceability problem. The anonymous tickets are reusable. They nevertheless identify the tags uniquely, at any given point in time. The query and search algorithm of our proposed protocol is of O(1) time complexity, and it imposes small storage overhead on the back-end database. We show that the protocol is scalable, and compare its storage and computational requirements to some existing protocols. We formally prove the security requirements of our protocol, and mechanically analyze some of its requirements using the model checker OFMC.


automated technology for verification and analysis | 2007

Pruning state spaces with extended beam search

Mohammad Torabi Dashti; Anton Wijs

This paper focuses on using beam search, a heuristic search algorithm, for pruning state spaces while generating. The original beam search is adapted to the state space generation setting and two new search variants are devised. The resulting framework encompasses some known algorithms, such as A*. We also report on two case studies based on an implementation of beam search in µCRL.


international conference on software testing verification and validation | 2013

VERA: A Flexible Model-Based Vulnerability Testing Tool

Abian Blome; Martin Ochoa; Keqin Li; Michele Peroli; Mohammad Torabi Dashti

There exist an abundant number of tools for aiding developers and penetration testers to spot common software security vulnerabilities. However, testers are often confronted with situations where existing tools are of little help because a) they do not account for a particular configuration of the SUT and b) they do not include tests for certain vulnerabilities. To cope with this we propose a tool that allows users to define attacker models where the payloads and the behavior are cleanly separated and that abstract away from low-level implementation details such as HTTP requests.


international symposium on software testing and analysis | 2013

Semi-valid input coverage for fuzz testing

Petar Tsankov; Mohammad Torabi Dashti; David A. Basin

We define semi-valid input coverage (SVCov), the first coverage criterion for fuzz testing. Our criterion is applicable whenever the valid inputs can be defined by a finite set of constraints. SVCov measures to what extent the tests cover the domain of semi-valid inputs, where an input is semi-valid if and only if it satisfies all the constraints but one. We demonstrate SVCov's practical value in a case study on fuzz testing the Internet Key Exchange protocol (IKE). Our study shows that it is feasible to precisely define and efficiently measure SVCov. Moreover, SVCov provides essential information for improving the effectiveness of fuzz testing and enhancing fuzz-testing tools and libraries. In particular, by increasing coverage under SVCov, we have discovered a previously unknown vulnerability in a mature IKE implementation.


ieee computer security foundations symposium | 2009

Minimal Message Complexity of Asynchronous Multi-party Contract Signing

Sjouke Mauw; Saša Radomirović; Mohammad Torabi Dashti

Multi-party contract signing protocols specify how a number of signers can cooperate in achieving a fully signed contract, even in the presence of dishonest signers. This problem has been studied in different settings, yielding solutions of varying complexity. Here we assume the presence of a trusted third party that will be contacted only in case of a conflict, asynchronous communication, and a total ordering of the protocol steps. Our goal is to develop a lower bound on the number of messages in such a protocol. Using the notion of abort chaining, a specific type of attack on fairness of signing protocols, we derive the lower bound alpha^2 + 1, with alpha being the number of signers involved. We obtain the lower bound by relating the problem of developing fair signing protocols to the open combinatorial problem of finding shortest permutation sequences. This relation also indicates a way to construct signing protocols which are shorter than state-of-the-art protocols. We illustrate our approach by presenting the shortest three-party fair contract signing protocol.


principles of security and trust | 2014

Decentralized Composite Access Control

Petar Tsankov; Srdjan Marinovic; Mohammad Torabi Dashti; David A. Basin

Formal foundations for access control policies with both authority delegation and policy composition operators are partial and limited. Correctness guarantees cannot therefore be formally stated and verified for decentralized composite access control systems, such as those based on XACML 3. To address this problem we develop a formal policy language BelLog that can express both delegation and composition operators. We illustrate, through examples, how BelLog can be used to specify practical policies. Moreover, we present an analysis framework for reasoning about BelLog policies and we give decidability and complexity results for policy entailment and policy containment in BelLog.

Collaboration



Top Co-Authors

Anton Wijs

Eindhoven University of Technology

Simona Orzan

Eindhoven University of Technology

Jun Pang

University of Luxembourg
