
Tamarin-prover

Tamarin-prover. Năstase George-Daniel. Purpose. Tamarin prover is an automated security protocol verification tool; it is used to show the vulnerabilities of a protocol. It is also used for its advanced analysis and cutting-edge features. Installation.


Presentation Transcript


  1. Tamarin-prover Năstase George-Daniel

  2. Purpose • Tamarin prover is an automated security protocol verification tool; it is used to show the vulnerabilities of a protocol. It is also used for its advanced analysis and cutting-edge features.

  3. Installation • The latest version cannot be installed, and older versions have the same problem. This is because no maximum version is specified for the packages used, and the same problem lies within those packages (which in turn use other packages). This is known as “dependency hell”. • The solution is to manually specify the version for problematic packages. • cabal install text-0.11.3.1 attoparsec-0.10.4.0 blaze-builder-0.3.1.0 blaze-markup-0.5.1.4 blaze-html-0.5.1.3 conduit-0.5.6 attoparsec-conduit-0.5.0.3 blaze-builder-conduit-0.5.0.3 cookie-0.4.0.1 tagged-0.2.3.1 cereal-0.3.5.2 cprng-aes-0.3.4 clientsession-0.8.1 crypto-conduit-0.4.3 unix-time-0.1.2 fast-logger-0.3.1 hashable-1.2.0.5 case-insensitive-0.4.0.4 http-date-0.0.4 http-types-0.7.3.0.1 mime-types-0.1.0.3 monad-logger-0.2.3.2 mtl-2.0.1.0 parsec-3.1.3 network-2.4.1.0 network-conduit-0.6.2.2 path-pieces-0.1.2 shakespeare-1.0.3 hamlet-1.1.6 shakespeare-css-1.0.2 shakespeare-i18n-1.0.0.2 simple-sendfile-0.2.10 system-filepath-0.4.7 system-fileio-0.3.11 tamarin-prover-utils-0.8.4.0 threads-0.5.0.1 unordered-containers-0.2.3.0 aeson-0.6.1.0 shakespeare-js-1.1.2 uniplate-1.6.10 derive-2.5.11 tamarin-prover-term-0.8.4.0 tamarin-prover-theory-0.8.4.0 vault-0.2.0.4 wai-1.3.0.2 cryptohash-0.7.8 wai-app-static-1.3.1 wai-logger-0.3.0 warp-1.3.7.2 yesod-routes-1.1.2 zlib-bindings-0.1.1.3 zlib-conduit-0.5.0.3 wai-extra-1.3.2.1 yesod-core-1.1.8 yesod-json-1.1.2 yesod-static-1.1.2 tamarin-prover-0.8.4.0 -f -no-gui

  4. Step by step installation • sudo apt-get install maude graphviz zlib1g-dev • sudo apt-get install ghc cabal-install • sudo cabal update • sudo cabal install alex happy • export PATH=$PATH:/root/.cabal/bin • sudo cabal install (see previous slide)

  5. Comparison

  6. Comparison (continued)

  7. Pros/Cons • Protocols that need to keep the status of transactions must maintain a global, non-monotonic state, e.g., in the form of a database or register. Most existing automated verification tools do not support the analysis of such stateful security protocols. Tamarin prover, however, allows specifying protocols as multiset rewrite (msr) rules, a formalism expressive enough to encode state. • As multiset rewriting is a "low-level" specification language with no direct support for concurrent message passing, encoding protocols correctly is a difficult and error-prone process.

  8. About • In TAMARIN, the execution of a security protocol in the context of an adversary is modeled as a labeled transition system whose state consists of the adversary’s knowledge, the messages on the network, information about freshly generated values, and the protocol’s state. • The adversary and the protocol interact by updating network messages and freshness information.

  9. About • The prover models a security protocol interacting with a Dolev-Yao style intruder. • The state of the protocol and the intruder is modeled as a multiset. • The protocol itself is modeled as a set of rewriting rules on the multiset. • Written in Haskell. • Dynamic web interface (interactive GUI). • 29% of the source code lines are comments.

  10. Dolev-Yao model • The Dolev-Yao model is a formal model for proving properties of security protocols. • The attacker in the model is allowed to overhear messages, intercept them, and forge new ones. • The only limitations are cryptographic constraints: cryptography is assumed to be perfect. For example, the attacker cannot recover the plaintext of an encrypted message without the corresponding key.
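The attacker's capabilities from slide 10 can be written as a small deduction procedure. The following is an added example, not part of the presentation or of Tamarin; the term encoding, the function names and the overheard messages are assumptions made for illustration, and keys are only usable when they appear in the analyzed knowledge.

```python
# Added illustration of Dolev-Yao deduction; the term encoding is an assumption:
# atoms are strings, ("pair", a, b) is a tuple, ("enc", m, k) is m encrypted under k.

def analyze(observed):
    """Close the observed terms under projection and decryption with known keys."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and t[2] in known:
                parts = {t[1]}        # key is known, so the plaintext is too
            else:
                parts = set()         # perfect cryptography: no key, no plaintext
            if not parts <= known:
                known |= parts
                changed = True
    return known

def can_derive(term, observed):
    """True if the adversary can read or forge `term` from what was overheard."""
    known = analyze(observed)
    def synth(t):
        if t in known:
            return True
        # Build a pair or ciphertext from derivable components.
        return isinstance(t, tuple) and synth(t[1]) and synth(t[2])
    return synth(term)

# Constructed messages overheard on the network (not from the slides).
OBSERVED = {
    ("enc", "secret", "k1"),   # payload under session key k1
    ("enc", "k1", "k0"),       # k1 wrapped under key k0
    ("pair", "nonce", "k0"),   # k0 sent in the clear next to a nonce
    ("enc", "other", "k2"),    # k2 never appears in the clear
}
```

Here `secret` is derivable because the key chain k0, k1 unravels, while `other` stays protected because k2 is never exposed.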

  11. State of the protocol and the intruder • The state of the protocol and the intruder is modeled as a multiset. • A multiset is a generalized set in which members can appear more than once. The state multiset contains so-called facts. • A fact is, in simplified terms, either a ground message or a message derived from a ground message. • A ground message could for example be a fixed string, with the encryption of that string being a derived message. • A fact can also be protocol specific. For example, a protocol model could introduce a new fact for keeping track of session keys.

  12. Protocol • The protocol itself is modeled as a set of rewriting rules on the multiset. • Rules with no prerequisites can always be applied; rules with prerequisites can only be applied if all the required facts are in the multiset. • Application of a rule can rewrite its prerequisite or introduce new facts into the multiset. A set of multiple such rules is called a multiset rewriting system.

  13. Example protocol Role R contains two steps. (diagram above) This ensures that the second step can only be executed after the first one. It also allows keeping track of state for the execution of each role.

  14. Axioms and Lemmas • Axioms specify restrictions on the set of traces considered, i.e., they filter the set of traces of a protocol. • Lemmas specify security properties that have to be proven. By default, the given formula is interpreted as a property that must hold for all traces of the protocol of the security protocol theory.
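Slides 11 to 14 can be tied together in a toy multiset rewriting system with a two-step role, an axiom that filters traces and lemmas checked over all remaining traces. This is an added example written in Python, not Tamarin input and not code from the presentation; the rule names, the facts (Fr, St_R_1, Out, In, Done), the Net rule standing in for the network, and the search depth are all assumptions made for illustration.

```python
from collections import Counter

def rules(tid):
    """Ground rewrite rules of a constructed role R for thread `tid`:
    (action label, premises consumed, conclusions added)."""
    hello, ack = ("hello", tid), ("ack", tid)
    return [
        (("Start", tid), [], [("Fr", tid)]),              # no premises
        (("R_1", tid), [("Fr", tid)], [("St_R_1", tid), ("Out", hello)]),
        (("Net", tid), [("Out", hello)], [("In", ack)]),  # network replies
        (("R_2", tid), [("St_R_1", tid), ("In", ack)], [("Done", tid)]),
    ]

def traces(all_rules, depth, state=None, trace=()):
    """Yield every action trace of length <= depth from the empty multiset."""
    state = Counter() if state is None else state
    yield trace
    if len(trace) == depth:
        return
    for action, pre, post in all_rules:
        need = Counter(pre)
        if all(state[fact] >= n for fact, n in need.items()):  # premises present
            rewritten = state - need + Counter(post)
            yield from traces(all_rules, depth, rewritten, trace + (action,))

def at_most_once(name):
    """Trace predicate: no thread performs the action `name` twice."""
    def check(trace):
        hits = [a for a in trace if a[0] == name]
        return len(hits) == len(set(hits))
    return check

def r2_after_r1(trace):
    """Lemma: every R_2 step of a thread is preceded by that thread's R_1 step."""
    return all(("R_1", tid) in trace[:i]
               for i, (name, tid) in enumerate(trace) if name == "R_2")

def holds(lemma, all_traces, axiom=lambda t: True):
    """A lemma holds if it is true on every trace the axiom does not filter out."""
    return all(lemma(t) for t in all_traces if axiom(t))

TRACES = list(traces(rules(1) + rules(2), depth=5))
unique_start = at_most_once("Start")   # axiom: a thread starts only once
r1_once = at_most_once("R_1")          # lemma that needs the axiom
```

The state fact `St_R_1` is what forces the ordering lemma to hold on every trace, while `r1_once` only holds once the `unique_start` axiom removes traces in which the premise-free Start rule fires twice for the same thread.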

  15. Built-in special rules and functions • The “Fresh” rule – generates a new random number that is guaranteed to be unique (the random number generator is assumed to be perfect). • The “Knows” rule – is used to denote values which are known to the intruder (for example Knows(k) denotes that the intruder has knowledge of k). • “diffie-hellman” needs to be enabled to parse terms containing exponentiations, e.g., g ^ x. • etc.

  16. Heuristics and Non-Termination • The problems tackled by the Tamarin prover are undecidable in general. Thus there will always be protocols satisfying properties that cannot be proven using the constraint-reduction rules implemented in the Tamarin prover. However, sometimes a proof exists, but the heuristic employed by the Tamarin prover does not select the right goals to solve. In this case you have two options: • construct your proof interactively in the GUI • try to twiddle with the '--heuristic' flag.

  17. Real-world example Needham-Schroeder Public-Key (NS-PK) protocol
