TY - GEN
T1 - Layered Symbolic Security Analysis in DY*
AU - Bhargavan, Karthikeyan
AU - Bichhawat, Abhishek
AU - Hosseyni, Pedram
AU - Küsters, Ralf
AU - Pruiksma, Klaas
AU - Schmitz, Guido
AU - Waldmann, Clara
AU - Würtele, Tim
PY - 2024/1/12
Y1 - 2024/1/12
N2 - While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer be- low it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY⋆ protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F⋆ modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY⋆ with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
AB - While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer be- low it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY⋆ protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F⋆ modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY⋆ with a new methodology that allows analysts to modularly analyze each layer in a way that compose to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
U2 - 10.1007/978-3-031-51479-1_1
DO - 10.1007/978-3-031-51479-1_1
M3 - Conference contribution
SN - 978-3-031-51478-4
T3 - Lecture Notes in Computer Science
SP - 3
EP - 21
BT - 28th European Symposium on Research in Computer Security (ESORICS 2023)
ER -