Content archived on 2024-05-30

Practical design and analysis of certifiably secure protocols - theory and tools for end-to-end security

Final Report Summary - END2ENDSECURITY (Practical design and analysis of certifiably secure protocols - theory and tools for end-to-end security)

Currently deployed information systems are under constant attack and are struggling to keep pace with the variety of possible security vulnerabilities. Though some are emerging, there are still only a few suitable guidelines or automated tools for the design or the analysis of security properties. The lack of a consistent methodology and tools for analyzing security protocols throughout the various stages of their design not only hinders the early detection, and therefore prevention, of security vulnerabilities but also complicates a subsequent comprehensive analysis of these protocols. Moreover, even state-of-the-art verification techniques and tools address only particular narrow aspects of a protocol's security, and they require expert knowledge; thus these tools are not suitable for typical protocol designers.

In the course of this END2ENDSecurity project, we developed general methodologies and tools for guaranteeing end-to-end security - from a high-level specification of the desired security requirements for a given task, to a specification of a security protocol that relies on innovative cryptography, to a secure program.

We have contributed to many of the key challenges that we laid out in the research agenda. A selection includes: frameworks for secure protocol design (NDSS'11, PODC'11, WWW'12, NFM'12), a framework against traffic side-channels (NDSS'13), detection and mitigation of novel side-channel attacks (USENIX'10, DPM'13), dynamic verification techniques for mobile devices (TACAS'13, DPM'13, ESSoS'13), the analysis and construction of cryptographic protocols (ESORICS'10, PODC'10, PETS'10, ASIACRYPT'11, CSF'12, WPES'12, S&P'12, CT-RSA'13, ESORICS'13, CCS'13, WPES'13), in particular the construction underlying SHA-3 (CSF'12), formalization of security properties and automated verification (CPP'11, S&P'12, CSF'13, Special issue JCS for TOSCA-SecCo'13), verification of executable programs (CCS'10), and computational soundness (FSTTCS'10, Journal of Information Security 10(2), Journal of Computer Security 18(6), CCS'12, POST'13, POST'14). All these results were published in the leading conferences and journals of these research fields. For the sake of brevity and due to space constraints, we omit detailed references but highlight three major results: (a) AppGuard, dynamic verification for apps on mobile devices (TACAS'13, DPM'13, ESSoS'13), (b) ObliviAd, a privacy-friendly online behavioral advertisement (OBA) system (S&P'12), and (c) the verification of SHA-3 candidates (CSF'12).

AppGuard (a): The Android permission system turned out to be inadequate to protect the user against security and privacy threats. AppGuard allows the user to enforce fine-grained security and privacy policies on third-party apps using inline reference monitoring. The policies enforced by AppGuard restrict the reach of vulnerabilities both in third-party applications and in the operating system. Our technique exhibits very little space and runtime overhead. AppGuard is publicly available, has been invited to the Samsung Apps market, and has had more than 500,000 downloads so far.

ObliviAd (b): Online behavioral advertising (OBA) involves the tracking of web users' online activities in order to deliver tailored advertisements. ObliviAd constitutes a practical and provably secure architecture for privacy-friendly OBA. The distinguishing features of our approach are the use of secure hardware-based private information retrieval for distributing advertisements and high-latency mixing of electronic tokens for billing advertisers without disclosing any information about client profiles to brokers. ObliviAd does not assume any trusted party and provides brokers with an economical alternative that preserves the privacy of users without hampering the precision of advertisement selection.

Verifying SHA-3 (c): Cryptographic hash functions provide a basic data authentication mechanism and are used pervasively as building blocks to realize many cryptographic functionalities. We presented the first machine-checked and independently verifiable proofs for the foundational properties of SHA-3 and many other hash functions: the collision-resistance and indifferentiability of Merkle-Damgaard. Our proofs are built and verified using an extension of the EasyCrypt framework, which relies on state-of-the-art verification tools such as automated theorem provers, SMT solvers, and interactive proof assistants.
