Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/ 2nd International Workshop on Foundations for Secure/Survivable Systems and Networks Tokyo, October 27th, 2001 Type flaws Example W Outline or ki np ro gr es s • Type-confusion attacks Positions Contribution MSR 2.0 Example Typing DAS • Type-Flaw Attacks in MSR Execution Intruder Type flaws Simulation DY Intruder Big steps • Simulation with Dolev-Yao Intruder Type flaws Expressing Type-Flaw Attacks in a Strongly Typed Language 2 Type-Flaw Attacks • Functionalities seen as “types” Type flaws Example Positions Contribution MSR 2.0 Simulation Names Nonces Keys, … • Violation Principal misinterprets data • Type flaw/confusion attack Intruder manipulates message Principal led to misuse data Expressing Type-Flaw Attacks in a Strongly Typed Language 3 A → B: {A, nA}kB Example: NSL B → A: {nA, nB, B}kA A → B: {nB}kB [Millen] I A {A, I}kB Type flaws Example Positions Contribution MSR 2.0 Simulation B {I, nB,B}kA {I, nB, B}kA Confusion 1: name/nonce Confusion 2: pair/nonce {nB,B, nA, A}kI {nB}kB B is fooled! “Unlikely type violation” Expressing Type-Flaw Attacks in a Strongly Typed Language 4 Advocates Type-flaw attacks are serious threats Type flaws Example Positions Contribution MSR 2.0 Simulation • Push type-free specifications Catch all “normal” attacks … and type-confusion attacks too Types are not real! Expressing Type-Flaw Attacks in a Strongly Typed Language 5 Opponents Most type-flaw attacks are unrealistic Type flaws Example Positions Contribution MSR 2.0 Simulation • Push typed specification languages Catch “real” attacks Types guide search fast Type-flaw attacks too low-level anyway Expressing Type-Flaw Attacks in a Strongly Typed Language 6 Prog. Languages vs. Security • Types in Type flaws programming languages Example Positions Contribution MSR 2.0 Simulation Whole Wild Interesting World Exciting World • Types in security Symbolic Ugh! Tolerated World World Expressing Type-Flaw Attacks in a Strongly Typed Language Desired World 7 … in Reality Type discriminants Type flaws Example Positions Contribution MSR 2.0 Simulation Data length Redundancy Explicit checks • Resolve many situations … • … but not all “I so far found only one realistic type-flaw attack” Expressing Type-Flaw Attacks in a Strongly Typed Language [Meadows] 8 Contribution • Reconcile Type flaws Example Positions Contribution MSR 2.0 Simulation Typed languages Type violations • User specifies confusable types Flexible Abstract • Support efficient simulation Expressing Type-Flaw Attacks in a Strongly Typed Language 9 MSR • Follows the Dolev-Yao abstraction • Based on Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation Multiset rewriting, linear logic, type theory • Used to prove Undecidability of protocol verification Completeness of Dolev-Yao intruder • Related to strands CIL spi-calculus, … Expressing Type-Flaw Attacks in a Strongly Typed Language 10 What’s in MSR 2.0 ? • Multiset rewriting with existentials Type flaws MSR 2.0 Example • Dependent types w/ subsorting Ne w Typing DAS Execution Intruder • Memory predicates Ne w Type flaws Simulation • Constraints Ne w Expressing Type-Flaw Attacks in a Strongly Typed Language 11 The Dolev-Yao Model of Security • Symbolic data No bits Type flaws MSR 2.0 Example Typing 01001011010… ka • Black-box cryptography No guessing of keys DAS Execution Intruder Type flaws Simulation • Partially abstract data access Knowledge soup a kb ka s Found in most protocol analysis tools • Tractability Expressing Type-Flaw Attacks in a Strongly Typed Language 12 Role state pred. var. declarations Roles • Generic Type flaws roles MSR 2.0 Typing Execution Intruder Type flaws Simulation ∀x:τ. lhs ∀x:τ. lhs … Example DAS ∃L: τ’1 … (x1) x … x τ’n (xn) → ∃y:τ’. rhs → ∃y:τ’. rhs … ∀A … Role owner • Anchored roles A ∃L: τ’1(x1) x … x τ’n(xn) … ∀x:τ. lhs → ∃y:τ’. rhs ∀x:τ. lhs → ∃y:τ’. rhs … … Expressing Type-Flaw Attacks in a Strongly Typed Language … 13 Rules Type flaws MSR 2.0 ∀x1: τ1. … ∀xn: τn. lhs → ∃y1: τ’1. … ∃yn’: τ’n’. rhs Example Typing DAS Execution Intruder Type flaws Simulation • N(t) Network • L(t, …, t) Local state • MA(t, …, t) Memory •χ Constraints • N(t) Network • L(t, …, t) Local state • MA(t, …, t) Memory Expressing Type-Flaw Attacks in a Strongly Typed Language 14 A → B: {A, nA}kB NSL Initiator B → A: {nA, nB, B}kA A → B: {nB}kB ∀A ∃L: princ x princ(B) x pubK B x nonce. Type flaws MSR 2.0 Example Typing DAS ∀B: princ ∀kB: pubK B • → L(A,B,kB,nA) ∃nA:nonce. N({A, nA}kB) Execution Intruder Type flaws Simulation ∀… ∀kA: pubK A ∀ k’A: privK kA ∀nA,nB: nonce L(A,B,kB,nA) N({nA,nB,B}kA) → Expressing Type-Flaw Attacks in a Strongly Typed Language N({nB}kB) 15 A → B: {A, nA}kB NSL Responder B → A: {nA, nB, B}kA A → B: {nB}kB ∃L: princ(B) x pubK B(kB) x privK kB x nonce. ∀B Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation ∀kB: pubK B ∀k’B: privK kB ∀A: princ ∀nA: nonce ∀kA: pubK A ∀… ∀nB: nonce N({A,nA}kB) → ∃nB:nonce. L(B,kB,k’B,nB) N({nB}kB) → Expressing Type-Flaw Attacks in a Strongly Typed Language L(B,kB,k’B,nB) N({nA,nB ,B}kA) • 16 Types of Terms Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation • A: princ • n: nonce • k: shK A B • k: pubK A • k’: privK k Types can depend on term • Captures relations between objects • … (definable) Expressing Type-Flaw Attacks in a Strongly Typed Language 17 Subtyping princ :: msg nonce :: msg pubK A :: msg Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation • Allows atomic terms in messages • Definable Non-transmittable terms Sub-hierarchies Expressing Type-Flaw Attacks in a Strongly Typed Language 18 Type Checking t has type τ in Γ Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation Ne w Σ |— P Γ |— t : τ • Catches: P is welltyped in Σ Encryption with a nonce Transmission of a long term key Circular key hierarchies, … • Static and dynamic uses • Decidable Expressing Type-Flaw Attacks in a Strongly Typed Language 20 Data Access Specification MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation • Catches w Σ ‖— P r is DAS-valid for A in Γ Type flaws Ne Γ ‖—A r A signing/encrypting with B’s key A accessing B’s private data, … P is DASvalid in Σ • Static & Decidable • Gives meaning to Dolev-Yao intruder Completeness Reconstructibility Expressing Type-Flaw Attacks in a Strongly Typed Language 21 Configurations Active role set C = [S]RΣ Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation State •N(t) •Ll(t, …, t) •MA(t, …, t) Signature •a:τ • Ll : τ • M_: τ Expressing Type-Flaw Attacks in a Strongly Typed Language 22 Execution Model Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation 1-step firing P C → C’ • Activate roles • Generates new role state pred. names • Instantiate variables • Apply rules • Skips rules Expressing Type-Flaw Attacks in a Strongly Typed Language 23 Variable Instantiation Type flaws MSR 2.0 Example Typing DAS Σ |— t : τ A R (∀x:τ.r,ρ) [S] Σ → A R ([t/x]r,ρ) [S] Σ Execution Intruder Type flaws Simulation Type checking guarantees proper usage Expressing Type-Flaw Attacks in a Strongly Typed Language 24 Rule Application r = F, Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation χ → ∃n:τ. G(n) • Constraint check Σ |= χ (constraint handler) • Firing A [S1]R(r,ρ) Σ → S, F A Rρ [S2] Σ, c:τ c not in S1 S, G(c) Expressing Type-Flaw Attacks in a Strongly Typed Language 25 Execution with an Attacker P, PI C → C’ Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation • Selected principal(s): I • Generic capabilities: PI Well-typed DAS-valid • Modeled completely within MSR Expressing Type-Flaw Attacks in a Strongly Typed Language 26 Expressing Type Violations ? • Impossible ! Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Σ |— t : τ A R (∀x:τ.r,ρ) [S] Σ → A R ([t/x]r,ρ) [S] Σ Simulation Typing forces principal to play by the rules Expressing Type-Flaw Attacks in a Strongly Typed Language 27 Expressing Type Violations ! Distinguish Type flaws MSR 2.0 Static type-checking Dynamic type-checking Example Typing How things should be on paper How things are in realty DAS Execution Intruder Type flaws Simulation |— Σ |— D: τ D t A R (∀x:τ.r,ρ) [S] Σ → A R ([t/x]r,ρ) [S] Σ Expressing Type-Flaw Attacks in a Strongly Typed Language 28 Subtyping Revisited Γ, a:τ, Γ’ |— a : τ • Most rules have Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation a rigid format • Subtyping provides hook τ’ :: τ Γ |— t : τ’ Γ |— t : τ Extend subtyping with confusable types Expressing Type-Flaw Attacks in a Strongly Typed Language 29 {A, I}kB A First Solution {I, nB,B}kA {I, nB, B}kA {nB,B, nA, A}kI Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation princ :: msg nonce :: msg pubK A :: msg static princ msg dynamic extension :: nonce :: nonce • Works … • … but very raw not every msg mistaken as a nonce unwanted recursion Expressing Type-Flaw Attacks in a Strongly Typed Language 30 Towards a Polymorphic MSR Type flaws MSR 2.0 princ :: nonce :: pubK A :: pair α β :: msg msg msg msg nonce+ princ nonce pair princ nonce :: :: :: :: msg nonce+ nonce+ nonce+ Example Typing DAS Execution Intruder pair : type -> type -> type. _,_ : α -> β -> pair α β. Type flaws Simulation Fine grained Captures what we want Recursion is up to us Expressing Type-Flaw Attacks in a Strongly Typed Language Confusable nonces 31 Summary • Type violation (attacks) expressible in MSR Type flaws MSR 2.0 Example Typing DAS Execution Intruder Type flaws Simulation • Simple • Flexible You decide confusable types Shades of gray in black/white positions Types are good Expressing Type-Flaw Attacks in a Strongly Typed Language 32 Simulation • No attacker Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws Prototype • With attacker Verification Model checking Theorem proving Process equivalence Expressing Type-Flaw Attacks in a Strongly Typed Language 33 The Dolev-Yao Intruder Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data Found in most protocol analysis tools Modeled completely within MSR Generated automatically (mostly) Expressing Type-Flaw Attacks in a Strongly Typed Language 34 Intruder Simulation Approaches • Take protocol text into account? Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws Blind / Focused • Size of intruder steps Small / Big • Intruder representation Explicit / Implicit Expressing Type-Flaw Attacks in a Strongly Typed Language 35 Type flaws MSR 2.0 Simulation focused Graphically… Paulson spi CAPSL ? Casper ? NPA blind DY Intruder Big steps Type flaws MSR Strands MSR, … small big Expressing Type-Flaw Attacks in a Strongly Typed Language Good for proving theorems 36 Intruder Activity Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws No need to remember No need to construct Expressing Type-Flaw Attacks in a Strongly Typed Language 37 Intruder Activity Comparison Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws Disassembly • Blind Take pieces apart until Atomic Key unavailable • Focused Anticipate message contents Memorize only what is needed Assembly • Blind Put pieces together until meaningful message is built • Focused Build only usable messages Expressing Type-Flaw Attacks in a Strongly Typed Language 38 Big-Step Message Disassembly • Take typing derivation of Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws (incoming) messages • Encryption defines regions • 1 role for each message 1 rule for each region Interface rule Expressing Type-Flaw Attacks in a Strongly Typed Language Γ |— t : τ 39 A → B: {A, nA}kB NSL – 1st Message B → A: {nA, nB, B}kA A → B: {nB}kB I ∃L: princ x msg. Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws ∀m: msg N(m) ∀ A: princ ∀kB: pubK B ∀k’B: privK kB ∀nA: nonce L(I, {A, nA}kB) MI({A, nA}kB) MI(k’B) → → L(I,m) MI(m) MI(A) MI(nA) MI(k’B) • MI(m) “forgotten” as soon as k’B is known • Special case if k’B known right away Expressing Type-Flaw Attacks in a Strongly Typed Language 40 Big-Step Message Assembly • Take typing derivation of Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws (outgoing) messages • Encryption defines regions • 1 role for each region • Extras for generated data Expressing Type-Flaw Attacks in a Strongly Typed Language Γ |— t : τ 41 A → B: {A, nA}kB NSL – 1st Message ∀m: msg Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws ∀A,B: princ ∀kB: pubK B ∀nA: nonce ∀A,B: princ ∀kB: pubK B MI(m) MI(A) MI(nA) MI(kB) MI(A) MI(kB) → → → B → A: {nA, nB, B}kA A → B: {nB}kB N(m) I N({A, nA}kB) MI(A),MI(nA),MI(kB) ∃nA:nonce. N({A, nA}kB) MI(A),MI(nA),MI(kB) I I What about confusable types ? Expressing Type-Flaw Attacks in a Strongly Typed Language 42 Creating Confusion • Mark confusable objects • Add rules for each option Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws I ∃L: princ x nonce+. L(I, (C,n)) ∀C: princ ∀n: nonce MI(C) MI(n) → ∀n: nonce MI(n) → L(I, n), MI(n) ∀C: princ MI(C) → L(I, C), MI(C) ∀A,B: princ ∀kB: pubK B ∀n: nonce+ L(I,n) MI(A) MI(kB) → MI(C),MI(n) + similar rule with ∃n:nonce N({A, n}kB) MI(A),MI(kB) Expressing Type-Flaw Attacks in a Strongly Typed Language 43 Making Sense of Confusion ∃L’: princ x nonce+. ∃L: princ x msg. Type flaws MSR 2.0 Simulation DY Intruder Big steps I L(I,m) ∀m: msg N(m) ∀ A: princ ∀kB: pubK B ∀k’B: privK kB ∀nA: nonce+ L(I, {A, nA}kB) MI({A, nA}kB) MI(k’B) → MI(A) L'(I,nA) MI(k’B) ∀n: nonce L'(I,n) → MI(n) ∀A: princ L'(I,A) → MI(A) → MI(A) MI(n) Type flaws ∀A: princ ∀n: nonce L'(I,(A,n)) → Expressing Type-Flaw Attacks in a Strongly Typed Language MI(m) 44 Further Optimizations • Fold added rules in (unless confusion type is recursive) Type flaws MSR 2.0 Simulation DY Intruder Big steps Type flaws Type-check in static type system Bigger steps • Simplify result using DAS rules More compact Formalizes “regions” Automation Expressing Type-Flaw Attacks in a Strongly Typed Language 45 Future Work • Polymorphic MSR Type flaws MSR 2.0 Simulation • Strategies Expressing Type-Flaw Attacks in a Strongly Typed Language 46