Mobile telephony equipment is daily carried by billions of subscribers everywhere they go. Avoiding linkability of subscribers by third parties, and protecting the privacy of those subscribers is one of the goals of mobile telecommunication protocols. We use formal methods to model and analyse the security properties of 3G protocols. We expose two novel threats to the user privacy in 3G telephony systems, which make it possible to trace and identify mobile telephony subscribers, and we demonstrate the feasibility of a low cost implementation of these attacks. We propose fixes to these privacy issues, which also take into account and solve other privacy attacks known from the literature. We successfully prove that our privacy-friendly fixes satisfy the desired unlinkability and anonymity properties using the automatic verification tool ProVerif.

/pdf/new-privacy-issues-in-mobile-telephony-fix-and-verification-t5pyxr5372.pdf

New privacy issues in mobile telephony: fix and verification

JavaScript is widely used to provide client-side functionality in Web applications. To provide services ranging from maps to advertisements, Web applications may incorporate untrusted JavaScript code from third parties. The trusted portion of each application may then expose an API to untrusted code, interposing a reference monitor that mediates access to security-critical resources. However, a JavaScript reference monitor can only be effective if it cannot be circumvented through programming tricks or programming language idiosyncrasies. In order to verify complete mediation of critical resources for applications of interest, we define the semantics of a restricted version of JavaScript devised by the ECMA Standards committee for isolation purposes, and develop and test an automated tool that can soundly establish that a given API cannot be circumvented or subverted. Our tool reveals a previously-undiscovered vulnerability in the widely-examined Yahoo! AD Safe filter and verifies confinement of the repaired filter and other examples from the Object-Capability literature.

/pdf/automated-analysis-of-security-critical-javascript-apis-47vmlfulyg.pdf

Automated Analysis of Security-Critical JavaScript APIs

Research on smart meters has shown that fine-grained energy usage data poses privacy risks since it allows inferences about activities inside the home. While smart meter deployments are very limited, more than 40 million meters in the United States have been equipped with Automatic Meter Reading (AMR) technology over the past decades. AMR utilizes wireless communication for remotely collecting usage data from electricity, gas, and water meters. Yet to the best of our knowledge, AMR has so far received no attention from the security research community. In this paper, we conduct a security and privacy analysis of this technology. Based on our reverse engineering and experimentation, we find that the technology lacks basic security measures to ensure privacy, integrity, and authenticity of the data. Moreover, the AMR meters we examined continuously broadcast their energy usage data over insecure wireless links every 30s, even though these broadcasts can only be received when a truck from the utility company passes by. We show how this design allows any individual to monitor energy usage from hundreds of homes in a neighborhood with modest technical effort and how this data allows identifying unoccupied residences or people's routines. To cope with the issues, we recommend security remedies, including a solution based on defensive jamming that may be easier to deploy than upgrading the meters themselves.

/pdf/neighborhood-watch-security-and-privacy-analysis-of-4mb7mqdtyt.pdf

Neighborhood watch: security and privacy analysis of automatic meter reading systems

Model-based security testing relies on models to test whether a software system meets its security requirements. It is an active research field of high relevance for industrial applications, with many approaches and notable results published in recent years. This article provides a taxonomy for model-based security testing approaches. It comprises filter criteria i.e.i¾?model of system security, security model of the environment and explicit test selection criteria as well as evidence criteria i.e.i¾?maturity of evaluated system, evidence measures and evidence level. The taxonomy is based on a comprehensive analysis of existing classification schemes for model-based testing and security testing. To demonstrate its adequacy, 119 publications on model-based security testing are systematically extracted from the five most relevant digital libraries by three researchers and classified according to the defined filter and evidence criteria. On the basis of the classified publications, the article provides an overview of the state of the art in model-based security testing and discusses promising research directions with regard to security properties, coverage criteria and the feasibility and return on investment of model-based security testing. Copyright © 2015 John Wiley & Sons, Ltd.

https://qe-informatik.uibk.ac.at/wp-content/uploads/2014/03/Felderer_et_al-2015-Software_Testing_Verification_and_Reliability.pdf

Model-based security testing: a taxonomy and systematic classification

We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel. In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the 'million message attack' in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case. We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average 3 800 median. For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient. We demonstrate the vulnerabilities on a number of commercially available cryptographic devices, including security tokens, smartcards and the Estonian electronic ID card. The attacks are efficient enough to be practical: we give timing details for all the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack. We give mathematical analysis of the effectiveness of the attacks, extensive empirical results, and a discussion of countermeasures.

/pdf/efficient-padding-oracle-attacks-on-cryptographic-hardware-27at0eenly.pdf

Efficient Padding Oracle Attacks on Cryptographic Hardware

We show how to extract sensitive cryptographic keys from a variety of commercially available tamper resistant cryptographic security tokens, exploiting vulnerabilities in their RSA PKCS#11 based APIs. The attacks are performed by Tookan, an automated tool we have developed, which reverse-engineers the particular token in use to deduce its functionality, constructs a model of its API for a model checker, and then executes any attack trace found by the model checker directly on the token. We describe the operation of Tookan and give results of testing the tool on 17 commercially available tokens: 9 were vulnerable to attack, while the other 8 had severely restricted functionality. One of the attacks found by the model checker has not previously appeared in the literature. We show how Tookan may be used to verify patches to insecure devices, and give a secure configuration that we have implemented in a patch to a software token simulator. This is the first such configuration to appear in the literature that does not require any new cryptographic mechanisms to be added to the standard. We comment on lessons for future key management APIs.

/pdf/attacking-and-fixing-pkcs-11-security-tokens-omy7yj3qh0.pdf

Attacking and fixing PKCS#11 security tokens

We examine some known attacks on the PIN verification framework, based on weaknesses of the security API for the tamperresistant Hardware Security Modules used in the network. We specify this API in an imperative language with cryptographic primitives, and show how its flaws are captured by a notion of robustness that extends the one of Myers, Sabelfeld and Zdancewic to our cryptographic setting. We propose an improved API, give an extended type system for assuring integrity and for preserving confidentiality via randomized and nonrandomized encryptions, and show our new API to be type-checkable.

/pdf/type-based-analysis-of-pin-processing-apis-39k67gxy03.pdf

Type-based analysis of PIN processing APIs

We study noninterference in the setting of multi-threaded distributed programs in which threads share local memories and multi-threaded processes communicate over an insecure network using encryption primitives to secure messages. We extend a simple imperative language with cryptographic operations which are modelled as special expressions respecting the Dolev-Yao assumptions. Then, we adapt to our setting the notion of patterns proposed by Abadi and Rogaway for modelling the equivalence of cryptographic expressions. Based on this notion, we naturally obtain a definition of strongly secure programs corresponding to the one proposed by Sabelfeld and Sands for programs without cryptography. This is, to the best of our knowledge, the first definition of noninterference in a multi-threaded distributed setting, with insecure channels and cryptography. We prove compositionality of secure programs and we adapt the type system of Sabelfeld and Sands to our setting, proving its correctness.

/pdf/information-flow-security-of-multi-threaded-distributed-2o97sqwu7n.pdf

Information flow security of multi-threaded distributed programs

PKCS#11, is a security API for cryptographic tokens. It is known to be vulnerable to attacks which can directly extract, as cleartext, the value of sensitive keys. In particular, the API does not impose any limitation on the different roles a key can assume, and it permits to perform conflicting operations such as asking the token to wrap a key with another one and then to decrypt it. Fixes proposed in the literature, or implemented in real devices, impose policies restricting key roles and token functionalities. In this paper we define a simple imperative programming language, suitable to code PKCS#11 symmetric key management, and we develop a type-based analysis to prove that the secrecy of sensitive keys is preserved under a certain policy. We formally analyse existing fixes for PKCS#11 and we propose a new one, which is type-checkable and prevents conflicting roles by deriving different keys for different roles. We develop a prototype type-checker for a software token emulator written in C and we experiment on various working configurations.

/pdf/type-based-analysis-of-key-management-in-pkcs-11-29myufqxf4.pdf

Type-based analysis of key management in PKCS#11 cryptographic devices

PKCS#11, is a security API for cryptographic tokens. It is known to be vulnerable to attacks which can directly extract, as cleartext, the value of sensitive keys. In particular, the API does not impose any limitation on the different roles a key can assume, and it permits to perform conflicting operations such as asking the token to wrap a key with another one and then to decrypt it. Fixes proposed in the literature, or implemented in real devices, impose policies restricting key roles and token functionalities. In this paper we define a simple imperative programming language, suitable to code PKCS#11 symmetric key management, and we develop a type-based analysis to prove that the secrecy of sensitive keys is preserved under a certain policy. We formally analyse existing fixes for PKCS#11 and we propose a new one, which is type-checkable and prevents conflicting roles by deriving different keys for different roles.

/pdf/type-based-analysis-of-pkcs-11-key-management-1ipmlrzgxk.pdf

Matteo Centenaro

Papers

Attacking and fixing PKCS#11 security tokens

Type-based analysis of PIN processing APIs

Information flow security of multi-threaded distributed programs

Type-based analysis of key management in PKCS#11 cryptographic devices

Type-Based analysis of PKCS#11 key management