Section: New Results

Modelling

New protocol and adversary models

Participants : Jannik Dreier, Steve Kremer.

Isolated Execution Environments (IEEs), such as ARM TrustZone and Intel SGX, make it possible to execute sensitive code in isolation from malicious programs running on the same machine and from a potentially corrupted OS. A key feature of IEEs is the ability to produce reports that cryptographically bind a message to the program that produced it, typically guaranteeing that the message is the output of that program running inside an IEE. In collaboration with Jacomme (ENS Cachan) and Scerri (Univ. Bristol), Kremer presented a symbolic model for specifying and verifying applications that rely on such features. For this, they extended the SAPIC process calculus so that it can reason about reports issued at given locations. They also provide tool support by extending the SAPIC/TAMARIN toolchain, and demonstrate the applicability of their framework on several examples that rely on such IEEs: secure outsourced computation (SOC), a secure licensing protocol and a one-time password protocol. This work has been accepted for publication at EuroS&P'17 [27].
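As an added illustration (not the paper's symbolic model, and not a real SGX or TrustZone API), the following Python simulation shows what an IEE report binds and what a verifier relying on it must still check itself, using the secure outsourced computation setting mentioned above. The platform key, the programs, the message layout and the inputs are all constructed for the demo, and a MAC stands in for the hardware-keyed report signature.

```python
import hashlib
import hmac
import os

# Constructed: a secret known only to the simulated IEE. A real IEE signs
# reports with a hardware-bound key and the verifier uses the matching public
# key (or an attestation service); an HMAC stands in for that signature here.
_PLATFORM_KEY = os.urandom(32)
NONCE_LEN, DIGEST_LEN = 16, 32

def measure(code):
    """Measurement of the program source: the identity a report is bound to."""
    return hashlib.sha256(code.encode()).digest()

def iee_run(code, inp):
    """Run `code` (which must define run(inp) -> bytes) in the simulated IEE.

    Returns (message, report). The report binds the message to the measurement
    of the code that emitted it, so only a message produced by that program
    inside the IEE carries a report that verifies for that program."""
    scope = {}
    exec(code, scope)                       # stands in for isolated execution
    message = scope["run"](inp)
    report = hmac.new(_PLATFORM_KEY, measure(code) + b"\x00" + message,
                      hashlib.sha256).digest()
    return message, report

def verify_report(expected_measurement, message, report):
    """Was `message` emitted on an IEE by the program with `expected_measurement`?"""
    expected = hmac.new(_PLATFORM_KEY, expected_measurement + b"\x00" + message,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, report)

# Constructed: the outsourced computation the client expects to run. The
# program itself puts the session nonce and a digest of its input into the
# reported message: the report alone says which program produced the message,
# not for which input or which session.
HONEST_PROGRAM = '''
import hashlib
NONCE_LEN = 16
def run(inp):
    nonce, data = inp[:NONCE_LEN], inp[NONCE_LEN:]
    total = sum(data)                                  # the outsourced computation
    return nonce + hashlib.sha256(data).digest() + total.to_bytes(4, "big")
'''
# Constructed: the same program with its computation tampered by the untrusted host.
TAMPERED_PROGRAM = HONEST_PROGRAM.replace("total = sum(data)", "total = 0")

def soc_verify(nonce, data, message, report):
    """Client side: accept the result only if the report is for the honest
    program and the message is for this session's nonce and this input."""
    if not verify_report(measure(HONEST_PROGRAM), message, report):
        return None                                     # wrong program or forged report
    if message[:NONCE_LEN] != nonce:
        return None                                     # replayed from another session
    if message[NONCE_LEN:NONCE_LEN + DIGEST_LEN] != hashlib.sha256(data).digest():
        return None                                     # genuine report, different input
    return int.from_bytes(message[NONCE_LEN + DIGEST_LEN:], "big")

def outsource(host_program, data):
    """The host chooses what actually runs; the client trusts only the report."""
    nonce = os.urandom(NONCE_LEN)
    message, report = iee_run(host_program, nonce + data)
    return soc_verify(nonce, data, message, report)

def replay_attempt():
    """Corrupt host reuses a genuine (message, report) pair for a different input."""
    nonce = os.urandom(NONCE_LEN)
    message, report = iee_run(HONEST_PROGRAM, nonce + b"\x01\x02")
    return soc_verify(nonce, b"\x07\x07", message, report)

def forge_attempt():
    """Host without the platform key tries to vouch for a fabricated message."""
    message = os.urandom(NONCE_LEN) + hashlib.sha256(b"x").digest() + (99).to_bytes(4, "big")
    return verify_report(measure(HONEST_PROGRAM), message, os.urandom(32))
```

The point to take from it: the report authenticates the pair (program, message) and nothing else. Freshness and the link to a particular input are the program's job, which is why the honest program places the nonce and the input digest into the message it reports; a client that only checked the report would accept a replayed result for the wrong input. Which of these checks a given protocol actually performs is what a symbolic model of reports and locations lets one verify.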

Most security properties are modelled as safety properties (“bad things do not happen”). Another important class is that of liveness properties (“eventually, good things happen”). Reasoning about liveness properties of cryptographic protocols has received little attention in the literature, even though this class is vital in many security-sensitive applications, such as fair exchange protocols or the security layers of industrial control systems. Liveness also calls for a different adversary model: a Dolev-Yao adversary that simply drops every message violates any liveness property, so the model must constrain what the adversary may withhold indefinitely. In collaboration with Backes and Künnemann (U. Saarland, Germany), Dreier and Kremer designed a protocol and adversary model suitable for reasoning about liveness properties. Tool support is again provided by extending the SAPIC/TAMARIN toolchain, and several case studies demonstrate the effectiveness of the approach. This work has been accepted for publication at EuroS&P'17 [20].

New properties

Participants : Véronique Cortier, Jannik Dreier.

Defining security properties correctly is often a challenging problem on its own: too strict a definition may lack generality and exclude systems that should be considered secure, while too relaxed a definition may accept insecure systems.

In e-voting, verifiability is the property meant to defend against voting devices and servers that have programming errors or are outright malicious. While the first formal definitions of verifiability were devised as early as the late 1980s, new verifiability definitions are still being proposed. The definitions differ in various aspects, including the classes of protocols they capture and even their formulation of the very core of what verifiability means. This is an unsatisfying state of affairs, leaving research on the verifiability of e-voting protocols and systems in a fuzzy state. Cortier, in collaboration with Galindo (U. Birmingham, UK), Küsters, Müller (U. Trier, Germany) and Truderung (Polyas GmbH, Germany), reviewed all formal definitions of verifiability proposed in the literature and cast them in the KTV framework of Küsters, Truderung and Vogt, yielding a uniform treatment of verifiability. This enables a detailed comparison of the various definitions of verifiability from the literature and a discussion of their advantages and disadvantages, limitations and problems. Finally, a general definition of verifiability is distilled, which can be instantiated in various ways. This work has been presented at S&P'16 [26].

Industrial systems are nowadays regularly the target of cyberattacks, the most famous being Stuxnet. At the same time such systems are increasingly interconnected with other systems and with insecure media such as the Internet. In contrast to other IT systems, industrial systems require not only classical properties such as data confidentiality or authentication of the communication, but have special needs due to their interaction with the physical world. For example, reordering or deleting some of the commands sent to a machine can drive the system into an unsafe state with potentially catastrophic effects, even though every individual command is genuine. To prevent such attacks, the integrity of the message flow itself must be protected.

In joint work with Lafourcade (Université Clermont-Ferrand), Potet, and Puys (University Grenoble Alpes), Dreier developed a formal definition of Flow Integrity in the context of industrial systems. The framework is applied to two well-known industrial protocols: OPC-UA and MODBUS. Using TAMARIN, a cryptographic protocol verification tool, they identified several design flaws in some versions of these protocols. They also discuss how to efficiently model counters and timestamps in TAMARIN, as these are key ingredients of the analyzed protocols. This work is currently under submission.
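As an added example (not the formal definition from the paper, and not a real MODBUS or OPC-UA implementation), the following Python simulation contrasts per-message authentication with a command flow whose counter is bound into each tag, and shows which of the adversary's reordering and deletion moves each version detects. The shared key, the command sequence and the network adversary are constructed for the demo.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"            # constructed: pre-shared by controller and PLC
COMMANDS = [b"OPEN_VALVE", b"START_PUMP", b"STOP_PUMP", b"CLOSE_VALVE"]  # constructed flow
TAG_LEN = 8                                 # truncated tag, a simplification for the demo

def tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]

# Version 1: each command is authenticated on its own.
def send_v1(commands):
    return [c + tag(c) for c in commands]

def recv_v1(frames):
    """Accepts every frame whose tag verifies; nothing ties a frame to its place in the flow."""
    accepted = []
    for f in frames:
        cmd, t = f[:-TAG_LEN], f[-TAG_LEN:]
        if hmac.compare_digest(tag(cmd), t):
            accepted.append(cmd)
    return accepted

# Version 2: a per-session counter is authenticated together with the command.
def send_v2(commands):
    frames = []
    for i, c in enumerate(commands, start=1):
        hdr = struct.pack(">I", i)
        frames.append(hdr + c + tag(hdr + c))
    return frames

def recv_v2(frames, strict):
    """Returns (accepted commands, violation or None).

    strict=False: counter must only increase (catches replay and reordering).
    strict=True : counter must be exactly last+1 (also catches deletion, at the
                  cost of rejecting the rest of the flow after a genuine loss)."""
    accepted, last = [], 0
    for f in frames:
        hdr, cmd, t = f[:4], f[4:-TAG_LEN], f[-TAG_LEN:]
        if not hmac.compare_digest(tag(hdr + cmd), t):
            return accepted, "bad tag"
        (ctr,) = struct.unpack(">I", hdr)
        ok = ctr == last + 1 if strict else ctr > last
        if not ok:
            return accepted, "flow violation: last=%d got=%d" % (last, ctr)
        last = ctr
        accepted.append(cmd)
    return accepted, None

# Constructed network adversary: may drop or reorder frames but does not know KEY.
def drop(frames, i):
    return frames[:i] + frames[i + 1:]

def swap(frames, i, j):
    out = list(frames)
    out[i], out[j] = out[j], out[i]
    return out

if __name__ == "__main__":
    # Dropping STOP_PUMP leaves the pump running; only the strict receiver notices.
    print(recv_v1(drop(send_v1(COMMANDS), 2)))
    print(recv_v2(drop(send_v2(COMMANDS), 2), strict=False))
    print(recv_v2(drop(send_v2(COMMANDS), 2), strict=True))
```

Note the difference between the two counter policies: checking only that the counter increases catches replay and reordering but lets a deletion through, since the next genuine frame still carries a larger counter. Which policy a protocol actually mandates, and when its counters are reset, is precisely what has to be modelled to decide whether flow integrity holds; timestamps raise the same question with an acceptance window in place of a counter.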