Verifying C Cryptographic Protocol Implementations by Symbolic Execution

Many applications rely on complex cryptographic protocols for communicating over the insecure Internet (e.g., online banking, electronic commerce, social networks, etc). The C programming language is largely used in writing cryptographic software. Both the design of protocols and their C implementation are error prone. Recent years have seen a real progress in the formal verification of cryptographic protocols as illustrated by the development of several tools both in the symbolic model (Proverif [Bla01], AVISPA [ABB05], Hermes [BEJ05]) and in the computational model (CryptoVerif [Bla08], CertiCrypt [BGZB09], EasyCrypt [BGHB11]). There remains however a large gap between what we verify (the protocol usually described in a process algebra, as pi calculus for example) and what we rely on (the implementation which is usually done in a «real» language, like C). The need to verify the code is now well recognized, but only a few recent works try to propose solutions. One of the first attempts at cryptographic verification of C code is the CSur ([GLP05]): one extracts from a C program a set of Horn clauses that are then solved using a theorem prover. Some limits of this approach: 1) it can be used to prove secrecy, but it is not clear how one can apply the tool to handle authentication properties (the order of instructions is completely ignored); 2) the results that are obtained are sound only in the symbolic (Dolev-Yao) model of cryptography. A second line of research, based on symbolic execution ([Kin76]), is that of [CM11], [CM12]: [CM11] extends the KLEE test-generation tool ([CDE08]) by treating certain concrete functions, like cryptographic primitives, as symbolic functions, that is, their execution is avoided, and their behaviour is modelled via rewriting rules. However, their work does not extend the class of properties supported by KLEE, in particular they do not take into account how the inputs provided by an adversary depend on the knowledge learnt by the same adversary. [CM12] extends the previous work with a tainting mechanism that tracks information flows of data, but this work suffers from several limitations: