Model Checking Security APIs

Devices which operate on sensitive data are becoming an ever-increasing part of our lives, and we are placing a continually growing amount of trust in them. However, their ability to provide the proper level of data protection is typically only checked through analysis by hand. This method cannot be known to be complete, and as a result it can be possible to obtain data which should remain secret. It is only recently that formal methods have been applied to the analysis of such devices. We present results from the application of a model checker to the analysis of the API used by a number of security modules in Automated Teller Machine networks — IBM’s Common Cryptographic Architecture API. We show that it is capable of rediscovering all known attacks on the API, using models containing a greater set of API commands. We also analyse the set of recommendations released, in response to one of the discovered attacks, by IBM and show that, under certain assumptions, they do not prevent the attack. We use a revised set of assumptions, under which they do prevent the attack, to determine a number of our own recommendations aimed at the design and implementation of the API. Finally, we discuss various issues concerning the analysis of security APIs, based on our experiences of carrying out the work presented.