a security protocol compiler generating c source codes

8/12/2019 A Security Protocol Compiler Generating C Source Codes

1/6

A Security Protocol Compiler Generating C Source Codes

Shinsaku Kiyomoto, Haruki Ota, and Toshiaki TanakaKDDI R&D Laboratories Inc.

2-1-15 Ohara Fujimino-shi Saitama 356-8502, Japan

[email protected]

Abstract

In this paper, we propose a security protocol com-

piler that automatically generates security protocol mod-

ules based on a security protocol definition. Our security

compiler loads a security protocol definition file that can be

defined as a high-level specification of the protocol writtenin XML and it generates a C source code from the specifica-

tion. Our security protocol compiler realizes fast C source

code generation under 30 msec from the high-level secu-

rity protocol definition. To implement the security protocol

compiler on terminals, a security protocol can be modified

or replaced easily in accordance with situations. Thus, the

terminal is able to use several services without implementa-

tion of all security protocols for the services, and a vulner-

able security protocol is can be replaced quickly.

1. Introduction

Ubiquitous is a key phrase for new generation IT ser-

vices. In a ubiquitous network, multi-network, multi-

device, and multi-services exist. Many services have been

provided over communication networks such as the Internet

and local communication. In these services, many secu-

rity protocols that are used for authentication and key ex-

change are provided to ensure secure communication. The

security protocols are designed to meet specific security re-

quirements that differ from service to service. For example;

when a mobile terminal communicate with a gate device in

a public transportation system, a fast and lightweight secu-

rity protocol is needed. On the other hand, when the deviceconnects to an ATM or mobile banking services, a strict au-

thentication protocol is required. If a terminal uses many

services, the terminal will be required to handle numerous

security protocols.

On the other hand, security flaws on security protocols

are often found and they are updated by replacing entire

security protocol programs with new ones. The replace-

ment process usually incurs a high cost and is very time

consuming, even though a part of program should be modi-

fied. Thus, a fast and efficient method for replacing security

protocols is needed in order to fix security flaws.

Security protocol compilers have been researched in or-

der to realize dynamic generation and modification of secu-

rity protocols. The compilers generate source code or ex-

ecutable modules of security protocols from high-level se-curity protocol definitions. Thus, a security protocol can be

changed to input a protocol definition and execute the com-

pilers where the compilers are implemented on the termi-

nals. However, no compiler that generates C source code for

high-level security protocol specifications exists. The range

of executable environments of generated protocols is ex-

panded, if a security protocol compiler generates C source

code.

In this paper, we propose a new security compiler that

automatically generates security protocol modules based

on a security protocol definition. Furthermore, we imple-

mented the security protocol compiler and evaluated trans-

action time and generated code size. To implement the se-curity protocol compiler on terminals, a security protocol

can be modified or replaced easily in accordance with sit-

uations. Thus, the terminal is able to use several services

without implementation of all security protocols for the ser-

vices, and a vulnerable security protocol can be replaced

quickly. Our contribution is summarized as follows:

We designed and implemented a security protocol

compiler that loads a security protocol definition file

and generate a C source code. The protocol definition

file can be defined as a high-level specification of the

protocol and it is written in an extensible and interop-

erable language XML.

We evaluated our security protocol compiler and the

compiler realizes fast C source code generation under

30 msec from a high-level security protocol definition.

The paper is organized as follows: Section 2 introduces

related work on security protocol compilers. Next, we

present a security protocol compiler in Section 3. Evalu-

2008 International Conference on Information Security and Assurance

978-0-7695-3126-7/08 $25.00 2008 IEEE

DOI 10.1109/ISA.2008.13

20

2008 International Conference on Information Security and Assurance

978-0-7695-3126-7/08 $25.00 2008 IEEE

DOI 10.1109/ISA.2008.13

20


2/6

ation results are shown in Section 4. Finally, we conclude

this paper in Section 5.

2. Related Work

Languages for describing protocol specifications havebeen studied. Estelle[3] is a major protocol language based

on a finite state machine model. Estelle can be used for

semi-automatic implementations of protocols[11]. How-

ever, existing reports address only limited protocols and

the description is very complicated and difficult to define

high-level specifications of security protocols. Prolac[5]

is a statically-typed, object-oriented language for protocol

specifications. The Prolac compiler compiles a Prolac spec-

ification to a C code. The compiler can apply for several

protocol specifications; however, the language is similar to

C. Thus, writing a Prolac code is similar to programming

a C code. The Austin protocol compiler[8] transforms the

protocol specification written in timed abstract protocol no-tation to an executable code. The tool is applicable to basic

protocols without cryptographic computations.

There are some compilers for generating security proto-

col implementations from high-level specifications of secu-

rity protocols. F. Muller and J. Millen proposed automatic

Java code generation from CAPSL or CIL specification lan-

guages [9]. The tool is used for cryptographic protocols

that only use symmetric key encryption. ACG (Automatic

Code Generator) is a part of the AGVI toolkit[12] and is

an automatic compiler that translates high-level specifica-

tions of security protocols into Java source code. COSP-

J[4] is a program that take a description of a security proto-

col in a simple, abstract language Casper[6] and it produces

a Java source code of the same program. ACG-C# pro-

duces C# implementation codes for security protocols with

Casper. Spi2Java[10] automatically generates Java code im-

plementing cryptographic protocols described in the formal

specification language spi calculus[1]. SPEAR II[7] pro-

vides Java code generation from an abstract protocol speci-

fication. These tools require that the protocol specification

is described in specific languages. We cannot change the

granularity of information such as the addition of detailed

protocol information. Thus, the description lacks flexibility

for minor changes of the security protocol that caused by

a variety of implementation environments such as crypto-graphic algorithm, padding rule, and initial values for vari-

ables. Furthermore, no compiler that generates C source

code for high-level specifications of security protocols ex-

ists.

We present a security protocol compiler generating C

source code from protocol specifications that can be de-

scribed as a high-level and flexible specification written in

XML language.

3 Security Protocol Compiler

In this section, we introduce hypothetical examples of

the use of the security protocol compiler, and then we ex-

plain the language for security protocol definition and the

mechanisms of the security protocol compiler.

3.1 Examples of Use

The security protocol compiler loads a security proto-

col definition file and generates an executable module of

the security protocol. Thus, a terminal dynamically adds

or modifies functions for authentication and key exchange,

enabling the security protocol compiler to be used without

the need to download new program files or patches. The

protocol definition file is a text file written in XML, mean-

ing that the download process is light weight and it is not

necessary to download all the modified programs. Further-

more, it is readable and easy to check whether the file corre-

sponds to the protocol specification. If the terminal down-

loads additional program modules, the terminal has to ver-

ify the program: for example, checking whether a computer

virus is present. Generally, it is difficult to perform a com-

plete check for an executable program. On the other hand,

the validity of the protocol definition file is ensured using

a digital signature of the flie and the content of the file is

readable. The following are hypothetical examples of the

use of the security protocol compiler;

Dynamic Generation of Security Protocols

The security protocol compiler dynamically generates

a security protocol if a terminal uses a new service.When a terminal uses a service for the first time, the

terminal downloads a security protocol definition file

and generates modules for authentication and the key

exchange protocol that is specific for each service. The

service providers can use their own protocols that are

designed in accordance with their security and perfor-

mance requirements.

Replacement of Vulnerable Security Protocols

When a security protocol found to be vulnerable, the

administrator can replace the vulnerable protocol with

a new secure protocol by using the security protocol

compiler. The administrator first makes a new securityprotocol definition file and sends it to all terminals and

servers. The terminals and servers execute the security

protocol compiler and replace the executable module

of the security protocol.

Temporary Modification of Security Protocols

The security protocol compiler enables rapid and tem-

porary modifications of the protocol to be made. For

2121


3/6

Figure 1. Protocol Definition File

example, if a network manager find signs that an at-

tacker has infiltrated is inside the office network, the

manager can change the security level of the office

network. In this situation, the manager changes cur-

rent security protocols to security protocols that are

designed for protecting the attacker; thus, the secu-

rity protocol should be changed until the attacker is

removed from the network. The manager sends a se-

curity protocol definition, which satisfies high level

security requirements, to all terminals and servers to

change the security protocol temporarily. After remov-

ing the attacker, the manager sends information to all

entities and the terminals and servers change the se-

curity protocol to the former protocol that meets low

level security requirements but is fast and convenient.

3.2 Language of Security Protocol Defini-tion

The protocol definition for our security protocol com-

piler is a high-level protocol specification written in XML

language. The high-level definition is easy to write flows

and calculations in the protocol and it is assumed to be in-

dependent from environments. XML is a standard languageand widely used for several environments; thus, the proto-

col definition file has interoperability between several com-

pilers that run on different environments. Furthermore, the

XML description is easy to add specific information to the

high-level protocol definition. For example, if they wish,

protocol designers can describe detailed parameters such

as parameters for cryptographic algorithms and initial val-

ues of variables. The description is highly flexible with re-

gard to adding and removing information; thus, the proto-

col specification can include not only a common high-level

specification of the security protocol but also specific infor-

mation for environments. This flexibility allows compilers

to be customized for particular environments such as smart

card. The protocol definition file can be used for a range of

security protocol compilers.

We describe security protocols based on definitions of

data, functions, and flows. A flow is described as all data

sending by one transaction between entities and informa-

tion of sender and receiver. A function indicates a crypto-

graphic operation and it is described as input data and algo-

rithm name. Data is minimum blocks to construct a security

protocol definition. Security protocols definition consist of

several flows, and these flows consist of data and functions.

Furthermore, we describe additional information in the pro-

tocol definitions, such as purpose of the protocol, informa-

tion of entities on a header field. The definition file includes

information for all entities which execute the protocol. Our

security protocol definition is divided into five parts: Header Information Field

The header information field defines the purpose of a

protocol such as authentication and key exchange, and

security parameters.

Entity Information Field

The entity information field stores information on each

entity. Entity information includes which entity should

be authenticated, role of the entity (initiator of the pro-

tocol or responder to the protocol), and the data list that

the entity knows before the protocol starts. The infor-

mation also includes key generation function info and

validation function info. The key generation functioninforefers to a function for generating a session key in

a key exchange protocol, and the validation function

inforefers to a function for authentication whereby the

entity computes the function to verify the authenticity

of an entity.

Data Information Field

The data information field is for definition of data.

Data information consists of data-id, data type, length,

creator, label, algorithm, value, usage, source, store,

and comment as shown Table 1.

Function Information Field

The function information field consists of function def-

initions. Function information includes function iden-

tifier, algorithm type, length of output, and input data.

Function information optionally includes detailed in-

formation for a cryptographic algorithm such as OID

and padding type.

Flow Information Field

All protocol flows and computations between flows are

2222


4/6

Table 1. Data InformationField Name Man. Opt. Content

data-id mandatory Identifier of data

data type mandatory Data type selected from

{Identifier, Random, Text, Counter,Password, Symmetric Key,

Public Key, Private Key,

Temporary Public Key,Temporary Private Key,}length mandatory Length of the data

creator mandatory Name of creating the data:

entity names or public

label optional Global name of the data that is used

for other security definition files

algorithm optional Related algorithm.

This field is mandatory, where the data

is public key, private key, temporary

public key, or temporary private key.

usage optional Usage of the data

value optional (Initial) value of the data

source optional File name or pass to load

the data as a initial value

store optional File name or pass to save

the data when the protocol is finishedcomment optional For arbitrary description

written in the flow information field. Flow information

includes information of sender, receiver, and sending

data and function.

The data type Identifier, Random, Password,

Counter, and Text indicates that the data is an identifier

of an entity, random number, password, counter value, andother type of data, respectively. Temporal Public Key and

Temporal Private Keyindicates that the data are public key

and private key generated in the protocol respectively.

Functions for the security protocol are defined by infor-

mation of function-id, input data, function type, and length

of the output. Flows of the security protocol are described

as information of flow-id, sender, receiver, and sending data

and functions. Data and functions can be referred using

data-id and function-id. A flow has a special label for defin-

ing action after receiving the flow. For example, a label

for authentication indicates the flow that the receiver en-

tity judges whether the sender entity is valid. A label forkey exchange means that the receiver entity calculates a

session key after receiving the flow. A function for each en-

tity is defined as a special function calculating a session key

in the entity information field. An example of the protocol

definition file is shown in Figure 1. A digital signature of a

trusted third party is attached to the security protocol defini-

tion file, and we assume that the security protocol definition

file is unforgeable and trusted.

Figure 2. Protocol Input GUI

3.3 Protocol Input GUI

We create a program that is used to input a security pro-tocol using a convenient GUI as shown in Figure 2. A de-

signer of security protocol can easily input his/her protocol

and generate protocol definition files in written XML.

3.4 Architecture of Terminal

Figure 3 shows the architecture of terminals that incor-

porate the security protocol compiler. We assume an appli-

cation program runs on each terminal. A manager program

provides protocol modification and execution function for

the application program. A protocol definition file is input

into the protocol compiler by the manager program. The

protocol compiler is executed by the manager program andreturns C source code to the manager program. The man-

ager program then executes C compiler and makes an exe-

cutable module from the source. After generating the exe-

cutable module, the application program can execute a new

protocol to call the executable module via a common API

that the manager program provides. Thus, the application

ignores the modification of security protocols.

The executable program uses a cryptographic library to

compute cryptographic algorithms. We define interfaces to

call algorithms in the cryptographic library. The interface

is defined by types of cryptographic algorithm such as sym-

metric key encryption, hash function, etc. To identify algo-

rithms, input information of the interface includes algorithm

name or algorithm OID.

3.5 Automatic Generation of Source Code

Execution of the security protocol compiler consists of

two steps: 1) the parsing and analyzing step, and 2) the

source code generation step. The compilation process of

2323


5/6

Application Program

Security Protocol

CompilerC Compiler

Manager Program

Protocol

Definition C Source

Executable Program

Cryptographic Lib.

OKC Source

Protocol

Definition

Execute

Cryptographic Computation

Run Protocol

Figure 3. Architecture of Terminal

Parse XML Structure

Protocol

Definition File

Store into Data Tables

Analyze Relationships

between Data

Update Index Table

Generate Lists from

Tables

Generate Source Code

Source

Code

Parsing and Analyzing Step

Source Code

Generation Step

Figure 4. Compilation Process

the security protocol compiler is shown in Figure 4. A gen-

erated source code is input into a general compiler program

such as g.c.c. and it is transformed into an executable mod-

ules. The details of each step are as follows:

3.5.1 Parsing and Analyzing Step

In this step, the security protocol compiler first parses a pro-

tocol definition file and dividing it into nodes, and then gen-

erates data tables as shown in Figure 5. The compiler has

four data tables: flow table, entity table, function table, and

data table. Data, function, flow, and entity are stored in re-

lated data tables, along with related elements. Information

on each data and entity are stored in one record of the data

tables. Flow information is divided into sender information

and receiver information and these are stored in different

records. Information on functions is also divided into in-

put and output information and they are stored in different

records. Pointer information of all the data table records isgenerated and stored in an index table. Next, the compiler

analyzes the relationship between them and stores pointer

information in the corresponding record. For example, a

function record stores pointer information of all data that is

input into the function, and an entity record stores pointer

information of all the flows that the entity sends and re-

ceives. Furthermore, the compiler assigns outputs of all

functions with new data and stores the data into the data

Protocol

Entity

Flow

Function

Data

Entity

Flow

Function

Data

Data

Entity

Flow

Function

Data

Data

Entity Table

Flow Table

Function Table

Data TableProtocol Definition File

Figure 5. Generation of Table Files

table. After storing pointer information, the compiler as-

certains the relationships between data, function, flow, and

entities. The compiler updates the index table using data

tables. Next, the compiler generates six lists from the data

and index tables: entity list, known data list, entity data list,

function list, algorithm list, and flow list. The entity list

stores the pointer information of the entities. The known

data list indicates data that an entity knows before starting

the protocol, and the entity data list stores pointer infor-

mation of data that the entity generates during the proto-col. The function list and flow list are the pointer informa-

tion of functions and the flows of each entity, respectively.

The algorithm list shows the algorithm identifiers that are

used for functions by an entity. The compiler generates

run-sequence description from an entity flow list and an en-

titys information (key generation function info and valida-

tion function info). The description denotes the execution

procedure of the protocol for the entity.

3.5.2 Source Code Generation Step

In the second step, the security protocol compiler generates

a source code for executing a security protocol. The com-

piler generates source code from the lists and tables shown

in Figure 6. The compiler loads the algorithm and generates

the information to be included by using the algorithm list.

The compiler generates codes for initialization of variables

and variable declaration based on the known data list and

entity data list, respectively. Then, the compiler generates

code function declarations and functions (cryptographic al-

gorithms) call based on the function list. Next, the flow is

translated into codes using the flow list. The codes for flows

consist of data descriptions and functions that are included

in the flow and call of send/receive functions. The send and

receive functions that are pre-defined functions to send orreceive data, which the compiler has. Finally, the compiler

writes codes for the main body of a program using a run

sequence description, and adds error handling codes to the

end of the source code.

The source code automatically includes check logics for

input of invalid data in the protocol execution, which makes

the source code secure. The logic checks lengths of data

and data format to protect against attacks that an attacker

2424


6/6

Source Code

Include

Variable Declaration

& Initialization

Function Declaration

Flow Declaration

Body

Error Routine

Source Code

Algorithm List

Known Data List

Entity Data List

Function List

Flow List

Run-sequence

description

Index Table

Data Table

Function Table

Flow Table

Entity Table

Source Code

GenerationInformation Link

Figure 6. Source Code Generation

Table 2. Data Information

Protocol Gen. Time. (ms) Program Size (KB) Exe. Time. (ms)

AKEP1 23.00 99 445.67

AKEP2 23.67 97 322.00

SSL like 26.33 108 599.00

alters sending data to overflow buffers of an entity and try

to execute invalid programs on the entity.

4 Evaluation Result

We implemented the security protocol compiler on PC

Linux (2.4 GHz CPU 1GB Memory, kernel-2.6.18). Wegenerated AKEP1[2], AKEP2[2], and SSL-like authenti-

cated key exchange protocols using a public key encryp-

tion algorithm, and we evaluated the generation transaction

time. Furthermore, we generated executable modules of the

protocols using gcc-4.1.1 and evaluated the transaction time

of executing the protocols and program sizes of the mod-

ules. The evaluation results are shown in Table 2. Trans-

action time of source code generation is less than 30 msec.

The program sizes of executable files and the transaction

time of running protocols is feasible for real services.

5 Conclusion

In this paper, we proposed a new security protocol

compiler that generates a C source code from a protocol

definition written in an extensible and interoperable lan-

guage XML. The protocol definition is written as a high-

level specification and it is flexible for environmentally-

dependent specifications. We implemented the security pro-

tocol compiler on PC Linux and evaluated transaction time

for protocol generation. We also evaluate generated module

sizes and protocol transaction time of the generated mod-

ules. The security protocol compiler realized fast source

code generation of less than 30 msec, and the program sizes

of executable files and transaction time of the running proto-

cols were shown to be feasible for real services. A security

protocol can be modified or replaced easily in accordance

with situations, by using our security protocol compiler.

Acknowledgement

A part of this work is supported by the National Institute

of Information and Communication Technology (NICT).

References

[1] M. Abadi and D. Gordon. A calculus for cryptographic pro-

tocols the spi calculus. Inf. Comput., 148(1):170, 1999.[2] M. Bellare and P. Rogaway. Entity authentication and key

distribution. InProc. of CRYPTO 93, LNCS, volume 773,pages 232249. Springer Verg., 1994.

[3] P. Dembinski and S. Budkowski. Specification language es-

telle. The formal description technique Estelle, pages 3575,

1989.[4] X. Didelot. A compiler for security protocols. Available

at http://web.comlab.ox.ac.uk/oucl/work/

gavin.lowe/Security/Casper/COSPJ/s%ecu.

pdf, 2003.[5] E. Kohler, M. F. Kaashoek, and D. R. Montgomery. A read-

able tcp in the prolac protocol language. In Proc. of SIG-

COMM 99, pages 313. ACM, 1999.[6] G. Lowe. Casper: A compiler for the analysis of security

protocols. InProc. of 10th IEEE Computer Security Foun-

dations Workshop, pages 1830. IEEE, 1997.[7] S. Lukell and C. Veldman. Automated attack analysis and

code generation in a multi-dimensional security protocol en-

gineering framework. InProc. of Southern African Telecom-

munications Networks and Applications Conference 2003

(SATNAC 2003), 2003.[8] T. M. McGuire and M. G. Gouda.The Austin protocol com-

piler, Advances in information security, Vol.13. Springer

Verg., 2004.[9] F. Muller and J. Millen. Cryptographic protocol generation

from capsl. Technical Report SRI-CSL-01-07, SRI Interna-

tional, 2001.[10] D. Pozza, R. Sisto, and L. Durante. Spi2java: Automatic

cryptographic protocol java code generation from spi calcu-

lus. InProc. of 18th International Conference on Advanced

Information Networking and Application (AINA04), pages400405. IEEE, 2004.

[11] D. Sidhu, A. Chung, and T. P. Blumer. A formal description

technique for protocol engineering. Technical Report CS-

TR-2505, Univ. of Maryland, July 1990.[12] D. Song, A. Perrig, and D. Phan. Agvi automatic genera-

tion, verification, and implementation of security protocols.

InProc. of 13th Conference on Computer Aided Verification

(CAV), pages 241255. Springer Verg., 2001.

2525

a security protocol compiler generating c source codes

Documents