a security protocol compiler generating c source codes
TRANSCRIPT
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
1/6
A Security Protocol Compiler Generating C Source Codes
Shinsaku Kiyomoto, Haruki Ota, and Toshiaki TanakaKDDI R&D Laboratories Inc.
2-1-15 Ohara Fujimino-shi Saitama 356-8502, Japan
Abstract
In this paper, we propose a security protocol com-
piler that automatically generates security protocol mod-
ules based on a security protocol definition. Our security
compiler loads a security protocol definition file that can be
defined as a high-level specification of the protocol writtenin XML and it generates a C source code from the specifica-
tion. Our security protocol compiler realizes fast C source
code generation under 30 msec from the high-level secu-
rity protocol definition. To implement the security protocol
compiler on terminals, a security protocol can be modified
or replaced easily in accordance with situations. Thus, the
terminal is able to use several services without implementa-
tion of all security protocols for the services, and a vulner-
able security protocol is can be replaced quickly.
1. Introduction
Ubiquitous is a key phrase for new generation IT ser-
vices. In a ubiquitous network, multi-network, multi-
device, and multi-services exist. Many services have been
provided over communication networks such as the Internet
and local communication. In these services, many secu-
rity protocols that are used for authentication and key ex-
change are provided to ensure secure communication. The
security protocols are designed to meet specific security re-
quirements that differ from service to service. For example;
when a mobile terminal communicate with a gate device in
a public transportation system, a fast and lightweight secu-
rity protocol is needed. On the other hand, when the deviceconnects to an ATM or mobile banking services, a strict au-
thentication protocol is required. If a terminal uses many
services, the terminal will be required to handle numerous
security protocols.
On the other hand, security flaws on security protocols
are often found and they are updated by replacing entire
security protocol programs with new ones. The replace-
ment process usually incurs a high cost and is very time
consuming, even though a part of program should be modi-
fied. Thus, a fast and efficient method for replacing security
protocols is needed in order to fix security flaws.
Security protocol compilers have been researched in or-
der to realize dynamic generation and modification of secu-
rity protocols. The compilers generate source code or ex-
ecutable modules of security protocols from high-level se-curity protocol definitions. Thus, a security protocol can be
changed to input a protocol definition and execute the com-
pilers where the compilers are implemented on the termi-
nals. However, no compiler that generates C source code for
high-level security protocol specifications exists. The range
of executable environments of generated protocols is ex-
panded, if a security protocol compiler generates C source
code.
In this paper, we propose a new security compiler that
automatically generates security protocol modules based
on a security protocol definition. Furthermore, we imple-
mented the security protocol compiler and evaluated trans-
action time and generated code size. To implement the se-curity protocol compiler on terminals, a security protocol
can be modified or replaced easily in accordance with sit-
uations. Thus, the terminal is able to use several services
without implementation of all security protocols for the ser-
vices, and a vulnerable security protocol can be replaced
quickly. Our contribution is summarized as follows:
We designed and implemented a security protocol
compiler that loads a security protocol definition file
and generate a C source code. The protocol definition
file can be defined as a high-level specification of the
protocol and it is written in an extensible and interop-
erable language XML.
We evaluated our security protocol compiler and the
compiler realizes fast C source code generation under
30 msec from a high-level security protocol definition.
The paper is organized as follows: Section 2 introduces
related work on security protocol compilers. Next, we
present a security protocol compiler in Section 3. Evalu-
2008 International Conference on Information Security and Assurance
978-0-7695-3126-7/08 $25.00 2008 IEEE
DOI 10.1109/ISA.2008.13
20
2008 International Conference on Information Security and Assurance
978-0-7695-3126-7/08 $25.00 2008 IEEE
DOI 10.1109/ISA.2008.13
20
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
2/6
ation results are shown in Section 4. Finally, we conclude
this paper in Section 5.
2. Related Work
Languages for describing protocol specifications havebeen studied. Estelle[3] is a major protocol language based
on a finite state machine model. Estelle can be used for
semi-automatic implementations of protocols[11]. How-
ever, existing reports address only limited protocols and
the description is very complicated and difficult to define
high-level specifications of security protocols. Prolac[5]
is a statically-typed, object-oriented language for protocol
specifications. The Prolac compiler compiles a Prolac spec-
ification to a C code. The compiler can apply for several
protocol specifications; however, the language is similar to
C. Thus, writing a Prolac code is similar to programming
a C code. The Austin protocol compiler[8] transforms the
protocol specification written in timed abstract protocol no-tation to an executable code. The tool is applicable to basic
protocols without cryptographic computations.
There are some compilers for generating security proto-
col implementations from high-level specifications of secu-
rity protocols. F. Muller and J. Millen proposed automatic
Java code generation from CAPSL or CIL specification lan-
guages [9]. The tool is used for cryptographic protocols
that only use symmetric key encryption. ACG (Automatic
Code Generator) is a part of the AGVI toolkit[12] and is
an automatic compiler that translates high-level specifica-
tions of security protocols into Java source code. COSP-
J[4] is a program that take a description of a security proto-
col in a simple, abstract language Casper[6] and it produces
a Java source code of the same program. ACG-C# pro-
duces C# implementation codes for security protocols with
Casper. Spi2Java[10] automatically generates Java code im-
plementing cryptographic protocols described in the formal
specification language spi calculus[1]. SPEAR II[7] pro-
vides Java code generation from an abstract protocol speci-
fication. These tools require that the protocol specification
is described in specific languages. We cannot change the
granularity of information such as the addition of detailed
protocol information. Thus, the description lacks flexibility
for minor changes of the security protocol that caused by
a variety of implementation environments such as crypto-graphic algorithm, padding rule, and initial values for vari-
ables. Furthermore, no compiler that generates C source
code for high-level specifications of security protocols ex-
ists.
We present a security protocol compiler generating C
source code from protocol specifications that can be de-
scribed as a high-level and flexible specification written in
XML language.
3 Security Protocol Compiler
In this section, we introduce hypothetical examples of
the use of the security protocol compiler, and then we ex-
plain the language for security protocol definition and the
mechanisms of the security protocol compiler.
3.1 Examples of Use
The security protocol compiler loads a security proto-
col definition file and generates an executable module of
the security protocol. Thus, a terminal dynamically adds
or modifies functions for authentication and key exchange,
enabling the security protocol compiler to be used without
the need to download new program files or patches. The
protocol definition file is a text file written in XML, mean-
ing that the download process is light weight and it is not
necessary to download all the modified programs. Further-
more, it is readable and easy to check whether the file corre-
sponds to the protocol specification. If the terminal down-
loads additional program modules, the terminal has to ver-
ify the program: for example, checking whether a computer
virus is present. Generally, it is difficult to perform a com-
plete check for an executable program. On the other hand,
the validity of the protocol definition file is ensured using
a digital signature of the flie and the content of the file is
readable. The following are hypothetical examples of the
use of the security protocol compiler;
Dynamic Generation of Security Protocols
The security protocol compiler dynamically generates
a security protocol if a terminal uses a new service.When a terminal uses a service for the first time, the
terminal downloads a security protocol definition file
and generates modules for authentication and the key
exchange protocol that is specific for each service. The
service providers can use their own protocols that are
designed in accordance with their security and perfor-
mance requirements.
Replacement of Vulnerable Security Protocols
When a security protocol found to be vulnerable, the
administrator can replace the vulnerable protocol with
a new secure protocol by using the security protocol
compiler. The administrator first makes a new securityprotocol definition file and sends it to all terminals and
servers. The terminals and servers execute the security
protocol compiler and replace the executable module
of the security protocol.
Temporary Modification of Security Protocols
The security protocol compiler enables rapid and tem-
porary modifications of the protocol to be made. For
2121
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
3/6
Figure 1. Protocol Definition File
example, if a network manager find signs that an at-
tacker has infiltrated is inside the office network, the
manager can change the security level of the office
network. In this situation, the manager changes cur-
rent security protocols to security protocols that are
designed for protecting the attacker; thus, the secu-
rity protocol should be changed until the attacker is
removed from the network. The manager sends a se-
curity protocol definition, which satisfies high level
security requirements, to all terminals and servers to
change the security protocol temporarily. After remov-
ing the attacker, the manager sends information to all
entities and the terminals and servers change the se-
curity protocol to the former protocol that meets low
level security requirements but is fast and convenient.
3.2 Language of Security Protocol Defini-tion
The protocol definition for our security protocol com-
piler is a high-level protocol specification written in XML
language. The high-level definition is easy to write flows
and calculations in the protocol and it is assumed to be in-
dependent from environments. XML is a standard languageand widely used for several environments; thus, the proto-
col definition file has interoperability between several com-
pilers that run on different environments. Furthermore, the
XML description is easy to add specific information to the
high-level protocol definition. For example, if they wish,
protocol designers can describe detailed parameters such
as parameters for cryptographic algorithms and initial val-
ues of variables. The description is highly flexible with re-
gard to adding and removing information; thus, the proto-
col specification can include not only a common high-level
specification of the security protocol but also specific infor-
mation for environments. This flexibility allows compilers
to be customized for particular environments such as smart
card. The protocol definition file can be used for a range of
security protocol compilers.
We describe security protocols based on definitions of
data, functions, and flows. A flow is described as all data
sending by one transaction between entities and informa-
tion of sender and receiver. A function indicates a crypto-
graphic operation and it is described as input data and algo-
rithm name. Data is minimum blocks to construct a security
protocol definition. Security protocols definition consist of
several flows, and these flows consist of data and functions.
Furthermore, we describe additional information in the pro-
tocol definitions, such as purpose of the protocol, informa-
tion of entities on a header field. The definition file includes
information for all entities which execute the protocol. Our
security protocol definition is divided into five parts: Header Information Field
The header information field defines the purpose of a
protocol such as authentication and key exchange, and
security parameters.
Entity Information Field
The entity information field stores information on each
entity. Entity information includes which entity should
be authenticated, role of the entity (initiator of the pro-
tocol or responder to the protocol), and the data list that
the entity knows before the protocol starts. The infor-
mation also includes key generation function info and
validation function info. The key generation functioninforefers to a function for generating a session key in
a key exchange protocol, and the validation function
inforefers to a function for authentication whereby the
entity computes the function to verify the authenticity
of an entity.
Data Information Field
The data information field is for definition of data.
Data information consists of data-id, data type, length,
creator, label, algorithm, value, usage, source, store,
and comment as shown Table 1.
Function Information Field
The function information field consists of function def-
initions. Function information includes function iden-
tifier, algorithm type, length of output, and input data.
Function information optionally includes detailed in-
formation for a cryptographic algorithm such as OID
and padding type.
Flow Information Field
All protocol flows and computations between flows are
2222
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
4/6
Table 1. Data InformationField Name Man. Opt. Content
data-id mandatory Identifier of data
data type mandatory Data type selected from
{Identifier, Random, Text, Counter,Password, Symmetric Key,
Public Key, Private Key,
Temporary Public Key,Temporary Private Key,}length mandatory Length of the data
creator mandatory Name of creating the data:
entity names or public
label optional Global name of the data that is used
for other security definition files
algorithm optional Related algorithm.
This field is mandatory, where the data
is public key, private key, temporary
public key, or temporary private key.
usage optional Usage of the data
value optional (Initial) value of the data
source optional File name or pass to load
the data as a initial value
store optional File name or pass to save
the data when the protocol is finishedcomment optional For arbitrary description
written in the flow information field. Flow information
includes information of sender, receiver, and sending
data and function.
The data type Identifier, Random, Password,
Counter, and Text indicates that the data is an identifier
of an entity, random number, password, counter value, andother type of data, respectively. Temporal Public Key and
Temporal Private Keyindicates that the data are public key
and private key generated in the protocol respectively.
Functions for the security protocol are defined by infor-
mation of function-id, input data, function type, and length
of the output. Flows of the security protocol are described
as information of flow-id, sender, receiver, and sending data
and functions. Data and functions can be referred using
data-id and function-id. A flow has a special label for defin-
ing action after receiving the flow. For example, a label
for authentication indicates the flow that the receiver en-
tity judges whether the sender entity is valid. A label forkey exchange means that the receiver entity calculates a
session key after receiving the flow. A function for each en-
tity is defined as a special function calculating a session key
in the entity information field. An example of the protocol
definition file is shown in Figure 1. A digital signature of a
trusted third party is attached to the security protocol defini-
tion file, and we assume that the security protocol definition
file is unforgeable and trusted.
Figure 2. Protocol Input GUI
3.3 Protocol Input GUI
We create a program that is used to input a security pro-tocol using a convenient GUI as shown in Figure 2. A de-
signer of security protocol can easily input his/her protocol
and generate protocol definition files in written XML.
3.4 Architecture of Terminal
Figure 3 shows the architecture of terminals that incor-
porate the security protocol compiler. We assume an appli-
cation program runs on each terminal. A manager program
provides protocol modification and execution function for
the application program. A protocol definition file is input
into the protocol compiler by the manager program. The
protocol compiler is executed by the manager program andreturns C source code to the manager program. The man-
ager program then executes C compiler and makes an exe-
cutable module from the source. After generating the exe-
cutable module, the application program can execute a new
protocol to call the executable module via a common API
that the manager program provides. Thus, the application
ignores the modification of security protocols.
The executable program uses a cryptographic library to
compute cryptographic algorithms. We define interfaces to
call algorithms in the cryptographic library. The interface
is defined by types of cryptographic algorithm such as sym-
metric key encryption, hash function, etc. To identify algo-
rithms, input information of the interface includes algorithm
name or algorithm OID.
3.5 Automatic Generation of Source Code
Execution of the security protocol compiler consists of
two steps: 1) the parsing and analyzing step, and 2) the
source code generation step. The compilation process of
2323
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
5/6
Application Program
Security Protocol
CompilerC Compiler
Manager Program
Protocol
Definition C Source
Executable Program
Cryptographic Lib.
OKC Source
Protocol
Definition
Execute
Cryptographic Computation
Run Protocol
Figure 3. Architecture of Terminal
Parse XML Structure
Protocol
Definition File
Store into Data Tables
Analyze Relationships
between Data
Update Index Table
Generate Lists from
Tables
Generate Source Code
Source
Code
Parsing and Analyzing Step
Source Code
Generation Step
Figure 4. Compilation Process
the security protocol compiler is shown in Figure 4. A gen-
erated source code is input into a general compiler program
such as g.c.c. and it is transformed into an executable mod-
ules. The details of each step are as follows:
3.5.1 Parsing and Analyzing Step
In this step, the security protocol compiler first parses a pro-
tocol definition file and dividing it into nodes, and then gen-
erates data tables as shown in Figure 5. The compiler has
four data tables: flow table, entity table, function table, and
data table. Data, function, flow, and entity are stored in re-
lated data tables, along with related elements. Information
on each data and entity are stored in one record of the data
tables. Flow information is divided into sender information
and receiver information and these are stored in different
records. Information on functions is also divided into in-
put and output information and they are stored in different
records. Pointer information of all the data table records isgenerated and stored in an index table. Next, the compiler
analyzes the relationship between them and stores pointer
information in the corresponding record. For example, a
function record stores pointer information of all data that is
input into the function, and an entity record stores pointer
information of all the flows that the entity sends and re-
ceives. Furthermore, the compiler assigns outputs of all
functions with new data and stores the data into the data
Protocol
Entity
Flow
Function
Data
Entity
Flow
Function
Data
Data
Entity
Flow
Function
Data
Data
Entity Table
Flow Table
Function Table
Data TableProtocol Definition File
Figure 5. Generation of Table Files
table. After storing pointer information, the compiler as-
certains the relationships between data, function, flow, and
entities. The compiler updates the index table using data
tables. Next, the compiler generates six lists from the data
and index tables: entity list, known data list, entity data list,
function list, algorithm list, and flow list. The entity list
stores the pointer information of the entities. The known
data list indicates data that an entity knows before starting
the protocol, and the entity data list stores pointer infor-
mation of data that the entity generates during the proto-col. The function list and flow list are the pointer informa-
tion of functions and the flows of each entity, respectively.
The algorithm list shows the algorithm identifiers that are
used for functions by an entity. The compiler generates
run-sequence description from an entity flow list and an en-
titys information (key generation function info and valida-
tion function info). The description denotes the execution
procedure of the protocol for the entity.
3.5.2 Source Code Generation Step
In the second step, the security protocol compiler generates
a source code for executing a security protocol. The com-
piler generates source code from the lists and tables shown
in Figure 6. The compiler loads the algorithm and generates
the information to be included by using the algorithm list.
The compiler generates codes for initialization of variables
and variable declaration based on the known data list and
entity data list, respectively. Then, the compiler generates
code function declarations and functions (cryptographic al-
gorithms) call based on the function list. Next, the flow is
translated into codes using the flow list. The codes for flows
consist of data descriptions and functions that are included
in the flow and call of send/receive functions. The send and
receive functions that are pre-defined functions to send orreceive data, which the compiler has. Finally, the compiler
writes codes for the main body of a program using a run
sequence description, and adds error handling codes to the
end of the source code.
The source code automatically includes check logics for
input of invalid data in the protocol execution, which makes
the source code secure. The logic checks lengths of data
and data format to protect against attacks that an attacker
2424
-
8/12/2019 A Security Protocol Compiler Generating C Source Codes
6/6
Source Code
Include
Variable Declaration
& Initialization
Function Declaration
Flow Declaration
Body
Error Routine
Source Code
Algorithm List
Known Data List
Entity Data List
Function List
Flow List
Run-sequence
description
Index Table
Data Table
Function Table
Flow Table
Entity Table
Source Code
GenerationInformation Link
Figure 6. Source Code Generation
Table 2. Data Information
Protocol Gen. Time. (ms) Program Size (KB) Exe. Time. (ms)
AKEP1 23.00 99 445.67
AKEP2 23.67 97 322.00
SSL like 26.33 108 599.00
alters sending data to overflow buffers of an entity and try
to execute invalid programs on the entity.
4 Evaluation Result
We implemented the security protocol compiler on PC
Linux (2.4 GHz CPU 1GB Memory, kernel-2.6.18). Wegenerated AKEP1[2], AKEP2[2], and SSL-like authenti-
cated key exchange protocols using a public key encryp-
tion algorithm, and we evaluated the generation transaction
time. Furthermore, we generated executable modules of the
protocols using gcc-4.1.1 and evaluated the transaction time
of executing the protocols and program sizes of the mod-
ules. The evaluation results are shown in Table 2. Trans-
action time of source code generation is less than 30 msec.
The program sizes of executable files and the transaction
time of running protocols is feasible for real services.
5 Conclusion
In this paper, we proposed a new security protocol
compiler that generates a C source code from a protocol
definition written in an extensible and interoperable lan-
guage XML. The protocol definition is written as a high-
level specification and it is flexible for environmentally-
dependent specifications. We implemented the security pro-
tocol compiler on PC Linux and evaluated transaction time
for protocol generation. We also evaluate generated module
sizes and protocol transaction time of the generated mod-
ules. The security protocol compiler realized fast source
code generation of less than 30 msec, and the program sizes
of executable files and transaction time of the running proto-
cols were shown to be feasible for real services. A security
protocol can be modified or replaced easily in accordance
with situations, by using our security protocol compiler.
Acknowledgement
A part of this work is supported by the National Institute
of Information and Communication Technology (NICT).
References
[1] M. Abadi and D. Gordon. A calculus for cryptographic pro-
tocols the spi calculus. Inf. Comput., 148(1):170, 1999.[2] M. Bellare and P. Rogaway. Entity authentication and key
distribution. InProc. of CRYPTO 93, LNCS, volume 773,pages 232249. Springer Verg., 1994.
[3] P. Dembinski and S. Budkowski. Specification language es-
telle. The formal description technique Estelle, pages 3575,
1989.[4] X. Didelot. A compiler for security protocols. Available
at http://web.comlab.ox.ac.uk/oucl/work/
gavin.lowe/Security/Casper/COSPJ/s%ecu.
pdf, 2003.[5] E. Kohler, M. F. Kaashoek, and D. R. Montgomery. A read-
able tcp in the prolac protocol language. In Proc. of SIG-
COMM 99, pages 313. ACM, 1999.[6] G. Lowe. Casper: A compiler for the analysis of security
protocols. InProc. of 10th IEEE Computer Security Foun-
dations Workshop, pages 1830. IEEE, 1997.[7] S. Lukell and C. Veldman. Automated attack analysis and
code generation in a multi-dimensional security protocol en-
gineering framework. InProc. of Southern African Telecom-
munications Networks and Applications Conference 2003
(SATNAC 2003), 2003.[8] T. M. McGuire and M. G. Gouda.The Austin protocol com-
piler, Advances in information security, Vol.13. Springer
Verg., 2004.[9] F. Muller and J. Millen. Cryptographic protocol generation
from capsl. Technical Report SRI-CSL-01-07, SRI Interna-
tional, 2001.[10] D. Pozza, R. Sisto, and L. Durante. Spi2java: Automatic
cryptographic protocol java code generation from spi calcu-
lus. InProc. of 18th International Conference on Advanced
Information Networking and Application (AINA04), pages400405. IEEE, 2004.
[11] D. Sidhu, A. Chung, and T. P. Blumer. A formal description
technique for protocol engineering. Technical Report CS-
TR-2505, Univ. of Maryland, July 1990.[12] D. Song, A. Perrig, and D. Phan. Agvi automatic genera-
tion, verification, and implementation of security protocols.
InProc. of 13th Conference on Computer Aided Verification
(CAV), pages 241255. Springer Verg., 2001.
2525