Files in this item



application/pdfsasse_ralf.pdf (2MB)
(no description provided)PDF


Title:Security models in rewriting logic for cryptographic protocols and browsers
Author(s):Sasse, Ralf
Director of Research:Meseguer, José
Doctoral Committee Chair(s):Meseguer, José
Doctoral Committee Member(s):King, Samuel T.; Roşu, Grigore; Meadows, Catherine; Chen, Shuo
Department / Program:Computer Science
Discipline:Computer Science
Degree Granting Institution:University of Illinois at Urbana-Champaign
Subject(s):browser security
visual invariants
same origin policy
semantic unification
variant narrowing
cryptographic protocol analysis
rewriting logic
Abstract:This dissertation tackles crucial issues of web browser security. Web browsers are now a central part of the trusted code base of any end-user computer system, as more and more usage shifts to services provided by web sites that are accessed through those browsers. Towards this goal we identify three key aspects of web browser security: (i) the \emph{machine-to-user communication}, (ii) \emph{internal browser security concerns} and (iii) \emph{machine-to-machine communication}. We address aspects (i) and (ii) by developing a methodology that creates a formal model of a web browser and analyzes that model. We showcase this on the graphical user interface of both Internet Explorer and the Illinois Browser Operating System (IBOS) web browsers. Internal security aspects are addressed in the IBOS browser for the same origin policy. For aspect (iii) we look at the formal analysis of cryptographic protocols, independent of any particular browser. We focus on the formal analysis of protocols \emph{modulo algebraic properties} of their cryptographic functions, since it is well-known the protocol verification methods that ignore such algebraic properties using a standard Dolev-Yao model can verify as correct protocols that can be in fact broken using the algebraic properties. We adopt a symbolic approach and use the Maude-NPA cryptographic protocol analysis tool, which has extended unification capabilities modulo theories based on the new narrowing strategy we developed. We present case studies showing that appropriate protocols can be analyzed so that either attacks are found, or the absence of attacks can be proven.
Issue Date:2012-09-18
Rights Information:Copyright 2012 Ralf Sasse
Date Available in IDEALS:2012-09-18
Date Deposited:2012-08

This item appears in the following Collection(s)

Item Statistics