Formal Aspects of Computing

, Volume 30, Issue 2, pp 279–317 | Cite as

Formally sound implementations of security protocols with JavaSPI

  • Riccardo Sisto
  • Piergiuseppe Bettassa Copet
  • Matteo Avalle
  • Alfredo Pironti
Original Article


Designing and coding security protocols is an error prone task. Several flaws are found in protocol implementations and specifications every year. Formal methods can alleviate this problem by backing implementations with rigorous proofs about their behavior. However, formally-based development typically requires domain specific knowledge available only to few experts and the development of abstract formal models that are far from real implementations. This paper presents a Java-based protocol design and implementation framework, where the user can write a security protocol symbolic model in Java, using a well defined subset of the language that corresponds to applied π-calculus. This Java model can be symbolically executed in the Java debugger, formally verified with ProVerif, and further refined to an interoperable Java implementation of the protocol. Soundness theorems are provided to prove that, under some reasonable assumptions, a simulation relation relates the Java refined implementation to the symbolic model verified by ProVerif, so that, for the usual security properties, a property verified by ProVerif on the symbolic model is preserved in the Java refined implementation. The applicability of the framework is evaluated by developing an extensive case study on the popular SSL protocol.


Security protocols Formal methods Formal verification Model-driven development 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ABB+10.
    Almeida JB, Bangerter E, Barbosa M, Krenn S, Sadeghi AR, Schneider T (2010) A certifying compiler for zero-knowledge proofs of knowledge based on Σ-protocols. In: 15th European conference on research in computer security (ESORICS 2010). Lecture notes in computer science, vol 6345. Springer, Berlin, pp 151–167Google Scholar
  2. ABBD13.
    Almeida JB, Barbosa M, Barthe G, Dupressoir F (2013) Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: 2013 ACM SIGSAC conference on computer and communications security (CCS 2013), ACM, pp 1217–1230Google Scholar
  3. ACMR12.
    Avanesov T, Chevalier Y, Mekki MA, Rusinowitch M (2012) Web services verification and prudent implementation. In: Data privacy management and autonomous spontaneus security. Lecture notes in computer science, vol 7122. Springer, Berlin, pp 173–189Google Scholar
  4. AF01.
    Abadi M, Fournet C: Mobile values, new names, and secure communication. ACM SIGPLAN Not 36(3), 104–115 (2001)CrossRefMATHGoogle Scholar
  5. AFP13.
    Al Fardan NJ, Paterson KG (2013) Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE symposium on security and privacy (S & P 2013), IEEE, pp 526–540Google Scholar
  6. AGJ12.
    Aizatulin M, Gordon AD, Jürjens J (2012) Computational verification of C protocol implementations by symbolic execution. In: 2012 ACM conference on computer and communications security (CCS 2012), ACM, pp 712–723Google Scholar
  7. App14.
    Apple goto fail bug (2014) CVE-2014-1266.
  8. APPS11.
    Avalle M, Pironti A, Pozza D, Sisto R: JavaSPI: a framework for security protocol implementation. Int J Secure Softw Eng 2(4), 34–48 (2011)CrossRefGoogle Scholar
  9. APS14.
    Avalle M, Pironti A, Sisto R: Formal verification of security protocol implementations: a survey. Form Asp Comput 26(1), 99–123 (2014)CrossRefGoogle Scholar
  10. APSP11.
    Avalle M, Pironti A, Sisto R, Pozza D (2011) The JavaSPI framework for security protocol implementation. In: 6th international conference on availability, reliability and security (ARES 2011), IEEE Computer Society, pp 746–751Google Scholar
  11. APW09.
    Albrecht MR, Paterson KG, Watson G (2009) Plaintext recovery attacks against ssh. In: IEEE symposium on security and privacy (S & P 2009), IEEE, pp 16–26Google Scholar
  12. BCD+09.
    Bhargavan K, Corin R, Deniélou PM, Fournet C, Leifer JJ (2009) Cryptographic protocol synthesis and verification for multiparty sessions. In: 22nd IEEE computer security foundations symposium (CSF 2009), IEEE Computer Society, pp 124–140Google Scholar
  13. BCPP+12.
    Bettassa Copet P, Pironti A, Pozza D, Sisto R, Vivoli P (2012) Visual model-driven design, verification and implementation of security protocols. In: IEEE 14th international symposium on high-assurance systems engineering (HASE 2012), IEEE, pp 62–65Google Scholar
  14. BDL06.
    Basin D, Doser J, Lodderstedt T: Model driven security: from UML models to access control infrastructures. ACM Trans Softw Eng Methodol 15(1), 39–91 (2006)CrossRefGoogle Scholar
  15. BFGT08.
    Bhargavan K, Fournet C, Gordon AD, Tse S: Verified interoperable implementations of security protocols. ACM Trans Program Lang Syst 31(1), 1–61 (2008)CrossRefMATHGoogle Scholar
  16. Bla01.
    Blanchet B (2001) An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE workshop on computer security foundations (CSF 2001), IEEE Computer Society, pp 82–96Google Scholar
  17. Bla09.
    Blanchet B: Automatic verification of correspondences for security protocols. J Comput Secur 17(4), 363–434 (2009)CrossRefGoogle Scholar
  18. BLF+14.
    Bhargavan K, Lavaud AD, Fournet C, Pironti A, Strub PY (2014) Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE symposium on security and privacy (S & P 2014), IEEE, pp 98–113Google Scholar
  19. BPP03.
    Bierman G, Parkinson M, Pitts A (2003) MJ: an imperative core calculus for Java and Java with effects. Technical report 563, Cambridge University Computer LaboratoryGoogle Scholar
  20. CB12.
    Cade D, Blanchet B (2012) From computationally-proved protocol specifications to implementations. In: 7th international conference on availability, reliability and security (ARES 2012), IEEE Computer Society, pp 65–74Google Scholar
  21. DGJN14.
    Dupressoir F, Gordon AD, Jürjens J, Naumann DA: Guiding a general-purpose C verifier to prove cryptographic protocols. J Comput Secur 22(5), 823–866 (2014)CrossRefGoogle Scholar
  22. DY83.
    Dolev D, Yao A: On the security of public key protocols. IEEE Trans Inf Theory 29(2), 198–207 (1983)MathSciNetCrossRefMATHGoogle Scholar
  23. Gnu14.
    GnuTLS certificate verification issue (2014) CVE-2014-0092.
  24. GV15.
    Gorrieri R, Versari C (2015) Transition systems and behavioral equivalences. Springer, Berlin, pp 21–79Google Scholar
  25. Hea14.
  26. HT96.
    Heintze N, Tygar JD: A model for secure protocols and their compositions. IEEE Trans Softw Eng 22(1), 16–30 (1996)CrossRefGoogle Scholar
  27. Jür01.
    Jürjens J (2001) Secrecy-preserving refinement. In: Fiadeiro J, Zave P (eds) International symposium on formal methods Europe (FME). Lecture notes in computer science, vol 2021. Springer, Berlin, pp 135–152Google Scholar
  28. Jür05.
    Jürjens J: Secure systems development with UML. Springer, Berlin (2005)MATHGoogle Scholar
  29. KOT08.
    Kiyomoto S, Ota H, Tanaka T (2008) A security protocol compiler generating C source codes. In: Information security and assurance, IEEE, pp 20–25Google Scholar
  30. MJH+10.
    Montrieux L, Jürjens J, Haley CB, Yu Y, Schobbens PY, Toussaint H (2010) Tool support for code generation from a umlsec property. In: IEEE/ACM international conference on automated software engineering (ASE 2010), ACM, pp 357–358Google Scholar
  31. O’S08.
    O’Shea N (2008) Using elyjah to analyse Java implementations of cryptographic protocols. In: Joint workshop on foundations of computer security, automated reasoning for security protocol analysis and issues in the theory of security, pp 221–226Google Scholar
  32. PS07.
    Pironti A, Sisto R (2007) An experiment in interoperable cryptographic protocol implementation using automatic code generation. In IEEE Symposium on computers and communications, pages 839–844. IEEEGoogle Scholar
  33. PS14.
    Pironti A, Sisto R: Safe abstractions of data encodings in formal security protocol models. Form Asp Comput 26(1), 125–167 (2014)MathSciNetCrossRefMATHGoogle Scholar
  34. RRDO10.
    Rescorla E, Ray M, Dispensa S, Oskov N (2010) Transport layer security (TLS) renegotiation indication extension. RFC 5746Google Scholar
  35. SPP01.
    Song DX, Perrig A, Phan D (2001) AGVI: automatic generation, verification, and implementation of security protocols. In: 13th international conference on computer aided verification (CAV 2001). Lecture notes in computer science, vol 2102. Springer, Berlin, pp 241–245Google Scholar
  36. The.
    The Legion of Bouncy Castle. Bouncy castle crypto API.

Copyright information

© British Computer Society 2017

Authors and Affiliations

  1. 1.Dipartimento di Automatica e InformaticaPolitecnico di TorinoTurinItaly
  2. 2.IOActiveMadridSpain

Personalised recommendations