Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage

Bruno Blanchet and Avik Chaudhuri

Abstract
We study formal security properties of a state-of-the-art protocol for secure file sharing on untrusted storage, in the automatic protocol verifier ProVerif. As far as we know, this is the first automated formal analysis of a secure storage protocol. The protocol, designed as the basis for the file system Plutus, features a number of interesting schemes like lazy revocation and key rotation. These schemes improve the protocol's performance, but complicate its security properties. Our analysis clarifies several ambiguities in the design and reveals some unknown attacks on the protocol. We propose corrections, and prove precise security guarantees for the corrected protocol.

PDF

BibTeX
@inproceedings{afapsfsus-BC08,
    author = {Bruno Blanchet and Avik Chaudhuri},
    title = {Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage},
    booktitle = {Proceedings of the 29th IEEE Symposium on Security and Privacy (S&P'08)},
    year = {2008},
    pages = {417-431},
    publisher = {IEEE}
}


OCaml generators for ProVerif models of Plutus
 Download OCaml
 Models without server-verified writes (Usage: plutusgen.exe -<options> maxrev; Options: plutusgen.exe -help)
 Models with server-verified writes (Usage: plutusgenSVW.exe -<options> maxrev; Options: plutusgenSVW.exe -help)

 Download ProVerif
 A shell script to generate and test models

Some models that appear in the paper
 The basic model in Theorems 4.4 and 4.6, for maxrev=1
 The model with fix F in Theorem 4.7, for maxrev=1
 The model with fix F and server-verified writes in Theorem 4.9, for maxrev=1
 The flawed model with unchanged modulus in Section 4.3.1, for maxrev=1
 The flawed model with unchanged token in Section 4.3.2, for maxrev=1