1 Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL Z. Judy Fu Motorola Labs, Schaumburg IL Funded by.

Slides:



Advertisements
Similar presentations
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Advertisements

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 Security in Wireless Protocols Bluetooth, , ZigBee.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
ISBN Chapter 3 Describing Syntax and Semantics.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
AGVI Automatic Generation, Verification, and Implementation of security protocols By: Dawn Song, Adrian Perrig, and Doantam Phan. In: 13 th Conference.
Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.
Temporal Logic of Actions (TLA) Leslie Lamport
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu.
Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic.
Describing Syntax and Semantics
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Real-Time System Requirements & Design Specs Shaw - Chapters 3 & 4 Homework #2: 3.3.1, 3.4.1, Add Error states to Fig 4.1 Lecture 4/17.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Wireless and Security CSCI 5857: Encoding and Encryption.
Vulnerabilities Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs) Lab for Internet & Security Tech, Northwestern Univ.
GENERAL CONCEPTS OF OOPS INTRODUCTION With rapidly changing world and highly competitive and versatile nature of industry, the operations are becoming.
UNIVERSITY OF PATRAS Department of Electrical & Computer Engineering Wireless Telecommunications Laboratory M. Tsagkaropoulos “Securing.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.
CS 363 Comparative Programming Languages Semantics.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.
CSCE 813 Internet Security Cryptographic Protocol Analysis.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Intrusion Tolerant Software Architectures Bruno Dutertre and Hassen Saïdi System Design Laboratory, SRI International OASIS PI Meeting.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
A Cost-Based Framework for Analysis of Denial of Service in Networks Author: Catherine Meadows Presenter: Ajay Mahimkar.
Network Protocols Network Systems Security Mort Anvari.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.
Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.
Wireless security Wi–Fi (802.11) Security
Interleaving and Collusion Attacks on a Dynamic Group Key Agreement Scheme for Low-Power Mobile Devices * Junghyun Nam 1, Juryon Paik 2, Jeeyeon Kim 2,
Yan Chen Dept. of Electrical Engineering and Computer Science Northwestern University Spring Review 2008 Award # : FA Intrusion Detection.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Network Security Celia Li Computer Science and Engineering York University.
September 1999Compaq Computer CorporationSlide 1 of 16 Verification of cache-coherence protocols with TLA+ Homayoon Akhiani, Damien Doligez, Paul Harter,
Copyright 1999 G.v. Bochmann ELG 7186C ch.1 1 Course Notes ELG 7186C Formal Methods for the Development of Real-Time System Applications Gregor v. Bochmann.
Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.
CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Security Protocols Analysis
Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)
IS 2935: Developing Secure Systems
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

1 Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL Z. Judy Fu Motorola Labs, Schaumburg IL Funded by Motorola Center for Seamless Communications Automatic Vulnerability Checking of Wireless Protocols through TLA+

2 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

3 Motivation High-speed Wireless Metropolitan Area Networks (MAN) poised to become the Next Big Thing IEEE (WiMAX) with enormous backing from the industry is set to lead the broadband wireless network space Security is especially critical for open air wireless protocols However, security analysis of the IEEE protocol largely confined to manual analysis –Incomplete –Inaccurate

4 Motivation (II) Formal methods for automatic vulnerability checking highly desirable –With completeness and correctness guarantees Previous studies focus on security protocols and security properties only –CSP and FDR [Lowe96], MurØ [Shmatikov98], Symbolic traces and PS-LTL [Corin06] Non-security protocol analysis focus on resource exhaustion DoS attacks and ignore protocol malfunction attacks ! –[Yu88], [Meadow99], and [Meadow02]

5 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

6 Our Approach Systematic and automatic checking through formal methods. –Formally specify a protocol in TLA+ (Temporal Logic of Actions) –Formally model an attacker in TLA+ –Specify requested properties –Then automatically model-check for vulnerabilities Vulnerability analysis of e specs and WiMAX standards

7 Potential Benefits TLA+ specs of e can be used as golden model for implementations –Implementation correctness can be model-checked TLA+ attacker models and properties can be reused as test- benches when the protocol evolves –Correctness of modifications can be quickly checked

8 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

9 Why TLA+ A logic resulted from the past 20 years research on concurrent reactive systems One language for both system spec and proof logic Language is based on normal mathematics –Both abstract and detailed specs can be done at the right levels –System concepts are clean in math: composition: /\ nondeterministic: \/ implementation:  Modularity is employed for large specs Systems automatically model-checked by TLC

10 Intro to TLA+ TLA+ is a simple extension of linear temporal logic –Temporal operations: []—forever, <>—eventually –With primed variable (x’) for next state –A predicate with both non-primed and primed variables defines an action: x'=x-y /\ x>y A system is usually specified as Init /\ [] [Next] x −the system satisfies Init initially and satisfies Next for all transitions −Or simply, the system starts in Init and will do Next forever

11 TLA+ for Security A protocol can be specified as one monolithic system Or, it can be specified as a composition of many components: Protocol == CompA /\ CompB /\ \A i\in (1..n): Comp(i) An attacker can be specified similarly Checking security is to prove Protocol /\ Attacker  Property

12 Example: Simplifed SSL C  S: (C, VerC, SuiteC) S  C: (VerS, SuiteS, KeyS) C  S: (E KeyS (SecretC))

13 Protocol Spec Step 1: Client C sends message to server S: Step 2: Sever S responds to C with its public key KeyS: Step 3: Client C sends SecretC encrypted by KeyS:

14 Attacker Spec Intercept SC messages Intercept CS2 messages

15 Property of Secrecy Secrecy == [](secret=0) Model check: Protocol /\ Attacker  Secrecy

16 Result from TLC Error: Invariant Correctness is violated. The behavior up to this point is: STATE 1: /\ secret = 0 /\ msg = > STATE 2: /\ secret = 0 /\ msg = [type |-> "CS1", Name |-> "C", Ver |-> 1, Suite |-> 2] STATE 3: /\ secret = 0 /\ msg = [type |-> "SC", Ver |-> 6, Suite |-> 7, Key |-> 4] STATE 4: /\ secret = 0 /\ msg = [type |-> "SC", Ver |-> 6, Suite |-> 7, Key |-> 5] STATE 5: /\ secret = 0 /\ msg = [type |-> "CS2", Key |-> 5, Secret |-> 3] STATE 6: /\ secret = 3 /\ msg = [type |-> "CS2", Key |-> 4, Secret |-> 3] Secret is known by attacker Client and Sever do not know that the secret is not a “secret” now

17 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

18 TLA+ Vulnerability Checking Flow

19 TLA+ Protocol Specification Protocol specification in TLA+ can be easy or difficult –FSM easily translate to TLA+ –Tricky from English description to TLA+ spec: ambiguity, re-design, etc. Process of protocol specification: –Identify principals –Modularize principal behaviour using TLA+ –Combine principal specs to form a protocol spec

20 TLA+ Protocol Specification Challenges Challenge: Vagueness in English specification and the correctness in its translation to TLA+. Common problem for all approaches Solutions: –No easy solution exists! –Best designing protocols in TLA+ –Consult standards committee, product implementation teams among other things

21 Attacker Modelling Attacker capability model similar to Dolev-Yao model: Basically, attackers can: –Eavesdrop on and store messages. –Replay old messages. –Inject or spoof unprotected messages. –Corrupt messages on the channel by causing collisions. Assume the ideal cryptography: unforgeable signatures, safe encryption, and safe digest

22 Attacker Modelling Challenges Challenge: How to find all realistic attacks? –Model too strong: hide stealthy attacks –Model too weak: missing vulnerabilities Our solution: –Start with a relatively strong attacker model »TLC model-checks may yield unrealistic attacks. –Then weaken the attacker model »E.g.: the attacker can continuously corrupt a response from the BS. »Add restrictions on attacker to exclude such attacks. This dynamic modification of attacker model will end up with –a complete robustness proof OR –report of all attacks

23 Property Spec Focus on malfunction DoS attacks currently –Client needs to reach a termination <>[] (\A i\in PartySet: Party[i].state=ObjState) –Client may not terminate []<>(\A \in PartySet: Party[i].state=ObjState)

24 Property Spec Challenges Challenge: TLC cannot check all properties expressible in TLA+ Our Solution: Specify properties in restricted format

25 Model Checking by TLC TLC is a model checker for TLA+ Has both simulation mode and model checking mode –We run simulations before a complete model checking Terminate w/o violation: robustness proved Produce violation sequence: attack trace

26 Model Checking Challenges Challenge: State space explosions Our Solutions –Combine similar states without loss of functionality into one state –Identify symmetry in system, which will treat the different states as one common state. –Replace some random numbers with constants having some additional properties to simulate the effects of randomness

27 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

28 Case Studies Initial ranging Authentication process Choices based on the criticality of function and the probability of vulnerability

29 Initial Ranging Process Initial ranging: the first step an SS communicates with a BS via message exchanges. An SS acquires correct timing offset and power adjustments The request-response communication happens until the BS is satisfied with the ranging parameters. ’Actual’ data communication can happen only if the initial ranging is successful.

30 Property to Check SS can get service (getting into “Done” state) infinitely often []<>(SSstate = “Done”) –Need to make sure that such a property is true even without an attacker (weakest attacker model)

31 DOS during Initial Ranging (found by TLC Model Checking) DL Subframe Contention-based Initial Ranging Slots UL Subframe REQ

32 PKMv2 Authentication Process SS and BS mutually authenticate each other and exchange keys for data encryption PKMv2 is directed by two state machines in the SS –Authentication State Machine –TEK State Machine PKMv2 employs a SATEK three-way handshake for the BS and the SS to exchange security capabilities

33 Authentication – TLA Model Each key has a life time, so the SS needs to get authorized from time to time –SS will reach the “Authorized” state infinite times []<>(SSstate =”Authorized”) TLC encounters space explosion problem –We restrict the SS to reach “Authorized” state at most a given # of times. With our attacker model, TLC model checking completed w/o violation Hence, authentication process is resistant to any attempt under the given attacker model

34 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

35 Conclusions First step towards automatic vulnerability checking of WiMAX protocol with completeness and correctness guarantees Use TLA+/TLC to model malfunction DoS attacks –Avoid state space explosion in property checking –Model attackers’ capabilities for finding realistic attacks Analyzed initial ranging and authentication process in protocols

36 Future Work Development of a rigorous process in protocol specification using TLA+ Check vulnerabilities in other parts of standards such as mobility support and handoff procedures Exploration of more security properties: secrecy, resource exhaustion DoS

37 Thanks

38 Our Approach

39 Related Work (2) Automatically check with formal language –For security network protocols »CSP and FDR [Lowe96] »MurØ [Shmatikov98] »Symbolic traces and PS-LTL [Corin06] –For DoS attack »“A formal specification and verification method for the prevention of denial of service” [Yu88] »“Game-based analysis of denial-of-service prevention protocols” [Mahimkar05]

40 Example: Euclid's Algorithm Init == x=a /\ y=b Next == (x>y /\ x'=x-y) \/ (y>x /\ y'=y-x) Euclid(a,b) == Init /\ [][Next] Property == <>[](x=GCD(a,b)) Correct == (a>0 /\ b>0) /\ Euclid(a,b) =>Property

41 DOS during Initial Ranging (found by TLC Model Checking) DL Subframe Contention-based Initial Ranging Slots UL Subframe Attacker fills all slots, making its requests collide with requests from other SS, thereby denying all new SS a chance to complete ranging

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.