1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign

2 Security Tunnels A technique in which a pair of nodes share state that enables them to apply transformations to messages to ensure their security.  SSL, IPsec.  Our work assumes network layer tunnels, but not a specific technology. Key-establishment protocols are employed to create a shared key.  Internet Key Exchange Protocol (IKE).  Secrecy and integrity of shared crypto information is typically the focus of formal analysis. Not our focus.

3 Road Warrior Example

4 Hierarchy of Gateways

5 Gateways + Tunnels Tunnels and gateways can ensure that traffic is authenticated and authorized as satisfying some policy.  Firewalls do authorization, but not authentication of packets.  We assume VPN gtateways. The tunnels form a virtual topology where traffic flow governed by the gateway’s high-level policy. Tunnel complex configuration typically requires manual activity.  Discovery protocols that discover gateways and set up tunnels automate this task.  Establishment is a component of such protocols.

6 Authenticated Traversal Ingress traffic to a gateway’s administrative domain must be authenticated and authorized  Want to control what traffic is on your networks.  Protection against denial of service. Egress traffic from an administrative domain must be authenticated and authorized  Wireless gateways that are billing for services.  Protection against exfiltration.

7 Modeling Tunnels A secure tunnel can be viewed “type- theoretically”as a rule for applying a constructor at the source and a destructor at the destination. Security Association – the constructor destructor pair.  Security association database (SAD). Security Parameter Index (SPI) – uniquely identifies association. Security Mechanism - directs traffic into the proper association.  Security mechanism database (SMD). IPsec SPD.

8 Tunnel Example G AB A  B:[In(A,ί 1 )] P(A,G,S(ί 1,P(A,B,S(ί 3,P(A,B,y))))) A  B:[Out(B,ί 2 )] A  B:[In(A,ί, 3 )In(G,ί 2 )] P(G,B,S(ί 2,P(A,B,S(ί 3,P(A,B,y)) P(A,B,S(ί 3,P(A,B,y))) P(A,B,y) ί1ί1 ί2 ί2 ί3ί3 A  B:[Out(B,ί 3 ) Out(G,ί 1 )]

9 Establishment A B P(A,B, X(Req(S, D, ί A, K))) In(A,ί B ) S  D:[in(A, ί B )] Out(A,ί A ) D  S:[Out(A, ί A )] P(B,A, X(Rep(S, D, ί A ί B, K’))) P(B,A, X(Rep(S, D, ί A, ί B, K’))) Out(B,ί B ) S  D:[Out(B, ί B )] In(B,ί A ) D  S:[In(B, ί A )]

10 Friendly Fire A B P(A,B,X(Req)) P(A,B,X(Req)) B  A:[ί A ] A  B:[ί B ] P(B,A,X(Rep)) P(A,B,X(Rep))

11 Preventing Deadlock Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier.  Session identifiers are similar to protocol identifiers.  Session identifiers included in messages. Session matching property. Packets match filters installed for a particular session. Security associations may be shared among different sessions.

12 With SolutionA B P(A,B,X(Req(v 2 ))) P(A,B,X(Req(v 1 ))) B  A:v 1 :[ί A ] A  B:v 2 :[ί B ] P(B,A,X(Rep(v 2 ))) P(A,B,X(Rep(v 1 )))

13 Objective II Want a formal proof that state installed in session u does not interfere with the messages of session v. Introduce the tunnel calculus. Noninterference theorem. Progress theorem.

14 Tunnel Calculus Operational semantics for protocol stack.  Provides an abstract foundation for future tunnel protocols in light of their use in tunnel complexes.  A suitable version could be used to model IPsec, but not our current focus. Based on multiset term rewriting modulo equations. Allows one to reason about interactions between state installed at nodes and protocols.

15 Tunnel Calculus Layers Packet Forwarding Security Processing Authorization Establishment Discovery

16 Grammar Send secure packet Secure message sent Message from the secure layer Pass state from one rule to the next and enforce an order of execution

17 Layer Interaction Node a Node b Higher Layer Sec Fwd

18 Forwarding Layer Rules

19 Secure Layer Find the matching entry in MDB, select bundle, apply the constructors in the bundle, and send the message to forwarding layer

20 Trace Semantics

21 Observing Messages Given a trace M1, M2, M3 we want to observe only the secure send and receive messages in a session. Q(u) – infinite set of secure send/receive terms of session u.

22 Equivalent Traces During each run of the protocol some values are generated by the TC new operator.  SPI, acknowledgement identifiers. t 1 ~t 2 iff they only differ in values generated by new. M 1 ~M 2 T 1 ~T 2

23 Simulation Lemma M1M1M1M1 M2M2M2M2 M’ 2 M’ 1 ~ ~

24 Observational Commutativity Theorem

25 Noninterference Theorem Suppose T= M 1 …M n is a trace in which session v is complete, where v not in Free(M 1 ). Suppose T’ = M’ 1 …M’ m is a trace in which session v is complete, where M 1 ~ M’ 1, Then

26 Progress Theorem

27 Google Tunnel Calculus