Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and.

Published byEdwina Cannon Modified over 8 years ago

Similar presentations

Presentation on theme: "Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and."— Presentation transcript:

1 Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and Gabi Nakibly Tel-Aviv University, December 5, 2013 1

2 Motivation Attacks on network protocols, taking advantage of built-in vulnerabilities, are not easy to identify –Rely on legitimate functionality of the protocol –May involve only a small number of messages –Identifying attacks is done mostly manually, by experts, in an ad hoc manner

3 Goals Develop automatic methods for identifying attacks in network protocols Using methods and tools for formal verification of software and hardware –Model checking

4 4 Model Checking [CE81,QS82] An efficient procedure that receives:  A finite-state model describing a system  A temporal logic formula describing a property It returns yes, if the system has the property no + Counterexample, otherwise

5 5 Mutual Exclusion Example Two process mutual exclusion with shared semaphore Each process has three states Non-critical (N) Trying (T) Critical (C) Semaphore can be available (sem=1) or taken (sem=0) Initially both processes are in the Non-critical state and the semaphore is available --- N 1 N 2 S 0 S 0 denotes sem=0 S 1 denotes sem=1

6 Mutual Exclusion Example P = P 1 || P 2 P i :: while (true) { if (v i == N) v i = T; else if (v i == T && sem=1) {v i = C; sem=0;} else if (v i == C) {v i = N; sem=1;} } Initial state: (v 1 == N, v 2 == N, sem=0) 6

7 7 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) The two processes are never in their critical states at the same time The state with (C 1  C 2 ) is not reachable

8 8 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 0

9 9 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 1

10 10 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 2

11 11 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 3

12 12 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 4  S 0  …  S 3 

13 13 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 ) The two processes are never in their trying states at the same time

14 14 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 )

15 15 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 )

16 16 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M |  AG  (T 1  T 2 ) A violating state has been found

17 17 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M |  AG  (T 1  T 2 ) Model checking returns a counterexample

18 Our goals To search for attacks using model checking For this purpose, we define: Model –Represents the protocol’s behaviors –Includes an attacker with predefined capabilities Specification –Specifies “suspect” states

19 Challenges Building a model which is –Sufficiently detailed: to enable identifying attacks based on the protocol's functionality –Sufficiently reduced: feasible for model checking tools Write general specification to identify different kinds of attacks with different techniques

20 Advantages of our approach We do not need to define an attack, but only its possible outcome. –Specifying suspect states requires less knowledge and efforts than defining an attack –May enable finding new attacks, unknown by now

21 Routing in the Internet How do packets get from A to B in the Internet? A B Internet

22 Routing in the Internet Each router makes a local decision on how to forward a packet towards B A B R1 R4 R2 R3 R6 R7 R5 R8

23 Research Focus - OSPF We focused on the routing protocol Open Shortest Path First (OSPF) OSPF is widely used for routing in the Internet –Finding attacks on OSPF is significant OSPF is a complex protocol –We may be able to derive insights from its modeling to modeling of other network protocols

24 OSPF Each router compiles a database of the most recent OSPF messages received from all routers in the network A B R1 R4 R2 R3 R6 R7 R5 R8 OriginatorList of neighbors Links costs r1r4,r6,r2, r3 … r2r3,r1,r8… ……… database network Using this database a router obtains a complete view of the network topology

25 OSPF OSPF messages are flooded through the network OriginatorList of neighbors Links costs r6r4,r1,r8… OSPF message M A B R1 R4 R2 R3 R6 R7 R5 R8 network M M M M M M M M

26 OSPF Attacks The goal of an OSPF attacker is to advertise fake messages on behalf of some other router(s) in the network. OriginatorList of neighbors Links costs r5 r3,r8… fake OSPF message M A B R1 R4 R2 R3 R6 R7 R5 R8 network M

27 OSPF Attacks A B R1 R4 R2 R6 R7 R5 R8 A B R1 R4 R2 R3 R6 R7 R5 R8 M Routing path before from A to B R3 Routing path after from A to B

28 OSPF Fight Back Mechanism A B R1 R4 R2 R6 R7 R5 R8 M M M M M M When a router receives a message in its own name that it didn't originate, it sends a fight back message to all its neighbors The fight back message is supposed to revert the effect of the attack eventually M R3 M M Originato r List of neighbors Links costs r5r3,r8… fake OSPF message - M

29 OSPF Attacks An attack is a run of the protocol that creates a fake topology view for some routers in the network An attack is called persistent if the fake topology view remains in some routers' databases We are interested in finding persistent attacks

30 OSPF Concrete Model A fixed network topology Router Model –Models a legitimate router Attacker Model –Models a malicious router can send any random message to any random destination router can ignore incoming messages.

31 In our model: Messages originated by the attacker are marked with a special flag isFake This flag is not part of the OSPF standard, and legitimate routers do not make use of it This flag allows us to easily define the specifications for the model

32 OSPF Concrete Model Our formal model for OSPF is a finite state machine with global states and transitions The model is a simplified version of OSPF, which includes the fight back mechanism

33 Specification A global state is considered attacked if: –Some router has a fake message in its database –No message resides in any router's queue An attacked state defines the outcome of a successful persistent attack regardless of a specific attack technique

34 Model Checking We implemented the model of OSPF in C, and used the Bounded Model Checking tool CBMC to find persistent attacks on OSPF A counterexample returned by CBMC is an attack

35 Example of Attacks on OSPF Attack #1 –The attacker (r3) originates a fake message: dest = r2, orig = r4 r0r0 r2r2 r1r1 r4r4 r3r3

36 Example of Attacks on OSPF Attack #2 The attacker (r3) sends two fake messages: m1 = (dest = r4, orig = r1, sequence_number = 1) m2 = (dest = r4, orig = r1, sequence_number = 2) r0r0 r2r2 r1r1 r4r4 r3r3 1 2 1 1 2 2 2 2

37 Another demonstration of attack #2 on a different topology r0r0 r2r2 r1r1 r4r4 r3r3 2 2 2 r5r5 2 r8r8 r7r7 r6r6 2 2 2

38 Concrete Model - Problems state explosion problem –Models that can be handled are very small in size and hence restricted in their topologies and functionality –We would like to extend our search for attacks to larger and more complex topologies

39 Abstract Model We are interested in general attacks –insensitive to most of the topology's details –can be applied in a family of topologies We define an abstract model which: –represents a family of concrete models –under-approximates each member in the family.

40 Abstract Model The abstract model consists of an abstract topology and an abstract protocol We defined several levels of abstract components An abstract topology may also contain some un- abstracted routers The attacker is always an un-abstracted router

41 Main Property of the Abstract Model If an attack is found on an abstract network, then there is a corresponding attack on each one of the concrete networks represented by it.

42 Example of an Abstract Attack on OSPF in the Abstract Model –The attacker sends a fake message with: dest=2, orig=4 a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

43 Example of an attack in a concrete instantiation of the abstract model a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

44 Example of a similar attack on another possible instantiation of the abstract model a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

45 Examples of attacks on OSPF in the abstract model Attack # 2 –The attacker (designated router) originates a fake message on behalf of sr1: m = (dest = sr5; orig = sr1; seq = 1; isFake = T) DR

46 Correctness of Our Method Lemma –For each abstract transition on the abstract topology, there is a corresponding concrete finite run on each matching concrete topology Abstract run Matching concrete run

47 Correctness of Our Method Theorem –An abstract attack found on an abstract topology T A, has a corresponding attack on each matching concrete topology T C.

48 Exposed OSPF vulnerabilities: a message is opened only by its destination the flooding procedure does not flood a message back to its source –As a result, a fake message in the name of router r might be sent through r –If the attacker plays the role of a designated router, then by ignoring messages it can stop message flooding, including fight back messages

49 Conclusion We automatically found attacks on small concrete models We automatically found general attacks on small abstract models The general attacks are applicable to huge networks, with possibly thousands of routers –No model checker can be applied directly to such networks

50 Conclusion We developed a novel technique for parameterized networks suitable for finding a counterexample (in our case an attack) on each member of the family

51 Thank You 51

Download ppt "Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
PROJECT IN COMPUTER SECURITY - 236349 IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012.

PROJECT IN COMPUTER SECURITY IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012.
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.

By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.
Routing Basics By Craig Lindstrom. Overview Routing Process Routing Process Default Routing Default Routing Static Routing Static Routing Dynamic Routing.

Routing Basics By Craig Lindstrom. Overview Routing Process Routing Process Default Routing Default Routing Static Routing Static Routing Dynamic Routing.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Formal Verification of AODV Protocol using Cadence SMV Xin Liu and Jun Wang (CPSC513 Course.

Formal Verification of AODV Protocol using Cadence SMV Xin Liu and Jun Wang (CPSC513 Course.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Effects of Applying Mobility Localization on Source Routing Algorithms for Mobile Ad Hoc Network Hridesh Rajan presented by Metin Tekkalmaz.

Effects of Applying Mobility Localization on Source Routing Algorithms for Mobile Ad Hoc Network Hridesh Rajan presented by Metin Tekkalmaz.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

Similar presentations

Ads by Google