Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic."— Presentation transcript:

1 Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+

2 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

3 Motivation High-speed Wireless Metropolitan Area Networks (MAN) poised to become the Next Big Thing IEEE 802.16 (WiMAX) with enormous backing from the industry is set to lead the broadband wireless network space Security, as always, is key for its functioning and growth However, security Analysis of the IEEE 802.16 protocol largely confined to manual analysis –Incomplete –Inaccurate

4 Motivation (II) Formal methods for automatic vulnerability checking highly desirable –With completeness and correctness guarantees Previous studies focus on security protocols and security properties only –CSP and FDR [Lowe96], MurØ [Shmatikov98], Symbolic traces and PS-LTL [Corin06] Non-security protocol analysis focus on resource exhaustion DoS attacks and ignore protocol malfunction attacks ! –[Yu88], [Meadow99], and [Meadow02]

5 Our Approach Vulnerability analysis of 802.16e specs and WiMAX standards –Systematic and automatic checking through formal methods. –First specify the specs and potential capabilities of attackers in a formal language TLA+ (the Temporal Logic of Actions) –Then model check for any possible attacks –The formal analysis can also help guide fixing of the flaws

6 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

7 TLA+ TLA: a logic designed for specifying and reasoning about concurrent systems. –TLA+: a complete spec language based on TLA First translate the natural language spec into a TLA+ spec, sys –Correctness request postulated as a TLA+ property, prop Then to verify the correctness, prove sys → prop –Proof done automatically by model checker, TLC

8 Intro to TLA+ TLA+ is a simple extension of linear temporal logic –With primed variable (x’) for next state –Temporal operations: []—forever A system is specified as Init /\ [] [Next] x −system satisfies Init initially and satisfies Next for all transitions

9 TLA+ for Security A protocol can be specified as one monolithic system Or it can be specified as a composition of many components: –CompA /\ CompB /\ \A i: Comp(i) An attacker can be specified and composed with a protocol –System == Protocol /\ Attacker Check security by –System => Properties

10 TLA Modeling Process

11 TLA+ Protocol Specification Protocol specification in TLA+ can be easy or difficult –FSM easily translate to TLA+ –Tricky from English description to TLA+ spec: ambiguity, re-design, etc. Process of protocol specification: –Identify principals –Modularize principal behavior using TLA+ –Compose a series of states and transitions for each principal –Specify flow of control between principals

12 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

13 TLA+ Protocol Specification – Challenges (I) Vagueness in English specification and the correctness in its translation to TLA+. Solutions –No good solution exists! –Better having protocols in TLA+ –Consult standards committee, product implementation teams among other things

14 TLA+ Protocol Specification – Challenges (II) State space explosion Solutions –Combine similar states without loss of functionality into one state –Replace some random variables with constants with some additional properties to simulate the effects of randomness –Define principals symmetric, which will treat the different states as one common state.

15 Attacker Model Attacker capability model similar to Dolev-Yao model Basically, attackers can: –Eavesdrop on and store messages. –Replay old messages. –Inject or spoof unprotected messages. –Corrupt messages on the channel by causing collisions. We also assume the ideal cryptography, which means unforgeable signatures, safe encryption and safe digest

16 Attacker Model - Challenges Challenge: How to find realistic attacks under such an attacker model ? Our solution: –Start with a very strong attacker model »TLC model-checks may yield unrealistic attacks. –Then weaken the attacker model »E.g.: the attacker can continuously corrupt a response from the BS. »Since we are only interested in realistic attacks, we put restrictions on attacker behavior to remove such attacks. This dynamic modification of attacker model will end up with –a complete robustness proof OR –a report of a realistic attack

17 Property Specification Focus on Denial of Service (DoS) currently –Client may reach a termination <>[] (\A i\in PartySet: Party[i].state=ObjState –Client may not terminate []<>(\A \in PartySet: Party[i].state=ObjState)

18 Model Checking with TLC TLC is a model checker for TLA+ Has both simulation mode and model checking mode –We run simulations before a complete model checking Since TLA+ is very expressive, TLC currently can only check safety properties

19 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

20 Case Studies Initial Ranging Authentication processes Choices based on the criticality of function and the probability of vulnerability

21 Initial Ranging Process Initial ranging: the first step in which an SS communicates with a BS via message exchanges. An SS acquires correct timing offset and power adjustments The request-response communication happens until the BS is satisfied with the ranging parameters. ’Actual’ data communication can happen only if the initial ranging is successful.

22 Initial Ranging – TLA Model In the TLA model, the correctness property is set as: ∃ i ∈ ContentionSlots: ∧ slot[i]≠<> ∧ slot[i].type = “REQ” ⇒ slot[i].source.pendrequest = slot[i] Attacker may affect the behavior of normal parties Enforce SSs to go to the “Done” state without the attacker: □◊ ( SSstate = “DONE”)

23 DOS during Initial Ranging (found by TLC Model Checking) DL Subframe Contention-based Initial Ranging Slots UL Subframe REQ

24 PKMv2 Authentication Process SS and BS mutually authenticate each other and exchange keys for data encryption PKMv2 is directed by two state machines in the SS –Authentication State Machine –TEK State Machine PKMv2 employs a SATEK- three-way-handshake for the BS and the SS/MS to exchange the security capabilities

25 Authentication – TLA Model Each key has a life time, so the SS needs to get authorized from time to time –SSes should reach the “Authorized” state infinite times –The correctness condition is □◊ ( SSstate = “Authorized”) TLC encounters space explosion problem –We restrict the SS can reach “Authorized” state at most a given # of times. With our attacker model, TLC model checking shows no suspicious trace Hence, authentication process is resistant to any attempt using our attacker capability model

26 Outline Motivation Our approach Background on TLA+ General methods and challenges Results on WiMAX initial ranging and authentication Conclusions and future work

27 Conclusions First step towards automatic vulnerability checking of any network protocols with completeness and correctness guarantees Use TLA+/TLC to model all DoS attacks –Avoid state space explosion in property checking –Model attackers’ capabilities for finding realistic attacks Study the initial ranging and authentication processes in 802.16 protocols

28 Future Work Development of a rigorous process in protocol specification using TLA+ language Modeling of inter-relationships of processes/components Check vulnerabilities in other parts of 802.16 standards such as mobility support and handoff procedures.

29 Backup Slides

30 Our Approach

31 Related Work (2) Automatically check with formal language –For security network protocols »CSP and FDR [Lowe96] »MurØ [Shmatikov98] »Symbolic traces and PS-LTL [Corin06] –For DoS attack »“A formal specification and verification method for the prevention of denial of service” [Yu88] »“Game-based analysis of denial-of-service prevention protocols” [Mahimkar05]

32 DOS during Initial Ranging (found by TLC Model Checking) DL Subframe Contention-based Initial Ranging Slots UL Subframe Attacker fills all slots, making its requests collide with requests from other SS, thereby denying all new SS a chance to complete ranging

Download ppt "Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.

Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.

1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
AGVI Automatic Generation, Verification, and Implementation of security protocols By: Dawn Song, Adrian Perrig, and Doantam Phan. In: 13 th Conference.

AGVI Automatic Generation, Verification, and Implementation of security protocols By: Dawn Song, Adrian Perrig, and Doantam Phan. In: 13 th Conference.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

Similar presentations

Ads by Google