Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Validation of Security Protocols Joint work with Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Darko Marinov, Jose Meseguer, Prasanna Thati,

Similar presentations


Presentation on theme: "1 Validation of Security Protocols Joint work with Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Darko Marinov, Jose Meseguer, Prasanna Thati,"— Presentation transcript:

1 1 Validation of Security Protocols Joint work with Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Darko Marinov, Jose Meseguer, Prasanna Thati, Mahesh Viswanathan Koushik Sen

2 2/32 Formal Analysis of Cryptographic Protocols Integrity and Confidentiality  Recipient not fooled or leaks information  algebraic techniques assumes idealized cryptographic primitives  complexity-theoretic techniques based on complexity assumptions

3 3/32 Availability Attack Availability threats  whether recipient available to valid sender  algebraic and/or complexity theoretic methods are not suitable for finding availability threats assumes adversary can insert, delete, or replay messages  availability attack is assured as the adversary can delete any valid packet

4 4/32 Availability Attack Availability threats  whether recipient available to valid sender  algebraic and/or complexity theoretic methods are not suitable for finding availability threats assumes adversary can insert, delete, or replay messages  availability attack is assured as the adversary can delete any valid packet  How to model and analyze availability formally?

5 5/32 Our Goal Given a protocol P, let properties T hold for P  P is a traditional non-deterministic specification  T is a set of integrity and confidentiality properties Extend P to P * and T to T *  P * is DoS hardened P  T * includes availability properties in addition to T Goal  Prove that T * hold for P * without re-proving that T hold for P

6 6/32 Our Results Given a protocol P, let properties T hold for P  P is a traditional non-deterministic specification  T is a set of integrity and confidentiality properties Extend P to P * and T to T *  P * is DoS hardened P  T * includes availability properties in addition to T Goal  Prove that T * hold for P * without re-proving that T hold for P ?

7 7/32 Modeling and Analysis Probabilistic Rewrite Theories  PMaude  Unified Algebraic Model  Probabilistic Object Model Properties in Continuous stochastic logic (CSL)  Statistical Model-checking [Sen et al. CAV’04, CAV’05, QEST’05] using VESTA using Monte Carlo simulation and statistical hypothesis testing QuaTEx  Quantitative Temporal Expressions  Query language to gain quantitative insight about a model  Statistical computation of QuaTEx [QAPL’05] in VESTA

8 8/32 Achievements In the last meeting we presented our preliminary ideas  On formal modeling and analysis of DoS resistant security protocols This year we have worked out the details  Specified TCP/IP 3-way handshaking protocol in PMaude  Model-checked availability properties using the VESTA tool  Designed a language to query more informative quantitative information about a model QuaTEx  Published our results at FCS 05, QAPL 05, CAV 05, and QEST 05

9 9/32 TCP/IP: A case study Common Susceptible to DoS attacks:  SYN flood and others Existing solutions as benchmark:  Increase size of SYN cache, random drop, SYN cookies

10 10/32 Selective Sequential Verification SYN flood attack: the adversary can devote his entire channel to fake SYN packets Countermeasure :  Valid sender sends multiple copies of the SYN packet  receiver checks each incoming SYN packet with some probability (say, 25% or 1%) Specified DoS hardened TCP/IP 3-way handshaking protocol in PMaude C Gunter, S Khanna, K Tan, S Venkatesh 2004

11 11/32 Availability Property Property: The probability that eventually the attacker X successfully fills up the SYN cache of B is less than 0.01. P <0.01 [§(sucessful_attack())] Statistical Model-checking using Vesta model-checker K Sen, M Viswanathan, G Agha (CAV 2005)

12 12/32 Results Cache-size = 10,000 timeout = 10 seconds number of valid senders = 100 G. Agha, M. Greenwald, C. Gunter, S. Khanna, J. Meseguer, P. Thati (FCS 05)

13 13/32 Quantitative Queries Using QuaTEx What is the expected number of clients that successfully connect to S? CountConnected() = if completed() then count() else ° (CountConnected()) fi; eval E[CountConnected()] G Agha, J Meseguer, K Sen (QAPL 2005)

14 14/32 Quantitative Queries Using QuaTEx What is the probability that a client connected to S within 10 seconds after it initiated the connection request? Prob() = if globaltime()>10 then 0.0 else if connected() then 1.0 else ° (Prob()) fi fi; eval E[Prob()] G Agha, J Meseguer, K Sen (QAPL 2005)

15 15/32 Linux Kernel Test Attack rate in SYNs/sec received at server Graph shows successful connections per 450 threads Defenseless kernel: >6 SYNs/sec shuts out client Aggregate connections Attack rate Model predicts cliff M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

16 16/32 Results Expected number of clients out of 100 clients that get connected with the server under DoS attack G. Agha, M. Greenwald, C. Gunter, S. Khanna, J. Meseguer, P. Thati (FCS 05)

17 17/32 Results Expected number of clients out of 100 clients that get connected with the server under DoS attack Experiments with Linux kernel involved 30 days of work Experiments with PMaude model involved only 1 day work G. Agha, M. Greenwald, C. Gunter, S. Khanna, J. Meseguer, P. Thati (FCS 05)

18 18/32 Discussion A general framework for modeling and verifying DoS properties of communication protocols. Capable of expressing and proving key availability properties. Performance limitations require us to use scaled down version of parameters. Future Work  Addressing efficiency limitations  Verifying the properties for general systems

19 19/32 Testing Security Protocol Implementations Integrity and Confidentiality properties  Verification techniques

20 20/32 Testing Security Protocol Implementations Integrity and Confidentiality properties  Verification techniques  How about verifying real implementations? Intractable

21 21/32 Testing Security Protocol Implementations Integrity and Confidentiality properties  Verification techniques  How about verifying real implementations? Intractable  How about trying to find security bugs? Concolic testing

22 22/32 Our Testing Approach CUTE: A Concolic Unit Testing Engine for e  A scalable automated unit testing tool  Combines concrete and symbolic execution  Can test real-world C programs Tested C implementation of security protocols  Needham-Schroeder, TMN, …  Discovered known security attacks in a few seconds K Sen, D Marinov, G Agha (ACM SIGSOFT ESEC/FSE 2005)

23 23/32 Goal of Concolic Testing Automated Scalable Unit Testing of real- world C Programs  Generate test inputs  Execute unit under test on generated test inputs so that all reachable statements are executed  Any assertion violation gets caught

24 24/32 Goal of Concolic Testing Automated Scalable Unit Testing of real- world C Programs  Generate test inputs  Execute unit under test on generated test inputs so that all reachable statements are executed  Any assertion violation gets caught Our Approach:  Explore all execution paths of an Unit for all possible inputs Exploring all execution paths ensure that all reachable statements are executed

25 25/32 Execution Paths of a Program Can be seen as a binary tree with possibly infinite depth  Computation tree Each node represents the execution of a “if then else” statement Each edge represents the execution of a sequence of non-conditional statements Each path in the tree represents an equivalence class of inputs 0 1 00 0 0 1 1 1 1 1 1

26 26/32 Execution Paths of a Program Can be seen as a binary tree with possibly infinite depth  Computation tree Each node represents the execution of a “if then else” statement Each edge represents the execution of a sequence of non-conditional statements Each path in the tree represents an equivalence class of inputs 0 1 00 0 0 1 1 1 1 1 1 Explicit Path Model Checking

27 27/32 Existing Approach I Random testing  generate random inputs  execute the program on generated inputs Probability of reaching an error can be astronomically less test_me(int x){ if(x==94389){ ERROR; } Probability of hitting ERROR = 1/2 32

28 28/32 Existing Approach II Symbolic Execution  use symbolic values for input variables  execute the program symbolically on symbolic input values  collect symbolic path constraints  use theorem prover to check if a branch can be taken Does not scale for large programs test_me(int x){ if((x%10)*4!=17){ ERROR; } else { ERROR; } Symbolic execution will say both branches are reachable: False positive

29 29/32 Approach Combine concrete and symbolic execution for unit testing  Concrete + Symbolic = Concolic In a nutshell  Use concrete execution over a concrete input to guide symbolic execution  Concrete execution helps Symbolic execution to simplify complex and unmanageable symbolic expressions by replacing symbolic values by concrete values Achieves Scalability  Higher branch coverage than random testing  No false positives or scalability issue like in symbolic execution based testing

30 30/32 Experiments: Needham-Schroeder Protocol Tested a C implementation of a security protocol (Needham-Schroeder) with a known attack  270 lines of code  Took less than 8 seconds on a machine with 1.8GHz processor to discover middle-man attack In contrast, a software model-checker (VeriSoft) took 8 hours on a similar implementation

31 31/32 Experiments: TMN Protocol Tested a C implementation of TMN protocol  Tatebayashi, Matsuzaki, and Newman (TMN) Protocol: a protocol for distribution of a fresh symmetric key.  329 lines of code  Took less than 6 seconds on a machine with 1.8GHz processor to discover an attack an intruder can establish a parallel session through eavesdropping and obtain the secret key

32 32/32 Discussion CUTE is  light-weight  dynamic analysis (compare with static analysis) ensures no false alarms  concrete execution and symbolic execution run simultaneously symbolic execution consults concrete execution whenever dynamic analysis becomes intractable  real tool that works on all C programs completely automatic Requires actual code that can be fully compiled Can sometime reduce to Random Testing Complementary to Static Analysis Tools


Download ppt "1 Validation of Security Protocols Joint work with Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Darko Marinov, Jose Meseguer, Prasanna Thati,"

Similar presentations


Ads by Google