1 reasoning about concurrency for security tunnels alwyn e. goodloe university of pennsylvania carl...
TRANSCRIPT
![Page 1: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/1.jpg)
1
Reasoning about Concurrency for Security Tunnels
Alwyn E. Goodloe
University of Pennsylvania
Carl A. Gunter
University of Illinois Urbana-Champaign
![Page 2: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/2.jpg)
2
Security Tunnels A technique in which a pair of nodes share state
that enables them to apply transformations to messages to ensure their security. SSL, IPsec. Our work assumes network layer tunnels, but not a
specific technology. Key-establishment protocols are employed to
create a shared key. Internet Key Exchange Protocol (IKE). Secrecy and integrity of shared crypto information is
typically the focus of formal analysis. Not our focus.
![Page 3: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/3.jpg)
3
Road Warrior Example
BobAlice
Coyote Co.
![Page 4: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/4.jpg)
4
Hierarchy of Gateways
b
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
![Page 5: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/5.jpg)
5
Gateways + Tunnels Tunnels and gateways can ensure that traffic is
authenticated and authorized as satisfying some policy. Firewalls do authorization, but not authentication of
packets. We assume VPN gtateways.
The tunnels form a virtual topology where traffic flow governed by the gateway’s high-level policy.
Tunnel complex configuration typically requires manual activity. Discovery protocols that discover gateways and set up
tunnels automate this task. Establishment is a component of such protocols.
![Page 6: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/6.jpg)
6
Authenticated Traversal
Ingress traffic to a gateway’s administrative domain must be authenticated and authorized Want to control what traffic is on your networks. Protection against denial of service.
Egress traffic from an administrative domain must be authenticated and authorized Wireless gateways that are billing for services. Protection against exfiltration.
![Page 7: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/7.jpg)
7
Modeling Tunnels
A secure tunnel can be viewed “type-theoretically”as a rule for applying a constructor at the source and a destructor at the destination.
Security Association – the constructor destructor pair. Security association database (SAD).
Security Parameter Index (SPI) – uniquely identifies association.
Security Mechanism - directs traffic into the proper association. Security mechanism database (SMD).
IPsec SPD.
![Page 8: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/8.jpg)
8
Tunnel Example
GA B
AB:[In(A,ί1)]
P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))
AB:[Out(B,ί2)] AB:[In(A,ί,3)In(G,ί2)]
P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y))
P(A,B,S(ί3,P(A,B,y)))
P(A,B,y)
P(A,B,y)
ί1 ί2
ί3AB:[Out(B,ί3)
Out(G,ί1)]
![Page 9: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/9.jpg)
9
Establishment
AA BBP(A,B, X(Req(S, D, P(A,B, X(Req(S, D, ίίAA, K))), K)))
In(A,In(A,ίίBB) )
SSD:[in(A, D:[in(A, ίίBB)])]
Out(A,Out(A,ίίAA) )
DDS:[Out(A, S:[Out(A, ίίAA)])]
P(B,A, X(Rep(S, D, P(B,A, X(Rep(S, D, ίίAA , ίίBB, K’))), K’)))
Out(B,Out(B,ίίBB))
SSD:[Out(B, D:[Out(B, ίίBB)])]In(B,In(B,ίίAA) )
DDS:[In(B, S:[In(B, ίίAA)])]
![Page 10: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/10.jpg)
10
Friendly FireAA BB
P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))
BBA:[A:[ίίAA]] AAB:[B:[ίίBB]]
P(B,A,X(Rep))P(B,A,X(Rep)) P(A,B,X(Rep))P(A,B,X(Rep))
![Page 11: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/11.jpg)
11
Preventing Deadlock
Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier. Session identifiers are similar to protocol identifiers. Session identifiers included in messages.
Session matching property. Packets match filters installed for a particular session.
Security associations may be shared among different sessions.
![Page 12: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/12.jpg)
12
With Solution
AA BB
P(A,B,X(Req(vP(A,B,X(Req(v22))))))P(A,B,X(Req(vP(A,B,X(Req(v11))))))
BBA:vA:v11:[:[ίίAA]] AAB:vB:v22:[:[ίίBB]]
P(B,A,X(Rep(vP(B,A,X(Rep(v22)))))) P(A,B,X(Rep(vP(A,B,X(Rep(v11))))))
![Page 13: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/13.jpg)
14
Tunnel Calculus
Operational semantics for protocol stack. Provides an abstract foundation for future tunnel
protocols in light of their use in tunnel complexes. A suitable version could be used to model IPsec, but
not our current focus. Based on multiset term rewriting modulo
equations.
Allows one to reason about interactions between state installed at nodes and protocols.
![Page 14: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/14.jpg)
15
Tunnel Calculus Layers
Packet Forwarding
Security Processing
Authorization
Establishment
Discovery
![Page 15: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/15.jpg)
16
Grammar
Send secure packet
Secure message
sentMessage from
the secure layer
Pass state from one rule to the next and enforce an order of execution
![Page 16: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/16.jpg)
17
Layer Interaction
Node a Node b
Higher Layer
Sec
Fwd
![Page 17: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/17.jpg)
18
Forwarding Layer Rules
![Page 18: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/18.jpg)
19
Secure LayerFind the matching
entry in MDB, select bundle, apply the
constructors in the bundle, and send the
message to forwarding layer
![Page 19: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/19.jpg)
20
Trace Semantics
![Page 20: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/20.jpg)
21
Observing Messages Given a trace M1, M2, M3 we want to observe
only the secure send and receive messages in a session.
Q(u) – infinite set of secure send/receive terms of session u.
![Page 21: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/21.jpg)
22
Equivalent Traces
During each run of the protocol some values are generated by the TC new operator. SPI, acknowledgement identifiers.
t1~t2 iff they only differ in values generated by new.
M1~M2
T1~T2
![Page 22: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/22.jpg)
23
Simulation Lemma
MM11
MM22 M’M’22
M’M’11
~~
~~
![Page 23: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/23.jpg)
24
Observational Commutativity Theorem
![Page 24: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/24.jpg)
25
Noninterference Theorem
Suppose T= M1…Mn is a trace in which session v is complete, where v not in Free(M1).
Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1,Then
![Page 25: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/25.jpg)
26
Progress Theorem
![Page 26: 1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign](https://reader035.vdocuments.mx/reader035/viewer/2022081511/56649e755503460f94b77189/html5/thumbnails/26.jpg)
27
Google Tunnel Calculus