May 5, 2005 1 Copyright © 2005
On the Evolution of Adversary Models for Security Protocols*
Virgil D. Gligor
Electrical and Computer Engineering
University of Maryland
College Park, MD. 20742
Florida State University
Tallahassee, FL. 32306
May 5, 2005
*based on joint work with H. Chan, B. Parno and A. Perrig
Overview
1. A Security Perspective with some Old Examples
   New Technologies ~> New Vulnerabilities ~> New Adversary Models … <~> New Security Protocol Analysis Methods and Tools
   (“~>” = almost always implies)
2. A New Example
   - New Technology: sensor networks
   - New Vulnerabilities: (variable number of) nodes captured and replicated
   - New Application: distributed sensing
   - New Adversary: different from both Dolev-Yao and Byzantine adversaries
   - New Tools: emergent properties, protocols
3. Conclusions
A Security Perspective and some Old Examples
Technology ~> Vulnerability ~> Adversary <~> Methods & Tools
- Technology: sharing programs & data; computing utility (early – mid ’60s)
    Vulnerability: confidentiality and integrity breaches; system penetration; DoS instances
    Adversary: untrusted user programs (TH)
    Methods & Tools: sys. vs. user mode (’62 ->); rings, sec. kernel (’65, ’67); FHM (’75) theory/tool (’91)*; DoS instances ex. (’67-’75); acc. policy models (’71 ->)
- Technology: shared services; e.g., DBMS, net. prot. (early - mid ’70s)
    Vulnerability: denial of service; os, net. protocols
    Adversary: untrusted user processes; concurrent, coord. attacks
    Methods & Tools: DoS general def. (’83-’85)*; formal spec. & verif. (’88)*; models (’92 ->)
- Technology: PCs, LANs; public-domain Crypto (early – mid ’70s)
    Vulnerability: read, modify, block, replay, forge messages
    Adversary: man-in-the-middle, untrusted user processes; active, adaptive, mobile adv.
    Methods & Tools: informal: NS, DS (’78–81); semi-formal: DY (’81); Byzantine (’82 ->); crypto models (’84 ->)*; auth. prot. analysis (87 ->)
- Technology: internetworking; E2E argument (mid – late ’80s)
    Vulnerability: large-scale effects: worms, viruses, DDoS (e.g., flooding)
    Adversary: distributed, coordinated attacks
    Methods & Tools: virus scans, tracebacks, intrusion detection (mid ’90s ->)
- etc.
A Security Perspective …
[Diagram: New Technology ~> New Vulnerability ~> New Adversary Model <~> New Analysis Method & Tools; delays labeled +/- O(months), +O(years), +O(years)]
[Diagram: Reuse of Old (Secure) Protocols: New Technology ~> New Vulnerability, Old Adversary Model; labeled "mismatch"]
Long delays … cause problems
New Technology: Sensor Networks
1. Ease of Scalable Deployment and Extension
   - simply drop sensors at desired locations
   - net. connectivity => neither administrative intervention nor base-station interaction
   - key sharing => simple neighbor discovery protocols, path keys
   - comm.: radio broadcast => Adv. cannot block-modify-retransmit
2. Nodes: Low-Cost, Commodity Hardware
   - low cost => physical node shielding is impractical => ease of access to internal node state
     (Q: how good should physical node shielding be to prevent access to a sensor’s internal state? A: most likely, impractically good)
3. Unattended Node Operation in Hostile Areas
   => adversary can capture & replicate nodes, insert replicas at chosen locations within a network
A New Attack: Node Capture and Replication
[Figure labels: NEIGHBORHOOD i, NEIGHBORHOOD j, NEIGHBORHOOD k; Captured Node 3; shared key outside neighborhood]
A New Attack: Node Capture and Replication (cont'd.)
[Figure labels: NEIGHBORHOOD i, NEIGHBORHOOD j, NEIGHBORHOOD k; Captured Node 3; Node 3 Replica 1; Node 3 Replica 2]
Note: Replica IDs are cryptographically bound to pre-distributed keys and cannot be changed
New (Replication) vs. Old (Dolev-Yao) Adversary
New (Replication) Adversary =/= Old (Dolev-Yao) Adversary
- can block/modify/insert messages only at specific node (replica) locations
- replicated nodes can adaptively modify network and trust topology
Old (Dolev-Yao) Adversary can
- control network operation
- man-in-the-middle: read, replay, forge, block, modify, insert messages anywhere in the network
- send/receive any message to/from any legitimate principal (e.g., node)
- act as a legitimate principal of the network
Old (Dolev-Yao) Adversary cannot
- perform unbounded computations
- perform cryptanalysis; e.g., discover a legitimate principal’s secrets
- capture and coerce the behavior of legitimate principals’ nodes
- replicate nodes adaptively, modify network and trust topology
Distributed Sensing: A New Application and its Adversary
Application: a set of m sensors observe and signal a global event
- each sensor broadcasts “1” whenever it senses the global event; else, it does nothing
- if t broadcasts are “1,” all m sensors signal the event; else they do nothing
Operational Constraints
- absence of the global event cannot be sensed (e.g., no periodic “0” broadcasts)
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than m
- broadcasts are reliable and synchronous (i.e., counted in sessions)
Adversary Goals:
- violate integrity (i.e., any set of t < m false broadcasts)
- deny service (i.e., suppress m-t+1 broadcasts)
New (Distributed-Sensing) Adversary
- captures insiders (i.e., any of m) nodes; forge, replay or suppress broadcasts (within same or across different sessions)
- increases broadcast membership: increases m with outsider nodes
An Example of Distributed Sensing: distributed revocation decision
Distributed Revocation Decision:
- d local neighbors sense the misbehavior of target node with which they share a pairwise private key
- each local neighbor broadcasts “revoke” whenever it senses target misbehavior; else, it does nothing
- if t (<= d) broadcasts are “revoke,” all d sensors revoke their key shared with the target (and propagate “revoke” decision to non-neighbor nodes that share a pairwise private key with target); else they do nothing.
Operational Constraints
- absence of target misbehavior cannot be sensed
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than d
- broadcasts (and “revoke” propagations) are reliable and synchronous
Distributed Node-Revocation Decision => Distributed Sensing
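Added example (not part of the original slides): a small Python model of the threshold rule from the Distributed Sensing and Distributed Revocation Decision slides, generalized to sweep the number of captured nodes for each adversary goal. The names Adversary, session, classify and min_captures, the sample value m = 10, and the rule that an unauthenticated "1" from a captured or outsider node counts toward t are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Adversary:
    captured: int = 0    # insider nodes (out of m) under adversary control
    outsiders: int = 0   # replicas/outsiders added to the broadcast membership

def session(m, t, event, adv, forge=False, suppress=False):
    """Return True if the group signals the event in this session.

    Honest nodes broadcast "1" only when they sense the event; its absence
    is never broadcast. Assumption: with no authenticated broadcast, a "1"
    from a captured or outsider node is counted like any other.
    """
    if not (1 <= t <= m) or not (0 <= adv.captured <= m):
        raise ValueError("need 1 <= t <= m and 0 <= captured <= m")
    honest = m - adv.captured
    ones = honest if event else 0
    if forge:                        # adversary nodes send "1" regardless
        ones += adv.captured + adv.outsiders
    elif event and not suppress:     # adversary nodes behave honestly
        ones += adv.captured
    return ones >= t

def classify(m, t, adv):
    """Which of the two adversary goals succeed for this (m, t)?"""
    return {
        # false event signalled although nothing happened
        "integrity": session(m, t, event=False, adv=adv, forge=True),
        # real event not signalled because "1"s were suppressed
        "dos": not session(m, t, event=True, adv=adv, suppress=True),
    }

def min_captures(m, t, outsiders=0):
    """Smallest number of captured insiders that achieves each goal."""
    result = {}
    for goal in ("integrity", "dos"):
        result[goal] = next(
            (c for c in range(m + 1)
             if classify(m, t, Adversary(c, outsiders))[goal]), None)
    return result

if __name__ == "__main__":
    m = 10  # constructed sample: ten sensors (or d = 10 revoking neighbors)
    for t in (3, 5, 7):
        print(t, min_captures(m, t), min_captures(m, t, outsiders=2))
```

Without outsiders the two minimums always sum to m + 1, so raising t trades integrity exposure for denial-of-service exposure; added outsider nodes lower only the integrity minimum.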
New (Distributed Sensing) vs. Old (Byzantine) Adversary
Q: Byzantine Agreement Problem (with similar operational constraints)?
- reactive: both global event and its absence are (“1/0”) broadcast by each node
- no PKI => no authenticated broadcast => t > 2/3m honest (not captured) nodes
- broadcasts are reliable and synchronous (i.e., counted in sessions)
A: No.
Byzantine Agreement Problem => Constrained Distributed Sensing (i.e., with “1/0” broadcasts, t > 2/3m) (=> Constrained Distributed-Revocation Decision) => Distributed Sensing
New (Distributed-Sensing) Adv. =/= Old (Byzantine) Adv.
- new adversary need not forge, initiate, or replay “0” broadcasts
- t < 2/3m => new integrity adversary is stronger; otherwise, same or weaker
- new adversary may attempt to modify membership
Note: Replication Adversary must also be countered
- Replication Adversary => membership violation (not possible with Byzantine Adversaries)
New Vulnerabilities
1. Collusion to Subvert Applications
   - Ex. 1: subvert aggregation of sensor data; blocks legitimate transmissions, modifies and injects false data
   - Ex. 2: can subvert “distributed sensing”; e.g., sense false events, deny sensing of real events
2. Collusion to Subvert Network Operation
   - Ex. 1: replicated nodes cooperate to block traffic & partition the network
   - Ex. 2: revokes legitimate nodes and disconnects network using legitimate, distributed-revocation protocol
3. Circumvent Intrusion Detection (and net’s “immune” system)
   - Ex: spread abnormal behavior over multiple replicas to avoid detection
Conclusions
1. New Technologies ~> New Vulnerabilities ~> New Adversary Models … ~> New Protocol Analysis Methods and Tools
2. Time Gap between New Technologies and New Protocol Analysis Methods and Tools is Substantial and Must be Decreased
   => must anticipate New Vulnerabilities and define Adversary Models
   => adversary models must be realistic
4. Re-examination of Formal Methods and Analyzed Protocols is also Required if (Old) Protocols are Reused
5. Some adversaries are best countered by “emergent detection protocols”
   - distributed node replication
   - distributed sensing adversary (that captures over t nodes)
   (viz., examples given in papers co-authored with H. Chan, B. Parno and A. Perrig)