On the Evolution of Adversary Models for Security Protocols*

Virgil D. Gligor
Electrical and Computer Engineering
University of Maryland
College Park, MD. 20742
gligor@umd.edu

Florida State University
Tallahassee, FL. 32306
May 5, 2005

Copyright © 2005

*based on joint work with H. Chan, B. Parno and A. Perrig


Overview

1. A Security Perspective with some Old Examples
   New Technologies ~> New Vulnerabilities ~> New Adversary Models … <~> New Security Protocol Analysis Methods and Tools
   (“~>” = almost always implies)

2. A New Example
   New Technology: sensor networks
   New Vulnerabilities: (variable number of) nodes captured and replicated
   New Application: distributed sensing
   New Adversary: different from both Dolev-Yao and Byzantine adversaries
   New Tools: emergent properties, protocols

3. Conclusions


A Security Perspective and some Old Examples

Technology ~> Vulnerability ~> Adversary <~> Methods & Tools

- sharing programs & data
    Vulnerability: confidentiality and integrity breaches
    Adversary: untrusted user programs (TH)
    Methods & Tools: sys. vs. user mode (’62 ->); rings, sec. kernel (’65, ’67)

- computing utility (early – mid ’60s)
    Vulnerability: system penetration; DoS instances
    Methods & Tools: FHM (’75) theory/tool (’91)*; DoS instances ex. (’67-’75); acc. policy models (’71 ->)

- shared services; e.g., DBMS, net. prot. (early - mid ’70s)
    Vulnerability: denial of service; os, net. protocols
    Adversary: untrusted user processes; concurrent, coord. attacks
    Methods & Tools: DoS general def. (’83-’85)*; formal spec. & verif. (’88)*; models (’92 ->)

- PCs, LANs; public-domain Crypto (early – mid ’70s)
    Vulnerability: read, modify, block, replay, forge messages
    Adversary: man-in-the-middle, untrusted user processes; active, adaptive, mobile adv.
    Methods & Tools: informal: NS, DS (’78–81); semi-formal: DY (’81); Byzantine (’82 ->); crypto models (’84 ->)*; auth. prot. analysis (87 ->)

- internetworking; E2E argument (mid – late ’80s)
    Vulnerability: large-scale effects: worms, viruses, DDoS (e.g., flooding)
    Adversary: distributed, coordinated attacks
    Methods & Tools: virus scans, tracebacks, intrusion detection (mid ’90s ->)

- etc.


A Security Perspective …

New Technology ~> New Vulnerability ~> New Adversary Model <~> New Analysis Method & Tools
(delay annotations on the diagram: +/- O(months), +O(years), +O(years))

Long delays … cause problems

Reuse of Old (Secure) Protocols: New Technology ~> New Vulnerability, Old Adversary Model (mismatch)


New Technology: Sensor Networks

1. Ease of Scalable Deployment and Extension
   - simply drop sensors at desired locations
   - net. connectivity => neither administrative intervention nor base-station interaction
   - key sharing => simple neighbor discovery protocols, path keys
   - comm.: radio broadcast => Adv. cannot block-modify-retransmit

2. Nodes: Low-Cost, Commodity Hardware
   - low cost => physical node shielding is impractical => ease of access to internal node state
     (Q: how good should physical node shielding be to prevent access to a sensor’s internal state? A: most likely, impractically good)

3. Unattended Node Operation in Hostile Areas
   => adversary can capture & replicate nodes, insert replicas at chosen locations within a network


A New Attack: Node Capture and Replication

[Figure: network diagram showing NEIGHBORHOOD i, NEIGHBORHOOD j and NEIGHBORHOOD k; nodes labelled 1, 2 and 3; node 3 marked “Captured Node”; two links labelled “shared key outside neighborhood”.]


A New Attack: Node Capture and Replication (cont'd)

[Figure: the same diagram of NEIGHBORHOOD i, NEIGHBORHOOD j and NEIGHBORHOOD k; nodes labelled 1, 2 and 3; node 3 marked “Captured Node”, with two copies labelled “Node 3 Replica 1” and “Node 3 Replica 2”.]

Note: Replica IDs are cryptographically bound to pre-distributed keys and cannot be changed


New (Replication) vs. Old (Dolev-Yao) Adversary

New (Replication) Adversary =/= Old (Dolev-Yao) Adversary
- can block/modify/insert messages only at specific node (replica) locations
- replicated nodes can adaptively modify network and trust topology

Old (Dolev-Yao) Adversary can
- control network operation
- man-in-the-middle: read, replay, forge, block, modify, insert messages anywhere in the network
- send/receive any message to/from any legitimate principal (e.g., node)
- act as a legitimate principal of the network

Old (Dolev-Yao) Adversary cannot
- perform unbounded computations
- perform cryptanalysis; e.g., discover a legitimate principal’s secrets
- capture and coerce the behavior of legitimate principals’ nodes
- replicate nodes adaptively, modify network and trust topology


Distributed Sensing: A New Application and its Adversary

Application: a set of m sensors observe and signal a global event
- each sensor broadcasts “1” whenever it senses the global event; else, it does nothing
- if t broadcasts are “1,” all m sensors signal the event; else they do nothing

Operational Constraints
- absence of the global event cannot be sensed (e.g., no periodic “0” broadcasts)
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than m
- broadcasts are reliable and synchronous (i.e., counted in sessions)

Adversary Goals:
- violate integrity (i.e., any set of t < m false broadcasts)
- deny service (i.e., suppress m-t+1 broadcasts)

New (Distributed-Sensing) Adversary
- captures insider (i.e., any of m) nodes; forges, replays or suppresses broadcasts (within same or across different sessions)
- increases broadcast membership: increases m with outsider nodes


An Example of Distributed Sensing: distributed revocation decision

Distributed Revocation Decision:
- d local neighbors sense the misbehavior of target node with which they share a pairwise private key
- each local neighbor broadcasts “revoke” whenever it senses target misbehavior; else, it does nothing
- if t (<= d) broadcasts are “revoke,” all d sensors revoke their key shared with the target (and propagate “revoke” decision to non-neighbor nodes that share a pairwise private key with target); else they do nothing.

Operational Constraints
- absence of target misbehavior cannot be sensed
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than d
- broadcasts (and “revoke” propagations) are reliable and synchronous

Distributed Node-Revocation Decision => Distributed Sensing
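
Added example (not from the original slides): a small Python model of the threshold rule used in both distributed sensing and the distributed revocation decision, where the d neighbors play the role of m. The Session fields, function names and the way outsider nodes are counted are assumptions of this sketch; it searches for the fewest captured insiders that let the adversary signal a false event or suppress a real one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    m: int              # legitimate sensors in the group (d neighbors for revocation)
    t: int              # constant threshold of "1" broadcasts, t <= m
    event: bool         # does the global event (or target misbehavior) really occur?
    captured: int       # insiders under adversary control
    outsiders: int = 0  # extra members the adversary added to the broadcast group

def count_ones(s: Session, adversary_sends: bool) -> int:
    """Count the "1" broadcasts in one reliable, synchronous session."""
    # Honest nodes broadcast "1" only when they sense the event; no "0" is ever sent.
    ones = (s.m - s.captured) if s.event else 0
    # Modelling assumption: with no authenticated broadcast, every "1" counts equally.
    if adversary_sends:
        ones += s.captured + s.outsiders
    return ones

def integrity_violated(s: Session) -> bool:
    """False event signalled: adversary nodes alone reach the threshold."""
    return not s.event and count_ones(s, adversary_sends=True) >= s.t

def service_denied(s: Session) -> bool:
    """Real event missed: captured nodes stay silent and honest ones fall short."""
    return s.event and count_ones(s, adversary_sends=False) < s.t

def min_captures(m: int, t: int, outsiders: int = 0) -> tuple[int, int]:
    """Fewest captured insiders needed for (false signal, denial), by search."""
    forge = next(c for c in range(m + 1)
                 if integrity_violated(Session(m, t, False, c, outsiders)))
    deny = next(c for c in range(m + 1)
                if service_denied(Session(m, t, True, c)))
    return forge, deny

def best_threshold(m: int) -> int:
    """Threshold t that maximizes the captures needed for the cheaper goal."""
    return max(range(1, m + 1), key=lambda t: min(min_captures(m, t)))

if __name__ == "__main__":
    for t in (2, 4, 8):  # constructed parameters, m = 10
        print(t, min_captures(10, t), min_captures(10, t, outsiders=2))
    print("balanced t for m=10:", best_threshold(10))
```

The search reproduces the slide's bounds (t false broadcasts for integrity, m-t+1 suppressed broadcasts for denial) and shows that membership inflation lowers only the forgery cost, since t is a constant.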


New (Distributed Sensing) vs. Old (Byzantine) Adversary

Q: Byzantine Agreement Problem (with similar operational constraints)?
- reactive: both global event and its absence are (“1/0”) broadcast by each node
- no PKI => no authenticated broadcast => t > 2/3m honest (not captured) nodes
- broadcasts are reliable and synchronous (i.e., counted in sessions)

A: No.
Byzantine Agreement Problem
=> Constrained Distributed Sensing (i.e., with “1/0” broadcasts, t > 2/3m)
(=> Constrained Distributed-Revocation Decision)
=> Distributed Sensing

New (Distributed-Sensing) Adv. =/= Old (Byzantine) Adv.
- new adversary need not forge, initiate, or replay “0” broadcasts
- t < 2/3m => new integrity adversary is stronger; otherwise, same or weaker
- new adversary may attempt to modify membership

Note: Replication Adversary must also be countered
- Replication Adversary => membership violation (not possible with Byzantine Adversaries)


New Vulnerabilities

1. Collusion to Subvert Applications
   - Ex. 1: subvert aggregation of sensor data; blocks legitimate transmissions, modifies and injects false data
   - Ex. 2: can subvert “distributed sensing”, e.g., sense false events, deny sensing of real events

2. Collusion to Subvert Network Operation
   - Ex. 1: replicated nodes cooperate to block traffic & partition the network
   - Ex. 2: revokes legitimate nodes and disconnects network using legitimate, distributed-revocation protocol

3. Circumvent Intrusion Detection (and net’s “immune” system)
   - Ex: spread abnormal behavior over multiple replicas to avoid detection


Conclusions

1. New Technologies ~> New Vulnerabilities ~> New Adversary Models … ~> New Protocol Analysis Methods and Tools

2. Time Gap between New Technologies and New Protocol Analysis Methods and Tools is Substantial and Must be Decreased
   => must anticipate New Vulnerabilities and define Adversary Models
   => adversary models must be realistic

4. Re-examination of Formal Methods and Analyzed Protocols is also Required if (Old) Protocols are Reused

5. Some adversaries are best countered by “emergent detection protocols”
   - distributed node replication
   - distributed sensing adversary (that captures over t nodes)
   (viz., examples given in papers co-authored with H. Chan, B. Parno and A. Perrig)