prasad narayana, ruiming chen, yao zhao, yan chen and hai zhou lab for internet and security...
Post on 21-Dec-2015
217 views
TRANSCRIPT
![Page 1: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/1.jpg)
Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou
Lab for Internet and Security TechnologyNorthwestern University, Evanston IL
Z. Judy FuMotorola Labs, Schaumburg IL
Automatic Vulnerability Checking of Wireless Protocols
through TLA+
![Page 2: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/2.jpg)
Motivation
•High-speed Wireless Metropolitan Area Networks (MAN) poised to become the Next Big Thing
•IEEE 802.16 (WiMAX) with enormous backing from the industry is set to lead the broadband wireless network space
•Security is especially critical for open air wireless protocols
•However, security analysis of the IEEE 802.16 protocol largely confined to manual analysis– Incomplete– Inaccurate
![Page 3: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/3.jpg)
Motivation (II)•Formal methods for automatic
vulnerability checking highly desirable–With completeness and correctness
guarantees
•Previous studies focus on security protocols and security properties only–CSP and FDR [Lowe96], MurØ
[Shmatikov98], Symbolic traces and PS-LTL [Corin06]
•Non-security protocol analysis focus on resource exhaustion DoS attacks and ignore protocol malfunction attacks !– [Yu88], [Meadow99], and [Meadow02]
![Page 4: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/4.jpg)
Our Approach
Systematic and automatic checking through formal methods. –Formally specify a protocol in TLA+ (Temporal
Logic of Actions)–Formally model an attacker in TLA+–Specify requested properties–Then automatically model-check for
vulnerabilities Vulnerability analysis of 802.16e specs
and WiMAX standards
![Page 5: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/5.jpg)
Potential Benefits
•TLA+ specs of 802.16e can be used as golden model for implementations– Implementation correctness can be
model-checked
•TLA+ attacker models and properties can be reused as test-benches when the protocol evolves–Correctness of modifications can be
quickly checked
![Page 6: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/6.jpg)
Outline
•Motivation and our approach•Background on TLA+•General methods and
challenges•Results on WiMAX initial ranging
and authentication•Conclusions and future work
![Page 7: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/7.jpg)
Why TLA+
• A logic resulted from the past 20 years research on concurrent reactive systems
• One language for both system spec and proof logic
• Modularity is employed for large specs• Systems automatically model-checked by TLC
• There are some lightweight formal techniques such as Alloy/Aloca– Limited expressiveness
» Cannot check temporal properties
– Cannot prove a property » Instead, check whether a property is satisfied by a trace
![Page 8: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/8.jpg)
TLA+ for Security
•A protocol can be specified as one monolithic system
•Or, it can be specified as a composition of many components:Protocol == CompA /\ CompB /\ \A i\in
(1..n): Comp(i)•An attacker can be specified
similarly•Checking security is to prove
Protocol /\ Attacker Property
![Page 9: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/9.jpg)
Outline
•Motivation and our approach•Background on TLA+•General methods and challenges
•Results on WiMAX initial ranging and authentication
•Conclusions and future work
![Page 10: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/10.jpg)
TLA+ Vulnerability Checking Flow
TLA+ Protocol
Specification
Attacker TLA+
Specification
TLC Model
Checking
Found Vulnerability ?
Analyze Severity
Weaken Attacker
Property TLA+
Specification
Stop
Yes
No
![Page 11: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/11.jpg)
TLA+ Protocol Specification
•Protocol specification in TLA+ can be easy or difficult–FSM easily translate to TLA+–Tricky from English description to TLA+
spec: ambiguity, re-design, etc.
•Process of protocol specification:– Identify principals–Modularize principal behaviour using
TLA+–Combine principal specs to form a
protocol spec
![Page 12: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/12.jpg)
TLA+ Protocol Specification Challenges
• Challenge: Vagueness in English specification and the correctness in its translation to TLA+.
• Common problem for all approaches• Solutions:
– No easy solution exists! – Best to design protocols in TLA+– Consult standards committee,
product implementation teams among other things
![Page 13: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/13.jpg)
Attacker Modelling
Attacker capability model similar to Dolev-Yao model:
•Basically, attackers can:–Eavesdrop on and store messages.–Replay old messages.– Inject or spoof unprotected messages.–Corrupt messages on the channel by
causing collisions.
•Assume the ideal cryptography: unforgeable signatures, safe encryption, and safe digest
![Page 14: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/14.jpg)
Attacker Modelling Challenges
• Challenge: How to find all realistic attacks?– Model too strong: hide stealthy attacks
– Model too weak: missing vulnerabilities• Our solution:
– Start with a relatively strong attacker model» TLC model-checks may yield unrealistic attacks.
– Then weaken the attacker model» E.g.: the attacker can continuously corrupt a response
from the BS. » Add restrictions on attacker to exclude such attacks.
• This dynamic modification of attacker model will end up with – a complete robustness proof OR– report of all attacks
![Page 15: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/15.jpg)
Model Checking by TLC
•TLC is a model checker for TLA+•Has both simulation mode and model
checking mode–We run simulations before a complete model
checking
•Terminate w/o violation: robustness proved
•Produce violation sequence: attack trace
![Page 16: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/16.jpg)
Model Checking Challenges
• Challenge: State space explosions
• Our Solutions– Combine similar states without loss of
functionality into one state
– Identify symmetry in system, which will treat the different states as one common state.
– Replace some random numbers with constants having some additional properties to simulate the effects of randomness
![Page 17: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/17.jpg)
Outline
•Motivation and our approach•Background on TLA+•General methods and
challenges•Results on WiMAX initial ranging and authentication
•Conclusions and future work
![Page 18: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/18.jpg)
Case Studies
•Initial ranging •Authentication process
•Choices based on the criticality of function and the probability of vulnerability
![Page 19: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/19.jpg)
Initial Ranging Process• Initial ranging: the first step
an SS communicates with a BS via message exchanges.
• An SS acquires correct timing offset and power adjustments
• The request-response communication happens until the BS is satisfied with the ranging parameters.
• ’Actual’ data communication can happen only if the initial ranging is successful.
![Page 20: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/20.jpg)
Property to Check
•SS can get service (getting into “Done” state) infinitely often
[]<>(SSstate = “Done”)–Need to make sure that such a property is
true even without an attacker (weakest attacker model)
![Page 21: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/21.jpg)
DOS during Initial Ranging (found by TLC Model
Checking)
DL SubframeContention-based Initial Ranging Slots
UL Subframe
REQ
REQ
REQ
REQ
![Page 22: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/22.jpg)
Conclusions•First step towards automatic
vulnerability checking of WiMAX protocol with completeness and correctness guarantees
•Use TLA+/TLC to model malfunction DoS attacks–Avoid state space explosion in property
checking–Model attackers’ capabilities for finding
realistic attacks
•Analyzed initial ranging and authentication process in 802.16 protocols
![Page 23: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/23.jpg)
Ongoing Work
•Development of a rigorous process in protocol specification using TLA+
•Enhance the attacker model•Check vulnerabilities in other parts
of 802.16 standards such as mobility support and handoff procedures
•Examination of WiMAX upper layer protocols: Proxy Mobile IPv4, Mobile IPv6, etc.
![Page 24: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/24.jpg)
Thanks !http://
list.cs.northwestern.edu/
![Page 25: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/25.jpg)
Intro to TLA+
• TLA+ is a simple extension of linear temporal logic– Temporal operations: []—forever, <>—eventually
– With primed variable (x’) for next state
– A predicate with both non-primed and primed variables defines an action: x'=x-y /\ x>y
• A system is usually specified as
Init /\ [] [Next]x
−the system satisfies Init initially and satisfies Next for all transitions
−Or simply, the system starts in Init and will do Next forever
![Page 26: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/26.jpg)
Property Spec
•Focus on malfunction DoS attacks currently–Client needs to reach a termination
<>[] (\A i\in PartySet: Party[i].state=ObjState)
–Client may not terminate[]<>(\A \in PartySet: Party[i].state=ObjState)
![Page 27: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/27.jpg)
Property Spec Challenges
• Challenge: TLC cannot check all properties expressible in TLA+
• Our Solution: Specify properties in restricted format
![Page 28: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/28.jpg)
28<#>
PKMv2 Authentication Process
BS SS/MS
Auth Response
SATEK Challenge
SATEK Response
Key Response
Auth Request
Auth ACK
SATEK Request
Key Request
• SS and BS mutually authenticate each other and exchange keys for data encryption
• PKMv2 is directed by two state machines in the SS – Authentication State Machine
– TEK State Machine
• PKMv2 employs a SATEK three-way handshake for the BS and the SS to exchange security capabilities
![Page 29: Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu](https://reader030.vdocuments.mx/reader030/viewer/2022032704/56649d695503460f94a478aa/html5/thumbnails/29.jpg)
29<#>
Authentication – TLA Model
• Each key has a life time, so the SS needs to get authorized from time to time– SS will reach the “Authorized” state infinite times
[]<>(SSstate =”Authorized”)
• TLC encounters space explosion problem–We restrict the SS to reach “Authorized”
state at most a given # of times.• With our attacker model, TLC model checking
completed w/o violation• Hence, authentication process is resistant to
any attempt under the given attacker model