Formal Models of Availability
Carl A. Gunter
University of Pennsylvania
(Soon to be the University of Illinois)
State of the Art in Formal Analysis of Security
Excellent progress on the formal analysis of integrity and confidentiality:
  Algebraic techniques catch bugs quickly and can be automated. Many successful case studies with practical protocols.
  Complexity-theoretic techniques provide more complete proofs.
  Techniques are being derived to unify these.
Modest progress on the formal study of availability:
  Limited formal models: too conservative, not realistic.
  Insufficient nomenclature. No automation.
  Few case studies or experimental validations.
  Fragile linkage to implementations.
Toward Formal Analysis of DoS
Shared Channel Model. Case study: DoS protection for authenticated broadcast.
Asymmetry Paradigm. Case study: TCP.
Composition and testing of DoS-resistant protocols. Case study: Layer three accounting (L3A).
Unified algebraic model. Formalization of authentication protocols.
Probabilistic term rewriting.
Contributors (as listed on the slide): C Gunter, S Khanna, K Tan, S Venkatesh; M Delap, M Greenwald, C Gunter, S Khanna, Y Xu; A Goodloe, C Gunter, MO Stehr; C Gunter, M Sherr, S Venkatesh; M Greenwald, C Gunter, S Khanna, J Meseguer, K Sen, P Thati.
Broadcast Authentication
[Figure: broadcast setting with an attacker on the shared channel.]
Examples: Internet television, shared-spectrum radio, digital satellite, etc.
Challenge of Broadcast Authentication
Inefficient to use public key signatures for each packet.
Insecure to use a common distributed key.
Inefficient, impractical, or impossible to use unicast tunnels.
Many proposals have been made to address these problems: delayed key release; amortizing the cost of public key checks over multiple packets.
Challenge of DoS for Broadcast
Attacks in the broadcast case are more likely to be informed attacks, in which sequence numbers and other aspects of protocol state are known. TCP is very vulnerable to informed attacks.
Authentication based on Public Key Checks (PKCs) is vulnerable to signature flooding.
Attacks on Forward Error Correction (FEC) lead to higher overheads.
Security Models for DoS
Common form of analysis: show that the victim can defend against an attack that occupies his whole channel. Effective, but too conservative.
Dolev-Yao: assume that the adversary controls the channel and can use the legitimate sender at will. Seems to give away the game.
Attacks based on limited modification. Not a common case.
"Tit for tat": work commitment by the initiator. Needs extension.
Wanted: a more realistic model of attack, and countermeasures that exploit it.
Shared Channel Model
Adversary can replay and insert packets.
Legitimate sender sends packets with a maximum and a minimum bandwidth.
Legitimate sender experiences loss, but not deliberate modification.
Model is a four-tuple (W0, W1, A, p): W0, W1 are the sender's minimum and maximum bandwidth; A is the attacker's maximum bandwidth; p is the sender's loss rate.
Shared Channel Model Example
[Figure: a timeline of sender packets S1..S5 interleaved with attacker packets A1..A5; legend: sender packet, attacker packet, dropped sender packet.]
Signature Flooding
Attack factor R = A / W1. Proportionate attack: R = 1. Disproportionate attack: R > 1.
A stock PC can handle about 8000 PKC/sec. A 10 Mbps link sends about 900 pkt/sec; a 100 Mbps link sends about 9000 pkt/sec (assuming large packets).
The processor is overwhelmed by too many signature checks. The adversary can devote its full bandwidth to bad signatures at no cost.
Budget: no more than 5% of the processor on PKCs.
Broadcast Authentication Streams
Data stream; hash/parity stream; signature stream.
[Figure: interleaving of transmission groups; rows labelled Signature, Data Hash, Parity.]
Selective Sequential Verification
The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets.
Countermeasure: the valid sender sends multiple copies of the signature packet; the receiver checks each incoming signature packet with some probability (say, 25% or 1%).
Attack Profile
[Figure: sender S, receiver R, attacker A.] S requires a low-bandwidth channel with high processing cost at R. A loads this channel with bad packets.
Selective Verification
[Figure: same parties.] R makes the channel lossy. S adds redundancy. A gets a reduced channel.
Tradeoff: bandwidth vs. processing.
How to Choose Parameters
Parameters: attack factor R; sender bandwidth W (packets/sec); packet loss rate p; signature check budget K (per second).
Theorem: A client receives a valid signature with confidence at least 99% if the number of signature copies is $N = \frac{5W(R+1)}{(1-p)K}$.
Intuition
Suppose we have 100 valid signature packets hidden in a large set of packets with invalid signatures.
If we check each packet in the large set with probability 5%, the probability that we do not find a valid signature packet is at most
$$\left(1 - \tfrac{5}{100}\right)^{100} = \left(1 - \tfrac{1}{20}\right)^{20 \cdot 5} \approx \frac{1}{e^{5}} < 0.01$$
In More Detail
Suppose the client checks each signature packet with probability $\pi$.
The probability that a signature packet is successfully received and verified by the client is $(1-p)\pi$.
Let $N$ be the number of signature packets. The probability that none of the $N$ signature packets is successfully received and verified by the client is $(1 - (1-p)\pi)^N$.
Roughly speaking, we set $\pi = K / (RW)$ (so the checks spent on the attacker's flood stay within the budget $K$) and $N = 5 / ((1-p)\pi)$, which gives $(1 - (1-p)\pi)^N \le e^{-(1-p)\pi N} = e^{-5} < 0.01$.
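The parameter rule above, as an added worked example (not code from the slides or the authors): it computes $\pi$ and $N$ from $W$, $R$, $p$, $K$, checks the miss probability in closed form, and then simulates one transmission group in the Shared Channel Model to confirm that the receiver both finds a valid signature and stays under its PKC budget while the attacker floods. Function names are our own; the only difference from the slide's rough form is that $\pi$ is taken as $K/((R+1)W)$ rather than $K/(RW)$ so the budget is never exceeded. The sample figures (900 pkt/sec, 5% of 8000 PKC/sec) are the ones quoted on the Signature Flooding slide.

```python
"""Selective verification under signature flooding (Shared Channel Model).

Worked example added to this transcript; not code from the slides or the
authors.  Symbols follow the slides:
  W   sender bandwidth in packets/sec      R   attack factor A / W
  p   sender packet loss rate              K   PKC budget, checks/sec
  N   copies of the signature packet       pi  per-packet check probability
"""
import math
import random


def check_probability(W, R, K):
    """pi: fraction of incoming signature packets the receiver verifies.

    Signature-looking packets arrive at no more than (R+1)*W per second
    (sender plus attacker), so checking a pi-fraction of them costs at most
    pi*(R+1)*W PKC/sec; that must fit the budget K.  The slide's rough form
    pi = K/(RW) drops the +1; keeping it guarantees the budget holds.
    """
    return min(1.0, K / ((R + 1) * W))


def signature_copies(W, R, p, K):
    """N: copies of the signature packet the sender must transmit.

    N = 5 / ((1-p) pi) = 5 W (R+1) / ((1-p) K), rounded up.  The factor 5
    makes the miss probability about e^-5 < 1%.
    """
    pi = check_probability(W, R, K)
    return math.ceil(5.0 / ((1.0 - p) * pi))


def miss_probability(N, p, pi):
    """Probability that no copy is both received (prob 1-p) and checked (pi)."""
    return (1.0 - (1.0 - p) * pi) ** N


def simulate(W, R, p, K, seconds=2.0, trials=100, seed=1):
    """Monte Carlo of one transmission group lasting `seconds`.

    The sender emits N signature copies, each lost with probability p; the
    attacker emits R*W*seconds fake signature packets at no cost.  The
    receiver checks every arriving signature packet with probability pi.
    Returns (fraction of groups in which a valid signature was verified,
             mean PKCs the receiver spent per second).
    """
    rng = random.Random(seed)
    pi = check_probability(W, R, K)
    N = signature_copies(W, R, p, K)
    fakes = int(R * W * seconds)
    found = 0
    checks = 0
    for _ in range(trials):
        ok = False
        for _ in range(N):  # legitimate copies: survive loss, then get sampled
            if rng.random() >= p and rng.random() < pi:
                checks += 1
                ok = True
        # Fake packets: each is checked with probability pi and never verifies.
        checks += sum(1 for _ in range(fakes) if rng.random() < pi)
        found += ok
    return found / trials, checks / (trials * seconds)


if __name__ == "__main__":
    # 10 Mbps link (~900 pkt/sec), attack factor 10, 20% loss, and a budget of
    # 5% of a stock PC's 8000 PKC/sec = 400 checks/sec (figures from the slides).
    W, R, p, K = 900, 10, 0.2, 400
    pi, N = check_probability(W, R, K), signature_copies(W, R, p, K)
    print(f"pi = {pi:.4f}, N = {N}, P(miss) = {miss_probability(N, p, pi):.4f}")
    print("simulated: valid signature found in %.3f of groups, %.0f PKC/sec" % simulate(W, R, p, K))
```

With these inputs the receiver checks about 4% of signature packets, the sender needs 155 copies per group, and the attacker's 9000 fakes/sec cost the receiver well under its 400 PKC/sec budget: the flood buys the attacker bandwidth, not CPU.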
Sample Numbers
10 Mbps with 20% loss and 2 second latency: 1584 data packets; 11 hash packets, 11 parity packets; 20 signature packets, verification probability 25%.
100 Mbps with 40% loss and 1 second latency: 8208 data packets; 57 hash packets, 66 parity packets; 200 signature packets, verification probability 2.5%.
Selective Verification is Very Effective
[Figure: three plots against transmission groups (TGs x 64): authentication loss rate (0-6%), seconds per TG (0-0.12), and number of fake signatures (0-9000).]
Authentication Loss
[Figure: authentication loss rate (%) versus burst rate (pkts x 10) for the configurations 100-40, 100-5, 10-40, 10-5 (link Mbps - loss %, as in the sample numbers).]
Throughputs Under Severe Attacks
[Figure: sender vs. receiver throughput (Mbps) for configurations 100/40, 100/20, 100/5 and 10/40, 10/20, 10/5 (link Mbps / loss %), under attack factor 10 with 400 PKC/TG (8% signature overhead), factor 5 with 1000 PKC/TG (3% signature overhead), and factor 5 with 400 PKC/TG (8% signature overhead).]
Little effect!
The Asymmetry Paradigm
Attackers leverage a feature that inflicts a great cost on the server at little expense to the client.
Defenders leverage asymmetric goals: the attacker must acquire all of a resource; a client needs to acquire only a single unit of the resource.
Inflate the cost of a resource that the attacker consumes at a greater rate, so that it becomes a bottleneck for the attacker before the attacker is able to deny service.
Jujitsu: a martial art that forces the attacker to use his own size and weight against himself.
Is the Asymmetry Paradigm generally applicable?
Applicable: are there typically resources consumed by the attacker more quickly than by the clients?
Effective: does an application of the asymmetry paradigm remove the threat of DoS?
Composition: can the paradigm be applied without changing the existing protocol?
TCP/IP: A case study
Common round trip: we already have an example for a one-way protocol.
Susceptible to DoS attacks: SYN flood and others.
Existing solutions as benchmark: increase the size of the SYN cache, random drop, SYN cookies.
TCP/IP: A case study
Connection initiation: 3-way handshake (SYN, SYN+ACK, ACK). The endpoints agree on source, destination, source port, destination port, source sequence number (SSN), and destination sequence number (DSN).
[Figure: the handshake, with the state each side holds after each message.]
  Client -> Server: SYN, SSN=123 (SP, DP). Client holds SP, DP, SSN; server now holds SP, DP, SSN, DSN (marked "???" on the slide).
  Server -> Client: SYN, ACK=124, SSN=456 (SP, DP). Client holds SP, DP, SSN, DSN.
  Client -> Server: ACK=457, SSN=124 (SP, DP). Both sides hold SP, DP, SSN, DSN.
TCP's Memory Requirements
TCB (transmission control block): SSN, RxMT, Acked.
Packet buffers: outgoing unacked data; incoming unread and out-of-order data.
Until ESTABLISHED, only need: port number, ISN, ACK. SYN cache of size B.
Example: TCP SYN Cache Parameters
Network capacity: rA = 300K SYNs/sec (100 Mbps Fast Ethernet).
Cache size: B = 10,000. Slots free at rate B/tA.
SYN cache occupancy: on timeout, tA = 100 seconds (30-120 seconds); on success, RTT = 10 ms (<1 to 100 milliseconds).
SYN-flood defense: selective processing
If the attacker's SYNs arrive at rate <= f B/tA, then (1-f)B slots remain reserved for legitimate clients.
Process SYNs with probability p <= f B/(tA rA).
Clients increase their SYN rate by 1/p (limited by network capacity). The attacker, already sending at line rate rA, cannot: its processed rate p rA cannot fill more than f B slots.
[Figure: SYN cache of B slots; attacker stream rA thinned to p rA by selective processing; client stream multiplied by 1/p.]
SYN-flood defense: selective processing
Process SYNs with probability $p \le fB/(t_A r_A)$. Examples:
If $p = 10^{-3}/6$, then the attacker can never occupy more than half of the SYN cache, but clients retransmit 6000 SYNs per connection.
If the cache size is increased to 30B and $p = 0.005$, then the same 0.5 limit holds, but clients retransmit only 200 SYNs per connection. For a 500 KB file, this is only about 2% overhead.
Without selective processing ($p = 1$), one needs $B' = 6 \times 10^{7}$ (= 6000B) to achieve the same level of defense.
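The three cases above, as an added worked example in Python (not code from the slides or the authors): the slide's inequality $p \le fB/(t_A r_A)$ is turned into functions that return the maximum processing probability, the attacker's steady-state cache occupancy, the client's expected retransmissions, and the cache size a given $p$ requires, and the three slide scenarios are reproduced from them. Function names, the Little's-law occupancy model (processed attacker SYNs at $p\,r_A$ per second, each holding a slot for $t_A$ seconds) and the 40-byte SYN size used for the overhead estimate are our assumptions.

```python
"""SYN-cache selective processing (the 'SYN-flood defense' slides).

Worked example added to this transcript; not code from the slides or the
authors.  Symbols follow the slides:
  rA  network capacity, SYNs/sec        B   SYN cache slots
  tA  lifetime of a half-open entry that times out, seconds
  f   fraction of the cache the attacker is allowed to fill
  p   probability that the server processes a received SYN
"""


def max_processing_probability(B, tA, rA, f):
    """Largest p under which a line-rate attacker holds at most f*B slots.

    Processed attacker SYNs arrive at p*rA per second and each occupies a
    slot for tA seconds, so the attacker's steady-state occupancy is
    p*rA*tA slots (Little's law).  p*rA*tA <= f*B gives p <= f*B/(tA*rA).
    """
    return min(1.0, f * B / (tA * rA))


def attacker_occupancy(p, rA, tA, B):
    """Slots held by an attacker sending at line rate rA, capped at B."""
    return min(B, p * rA * tA)


def expected_client_syns(p):
    """Mean SYNs a legitimate client sends before one is processed
    (geometric with success probability p): the 1/p rate increase."""
    return 1.0 / p


def cache_size_for(p, tA, rA, f):
    """Cache size B at which processing probability p keeps the attacker
    below f*B; p = 1.0 is the case without selective processing."""
    return p * tA * rA / f


def retransmit_overhead(p, file_bytes, syn_bytes=40):
    """Fraction of a transfer spent on the client's SYN retransmissions.
    40 bytes = minimal IPv4 + TCP headers (our assumption)."""
    return expected_client_syns(p) * syn_bytes / file_bytes


def slide_cases():
    """The three cases on the slide, with rA = 300K SYNs/sec, tA = 100 s,
    B = 10,000 and an attacker share f = 0.5."""
    rA, tA, f, B = 300_000, 100, 0.5, 10_000
    scenarios = (
        (B, max_processing_probability(B, tA, rA, f)),   # p = 10^-3 / 6
        (30 * B, 0.005),                                  # 30x cache, p = 0.005
        (cache_size_for(1.0, tA, rA, f), 1.0),            # no selection: B' = 6e7
    )
    return [
        {
            "B": size,
            "p": p,
            "attacker_share": attacker_occupancy(p, rA, tA, size) / size,
            "client_syns": expected_client_syns(p),
        }
        for size, p in scenarios
    ]


if __name__ == "__main__":
    for c in slide_cases():
        print(f"B={c['B']:.0f}  p={c['p']:.6f}  attacker holds {c['attacker_share']:.0%}"
              f"  client sends {c['client_syns']:.0f} SYNs/connection")
    print(f"500 KB file at p=0.005: {retransmit_overhead(0.005, 500_000):.1%} SYN overhead")
```

The three scenarios all pin the attacker at half the cache; what changes is the price paid by legitimate clients (6000, 200, or 1 SYN per connection) against the memory the server must provision (10,000, 300,000, or 60,000,000 slots), which is the asymmetry the paradigm exploits: each extra SYN costs a client almost nothing, but the attacker is already at line rate and cannot scale up.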
Experimental validation: successful connections vs. attack rate
[Figure: aggregate connections (successful connections per 450 threads) versus attack rate in SYNs/sec received at the server; the model predicts the cliff.]
Defenseless kernel: >6 SYNs/sec shuts out the client.
Conclusion
Progress is possible on the formal analysis of availability.
New models are more realistic and point to new countermeasures.
Key concepts: Shared Channel Model; selective processing countermeasures; Asymmetry Paradigm.