Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories
Gul Agha
Michael Greenwald
Carl Gunter
Sanjeev Khanna
Jose Meseguer
Koushik Sen
Prasanna Thati
2/28
Formal Analysis of Cryptographic Protocols
Integrity and confidentiality: the recipient is not fooled and does not leak information
Algebraic techniques: assume idealized cryptographic primitives
Complexity-theoretic techniques: based on complexity assumptions
3/28
Availability Attack
Availability threats: whether the recipient is available to a valid sender
Algebraic and/or complexity-theoretic methods are not suitable for finding availability threats
They assume the adversary can insert, delete, or replay messages
Under that assumption an availability attack is assured, as the adversary can delete any valid packet
4/28
How to model and analyze availability formally?
5/28
Our Goal
Given a protocol P, let properties T hold for P:
  P is a traditional non-deterministic specification
  T is a set of integrity and confidentiality properties
Extend P to P* and T to T*:
  P* is the DoS-hardened P
  T* includes availability properties in addition to T
Goal: prove that T* holds for P* without re-proving that T holds for P
6/28
Our Results
Given a protocol P, let properties T hold for P:
  P is a traditional non-deterministic specification
  T is a set of integrity and confidentiality properties
Extend P to P* and T to T*:
  P* is the DoS-hardened P
  T* includes availability properties in addition to T
Goal: prove that T* holds for P* without re-proving that T holds for P
?
7/28
Modeling and Analysis
Probabilistic rewrite theories: a unified algebraic model; a probabilistic object model
Properties in continuous stochastic logic (CSL)
Statistical model checking [Sen et al. CAV'04, CAV'05, QEST'05] using Monte Carlo simulation and statistical hypothesis testing
QuaTEx (Quantitative Temporal Expressions): a query language to gain quantitative insight about a model; statistical computation of QuaTEx [QAPL'05]
8/28
DoS Models and Counter-measures
"Shared Memory" model: the adversary cannot delete packets; it can replay or insert messages in the network
"Asymmetry Paradigm": the adversary attacks by recognizing that certain operations at the recipient are expensive whereas invoking them is easy, so it uses all of its bandwidth to invoke expensive operations; this creates a difference (asymmetry)
The receiver can increase the burden on the attacker: "selective verification" is our approach
C Gunter, S Khanna, K Tan, S Venkatesh 2004
9/28
Selective Sequential Verification
The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets
Countermeasure: the valid sender sends multiple copies of the signature packet; the receiver checks each incoming signature packet with some probability (say, 25% or 1%)
10/28
Attack Profile
(figure: sender S, attacker A, receiver R) S requires a low-bandwidth channel with high processing cost at R; A loads this channel with bad packets
11/28
Selective Verification
(figure: sender S, attacker A, receiver R)
12/28
Selective Verification
(figure: sender S, attacker A, receiver R) R makes its channels lossy; S adds redundancy; A gets a reduced channel
Tradeoff: bandwidth vs. processing
13/28
TCP/IP: A case study
Common
Susceptible to DoS attacks: SYN flood and others
Existing solutions as benchmark: increase the size of the SYN cache, random drop, SYN cookies
14/28
TCP/IP: 3-way handshake (A: valid sender, B: valid receiver)
A → B: SYN
B → A: SYN + ACK
A → B: ACK
B keeps the half-open connection in its SYN cache
15/28
TCP/IP: SYN Flood Attack (A: valid sender, B: valid receiver, X: attacker)
X → B: SYN (flood); each SYN takes an entry in the SYN cache
A → B: SYN
SYN cache full: packet dropped
16/28
TCP/IP: SYN Flood Attack (A: valid sender, B: valid receiver, X: attacker)
X → B: SYN; B drops each incoming SYN with probability 0.75 before it reaches the SYN cache
A → B: SYN
B → A: SYN + ACK
A → B: ACK
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
17/28
Standard Rewrite Theories
Rules are of the form t(x) → t'(x) if cond
(diagram: t rewrites to t' when cond holds)
18/28
Probabilistic Rewrite Theories (PRTh)
We add probability information to rules: t(x) → t'(x, y) if cond with probability y := (x)
(diagram: t rewrites to t' when cond holds; the new variables y are chosen probabilistically)
G Agha, J Meseguer, N Kumar, K Sen 2003
19/28
Model TCP/IP 3-way handshake using PRwTh: P
Receiver: ⟨B : buf, m⟩
Message: (X ← content)
Rules:
[drop packet]: ⟨B : buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B : buf, m⟩
[process packet]: ⟨B : buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B : buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m))
20/28
Model TCP/IP 3-way handshake using PRwTh: P*
Receiver: ⟨B : buf, m⟩
Message: (X ← content)
One rule (selective verification):
⟨B : buf, m⟩ (B ← SYN(X, n)) ⇒ if drop? then ⟨B : buf, m⟩ else ⟨B : buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m)) fi
with probability drop? := BERNOULLI(p) .
21/28
Availability Property
Property: the probability that the attacker X eventually fills up the SYN cache of B is less than 0.01
P<0.01[◇(successful_attack())]
Statistical model checking using the Vesta model checker
K Sen, M Viswanathan, G Agha 2005
22/28
Tools
PMaude: extends Maude with probabilistic rewrite theories [QAPL'05]; Monte Carlo simulation of probabilistic rewrite theories with no unquantified non-determinism
Vesta: statistical model checker for continuous stochastic logic [CAV'05]; Java implementation
23/28
Results
Cache size = 10,000; timeout = 10 seconds; number of valid senders = 100
24/28
Quantitative Queries Using QuaTEx
What is the expected number of clients that successfully connect to S out of 100 clients?
What is the probability that a client connected to S within 10 seconds after it initiated the connection request?
CountConnected() = if completed() then count() else ○(CountConnected()) fi ;
eval E[CountConnected()]
25/28
Linux Kernel Test
Attack rate in SYNs/sec received at server
Graph shows successful connections per 450 threads
Defenseless kernel: >6 SYNs/sec shuts out client
(figure: aggregate connections vs. attack rate; the model predicts the cliff)
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
26/28
Results
(graph) Expected number of clients, out of 100, that connect to the server under a DoS attack
27/28
Conclusion
A general framework for modeling and verifying DoS properties of communication protocols
Capable of expressing and proving key availability properties
Performance limitations require us to use scaled-down parameters
Future Work
Addressing efficiency limitations
Verifying the properties for general systems
28/28
Summary
Given a protocol P, let properties T hold for P:
  P is a traditional non-deterministic specification
  T is a set of integrity and confidentiality properties
Extend P to P* and T to T*:
  P* is the DoS-hardened P
  T* includes availability properties in addition to T
Goal: prove that T* holds for P* without re-proving that T holds for P
29/28
SYN-flood defense: selective processing
If rX ≤ f·B/t, then (1−f)·B slots are reserved for legitimate clients (within one timeout the attacker can occupy at most rX·t ≤ f·B slots)
(figure: the SYN cache of size B at the receiver)
B: size of SYN cache
t: timeout
0 < f < 1
rX: attacker rate
p: probability of processing a SYN at B
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
30/28
SYN-flood defense: selective processing
If rX ≤ f·B/t, then (1−f)·B slots are reserved for legitimate clients
Process SYNs with probability p ≤ f·B/(t·rX)
(figure: the SYN cache of size B, processing each SYN with probability p)
B: size of SYN cache
t: timeout
0 < f < 1
rX: attacker rate
p: probability of processing a SYN at B
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
31/28
SYN-flood defense: selective processing
If rX ≤ f·B/t, then (1−f)·B slots are reserved for legitimate clients
Process SYNs with probability p ≤ f·B/(t·rX)
Increase the SYN packets sent by a valid sender by a factor of 1/p
(figure: the SYN cache of size B processes each SYN with probability p; the valid sender sends × 1/p copies, limited by network capacity)
B: size of SYN cache
t: timeout
0 < f < 1
rX: attacker rate
p: probability of processing a SYN at B
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
32/28
SYN-flood defense: selective processing
If rX ≤ f·B/t, then (1−f)·B slots are reserved for legitimate clients
Process SYNs with probability p ≤ f·B/(t·rX)
Increase the SYN packets sent by a valid sender by a factor of 1/p
An attacker rate of p·rX cannot fill more than f·B slots
(figure: attacker X sends at rate rX and B processes each SYN with probability p; the valid sender sends at rate rA with × 1/p copies, of which p·rA are processed)
B: size of SYN cache
t: timeout
0 < f < 1
rX: attacker rate
p: probability of processing a SYN at B
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
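The P* rule of slides 19-21, the QuaTEx query of slide 24 and the selective-processing bound of slides 29-32, worked through as an added Monte Carlo example; this is constructed illustration code, not the slides' PMaude/Vesta model. It assumes a discrete-time simplification (ticks, the attacker never ACKs, a verified client SYN completes at once without holding a slot) and scaled-down constructed parameters; p here is the processing probability, so the rule's drop? draw is BERNOULLI(1-p).

```python
import math
import random

def processing_probability(cache_size, timeout, attack_rate, f):
    """Selective-processing rule of the slides: p <= f*B/(t*rX), capped at 1.
    The attacker's processed rate p*rX is then at most f*B/t, so X can hold at
    most f*B TCB slots and (1-f)*B slots stay free for valid senders."""
    return min(1.0, f * cache_size / (timeout * attack_rate))

def run_model(cache_size, timeout, attack_rate, p, clients, horizon, rng):
    """One Monte Carlo path of a constructed discrete-time version of the P*
    model.  Per tick the attacker X sends attack_rate SYNs and each unconnected
    client sends ceil(1/p) copies of its SYN; every SYN is verified with
    probability p (drop? is true with probability 1-p).  A verified X SYN holds
    a TCB slot for `timeout` ticks (X never ACKs); a verified client SYN is
    assumed to complete the handshake at once without holding a slot.
    Returns (successful_attack, connected)."""
    copies = math.ceil(1 / p)
    tcb = []                               # expiry times of X's half-open TCBs
    pending = set(range(clients))          # clients still trying to connect
    full = False
    for tick in range(horizon):
        # this tick's packets with random arrival times; sender -1 is X
        packets = [(tick + rng.random(), -1) for _ in range(attack_rate)]
        for c in pending:
            packets += [(tick + rng.random(), c) for _ in range(copies)]
        for now, sender in sorted(packets):
            tcb = [e for e in tcb if e > now]  # timed-out entries leave the cache
            if rng.random() >= p:              # drop? = true: SYN not verified
                continue
            if len(tcb) >= cache_size:         # SYN cache full: packet dropped
                full = True
            elif sender == -1:
                tcb.append(now + timeout)      # TCB(X, m) created, never completed
            else:
                pending.discard(sender)        # SYN-ACK / ACK completes for client
    return full, clients - len(pending)

def estimate(cache_size, timeout, attack_rate, p, clients, horizon, runs, seed=1):
    """Estimates of P[eventually successful_attack()] and of the QuaTEx query
    E[CountConnected()] as averages over `runs` simulated paths."""
    rng = random.Random(seed)
    paths = [run_model(cache_size, timeout, attack_rate, p, clients, horizon, rng)
             for _ in range(runs)]
    return sum(hit for hit, _ in paths) / runs, sum(n for _, n in paths) / runs

if __name__ == "__main__":
    p = processing_probability(20, 5, 100, 0.25)   # scaled-down parameters: p = 0.01
    print("defenseless p=1:", estimate(20, 5, 100, 1.0, 5, 15, 50))
    print("selective p=%.2f:" % p, estimate(20, 5, 100, p, 5, 15, 50))
```

With p = 1 the cache is full on every path and most of the five clients are shut out; with p derived from the bound the cache never fills and the clients, sending 1/p copies, all connect.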