Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories

Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati

PowerPoint presentation, 32 slides (28 main slides plus 4 backup slides). Posted 08-Jan-2016.

TRANSCRIPT

Page 1: Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories

Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati

Page 2: Formal Analysis of Cryptographic Protocols

Integrity and confidentiality: the recipient is not fooled and does not leak information.
Algebraic techniques: assume idealized cryptographic primitives.
Complexity-theoretic techniques: based on complexity assumptions.

Pages 3-4: Availability Attack

Availability threats: whether the recipient is available to a valid sender.
Algebraic and/or complexity-theoretic methods are not suitable for finding availability threats: they assume the adversary can insert, delete, or replay messages, so an availability attack is trivially assured because the adversary can delete any valid packet.

How to model and analyze availability formally?

Page 5: Our Goal

Given a protocol P, let properties T hold for P.
P is a traditional non-deterministic specification; T is a set of integrity and confidentiality properties.
Extend P to P* and T to T*.
P* is a DoS-hardened P; T* includes availability properties in addition to T.
Goal: prove that T* holds for P* without re-proving that T holds for P.

Page 6: Our Results

Same statement as the goal above, followed by a question mark: what has been achieved toward it?

Page 7: Modeling and Analysis

Probabilistic Rewrite Theories: a unified algebraic model; a probabilistic object model.
Properties in Continuous Stochastic Logic (CSL).
Statistical model checking [Sen et al. CAV'04, CAV'05, QEST'05] using Monte Carlo simulation and statistical hypothesis testing.
QuaTEx (Quantitative Temporal Expressions): a query language to gain quantitative insight about a model; statistical computation of QuaTEx [QAPL'05].

Page 8: DoS Models and Counter-measures

"Shared Memory" model: the adversary cannot delete packets; the adversary can replay or insert messages in the network.
"Asymmetry Paradigm": the adversary attacks by recognizing that certain operations at the recipient are expensive whereas invoking them is cheap, so it uses all of its bandwidth to invoke the expensive operations; this creates a difference (asymmetry) between the cost to attack and the cost to serve.
The receiver can increase the burden on the attacker; "selective verification" is our approach.

C Gunter, S Khanna, K Tan, S Venkatesh 2004

Page 9: Selective Sequential Verification

The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets.
Countermeasure: the valid sender sends multiple copies of the signature packet; the receiver checks each incoming signature packet with some probability (say, 25% or 1%).

Pages 10-12: Attack Profile and Selective Verification (diagrams)

Participants: S (valid sender), R (receiver), A (attacker).

Attack profile (slide 10): S requires a low-bandwidth channel to R that carries a high processing cost at R. A loads this channel with bad packets.

Selective verification (slides 11-12): R makes the channels lossy; S adds redundancy; A gets a reduced channel.
Tradeoff: bandwidth vs. processing.

Page 13: TCP/IP: A case study

Common, and susceptible to DoS attacks: SYN flood and others.
Existing solutions as benchmark: increase the size of the SYN cache, random drop, SYN cookies.

Page 14: TCP/IP: 3-way handshake

A: valid sender, B: valid receiver.
A -> B: SYN (B records the half-open connection in its SYN cache)
B -> A: SYN + ACK
A -> B: ACK

Pages 15-16: TCP/IP: SYN Flood Attack

A: valid sender, B: valid receiver, X: attacker.

Slide 15 (no defense): A sends SYN; X floods B with SYNs; B's SYN cache fills up, and A's packet is dropped.

Slide 16 (selective verification): B drops each incoming SYN with probability 0.75. X's flood now fills the cache at a quarter of the rate; A repeats its SYN, one copy is processed, and the handshake completes: SYN, SYN + ACK, ACK.

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

Page 17: Standard Rewrite Theories

Rules are of the form

t(x) -> t'(x) if cond

(diagram: a term matching t is rewritten to t' whenever cond holds).

Page 18: Probabilistic Rewrite Theories (PRTh)

We add probability information to rules:

t(x) -> t'(x, y) if cond with probability y := π(x)

(the symbol for the distribution did not survive extraction; π(x), a probability distribution over the fresh variables y that depends on the matched x, is the notation the PRTh papers use). The diagram shows t rewriting, when cond holds, to one of several t' instances chosen according to that distribution.

G Agha, J Meseguer, N Kumar, K Sen 2003

Page 19: Model TCP/IP 3-way handshake using PRwTh: P

Receiver: <B: buf, m>
Message: (X <- content)
Rules:
[drop packet]:    <B: buf, m> (B <- SYN(X,n)) => <B: buf, m>
[process packet]: <B: buf, m> (B <- SYN(X,n)) => <B: buf TCB(X,m), m+1> (X <- SYN-ACK(B,m))

Page 20: Model TCP/IP 3-way handshake using PRwTh: P*

Receiver: <B: buf, m>
Message: (X <- content)
One rule (selective verification):
<B: buf, m> (B <- SYN(X,n)) =>
  if drop? then <B: buf, m>
  else <B: buf TCB(X,m), m+1> (X <- SYN-ACK(B,m)) fi
  with probability drop? := BERNOULLI(p) .

Page 21: Availability Property

Property: the probability that the attacker X eventually succeeds in filling up the SYN cache of B is less than 0.01.

P<0.01[ <> successful_attack() ]

Statistical model checking using the Vesta model checker.

K Sen, M Viswanathan, G Agha 2005

Page 22: Tools

PMaude: extends Maude with probabilistic rewrite theories [QAPL'05]; Monte Carlo simulation of probabilistic rewrite theories with no unquantified non-determinism.
Vesta: statistical model checker for continuous stochastic logic [CAV'05]; Java implementation.

Page 23: Results

Cache size = 10,000; timeout = 10 seconds; number of valid senders = 100.

Page 24: Quantitative Queries Using QuaTEx

What is the expected number of clients that successfully connect to S out of 100 clients?
What is the probability that a client connected to S within 10 seconds after it initiated the connection request?

CountConnected() = if completed() then count() else O(CountConnected()) fi ;
eval E[CountConnected()] ;

(O is the next-state operator: the expression recurses into the next state of the run until completed() holds, then returns count().)
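The following is an added Python illustration, not code from the slides or from PMaude/Vesta: a discrete-time Monte Carlo version of the slide-20 rule, with p taken as the probability of processing a SYN (as on the backup slides, so drop? := BERNOULLI(1 - p)), a valid sender that repeats its SYN ceil(1/p) times per second, and sample-mean estimates of the slide-21 property and the slide-24 query. All parameter values below are constructed, scaled-down choices.

```python
import random
from math import ceil

def simulate_handshake(cache_size, timeout, attack_rate, n_clients, p, seconds, rng):
    """One sample path of the slide-20 model, in discrete time (one step = one second).
    Every arriving SYN is processed with probability p, i.e. drop? := BERNOULLI(1 - p).
    A processed attacker SYN holds a TCB slot until it times out; a processed client SYN
    completes the handshake within the step and frees its slot (simplifying assumption).
    Returns (clients_connected, cache_ever_full)."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    half_open = []                       # expiry times of attacker-held TCB slots
    pending, connected, ever_full = n_clients, 0, False
    copies = ceil(1 / p)                 # valid sender adds redundancy: 1/p SYN copies
    for now in range(seconds):
        half_open = [exp for exp in half_open if exp > now]   # timeouts free slots
        for _ in range(attack_rate):     # attacker spends its whole channel on SYNs
            if rng.random() < p and len(half_open) < cache_size:
                half_open.append(now + timeout)
        ever_full = ever_full or len(half_open) >= cache_size
        still_pending = 0
        for _ in range(pending):         # every not-yet-connected client retries
            if any(rng.random() < p and len(half_open) < cache_size
                   for _ in range(copies)):
                connected += 1
            else:
                still_pending += 1
        pending = still_pending
    return connected, ever_full

def estimate(runs, seed=1, **params):
    """Sample-mean estimates of E[CountConnected()] (slide 24) and of
    P[eventually successful_attack()] (slide 21) over `runs` independent paths.
    Vesta instead uses statistical hypothesis testing with stated error bounds."""
    rng = random.Random(seed)
    total_connected = total_full = 0
    for _ in range(runs):
        connected, full = simulate_handshake(rng=rng, **params)
        total_connected += connected
        total_full += full
    return total_connected / runs, total_full / runs

if __name__ == "__main__":
    scaled = dict(cache_size=100, timeout=10, attack_rate=40, n_clients=20, seconds=30)
    for p in (1.0, 0.25, 0.05):          # no defense, drop 75 %, drop 95 %
        print(f"p={p}: E[connected], P[cache full] = {estimate(200, p=p, **scaled)}")
```

With the constructed parameters an undefended cache (p = 1.0) fills within a few seconds, while p = 0.25 holds the attacker to about cache_size slots in expectation and p = 0.05 to a fifth of that, at the price of 4 and 20 SYN copies per valid client.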

Page 25: Linux Kernel Test

Attack rate in SYNs/sec received at the server.
The graph shows successful connections per 450 threads.
Defenseless kernel: more than 6 SYNs/sec shuts out the client.

[Plot: aggregate connections (y-axis) against attack rate (x-axis); annotation: the model predicts the cliff.]

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

Page 26: Results

[Plot: expected number of clients, out of 100, that get connected to the server under DoS attack.]

Page 27: Conclusion

A general framework for modeling and verifying DoS properties of communication protocols.
Capable of expressing and proving key availability properties.
Performance limitations require us to use scaled-down versions of the parameters.

Future work: addressing the efficiency limitations; verifying the properties for general systems.

Page 28: Summary

Given a protocol P, let properties T hold for P.
P is a traditional non-deterministic specification; T is a set of integrity and confidentiality properties.
Extend P to P* and T to T*.
P* is a DoS-hardened P; T* includes availability properties in addition to T.
Goal: prove that T* holds for P* without re-proving that T holds for P.

Pages 29-32: SYN-flood defense: selective processing (backup slides, built up in four steps)

Notation:
B: size of the SYN cache
t: timeout
0 < f < 1: fraction of the cache the attacker is allowed to occupy
rX: attacker rate
p: probability of processing a SYN at B
rA: rate of the valid sender (slide 32)

1. If rX <= f B / t, then (1 - f) B slots remain reserved for legitimate clients.
2. Otherwise, process SYNs with probability p <= f B / (t rX).
3. Increase the SYN packets sent by the valid sender by a factor of 1/p (diagram label "X 1/p"); this is limited by network capacity.
4. An attacker processed at rate p rX cannot fill more than f B slots, while the valid sender's SYNs are processed at rate p rA.

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
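As an added example (not from the slides or the cited paper), the parameter choice on the backup slides carried through in Python: given B, t, f and rX it derives p, the sender's redundancy factor 1/p, and the most slots the attacker can hold, and checks the slide-32 claim. It goes one step beyond the slides by also computing the chance that at least one of the 1/p copies is processed in a round, which is why the valid sender may still need several rounds.

```python
from math import ceil

def selective_processing(B, t, f, rX):
    """Parameters of the selective-processing defense on the backup slides.
    B: SYN-cache size, t: timeout (s), f: fraction of the cache the attacker may hold,
    rX: attacker SYN rate (SYN/s). Returns the processing probability p, the number of
    SYN copies (1/p) the valid sender must send, the most slots the attacker can hold,
    and the slots that stay reserved for legitimate clients."""
    if not 0 < f < 1:
        raise ValueError("f must lie in (0, 1)")
    # step 1: at rX <= f B / t the attacker never exceeds f B entries even with p = 1
    p = 1.0 if rX * t <= f * B else f * B / (t * rX)     # step 2: p <= f B / (t rX)
    copies = ceil(1 / p)                                  # step 3: sender sends 1/p SYNs
    attacker_slots = p * rX * t                           # step 4: rate p rX, held for t
    return {"p": p, "copies": copies, "attacker_slots": attacker_slots,
            "reserved_slots": (1 - f) * B,
            # beyond the slides: probability that at least one copy is processed
            "client_success_per_round": 1 - (1 - p) ** copies}

def guarantee_holds(B, t, f, rX):
    """Check the slide-32 claim: an attacker processed at rate p rX cannot fill more
    than f B slots, so (1 - f) B slots remain for legitimate senders."""
    return selective_processing(B, t, f, rX)["attacker_slots"] <= f * B + 1e-9

if __name__ == "__main__":
    # slide-23 cache size and timeout; f = 0.5 and the attack rates are constructed
    for rX in (100, 500, 2000, 10000):
        d = selective_processing(B=10000, t=10, f=0.5, rX=rX)
        print(f"rX={rX:6d} SYN/s  p={d['p']:.3f}  copies={d['copies']:3d}  "
              f"attacker <= {d['attacker_slots']:.0f} slots  "
              f"reserved={d['reserved_slots']:.0f}  "
              f"P[copy processed]={d['client_success_per_round']:.2f}")
```

At rX = 2000 SYN/s with B = 10,000 and t = 10 s this yields p = 0.25, the 75% drop probability of slide 16, and four SYN copies per valid client.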