fine-grained msr specifications for quantitative security analysis iliano cervesato...
Post on 20-Dec-2015
220 views
TRANSCRIPT
Fine-Grained MSR Specifications
for
Quantitative Security Analysis
Iliano [email protected]
ITT Industries, inc @ NRL Washington, DC
http://theory.stanford.edu/~iliano/
Protocol Analysis Seminar, NPS, Monterey, CA February 9, 2004
Quantitative Security Analysis 2/25
Seminar Web Page
http://theory.stanford.edu/~iliano/umbc/
Quantitative Security Analysis 3/25
Qualitative (Dolev-Yao) Analysis Classifies protocol operations in
Possible (Dolev-Yao) Reception/transmission Crypto with key, …
Impossible Guessing keys Breaking crypto, …
Security assessed only on possible ops“Easily” achieved by most current toolsWhat next?
“Easy”(polynomial)
“Hard”(exponential)
Quantitative Security Analysis 4/25
Analysis beyond Dolev-Yao
D a t a
Crypto
Perfect
Real
Symbolic Bit-oriented
More ops- xor- DH, …
Type confusion
Guessing
Probabilistic
Crypto hybrid- probability- complexity
Cost-aware
Quantitative Security Analysis 5/25
Cost-Aware Security Analysis
Assign cost to operations [Meadows,01]
Including non Dolev-Yao Discrete logarithm, factoring, … (Verifiable) guessing [Lowe,02] Principal subversion, …
ApplicationsEstimate actual resources needed for attacksResources limitation (smart cards, PDAs, …)DoS resistance assessmentComparing attacks or protocols
Quantitative Security Analysis 6/25
Outline
Protocol specificationMSR Fine-Grained MSR
Technique applies to other languages
Traces and Scripts
Cost ModelOperations Scripts
Cost-aware SecurityThreshold analysisComparative analysis
Quantitative Security Analysis 7/25
MSR
Executable protocol specification language Theoretical results
Decidability Most powerful intruder, …
3 generations already MSR 1: (here) MSR 2: 1 + strong typing MSR 3: 2 + -multisets
Based on MultiSet Rewriting Foundations in (linear) logic Ties to Petri nets and process algebra
Practice Kerberos V Implementation
underway
Quantitative Security Analysis 8/25
Multiset Rewriting …
Multiset: set with repetitions alloweda,b,c a,a,b,c,c,c
Rewrite rule:r: N1 N2
Application:
M’, N1 M’, N2
M1 M2state
Quantitative Security Analysis 9/25
… with Existentials
msets of 1st-order atomic formulas Rules:
r: F(x) n. G(x,n) Application
M’, F(t) M’, G(t,c)
M1 M2
c not in M1
Quantitative Security Analysis 10/25
Traces and Scripts
TracesRewrite sequence (r1,1),…,(rn,n) from M0 to Mn
Rules ri
Substitutions i
ScriptsParametric traces
S, (r,) S1 + S2
!n S
Normal run: SNR
Attack scripts: SA
Quantitative Security Analysis 11/25
MSR for Security Protocols
MessagesA, k, n,… Princ., keys, nonces, …{m}k, (m,m’), … Encryption, concat., …
PredicatesN(m) Network messagesM*(t1,…,tn) Public dataMA(t1,…,tn) Private data
I(m) Intruder info.Lv(t1,…,tn) Local states
Quantitative Security Analysis 12/25
Example
Needham-Schroeder protocolInitiator role
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
L(kA,k’A,kB,nA), N({nA,nB}kA)
PrvKA(kA,k’A), PubK*(B,kB)
PrvKA(kA,k’A),PubK*(B,kB),
L(kA,k’A,kB,nA),N({nA,A}kB)
N({nB}kB)
nA.
Quantitative Security Analysis 13/25
Preparing for Cost Assignment
Isolate operationsVerification
Success Failure
Construction
Apply rule in stagesPre-screeningDetailed verification
Split LHS in atomicsteps
Allow failure
Quantitative Security Analysis 14/25
Fine-Grained MSR (1)
RulesClean-up lhs rhs else cr
PredicatesRegisters Rv(m)Headers Nh(m)
Phased executionSelect rule based only on predicatesVerify if arguments match
Allow failure
Quantitative Security Analysis 15/25
Fine-Grained MSR (2)
Verification rulesNh(x) R(x)Lv(x) R(x)R(y), R’(opy(x)) R’’(x) else crR(x), R’(x) . else crR(x) R’(m)…
Construction rulesRemain the same
Quantitative Security Analysis 16/25
Fine-Grained Intruder
Dolev-Yao style
Subversion Guessing
Nh(x) I(x) M*(x) I(x) I(y), I(opy(x)) I(x)
I(x) Nh(x) . x. I(x) I(x) I(op(x))
. X(A) X(A) . X(A), MA(x) X(A), I(x)
… G(x)… V1(m1)
… V2(m2)
G(x), V1(y), V2(y) I(x)
I(g), I(gx) I(x)
Quantitative Security Analysis 17/25
Cost
vA
: cost typeTime, space, energy, …
A: principal incurring cost
v: amount of costPhysical measurements0 / (Dolev-Yao model)Complexity classes
Quantitative Security Analysis 18/25
Assigning Cost – Basic Operations
Network Storage Operations
ConstructionSuccessful verificationFailed verification
Subversion Guessing
Various ways
Supportsvery highprecision
Difficultydepends onprecision
Possiblysubjective
Quantitative Security Analysis 19/25
Assigning Costs – Traces &
Scripts
Traces: (T)Add up basic costs
Monotonic costs: time, energy, … Non-monotonic: space, …
Scripts: (S)Interval arithmetic
Script alternative
Quantitative Security Analysis 20/25
Quantitative Security Analysis
A model checking view
C 0 (Dolev-Yao)
C 1
C 2
Quantitative Security Analysis 21/25
Threshold Analysis
(SNR) HW/HCI?Cost of normal run acceptable?
PDAs, cell phones, …
(SA) I?Cost of attack/defense acceptable?Cost of candidate attack vs. resources
Non Dolev-Yao operations
min x. (SA(x)) I++?Design protocolFine-tuning parameters
Quantitative Security Analysis 22/25
Comparative Analysis
(SA1) (SA2) ?Comparing attacks
Protocol can always be attacked
(SP1) (SP2) ?Comparing protocols
B(SA) I(SA) ?Comparing attack and defense costs
Denial of Service
Quantitative Security Analysis 23/25
Typical Client/Server Exchange
Client Server
request
challenge
response
ok
scq
scc
scr
sco
tcq
tcc
tcr
tco
ssq
ssc
-(ssq+ss
c)
0
tsq
tsc
tsr
tso
T
B
Quantitative Security Analysis 24/25
Time DoS
q
ctc
q
0
tsq
tsc
q
c
tcq
0
tsq
tsc
tsr
ts
q1.
2.
3. Service rate 1/(ts
q + tsc + ts
r)
Attack rate 1/tc
q
Service rate: 1/tsq
Usually dominated by networking costs
Service rate 1/(ts
q + tsc)
Attack rate 1/tc
q
Betterattack
Quantitative Security Analysis 25/25
Space DDoS
Max concurrent requestsB / (ss
q + ssc)
Space allocation rate (ss
q + ssc) / (ts
q + tsc)
Space reclamation rateB / T
Max. concurrent attacks
0
0
0
ssq
ssc
-(ssq+ss
c) T
q
c
tcq
0
tsq
tsc
tsr
B
B (tsq + ts
c) (ss
q + ssc) T
n Use large B
Keep T small
Quantitative Security Analysis 26/25
Conclusions
Quantitative protocol analysis Cost conscious attacks (non Dolev-Yao) Fine-Grained specification languages (MSR) Paper: http://theory.stanford.edu/~iliano/forthcoming/
Related work C. Meadows: Cost framework for DoS G. Lowe: guessing attacks D. Tomioka, et al: cost for spi-calculus
Future work Attack costs: WEP DoS aware protocols: JFK, puzzle-based Client/Server Complexity-based costs Mixing probability