fine-grained msr specifications for quantitative security analysis iliano cervesato...

Fine-Grained MSR Specifications

for

Quantitative Security Analysis

Iliano [email protected]

ITT Industries, inc @ NRL Washington, DC

http://theory.stanford.edu/~iliano/

Protocol Analysis Seminar, NPS, Monterey, CA February 9, 2004

Quantitative Security Analysis 2/25

Seminar Web Page

http://theory.stanford.edu/~iliano/umbc/


Qualitative (Dolev-Yao) Analysis Classifies protocol operations in

Possible (Dolev-Yao) Reception/transmission Crypto with key, …

Impossible Guessing keys Breaking crypto, …

Security assessed only on possible ops“Easily” achieved by most current toolsWhat next?

“Easy”(polynomial)

“Hard”(exponential)


Analysis beyond Dolev-Yao

D a t a

Crypto

Perfect

Real

Symbolic Bit-oriented

More ops- xor- DH, …

Type confusion

Guessing

Probabilistic

Crypto hybrid- probability- complexity

Cost-aware


Cost-Aware Security Analysis

Assign cost to operations [Meadows,01]

Including non Dolev-Yao Discrete logarithm, factoring, … (Verifiable) guessing [Lowe,02] Principal subversion, …

ApplicationsEstimate actual resources needed for attacksResources limitation (smart cards, PDAs, …)DoS resistance assessmentComparing attacks or protocols


Outline

Protocol specificationMSR Fine-Grained MSR

Technique applies to other languages

Traces and Scripts

Cost ModelOperations Scripts

Cost-aware SecurityThreshold analysisComparative analysis


MSR

Executable protocol specification language Theoretical results

Decidability Most powerful intruder, …

3 generations already MSR 1: (here) MSR 2: 1 + strong typing MSR 3: 2 + -multisets

Based on MultiSet Rewriting Foundations in (linear) logic Ties to Petri nets and process algebra

Practice Kerberos V Implementation

underway


Multiset Rewriting …

Multiset: set with repetitions alloweda,b,c a,a,b,c,c,c

Rewrite rule:r: N1 N2

Application:

M’, N1 M’, N2

M1 M2state


… with Existentials

msets of 1st-order atomic formulas Rules:

r: F(x) n. G(x,n) Application

M’, F(t) M’, G(t,c)

M1 M2

c not in M1


Traces and Scripts

TracesRewrite sequence (r1,1),…,(rn,n) from M0 to Mn

Rules ri

Substitutions i

ScriptsParametric traces

S, (r,) S1 + S2

!n S

Normal run: SNR

Attack scripts: SA


MSR for Security Protocols

MessagesA, k, n,… Princ., keys, nonces, …{m}k, (m,m’), … Encryption, concat., …

PredicatesN(m) Network messagesM*(t1,…,tn) Public dataMA(t1,…,tn) Private data

I(m) Intruder info.Lv(t1,…,tn) Local states


Example

Needham-Schroeder protocolInitiator role

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

L(kA,k’A,kB,nA), N({nA,nB}kA)

PrvKA(kA,k’A), PubK*(B,kB)

PrvKA(kA,k’A),PubK*(B,kB),

L(kA,k’A,kB,nA),N({nA,A}kB)

N({nB}kB)

nA.


Preparing for Cost Assignment

Isolate operationsVerification

Success Failure

Construction

Apply rule in stagesPre-screeningDetailed verification

Split LHS in atomicsteps

Allow failure


Fine-Grained MSR (1)

RulesClean-up lhs rhs else cr

PredicatesRegisters Rv(m)Headers Nh(m)

Phased executionSelect rule based only on predicatesVerify if arguments match

Allow failure


Fine-Grained MSR (2)

Verification rulesNh(x) R(x)Lv(x) R(x)R(y), R’(opy(x)) R’’(x) else crR(x), R’(x) . else crR(x) R’(m)…

Construction rulesRemain the same


Fine-Grained Intruder

Dolev-Yao style

Subversion Guessing

Nh(x) I(x) M*(x) I(x) I(y), I(opy(x)) I(x)

I(x) Nh(x) . x. I(x) I(x) I(op(x))

. X(A) X(A) . X(A), MA(x) X(A), I(x)

… G(x)… V1(m1)

… V2(m2)

G(x), V1(y), V2(y) I(x)

I(g), I(gx) I(x)


Cost

vA

: cost typeTime, space, energy, …

A: principal incurring cost

v: amount of costPhysical measurements0 / (Dolev-Yao model)Complexity classes


Assigning Cost – Basic Operations

Network Storage Operations

ConstructionSuccessful verificationFailed verification

Subversion Guessing

Various ways

Supportsvery highprecision

Difficultydepends onprecision

Possiblysubjective


Assigning Costs – Traces &

Scripts

Traces: (T)Add up basic costs

Monotonic costs: time, energy, … Non-monotonic: space, …

Scripts: (S)Interval arithmetic

Script alternative


Quantitative Security Analysis

A model checking view

C 0 (Dolev-Yao)

C 1

C 2


Threshold Analysis

(SNR) HW/HCI?Cost of normal run acceptable?

PDAs, cell phones, …

(SA) I?Cost of attack/defense acceptable?Cost of candidate attack vs. resources

Non Dolev-Yao operations

min x. (SA(x)) I++?Design protocolFine-tuning parameters


Comparative Analysis

(SA1) (SA2) ?Comparing attacks

Protocol can always be attacked

(SP1) (SP2) ?Comparing protocols

B(SA) I(SA) ?Comparing attack and defense costs

Denial of Service


Typical Client/Server Exchange

Client Server

request

challenge

response

ok

scq

scc

scr

sco

tcq

tcc

tcr

tco

ssq

ssc

-(ssq+ss

c)

0

tsq

tsc

tsr

tso

T

B


Time DoS

q

ctc

q

0

tsq

tsc

q

c

tcq

0

tsq

tsc

tsr

ts

q1.

2.

3. Service rate 1/(ts

q + tsc + ts

r)

Attack rate 1/tc

q

Service rate: 1/tsq

Usually dominated by networking costs

Service rate 1/(ts

q + tsc)

Attack rate 1/tc

q

Betterattack


Space DDoS

Max concurrent requestsB / (ss

q + ssc)

Space allocation rate (ss

q + ssc) / (ts

q + tsc)

Space reclamation rateB / T

Max. concurrent attacks

0

0

0

ssq

ssc

-(ssq+ss

c) T

q

c

tcq

0

tsq

tsc

tsr

B

B (tsq + ts

c) (ss

q + ssc) T

n Use large B

Keep T small


Conclusions

Quantitative protocol analysis Cost conscious attacks (non Dolev-Yao) Fine-Grained specification languages (MSR) Paper: http://theory.stanford.edu/~iliano/forthcoming/

Related work C. Meadows: Cost framework for DoS G. Lowe: guessing attacks D. Tomioka, et al: cost for spi-calculus

Future work Attack costs: WEP DoS aware protocols: JFK, puzzle-based Client/Server Complexity-based costs Mixing probability

fine-grained msr specifications for quantitative security analysis iliano cervesato...

Documents