Formal Models of
Availability
Carl A. Gunter
University of Pennsylvania
(Soon to be the University of Illinois)
State of the Art in Formal Analysis of
Security
 Excellent progress on the
formal analysis of integrity
and confidentiality.
 Algebraic techniques
catch bugs quickly and
can be automated. Many
successful case studies
with practical protocols.
 Complexity-theoretic
techniques provide more
complete proofs.
 Techniques are being
derived to unify these.
 Modest progress on the
formal study of availability.
 Limited formal models.






Too conservative.
Not realistic.
Insufficient
nomenclature.
No automation.
Few case studies or
experimental validations.
Fragile linkage to
implementations.
Toward Formal Analysis of DoS
 Shared Channel Model
 Case study: DoS protection for authenticated
broadcast.
C Gunter, S Khanna, K Tan, S Venkatesh
 Asymmetry Paradigm
 Case study: TCP.
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
 Composition and testing of DoS-resistent protocols.
 Case study: Layer three accounting (L3A).
A Goodloe, C Gunter,
 Unified algebraic model.
MO Stehr
 Formalization of authentication protocols.
 Probabilistic term rewriting.
C Gunter, M Sherr, S Venkatesh
M Greenwald, C Gunter, S
Khanna, J Meseguer, K Sen,
P Thati
Broadcast Authentication
Attacker
Internet television, shared spectrum radio, digital satellite, etc.
Challenge of Broadcast Authentication
 Inefficient to use public key signatures for
each packet.
 Insecure to use a common distributed key.
 Inefficient, impractical, or impossible to use
unicast tunnels.
 Many proposals have been made to address
these problems.


Delayed key release.
Amortize costs of public key checks over
multiple packets.
Challenge of DoS for Broadcast
 Attacks in broadcast case are more likely to
be informed attacks in which sequence
numbers and other aspects of protocol state
are known.

TCP is very vulnerable to informed attacks.
 Authentication based on Public Key Checks
(PKCs) are vulnerable to signature flooding.
 Attacks on Forward Error Correction (FEC)
lead to higher overheads.
Security Models for DoS
 Common form of analysis: show that the victim can
defend against an attack that occupies his whole
channel.

Effective, but too conservative.
 Dolev-Yao: assume that the adversary controls the
channel and can use the legitimate sender at will.

Seems to give away the game.
 Attacks based on limited modification.
 Not a common case.
 “Tit for tat”: work commitment by initiator.
 Needs extension.
 Wanted: a more realistic model of attack and
countermeasures to exploit it.
Shared Channel Model
 Adversary can replay and insert packets.
 Legitimate sender sends packets with a
maximum and minimum bandwidth.
 Legitimate sender experiences loss, but not
deliberate modification.
 Model is a four-tuple (W0, W1, A, p).



W0, W1 min and max sender b/w
A attacker max b/w
p loss rate of sender
Shared Channel Model Example
Sender Packet
S1
A1
S2
S3
Dropped Sender Packet
S4
A2
Attacker Packet
A3
S5
A4
A5
Signature Flooding
 Attack factor R = A / W1.
 Proportionate attack R = 1.
 Disproportionate attack R > 1.
 Stock PC can handle about 8000 PKC/sec.
 10Mbps link sends about 900 pkt/sec, 100Mbps link
sends about 9000 pkt/sec (assuming large packets).
 Processor is overwhelmed by too many signature
checks. Adversary can devote full b/w to bad
signatures at no cost.
 Budget: no more that 5% of processor on PKCs.
Broadcast Authentication Streams
Data Stream
Hash/Parity Stream
Signature Stream
Interleaving of Transmission Groups
Data
Hash
0
0
0
0
-1
0
0
0
0
-1
0
0
0
0
0
-1
1
1
1
1
0
1
1
1
1
0
1
1
1
1
1
0
Parity
Signature
Selective Sequential Verification
 The signature stream is vulnerable to
signature flooding: the adversary can devote
his entire channel to fake signature packets.
 Countermeasure:


Valid sender sends multiple copies of the
signature packet.
receiver checks each incoming signature
packet with some probability (say, 25% or
1%).
Attack Profile
A
R
A loads
this channel
with bad packets
S requires
low b/w
channel with
high processing
cost at R
S
Selective Verification
A
R
S
Selective Verification
A gets
reduced
channel
A
R
R makes
channels
lossy
Tradeoff:
bandwidth vs. processing
S
S adds
redundancy
How to Choose Parameters
 Parameters:




Attack factor R
Sender bandwidth W (packets/sec)
Packet loss rate p
Signature check budget K (per second)
 Theorem: A client receives a valid signature
with confidence at least 99% if the number of
signature copies is 5W(R+1) / (1-p)K.
Intuition
 Suppose we have 100 valid signature
packets hidden in a large set of packets with
invalid signatures.
 If we check each packet in the large set with
probability 5%, the probability that we do not
find a valid signature packet is at most
(1-(5 / 100))100 = (1-(1 / 20))20*5
≈ 1 / e5 < .01
In More Detail
 Suppose the client checks each signature packet with




probability π.
The probability that a signature packet is successfully
received and verified by the client is (1-p) π.
Let N be the number of signature packets.
The probability that none of the N signature packets
is successfully received and verified by the client is
(1-(1-p) π)N.
Roughly speaking, we set


π = K / RW
N = 5 / (1-p) π.
Sample Numbers
 10Mbps with 20% loss and 2 second latency
 1584 data packets
 11 hash packets, 11 parity packets
 20 signature packets, verification probability
25%
 100Mbps with 40% loss and 1 second latency
 8208 data packets
 57 hash packets, 66 parity packets
 200 signature packets, verification probability
2.5%
Selective Verification is Very Effective
9000
0.12
8000
no of fake signatures
0.1
0.06
0.04
0.02
7000
6000
5000
4000
3000
2000
1000
0
0
1
4
7
10
13
16
19
22
25
28
31
1
34
4
7
10
13
16
19
TGs x 64
TGs x 64
6.00%
5.00%
auth loss rate
sec/TG
0.08
4.00%
3.00%
2.00%
1.00%
0.00%
1
4
7
10
13
16
19
TGs x 64
22
25
28
31
34
22
25
28
31
34
Authentication Loss
20.00%
18.00%
16.00%
Auth Loss Rate(%)
14.00%
12.00%
100-40
100-5
10.00%
"10-40"
"10-5"
8.00%
6.00%
4.00%
2.00%
0.00%
1
2
3
4
5
6
7
8
9
10
11
12
13
Burst Rate (Pkts x 10)
14
15
16
17
18
19
20
Throughputs Under Severe Attacks
Little effect!
300
Thruput (Mbps)
250
10/5
10/20 10/40
100/5 100/20
100/40
100/5 100/20
100/40
200
sender
150
receiver
100
50
0
Factor 10
400 PKC/TG
8% sig o/h
Factor 5
400 PKC/TG
8% sig o/h
Factor 5
1000 PKC/TG
3% sig o/h
The Asymmetry Paradigm
 Attackers leverage a feature that inflicts a great cost on
the server at little expense to the client
 Defenders leverage asymmetric goals:


Attacker: acquire all of a resource.
Client: acquire a single unit of resource.
 Inflate the cost of a resource that the attacker
consumes at a greater rate, so that it becomes a
bottleneck for the attacker before being able to deny
service.
Jujitsu: a martial art that forces attacker to
use his size and weight against himself.
Is the Asymmetry Paradigm
generally applicable?
 Applicable: Are there typically resources consumed
by the attacker more quickly than by the clients?
 Effective: Does an application of the asymmetry
paradigm remove the threat of DoS?
 Composition: Can the paradigm be applied without
changing the existing protocol?
TCP/IP: A case study
 Common
 Round Trip:
already have example for one-way protocol
 Susceptible to DoS attacks:
 SYN flood and others
 Existing solutions as benchmark:
 Increase size of SYN cache, random drop,
SYN cookies
TCP/IP: A case study
?
SP,DP,
SSN
SYN
SSN=123
SP, DP
SP,DP,
SSN, DSN
ACK=457
SP,DP,
SSN=124
SSN, DSN SP, DP
SP
SYN,ACK=124
SSN=456
SP, DP
SP,DP,
SSN, DSN
?
?
SP,DP,
SSN, DSN
 Connection initiation
 SYN, SYN+ACK, ACK 3-way handshake
 Agree on source, dest, source port, dest port, source
seq. #, dest seq. #
TCP’s Memory Requirements
 TCB Control Block: SSN, RxMT, Acked
 Packet buffers:
 Outgoing unacked data
 Incoming, unread + out-of-order data
 Until ESTABLISHED, only need: portno, ISN, ACK
 SYN Cache of size B
Example:
TCP SYN Cache
 Parameters:

Network capacity is rA = 300K SYNs/sec
(100Mbps Fast Ethernet)

B = 10,000

Slots free at rate of B/tA
 SYN cache occupancy:
 On timeout: tA = 100 seconds (30-120 seconds)
 On success: RTT = 10ms (<1 - 100 milliseconds)
SYN-flood defense:
selective processing
B
 If attacker arrives at rate <= f B/tA then (1-f)B slots reserved for legit
clients
SYN-flood defense:
selective processing
p
B
 If attacker arrives at rate <= f B/tA then (1-f)B slots reserved for legit
clients
 Process SYNs w/ probability p <= f B/(tA rA)
SYN-flood defense:
selective processing
X 1/p
Limited by net capacity.
p
B
X 1/p
 If attacker arrives at rate <= f B/tA then (1-f)B slots reserved for legit
clients
 Process SYNs w/ probability p <= f B/(tA rA)
 Increase connection rate by 1/p
SYN-flood defense:
selective processing
rA
p rA
p
B
X 1/p
 If attacker arrives at rate <= f B/tA then (1-f)B slots reserved for legit
clients
 Process SYNs w/ probability p <= f B/(tA rA)
 Increase rate by 1/p
 Attacker rate of p rA cannot fill more than f B slots
SYN-flood defense:
selective processing
rA
p rA
p
B
X 1/p
 Process SYNs w/ probability p <= f B/(tA rA)
 Examples:



If p = 10-3/6, then attacker can never occupy more than half of SYN
cache, but clients rxmt 6000 SYNs/connection
If increase size to 30B, and p = .005 then same .5 limit, but client
only rxmts 200 SYNs/connection. For 500KB file, this is only 2%
overhead.
Without selective processing (p = 1) need B’ = 6 X 107 (= 6000B) to
achieve the same level of defense.
Experimental validation:
Successful connections vs. attack rate
 Attack rate in
SYNs/sec
received at server
 Graph shows
successful
connections per
450 threads
 Defenseless
kernel: >6
SYNs/sec shuts
out client
Attack rate
Model predicts cliff
Conclusion
 Progress is possible on formal analysis of
availability.
 New models are more realistic and point to
new countermeasures.
 Key concepts:



Shared Channel Model
Selective Processing Countermeasures
Asymmetry Paradigm