Formal Analysis of Availability

Formal Models of Availability
Carl A. Gunter
University of Pennsylvania
(Soon to be the University of Illinois)
State of the Art in Formal Analysis of Security
 Excellent progress on the formal analysis of integrity and confidentiality.
 Algebraic techniques catch bugs quickly and can be automated. Many successful case studies with practical protocols.
 Complexity-theoretic techniques provide more complete proofs.
 Techniques are being derived to unify these.
 Modest progress on the formal study of availability.
 Limited formal models.
   Too conservative.
   Not realistic.
   Insufficient nomenclature.
   No automation.
   Few case studies or experimental validations.
   Fragile linkage to implementations.
Toward Formal Analysis of DoS
 Shared Channel Model
 Case study: DoS protection for authenticated broadcast.
C Gunter, S Khanna, K Tan, S Venkatesh
 Asymmetry Paradigm
 Case study: TCP.
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
 Composition and testing of DoS-resistant protocols.
 Case study: Layer three accounting (L3A).
A Goodloe, C Gunter, MO Stehr
 Unified algebraic model.
 Formalization of authentication protocols.
 Probabilistic term rewriting.
C Gunter, M Sherr, S Venkatesh
M Greenwald, C Gunter, S Khanna, J Meseguer, K Sen, P Thati
Broadcast Authentication
[Figure: a broadcast channel shared with an attacker.]
Internet television, shared spectrum radio, digital satellite, etc.
Challenge of Broadcast Authentication
 Inefficient to use public key signatures for each packet.
 Insecure to use a common distributed key.
 Inefficient, impractical, or impossible to use unicast tunnels.
 Many proposals have been made to address these problems.
   Delayed key release.
   Amortize costs of public key checks over multiple packets.
Challenge of DoS for Broadcast
 Attacks in the broadcast case are more likely to be informed attacks in which sequence numbers and other aspects of protocol state are known.
   TCP is very vulnerable to informed attacks.
 Authentication based on Public Key Checks (PKCs) is vulnerable to signature flooding.
 Attacks on Forward Error Correction (FEC) lead to higher overheads.
Security Models for DoS
 Common form of analysis: show that the victim can defend against an attack that occupies his whole channel.
   Effective, but too conservative.
 Dolev-Yao: assume that the adversary controls the channel and can use the legitimate sender at will.
   Seems to give away the game.
 Attacks based on limited modification.
   Not a common case.
 “Tit for tat”: work commitment by initiator.
   Needs extension.
 Wanted: a more realistic model of attack and countermeasures to exploit it.
Shared Channel Model
 Adversary can replay and insert packets.
 Legitimate sender sends packets with a maximum and minimum bandwidth.
 Legitimate sender experiences loss, but not deliberate modification.
 Model is a four-tuple (W0, W1, A, p).
   W0, W1: min and max sender b/w
   A: attacker max b/w
   p: loss rate of sender
Shared Channel Model Example
[Figure: timeline of sender packets S1–S5 interleaved with attacker packets A1–A5 on the shared channel. Legend: Sender Packet, Dropped Sender Packet, Attacker Packet.]
Signature Flooding
 Attack factor R = A / W1.
 Proportionate attack: R = 1.
 Disproportionate attack: R > 1.
 Stock PC can handle about 8000 PKC/sec.
 10Mbps link sends about 900 pkt/sec, 100Mbps link sends about 9000 pkt/sec (assuming large packets).
 Processor is overwhelmed by too many signature checks. Adversary can devote full b/w to bad signatures at no cost.
 Budget: no more than 5% of processor on PKCs.
Broadcast Authentication Streams
Data Stream
Hash/Parity Stream
Signature Stream
Interleaving of Transmission Groups
[Figure: table of Data, Hash, Parity and Signature packets across consecutive transmission groups (entries -1, 0, 1).]
Selective Sequential Verification
 The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets.
 Countermeasure:
   Valid sender sends multiple copies of the signature packet.
   Receiver checks each incoming signature packet with some probability (say, 25% or 1%).
Attack Profile
[Figure: sender S, receiver R and attacker A. S requires a low b/w channel with high processing cost at R; A loads this channel with bad packets.]
Selective Verification
[Figure: the same three parties. R makes channels lossy; A gets a reduced channel; S adds redundancy. Tradeoff: bandwidth vs. processing.]
How to Choose Parameters
 Parameters:
   Attack factor R
   Sender bandwidth W (packets/sec)
   Packet loss rate p
   Signature check budget K (per second)
 Theorem: A client receives a valid signature with confidence at least 99% if the number of signature copies is 5W(R+1) / ((1-p)K).
Intuition
 Suppose we have 100 valid signature packets hidden in a large set of packets with invalid signatures.
 If we check each packet in the large set with probability 5%, the probability that we do not find a valid signature packet is at most
   (1 - 5/100)^100 = (1 - 1/20)^(20·5) ≈ 1/e^5 < .01
In More Detail
 Suppose the client checks each signature packet with probability π.
   The probability that a signature packet is successfully received and verified by the client is (1-p)π.
   Let N be the number of signature packets.
   The probability that none of the N signature packets is successfully received and verified by the client is (1-(1-p)π)^N.
   Roughly speaking, we set
     π = K / (RW)
     N = 5 / ((1-p)π).
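As an added example (not code from the talk), the parameter choice of the last three slides in Python: π and N computed from R, W, p and K, the exact miss probability (1-(1-p)π)^N, and a small Monte Carlo run of the shared channel that also counts the public key checks the receiver actually performs. The traffic it generates is constructed; the 10Mbps figures used for it (W = 900 pkt/s, K = 5% of 8000 PKC/s) come from the Signature Flooding slide.

```python
import math
import random

# Added example (not the talk's code): choosing selective-verification parameters
# under the shared channel model.  Inputs are the talk's symbols: attack factor
# R = A/W1, sender bandwidth W (pkt/s), loss rate p, PKC budget K (checks/s).

def check_probability(K, W, R):
    """Per-packet verification probability pi.

    The signature channel carries at most W(R+1) packets/s (W from the sender
    plus A = R*W from the attacker), so pi = K / (W(R+1)) holds the expected
    number of public key checks per second to the budget K.
    """
    return min(1.0, K / (W * (R + 1)))

def signature_copies(W, R, p, K, confidence=0.99):
    """Copies N of the signature packet the sender must transmit.

    Talk's theorem: N = 5W(R+1) / ((1-p)K) gives 99% confidence, because
    (1-(1-p)pi)^N <= exp(-(1-p)*pi*N) = exp(-5).  Here 5 is generalized to
    ln(1/(1-confidence)) using the same exponential bound (assumption).
    """
    pi = check_probability(K, W, R)
    return math.ceil(math.log(1.0 / (1.0 - confidence)) / ((1.0 - p) * pi))

def miss_probability(N, p, pi):
    """Exact probability that no copy is both delivered (1-p) and checked (pi)."""
    return (1.0 - (1.0 - p) * pi) ** N

def simulate_second(W, R, p, K, N, seed=0):
    """One second of constructed traffic: N valid copies plus A = R*W bad-signature
    attacker packets, randomly interleaved.  Returns (valid_found, checks_done)."""
    rng = random.Random(seed)
    pi = check_probability(K, W, R)
    stream = ["valid"] * N + ["bad"] * int(R * W)
    rng.shuffle(stream)
    found, checks = False, 0
    for pkt in stream:
        if pkt == "valid" and rng.random() < p:
            continue                          # sender packet lost on the channel
        if rng.random() < pi:                 # selective verification
            checks += 1                       # one PKC, valid packet or not
            found = found or pkt == "valid"
    return found, checks

def success_rate(W, R, p, K, N, trials=20):
    """Fraction of independent seconds in which a valid signature was verified."""
    return sum(simulate_second(W, R, p, K, N, s)[0] for s in range(trials)) / trials
```

For W = 900, R = 10, p = 0.2 and K = 400, signature_copies(900, 10, 0.2, 400) returns 143 copies at π ≈ 4%, and the simulation performs well under the 400 PKC/s budget.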
Sample Numbers
 10Mbps with 20% loss and 2 second latency
   1584 data packets
   11 hash packets, 11 parity packets
   20 signature packets, verification probability 25%
 100Mbps with 40% loss and 1 second latency
   8208 data packets
   57 hash packets, 66 parity packets
   200 signature packets, verification probability 2.5%
Selective Verification is Very Effective
[Figure: two plots against transmission groups (x-axis "TGs x 64"): number of fake signatures (0–9000) with sec/TG (0–0.12) in one, auth loss rate (0.00%–6.00%) in the other.]
Authentication Loss
[Figure: Auth Loss Rate (%) (0.00%–20.00%) vs. Burst Rate (Pkts x 10) for four configurations: 100-40, 100-5, 10-40, 10-5.]
Throughputs Under Severe Attacks
Little effect!
[Figure: sender vs. receiver throughput (Mbps, 0–300) for configurations 10/5, 10/20, 10/40, 100/5, 100/20, 100/40 under three settings: Factor 10, 400 PKC/TG, 8% sig o/h; Factor 5, 400 PKC/TG, 8% sig o/h; Factor 5, 1000 PKC/TG, 3% sig o/h.]
The Asymmetry Paradigm
 Attackers leverage a feature that inflicts a great cost on the server at little expense to the client.
 Defenders leverage asymmetric goals:
   Attacker: acquire all of a resource.
   Client: acquire a single unit of resource.
 Inflate the cost of a resource that the attacker consumes at a greater rate, so that it becomes a bottleneck for the attacker before being able to deny service.
Jujitsu: a martial art that forces the attacker to use his size and weight against himself.
Is the Asymmetry Paradigm generally applicable?
 Applicable: Are there typically resources consumed by the attacker more quickly than by the clients?
 Effective: Does an application of the asymmetry paradigm remove the threat of DoS?
 Composition: Can the paradigm be applied without changing the existing protocol?
TCP/IP: A case study
 Common
 Round Trip: already have example for one-way protocol
 Susceptible to DoS attacks:
   SYN flood and others
 Existing solutions as benchmark:
   Increase size of SYN cache, random drop, SYN cookies
TCP/IP: A case study
[Figure: the three-way handshake: SYN with SSN=123; SYN,ACK=124 with SSN=456; ACK=457 with SSN=124. Each side's SP, DP, SSN, DSN state is shown, with fields not yet known marked "?".]
 Connection initiation
   SYN, SYN+ACK, ACK 3-way handshake
   Agree on source, dest, source port, dest port, source seq. #, dest seq. #
TCP’s Memory Requirements
 TCB (Transmission Control Block): SSN, RxMT, Acked
 Packet buffers:
   Outgoing unacked data
   Incoming, unread + out-of-order data
 Until ESTABLISHED, only need: portno, ISN, ACK
   SYN Cache of size B
Example: TCP SYN Cache
 Parameters:
   Network capacity is rA = 300K SYNs/sec (100Mbps Fast Ethernet)
   B = 10,000
   Slots free at rate of B/tA
 SYN cache occupancy:
   On timeout: tA = 100 seconds (30-120 seconds)
   On success: RTT = 10ms (<1 - 100 milliseconds)
SYN-flood defense: selective processing
[Figure: SYN cache of B slots fed by SYNs arriving at rate rA; each SYN is processed with probability p, so p rA enter the cache and clients retransmit X 1/p. Limited by net capacity.]
 If attacker arrives at rate <= f B/tA then (1-f)B slots reserved for legit clients
 Process SYNs w/ probability p <= f B/(tA rA)
 Increase connection rate by 1/p
 Attacker rate of p rA cannot fill more than f B slots
 Examples:
   If p = 10^-3/6, then attacker can never occupy more than half of SYN cache, but clients rxmt 6000 SYNs/connection
   If increase size to 30B, and p = .005 then same .5 limit, but client only rxmts 200 SYNs/connection. For 500KB file, this is only 2% overhead.
   Without selective processing (p = 1) need B’ = 6 X 10^7 (= 6000B) to achieve the same level of defense.
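The SYN-cache arithmetic of the selective-processing slides as an added Python model (not the talk's code): the bound p <= f B/(tA rA), the attacker's steady-state occupancy, the client's expected retransmissions 1/p and the cache size needed without selection. The slide's own parameters (rA = 300K SYNs/sec, B = 10,000, tA = 100 s, f = 1/2) drive the demo; the 40-byte SYN size and the client arrival rate are constructed assumptions.

```python
# Added model of the talk's SYN-cache "selective processing" defense.  All
# function names are this example's own; the syn_bytes and client-rate values
# are constructed assumptions, the rest are the slide's parameters.

def max_process_probability(f, B, tA, rA):
    """Largest SYN-processing probability p that limits a flooder to f*B slots.

    A flooder sending at the full network rate rA gets p*rA SYNs processed per
    second, and each bogus half-open entry lives tA seconds before it times out,
    so its steady-state occupancy is p*rA*tA.  Bounding that by f*B gives
    p <= f*B / (tA*rA), which is the slide's rule.
    """
    return min(1.0, f * B / (tA * rA))

def attacker_slots(p, rA, tA):
    """Expected half-open slots held by a full-rate attacker (Little's law)."""
    return p * rA * tA

def legit_slots(p, r_client, rtt):
    """Slots held by legitimate clients, whose entries complete after one RTT."""
    return p * r_client * rtt

def reserved_for_clients(B, p, rA, tA):
    """Slots left for legitimate clients once the attacker's share is taken."""
    return max(0.0, B - attacker_slots(p, rA, tA))

def syns_per_connection(p):
    """Each client SYN is accepted with probability p, so a client sends a
    geometric number of SYNs with mean 1/p before the handshake starts."""
    return 1.0 / p

def retransmit_overhead(p, transfer_bytes, syn_bytes=40):
    """Client's extra SYN bytes relative to the transfer it wants to make
    (syn_bytes = 40 assumes a minimal IPv4/TCP SYN; constructed assumption)."""
    return syns_per_connection(p) * syn_bytes / transfer_bytes

def cache_size_without_selection(f, tA, rA):
    """Cache size B' needed to keep the attacker to a fraction f with p = 1."""
    return tA * rA / f

if __name__ == "__main__":
    rA, tA, f = 300_000, 100.0, 0.5
    for B in (10_000, 300_000):            # the slide's B and 30B
        p = max_process_probability(f, B, tA, rA)
        print(f"B={B}: p<={p:.6f}, client SYNs/conn={syns_per_connection(p):.0f}, "
              f"attacker holds {attacker_slots(p, rA, tA):.0f} slots, "
              f"overhead on 500KB={retransmit_overhead(p, 500_000):.1%}")
    print("B' needed with p=1:", cache_size_without_selection(f, tA, rA))
```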
Experimental validation: Successful connections vs. attack rate
[Figure: successful connections vs. attack rate; annotation: "Model predicts cliff".]
 Attack rate in SYNs/sec received at server
 Graph shows successful connections per 450 threads
 Defenseless kernel: >6 SYNs/sec shuts out client
Conclusion
 Progress is possible on formal analysis of availability.
 New models are more realistic and point to new countermeasures.
 Key concepts:
   Shared Channel Model
   Selective Processing Countermeasures
   Asymmetry Paradigm