Formal Methods for Quality of Standards, Conformity Assessment and Security
O. Monkewich, Ph.D., P.Eng.
OMC International
Phone: +1 613 836-4406
Fax: +1 613 836-5430
E-mail: os.monkewich@sympatico.ca
Formal Methods and Security
• Error-free, unambiguous standards specified using SDL, MSC, ASN.1 and TTCN, languages with formal syntax and semantics
• Tools based on formal syntax and semantics can be certified as trusted tools by accredited organizations
• Machine-generated, tool-specific source code is difficult for attackers to understand or modify
• Source descriptions in SDL are easy for non-programmers to review, so they benefit from "many eyes" reviews
• Conformity assessment can find malicious content and vulnerabilities; test suites can be widely available
Manual work is offloaded to trusted tools.
GSC-8, OTTAWA
Understandability of open source code

[Figure 1 (a): SDL process diagram, reconstructed as text. DCL a, b, sum Integer; state WaitForNumber1, input number1(a); state WaitForNumber2, input number2(b); task sum := CALL Add(a, b); output result(sum); procedure Add computes sum := a + b.]

Figure 1 (b), the corresponding hand-written C:

```c
#include <stdio.h>

int calc(int m, int n);

int main(void)
{
    int x, y, sum;

    puts("\nPlease enter two integers:\n");
    /* scanf returns the number of fields converted; refuse anything but two integers */
    if (scanf("%d", &x) != 1 || scanf("%d", &y) != 1) {
        fputs("Input was not two integers.\n", stderr);
        return 1;
    }
    sum = calc(x, y);
    printf("\nThe sum of the two numbers you entered is: %d\n", sum);
    return 0;
}

/* Adds m and n and returns the sum (the SDL procedure Add). */
int calc(int m, int n)
{
    int s;
    s = m + n;
    return s;
}
```

Figure 1 – (a) illustrates an SDL process which adds two numbers, a and b, and returns their sum; (b) is the corresponding hand-written code in the C programming language. The examples illustrate language readability characteristics from the point of view of the non-programmer.
A common vulnerability can be detected with conformance testing

[Figure 2 (a): diagram with ATTACKER, ANY WEB SITE (10.1.1.20) and VICTIM (hosts 10.1.1.10 and 10.1.1.30 in the figure), exchanging SYN, SYN/ACK and RESET]
[Figure 2 (b): TCP header layout, in order: Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, flags URG ACK PSH RST SYN FIN, Window, Checksum, Urgent Pointer, Options (if any), Data]

Figure 2 – A common attack method uses TCP/IP SYN packets to transfer a covert program one ASCII character at a time. Figure 2 (a) shows how packets can be bounced off any Web site to make detection of the attacker more difficult; Figure 2 (b) shows the TCP packet format, including the Sequence Number field.
TCP Packet Sequence Number Conformance Test in TTCN

Figure 3 – A test case in TTCN, derived from the SDL specification, that tests the value of the Sequence Number field in the TCP SYN packet.
TCP Packet in ASN.1 and Constraint

Figure 4 – ASN.1 representation of the TCP packet, named TCP_SYN, and the corresponding value TCP_SYN1 with the field values filled in.
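The checks that Figures 2 to 4 describe, carried through in working C as an added example (this is not code from the slides, nor from any ITU-T tool): a parser for the TCP header of Figure 2 (b), followed by the Sequence Number test on SYN packets. The detection rule is this example's own assumption: a SYN whose 32-bit Sequence Number is a single printable ASCII value (0x20 to 0x7E) is flagged, because that is what a one-character-per-SYN channel produces. The sample packets, ports and window size are constructed.

```c
/* Added example; not part of the GSC-8 slides. Parses a raw TCP header and
 * applies a Sequence Number check of the kind Figures 2-4 describe.
 * ASSUMPTION: the rule (flag a plain SYN whose sequence number is one printable
 * ASCII value) is this example's own; sample packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_MIN_HDR   20
#define TCP_FLAG_SYN  0x02
#define TCP_FLAG_ACK  0x10

struct tcp_hdr {
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  data_offset;          /* header length in 32-bit words */
    uint8_t  flags;                /* low 6 bits: URG ACK PSH RST SYN FIN */
    uint16_t window, checksum, urgent;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 0 on success; -1 if the buffer is shorter than the header claims. */
int tcp_parse(const uint8_t *buf, size_t len, struct tcp_hdr *h) {
    if (len < TCP_MIN_HDR) return -1;
    h->src_port    = rd16(buf);
    h->dst_port    = rd16(buf + 2);
    h->seq         = rd32(buf + 4);
    h->ack         = rd32(buf + 8);
    h->data_offset = buf[12] >> 4;
    h->flags       = buf[13] & 0x3F;
    h->window      = rd16(buf + 14);
    h->checksum    = rd16(buf + 16);
    h->urgent      = rd16(buf + 18);
    if (h->data_offset < 5 || (size_t)h->data_offset * 4 > len) return -1;
    return 0;
}

/* Verdict for one packet: 1 = plain SYN carrying a printable ASCII sequence
 * number, 0 = plain SYN with an ordinary sequence number, -1 = not a plain SYN
 * (e.g. SYN/ACK), -2 = malformed header. */
int check_packet(const uint8_t *buf, size_t len) {
    struct tcp_hdr h;
    if (tcp_parse(buf, len, &h) != 0) return -2;
    if ((h.flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) != TCP_FLAG_SYN) return -1;
    return (h.seq >= 0x20 && h.seq <= 0x7E) ? 1 : 0;
}

/* Recover the covert byte stream from a run of flagged SYNs (the channel of
 * Figure 2, read back by the analyst). Returns the number of characters written. */
size_t covert_extract(const uint8_t *const pkts[], const size_t lens[], size_t n,
                      char *out, size_t cap) {
    size_t k = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < n && k + 1 < cap; i++) {
        if (check_packet(pkts[i], lens[i]) != 1) continue;
        struct tcp_hdr h;
        tcp_parse(pkts[i], lens[i], &h);
        out[k++] = (char)h.seq;
    }
    out[k] = '\0';
    return k;
}

/* Constructed samples: src port 4660, dst port 80, data offset 5, window 8192. */
static const uint8_t SYN_H[20] = { 0x12,0x34, 0x00,0x50, 0x00,0x00,0x00,0x48,
    0x00,0x00,0x00,0x00, 0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00 };   /* seq = 'H' */
static const uint8_t SYN_I[20] = { 0x12,0x34, 0x00,0x50, 0x00,0x00,0x00,0x69,
    0x00,0x00,0x00,0x00, 0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00 };   /* seq = 'i' */
static const uint8_t SYN_NORMAL[20] = { 0x12,0x34, 0x00,0x50, 0x9A,0x3F,0x2C,0x11,
    0x00,0x00,0x00,0x00, 0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00 };   /* random ISN */
static const uint8_t SYNACK[20] = { 0x00,0x50, 0x12,0x34, 0x00,0x00,0x00,0x48,
    0x9A,0x3F,0x2C,0x12, 0x50,0x12, 0x20,0x00, 0x00,0x00, 0x00,0x00 };   /* SYN|ACK */

int main(void) {
    const uint8_t *const pkts[] = { SYN_H, SYN_NORMAL, SYN_I, SYNACK };
    const size_t lens[] = { 20, 20, 20, 20 };
    char text[16];
    size_t n = covert_extract(pkts, lens, 4, text, sizeof text);
    printf("flagged SYNs: %zu, covert text: \"%s\"\n", n, text);
    return 0;
}
```

The parser rejects a header whose Data offset claims more bytes than were captured, which is the same kind of field-versus-length check a TTCN test derived from the ASN.1 constraint of Figure 4 would make before looking at any value. A real TTCN suite would encode the rule declaratively rather than in C; the logic is the same.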
Buffer Overflow

[Figure 5: (a) the normal stack with Buffer 1, Buffer 2, Memory Pointer and Return Pointer; (b) the same stack after Buffer 2 is overrun in the fill direction with the Attacker's Machine Code and a New Return Pointer]

Figure 5 – The normal program memory stack with two buffers intended to accept user input, such as a credit card number, can be overwritten with the attacker's code. For the attacker's code to work, the attacker must know and understand the victim's code. This is difficult for the attacker to achieve because of the nature of machine-generated code and the need for special tools to change it. Formalisms that define language syntax and semantics make it possible to prove the correctness of the language's typing rules, so that no data can flow into a place not capable of holding it.
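The two copies below put the point of Figure 5 into running C, as an added example that is not code from the slides: an unchecked copy into Buffer 2 that spills into Buffer 1 and the saved return pointer, beside a typed copy that refuses any input that is not exactly the shape the field can hold. The frame is modelled as one byte array so the overrun can be run and measured without corrupting the real stack. The 16-digit card-number format, the 8-byte return-pointer slot and the sample inputs are this example's assumptions.

```c
/* Added example; not part of the GSC-8 slides. Models the Figure 5 frame
 * (Buffer 2, Buffer 1, saved return pointer) as one byte array so an unchecked
 * copy can be demonstrated safely. ASSUMPTIONS: the field is a 16-digit card
 * number; the model frame ends 8 bytes past the return pointer (a real stack
 * would not stop there). Inputs below are constructed. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CARD_DIGITS 16
#define BUF_SZ      (CARD_DIGITS + 1)          /* digits + NUL */
#define RET_SZ      8
#define FRAME_SZ    (2 * BUF_SZ + RET_SZ)
enum { OFF_BUF2 = 0, OFF_BUF1 = BUF_SZ, OFF_RET = 2 * BUF_SZ };

/* Vulnerable: copies up to the NUL, so a long input runs out of Buffer 2 into
 * Buffer 1 and then into the return pointer (the fill direction in Figure 5). */
void copy_card_unchecked(char *buf, const char *input) {
    strcpy(buf, input);
}

/* Typed: the field is exactly 16 decimal digits. Nothing is written unless the
 * input has that shape. Returns 0 on success, -1 on rejection. */
int copy_card_checked(char *buf, size_t buf_size, const char *input, size_t input_len) {
    if (buf_size < BUF_SZ || input_len != CARD_DIGITS) return -1;
    for (size_t i = 0; i < input_len; i++)
        if (input[i] < '0' || input[i] > '9') return -1;
    memcpy(buf, input, CARD_DIGITS);
    buf[CARD_DIGITS] = '\0';
    return 0;
}

/* Run one copy into a fresh model frame. checked != 0 selects the typed copy.
 * Returns 1 if the saved return pointer was altered, 0 if it is intact,
 * -1 if the input would run past the model frame itself. */
int return_pointer_clobbered(const char *input, int checked) {
    unsigned char frame[FRAME_SZ], ref[RET_SZ];
    memset(frame, 0, sizeof frame);
    memset(frame + OFF_RET, 0xAA, RET_SZ);   /* stand-in for the saved return address */
    memcpy(ref, frame + OFF_RET, RET_SZ);
    if (checked) {
        (void)copy_card_checked((char *)frame + OFF_BUF2, BUF_SZ, input, strlen(input));
    } else {
        if (strlen(input) + 1 > FRAME_SZ) return -1;
        copy_card_unchecked((char *)frame + OFF_BUF2, input);
    }
    return memcmp(frame + OFF_RET, ref, RET_SZ) != 0;
}

int main(void) {
    const char *ok  = "4111111111111111";                           /* 16 digits */
    const char *bad = "4111111111111111AAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes  */
    printf("unchecked, valid input:   ret clobbered=%d\n", return_pointer_clobbered(ok, 0));
    printf("unchecked, 40-byte input: ret clobbered=%d\n", return_pointer_clobbered(bad, 0));
    printf("checked,   40-byte input: ret clobbered=%d\n", return_pointer_clobbered(bad, 1));
    return 0;
}
```

The checked version is what a typing rule proved over the language amounts to at run time: the destination has a declared capacity and character set, and a value that does not fit is never moved. Note that the unchecked copy's result depends on the attacker knowing the frame layout (the offsets above), which is the knowledge the caption says machine-generated code makes harder to obtain.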
ASN.1 code portability and Trusted Tools

What is placed on the wire to transmit "John Smith"?
• Inside the protocol, define the type "Name" in ASN.1:
    Name ::= SEQUENCE { firstName PrintableString, lastName PrintableString }
• Assign values to the components firstName and lastName:
    firstName := "John"
    lastName := "Smith"
• The value of "Name" encoded with BER, in hex (tag, length, contents for each element):
    30 0D  13 04 4A 6F 68 6E  13 05 53 6D 69 74 68
    (SEQUENCE, 13 bytes) (PrintableString, 4 bytes, "John") (PrintableString, 5 bytes, "Smith")
• Converted into a binary stream of zeros and ones:
    00110000 00001101 00010011 00000100 01001010 ... 00010011 00000101 01010011 ...
    (SEQUENCE) (length) (PrintableString) (length) (J) ... (PrintableString) (length) (S) ...

Figure 6 – Using ASN.1 and Basic Encoding Rules (BER) to encode "John Smith" for transmission. This is done using trusted tools, so there are no errors due to manual coding.
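The encoding of Figure 6 in working C, as an added example that is not from the slides or from any ASN.1 tool: an encoder and a strict decoder for the type Name above. It does the two things a hand-packed encoder commonly gets wrong, checking that each string really is a PrintableString (the X.680 alphabet) and that every length is consistent, and it refuses rather than mis-encodes values that would need BER long-form lengths (128 bytes or more), which it does not implement. The buffer sizes and sample inputs are this example's own.

```c
/* Added example; not part of the GSC-8 slides. Encodes and decodes
 *   Name ::= SEQUENCE { firstName PrintableString, lastName PrintableString }
 * with BER definite short-form lengths only (contents under 128 bytes are
 * encoded; anything longer is rejected). Sample values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_SEQUENCE        0x30   /* universal 16, constructed */
#define TAG_PRINTABLESTRING 0x13   /* universal 19, primitive   */

/* X.680 PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ? */
static int is_printable_char(unsigned char c) {
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')) return 1;
    return c != '\0' && strchr(" '()+,-./:=?", c) != NULL;
}

/* One PrintableString TLV. Returns bytes written, or -1 (bad char, too long, no room). */
static int encode_printable(const char *s, uint8_t *out, size_t cap) {
    size_t n = strlen(s);
    if (n > 127 || cap < 2 + n) return -1;
    for (size_t i = 0; i < n; i++)
        if (!is_printable_char((unsigned char)s[i])) return -1;
    out[0] = TAG_PRINTABLESTRING;
    out[1] = (uint8_t)n;
    memcpy(out + 2, s, n);
    return (int)(2 + n);
}

/* Encode Name; returns total bytes written or -1. */
int encode_name(const char *first, const char *last, uint8_t *out, size_t cap) {
    uint8_t body[2 * (2 + 127)];
    int a = encode_printable(first, body, sizeof body);
    if (a < 0) return -1;
    int b = encode_printable(last, body + a, sizeof body - (size_t)a);
    if (b < 0) return -1;
    size_t len = (size_t)(a + b);
    if (len > 127 || cap < 2 + len) return -1;
    out[0] = TAG_SEQUENCE;
    out[1] = (uint8_t)len;
    memcpy(out + 2, body, len);
    return (int)(2 + len);
}

/* Strict decoder: tags must match, every length must be consumed exactly,
 * contents must be PrintableString, outputs are NUL-terminated. Returns 0 or -1. */
int decode_name(const uint8_t *in, size_t len,
                char *first, size_t fcap, char *last, size_t lcap) {
    if (len < 2 || in[0] != TAG_SEQUENCE || in[1] > 127 || (size_t)in[1] + 2 != len) return -1;
    const uint8_t *p = in + 2, *end = in + len;
    char *dst[2] = { first, last };
    size_t cap[2] = { fcap, lcap };
    for (int i = 0; i < 2; i++) {
        if (end - p < 2 || p[0] != TAG_PRINTABLESTRING || p[1] > 127) return -1;
        size_t n = p[1];
        if ((size_t)(end - p) < 2 + n || n + 1 > cap[i]) return -1;
        for (size_t k = 0; k < n; k++)
            if (!is_printable_char(p[2 + k])) return -1;
        memcpy(dst[i], p + 2, n);
        dst[i][n] = '\0';
        p += 2 + n;
    }
    return p == end ? 0 : -1;
}

/* Expected wire image for "John Smith": the bytes shown in Figure 6. */
static const uint8_t JOHN_SMITH_BER[15] = {
    0x30, 0x0D, 0x13, 0x04, 'J','o','h','n', 0x13, 0x05, 'S','m','i','t','h' };

int main(void) {
    uint8_t buf[64];
    int n = encode_name("John", "Smith", buf, sizeof buf);
    for (int i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("\n");
    return 0;
}
```

The decoder's insistence that the outer length equal the input length and that both inner elements end exactly at the outer boundary is what stops a crafted length byte from steering reads past the buffer; it is the same "no data flows into a place not capable of holding it" property as the typed copy in Figure 5, applied on the receive side.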
RFC Data Format

[Figure 7: TCP header in the RFC tabular layout, in order: Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, flags URG ACK PSH RST SYN FIN, Window, Checksum, Urgent Pointer, Options (if any), Data]

This non-standard data format is dominant in the Internet literature today. It is changed in arbitrary ways by authors, usually to fit the page. This format cannot be compiled or validated. ASN.1 can be compiled and validated.

Figure 7 – The tabular form of specifying packet structure and content is dominant in the literature today, but machines cannot understand it.
Conclusions
• Several aspects of network security can be improved through the use of:
    – Higher-quality protocol and test suite Recommendations specified in SDL, ASN.1, MSC and TTCN
    – Trusted tools based on SDL, ASN.1, MSC and TTCN for specification, validation, code generation and testing
• Machine-generated code is free of hand-coding errors and difficult for an intruder to modify
• Conformance tests traceable to the specification can detect malicious code
Resolution
• That ITU-T Study Groups will apply Recommendation A.3 Supplement 1, Guidelines on the Quality Aspects of Protocol-Related Recommendations, when developing new protocol-related Recommendations
• That ITU-T TSB will provide technical support and tools for the development and maintenance of complex Recommendations
• That companies that participate in GSC member organizations will make use of commercial tools based on formal methods in their reviews of draft Recommendations
• That companies that participate in GSC member organizations will promote the use of formal languages and tools in the IETF