Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories


Presentation Transcript


  1. Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories. Gul Agha, Michael Greenwald, Carl Gunter, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati

  2. Formal Analysis of Cryptographic Protocols
     • Integrity and Confidentiality
       • the recipient is not fooled and does not leak information
     • Algebraic techniques
       • assume idealized cryptographic primitives
     • Complexity-theoretic techniques
       • based on complexity assumptions

  3. Availability Attack
     • Availability threats
       • whether the recipient is available to a valid sender
     • Algebraic and/or complexity-theoretic methods are not suitable for finding availability threats
       • they assume the adversary can insert, delete, or replay messages
       • an availability attack is then assured, since the adversary can delete any valid packet

  4. Availability Attack
     • Availability threats
       • whether the recipient is available to a valid sender
     • Algebraic and/or complexity-theoretic methods are not suitable for finding availability threats
       • they assume the adversary can insert, delete, or replay messages
       • an availability attack is then assured, since the adversary can delete any valid packet
     • How to model and analyze availability formally?

  5. Our Goal
     • Given a protocol P, let properties T hold for P
       • P is a traditional non-deterministic specification
       • T is a set of integrity and confidentiality properties
     • Extend P to P* and T to T*
       • P* is a DoS-hardened P
       • T* includes availability properties in addition to T
     • Goal
       • Prove that T* holds for P*
       • without re-proving that T holds for P

  6. Our Results
     • Given a protocol P, let properties T hold for P
       • P is a traditional non-deterministic specification
       • T is a set of integrity and confidentiality properties
     • Extend P to P* and T to T*
       • P* is a DoS-hardened P
       • T* includes availability properties in addition to T
     • Goal
       • Prove that T* holds for P*
       • without re-proving that T holds for P ?

  7. Modeling and Analysis
     • Probabilistic Rewrite Theories
       • Unified Algebraic Model
       • Probabilistic Object Model
     • Properties in Continuous Stochastic Logic (CSL)
     • Statistical Model-checking [Sen et al. CAV'04, CAV'05, QEST'05]
       • using Monte Carlo simulation
       • and statistical hypothesis testing
     • QuaTEx: Quantitative Temporal Expressions
       • Query language to gain quantitative insight about a model
       • Statistical computation of QuaTEx [QAPL'05]

  8. DoS Models and Counter-measures
     • "Shared Memory" model
       • the adversary cannot delete packets
       • the adversary can replay or insert messages in the network
     • "Asymmetry Paradigm"
       • the adversary attacks by recognizing that certain operations at the recipient are expensive, whereas invoking them is easy
       • so it uses all of its bandwidth to invoke expensive operations
       • this creates a difference (asymmetry)
       • the receiver can increase the burden on the attacker
       • "selective verification" is our approach
     C Gunter, S Khanna, K Tan, S Venkatesh 2004

  9. Selective Sequential Verification
     • The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets
     • Countermeasure:
       • the valid sender sends multiple copies of the signature packet
       • the receiver checks each incoming signature packet with some probability (say, 25% or 1%)

  10. Attack Profile (diagram of A, R, S)
     • A loads this channel with bad packets
     • S requires a low-bandwidth channel with high processing cost at R

  11. Selective Verification (diagram of A, R, S)

  12. Selective Verification (diagram of A, R, S)
     • A gets a reduced channel
     • S adds redundancy
     • R makes channels lossy
     • Tradeoff: bandwidth vs. processing

  13. TCP/IP: A case study
     • Common
     • Susceptible to DoS attacks:
       • SYN flood and others
     • Existing solutions as benchmark:
       • Increase size of SYN cache, random drop, SYN cookies

  14. TCP/IP: 3-way handshake (diagram; A: valid sender, B: valid receiver)
     A → B: SYN
     B → A: SYN + ACK (B records the half-open connection in its SYN cache)
     A → B: ACK

  15. TCP/IP: SYN Flood Attack (diagram; X: attacker, A: valid sender, B: valid receiver)
     X → B: SYN, SYN, ... (B's SYN cache fills up)
     A → B: SYN; SYN cache full; packet dropped

  16. TCP/IP: SYN Flood Attack (diagram; X: attacker, A: valid sender, B: valid receiver; B drops each incoming SYN with probability 0.75)
     X → B: SYN, SYN, ... (SYN cache)
     A → B: SYN
     B → A: SYN + ACK
     A → B: ACK
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

  17. Standard Rewrite Theories
     • rules are of the form t(x) → t'(x) if cond
     (diagram: t, t', cond)

  18. Probabilistic Rewrite Theories (PRTh)
     • we add probability information to rules: t(x) → t'(x, y) if cond with probability y := π(x)
     (diagram: t, t', cond)
     G Agha, J Meseguer, N Kumar, K Sen 2003

  19. Model TCP/IP 3-way handshake using PRwTh: P
     Receiver: ⟨B: buf, m⟩
     Message: (X ← content)
     Rules:
     [drop packet]:    ⟨B: buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B: buf, m⟩
     [process packet]: ⟨B: buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B: buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m))

  20. Model TCP/IP 3-way handshake using PRwTh: P*
     Receiver: ⟨B: buf, m⟩
     Message: (X ← content)
     One Rule (selective verification):
     ⟨B: buf, m⟩ (B ← SYN(X, n)) ⇒
       if drop? then ⟨B: buf, m⟩
       else ⟨B: buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m)) fi
     with probability drop? := BERNOULLI(p) .

  21. Availability Property
     • Property: The probability that eventually the attacker X successfully fills up the SYN cache of B is less than 0.01.
       P<0.01[◇(successful_attack())]
     • Statistical Model-checking using the Vesta model-checker
     K Sen, M Viswanathan, G Agha 2005

  22. Tools
     • PMaude: Extends Maude with probabilistic rewrite theories [QAPL'05]
       • Monte Carlo simulation of probabilistic rewrite theories with no un-quantified non-determinism
     • Vesta: Statistical model-checker for continuous stochastic logic [CAV'05]
       • Java implementation

  23. Results
     • Cache-size = 10,000
     • timeout = 10 seconds
     • number of valid senders = 100

  24. Quantitative Queries Using QuaTEx
     • What is the expected number of clients that successfully connect to S out of 100 clients?
     • What is the probability that a client connected to S within 10 seconds after it initiated the connection request?
     CountConnected() = if completed() then count() else ○(CountConnected()) fi;
     eval E[CountConnected()]

  25. Linux Kernel Test (graph: aggregate connections vs. attack rate; "Model predicts cliff")
     • Attack rate in SYNs/sec received at server
     • Graph shows successful connections per 450 threads
     • Defenseless kernel: >6 SYNs/sec shuts out client
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

  26. Results (graph): Expected number of clients out of 100 clients that get connected with the server under DoS attack

  27. Conclusion
     • A general framework for modeling and verifying DoS properties of communication protocols.
     • Capable of expressing and proving key availability properties.
     • Performance limitations require us to use scaled-down versions of the parameters.
     • Future Work
       • Addressing efficiency limitations
       • Verifying the properties for general systems

  28. Summary
     • Given a protocol P, let properties T hold for P
       • P is a traditional non-deterministic specification
       • T is a set of integrity and confidentiality properties
     • Extend P to P* and T to T*
       • P* is a DoS-hardened P
       • T* includes availability properties in addition to T
     • Goal
       • Prove that T* holds for P*
       • without re-proving that T holds for P

  29. SYN-flood defense: selective processing
     B: size of SYN-cache; t: timeout; 0 < f < 1; rX: attacker rate; p: probability of processing a SYN at B
     • If rX <= f B/t, then (1-f) B slots are reserved for legitimate clients
     (diagram: B)
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

  30. SYN-flood defense: selective processing
     B: size of SYN-cache; t: timeout; 0 < f < 1; rX: attacker rate; p: probability of processing a SYN at B
     • If rX <= f B/t, then (1-f) B slots are reserved for legitimate clients
     • Process SYNs with probability p <= f B/(t rX)
     (diagram: B, p)
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

  31. SYN-flood defense: selective processing
     B: size of SYN-cache; t: timeout; 0 < f < 1; rX: attacker rate; p: probability of processing a SYN at B
     • If rX <= f B/t, then (1-f) B slots are reserved for legitimate clients
     • Process SYNs with probability p <= f B/(t rX)
     • Increase SYN packets sent by valid sender by 1/p
     (diagram: B, p, ×1/p; "Limited by net capacity")
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004

  32. SYN-flood defense: selective processing
     B: size of SYN-cache; t: timeout; 0 < f < 1; rX: attacker rate; p: probability of processing a SYN at B
     • If rX <= f B/t, then (1-f) B slots are reserved for legitimate clients
     • Process SYNs with probability p <= f B/(t rX)
     • Increase SYN packets sent by valid sender by 1/p
     • Attacker rate of p rX cannot fill more than f B slots
     (diagram: rA, p rA, B, p, ×1/p)
     M Delap, M Greenwald, C Gunter, S Khanna, Y Xu 2004
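A Monte Carlo run of the P* receiver rule of slide 20 under the selective-processing bound of slides 29 to 32, as an added Python example that is not part of the talk, of PMaude or of Vesta: every SYN is processed with probability p = f B/(t rX) (a BERNOULLI(p) draw) and dropped otherwise, valid senders send 1/p copies, and the run reports peak attacker occupancy of the SYN cache and how many clients connect, with and without the defense. The one-second time step, the staggered client arrivals and the scaled-down parameters are constructed here, not taken from the deck.

```python
import math
import random


def processing_probability(cache_size, timeout, f, attacker_rate):
    """Largest p allowed by the slide's bound p <= f*B/(t*r_X), capped at 1
    (p = 1 is the defenseless receiver that processes every SYN)."""
    return min(1.0, f * cache_size / (timeout * attacker_rate))


def simulate_syn_flood(cache_size, timeout, f, attacker_rate, n_clients,
                       duration, selective=True, seed=1):
    """Simulate the P* rule in 1-second steps (constructed model).
    A processed attacker SYN occupies a TCB for `timeout` seconds because the
    attacker never ACKs; a processed valid SYN completes the handshake at once
    and frees its TCB.  Valid senders send ceil(1/p) copies per attempt, retry
    every second until connected, and arrive staggered over the first
    duration - timeout seconds."""
    rng = random.Random(seed)
    p = processing_probability(cache_size, timeout, f, attacker_rate) if selective else 1.0
    copies = math.ceil(round(1 / p, 9))          # the 1/p redundancy of slide 31
    tcbs = []                                     # expiry times of attacker TCBs in the cache
    connected = set()
    peak = 0
    arrival = {c: c * (duration - timeout) // n_clients for c in range(n_clients)}
    for now in range(duration):
        tcbs = [e for e in tcbs if e > now]       # timeout frees stale TCBs
        for _ in range(attacker_rate):            # attacker's r_X SYNs this second
            if rng.random() < p and len(tcbs) < cache_size:
                tcbs.append(now + timeout)        # [process packet]; full cache drops it
        peak = max(peak, len(tcbs))
        for c in range(n_clients):                # valid senders that are still trying
            if c in connected or arrival[c] > now:
                continue
            for _ in range(copies):
                if rng.random() < p and len(tcbs) < cache_size:
                    connected.add(c)              # SYN-ACK sent, ACK returns
                    break
    return {"p": p, "copies": copies, "connected": len(connected),
            "peak_attacker_tcbs": peak}


if __name__ == "__main__":
    # constructed scaled-down parameters: B = 100 slots, t = 10 s, f = 0.5, r_X = 50 SYN/s
    for selective in (False, True):
        print("selective" if selective else "defenseless",
              simulate_syn_flood(100, 10, 0.5, 50, 100, 30, selective=selective))
```

With these parameters the defenseless receiver's cache is full after two seconds and later clients are shut out (the cliff of slide 25), while with p = 0.1 the attacker holds about f B = 50 slots and the clients get through.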