Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and.

Slides:



Advertisements
Similar presentations
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
PROJECT IN COMPUTER SECURITY IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012.
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.
Routing Basics By Craig Lindstrom. Overview Routing Process Routing Process Default Routing Default Routing Static Routing Static Routing Dynamic Routing.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Formal Verification of AODV Protocol using Cadence SMV Xin Liu and Jun Wang (CPSC513 Course.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Effects of Applying Mobility Localization on Source Routing Algorithms for Mobile Ad Hoc Network Hridesh Rajan presented by Metin Tekkalmaz.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Privacy-Preserving Cross-Domain Network Reachability Quantification
CS335 Networking & Network Administration Tuesday, May 11, 2010.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
1 Model Checking Orna Grumberg Technion Haifa, Israel Taiwan, October 8, 2009.
Review of the automata-theoretic approach to model-checking.
System Design Research Laboratory Specification-based Testing with Linear Temporal Logic Li Tan Oleg Sokolsky Insup Lee University of Pennsylvania.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Towards High-Assurance Hypervisors Jason Franklin Joint with Anupam Datta, Sagar Chaki, Ning Qu, Arvind Seshadri.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
ROUTING ON THE INTERNET COSC Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
Mobile IP Performance Issues in Practice. Introduction What is Mobile IP? –Mobile IP is a technology that allows a "mobile node" (MN) to change its point.
1 Internet Protocol: Forwarding IP Datagrams Chapter 7.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
S305 – Network Infrastructure Chapter 5 Network and Transport Layers.
Open Shortest Path First (OSPF) -Sheela Anand -Kalyani Ravi -Saroja Gadde.
1 Pertemuan 20 Teknik Routing Matakuliah: H0174/Jaringan Komputer Tahun: 2006 Versi: 1/0.
1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)
Network Layer introduction 4.2 virtual circuit and datagram networks 4.3 what’s inside a router 4.4 IP: Internet Protocol  datagram format  IPv4.
Routing protocols Basic Routing Routing Information Protocol (RIP) Open Shortest Path First (OSPF)
Router and Routing Basics
 Network Segments  NICs  Repeaters  Hubs  Bridges  Switches  Routers and Brouters  Gateways 2.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 6 Delivery and Routing of IP Packets.
Internetworking Concept and Architectural Model
A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.
Intrusion Tolerant Software Architectures Bruno Dutertre and Hassen Saïdi System Design Laboratory, SRI International OASIS PI Meeting.
Routing protocols. Static Routing Routes to destinations are set up manually Route may be up or down but static routes will remain in the routing tables.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
1 Version 3.1 Module 6 Routed & Routing Protocols.
Teknik Routing Pertemuan 10 Matakuliah: H0524/Jaringan Komputer Tahun: 2009.
Open Incremental Model Checking (OIMC) and the Role of Contracts Model-Based Programming and Verification.
A Framework for Reliable Routing in Mobile Ad Hoc Networks Zhenqiang Ye Srikanth V. Krishnamurthy Satish K. Tripathi.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
1 Chapter 4: Internetworking (IP Routing) Dr. Rocky K. C. Chang 16 March 2004.
Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a Specification Presenter: Scott Crosby.
Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.
1 Group Communications: Host Group and IGMP Dr. Rocky K. C. Chang 19 March, 2002.
1 CMPT 471 Networking II OSPF © Janice Regan,
Working at a Small-to-Medium Business or ISP – Chapter 6
Dynamic Routing Protocols II OSPF
Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014
Chapter 6 Delivery & Forwarding of IP Packets
Internet Networking recitation #4
Chapter 3: Dynamic Routing
Dynamic Routing Protocols II OSPF
ECE 544 Project3 Team member: BIAO LI, BO QU, XIAO ZHANG 1 1.
Working at a Small-to-Medium Business or ISP – Chapter 6
Computer Networks ARP and RARP
Control-Data Plane Separation
OSPF Protocol.
Presentation transcript:

Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and Gabi Nakibly Tel-Aviv University, December 5,

Motivation Attacks on network protocols, taking advantage of built-in vulnerabilities, are not easy to identify –Rely on legitimate functionality of the protocol –May involve only a small number of messages –Identifying attacks is done mostly manually, by experts, in an ad hoc manner

Goals Develop automatic methods for identifying attacks in network protocols Using methods and tools for formal verification of software and hardware –Model checking

4 Model Checking [CE81,QS82] An efficient procedure that receives:  A finite-state model describing a system  A temporal logic formula describing a property It returns yes, if the system has the property no + Counterexample, otherwise

5 Mutual Exclusion Example Two process mutual exclusion with shared semaphore Each process has three states Non-critical (N) Trying (T) Critical (C) Semaphore can be available (sem=1) or taken (sem=0) Initially both processes are in the Non-critical state and the semaphore is available --- N 1 N 2 S 0 S 0 denotes sem=0 S 1 denotes sem=1

Mutual Exclusion Example P = P 1 || P 2 P i :: while (true) { if (v i == N) v i = T; else if (v i == T && sem=1) {v i = C; sem=0;} else if (v i == C) {v i = N; sem=1;} } Initial state: (v 1 == N, v 2 == N, sem=0) 6

7 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) The two processes are never in their critical states at the same time The state with (C 1  C 2 ) is not reachable

8 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 0

9 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 1

10 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 2

11 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 3

12 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (C 1  C 2 ) S 4  S 0  …  S 3 

13 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 ) The two processes are never in their trying states at the same time

14 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 )

15 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG  (T 1  T 2 )

16 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M |  AG  (T 1  T 2 ) A violating state has been found

17 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M |  AG  (T 1  T 2 ) Model checking returns a counterexample

Our goals To search for attacks using model checking For this purpose, we define: Model –Represents the protocol’s behaviors –Includes an attacker with predefined capabilities Specification –Specifies “suspect” states

Challenges Building a model which is –Sufficiently detailed: to enable identifying attacks based on the protocol's functionality –Sufficiently reduced: feasible for model checking tools Write general specification to identify different kinds of attacks with different techniques

Advantages of our approach We do not need to define an attack, but only its possible outcome. –Specifying suspect states requires less knowledge and efforts than defining an attack –May enable finding new attacks, unknown by now

Routing in the Internet How do packets get from A to B in the Internet? A B Internet

Routing in the Internet Each router makes a local decision on how to forward a packet towards B A B R1 R4 R2 R3 R6 R7 R5 R8

Research Focus - OSPF We focused on the routing protocol Open Shortest Path First (OSPF) OSPF is widely used for routing in the Internet –Finding attacks on OSPF is significant OSPF is a complex protocol –We may be able to derive insights from its modeling to modeling of other network protocols

OSPF Each router compiles a database of the most recent OSPF messages received from all routers in the network A B R1 R4 R2 R3 R6 R7 R5 R8 OriginatorList of neighbors Links costs r1r4,r6,r2, r3 … r2r3,r1,r8… ……… database network Using this database a router obtains a complete view of the network topology

OSPF OSPF messages are flooded through the network OriginatorList of neighbors Links costs r6r4,r1,r8… OSPF message M A B R1 R4 R2 R3 R6 R7 R5 R8 network M M M M M M M M

OSPF Attacks The goal of an OSPF attacker is to advertise fake messages on behalf of some other router(s) in the network. OriginatorList of neighbors Links costs r5 r3,r8… fake OSPF message M A B R1 R4 R2 R3 R6 R7 R5 R8 network M

OSPF Attacks A B R1 R4 R2 R6 R7 R5 R8 A B R1 R4 R2 R3 R6 R7 R5 R8 M Routing path before from A to B R3 Routing path after from A to B

OSPF Fight Back Mechanism A B R1 R4 R2 R6 R7 R5 R8 M M M M M M When a router receives a message in its own name that it didn't originate, it sends a fight back message to all its neighbors The fight back message is supposed to revert the effect of the attack eventually M R3 M M Originato r List of neighbors Links costs r5r3,r8… fake OSPF message - M

OSPF Attacks An attack is a run of the protocol that creates a fake topology view for some routers in the network An attack is called persistent if the fake topology view remains in some routers' databases We are interested in finding persistent attacks

OSPF Concrete Model A fixed network topology Router Model –Models a legitimate router Attacker Model –Models a malicious router can send any random message to any random destination router can ignore incoming messages.

In our model: Messages originated by the attacker are marked with a special flag isFake This flag is not part of the OSPF standard, and legitimate routers do not make use of it This flag allows us to easily define the specifications for the model

OSPF Concrete Model Our formal model for OSPF is a finite state machine with global states and transitions The model is a simplified version of OSPF, which includes the fight back mechanism

Specification A global state is considered attacked if: –Some router has a fake message in its database –No message resides in any router's queue An attacked state defines the outcome of a successful persistent attack regardless of a specific attack technique

Model Checking We implemented the model of OSPF in C, and used the Bounded Model Checking tool CBMC to find persistent attacks on OSPF A counterexample returned by CBMC is an attack

Example of Attacks on OSPF Attack #1 –The attacker (r3) originates a fake message: dest = r2, orig = r4 r0r0 r2r2 r1r1 r4r4 r3r3

Example of Attacks on OSPF Attack #2 The attacker (r3) sends two fake messages: m1 = (dest = r4, orig = r1, sequence_number = 1) m2 = (dest = r4, orig = r1, sequence_number = 2) r0r0 r2r2 r1r1 r4r4 r3r

Another demonstration of attack #2 on a different topology r0r0 r2r2 r1r1 r4r4 r3r r5r5 2 r8r8 r7r7 r6r

Concrete Model - Problems state explosion problem –Models that can be handled are very small in size and hence restricted in their topologies and functionality –We would like to extend our search for attacks to larger and more complex topologies

Abstract Model We are interested in general attacks –insensitive to most of the topology's details –can be applied in a family of topologies We define an abstract model which: –represents a family of concrete models –under-approximates each member in the family.

Abstract Model The abstract model consists of an abstract topology and an abstract protocol We defined several levels of abstract components An abstract topology may also contain some un- abstracted routers The attacker is always an un-abstracted router

Main Property of the Abstract Model If an attack is found on an abstract network, then there is a corresponding attack on each one of the concrete networks represented by it.

Example of an Abstract Attack on OSPF in the Abstract Model –The attacker sends a fake message with: dest=2, orig=4 a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

Example of an attack in a concrete instantiation of the abstract model a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

Example of a similar attack on another possible instantiation of the abstract model a0a0 r2r2 r1r1 r4r4 r3r3 a1a1 a2a2

Examples of attacks on OSPF in the abstract model Attack # 2 –The attacker (designated router) originates a fake message on behalf of sr1: m = (dest = sr5; orig = sr1; seq = 1; isFake = T) DR

Correctness of Our Method Lemma –For each abstract transition on the abstract topology, there is a corresponding concrete finite run on each matching concrete topology Abstract run Matching concrete run

Correctness of Our Method Theorem –An abstract attack found on an abstract topology T A, has a corresponding attack on each matching concrete topology T C.

Exposed OSPF vulnerabilities: a message is opened only by its destination the flooding procedure does not flood a message back to its source –As a result, a fake message in the name of router r might be sent through r –If the attacker plays the role of a designated router, then by ignoring messages it can stop message flooding, including fight back messages

Conclusion We automatically found attacks on small concrete models We automatically found general attacks on small abstract models The general attacks are applicable to huge networks, with possibly thousands of routers –No model checker can be applied directly to such networks

Conclusion We developed a novel technique for parameterized networks suitable for finding a counterexample (in our case an attack) on each member of the family

Thank You 51

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.