1
Automatic Vulnerability Checking of IEEE 802.16
WiMAX Protocols through TLA+
  • Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen
    and Hai Zhou
  • Northwestern University, Evanston IL, USA
  • Z. Judy Fu
  • Motorola Labs, Schaumburg IL, USA

2
Outline
  • Motivation
  • Our approach
  • Background on TLA
  • General methods and challenges
  • Results on WiMAX initial ranging and
    authentication
  • Conclusions and future work

3
Motivation
  • High-speed Wireless Metropolitan Area Networks
    (MAN) poised to become the Next Big Thing
  • IEEE 802.16 (WiMAX) with enormous backing from
    the industry is set to lead the broadband
    wireless network space
  • Security, as always, is key to its functioning
    and growth
  • However, security analysis of the IEEE 802.16
    protocol has been largely confined to manual
    analysis, which is
  • Incomplete
  • Inaccurate

4
Motivation (II)
  • Formal methods for automatic vulnerability
    checking are highly desirable
  • With completeness and correctness guarantees
  • Previous studies focus on security protocols and
    security properties only
  • CSP and FDR [Lowe96], Murφ [Shmatikov98],
    Symbolic traces and PS-LTL [Corin06]
  • Analyses of non-security protocols focus on
    resource exhaustion DoS attacks and ignore
    protocol malfunction attacks!
  • [Yu88], [Meadows99], and [Meadows02]

5
Our Approach
  • Vulnerability analysis of 802.16e specs and WiMAX
    standards
  • Systematic and automatic checking through formal
    methods
  • First specify the specs and the potential
    capabilities of attackers in the formal language
    TLA+ (the Temporal Logic of Actions)
  • Then model check for any possible attacks
  • The formal analysis can also help guide the fixing
    of the flaws

6
Outline
  • Motivation
  • Our approach
  • Background on TLA
  • General methods and challenges
  • Results on WiMAX initial ranging and
    authentication
  • Conclusions and future work

7
TLA and TLA+
  • TLA: a logic designed for specifying and
    reasoning about concurrent systems
  • TLA+: a complete spec language based on TLA
  • First translate the natural language spec into a
    TLA+ spec, sys
  • The correctness requirement is postulated as a
    TLA+ property, prop
  • Then, to verify correctness, prove sys => prop
  • The proof is done automatically by the model
    checker, TLC

8
Intro to TLA
  • TLA is a simple extension of linear temporal
    logic
  • With primed variables (x') for the next state
  • Temporal operator [] (always, i.e. forever)
  • A system is specified as
  • Init /\ [][Next]_x
  • The system satisfies Init initially and satisfies
    Next for all transitions (or leaves x unchanged)

9
TLA+ for Security
  • A protocol can be specified as one monolithic
    system
  • Or it can be specified as a composition of many
    components
  • CompA /\ CompB /\ \A i : Comp(i)
  • An attacker can be specified and composed with a
    protocol
  • System == Protocol /\ Attacker
  • Check security by
  • System => Properties

10
TLA+ Modeling Process
11
TLA+ Protocol Specification
  • Protocol specification in TLA+ can be easy or
    difficult
  • FSMs translate easily to TLA+
  • Tricky to go from an English description to a
    TLA+ spec: ambiguity, re-design, etc.
  • Process of protocol specification
  • Identify principals
  • Modularize principal behavior using TLA+
  • Compose a series of states and transitions for
    each principal
  • Specify the flow of control between principals

12
Outline
  • Motivation
  • Our approach
  • Background on TLA
  • General methods and challenges
  • Results on WiMAX initial ranging and
    authentication
  • Conclusions and future work

13
TLA+ Protocol Specification Challenges (I)
  • Vagueness in the English specification and the
    correctness of its translation to TLA+
  • Solutions
  • No good solution exists!
  • Better to have protocols specified in TLA+
  • Consult the standards committee and product
    implementation teams, among other things

14
TLA+ Protocol Specification Challenges (II)
  • State space explosion
  • Solutions
  • Combine similar states into one state without
    loss of functionality
  • Replace some random variables with constants plus
    some additional properties that simulate the
    effects of randomness
  • Define principals symmetrically, so that the
    different (symmetric) states are treated as one
    common state

15
Attacker Model
  • Attacker capability model similar to Dolev-Yao
    model
  • Basically, attackers can
  • Eavesdrop on and store messages.
  • Replay old messages.
  • Inject or spoof unprotected messages.
  • Corrupt messages on the channel by causing
    collisions.
  • We also assume ideal cryptography, which
    means unforgeable signatures, safe encryption and
    safe digests

16
Attacker Model - Challenges
  • Challenge: how to find realistic attacks under
    such an attacker model?
  • Our solution
  • Start with a very strong attacker model
  • TLC model checking may yield unrealistic attacks
  • Then weaken the attacker model
  • E.g. the attacker can continuously corrupt a
    response from the BS
  • Since we are only interested in realistic
    attacks, we put restrictions on attacker behavior
    to remove such attacks
  • This dynamic modification of the attacker model
    ends up with either
  • a complete robustness proof, OR
  • a report of a realistic attack

17
Property Specification
  • Focus on Denial of Service (DoS) currently
  • Client may reach a termination
  • <>(\A i \in PartySet : Party[i].state = ObjState)
  • Client may not terminate
  • ~<>(\A i \in PartySet : Party[i].state = ObjState)

18
Model Checking with TLC
  • TLC is a model checker for TLA+
  • It has both a simulation mode and a model checking
    mode
  • We run simulations before a complete model
    check
  • Since TLA+ is very expressive, TLC currently can
    only check safety properties
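To make the workflow of the preceding slides concrete (a protocol composed with an attacker as Init /\ [][Next]_x, a DoS property encoded so that a model checker can search for it, and the attacker model being weakened until only realistic attacks remain), here is an added example that is not part of the deck or the paper: a toy explicit-state checker in Python over a miniature ranging exchange. Every name in it (the SS states IDLE/WAITING/DONE, the actions ss_send, bs_respond, ss_receive, ss_timeout and attacker_corrupt, the bound MAX_ATTEMPTS) is constructed for the illustration and is not taken from the authors' TLA+ model.

```python
from collections import deque

# Protocol states of the subscriber station (SS) and contents of the shared
# ranging slot. Names are constructed for this toy; they are not the deck's.
IDLE, WAITING, DONE = "IDLE", "WAITING", "DONE"
EMPTY, REQ, RSP, CORRUPT = "empty", "REQ", "RSP", "CORRUPT"

# Bound used to turn "SS eventually reaches DONE" into a checkable safety
# property (the same trick slide 25 applies to the Authorized state).
MAX_ATTEMPTS = 3

# A state is an immutable record: (ss_state, slot, attempts, corruptions).
def init():
    return (IDLE, EMPTY, 0, 0)

# Each action maps a state to its successors; an empty list means the action
# is not enabled. This is the relational reading of a TLA+ action.
def ss_send(s):
    ss, slot, att, cor = s
    return [(WAITING, REQ, att + 1, cor)] if ss == IDLE and slot == EMPTY else []

def bs_respond(s):
    ss, slot, att, cor = s
    return [(ss, RSP, att, cor)] if slot == REQ else []

def ss_receive(s):
    ss, slot, att, cor = s
    return [(DONE, EMPTY, att, cor)] if ss == WAITING and slot == RSP else []

def ss_timeout(s):
    # A corrupted message is never delivered; the SS gives up and retries.
    ss, slot, att, cor = s
    return [(IDLE, EMPTY, att, cor)] if ss == WAITING and slot == CORRUPT else []

def attacker_corrupt(s, budget):
    # Dolev-Yao-style capability from slide 15: collide with a message on the
    # channel. budget=None is the unrestricted attacker of slide 16; an integer
    # is the weakened model that may corrupt at most that many times.
    ss, slot, att, cor = s
    if slot not in (REQ, RSP):
        return []
    if budget is None:
        return [(ss, CORRUPT, att, cor)]       # unbounded: no counter needed
    if cor < budget:
        return [(ss, CORRUPT, att, cor + 1)]
    return []

def next_states(s, budget):
    # Next == SSNext \/ BSNext \/ AttackerNext: Protocol /\ Attacker composed
    # by interleaving their actions over the shared state.
    succ = []
    for action in (ss_send, bs_respond, ss_receive, ss_timeout):
        succ += action(s)
    succ += attacker_corrupt(s, budget)
    return succ

def violates(s):
    # Safety encoding of the DoS property: still not DONE after the bound.
    ss, _slot, att, _cor = s
    return ss != DONE and att > MAX_ATTEMPTS

def model_check(budget):
    """Breadth-first exploration of the behaviours of Init /\ [][Next]_vars.
    Returns the shortest counterexample trace (list of states) or None."""
    start = init()
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if violates(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in next_states(s, budget):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

if __name__ == "__main__":
    for label, budget in (("unrestricted attacker", None),
                          ("at most 2 corruptions", 2)):
        trace = model_check(budget)
        print(f"{label}: {'no violation' if trace is None else 'counterexample'}")
        for state in trace or []:
            print("   ", state)
```

With the unrestricted attacker the checker returns exactly the kind of trace slide 16 calls unrealistic: the attacker corrupts every REQ or RSP forever, so the SS never reaches DONE. Restricting the attacker to fewer than MAX_ATTEMPTS corruptions (the "weaken the attacker model" step) removes that trace and the bounded property holds, which is the robustness-proof branch of the slide; a budget of MAX_ATTEMPTS or more reproduces the violation.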

19
Outline
  • Motivation
  • Our approach
  • Background on TLA
  • General methods and challenges
  • Results on WiMAX initial ranging and
    authentication
  • Conclusions and future work

20
Case Studies
  • Initial Ranging
  • Authentication processes
  • Chosen based on the criticality of the function
    and the probability of vulnerability

21
Initial Ranging Process
  • Initial ranging is the first step in which an SS
    communicates with a BS via message exchanges
  • The SS acquires the correct timing offset and
    power adjustments
  • The request-response communication continues
    until the BS is satisfied with the ranging
    parameters
  • Actual data communication can happen only if
    the initial ranging is successful

22
Initial Ranging TLA Model
  • In the TLA+ model, the correctness property is set
    as
  • \A i \in ContentionSlots : slot[i] ? <>
  •   /\ slot[i].type = REQ
  •   /\ slot[i].source.pendrequest = slot[i]
  • The attacker may affect the behavior of normal
    parties
  • Enforce SSs to go to the Done state without the
    attacker
  • []<>(SS.state = DONE)

23
DOS during Initial Ranging (found by TLC Model
Checking)
[Figure: frame layout with a DL subframe and a UL subframe; the UL subframe's contention-based initial ranging slots are each occupied by a REQ]
24
PKMv2 Authentication Process
  • SS and BS mutually authenticate each other and
    exchange keys for data encryption
  • PKMv2 is directed by two state machines in the SS
  • Authentication State Machine
  • TEK State Machine
  • PKMv2 employs an SA-TEK three-way handshake for the
    BS and the SS/MS to exchange their security
    capabilities

25
Authentication TLA+ Model
  • Each key has a lifetime, so the SS needs to get
    re-authorized from time to time
  • SSs should reach the Authorized state infinitely
    often
  • The correctness condition is
  • []<>(SS.state = Authorized)
  • TLC encounters the state space explosion problem
  • We restrict the SS to reaching the Authorized
    state at most a given number of times
  • With our attacker model, TLC model checking shows
    no suspicious trace
  • Hence, the authentication process is resistant to
    any attempt under our attacker capability model

26
Outline
  • Motivation
  • Our approach
  • Background on TLA
  • General methods and challenges
  • Results on WiMAX initial ranging and
    authentication
  • Conclusions and future work

27
Conclusions
  • A first step towards automatic vulnerability
    checking of any network protocol with
    completeness and correctness guarantees
  • Use TLA+/TLC to model all DoS attacks
  • Avoid state space explosion in property checking
  • Model attackers' capabilities for finding
    realistic attacks
  • Study the initial ranging and authentication
    processes in the 802.16 protocols

28
Future Work
  • Development of a rigorous process for protocol
    specification using the TLA+ language
  • Modeling of the inter-relationships of
    processes/components
  • Check vulnerabilities in other parts of the 802.16
    standards, such as mobility support and handoff
    procedures

29
Backup Slides
30
Our Approach
31
Related Work (2)
  • Automatically check with a formal language
  • For security network protocols
  • CSP and FDR [Lowe96]
  • Murφ [Shmatikov98]
  • Symbolic traces and PS-LTL [Corin06]
  • For DoS attacks
  • A formal specification and verification method
    for the prevention of denial of service [Yu88]
  • Game-based analysis of denial-of-service
    prevention protocols [Mahimkar05]

32
DOS during Initial Ranging (found by TLC Model
Checking)