Title: Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories
1. Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories
- Gul Agha
- Michael Greenwald
- Carl Gunter
- Sanjeev Khanna
- Jose Meseguer
- Koushik Sen
- Prasanna Thati
2. Formal Analysis of Cryptographic Protocols
- Integrity and Confidentiality
  - Recipient is neither fooled nor made to leak information
- Algebraic techniques
  - assume idealized cryptographic primitives
- Complexity-theoretic techniques
  - based on complexity assumptions
3-4. Availability Attack
- Availability threats
  - whether the recipient is available to a valid sender
- Algebraic and/or complexity-theoretic methods are not suitable for finding availability threats
  - they assume the adversary can insert, delete, or replay messages
  - an availability attack is then assured, since the adversary can delete any valid packet
- How to model and analyze availability formally?
5. Our Goal
- Given a protocol P, let properties T hold for P
  - P is a traditional non-deterministic specification
  - T is a set of integrity and confidentiality properties
- Extend P to P' and T to T'
  - P' is the DoS-hardened P
  - T' includes availability properties in addition to T
- Goal
  - Prove that T' holds for P'
  - without re-proving that T holds for P
6. Our Results
- Given a protocol P, let properties T hold for P
  - P is a traditional non-deterministic specification
  - T is a set of integrity and confidentiality properties
- Extend P to P' and T to T'
  - P' is the DoS-hardened P
  - T' includes availability properties in addition to T
- Goal
  - Prove that T' holds for P'
  - without re-proving that T holds for P
?
7. Modeling and Analysis
- Probabilistic Rewrite Theories
  - Unified Algebraic Model
  - Probabilistic Object Model
- Properties in Continuous Stochastic Logic (CSL)
- Statistical Model-checking (Sen et al., CAV04, CAV05, QEST05)
  - using Monte Carlo simulation
  - and statistical hypothesis testing
- QuaTEx
  - Quantitative Temporal Expressions
  - Query language to gain quantitative insight about a model
  - Statistical computation of QuaTEx (QAPL05)
8. DoS Models and Counter-measures
- Shared Memory model
  - adversary cannot delete packets
  - adversary can replay or insert messages in the network
- Asymmetry Paradigm
  - adversary attacks by recognizing that
    - certain operations at the recipient are expensive
    - whereas invoking them is easy
    - so it uses all of its bandwidth to invoke the expensive operations
  - this creates a difference (asymmetry)
  - the receiver can increase the burden on the attacker
  - selective verification is our approach (C. Gunter, S. Khanna, K. Tan, S. Venkatesh, 2004)
9. Selective Sequential Verification
- The signature stream is vulnerable to signature flooding: the adversary can devote his entire channel to fake signature packets
- Countermeasure
  - Valid sender sends multiple copies of the signature packet
  - Receiver checks each incoming signature packet with some probability (say, 25% or 1%)
10. Attack Profile
[Figure: nodes R, A, S]
11. Selective Verification
[Figure: nodes R, A, S]
12. Selective Verification
[Figure: nodes R, A, S; "R makes channels lossy"; "Tradeoff bandwidth vs. processing"]
13. TCP/IP: A Case Study
- Common
- Susceptible to DoS attacks
  - SYN flood and others
- Existing solutions as benchmark
  - Increase size of SYN cache, random drop, SYN cookies
14. TCP/IP 3-way handshake
[Figure: A (valid sender), B (valid receiver); A -> B: SYN; B records the entry in its SYN cache and replies B -> A: SYN ACK; A -> B: ACK]
15. TCP/IP SYN Flood Attack
[Figure: A (valid sender), B (valid receiver), X (attacker); SYNs from X and A arrive at B; SYN cache full, packet dropped]
16. TCP/IP SYN Flood Attack
[Figure: A (valid sender), B (valid receiver), X (attacker); SYNs from X and A arrive at B's SYN cache; B -> A: SYN ACK; A -> B: ACK]
(M. Delap, M. Greenwald, C. Gunter, S. Khanna, Y. Xu, 2004)
17. Standard Rewrite Theories
- rules are of the form
  - t(x) → t'(x) if cond
[Figure: rule diagram labelled t, t', cond]
18. Probabilistic Rewrite Theories (PRTh)
- we add probability information to rules
  - t(x) → t'(x, y) if cond with probability y := π(x)
[Figure: rule diagram labelled t, t', cond]
(G. Agha, J. Meseguer, N. Kumar, K. Sen, 2003)
19. Model TCP/IP 3-way handshake using PRwTh
- P
  - Receiver: ⟨B | buf, m⟩
  - Message: (X ← content)
- Rules
  - drop packet
    - ⟨B | buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B | buf, m⟩
  - process packet
    - ⟨B | buf, m⟩ (B ← SYN(X, n)) ⇒ ⟨B | buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m))
20. Model TCP/IP 3-way handshake using PRwTh
- P'
  - Receiver: ⟨B | buf, m⟩
  - Message: (X ← content)
- One Rule (selective verification)
  - ⟨B | buf, m⟩ (B ← SYN(X, n))
    ⇒ if drop? then ⟨B | buf, m⟩
       else ⟨B | buf TCB(X, m), m+1⟩ (X ← SYN-ACK(B, m)) fi
    with probability drop? := BERNOULLI(p) .
21. Availability Property
- Property: The probability that eventually the attacker X successfully fills up the SYN cache of B is less than 0.01.
  - P_{<0.01}(◇ successful_attack())
- Statistical Model-checking using the VeStA model-checker (K. Sen, M. Viswanathan, G. Agha, 2005)
22. Tools
- PMaude: extends Maude with probabilistic rewrite theories (QAPL05)
  - Monte Carlo simulation of probabilistic rewrite theories with no un-quantified non-determinism
- VeStA: statistical model-checker for continuous stochastic logic (CAV05)
  - Java implementation
23. Results
- Cache size: 10,000
- Timeout: 10 seconds
- Number of valid senders: 100
24. Quantitative Queries Using QuaTEx
- What is the expected number of clients that successfully connect to S out of 100 clients?
- What is the probability that a client connected to S within 10 seconds after it initiated the connection request?
- CountConnected() = if completed() then count() else ○(CountConnected()) fi
- eval E[CountConnected()]
25. Linux Kernel Test
- Attack rate in SYNs/sec received at server
- Graph shows successful connections per 450 threads
- Defenseless kernel: > 6 SYNs/sec shuts out the client
[Figure: aggregate connections vs. attack rate; "Model predicts cliff"]
(M. Delap, M. Greenwald, C. Gunter, S. Khanna, Y. Xu, 2004)
26. Results
[Figure: expected number of clients out of 100 clients that get connected with the server under DoS attack]
27. Conclusion
- A general framework for modeling and verifying DoS properties of communication protocols.
- Capable of expressing and proving key availability properties.
- Performance limitations require us to use scaled-down versions of the parameters.
- Future Work
  - Addressing efficiency limitations
  - Verifying the properties for general systems
28. Summary
- Given a protocol P, let properties T hold for P
  - P is a traditional non-deterministic specification
  - T is a set of integrity and confidentiality properties
- Extend P to P' and T to T'
  - P' is the DoS-hardened P
  - T' includes availability properties in addition to T
- Goal
  - Prove that T' holds for P'
  - without re-proving that T holds for P
29-32. SYN-flood defense: selective processing
- Parameters
  - B: size of the SYN-cache
  - t: timeout
  - f: fraction, 0 < f < 1
  - r_X: attacker rate
  - p: probability of processing a SYN at B
[Figure: labels B, p, × 1/p, r_A, p·r_A; "Limited by net capacity."]
- If r_X < f·B/t, then (1-f)·B slots are reserved for legitimate clients
- Process SYNs with probability p < f·B/(t·r_X)
- Increase the SYN packets sent by a valid sender by a factor of 1/p
- An effective attacker rate of p·r_X cannot fill more than f·B slots
(M. Delap, M. Greenwald, C. Gunter, S. Khanna, Y. Xu, 2004)
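The following Monte Carlo simulation is an added example for this summary, not the authors' PMaude or VeStA code. It turns the selective-verification rule of slides 19-20 into a discrete-time simulation, evaluates the two quantities the slides query (E[CountConnected()] from slide 24 and an estimate of P(◇ successful_attack()) from slide 21), and checks the slide 29-32 parameter rule p < f·B/(t·r_X). All parameters are constructed and scaled down (B = 100 slots, t = 10 steps, r_X = 100 SYNs per step, f = 0.5, 100 clients), and the model is simplified in two labelled ways: a valid client's handshake completes in the step its SYN is processed, so only attacker entries occupy the cache until they time out, and the attacker never completes a handshake. The names `Params`, `simulate`, `monte_carlo`, `syn_processing_bound` and `hoeffding_samples` are this example's own.

```python
# Added example (not the slides' PMaude/VeStA model): Monte Carlo estimation of the
# availability properties of a SYN cache protected by selective processing.
import math
import random
from dataclasses import dataclass

ATTACKER = -1  # marker for an attacker SYN in the per-step arrival list


@dataclass
class Params:
    cache_size: int       # B: number of SYN-cache slots at receiver B
    timeout: int          # t: a half-open entry (TCB) expires after t steps
    attacker_rate: int    # r_X: attacker SYNs sent per step
    process_prob: float   # p: probability that B processes an incoming SYN
    n_clients: int        # number of valid senders
    arrival_window: int   # each client starts at a random step in [0, window)
    horizon: int          # number of simulated steps


def syn_processing_bound(cache_size, timeout, attacker_rate, f):
    """Slide 32 rule: processing SYNs with p < f*B/(t*r_X) keeps the attacker
    below f*B slots in expectation, leaving (1-f)*B slots for legitimate clients."""
    return f * cache_size / (timeout * attacker_rate)


def hoeffding_samples(eps, delta):
    """Runs needed so that |p_hat - p| < eps with probability >= 1 - delta
    (Hoeffding bound; a simple sample-size argument for statistical model checking)."""
    return math.ceil(math.log(2 / delta) / (2 * eps * eps))


def simulate(params, rng):
    """One run of the model. Returns
    (clients connected, whether the cache was ever full, peak attacker occupancy)."""
    p = params.process_prob
    copies = max(1, math.ceil(1 / p))          # slide 31: valid sender sends 1/p copies
    attacker_slots = []                        # expiry step of each attacker-held TCB
    start = [rng.randrange(params.arrival_window) for _ in range(params.n_clients)]
    remaining = [copies] * params.n_clients    # SYN copies each client may still send
    connected = [False] * params.n_clients
    cache_full, peak = False, 0
    for step in range(params.horizon):
        attacker_slots = [e for e in attacker_slots if e > step]   # apply timeouts
        # arrivals this step: r_X attacker SYNs plus one SYN per still-trying client
        arrivals = [ATTACKER] * params.attacker_rate
        for c in range(params.n_clients):
            if not connected[c] and remaining[c] > 0 and start[c] <= step:
                arrivals.append(c)
                remaining[c] -= 1
        rng.shuffle(arrivals)                  # interleave attacker and client traffic
        for src in arrivals:
            if rng.random() >= p:              # drop? := BERNOULLI(p): SYN not processed
                continue
            if len(attacker_slots) >= params.cache_size:
                continue                       # SYN cache full, packet dropped
            if src == ATTACKER:
                attacker_slots.append(step + params.timeout)   # TCB held until timeout
            else:
                connected[src] = True          # simplification: handshake completes now, slot freed
        peak = max(peak, len(attacker_slots))
        cache_full = cache_full or len(attacker_slots) >= params.cache_size
    return sum(connected), cache_full, peak


def monte_carlo(params, runs, seed=0):
    """Estimate E[CountConnected()] (slide 24), P(eventually successful_attack())
    (slide 21) and the peak attacker occupancy over `runs` independent runs."""
    rng = random.Random(seed)
    results = [simulate(params, rng) for _ in range(runs)]
    mean_connected = sum(r[0] for r in results) / runs
    p_attack = sum(1 for r in results if r[1]) / runs
    peak = max(r[2] for r in results)
    return mean_connected, p_attack, peak


# Constructed, scaled-down parameters (the slides' own runs used a 10,000-slot cache).
B, T, R_X, F = 100, 10, 100, 0.5
DEFENSELESS = Params(B, T, R_X, 1.0, n_clients=100, arrival_window=30, horizon=60)
DEFENDED = Params(B, T, R_X, 0.04, n_clients=100, arrival_window=30, horizon=60)  # 0.04 < bound 0.05

if __name__ == "__main__":
    print("bound on p:", syn_processing_bound(B, T, R_X, F))
    for name, prm in (("p = 1 (no defense)", DEFENSELESS), ("p = 0.04", DEFENDED)):
        mean, p_att, peak = monte_carlo(prm, runs=50)
        print(f"{name}: E[connected]={mean:.1f}/100  P(cache full)={p_att:.2f}  "
              f"peak attacker slots={peak}")
    print("runs for eps=0.01, delta=0.05:", hoeffding_samples(0.01, 0.05))
```

With these constants the bound on p is 0.05; without the defense the attacker fills the cache in the first step of every run and only the clients that happen to arrive in a step where the cache has just timed out get through, whereas with p = 0.04 the cache is never full and roughly two thirds of the clients connect. That two-thirds figure is a property of the slide 31 rule rather than of the constants: sending exactly 1/p copies gives each client probability 1 - (1-p)^(1/p) ≈ 1 - 1/e of having at least one copy processed, so a deployment that wants a higher success rate needs a larger multiplier than 1/p. `hoeffding_samples` gives the plain sample-size bound for estimating a probability to within ±0.01; the VeStA checker cited on slide 21 uses sequential hypothesis testing instead, which typically needs fewer runs to accept or reject a bound such as P < 0.01.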