Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories - PowerPoint PPT Presentation

1 / 32

About This Presentation

Title:

Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories

Description:

Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories. Gul Agha ... for modeling and verifying DoS properties of communication protocols. ... – PowerPoint PPT presentation

Number of Views:78

Avg rating:3.0/5.0

Slides: 33

Provided by: secla

Category:

more less

Transcript and Presenter's Notes

Title: Formal Modeling and Analysis of DoS Using Probabilistic Rewrite Theories

1
Formal Modeling and Analysis of DoS Using
Probabilistic Rewrite Theories

Gul Agha
Michael Greenwald
Carl Gunter
Sanjeev Khanna

Jose Meseguer Koushik Sen Prasanna Thati
2
Formal Analysis of Cryptographic Protocols

Integrity and Confidentiality
Recipient not fooled or leaks information
algebraic techniques
assumes idealized cryptographic primitives
complexity-theoretic techniques
based on complexity assumptions

3
Availability Attack

Availability threats
whether recipient available to valid sender
algebraic and/or complexity theoretic methods are
not suitable for finding availability threats
assumes adversary can insert, delete, or replay
messages
availability attack is assured as the adversary
can delete any valid packet

4
Availability Attack

Availability threats
whether recipient available to valid sender
algebraic and/or complexity theoretic methods are
not suitable for finding availability threats
assumes adversary can insert, delete, or replay
messages
availability attack is assured as the adversary
can delete any valid packet
How to model and analyze availability formally?

5
Our Goal

Given a protocol P, let properties T hold for P
P is a traditional non-deterministic
specification
T is a set of integrity and confidentiality
properties
Extend P to P and T to T
P is DoS hardened P
T includes availability properties in addition
to T
Goal
Prove that T hold for P
without re-proving that T hold for P

6
Our Results

Given a protocol P, let properties T hold for P
P is a traditional non-deterministic
specification
T is a set of integrity and confidentiality
properties
Extend P to P and T to T
P is DoS hardened P
T includes availability properties in addition
to T
Goal
Prove that T hold for P
without re-proving that T hold for P

?
7
Modeling and Analysis

Probabilistic Rewrite Theories
Unified Algebraic Model
Probabilistic Object Model
Properties in Continuous stochastic logic (CSL)
Statistical Model-checking Sen et al. CAV04,
CAV05, QEST05
using Monte Carlo simulation
and statistical hypothesis testing
QuaTEx
Quantitative Temporal Expressions
Query language to gain quantitative insight about
a model
Statistical computation of QuaTEx QAPL05

8
DoS Models and Counter-measures

Shared Memory model
adversary cannot delete packet
adversary can replay or insert message in the
network
Asymmetry Paradigm
adversary attacks by recognizing
certain operations at recipient are expensive
whereas invoking them is easy
so it uses all of its bandwidth to invoke
expensive operations
creates a difference (asymmetry)
receiver can increase the burden on attacker
selective verification is our approach

C Gunter, S Khanna, K Tan, S Venkatesh 2004
9
Selective Sequential Verification

The signature stream is vulnerable to signature
flooding the adversary can devote his entire
channel to fake signature packets
Countermeasure
Valid sender sends multiple copies of the
signature packet
receiver checks each incoming signature packet
with some probability (say, 25 or 1)

10
Attack Profile
R
A
S
11
Selective Verification
R
A
S
12
Selective Verification
R makes channels lossy
R
A
Tradeoff bandwidth vs. processing
S
13
TCP/IP A case study

Common
Susceptible to DoS attacks
SYN flood and others
Existing solutions as benchmark
Increase size of SYN cache, random drop, SYN
cookies

14
TCP/IP 3-way handshake
A valid sender
B valid receiver
SYN
SYN ACK
SYN Cache
ACK
15
TCP/IP SYN Flood Attack
A valid sender
B valid receiver
X attacker
SYN
SYN
SYN Cache
SYN Cache Full Packet Dropped
16
TCP/IP SYN Flood Attack
A valid sender
B valid receiver
X attacker
SYN
SYN
SYN Cache
SYN ACK
ACK
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
2004
17
Standard Rewrite Theories

rules are of the form
t(x) ! t (x) if cond

t
t
cond
18
Probabilistic Rewrite Theories (PRTh)

we add probability information to rules
t(x) ! t(x,y) if cond with probability
y?(x)

t
t
cond
G Agha, J Meseguer, N Kumar, K Sen 2003
19
Model TCP/IP 3-way handshake using PRwTh

P
Receiver h B buf , mi
Message (X Ã content)
Rules
drop packet
h B buf , mi (BÃ SYN(X,n)) ) h B buf, mi
process packet
h B buf , mi (BÃ SYN(X,n)) )
h B buf TCB(X,m) , m1i (XÃ SYN-ACK(B,m))

20
Model TCP/IP 3-way handshake using PRwTh

P
Receiver h B buf , mi
Message (X Ã content)
One Rule (selective verification)
h B buf , mi (BÃ SYN(X,n))
)
if drop?
then
h B buf, mi
else
h B buf TCB(X,m) , m1i (XÃ SYN-ACK(B,m))
fi
with probability drop? BERNOULLI(p) .

21
Availability Property

Property The probability that eventually the
attacker X successfully fills up the SYN cache of
B is less than 0.01.
Plt0.01(sucessful_attack())
Statistical Model-checking using Vesta
model-checker

K Sen, M Viswanathan, G Agha 2005
22
Tools

PMaude Extends Maude with probabilistic rewrite
theories QAPL05
Monte Carlo simulation of probabilistic rewrite
theories with on un-quantified non-determinism
Vesta Statistical model-checker for continuous
stochastic logic CAV05
Java implementation

23
Results

Cache-size 10,000
timeout 10 seconds
number of valid senders 100

24
Quantitative Queries Using QuaTEx

What is the expected number of clients that
successfully connect to S out of 100 clients?
What is the probability that a client connected
to S within 10 seconds after it initiated the
connection request?
CountConnected() if completed() then count()
else (CountConnected()) fi
eval ECountConnected()

25
Linux Kernel Test

Attack rate in SYNs/sec received at server
Graph shows successful connections per 450
threads
Defenseless kernel gt6 SYNs/sec shuts out client

Aggregate connections
Attack rate
Model predicts cliff
M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
2004
26
Results
Expected number of clients out of 100 clients
that get connected with the server under DoS
attack
27
Conclusion

A general framework for modeling and verifying
DoS properties of communication protocols.
Capable of expressing and proving key
availability properties.
Performance limitations require us to use scaled
down version of parameters.
Future Work
Addressing efficiency limitations
Verifying the properties for general systems

28
Summary

Given a protocol P, let properties T hold for P
P is a traditional non-deterministic
specification
T is a set of integrity and confidentiality
properties
Extend P to P and T to T
P is DoS hardened P
T includes availability properties in addition
to T
Goal
Prove that T hold for P
without re-proving that T hold for P

29
SYN-flood defense selective processing
B size of SYN-cache t timeout 0 lt f lt 1 rX
attacker rate p probability of processing SYN
at B
B

rX lt f B/t, then (1-f)B slots reserved for
legit clients

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
2004
30
SYN-flood defense selective processing
B size of SYN-cache t timeout 0 lt f lt 1 rX
attacker rate p probability of processing SYN
at B
B
p

rX lt f B/t, then (1-f)B slots reserved for
legit clients
Process SYNs with probability p lt f B/(t rX)

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
2004
31
SYN-flood defense selective processing
B size of SYN-cache t timeout 0 lt f lt 1 rX
attacker rate p probability of processing SYN
at B
X 1/p
Limited by net capacity.
B
p
X 1/p

rX lt f B/t, then (1-f)B slots reserved for
legit clients
Process SYNs with probability p lt f B/(t rX)
Increase SYN packets sent by valid sender by 1/p

M Delap, M Greenwald, C Gunter, S Khanna, Y Xu
2004
32
SYN-flood defense selective processing
B size of SYN-cache t timeout 0 lt f lt 1 rX
attacker rate p probability of processing SYN
at B
rA
p rA
B
p
X 1/p