Reasoning about Concurrency for Security Tunnels


Reasoning about Concurrency for Security Tunnels. Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign. Security Tunnels.


Reasoning about Concurrency for Security Tunnels

Alwyn E. Goodloe

University of Pennsylvania

Carl A. Gunter

University of Illinois Urbana-Champaign

Security Tunnels
  • A technique in which a pair of nodes share state that enables them to apply transformations to messages to ensure their security.
    • SSL, IPsec.
    • Our work assumes network layer tunnels, but not a specific technology.
  • Key-establishment protocols are employed to create a shared key.
    • Internet Key Exchange Protocol (IKE).
    • Secrecy and integrity of shared crypto information is typically the focus of formal analysis.
      • Not our focus.
Gateways + Tunnels
  • Tunnels and gateways can ensure that traffic is authenticated and authorized as satisfying some policy.
    • Firewalls do authorization, but not authentication of packets.
    • We assume VPN gateways.
  • The tunnels form a virtual topology in which traffic flow is governed by the gateway’s high-level policy.
  • Configuring a tunnel complex typically requires manual activity.
    • Discovery protocols that discover gateways and set up tunnels automate this task.
    • Establishment is a component of such protocols.
Authenticated Traversal
  • Ingress traffic to a gateway’s administrative domain must be authenticated and authorized.
    • Want to control what traffic is on your networks.
    • Protection against denial of service.
  • Egress traffic from an administrative domain must be authenticated and authorized.
    • Wireless gateways that are billing for services.
    • Protection against exfiltration.
Modeling Tunnels
  • A secure tunnel can be viewed “type-theoretically” as a rule for applying a constructor at the source and a destructor at the destination.
  • Security Association – the constructor/destructor pair.
    • Security association database (SAD).
  • Security Parameter Index (SPI) – uniquely identifies association.
  • Security Mechanism - directs traffic into the proper association.
    • Security mechanism database (SMD).
      • IPsec SPD.
Tunnel Example

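[Diagram: nodes A, G and B with tunnels ί1, ί2 and ί3. Labels, in slide order:]
  • Mechanism entries:
    • AB:[Out(B,ί3) Out(G,ί1)]
    • AB:[In(A,ί1)]
    • AB:[Out(B,ί2)]
    • AB:[In(A,ί3) In(G,ί2)]
  • Packets:
    • P(A,B,y)
    • P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))
    • P(A,B,S(ί3,P(A,B,y)))
    • P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y)))))
    • P(A,B,y)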
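
The packet forms on this slide can be reproduced with a small model of constructors, destructors and mechanism entries. This is an added example, not code from the presentation: the placement of mechanism entries on nodes A, G and B is inferred from the packet forms, `i1` to `i3` stand in for the slide's SPIs, and `SMD`, `process` and `run_example` are hypothetical names.

```python
# Added example, not from the slides. P(src, dst, payload) is a packet and
# S(spi, inner) a payload secured under the association named by spi.
def P(src, dst, payload):
    return ("P", src, dst, payload)

def S(spi, inner):
    return ("S", spi, inner)

# Mechanism database per node, keyed by the (src, dst) traffic selector.
# Assumption: entry placement is inferred from the slide's packet forms;
# i1, i2, i3 are ASCII stand-ins for the three SPIs.
SMD = {
    "A": {("A", "B"): {"in": [], "out": [("B", "i3"), ("G", "i1")]}},
    "G": {("A", "B"): {"in": [("A", "i1")], "out": [("B", "i2")]}},
    "B": {("A", "B"): {"in": [("A", "i3"), ("G", "i2")], "out": []}},
}

def process(node, pkt):
    """Apply destructors, check the traversal policy, apply constructors."""
    stripped = set()
    # Destructor: peel each secured layer that is addressed to this node.
    while pkt[2] == node and isinstance(pkt[3], tuple) and pkt[3][0] == "S":
        _, spi, inner = pkt[3]
        stripped.add((pkt[1], spi))
        pkt = inner
    entry = SMD[node].get((pkt[1], pkt[2]))
    # Authenticated traversal: the layers removed must be exactly the
    # In(...) associations this node requires for the selector.
    if entry is None or stripped != set(entry["in"]):
        raise PermissionError(f"{node} drops {pkt[1]}->{pkt[2]} traffic")
    # Constructor: wrap once per Out(peer, spi), in bundle order.
    for peer, spi in entry["out"]:
        pkt = P(node, peer, S(spi, pkt))
    return pkt

def run_example():
    """Follow P(A,B,y) from A through G to B; return each packet form."""
    at_a = process("A", P("A", "B", "y"))
    at_g = process("G", at_a)
    at_b = process("B", at_g)
    return at_a, at_g, at_b

if __name__ == "__main__":
    for form in run_example():
        print(form)
```

A packet that reaches B without both the `i2` and `i3` layers, or under an unknown SPI, raises `PermissionError` instead of being delivered.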

Establishment

[Diagram: message exchange between nodes A and B. Labels, in slide order:]
  • P(A,B, X(Req(S, D, ίA, K)))
  • In(A,ίB), SD:[In(A, ίB)]
  • P(B,A, X(Rep(S, D, ίA, ίB, K’)))
  • Out(B,ίB), SD:[Out(B, ίB)]
  • Out(A,ίA), DS:[Out(A, ίA)]
  • In(B,ίA), DS:[In(B, ίA)]

Friendly Fire

[Diagram: nodes A and B. Labels, in slide order:]
  • P(A,B,X(Req))
  • P(A,B,X(Req))
  • BA:[ίA]
  • AB:[ίB]
  • P(B,A,X(Rep))
  • P(A,B,X(Rep))

Preventing Deadlock
  • Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier.
    • Session identifiers are similar to protocol identifiers.
    • Session identifiers included in messages.
  • Session matching property. Packets match filters installed for a particular session.
  • Security associations may be shared among different sessions.
With Solution

[Diagram: nodes A and B. Labels, in slide order:]
  • P(A,B,X(Req(v2)))
  • P(A,B,X(Req(v1)))
  • BA:v1:[ίA]
  • AB:v2:[ίB]
  • P(B,A,X(Rep(v2)))
  • P(A,B,X(Rep(v1)))

Tunnel Calculus
  • Operational semantics for protocol stack.
    • Provides an abstract foundation for future tunnel protocols in light of their use in tunnel complexes.
    • A suitable version could be used to model IPsec, but not our current focus.
  • Based on multiset term rewriting modulo equations.
  • Allows one to reason about interactions between state installed at nodes and protocols.
Tunnel Calculus Layers

[Diagram: layer stack, in slide order:]
  • Discovery
  • Establishment
  • Authorization
  • Security Processing
  • Packet Forwarding

Grammar

[Grammar figure; captions:]
  • Secure message sent.
  • Send secure packet.
  • Message from the secure layer.
  • Pass state from one rule to the next and enforce an order of execution.

Layer Interaction

[Diagram: Node a and Node b; layers Higher Layer, Sec, Fwd.]

Secure Layer

Find the matching entry in MDB, select the bundle, apply the constructors in the bundle, and send the message to the forwarding layer.

Observing Messages
  • Given a trace M1, M2, M3 we want to observe only the secure send and receive messages in a session.
  • Q(u) – infinite set of secure send/receive terms of session u.
Equivalent Traces
  • During each run of the protocol some values are generated by the TC new operator.
    • SPI, acknowledgement identifiers.
  • t1~t2 iff they only differ in values generated by new.
  • M1~M2
  • T1~T2
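
The relation ~ can be checked mechanically by walking two terms in parallel and pairing up their new-generated values. This is an added example, not code from the presentation: it assumes that "differ only in values generated by new" means a consistent one-to-one renaming, and the tuple encoding, the `("new", name)` tag and the sample traces are constructed for illustration.

```python
# Added example, not from the slides. Terms are nested tuples; a value
# produced by the calculus' new operator is tagged ("new", name).
def is_new(t):
    return isinstance(t, tuple) and len(t) == 2 and t[0] == "new"

def equivalent(t1, t2, fwd=None, bwd=None):
    """True iff t1 and t2 differ only in new-generated values.

    Assumption: "differ only in" is read as a consistent one-to-one
    renaming, recorded in fwd (t1 -> t2) and bwd (t2 -> t1).
    """
    fwd = {} if fwd is None else fwd
    bwd = {} if bwd is None else bwd
    if is_new(t1) or is_new(t2):
        if not (is_new(t1) and is_new(t2)):
            return False
        # setdefault records a pairing on first sight and enforces it later.
        return (fwd.setdefault(t1[1], t2[1]) == t2[1]
                and bwd.setdefault(t2[1], t1[1]) == t1[1])
    if isinstance(t1, (tuple, list)) and isinstance(t2, (tuple, list)):
        return len(t1) == len(t2) and all(
            equivalent(a, b, fwd, bwd) for a, b in zip(t1, t2))
    return t1 == t2

def run(spi_a, spi_b, key="K"):
    """Constructed trace shaped like the Establishment slide's Req/Rep."""
    req = ("P", "A", "B", ("X", ("Req", "S", "D", ("new", spi_a), key)))
    rep = ("P", "B", "A", ("X", ("Rep", "S", "D", ("new", spi_a),
                                 ("new", spi_b), "K'")))
    return [req, rep]

if __name__ == "__main__":
    print(equivalent(run("s1", "s2"), run("s7", "s9")))   # fresh SPIs renamed
    print(equivalent(run("s1", "s2"), run("s7", "s7")))   # two SPIs collapsed
    print(equivalent(run("s1", "s2"), run("s7", "s9", key="K2")))
```

Tracking the renaming in both directions is what rejects a run in which two distinct fresh SPIs collapse into one.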
Simulation Lemma

[Diagram: M1, M2, M’1 and M’2, related by ~.]

Noninterference Theorem
  • Suppose T = M1…Mn is a trace in which session v is complete, where v is not in Free(M1).
  • Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1. Then