Reasoning about concurrency for security tunnels

Alwyn E. Goodloe

University of Pennsylvania

Carl A. Gunter

University of Illinois Urbana-Champaign


Security Tunnels

  • A technique in which a pair of nodes share state that enables them to apply transformations to messages to ensure their security.

    • SSL, IPsec.

    • Our work assumes network layer tunnels, but not a specific technology.

  • Key-establishment protocols are employed to create a shared key.

    • Internet Key Exchange Protocol (IKE).

    • Secrecy and integrity of shared crypto information is typically the focus of formal analysis.

      • Not our focus.


Road Warrior Example


Hierarchy of Gateways


Gateways + Tunnels

  • Tunnels and gateways can ensure that traffic is authenticated and authorized as satisfying some policy.

    • Firewalls do authorization, but not authentication of packets.

    • We assume VPN gateways.

  • The tunnels form a virtual topology in which traffic flow is governed by the gateway’s high-level policy.

  • Configuring a tunnel complex typically requires manual activity.

    • Discovery protocols that discover gateways and set up tunnels automate this task.

    • Establishment is a component of such protocols.


Authenticated Traversal

  • Ingress traffic to a gateway’s administrative domain must be authenticated and authorized.

    • Want to control what traffic is on your networks.

    • Protection against denial of service.

  • Egress traffic from an administrative domain must be authenticated and authorized.

    • Wireless gateways that are billing for services.

    • Protection against exfiltration.


Modeling Tunnels

  • A secure tunnel can be viewed “type-theoretically” as a rule for applying a constructor at the source and a destructor at the destination.

  • Security Association – the constructor/destructor pair.

    • Security association database (SAD).

  • Security Parameter Index (SPI) – uniquely identifies an association.

  • Security Mechanism – directs traffic into the proper association.

    • Security mechanism database (SMD).

      • IPsec SPD.


Tunnel Example

[Figure: a tunnel complex with nodes A, G and B and SPIs ί1, ί2, ί3. Mechanism entries, read off the diagram: at A, AB:[Out(B,ί3) Out(G,ί1)]; at G, AB:[In(A,ί1)] and AB:[Out(B,ί2)]; at B, AB:[In(A,ί3) In(G,ί2)]. Packet forms along the path, in order:

P(A,B,y)

P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))

P(A,B,S(ί3,P(A,B,y)))

P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y)))))

P(A,B,y)]
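As an added illustration of the modeling slides and the tunnel example above (this is example code written for this page, not code from the talk or its authors), the following Python represents packets as nested terms, gives each node a security association database keyed by SPI and a security mechanism database keyed by flow, and replays the A, G, B example. The class and function names, the string SPIs i1/i2/i3 standing in for ί1/ί2/ί3, and the choice to keep G's In and Out entries for flow AB in one bundle are assumptions of this example.

```python
"""Model of the Tunnel Example slide: packets as nested terms, and per node a
security association database (sad, keyed by SPI) and a security mechanism
database (smd, keyed by flow).  Written for this page as an illustration; it
is not the authors' tunnel calculus."""
from dataclasses import dataclass, field


def P(src, dst, payload):
    """Packet term P(src, dst, payload)."""
    return ("P", src, dst, payload)


def S(spi, inner):
    """Secured payload S(spi, inner): the constructor for SPI spi applied to inner."""
    return ("S", spi, inner)


def secured(payload):
    return isinstance(payload, tuple) and payload[0] == "S"


@dataclass
class Node:
    name: str
    sad: dict = field(default_factory=dict)  # SPI -> peer of the association
    smd: dict = field(default_factory=dict)  # (src, dst) -> bundle of Out/In actions

    def outbound(self, pkt):
        """Apply each Out(peer, spi) constructor in the flow's bundle, in order:
        the first action becomes the innermost layer."""
        _, src, dst, _ = pkt
        for action in self.smd.get((src, dst), []):
            if action[0] == "Out":
                _, peer, spi = action
                if self.sad.get(spi) != peer:
                    raise ValueError(f"{self.name}: no association {spi} with {peer}")
                pkt = P(self.name, peer, S(spi, pkt))
        return pkt

    def strip(self, pkt):
        """Apply the destructor for the outermost layer.  The SPI must name an
        association with the outer source, and the mechanism entry for the
        inner flow must contain the matching In action."""
        _, outer_src, outer_dst, payload = pkt
        if outer_dst != self.name or not secured(payload):
            raise ValueError(f"{self.name}: nothing to strip from {pkt}")
        _, spi, inner = payload
        if self.sad.get(spi) != outer_src:
            raise ValueError(f"{self.name}: unknown SPI {spi} from {outer_src}")
        _, isrc, idst, _ = inner
        if ("In", outer_src, spi) not in self.smd.get((isrc, idst), []):
            raise ValueError(f"{self.name}: policy {isrc}->{idst} lacks In({outer_src},{spi})")
        return inner

    def receive(self, pkt, trace):
        """Strip every layer addressed to this node; then deliver locally (None)
        or re-secure the inner packet and hand it to forwarding."""
        while pkt[2] == self.name and secured(pkt[3]):
            pkt = self.strip(pkt)
            trace.append((self.name, pkt))
        if pkt[2] == self.name:
            return None
        out = self.outbound(pkt)
        trace.append((self.name, out))
        return out


def run_example():
    """Replay the A -> G -> B example; return the (node, packet) forms seen."""
    i1, i2, i3 = "i1", "i2", "i3"  # stand-ins for the slide's SPIs (assumption)
    a = Node("A", sad={i3: "B", i1: "G"},
             smd={("A", "B"): [("Out", "B", i3), ("Out", "G", i1)]})
    g = Node("G", sad={i1: "A", i2: "B"},
             smd={("A", "B"): [("In", "A", i1), ("Out", "B", i2)]})
    b = Node("B", sad={i3: "A", i2: "G"},
             smd={("A", "B"): [("In", "A", i3), ("In", "G", i2)]})
    nodes = {"A": a, "G": g, "B": b}
    trace = []
    pkt = P("A", "B", "y")
    trace.append(("A", pkt))
    pkt = a.outbound(pkt)
    trace.append(("A", pkt))
    while pkt is not None:  # the forwarding layer delivers to the outer destination
        pkt = nodes[pkt[2]].receive(pkt, trace)
    return trace


if __name__ == "__main__":
    for node, pkt in run_example():
        print(node, pkt)
```

Running it prints the five packet forms from the slide (plus the intermediate form at B after the ί2 layer is removed). The strip method shows where the two databases matter: the SAD decides whether the SPI names a known association with the outer source, and the SMD decides whether the policy for the inner flow permits that layer at all; a packet failing either check is rejected rather than decapsulated.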


Establishment

[Figure: establishment exchange between A and B. A sends P(A,B, X(Req(S, D, ίA, K))); B replies P(B,A, X(Rep(S, D, ίA, ίB, K’))). Associations and mechanism entries installed during the exchange: In(A,ίB) with SD:[In(A, ίB)]; Out(B,ίB) with SD:[Out(B, ίB)]; Out(A,ίA) with DS:[Out(A, ίA)]; In(B,ίA) with DS:[In(B, ίA)].]


Friendly Fire

[Figure: friendly fire between two concurrent establishment sessions at A and B. Requests P(A,B,X(Req)) and P(A,B,X(Req)) are sent; filters BA:[ίA] and AB:[ίB] are installed; replies P(B,A,X(Rep)) and P(A,B,X(Rep)) follow.]


Preventing Deadlock

  • Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier.

    • Session identifiers are similar to protocol identifiers.

    • Session identifiers included in messages.

  • Session matching property: packets match the filters installed for their particular session.

  • Security associations may be shared among different sessions.


With Solution

[Figure: the same exchange with session identifiers v1 and v2. Requests P(A,B,X(Req(v2))) and P(A,B,X(Req(v1))); filters BA:v1:[ίA] and AB:v2:[ίB]; replies P(B,A,X(Rep(v2))) and P(A,B,X(Rep(v1))).]
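The friendly-fire deadlock and the session-identifier fix from the preceding slides, as an added example written for this page (not the authors' code). It reduces the protocol to what the slides show: a request, a filter installed by the responder on the initiator's flow, and a reply. It assumes that the second request travels from B to A, as the reply P(A,B,X(Rep(v1))) suggests, and that a filter without a session identifier applies to every packet on its flow; the Packet and Node names and the SPI strings are this example's own.

```python
"""Two establishment sessions running concurrently between A and B, first
without and then with session identifiers in the packet filters.  Written
for this page as an illustration of the Friendly Fire and Preventing
Deadlock slides; not the authors' code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    kind: str                    # "Req", "Rep" or "Data"
    session: str                 # session identifier, carried in every message
    spi: Optional[str] = None    # SPI the packet is protected under; None = in the clear


@dataclass
class Node:
    name: str
    use_session_ids: bool
    # installed packet filters: (src, dst, session or None, required SPI)
    filters: list = field(default_factory=list)
    completed: set = field(default_factory=set)

    def install(self, src, dst, session, spi):
        """Filter for flow src->dst; tagged with the session only in the fixed variant."""
        self.filters.append((src, dst, session if self.use_session_ids else None, spi))

    def admit(self, pkt):
        """A packet that matches an installed filter must carry that filter's SPI.
        A filter without a session id matches every session on its flow."""
        for src, dst, session, spi in self.filters:
            if (src, dst) == (pkt.src, pkt.dst) and session in (None, pkt.session):
                return pkt.spi == spi
        return True  # no filter for this flow: pass


def run(use_session_ids):
    """A initiates session v2 and B initiates session v1 at the same time
    (constructed scenario).  Returns the sessions that completed, the packets
    a filter dropped, and the nodes for further inspection."""
    a, b = Node("A", use_session_ids), Node("B", use_session_ids)
    nodes = {"A": a, "B": b}
    in_flight = [Packet("A", "B", "Req", "v2"), Packet("B", "A", "Req", "v1")]
    dropped = []
    while in_flight:
        pkt = in_flight.pop(0)
        node = nodes[pkt.dst]
        if not node.admit(pkt):
            dropped.append((pkt.kind, pkt.session))
            continue
        if pkt.kind == "Req":
            # responder chooses its SPI (constructed name), installs the filter
            # for the initiator's traffic, and replies
            spi = f"spi_{node.name}_{pkt.session}"
            node.install(pkt.src, pkt.dst, pkt.session, spi)
            in_flight.append(Packet(pkt.dst, pkt.src, "Rep", pkt.session))
        elif pkt.kind == "Rep":
            node.completed.add(pkt.session)  # initiator sees the reply: session done
    return {"completed": sorted(a.completed | b.completed),
            "dropped": dropped, "nodes": nodes}


if __name__ == "__main__":
    for fixed in (False, True):
        r = run(fixed)
        print("session ids" if fixed else "no session ids", r["completed"], r["dropped"])
```

Without session identifiers, the filter B installed for A's session (AB:[ίB]) catches A's unprotected reply for B's session, and symmetrically at A, so both replies are dropped and neither session completes: each side waits for a message the other side's filter discards. With the identifier in both the filter and the message, each filter only applies to its own session's packets and both sessions complete, while later data packets of that session still have to carry the required SPI.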


Tunnel Calculus

  • Operational semantics for the protocol stack.

    • Provides an abstract foundation for future tunnel protocols in light of their use in tunnel complexes.

    • A suitable version could be used to model IPsec, but not our current focus.

  • Based on multiset term rewriting modulo equations.

  • Allows one to reason about interactions between state installed at nodes and protocols.


Tunnel Calculus Layers

  • Discovery

  • Establishment

  • Authorization

  • Security Processing

  • Packet Forwarding


Grammar

[Figure: grammar of tunnel calculus terms. The annotated term forms are a secure message sent, a send-secure-packet request, a message from the secure layer, and terms that pass state from one rule to the next and enforce an order of execution.]


Layer Interaction

[Figure: layer interaction between Node a and Node b; each node is drawn with a Higher Layer above a Sec (security processing) layer above a Fwd (forwarding) layer.]


Forwarding Layer Rules


Secure Layer

Find the matching entry in the MDB, select the bundle, apply the constructors in the bundle, and send the message to the forwarding layer.


Trace Semantics


Observing Messages

  • Given a trace M1, M2, M3, we want to observe only the secure send and receive messages in a session.

  • Q(u) – infinite set of secure send/receive terms of session u.


Equivalent Traces

  • During each run of the protocol some values are generated by the TC new operator.

    • SPI, acknowledgement identifiers.

  • t1~t2 iff they only differ in values generated by new.

  • M1~M2

  • T1~T2
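An added example (written for this page, not the authors' code) of the two notions on the last two slides: the observation Q(u) as a projection of a trace onto the secure send/receive events of session u, and trace equivalence modulo values generated by new, checked as a single injective renaming of fresh values that must be consistent across the whole trace. The event encoding (kind, session, node, term), the ("new", name) tagging of fresh values and the function names are assumptions of this example.

```python
"""Trace equivalence modulo values generated by `new`, and the observation
Q(u) of a session's secure send/receive events.  Written for this page as an
illustration of the Observing Messages and Equivalent Traces slides; the
event encoding and function names are this example's own, not the authors'."""


def new(name):
    """A value produced by the `new` operator (an SPI, an acknowledgement id)."""
    return ("new", name)


def equiv(t1, t2, bij=None):
    """t1 ~ t2: the terms agree everywhere except at `new` values, and those
    are related by a single injective renaming recorded in bij."""
    if bij is None:
        bij = {}
    if isinstance(t1, tuple) and isinstance(t2, tuple):
        if t1[:1] == ("new",) and t2[:1] == ("new",):
            v1, v2 = t1[1], t2[1]
            if v1 in bij:
                return bij[v1] == v2      # already renamed: must be consistent
            if v2 in bij.values():
                return False              # two values collapsing to one: not a bijection
            bij[v1] = v2
            return True
        return len(t1) == len(t2) and all(equiv(x, y, bij) for x, y in zip(t1, t2))
    return t1 == t2  # atoms (names, constructors, non-fresh data) must agree exactly


def observe(trace, u):
    """Q(u): project a trace onto the secure send/receive events of session u."""
    return [e for e in trace if e[0] in ("ssend", "srecv") and e[1] == u]


def trace_equiv(T1, T2):
    """T1 ~ T2: same length and pointwise ~ under one renaming for the whole trace."""
    if len(T1) != len(T2):
        return False
    bij = {}
    return all(equiv(m1, m2, bij) for m1, m2 in zip(T1, T2))


def sample_traces():
    """Constructed traces: the same run twice, with different SPIs and
    acknowledgement ids chosen by `new`.  Events are (kind, session, node, term)."""
    def run(spi_name, ack_name):
        spi, ack = new(spi_name), new(ack_name)
        return [
            ("ssend", "v1", "A", ("P", "A", "B", ("Req", spi))),
            ("fwd",   "v1", "G", ("P", "A", "B", ("Req", spi))),
            ("srecv", "v1", "B", ("P", "A", "B", ("Req", spi))),
            ("ssend", "v2", "B", ("P", "B", "A", ("Rep", spi, ack))),
        ]
    return run("spi7", "ack1"), run("spi9", "ack4")


if __name__ == "__main__":
    T1, T2 = sample_traces()
    print(trace_equiv(T1, T2), observe(T1, "v1"))
```

The renaming is shared across all messages of a trace on purpose: an SPI generated once must be renamed the same way wherever it later appears, so a trace in which the SPI changes mid-run is not equivalent to the original even though each message on its own would be.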


Simulation Lemma

[Figure: the simulation lemma as a square relating M1, M2, M’1 and M’2, with M1 ~ M’1 and M2 ~ M’2.]


Observational Commutativity Theorem


Noninterference Theorem

  • Suppose T = M1…Mn is a trace in which session v is complete, where v is not in Free(M1).

  • Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1. Then


Progress Theorem


Google Tunnel Calculus

