1 / 16

Unveiling Security Protocols: Traces, Attacks, and Behaviors

Explore the post-attack life of security protocols with a focus on traces, attacks, and behaviors. Discover the intricacies of retaliation, detection, and suspicion in protocol verification settings, and their implications for system security. Uncover the potential consequences and novel insights about protocol designs and bad actors' behaviors. Reflect on the adaptability of mechanized tools for advanced protocol analysis.

feivel
Download Presentation

Unveiling Security Protocols: Traces, Attacks, and Behaviors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Protocol’s Life After Attackslet’s investigate beyond Giampaolo Bella Stefano Bistarelli Fabio Massacci @ Cambridge, Catania, Pescara, Pisa, Trento

  2. I can assure there’s no such!! Theorem Prover Current verification setting Yes! I found an attack! Model Checker Focus is in fact on “THE attack”. Is this all??

  3. Glance at the physical world We own a bakery, and one morning we find the window smashed. We can: • Suspect: no-one’s around – it could have been any passer-by  • Detect: the burglars are still there, and no-one else’s around – it was them!  • Retaliate: the burglars are caught and punished accordingly – by appropriate measures!!  Idea: apply same concepts to security protocols

  4. How and Why • How? Must continue analysis after “THE attack” For example: • Model Checkers: If I find an attack, is there another one? (retaliation) • Theorem Provers: If I assume there is an attack, could anyone else mount the same attack? (detection) • Why? Can get novel insights about protocolsFor example: • Is it really convenient to attempt attacks? • Do we need to redesign, or the bad guys are stopped by realistic threats? • What if the principals change their behaviours?

  5. Example Take Lowe’s middle-person attack on NS: if A executes with C then C impersonates A with B • Consequence (Lowe):if B is a bank, C can steal from A’s accountCB : {Na, Nb, “Transfer ₤1000 from A’s account to C’s}Kb • Extra consequence (last year’s workshop):if A is a bank, B can steal from C’s accountBA : {Na, Nb, “Transfer ₤1000 from C’s account to B’s}Ka

  6. Principals’ behaviours Principals are divided according to their behaviours into three disjoint sets. Good: G– conform to the protocol Bad:B – attempt to break the protocol Ugly:U – conform to the protocol but would collaborate with bad Crucially: principals may decide to change behaviour!

  7. Traces and attacks TraceT : conventional view of protocol history as log (of events or messages, or…) ProjectionT/A : subtrace of Twhere some agent in A acted AttackA : some predicate A(T,G,B,U) Can make Spy, owner of the network, explicit.

  8. Current verification setting(more formal) P vulnerable to A against G if ∃ T∊P. A(T,G,B,U) Model Checker P immune to A against G if ∄T∊P. A(T,G,B,U) Theorem Prover

  9. Retaliation A protocol P allows retaliation of an attack A by B if ∀ T∊P, G,B,U s.t. A(T,G,B,U), ∃ Tr∊P extending T , ∃ G’,B’,U’ s.t. B’⊂G∪Uand B⊂G’∪U’ s.t. A(Tr,G’,B’,U’) • if B’=Gdirect retaliation • else, if B’∩G ≠ ∅combined retaliation • else, if B’⊂Uarbitrary retaliation Appears suitable for theorem proving…

  10. Example (more formal) Lowe’s middle-person attack on NS: if A executes with C then C impersonates A with B • Consequence (Lowe):if B is a bank, C can steal from A’s account • Extra consequence (last year’s workshop):if A is a bank, B can steal from C’s account Whenever A(T, G:={B}, B:={C}, U:={A}) T can be extended as Tr s.t. A(T, G:={A}, B:={B}, U:={C})

  11. No Retaliation A protocol P allows no retaliation of an attack A by Bif ∃ T∊P,G,B,U s.t. A(T,G,B,U), ∀ Tr∊P extending T , ∀ G’,B’,U’ s.t. B’⊂G∪Uand B⊂G’∪U’ holds ¬A(Tr,G’,B’,U’) Appears suitable for model checking

  12. Detection A protocol P allows detection of an attack A by B if ∀ T∊P, G,B,U s.t. A(T,G,B,U), ∀ Tr∊P s.t. T /G = Tr/G holds A(Tr,G’,B’,U’) Appears suitable for theorem proving…

  13. No Detection A protocol P allows no detection of an attack A by B if ∃ T∊P, G,B,U s.t. A(T,G,B,U), ∃ Tr∊P s.t. T /G = Tr/G and Tr≠T holds ¬A(Tr,G’,B’,U’) Appears suitable for model checking…

  14. Suspicion A protocol P allows suspicion of an attack A if ∀ T∊P, G,B,U s.t. A(T,G,B,U), ∀ Tr∊P s.t. T /G = Tr/G ∃ B’,U’ s.t. B’≠ B and U’≠U s.t. A(Tr,G,B’,U’) Appears suitable for theorem proving…

  15. No Suspicion A protocol P allows no suspicion of an attack A if ∃ T∊P, G,B,U s.t. A(T,G,B,U), ∃ Tr∊P s.t. T /G = Tr/G ∀ B’,U’ s.t. B’≠ B and U’≠U holds ¬A(Tr,G,B’,U’) Appears suitable for model checking…

  16. Conclusions • There’s life after attacks take place! • Life that is worth investigating • More complex properties of traces: at least two quantifiers (possibly alternated) where we used to have one only • Theory now adapted. Can we adapt mechanised tool support?

More Related