Loading in 2 Seconds...
Loading in 2 Seconds...
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
On the Evolution of Adversary Models for Security Protocols* Virgil D. Gligor Electrical and Computer Engineering University of Maryland College Park, MD. 20742 firstname.lastname@example.org Florida State University Tallahassee, FL. 32306 May 5, 2005 *based on joint work with H. Chan, B. Parno and A. Perrig
Overview • A Security Perspective with some Old Examples New Technologies ~> New Vulnerabilities ~> New Adversary Models … <~> New Security Protocol Analysis Methods and Tools “~>” = almost always implies) 2. A New Example New Technology: sensor networks New Vulnerabilities: (variable number of) nodes captured and replicated New Application: distributed Sensing New Adversary: different from both Dolev-Yao and Byzantine adversaries New Tools: emergent properties, protocols 3. Conclusions
A Security Perspective and some Old Examples Technology ~> Vulnerability ~> Adversary < ~> Methods & Tools -sharing programs confidentiality and untrusted user sys. vs. user mode (’62 ->) & data; integrity breaches; programs (TH) rings, sec. kernel (’65, ‘67) - computing utility system penetration; FHM (’75)theory/tool(’91)* (early – mid ’60s) DoS instances DoS instances ex. (’67-’75) acc. policy models (’71 ->) • shared services; denial of service untrusted user DoS general def. (’83-’85)* • e.g., DBMS, net. prot. os, net. protocols processes; formal spec. & verif. (’88)* • (early - mid ’70s) concurrent, coord. models (’92 -> ) • attacks • PCs, LANs; read, modify, block, man-in-the-middle, informal: NS, DS (’78–81) • public-domain Crypto replay, forge untrusted user semi-formal: DY (‘81) • (early – mid ’70s) messages processes; Byzantine (‘82 –>) • active, adaptive, crypto models (‘84->)*, • mobile adv. auth. prot. analysis (87->) • internetworking; large-scale effects: distributed, virus scans, tracebacks • E2E argument worms, viruses, coordinated intrusion detection • (mid – late ’80s) DDoS (e.g., flooding) attacks (mid ’90s ->) -etc.
A Security Perspective … Long delays … New Technology ~> New Vulnerability ~> New Adversary Model <~> New Analysis Method & Tools +O(years) +/- O(months) +O(years) … cause problems New Technology ~> New Vulnerability Old Adversary Model Reuse of Old (Secure) Protocols mismatch
New Technology: Sensor Networks 1. Ease of Scalable Deployment and Extension - simply drop sensors at desired locations - net. connectivity => neither administrative intervention nor base-station interaction - key sharing => simple neighbor discovery protocols, path keys - comm.: radio broadcast => Adv. cannot block-modify-retransmit 2. Nodes: Low-Cost, Commodity Hardware - low cost => physical node shielding is impractical => ease of access to internal node state (Q: how good should physical node shielding be to prevent access to a sensor’s internal state ? A: most likely, impractically good) 3. Unattended Node Operation in Hostile Areas => adversary can capture & replicate nodes, insert replicas at chosen locations within a network
A New Attack: Node Capture and Replication 3 Captured Node NEIGHBORHOOD j NEIGHBORHOOD i shared key outside neighborhood 1 NEIGHBORHOOD k i 3 shared key outside neighborhood 2
A New Attack: Node Capture and Replication (ctnd.) Node Replica 1 NEIGHBORHOOD i 3 1 Node Replica 2 i 3 3 3 2 Captured Node NEIGHBORHOOD j NEIGHBORHOOD k Note: Replica IDs are cryptographically bound to pre-distributed keys and cannot be changed
New (Replication) vs. Old (Dolev-Yao) Adversary Old (Dolev-Yao) Adversary can - control network operation - man-in-the-middle: read, replay, forge, block, modify, insert messages anywhere in the network - send/receive any message to/from any legitimate principal (e.g., node) - act as a legitimate principal of the network Old (Dolev-Yao) Adversary cannot - perform unbounded computations - perform cryptanalysis; e.g., discover a legitimate principal’s secrets - capture and coerce the behavior of legitimate principals’ nodes - replicate nodes adaptively, modify network and trust topology New (Replication) Adversary =/= Old (Dolev-Yao) Adversary - can block/modify/insert messages only at specific node (replica) locations - replicated nodes can adaptively modify network and trust topology
Distributed Sensing: A New Application and its Adversary Application: a set of m sensors observe and signal a global event - each sensor broadcasts “1” whenever it senses the global event; else, it does nothing - if t broadcasts are “1,” all m sensors signal the event; else they do nothing Operational Constraints - absence of the global event cannot be sensed (e.g., no periodic “0” broadcasts) - no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption) - threshold t is a constant not greater than m - broadcasts are reliable and synchronous (i.e., counted in sessions) Adversary Goals: violate integrity (i.e., any set of t < m false broadcasts ) deny service (i.e., suppress m-t+1 broadcasts) New (Distributed-Sensing) Adversary - captures insiders (i.e., any ofm) nodes forge, replay or suppress broadcasts (within same or across different sessions) - increases broadcast membership: increases m with outsider nodes
An Example of Distributed Sensing: distributed revocation decision Distributed Revocation Decision: - d local neighbors sense the misbehavior of target node with which they share a pairwise private key - each local neighbor broadcasts “revoke” whenever it senses target misbehavior; else, it does nothing - if t (<= d) broadcasts are “revoke,” all d sensors revoke their key shared with the target(and propagate “revoke” decision to non-neighbor nodes that share a pairwise private key with target); else they do nothing. Operational Constraints - absence of target misbehavior cannot be sensed - no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption) - threshold t is a constant not greater than d - broadcasts (and “revoke” propagations) are reliable and synchronous Distributed Node-Revocation Decision => Distributed Sensing
New (Distributed Sensing) vs. Old (Byzantine) Adversary Q: Byzantine Agreement Problem (with similar operational constraints) ? - reactive: both global event and its absence are (“1/0”) broadcast by each node - no PKI => no authenticated broadcast => t > 2/3m honest (not captured) nodes - broadcasts are reliable and synchronous (i.e., counted in sessions) A: No. Byzantine Agreement Problem => => Constrained Distributed Sensing (i.e., with “1/0” broadcasts, t > 2/3m) (=> Constrained Distributed-Revocation Decision) => Distributed Sensing New (Distributed-Sensing) Adv. =/= Old (Byzantine) Adv. - new adversary need not forge, initiate, or replay “0 broadcasts - t < 2/3m => new integrity adversary is stronger; otherwise, same or weaker - new adversary may attempt to modify membership Note: Replication Adversary must also be countered - Replication Adversary => membership violation (not possible with Byzantine Adversaries)
New Vulnerabilities 1. Collusion toSubvert Applications - Ex. 1: subvert aggregation of sensor data; blocks legitimate transmissions, modifies and injects false data - Ex. 2: can subvert “distributed sensing” e.g., sense false events, deny sensing of real events 2. Collusion toSubvert Network Operation - Ex. 1: replicated nodes cooperate to block traffic & partition the network - Ex. 2: revokes legitimate nodes and disconnects network using legitimate, distributed-revocation protocol 3. Circumvent Intrusion Detection (and net’s “immune” system) - Ex: spread abnormal behavior over multiple replicas to avoid detection
Conclusions 1. New Technologies ~> New Vulnerabilities ~> New Adversary Models … ~> New Protocol Analysis Methods and Tools 2. Time Gap between New Technologies and New Protocol Analysis Methods and Tools is Substantial and Must be Decreased =>must anticipate New Vulnerabilities and define Adversary Models =>adversary models must be realistic 4. Re-examination of Formal Methods and Analyzed Protocols is also Required if (Old) Protocols are Reused 5. Some adversaries are best countered by “emergent detection protocols” - distributed node replication - distributed sensing adversary (that captures over t nodes) (viz., examples given in papers co-authored with H. Chen, B. Parno and A. Perrig)