1 / 26

Reasoning about Concurrency for Security Tunnels

Reasoning about Concurrency for Security Tunnels. Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign. Security Tunnels.

evangelia-chloe
Télécharger la présentation

Reasoning about Concurrency for Security Tunnels

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign

  2. Security Tunnels • A technique in which a pair of nodes share state that enables them to apply transformations to messages to ensure their security. • SSL, IPsec. • Our work assumes network layer tunnels, but not a specific technology. • Key-establishment protocols are employed to create a shared key. • Internet Key Exchange Protocol (IKE). • Secrecy and integrity of shared crypto information is typically the focus of formal analysis. • Not our focus.

  3. Road Warrior Example

  4. Hierarchy of Gateways

  5. Gateways + Tunnels • Tunnels and gateways can ensure that traffic is authenticated and authorized as satisfying some policy. • Firewalls do authorization, but not authentication of packets. • We assume VPN gtateways. • The tunnels form a virtual topology where traffic flow governed by the gateway’s high-level policy. • Tunnel complex configuration typically requires manual activity. • Discovery protocols that discover gateways and set up tunnels automate this task. • Establishment is a component of such protocols.

  6. Authenticated Traversal • Ingress traffic to a gateway’s administrative domain must be authenticated and authorized • Want to control what traffic is on your networks. • Protection against denial of service. • Egress traffic from an administrative domain must be authenticated and authorized • Wireless gateways that are billing for services. • Protection against exfiltration.

  7. Modeling Tunnels • A secure tunnel can be viewed “type-theoretically”as a rule for applying a constructor at the source and a destructor at the destination. • Security Association – the constructor destructor pair. • Security association database (SAD). • Security Parameter Index (SPI) – uniquely identifies association. • Security Mechanism - directs traffic into the proper association. • Security mechanism database (SMD). • IPsec SPD.

  8. Tunnel Example ί1 ί2 A B G ί3 AB:[Out(B,ί3) Out(G,ί1)] AB:[In(A,ί1)] AB:[Out(B,ί2)] AB:[In(A,ί,3)In(G,ί2)] P(A,B,y) P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y))))) P(A,B,S(ί3,P(A,B,y))) P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y)) P(A,B,y)

  9. Establishment B A P(A,B, X(Req(S, D, ίA, K))) In(A,ίB) SD:[in(A, ίB)] P(B,A, X(Rep(S, D, ίA, ίB, K’))) Out(B,ίB) SD:[Out(B, ίB)] Out(A,ίA) DS:[Out(A, ίA)] In(B,ίA) DS:[In(B, ίA)]

  10. Friendly Fire B A P(A,B,X(Req)) P(A,B,X(Req)) BA:[ίA] AB:[ίB] P(B,A,X(Rep)) P(A,B,X(Rep))

  11. Preventing Deadlock • Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier. • Session identifiers are similar to protocol identifiers. • Session identifiers included in messages. • Session matching property. Packets match filters installed for a particular session. • Security associations may be shared among different sessions.

  12. With Solution B A P(A,B,X(Req(v2))) P(A,B,X(Req(v1))) BA:v1:[ίA] AB:v2:[ίB] P(B,A,X(Rep(v2))) P(A,B,X(Rep(v1)))

  13. Tunnel Calculus • Operational semantics for protocol stack. • Provides an abstract foundation for future tunnel protocols in light of their use in tunnel complexes. • A suitable version could be used to model IPsec, but not our current focus. • Based on multiset term rewriting modulo equations. • Allows one to reason about interactions between state installed at nodes and protocols.

  14. Tunnel Calculus Layers Discovery Establishment Authorization Security Processing Packet Forwarding

  15. Grammar Secure message sent Send secure packet Message from the secure layer Pass state from one rule to the next and enforce an order of execution

  16. Layer Interaction Node a Node b Higher Layer Sec Fwd

  17. Forwarding Layer Rules

  18. Secure Layer Find the matching entry in MDB, select bundle, apply the constructors in the bundle, and send the message to forwarding layer

  19. Trace Semantics

  20. Observing Messages • Given a trace M1, M2, M3 we want to observe only the secure send and receive messages in a session. • Q(u) – infinite set of secure send/receive terms of session u.

  21. Equivalent Traces • During each run of the protocol some values are generated by the TC new operator. • SPI, acknowledgement identifiers. • t1~t2 iff they only differ in values generated by new. • M1~M2 • T1~T2

  22. Simulation Lemma M’1 ~ M1 ~ M2 M’2

  23. Observational Commutativity Theorem

  24. Noninterference Theorem • Suppose T= M1…Mn is a trace in which session v is complete, where v not in Free(M1). • Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1,Then

  25. Progress Theorem

  26. Google Tunnel Calculus

More Related