1 / 19

Research Overview

Research Overview. Carl A. Gunter University of Pennsylvania. FUNDING SOURCES Army Research Office National Science Foundation Office of Naval Research PROFESSORS Rajeev Alur Michael Greenwald Carl A. Gunter Sanjeev Khanna Jose Meseguer Andre Scedrov Santosh Venkatesh

trula
Télécharger la présentation

Research Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Research Overview Carl A. Gunter University of Pennsylvania

  2. FUNDING SOURCES Army Research Office National Science Foundation Office of Naval Research PROFESSORS Rajeev Alur Michael Greenwald Carl A. Gunter Sanjeev Khanna Jose Meseguer Andre Scedrov Santosh Venkatesh Steve Zdancewic RESEARCH STAFF Mark-Oliver Stehr Kaijun Tan PHD STUDENTS Margaret Delap Matthew Jacobs Alwyn Goodloe Michael McDougall Peng Li Gaurav Shah Raman Sharykin Jason Simas Ying Xu RESEARCH PROGRAMMERS Sumeet Bedi Watee Arsjamat Authenticated Traversal : L3A : Goodloe, Gunter, Stehr DoS : Selective Verification : Gunter, Khanna, Venkatesh OpEm : PPC : Alur, Gunter PISCES Projects

  3. Wireless Security • Why is wireless security any different from wired security? • Resource constraints. • Value of the network link. • Increased risk to confidentiality.

  4. Wireless Security Efforts • Layer 1 (Physical) • Spread spectrum • Layer 2 (Link) • 802.11x – 802.11(b) WEP, 802.11(g) • GPRS • CDMA 2000

  5. Network Layer Wireless Security • Advantages • Independent of underlying link layer. • Overcomes the challenges addressed by layer 2 mechanisms for most cases. • Leverages extensive experience, s/w, and h/w support from Ipsec for VPNs. • Disadvantage • Need set up protocols.

  6. Basic Challenge Internet LAN C NAS S

  7. L3A Architecture L3A SAM SIKE SPD SAD Ipsec IP

  8. SIKE w/ delegation SIKE w/ delegation SIKE SIKE Protocol Messages and Tunnels C NAS S

  9. Research Directions • Build on sectrace experience. • Formal simulation of SIKE and L3A in Maude in parallel with design. • Implementation on BSD with X.509 certs. • Develop requirements for accounting and prove correctness.

  10. DoS Models and Protection Measures • Shared Channel Model • Selective Verification • Bin Verification • Current Directions

  11. Shared Channel Model • Adversary can replay and insert packets. • Legitimate sender sends packets with a maximum and minimum bandwidth. • Legitimate sender experiences loss, but not deliberate modification.

  12. Shared Channel Model Example Sender Packet Dropped Sender Packet Attacker Packet S1 A1 S2 S3 S4 A2 A3 S5 A4 A5 • Model is a four-tuple (W0, W1, A, p). • W0, W1 min and max sender b/w • A attacker max b/w • p loss rate of sender

  13. Signature Flooding • Attack factor R = A / W1. Proportionate attack R = 1. Disproportionate attack R > 1. • Stock PC can handle about 8000 PKC/sec. • 10Mbps link sends about 900 pkt/sec, 100Mbps link sends about 9000 pkt/sec. • Budget: no more that 5% of processor on PKCs.

  14. Selective Sequential Verification • Adversary can devote his entire channel to fake signature packets. • Countermeasure: • Valid sender sends multiple copies of the signature packet. • Receiver checks each incoming signature packet with some probability (say, 25% or 1%).

  15. A loads this channel with bad packets S requires low b/w channel with high processing cost at R Attack Profile A R S

  16. Selective Verification A R S

  17. A gets reduced channel S adds redundancy Selective Verification R makes channels lossy A R Tradeoff: bandwidth vs. processing S

  18. 1 1 2 2 3 4 1 1 1 2 3 4 Bin Verification

  19. Current Research • Develop a unified theory with Dolev Yao A  B : M • Investigate general protocol analysis techniques. • Analysis of TCP. t

More Related