Robustness in Wireless Network Access Protocols PhD Defense

Similar documents
Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Secure Initial Access Authentication in WLAN

EXAM IN TTM4137 WIRELESS SECURITY

Chapter 24 Wireless Network Security

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Chapter 17. Wireless Network Security

Configuring Management Frame Protection

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

Status of P Sub-Specification

Error and Event Messages

Configuring Layer2 Security

Advanced WiFi Attacks Using Commodity Hardware

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Modeling and Verification of Extensible Authentication Protocol for Transport Layer Security in Wireless LAN Environment

Model Checking DSL-Generated C Source Code

WPA-GPG: Wireless authentication using GPG Key

WLAN The Wireless Local Area Network Consortium

Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control

Introduction to Model Checking

Design and Analysis of Distributed Interacting Systems

Security. Reliability

Cryptanalysis of IEEE i TKIP

An Integrated Scheme for Intrusion Detection in WLAN +

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Computer Aided Verification 2015 The SPIN model checker

Wireless KRACK attack client side workaround and detection

The Spin Model Checker : Part I/II

05 - WLAN Encryption and Data Integrity Protocols

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Configuring IDS Signatures

Hidden Problems with the Hidden Node Problem

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

ZIGBEE. Erkan Ünal CSE 401 SPECIAL TOPICS IN COMPUTER NETWORKS

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Table of Contents 1 WLAN Security Configuration Commands 1-1

WiMAX Security: Problems & Solutions

Software Engineering using Formal Methods

Wireless Network Security Spring 2015

Physical and Link Layer Attacks

Chapter 2. Switch Concepts and Configuration. Part II

Formal Specification and Verification

Synology Security Whitepaper

Wireless LAN Error Messages

Configuring Cipher Suites and WEP

Tool-Supported Cyber-Risk Assessment

National Information Assurance (IA) Policy on Wireless Capabilities

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Tool demonstration: Spin

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Wireless Network Security

Wireless Security i. Lars Strand lars (at) unik no June 2004

Complexity. An introduction to protocol chaos. Andrés Blanco. CC License - Swtiruty Rgbytw

Modeling and Verification of IEEE i Security Protocol for Internet of Things

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Attacks on WLAN Alessandro Redondi

IEEE WiMax Security

SharkFest'17 US. Basic workshop of. IEEE packet dissection. Megumi Takeshita

On Demand secure routing protocol resilient to Byzantine failures

Preventing wireless deauthentication attacks over Networks

Wireless LANs. ITS 413 Internet Technologies and Applications

Navigating Regulatory Issues for Medical Device Software

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

CIT 480: Securing Computer Systems. Putting It All Together

Cybersecurity, safety and resilience - Airline perspective

Security in Mobile Ad-hoc Networks. Wormhole Attacks

Information Security in Corporation

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

Software Engineering using Formal Methods

Mobile Security Fall 2013

SPIN: Introduction and Examples

Unit title: Mobile Technology: Device Connectivity (SCQF level 5) Outcome 1

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

The SPIN Model Checker

Wireless Network Security Spring 2016

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Chapter X Security Performance Metrics

TECHNICAL SPECIFICATION

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Lecture 3 SPIN and Promela

Bluetooth SIG Liaison Report May 2009

Chapter X Security Performance Metrics

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Network Security and Cryptography. 2 September Marking Scheme

Wireless Intrusion Detection System

Security in IEEE Networks

IoT & SCADA Cyber Security Services

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

IEEE C802.16e-04/67r1. IEEE Broadband Wireless Access Working Group <

Distributed Systems Programming (F21DS1) Formal Verification

Security Challenges Facing the Future Wireless World (aka.. Alice and Bob in the Wireless Wonderland) Wade Trappe

Plaintext Recovery Attacks Against WPA/TKIP

transmitting on the same channel or adjacent channels

NIST Compliance Controls

Transcription:

Robustness in Wireless Network Access Protocols PhD Defense Martin Eian Department of Telematics Supervisor: Professor Stig F. Mjølsnes Co-supervisor: Professor Steinar H. Andresen 21 September 2012

2 Outline Motivation and Introduction Background Manual protocol analysis Formal model construction and verification Conclusions and open research problems

3 Motivation - Two Trends in Wireless Networking Commercial off-the-shelf (COTS) hardware and software 802.11/WiFi local area networks Mobile/Cellular networks GSM (2G) UMTS (3G) LTE (4G) 802.16/WiMAX wide area networks Safety critical applications Medical Road safety Supervisory control and data aquisition (SCADA) Power generation and distribution Oil & gas Industrial Transportation Emergency communications

4 Safety Critical Applications Key security requirement: Availability Availability can be disrupted by denial of service (DoS) attacks Case studies U.S. public safety communications network - LTE 1 Hospitals - 802.11 medical devices 2 Research questions Are current protocols vulnerable? How do we assess the severity of a protocol vulnerability? How can we prevent protocol vulnerabilities? 1 Federal Communications Commission (FCC), National Broadband Plan, http://www.broadband.gov/ 2 The Wireless Revolution in Medical Devices, http://www.medicaldevice-network.com/projects/wireless_revolution/

5 Wireless Networks Access Network Access Point Base Station Router Router Access Point Base Station Core Network

6 Wireless Network Access Protocols Access Network Access Point Base Station Router Router Access Point Base Station Core Network

7 Definitions 3 Protocol Set of rules and formats, semantic and syntactic, permitting information systems to exchange information. Availability The property of [resources] being accessible and useable upon demand by an authorized entity. Denial of Service (DoS) The prevention of authorized access to resources or the delaying of time-critical operations. 3 Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary

8 Communication Protocols Formatting of data Control/management messages 4 Data messages Behaviour When to send a message What to do when a message is received Model: finite state machine States Transitions 4 Packets, frames, protocol data units

9 Project Phases and Published Papers 1: Literature review, problem definition Fragility of the Robust Security Network: 802.11 Denial of Service 2: Manual protocol analysis 7th International Conference on Applied Cryptography and Network Security (ACNS 09) A Practical Cryptographic Denial of Service Attack Against 802.11i TKIP and CCMP Ninth International Conference on Cryptology And Network Security (CANS 2010) The Modeling and Comparison of Wireless Network Denial of Service Attacks 3: Formal model construction and verificatioing, Systems, and Applications on Mobile 3rd ACM SOSP Workshop on Network- Handhelds (MobiHeld 11) A Formal Analysis of IEEE 802.11w Deadlock Vulnerabilities 31st Annual IEEE International Conference on Computer Communications (IEEE INFOCOM 2012)

10 Denial of Service Attacks Attacks against Availability Disrupt the communication service Categories Jamming Transmit noise Flooding Exhaust resources Implementation specific Exploit bugs Semantic Exploit protocol vulnerabilities

11 Semantic Denial of Service Attacks Protocol vulnerabilities - desynchronize state Unprotected control/management messages Attack amplification Denial of Service time : Adversary transmission time 10:1 100:1 1000:1... Special case: deadlocks Current wireless access protocols are vulnerable

12 The Denial of Service Problem Network User Access Point Adversary

13 The Denial of Service Problem Network User Access Point Authentication Request Adversary

14 The Denial of Service Problem Network User Access Point Authentication Response Adversary

15 The Denial of Service Problem Network User Access Point Association Request Adversary

16 The Denial of Service Problem Network User Access Point Association Response Adversary

17 The Denial of Service Problem Network User Access Point Service Enabled Adversary

18 The Denial of Service Problem Network User Access Point Service Enabled Deauthentication Adversary

19 The Denial of Service Problem Network User Access Point Adversary

20 The Denial of Service Problem - MSC

21 Summary of Phase 1 Scope: semantic protocol vulnerabilities Case study: IEEE 802.11 Start manual analysis

22 Project Phases and Published Papers 1: Literature review, problem definition Fragility of the Robust Security Network: 802.11 Denial of Service 2: Manual protocol analysis 7th International Conference on Applied Cryptography and Network Security (ACNS 09) A Practical Cryptographic Denial of Service Attack Against 802.11i TKIP and CCMP Ninth International Conference on Cryptology And Network Security (CANS 2010) The Modeling and Comparison of Wireless Network Denial of Service Attacks 3: Formal model construction and verificatioing, Systems, and Applications on Mobile 3rd ACM SOSP Workshop on Network- Handhelds (MobiHeld 11) A Formal Analysis of IEEE 802.11w Deadlock Vulnerabilities 31st Annual IEEE International Conference on Computer Communications (IEEE INFOCOM 2012)

23 Case Study - IEEE 802.11 (1997) Standard for wireless local area networks PHY and MAC layers Three message types Control frames Management frames Data frames Extensively analyzed for DoS vulnerabilities Facilitates experimental validation Scope 802.11 MAC layer protocols 802.11i and 802.11w amendments

24 802.11 States, Authentication and Association

25 802.11i: Robust Security Network (RSN) (2004) Provides Integrity Confidentiality Replay protection Sender authenticity (unicast) TKIP and AES-CCMP Security Associations (SAs) Pairwise keys Security parameters Deleted on successful authentication, (re)association, deauthentication, disassociation Only protects data frames (not management/control) Uses deauthentication to recover from lost key synchronization

26 Deauthentication Attack - 802.11i

27 802.11i TKIP Weak message integrity code (MIC) Countermeasures 2 MIC failures in 60 seconds Shut down for 60 seconds Delete all security associations using TKIP Design goal: difficult to deliberately cause MIC failures TKIP sequence counter (TSC) - prevent replay 802.11e quality of service (QoS) One TSC per QoS class

28 TKIP Countermeasures Attack (Paper B)

29 802.11w: Protected Management Frames (2009) RSN protection for: Deauthentication Disassociation Action...but not for: Authentication Chicken and egg problem? Association Backward compatibility

30 Authentication Attack (Paper A)

31 Summary of Phase 2 Contributions Discovered vulnerabilities Experimental validation Proposed robust solutions and temporary workarounds A decade of 802.11 analysis 5 New vulnerabilities found Manual analysis insufficient Use formal methods Goal: automatically find semantic protocol vulnerabilities 5 J. Bellardo and S. Savage, 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, Usenix Security Symposium 2003

32 Project Phases and Published Papers 1: Literature review, problem definition Fragility of the Robust Security Network: 802.11 Denial of Service 2: Manual protocol analysis 7th International Conference on Applied Cryptography and Network Security (ACNS 09) A Practical Cryptographic Denial of Service Attack Against 802.11i TKIP and CCMP Ninth International Conference on Cryptology And Network Security (CANS 2010) The Modeling and Comparison of Wireless Network Denial of Service Attacks 3: Formal model construction and verificatioing, Systems, and Applications on Mobile 3rd ACM SOSP Workshop on Network- Handhelds (MobiHeld 11) A Formal Analysis of IEEE 802.11w Deadlock Vulnerabilities 31st Annual IEEE International Conference on Computer Communications (IEEE INFOCOM 2012)

33 Formal Method Development Method: Model checking Bottom-up approach Cost quantification Model implementation in Promela Model verification using SPIN Experimental validation Formal definition

34 Construction of Models Cost Model Protocol Model Adversary Model

35 Cost Model Cost: energy, computational, memory, monetary, probability of detection/location, time Protocol participant cost Γ P Time without communication service Implementation: global variable Adversary cost Γ A Total adversary transmission time Implementation: global variable Attack efficiency/amplification E E = Γ P Γ A Bounds Γ P is finite Γ A > 0 E not defined for deadlock attacks

36 Attack Efficiency E

37 General Protocol Model Initiator Adversary Responder Initiator Promela proctype Responder Promela proctype I/O: Protocol messages Promela chan

38 Protocol Model Challenges Stop model execution if protocol is unable to recover Easy deadlock detection (SPIN invalid endstates ) Mental image: data frames ping pong Only send data when receiving data Exception 1: after EAPOL4 Exception 2: after channel switch recovery Timeouts Explicit notification by recipient Promela timeout statement Allow adversary to halt, then resume when timeout is executed Detect attacks where adversary sends messages after timeout

39 Adversary Model Non-deterministic Can read and send unprotected messages Cannot delete messages Distinction from Standard/Dolev-Yao Cryptographic Model Limited message budget

40 Adversary Model - Promela proctype Adversary ( ) { short pkts = 0; Msg m; m. type = DUMMY; m. class = 1; m. ch = 1; m. mic = 0; do : : ( pkts >= a t t ) > break ; : : pkts < a t t && ( setup e s t a b l i s h e d ) > i f : : m. type == DUMMY > break ; : : m. type == DUMMY && ( pkts > 0) > i f : : t i m e o u t f l a g > t i m e o u t f l a g = 0; f i : : m. type == DUMMY > i f : : m. type = deauth > m. class = 1; : : m. type = disassoc > m. class = 2; : : m. type = authreq > m. class = 1; : : m. type = authresp > m. class = 1; : : m. type = assocreq > m. class = 2; : : m. type = assocresp > m. class = 2; : : dot11h > m. type = csw ; m. class = 1; f i : : m. type!= DUMMY > i f : : atomic { pkts ++; toap! m; m. type = DUMMY; } : : atomic { pkts ++; tosta! m; m. type = DUMMY; } f i f i od }

41 802.11 Challenges Model construction revealed ambiguities and gaps in protocol specifications Example: authentication request received in State 3 Checked protocol implementations Cisco hostapd Different interpretations Implement both Verify both

42 Model Verification Model checker: SPIN Using cost model Select efficiency threshold T Check LTL property: ((Γ A = 0) ( Γ P Γ A < T )) Deadlocks Does not require cost model Check SPIN property invalid endstates

43 Model Verification Complexity and Performance 6 Adversary States Transitions Time (s) Htime 1 8,382 14,374 0.1 0.1 sec 2 380,263 729,614 8.8 8.8 sec 3 10,744,856 22,009,511 1,260.0 21 min 4 238,582,500 508,034,440 95,300.0 26.5 hrs 6 Intel Xeon 2.66GHz CPU

44 802.11i Deadlock Attack (Paper C)

45 802.11w Deadlock Attack 1 (Paper D)

46 802.11w Deadlock Attack 2 (Paper D)

47 802.11w Deadlock Attack 3 (Paper D)

48 Cost Model Results Previously published attacks verified Highest efficiency: Quiet attack 7 Difficult to find new lower efficiency attacks Too many counterexamples from model checker Partial solution by limiting adversary and protocol - e.g. 802.11h support Modify protocol to remove vulnerabilities Challenge: experimental validation 7 B. Könings, F. Schaub, F. Kargl and S. Dietzel, Channel Switch and Quiet Attack: New DoS Attacks Exploiting the 802.11 Standard, IEEE 34th Conference on Local Computer Networks, 2009 (LCN 2009).

49 Conclusions Proposed formal method is Practical Useful Found severe vulnerabilities in existing protocols Common cause: protocol modifications Eluded extensive manual analysis Experimental validation of all results Differences in interpretation of the standard

50 Research Questions Retrospective Are current protocols vulnerable? Yes. Why? Complexity makes manual analysis insufficient Protocol modifications can have unintended consequences How do we assess the severity of a protocol vulnerability? Quantify the costs Proposed cost model How can we prevent protocol vulnerabilities? With the help of formal methods during protocol design Proposed formal method

51 Protocol Design Design Protocol Construct Formal Model Yes Run Model Checker Vulnerable? No Implement Protocol

52 Open Research Problems Integration with other models and tools Alternative cost and adversary models Complete 802.11 model Other wireless network access protocols GSM UMTS LTE 802.16 (WiMAX) Real time support Protocol design principles

53 Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback