1
Formal Models of Availability
  • Carl A. Gunter
  • University of Pennsylvania
  • (Soon to be the University of Illinois)

2
State of the Art in Formal Analysis of Security
  • Excellent progress on the formal analysis of
    integrity and confidentiality.
  • Algebraic techniques catch bugs quickly and can
    be automated. Many successful case studies with
    practical protocols.
  • Complexity-theoretic techniques provide more
    complete proofs.
  • Techniques are being derived to unify these.
  • Modest progress on the formal study of
    availability.
  • Limited formal models.
  • Too conservative.
  • Not realistic.
  • Insufficient nomenclature.
  • No automation.
  • Few case studies or experimental validations.
  • Fragile linkage to implementations.

3
Toward Formal Analysis of DoS
  • Shared Channel Model
  • Case study: DoS protection for authenticated
    broadcast.
  • Asymmetry Paradigm
  • Case study: TCP.
  • Composition and testing of DoS-resistant
    protocols.
  • Case study: Layer three accounting (L3A).
  • Unified algebraic model.
  • Formalization of authentication protocols.
  • Probabilistic term rewriting.

4
Broadcast Authentication
Internet television, shared spectrum radio,
digital satellite, etc.
5
Challenge of Broadcast Authentication
  • Inefficient to use public key signatures for each
    packet.
  • Insecure to use a common distributed key.
  • Inefficient, impractical, or impossible to use
    unicast tunnels.
  • Many proposals have been made to address these
    problems.
  • Delayed key release.
  • Amortize costs of public key checks over multiple
    packets.

6
Challenge of DoS for Broadcast
  • Attacks in broadcast case are more likely to be
    informed attacks in which sequence numbers and
    other aspects of protocol state are known.
  • TCP is very vulnerable to informed attacks.
  • Authentication based on Public Key Checks (PKCs)
    is vulnerable to signature flooding.
  • Attacks on Forward Error Correction (FEC) lead to
    higher overheads.

7
Security Models for DoS
  • Common forms of analysis show that the victim can
    defend against an attack that occupies his whole
    channel.
  • Effective, but too conservative.
  • Dolev-Yao assume that the adversary controls the
    channel and can use the legitimate sender at
    will.
  • Seems to give away the game.
  • Attacks based on limited modification.
  • Not a common case.
  • Tit for tat work commitment by initiator.
  • Needs extension.
  • Wanted a more realistic model of attack and
    countermeasures to exploit it.

8
Shared Channel Model
  • Adversary can replay and insert packets.
  • Legitimate sender sends packets with a maximum
    and minimum bandwidth.
  • Legitimate sender experiences loss, but not
    deliberate modification.
  • Model is a four-tuple (W0, W1, A, p).
  • W0, W1: min and max sender b/w
  • A: attacker max b/w
  • p: loss rate of sender

9
Shared Channel Model Example
10
Signature Flooding
  • Attack factor R = A / W1.
  • Proportionate attack: R = 1.
  • Disproportionate attack: R > 1.
  • Stock PC can handle about 8000 PKC/sec.
  • 10Mbps link sends about 900 pkt/sec, 100Mbps link
    sends about 9000 pkt/sec (assuming large
    packets).
  • Processor is overwhelmed by too many signature
    checks. Adversary can devote full b/w to bad
    signatures at no cost.
  • Budget no more than 5% of processor on PKCs.

11
Broadcast Authentication Streams
Figure: three streams sent to receivers (data stream, hash/parity stream, signature stream).
12
Interleaving of Transmission Groups
Figure: data, hash, parity and signature packets interleaved within a transmission group.
13
Selective Sequential Verification
  • The signature stream is vulnerable to signature
    flooding: the adversary can devote his entire
    channel to fake signature packets.
  • Countermeasure:
  • Valid sender sends multiple copies of the
    signature packet.
  • Receiver checks each incoming signature packet
    with some probability (say, 25% or 1%).

14
Attack Profile
Figure: attack profile with sender S, receiver R and attacker A.
15
Selective Verification
Figure: selective verification with sender S, receiver R and attacker A.
16
Selective Verification
Figure: R makes channels lossy for both sender S and attacker A.
Tradeoff: bandwidth vs. processing.
17
How to Choose Parameters
  • Parameters:
  • Attack factor R
  • Sender bandwidth W (packets/sec)
  • Packet loss rate p
  • Signature check budget K (per second)
  • Theorem: A client receives a valid signature with
    confidence at least 99% if the number of
    signature copies is 5W(R+1) / ((1-p)K).

18
Intuition
  • Suppose we have 100 valid signature packets
    hidden in a large set of packets with invalid
    signatures.
  • If we check each packet in the large set with
    probability 5%, the probability that we do not
    find a valid signature packet is at most
  • (1 - 5/100)^100 = (1 - 1/20)^(20·5)
  • ≈ 1/e^5 < .01

19
In More Detail
  • Suppose the client checks each signature packet
    with probability p.
  • The probability that a signature packet is
    successfully received and verified by the client
    is (1-p)p.
  • Let N be the number of signature packets.
  • The probability that none of the N signature
    packets is successfully received and verified by
    the client is (1-(1-p)p)^N.
  • Roughly speaking, we set
  • p = K / RW
  • N = 5 / ((1-p)p).

20
Sample Numbers
  • 10Mbps with 20% loss and 2 second latency
  • 1584 data packets
  • 11 hash packets, 11 parity packets
  • 20 signature packets, verification probability
    25%
  • 100Mbps with 40% loss and 1 second latency
  • 8208 data packets
  • 57 hash packets, 66 parity packets
  • 200 signature packets, verification probability
    2.5%
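The selective verification arithmetic from the slides above (the theorem of slide 17, the intuition of slide 18 and the "p = K/RW, N = 5/((1-p)p)" rule of slide 19) carried through in code. This is an added example, not code from the presentation: it names the check probability q to keep it apart from the loss rate p, sets q = K/((R+1)W) so that the receiver's expected checks per second equal the budget K exactly (the slides write this as roughly K/RW), and the scenario numbers in the main block are constructed rather than the slides' sample numbers.

```python
import math

# Selective sequential verification model (added worked example, not the
# presentation's code). W = sender bandwidth in packets/sec, R = attack
# factor A/W, p = packet loss rate, K = signature checks per second the
# receiver is willing to spend, q = probability of checking a packet.

CONFIDENCE = 0.99  # the theorem's "at least 99%"


def check_probability(K, R, W):
    """Probability with which the receiver verifies each incoming signature
    packet. Arrivals are legitimate W plus attack R*W, so checking each with
    probability K/((R+1)W) keeps the expected checks at the budget K.
    Capped at 1 when the budget covers every packet."""
    return min(1.0, K / ((R + 1) * W))


def expected_checks_per_sec(K, R, W):
    """Signature checks per second the receiver actually performs."""
    return (R + 1) * W * check_probability(K, R, W)


def miss_probability(N, p, q):
    """Probability that none of N copies of a valid signature packet is both
    received (survives loss p) and selected for checking (probability q):
    (1 - (1-p)q)^N, as on slide 19."""
    return (1 - (1 - p) * q) ** N


def copies_needed(W, R, p, K):
    """Copies the sender must transmit for 99% confidence: N = 5/((1-p)q).
    With q = K/((R+1)W) this is the theorem's 5W(R+1)/((1-p)K), and since
    (1-x)^N <= exp(-xN) the miss probability is at most exp(-5) < 0.01.
    Using q rather than the raw formula keeps the bound valid when q is
    capped at 1 (then N = 5/(1-p) and the miss probability is p^N)."""
    q = check_probability(K, R, W)
    return math.ceil(5 / ((1 - p) * q))


def success_probability(W, R, p, K):
    """Confidence that a client receives and verifies at least one valid
    signature when the sender transmits copies_needed() copies."""
    q = check_probability(K, R, W)
    return 1 - miss_probability(copies_needed(W, R, p, K), p, q)


if __name__ == "__main__":
    # Constructed scenario (not the slides' sample numbers): ~900 pkt/sec
    # link, 20% loss, an attacker with ten times the sender's bandwidth and a
    # budget of 400 checks/sec (5% of a PC that does ~8000 PKC/sec).
    W, R, p, K = 900, 10, 0.20, 400
    q = check_probability(K, R, W)
    N = copies_needed(W, R, p, K)
    print(f"check probability q = {q:.4f}, signature copies N = {N}")
    print(f"checks/sec = {expected_checks_per_sec(K, R, W):.0f} (budget {K})")
    print(f"miss probability = {miss_probability(N, p, q):.4f}")
    print(f"success probability = {success_probability(W, R, p, K):.4f}")
    print(f"slide 18 intuition: 0.95^100 = {miss_probability(100, 0.0, 0.05):.4f}")
```

The bound holds for any R: a larger attack factor lowers q and raises N in the same proportion, so the receiver's processing stays at K and the sender pays in bandwidth, which is the tradeoff the slides describe.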

21
Selective Verification is Very Effective
22
Authentication Loss
23
Throughputs Under Severe Attacks
Figure: throughput under attack with 3% and 8% signature overhead.
Little effect!
24
The Asymmetry Paradigm
  • Attackers leverage a feature that inflicts a
    great cost on the server at little expense to the
    client.
  • Defenders leverage asymmetric goals:
  • Attacker: acquire all of a resource.
  • Client: acquire a single unit of resource.
  • Inflate the cost of a resource that the attacker
    consumes at a greater rate, so that it becomes a
    bottleneck for the attacker before he is able to
    deny service.

Jujitsu: a martial art that forces the attacker to
use his size and weight against himself.
25
Is the Asymmetry Paradigm generally applicable?
  • Applicable: Are there typically resources
    consumed by the attacker more quickly than by the
    clients?
  • Effective: Does an application of the asymmetry
    paradigm remove the threat of DoS?
  • Composition: Can the paradigm be applied without
    changing the existing protocol?

26
TCP/IP: A case study
  • Common
  • Round trip: already have an example for a one-way
    protocol
  • Susceptible to DoS attacks
  • SYN flood and others
  • Existing solutions as benchmark
  • Increase size of SYN cache, random drop, SYN
    cookies

27
TCP/IP: A case study
Figure: three-way handshake. Each side's state grows from ? to
(SP, DP, SSN) to (SP, DP, SSN, DSN) as the packets arrive:
  SYN, SSN=123, SP, DP          -->
                                <--  SYN+ACK=124, SSN=456, SP, DP
  ACK=457, SSN=124, SP, DP      -->
  • Connection initiation
  • SYN, SYN+ACK, ACK 3-way handshake
  • Agree on source, dest, source port, dest port,
    source seq., dest seq.

28
TCP's Memory Requirements
  • TCB (Control Block): SSN, RxMT, Acked
  • Packet buffers
  • Outgoing unacked data
  • Incoming, unread out-of-order data
  • Until ESTABLISHED, only need port no., ISN, ACK
  • SYN Cache of size B

29
Example: TCP SYN Cache
  • Parameters:
  • Network capacity is rA = 300K SYNs/sec (100Mbps
    Fast Ethernet)
  • B = 10,000
  • Slots free at rate of B/tA
  • SYN cache occupancy:
  • On timeout: tA = 100 seconds (30-120 seconds)
  • On success: RTT = 10ms (<1 - 100 milliseconds)

30
SYN-flood defense: selective processing
Figure: SYN cache of B slots.
  • If attacker arrives at rate < f B/tA then (1-f)B
    slots reserved for legit clients

31
SYN-flood defense: selective processing
Figure: SYN cache of B slots; incoming SYNs admitted with probability p.
  • If attacker arrives at rate < f B/tA then (1-f)B
    slots reserved for legit clients
  • Process SYNs w/ probability p < f B/(tA rA)

32
SYN-flood defense: selective processing
Figure: SYN cache of B slots; incoming SYNs admitted with probability p;
clients retransmit x 1/p, limited by net capacity.
  • If attacker arrives at rate < f B/tA then (1-f)B
    slots reserved for legit clients
  • Process SYNs w/ probability p < f B/(tA rA)
  • Increase connection rate by 1/p

33
SYN-flood defense: selective processing
Figure: attacker sends at rate rA and is admitted at p rA; SYN cache of B
slots; incoming SYNs admitted with probability p; clients retransmit x 1/p.
  • If attacker arrives at rate < f B/tA then (1-f)B
    slots reserved for legit clients
  • Process SYNs w/ probability p < f B/(tA rA)
  • Increase rate by 1/p
  • Attacker rate of p rA cannot fill more than f B
    slots

34
SYN-flood defense: selective processing
Figure: attacker sends at rate rA and is admitted at p rA; SYN cache of B
slots; incoming SYNs admitted with probability p; clients retransmit x 1/p.
  • Process SYNs w/ probability p < f B/(tA rA)
  • Examples:
  • If p = 10^-3/6, then the attacker can never occupy
    more than half of the SYN cache, but clients rxmt
    6000 SYNs/connection.
  • If we increase the size to 30B and p = .005, then
    the same .5 limit holds, but a client only rxmts 200
    SYNs/connection. For a 500KB file, this is only 2%
    overhead.
  • Without selective processing (p = 1) we need B = 6
    x 10^7 (= 6000B) to achieve the same level of
    defense.
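The SYN cache model of slides 29 to 34, including the three worked examples on slide 34, carried through as an added Python example (not the presentation's code). Symbols follow the slides: B is the cache size in slots, rA the attacker's SYN rate, tA the half-open timeout, p the processing probability and f the fraction of the cache the attacker may fill. The 40-byte SYN size used for the overhead estimate and the one-second fluid simulation of cache occupancy are assumptions of this example.

```python
# SYN-flood selective processing model (added worked example; not code from
# the presentation). Symbols: B = SYN cache size (slots), r_A = attacker SYN
# arrival rate (SYNs/sec), t_A = seconds a half-open entry holds a slot
# before timing out, p = probability the server processes an incoming SYN,
# f = fraction of the cache the attacker is allowed to fill.


def attacker_slots(p, r_A, t_A):
    """Steady-state slots held by attacker SYNs: admitted at p*r_A per
    second, each held for t_A seconds (slide: attacker rate p rA)."""
    return p * r_A * t_A


def max_process_probability(f, B, t_A, r_A):
    """Largest p such that the attacker fills at most f*B slots
    (slide: p < f B / (tA rA))."""
    return f * B / (t_A * r_A)


def syns_per_connection(p):
    """Expected SYNs a legitimate client sends until one is processed:
    geometric with success probability p, so 1/p (slide: rate x 1/p)."""
    return 1.0 / p


def cache_size_without_selection(f, r_A, t_A):
    """Cache size needed for the same f limit when every SYN is processed
    (p = 1): r_A * t_A / f."""
    return r_A * t_A / f


def syn_overhead_fraction(p, file_bytes, syn_bytes=40):
    """Retransmitted-SYN bytes as a fraction of a transfer. The 40-byte SYN
    (IPv4 + TCP headers, no options) is an assumption of this example."""
    return syns_per_connection(p) * syn_bytes / file_bytes


def simulate_occupancy(p, r_A, t_A, B, seconds):
    """Fluid model in one-second steps (assumption of this example): attacker
    entries are admitted at p*r_A per second and each held entry leaves at
    rate 1/t_A, so a full cache frees B/t_A slots per second as on slide 29.
    Returns attacker-held slots after `seconds`, capped at the cache size."""
    held = 0.0
    for _ in range(seconds):
        held = min(B, held * (1 - 1 / t_A) + p * r_A)
    return held


if __name__ == "__main__":
    r_A, t_A, B, f = 300_000, 100, 10_000, 0.5
    p = max_process_probability(f, B, t_A, r_A)  # 10^-3/6 on slide 34
    print(f"p = {p:.3e}: attacker holds {attacker_slots(p, r_A, t_A):.0f} of {B} slots, "
          f"client sends {syns_per_connection(p):.0f} SYNs/connection")
    big_B, p2 = 30 * B, 0.005
    print(f"B = {big_B}, p = {p2}: attacker holds {attacker_slots(p2, r_A, t_A):.0f} slots, "
          f"client sends {syns_per_connection(p2):.0f} SYNs/connection, "
          f"overhead on 500KB = {100 * syn_overhead_fraction(p2, 500_000):.1f}%")
    print(f"p = 1 needs B = {cache_size_without_selection(f, r_A, t_A):.0e} slots")
    print(f"simulated attacker occupancy after 2000 s = "
          f"{simulate_occupancy(p, r_A, t_A, B, 2000):.0f}")
```

With 40-byte SYNs the 200 retransmissions on a 500KB transfer come to about 1.6%, the slide's rough 2%. The simulation converges to p·rA·tA, the closed form in attacker_slots(), which is the asymmetry the defense relies on: the attacker's occupancy is bounded by the server's own choice of p while a legitimate client needs only one admitted SYN.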

35
Experimental validation: Successful connections
vs. attack rate
  • Attack rate in SYNs/sec received at server
  • Graph shows successful connections per 450
    threads
  • Defenseless kernel: >6 SYNs/sec shuts out client

Figure: aggregate connections vs. attack rate; model predicts cliff.
36
Conclusion
  • Progress is possible on formal analysis of
    availability.
  • New models are more realistic and point to new
    countermeasures.
  • Key concepts:
  • Shared Channel Model
  • Selective Processing Countermeasures
  • Asymmetry Paradigm