1

Reasoning about Concurrency for Security Tunnels

Alwyn E. Goodloe

University of Pennsylvania

Carl A. Gunter

University of Illinois Urbana-Champaign

2

Security Tunnels A technique in which a pair of nodes share state

that enables them to apply transformations to messages to ensure their security. SSL, IPsec. Our work assumes network layer tunnels, but not a

specific technology. Key-establishment protocols are employed to

create a shared key. Internet Key Exchange Protocol (IKE). Secrecy and integrity of shared crypto information is

typically the focus of formal analysis. Not our focus.

3

Road Warrior Example

BobAlice

Coyote Co.

4

Hierarchy of Gateways

b

GW

GW

GW

GW

GW

GW

GW

GW

GW

GW

GW

GW

GW

5

Gateways + Tunnels Tunnels and gateways can ensure that traffic is

authenticated and authorized as satisfying some policy. Firewalls do authorization, but not authentication of

packets. We assume VPN gtateways.

The tunnels form a virtual topology where traffic flow governed by the gateway’s high-level policy.

Tunnel complex configuration typically requires manual activity. Discovery protocols that discover gateways and set up

tunnels automate this task. Establishment is a component of such protocols.

6

Authenticated Traversal

Ingress traffic to a gateway’s administrative domain must be authenticated and authorized Want to control what traffic is on your networks. Protection against denial of service.

Egress traffic from an administrative domain must be authenticated and authorized Wireless gateways that are billing for services. Protection against exfiltration.

7

Modeling Tunnels

A secure tunnel can be viewed “type-theoretically”as a rule for applying a constructor at the source and a destructor at the destination.

Security Association – the constructor destructor pair. Security association database (SAD).

Security Parameter Index (SPI) – uniquely identifies association.

Security Mechanism - directs traffic into the proper association. Security mechanism database (SMD).

IPsec SPD.

8

Tunnel Example

GA B

AB:[In(A,ί1)]

P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))

AB:[Out(B,ί2)] AB:[In(A,ί,3)In(G,ί2)]

P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y))

P(A,B,S(ί3,P(A,B,y)))

P(A,B,y)

P(A,B,y)

ί1 ί2

ί3AB:[Out(B,ί3)

Out(G,ί1)]

9

Establishment

AA BBP(A,B, X(Req(S, D, P(A,B, X(Req(S, D, ίίAA, K))), K)))

In(A,In(A,ίίBB) )

SSD:[in(A, D:[in(A, ίίBB)])]

Out(A,Out(A,ίίAA) )

DDS:[Out(A, S:[Out(A, ίίAA)])]

P(B,A, X(Rep(S, D, P(B,A, X(Rep(S, D, ίίAA , ίίBB, K’))), K’)))

Out(B,Out(B,ίίBB))

SSD:[Out(B, D:[Out(B, ίίBB)])]In(B,In(B,ίίAA) )

DDS:[In(B, S:[In(B, ίίAA)])]

10

Friendly FireAA BB

P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))

BBA:[A:[ίίAA]] AAB:[B:[ίίBB]]

P(B,A,X(Rep))P(B,A,X(Rep)) P(A,B,X(Rep))P(A,B,X(Rep))

11

Preventing Deadlock

Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier. Session identifiers are similar to protocol identifiers. Session identifiers included in messages.

Session matching property. Packets match filters installed for a particular session.

Security associations may be shared among different sessions.

12

With Solution

AA BB

P(A,B,X(Req(vP(A,B,X(Req(v22))))))P(A,B,X(Req(vP(A,B,X(Req(v11))))))

BBA:vA:v11:[:[ίίAA]] AAB:vB:v22:[:[ίίBB]]

P(B,A,X(Rep(vP(B,A,X(Rep(v22)))))) P(A,B,X(Rep(vP(A,B,X(Rep(v11))))))

14

Tunnel Calculus

Operational semantics for protocol stack. Provides an abstract foundation for future tunnel

protocols in light of their use in tunnel complexes. A suitable version could be used to model IPsec, but

not our current focus. Based on multiset term rewriting modulo

equations.

Allows one to reason about interactions between state installed at nodes and protocols.

15

Tunnel Calculus Layers

Packet Forwarding

Security Processing

Authorization

Establishment

Discovery

16

Grammar

Send secure packet

Secure message

sentMessage from

the secure layer

Pass state from one rule to the next and enforce an order of execution

17

Layer Interaction

Node a Node b

Higher Layer

Sec

Fwd

18

Forwarding Layer Rules

19

Secure LayerFind the matching

entry in MDB, select bundle, apply the

constructors in the bundle, and send the

message to forwarding layer

20

Trace Semantics

21

Observing Messages Given a trace M1, M2, M3 we want to observe

only the secure send and receive messages in a session.

Q(u) – infinite set of secure send/receive terms of session u.

22

Equivalent Traces

During each run of the protocol some values are generated by the TC new operator. SPI, acknowledgement identifiers.

t1~t2 iff they only differ in values generated by new.

M1~M2

T1~T2

23

Simulation Lemma

MM11

MM22 M’M’22

M’M’11

~~

~~

24

Observational Commutativity Theorem

25

Noninterference Theorem

Suppose T= M1…Mn is a trace in which session v is complete, where v not in Free(M1).

Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1,Then

26

Progress Theorem

27

Google Tunnel Calculus