1
Reasoning about Concurrency for Security Tunnels
Alwyn E. Goodloe
University of Pennsylvania
Carl A. Gunter
University of Illinois Urbana-Champaign
2
Security Tunnels A technique in which a pair of nodes share state
that enables them to apply transformations to messages to ensure their security. SSL, IPsec. Our work assumes network layer tunnels, but not a
specific technology. Key-establishment protocols are employed to
create a shared key. Internet Key Exchange Protocol (IKE). Secrecy and integrity of shared crypto information is
typically the focus of formal analysis. Not our focus.
3
Road Warrior Example
BobAlice
Coyote Co.
4
Hierarchy of Gateways
b
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
GW
5
Gateways + Tunnels Tunnels and gateways can ensure that traffic is
authenticated and authorized as satisfying some policy. Firewalls do authorization, but not authentication of
packets. We assume VPN gtateways.
The tunnels form a virtual topology where traffic flow governed by the gateway’s high-level policy.
Tunnel complex configuration typically requires manual activity. Discovery protocols that discover gateways and set up
tunnels automate this task. Establishment is a component of such protocols.
6
Authenticated Traversal
Ingress traffic to a gateway’s administrative domain must be authenticated and authorized Want to control what traffic is on your networks. Protection against denial of service.
Egress traffic from an administrative domain must be authenticated and authorized Wireless gateways that are billing for services. Protection against exfiltration.
7
Modeling Tunnels
A secure tunnel can be viewed “type-theoretically”as a rule for applying a constructor at the source and a destructor at the destination.
Security Association – the constructor destructor pair. Security association database (SAD).
Security Parameter Index (SPI) – uniquely identifies association.
Security Mechanism - directs traffic into the proper association. Security mechanism database (SMD).
IPsec SPD.
8
Tunnel Example
GA B
AB:[In(A,ί1)]
P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))
AB:[Out(B,ί2)] AB:[In(A,ί,3)In(G,ί2)]
P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y))
P(A,B,S(ί3,P(A,B,y)))
P(A,B,y)
P(A,B,y)
ί1 ί2
ί3AB:[Out(B,ί3)
Out(G,ί1)]
9
Establishment
AA BBP(A,B, X(Req(S, D, P(A,B, X(Req(S, D, ίίAA, K))), K)))
In(A,In(A,ίίBB) )
SSD:[in(A, D:[in(A, ίίBB)])]
Out(A,Out(A,ίίAA) )
DDS:[Out(A, S:[Out(A, ίίAA)])]
P(B,A, X(Rep(S, D, P(B,A, X(Rep(S, D, ίίAA , ίίBB, K’))), K’)))
Out(B,Out(B,ίίBB))
SSD:[Out(B, D:[Out(B, ίίBB)])]In(B,In(B,ίίAA) )
DDS:[In(B, S:[In(B, ίίAA)])]
10
Friendly FireAA BB
P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))P(A,B,X(Req))
BBA:[A:[ίίAA]] AAB:[B:[ίίBB]]
P(B,A,X(Rep))P(B,A,X(Rep)) P(A,B,X(Rep))P(A,B,X(Rep))
11
Preventing Deadlock
Each protocol session is assigned a unique session identifier. The packet filter includes the session identifier. Session identifiers are similar to protocol identifiers. Session identifiers included in messages.
Session matching property. Packets match filters installed for a particular session.
Security associations may be shared among different sessions.
12
With Solution
AA BB
P(A,B,X(Req(vP(A,B,X(Req(v22))))))P(A,B,X(Req(vP(A,B,X(Req(v11))))))
BBA:vA:v11:[:[ίίAA]] AAB:vB:v22:[:[ίίBB]]
P(B,A,X(Rep(vP(B,A,X(Rep(v22)))))) P(A,B,X(Rep(vP(A,B,X(Rep(v11))))))
14
Tunnel Calculus
Operational semantics for protocol stack. Provides an abstract foundation for future tunnel
protocols in light of their use in tunnel complexes. A suitable version could be used to model IPsec, but
not our current focus. Based on multiset term rewriting modulo
equations.
Allows one to reason about interactions between state installed at nodes and protocols.
15
Tunnel Calculus Layers
Packet Forwarding
Security Processing
Authorization
Establishment
Discovery
16
Grammar
Send secure packet
Secure message
sentMessage from
the secure layer
Pass state from one rule to the next and enforce an order of execution
17
Layer Interaction
Node a Node b
Higher Layer
Sec
Fwd
18
Forwarding Layer Rules
19
Secure LayerFind the matching
entry in MDB, select bundle, apply the
constructors in the bundle, and send the
message to forwarding layer
20
Trace Semantics
21
Observing Messages Given a trace M1, M2, M3 we want to observe
only the secure send and receive messages in a session.
Q(u) – infinite set of secure send/receive terms of session u.
22
Equivalent Traces
During each run of the protocol some values are generated by the TC new operator. SPI, acknowledgement identifiers.
t1~t2 iff they only differ in values generated by new.
M1~M2
T1~T2
23
Simulation Lemma
MM11
MM22 M’M’22
M’M’11
~~
~~
24
Observational Commutativity Theorem
25
Noninterference Theorem
Suppose T= M1…Mn is a trace in which session v is complete, where v not in Free(M1).
Suppose T’ = M’1…M’m is a trace in which session v is complete, where M1 ~ M’1,Then
26
Progress Theorem
27
Google Tunnel Calculus