Intrusion Attack Tactics for the Model Checking of e-Commerce Security Guarantees

Pombortsis

2010

Computers & Security

Self Cite

Model checking security protocols is based on an intruder model that represents the eavesdropping or interception of the exchanged messages, while at the same time performs attack actions against the ongoing protocol session(s). Any attempt to enumerate all messages that can be deduced by the intruder and the possible actions in all protocol steps results in an enormous branching of the model's state space. In current work, we introduce a new intruder model that can be exploited for state space reduction, optionally in combination with known techniques, such as partial order and symmetry reduction. The proposed intruder modeling approach called Message Inspection (MI) is based on enhancing the intruder's knowledge with metadata for the exchanged messages. In a preliminary simulation run, the intruder tags the analyzed messages with protocol-specific values for a set of predefined parameters. This metadata is used to identify possible attack actions, for which it is a priori known that they cannot cause a security violation. The MI algorithm selects attack actions that can be discarded, from an open-ended base of primitive attack actions. Thus, model checking focuses only on attack actions that may disclose a security violation. The most interesting consequence is a non negligible state-space pruning, but at the same time our approach also allows customizing the behavior of the intruder model, in order e.g. to make it appropriate for model checking problems that involve liveness. We provide experimental results obtained with the SPIN model checker, for the Needham Schroeder security protocol.

Section: The MI Intruder Modelmentioning

confidence: 99%

Section: Message Metadatamentioning

confidence: 99%

Section: The MI Intruder Model In Usementioning

confidence: 99%

“…In the last row of Table 2 we provide the enabling conditions for this attack action. For a complete description of the attack actions mentioned in Table 2 the reader is referred to [15].…”

Section: The MI Intruder Model In Usementioning

confidence: 99%

See 2 more Smart Citations

An intruder model with message inspection for model checking security protocols

Pombortsis

2010

Computers & Security

Self Cite

“…SPIN is an automated model checker that aims to efficiently verifying (distributed) software systems. Its success has been proved through several case studies [7,8], where SPIN is used to trace design errors in distributed systems. It provides the capability of reporting flaws like model deadlocks, unspecified receptions, flags incompleteness, race conditions, unwarranted assumptions about the speeds of processes [9] and others.…”

Section: Introductionmentioning

confidence: 99%

A Formally Verified Mechanism for Countering SPIT

Soupionis

Lecture Notes in Computer Science

et al. 2011

Self Cite

Abstract. Voice over IP (VoIP) is a key technology, which provides new ways of communication. It enables the transmission of telephone calls over the Internet, which delivers economical telephony that can clearly benefit both consumers and businesses, but it also provides a cheap method of mass advertising. Those bulks unsolicited calls are known as SPam over Internet Telephony (SPIT). In this paper we illustrate an anti-SPIT policy-based management (aSPM) mechanism which can handle the SPIT phenomenon. Moreover, we introduce a formal verification as a mean for validating the effectiveness of the aSPM against its intended goals. We provide model checking results that report upper bounds in the duration of call session establishment for the analyzed anti-SPIT policy over the Session Initiation Protocol (SIP) and prove the absence of deadlocks.

Synthesis of attack actions using model checking for the verification of security protocols

Pombortsis

2011

Security Comm Networks

Self Cite

Model checking cryptographic protocols have evolved to a valuable method for discovering counterintuitive security flaws, which makes it possible for a hostile agent to subvert the goals of the protocol. Published works and existing security analysis tools are usually based on general intruder models that embody at least some aspects of the seminal work of Dolev--Yao, in an attempt to detect failures of secrecy. In this work, we propose an alternative intruder model, which is based on a thorough analysis of how potential attacks might proceed. We introduce an intruder model that provides an open-ended base for the integration of multiple basic attack tactics. Those attack tactics have the possibility to be combined, in a way to compose complex attack actions that require a number of procedural steps from the intruder's side, such as a Denial of Service attack. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. The analyst can express security properties of specific attack actions that are not restricted to safety violations captured by a generic model checker. The described intruder model methodology was implemented within the SPIN model checker for verifying two security protocols, Micromint and PayWord.