Probabilistic model checking for the quantification of DoS security threats

2010 IEEE 12th International Symposium on High Assurance Systems Engineering

Katsaros

et al. 2010

Self Cite

Abstract-We use the probabilistic model checker PRISM to formally model and analyze the highly publicized Kaminsky DNS cache-poisoning attack. DNS (Domain Name System) is an internet-wide, hierarchical naming system used to translate domain names such as google.com into physical IP addresses such as 208.77.188.166. The Kaminsky DNS attack is a recently discovered vulnerability in DNS that allows an intruder to hijack a domain; i.e. corrupt a DNS server so that it replies with the IP address of a malicious web server when asked to resolve URLs within a non-malicious domain such as google.com. A proposed fix for the attack is based on the idea of randomizing the source port a DNS server uses when issuing a query to another server in the DNS hierarchy.We use PRISM to introduce a Continuous Time Markov Chain representation of the Kaminsky attack and the proposed fix, and to perform the required probabilistic model checking. Our results, gleaned from more than 240 PRISM runs, formally validate the existence of the Kaminsky cache-poisoning attack even in the presence of an intruder with virtually no knowledge of the victim DNS server's actions. They also serve to quantify the effectiveness of the proposed fix: using nonlinear least-squares curve fitting, we show that the probability of a successful attack obeys a 1/N distribution, where N is the upper limit on the range of source-port ids. We also demonstrate an increasing attack probability with an increasing number of attempted attacks or increasing rate at which the intruder guesses the source-port id.

Section: B Validation Of Results and Runtime Statisticsmentioning

confidence: 99%

“…RELATED WORK In related work, a number of researchers have deployed probabilistic model checking to analyze threat levels in computer systems and security protocols [9], [16], [14], [2].…”

Section: B Validation Of Results and Runtime Statisticsmentioning

confidence: 99%

Section: Prism Model Of the Kaminsky Attackmentioning

confidence: 99%

See 1 more Smart Citation

Formal Analysis of the Kaminsky DNS Cache-Poisoning Attack Using Probabilistic Model Checking

Αλεξίου

2010 IEEE 12th International Symposium on High Assurance Systems Engineering

Katsaros

et al. 2010

Self Cite

“…This fact makes probabilistic model checking a promising approach towards quantitative analysis of protocols [13,25]. The importance of enabling quantitative analysis for a given cryptographic protocol was first shown in [26].…”

Section: Related Workmentioning

confidence: 99%

Quantitative analysis of a certified e-mail protocol in mobile environments: A probabilistic model checking approach

Petridou

Αλεξίου

et al. 2011

Computers & Security

Formal analysis techniques, such as probabilistic model checking, offer an effective mechanism for model-based performance and verification studies of communication systems' behavior that can be abstractly described by a set of rules i.e., a protocol. This article presents an integrated approach for the quantitative analysis of the Certified E-mail Message Delivery (CEMD) protocol that provides security properties to electronic mail services. The proposed scheme employs a probabilistic model checking analysis and provides for the first time insights on the impact of CEMD's error tolerance on computational and transmission cost. It exploits an efficient combination of quantitative analysis and specific computational and communication parameters, i.e., the widely used Texas Instruments TMS320C55x Family operating in an High Speed Downlink Packet Access (HSDPA) mobile environment, where multiple CEMD participants execute parallel sessions with high bit error rates (BERs). Furthermore, it offers a tool-assistant approach for the protocol designers and analysts towards the verification of their products under varying parameters. Finally, this analysis can be also utilized towards reliably addressing cost-related issues of certain communication protocols and deciding on their cost-dependent viability, taking into account limitations that are introduced by hardware specifications of mobile devices and noisy mobile environments.

“…This allows further optimizations of the MI intruder behavior based on known security principles [15,20,21,22,23], as well as implementation of custom behavior that will enable model checking requirements beyond those expressed as safety guarantees (i.e. secrecy and authentication).…”

Section: The MI Intruder Model In Usementioning

confidence: 99%

An intruder model with message inspection for model checking security protocols

Katsaros

Pombortsis

2010

Computers & Security

Self Cite

Model checking security protocols is based on an intruder model that represents the eavesdropping or interception of the exchanged messages, while at the same time performs attack actions against the ongoing protocol session(s). Any attempt to enumerate all messages that can be deduced by the intruder and the possible actions in all protocol steps results in an enormous branching of the model's state space. In current work, we introduce a new intruder model that can be exploited for state space reduction, optionally in combination with known techniques, such as partial order and symmetry reduction. The proposed intruder modeling approach called Message Inspection (MI) is based on enhancing the intruder's knowledge with metadata for the exchanged messages. In a preliminary simulation run, the intruder tags the analyzed messages with protocol-specific values for a set of predefined parameters. This metadata is used to identify possible attack actions, for which it is a priori known that they cannot cause a security violation. The MI algorithm selects attack actions that can be discarded, from an open-ended base of primitive attack actions. Thus, model checking focuses only on attack actions that may disclose a security violation. The most interesting consequence is a non negligible state-space pruning, but at the same time our approach also allows customizing the behavior of the intruder model, in order e.g. to make it appropriate for model checking problems that involve liveness. We provide experimental results obtained with the SPIN model checker, for the Needham Schroeder security protocol.