Title: Formal Methods and Security Models for Wireless Network Protocols
Slide 1: Formal Methods and Security Models for Wireless Network Protocols
- Calvin Ko
- SPARTA, Inc.
- April 11, 2008
Slide 2: Formal Methods for Security
- A precise specification of security properties
- A formal model of the system
- A mathematically rigorous approach to verify that the model of the system satisfies the security properties
  - Theorem proving
  - Model checking
Slide 3: Some Notes on Formal Verification
- You cannot prove that a system is secure in any absolute sense
- You can only prove that a model of a system does or does not have certain specific security properties
- It requires human judgment to conclude whether having or not having those security properties constitutes "a secure system"
- Getting the properties (requirements) right is as important as getting the (model of the) system right
- There is no magic wand, no blind test that could automatically prove an arbitrary given system secure
Slide 4: Routing in Ad Hoc Networks
- Routing is a critical service in a MANET
  - Multi-hop communication without a base station
  - Fully distributed routing
  - Each node is a router
  - No centralized point
  - Topology is dynamic
  - Link failures and message loss occur frequently
- Routing security in a MANET is a very challenging problem
Slide 5: Current State
- Many ad hoc routing protocols
  - General: AODV, OLSR, DSR, TORA, ZRP, TBRPF, ...
  - Security-aware: SAODV, ARAN, SRP, SEAD, Ariadne, SLSP, OSRP, endairA, SOLSR, ...
  - Other add-on solutions: Watchdog, Pathrater, CONFIDANT, SAR, TIARA, IDS, ...
- We don't fully understand how secure they are
Slide 6: What Do We Need?
- Not only a single data point
- Protocol x Mobility x Adversary -> Security property
- A matrix of results: each row is a mobility condition, each column an adversary model, and each cell names the security property (S-prop) that holds for the protocol under that combination. The slide's example cells, as recovered:

  Row         Adversary 1   Adversary 2   Adversary 3   Adversary 4
  Mobility 2  S-prop A      S-prop B      S-prop C
  Mobility 2  S-prop B      S-prop D
  Mobility 2  S-prop F
  Mobility 2  S-prop E
Slide 7: Our Recent Work
- Provide high assurance of the security of tactical networks via mathematically rigorous reasoning
- Develop a formal proof that the specification-based IDS can enforce the given secure routing requirement of the OLSR protocol
[Diagram: a formal tactical network model, checked with the ACL2 prover, built from the tactical network protocol (OLSR), the formal security requirements, the formal protocol specification, the formal adversary model, and the specification-based IDS with its formal model (constraints and detection algorithm)]
Slide 8: Security Modeling for Routing with Byzantine Nodes
- Protect the network from bad wireless nodes
- A small number of Byzantine nodes could cause serious problems, e.g.,
  - "How to misuse AODV: a case study of insider attacks against mobile ad hoc networks", Peng Ning
  - "Attack against OLSR", Cédric Adjih
  - Rushing attacks, wormhole attacks, Sybil attacks
Slide 9: Security Analysis of Ad Hoc Routing Protocols
- Define what secure routing means
  - Limit the disruption caused by Byzantine nodes
  - Routing performance degrades gradually as the number of Byzantine nodes increases
- Existing security properties
  - Access control (secure states / safety properties)
  - Information flow (noninterference)
  - Data integrity
  - Availability
Slide 10: Types of Misbehavior
- Misbehavior in route-control traffic (the distributed computation of routing tables)
  - Routing integrity
- Misbehavior in forwarding data traffic
Slide 11: Tactical Network Model
- A set of MANET nodes, some of which are malicious
  - Good nodes follow the protocol
  - Bad nodes can do anything
- Changing topology and wireless links
- Events
  - Send / receive packets
  - Protocol-specific events
Slide 12: Wireless Ad Hoc Network
- Consider a particular execution (or run) of a MANET, producing a trace S
- The best case is that the bad nodes all behave in a way that conforms to the protocol. We denote the resulting trace by S̄ (S-bar)
- The best we can do in the worst case is that the other nodes treat the bad nodes as non-existent. We denote that trace by S− (S-minus)
Slide 13: Original Execution Trace S
[Figure: timeline starting at t0, marking send events and receive events]
An execution trace:
- C sends P1 to D at t1
- A sends P2 to B at t2
- B receives P2 at t5
Slide 14: All Bad Nodes Behave Well (S̄)
[Figure: the same timeline from t0 over nodes A, B, C, D, E, F, G, with the bad nodes following the protocol; the same three events as slide 13 (C sends P1 to D at t1, A sends P2 to B at t2, B receives P2 at t5)]
Slide 15: All Bad Nodes Removed (S−)
[Figure: network snapshots at t5 and t12 over nodes A, B, C, D, E, F, G with the bad nodes removed; the same three events as slide 13 (C sends P1 to D at t1, A sends P2 to B at t2, B receives P2 at t5)]
Slide 16: S, S̄, S−
- S: a given trace of the network
- S̄: the same run with the malicious nodes well behaved
- S−: the same run with the malicious nodes removed from the network
Slide 17: Secure Routing Requirements
- No route degradation: at any time t, the route from x to y in S is at least as good (in number of hops) as the route from x to y in either S̄ or S−.
- No route diversion: at any time t, if the route from x to y in S goes through an intermediate node z, then the route from x to y in S̄ or in S− also goes through z.
Slide 18: No Route Degradation
[Figure: network with nodes A, B, D, E, F; the hop counts of A's routes in each trace]

  Trace   A to E    A to F
  S       2 hops    3 hops
  S̄       2 hops    2 hops
  S−      2 hops    2 hops
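The trace comparison of slides 16 to 18, as an added Python model that is not code from the talk or from the SPARTA/ACL2 work. It uses a simplified link-state flooding model (every node floods a message listing its own links, relays what it receives, and keeps only the first copy of each message, as a duplicate table would), a constructed seven-node topology with one Byzantine node D, and two assumed misbehaviors: D deletes links involving F from everything it sends, and D advertises a link D-H that does not exist. It then computes A's route in S, S̄ and S− and checks the two requirements of slide 17. The "at least as good as either S̄ or S−" clause is read here as "at least as good as one of the two"; the comment shows where to tighten it. Topology, node names, the misbehaviors and the flooding model are all assumptions of this example.

```python
"""Added example (not from the talk): routes in S, S-bar and S-minus under a
simplified link-state flooding model with one Byzantine node."""
from collections import deque

INF = float("inf")

# Constructed topology (assumption, not from the slides). D is the Byzantine node.
TOPOLOGY = [("A", "C"), ("A", "D"), ("C", "G"), ("D", "B"), ("G", "B"), ("B", "F"), ("G", "H")]
BAD = "D"


def flood(links, bad=None, tamper=None):
    """Every node floods a message listing its own links; every node keeps the first
    copy of each message it sees (duplicate table) and relays it. The Byzantine node
    rewrites every message it sends with `tamper`. Returns {node: links it knows}."""
    nodes = sorted({n for link in links for n in link})
    adj = {n: set() for n in nodes}
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    # each node starts out knowing its own links (what it learned from HELLOs)
    view = {n: {frozenset(l) for l in links if n in l} for n in nodes}
    for origin in nodes:
        message = {frozenset((origin, x)) for x in adj[origin]}
        seen = {origin}
        queue = deque([(origin, message)])
        while queue:
            node, content = queue.popleft()
            if node == bad and tamper is not None:
                content = tamper(content)      # Byzantine rewrite of own/relayed message
            for nxt in sorted(adj[node]):     # sorted: deterministic arrival order
                if nxt in seen:
                    continue                   # duplicate table: first copy wins
                seen.add(nxt)
                view[nxt] |= content
                queue.append((nxt, content))
    return view


def route(known_links, src, dst):
    """Fewest-hop route over the links a node knows (BFS), or None if unreachable."""
    adj = {}
    for link in known_links:
        u, v = sorted(link)
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if dst not in parent:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def hops(path):
    return INF if path is None else len(path) - 1


def no_route_degradation(r_s, r_sbar, r_sminus):
    # Slide 17, read as: the S route is at least as good (hops) as the route in at
    # least one of S-bar and S-minus. Replace max by min for the stricter reading.
    return hops(r_s) <= max(hops(r_sbar), hops(r_sminus))


def no_route_diversion(r_s, r_sbar, r_sminus):
    # Every intermediate node of the S route must lie on the S-bar or the S-minus route.
    if r_s is None:
        return True
    allowed = set((r_sbar or [])[1:-1]) | set((r_sminus or [])[1:-1])
    return set(r_s[1:-1]) <= allowed


def strip_f(content):
    """Assumed misbehavior 1: D deletes every link involving F from what it sends."""
    return {l for l in content if "F" not in l}


def fake_link_to_h(content):
    """Assumed misbehavior 2: D advertises a link D-H that does not exist."""
    return content | {frozenset(("D", "H"))}


def analyse(links, bad, tamper, src, dst):
    s = flood(links, bad, tamper)                       # S: bad node misbehaves
    s_bar = flood(links)                                 # S-bar: bad node follows the protocol
    s_minus = flood([l for l in links if bad not in l])  # S-minus: bad node removed
    r_s, r_sbar, r_sminus = (route(v[src], src, dst) for v in (s, s_bar, s_minus))
    return {"S": r_s, "S_bar": r_sbar, "S_minus": r_sminus,
            "no_degradation": no_route_degradation(r_s, r_sbar, r_sminus),
            "no_diversion": no_route_diversion(r_s, r_sbar, r_sminus)}


if __name__ == "__main__":
    print(analyse(TOPOLOGY, BAD, strip_f, "A", "F"))         # F unreachable in S: degradation
    print(analyse(TOPOLOGY, BAD, fake_link_to_h, "A", "H"))  # S route A-D-H: diverted via D
```

Two points the runs make that the slides only state: with the F-stripping misbehavior, A's route to F in S is none at all while it is 3 hops in S̄ and 4 in S−, so the degradation check fails; with the false D-H link, A's route to H shrinks from 3 hops to 2 and passes the degradation check, but the only intermediate node is D, which is on neither reference route, so the diversion check fails. Hop count alone would have called the second attack an improvement, which is why slide 17 needs both requirements.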
Slide 19: A Formal Analysis Framework
[Diagram: common security properties, a formal protocol specification, mobility conditions and an adversary model all feed into highly automated verification]
Slide 20: Building Blocks for a Secure Ad Hoc Routing Protocol (OLSR)
- Building blocks
  - Secure neighbor discovery
  - Secure 2-hop neighbor association
[Diagram: Secure Neighbor Discovery (1-hop) -> 2-hop Neighbor Discovery (2-hop) -> MPR Selector -> Routing Table]
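The 2-hop neighbor association and MPR selector stages of the pipeline above, as an added Python example that is neither the talk's code nor an OLSR implementation: a simplified version of the MPR computation heuristic of RFC 3626 section 8.3.1 (node willingness ignored) run over a constructed HELLO-derived neighbor view at node A, together with the coverage property a verifier would state for the resulting MPR set. Node names and the neighbor sets are constructed for the example.

```python
"""Added example (not from the talk): 2-hop neighbor association and MPR selection,
a simplified RFC 3626 section 8.3.1 heuristic with willingness ignored."""


def strict_two_hop(me, one_hop, neighbor_links):
    """2-hop neighbor association: for each symmetric 1-hop neighbor, the nodes it
    advertises in its HELLO that are neither `me` nor already 1-hop neighbors."""
    return {n: (links - one_hop - {me}) for n, links in neighbor_links.items() if n in one_hop}


def select_mprs(me, one_hop, neighbor_links):
    """Pick a multipoint relay set: every strict 2-hop neighbor must be reachable
    through at least one MPR."""
    cover = strict_two_hop(me, one_hop, neighbor_links)
    n2 = set().union(*cover.values()) if cover else set()
    mprs = set()
    # Step 1: a 1-hop neighbor that is the only path to some 2-hop node is always an MPR.
    for target in sorted(n2):
        providers = [n for n, reach in cover.items() if target in reach]
        if len(providers) == 1:
            mprs.add(providers[0])
    covered = set().union(*(cover.get(m, set()) for m in mprs)) if mprs else set()
    # Step 2: greedily add the neighbor covering the most still-uncovered 2-hop nodes
    # (ties broken by name so the result is deterministic).
    while n2 - covered:
        candidates = sorted(one_hop - mprs)
        best = max(candidates, key=lambda n: len(cover.get(n, set()) - covered))
        if not cover.get(best, set()) - covered:
            break                       # nothing left that any neighbor can reach
        mprs.add(best)
        covered |= cover[best]
    return mprs


def mprs_cover_all(me, one_hop, neighbor_links, mprs):
    """The property to verify: the chosen MPRs reach every strict 2-hop neighbor."""
    cover = strict_two_hop(me, one_hop, neighbor_links)
    n2 = set().union(*cover.values()) if cover else set()
    reached = set().union(*(cover.get(m, set()) for m in mprs)) if mprs else set()
    return n2 <= reached


# Constructed HELLO-derived view at node A (assumption, not from the talk):
# A's symmetric 1-hop neighbors and the link sets each of them advertised.
ONE_HOP = {"B", "C", "D"}
NEIGHBOR_LINKS = {"B": {"A", "E", "F"}, "C": {"A", "E"}, "D": {"A", "G"}}

if __name__ == "__main__":
    chosen = select_mprs("A", ONE_HOP, NEIGHBOR_LINKS)
    print(sorted(chosen), mprs_cover_all("A", ONE_HOP, NEIGHBOR_LINKS, chosen))
```

In the constructed view, F is reachable only through B and G only through D, so both are forced MPRs by step 1 and C is never needed; the greedy step only runs when no single neighbor is the sole path to a 2-hop node. The coverage check is the kind of invariant the framework on slide 19 would state over the MPR selector stage, independently of how the set was computed.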
Slide 21: Research Challenges
- Security properties for protocols
- Fundamental understanding of the basic building blocks of protocol security
- Support for incremental and reusable proofs, so that results can be proved under a range of assumptions
- Composing protocols in large networks
- Systematic identification of vulnerabilities in protocol specifications