Formal Methods and Security Models for Wireless Network Protocols - PowerPoint PPT Presentation

1
Formal Methods and Security Models for Wireless
Network Protocols
  • Calvin Ko
  • SPARTA, Inc.
  • April 11, 2008

2
Formal Methods for Security
  • A precise specification of security properties
  • A formal model of the system
  • A mathematically rigorous approach to verify that
    the model of the system satisfies the security
    properties
      • Theorem proving
      • Model checking

3
Some Notes on Formal Verification
  • You cannot prove that a system is secure in any
    absolute sense
  • You can only prove that a model of a system does
    or does not have certain specific security
    properties
  • It requires human judgment to conclude whether
    having or not having those security properties
    constitutes 'a secure system'
  • Getting the properties (requirements) right is as
    important as getting the (model of the) system
    right
  • There is no magic wand, no blind test that could
    automatically prove an arbitrary given system is
    secure

4
Routing in Ad Hoc Networks
  • Routing is a critical service in MANET
  • Multi-hop communication without base station
  • Fully distributed routing
  • Each node is a router
  • No centralized point
  • Topology is dynamic
  • Link failure and message loss occur frequently
  • Routing security in MANET is a very challenging
    problem

5
Current State
  • Many ad hoc routing protocols
  • General: AODV, OLSR, DSR, TORA, ZRP, TBRPF, ...
  • Security-aware: SAODV, ARAN, SRP, SEAD, Ariadne,
    SLSP, OSRP, endairA, SOLSR
  • Other add-on solutions: WATCHDOG, Pathrater,
    CONFIDANT, SAR, TIARA, IDS, ...
  • We don't fully understand how secure they are

6
What we need?
  • Not only a single data point
  • Protocol × Mobility × Adversary → Security-Property
  • For one protocol: a matrix of mobility conditions
    (rows) against adversary models (columns), each
    cell giving the security property that holds, e.g.:

             Adversary 1   Adversary 2   Adversary 3   Adversary 4
Mobility 2   S-prop A      S-prop B      S-prop C
Mobility 2   S-prop B      S-prop D
Mobility 2   S-prop F
Mobility 2   S-prop E
7
Our Recent Work
  • Provide high assurance of the security of
    tactical networks via mathematically rigorous
    reasoning
  • Develop a formal proof that the specification-based
    IDS can enforce the given secure routing
    requirement of the OLSR protocol

[Figure: Formal Tactical Network model, built in the ACL2 prover, with its inputs]
  • Tactical network protocol (OLSR) → Formal Protocol Specification
  • Formal Security Requirements
  • Formal Adversary Model
  • Specification-based IDS → Formal Model of IDS (constraint, detection
    algorithm)
8
Security Modeling for Routing with Byzantine Nodes
  • Protect the network from bad wireless nodes
  • A small number of Byzantine nodes could cause
    huge problems, e.g.:
  • "How to misuse AODV: a case study of insider
    attacks against mobile ad hoc networks", Peng Ning
  • "Attacks against OLSR", Cédric Adjih
  • Rushing attacks, wormhole attacks, Sybil attacks

9
Security Analysis of Ad Hoc Routing Protocols
  • Define what secure routing means
  • Limit the disruption by Byzantine nodes
  • Routing performance should degrade gracefully as
    the number of Byzantine nodes increases
  • Existing security properties:
  • Access control (secure states / safety
    properties)
  • Information flow (noninterference)
  • Data integrity
  • Availability

10
Types of misbehavior
  • Misbehavior in route-control traffic (distributed
    computation of routing tables)
  • Routing integrity
  • Misbehavior in forwarding data traffic

11
Tactical Network Model
  • A set of MANET nodes, some of them malicious
  • Good nodes follow the protocol
  • Bad nodes can do anything
  • Changing topology and wireless links
  • Events:
  • Send / receive packets
  • Protocol-specific events

12
Wireless Ad Hoc Network
  • Consider a particular execution (or run) of a
    MANET, producing a trace S
  • The best case is that the bad nodes all behave in
    a way that conforms to the protocol. We denote the
    resulting trace by S+
  • The best we can do in the worst case is that the
    other nodes treat the bad nodes as non-existent.
    We denote that trace by S-

13
Original Execution Trace - S
[Figure: node positions at t0, with send and receive events marked on the timeline]
An execution trace:
  C sends P1 to D at t1
  A sends P2 to B at t2
  B receives P2 at t5
14
All bad nodes behave well - S+
[Figure: nodes A, B, C, D, E, F, G at t0, every bad node following the protocol; send and receive events as on the previous slide]
An execution trace:
  C sends P1 to D at t1
  A sends P2 to B at t2
  B receives P2 at t5
15
All bad nodes removed - S-
[Figure: nodes A, B, C, D, E, F, G shown at t5 and again at t12, with the bad nodes removed from the network; send and receive events as on the previous slides]
An execution trace:
  C sends P1 to D at t1
  A sends P2 to B at t2
  B receives P2 at t5
16
S, S+, S-
  • S: a given trace of the network
  • S+: the same run with the malicious nodes well behaved
  • S-: the same run with the malicious nodes removed from the network
17
Secure Routing Requirements
  • No route degradation - At any time t, the route
    from x to y in S is at least as good (in number
    of hops) as the route from x to y in either S- or
    S+.
  • No route being diverted - At any time t, if the
    route from x to y in S goes through an
    intermediate node z, then the route from x to y
    in S+ or S- also goes through z.

18
No route degradation
[Figure: nodes A, B, D, E, F; the routes from A in each trace]

  Trace   A to E    A to F
  S       2 hops    3 hops
  S+      2 hops    2 hops
  S-      2 hops    2 hops
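The two requirements of slide 17, checked on a single instant of the three traces of slides 12 to 16, as an added example (not the presentation's code or its ACL2 model). The topology, the Byzantine node D and the hop counts are constructed to reproduce the slide-18 numbers; modelling "bad nodes can do anything" as links the bad node suppresses from or fabricates into the honest nodes' link state is this example's simplification, and "at least as good as the route in either S- or S+" is read as "no worse than the worse of the two":

```python
"""Checking the two secure-routing requirements of the slides (no route
degradation, no route diversion) on one instant t of the traces S, S+, S-.
Added example; not the presentation's code or its ACL2 model."""
from collections import deque

INF = float("inf")


def link(u, v):
    """Undirected link as a frozenset, so (u, v) and (v, u) compare equal."""
    return frozenset((u, v))


# Constructed snapshot: the links that physically exist at time t and the
# Byzantine node.  Chosen so the honest routes match slide 18
# (A to E: 2 hops, A to F: 2 hops in S+ and S-).
PHYSICAL = {link("A", "B"), link("B", "E"), link("E", "F"),
            link("B", "F"), link("A", "D"), link("D", "F")}
BAD = {"D"}


def adjacency(links):
    adj = {}
    for l in links:
        u, v = tuple(l)
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def route(links, src, dst):
    """Hop-count shortest path (BFS) over the links honest nodes believe in.
    Neighbours expand in sorted order so ties resolve identically in every
    trace.  Returns the node list, or None if dst is unreachable."""
    adj = adjacency(links)
    if src not in adj or dst not in adj:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for v in sorted(adj[u]):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return None


def hops(path):
    return INF if path is None else len(path) - 1


# Slide 16's three traces, reduced to the link state at one instant.
def s_plus(physical):
    """S+: bad nodes follow the protocol, so the link state is the truth."""
    return set(physical)


def s_minus(physical, bad):
    """S-: bad nodes are treated as non-existent, so their links vanish."""
    return {l for l in physical if not (l & bad)}


def s_actual(physical, suppressed, fabricated):
    """S: what honest nodes end up believing.  Reducing 'bad nodes can do
    anything' to links suppressed from / fabricated into the link state is
    this example's simplification (assumption)."""
    return (set(physical) - set(suppressed)) | set(fabricated)


def no_degradation(p_s, p_plus, p_minus):
    """Slide 17: the route in S is at least as good (hops) as in S+ or S-."""
    return hops(p_s) <= max(hops(p_plus), hops(p_minus))


def no_diversion(p_s, p_plus, p_minus):
    """Slide 17: every intermediate node of the S route is on the S+ or S- route."""
    if p_s is None:
        return True
    allowed = set(p_plus or ()) | set(p_minus or ())
    return all(z in allowed for z in p_s[1:-1])


def check(src, dst, suppressed=(), fabricated=(), physical=PHYSICAL, bad=BAD):
    p_s = route(s_actual(physical, suppressed, fabricated), src, dst)
    p_plus = route(s_plus(physical), src, dst)
    p_minus = route(s_minus(physical, bad), src, dst)
    return {"S": p_s, "S+": p_plus, "S-": p_minus,
            "no_degradation": no_degradation(p_s, p_plus, p_minus),
            "no_diversion": no_diversion(p_s, p_plus, p_minus)}


if __name__ == "__main__":
    # D keeps the B-F and D-F links out of the link state (e.g. by not
    # relaying them): A's route to F grows from 2 to 3 hops, as on slide 18.
    print(check("A", "F", suppressed={link("B", "F"), link("D", "F")}))
    # D hides only B-F: still 2 hops to F, but now through D (diversion).
    print(check("A", "F", suppressed={link("B", "F")}))
    # D fabricates a D-E link and hides B-E: A's traffic to E goes via D.
    print(check("A", "E", suppressed={link("B", "E")}, fabricated={link("D", "E")}))
    # No misbehaviour: S coincides with S+.
    print(check("A", "F"))
```

The second and third scenarios show why the slide lists diversion as a separate requirement: the hop count is unchanged, so a degradation check alone would pass, yet the bad node has placed itself on the path and can now drop or inspect the data traffic (slide 10's forwarding misbehaviour). A specification-based IDS as on slide 7 would have to compare the link state each node acts on against what it can verify about its neighbours, which is what the routing checks here do with the S+ and S- references.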
19
A Formal Analysis Framework
[Figure: Common Security Properties, Formal Protocol Specification, Mobility conditions and Adversary model feed a highly automated verification step]
20
Building Blocks for a Secure Ad Hoc Routing Protocol
(OLSR)
  • Building blocks
  • Secure neighbor discovery
  • Secure 2-hop neighbor association

[Figure: OLSR processing chain: Secure Neighbor Discovery (1-hop) → 2-hop Neighbor Discovery (2-hop) → MPR Selector → Routing Table]
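Why the 2-hop neighbor association is a building block of its own: the MPR selector consumes it directly, so whatever a neighbor claims in its HELLO shapes which nodes relay this node's control traffic. The following is an added example (not the presentation's code) with a simplified form of the RFC 3626 MPR heuristic; the node names, HELLO contents and the roster-based filter standing in for the secure 2-hop association are all constructed assumptions of the example:

```python
"""MPR selection from a node's HELLO-derived 1-hop and 2-hop neighbour sets,
and why the 2-hop association has to be secured before it feeds the
selector.  Added example using a simplified RFC 3626 heuristic; not the
presentation's code."""


def select_mprs(me, one_hop, two_hop_via):
    """one_hop: symmetric 1-hop neighbours of `me`.
    two_hop_via: neighbour -> set of nodes that neighbour's HELLO lists as
    its own neighbours.  RFC 3626 heuristic, simplified: take every
    neighbour that is the only way to some strict 2-hop node, then greedily
    the neighbour covering the most still-uncovered 2-hop nodes (ties by
    name).  Returns the MPR set."""
    n2 = set()
    for nb in one_hop:
        n2 |= two_hop_via.get(nb, set())
    n2 -= one_hop | {me}                      # strict 2-hop set
    mprs, uncovered = set(), set(n2)
    for target in n2:
        providers = [nb for nb in one_hop
                     if target in two_hop_via.get(nb, set())]
        if len(providers) == 1:               # only route to that node
            mprs.add(providers[0])
    for m in mprs:
        uncovered -= two_hop_via[m]
    while uncovered:
        candidates = sorted(one_hop - mprs)
        if not candidates:
            break
        best = max(candidates,
                   key=lambda nb: len(two_hop_via.get(nb, set()) & uncovered))
        if not two_hop_via.get(best, set()) & uncovered:
            break                             # nothing left that anyone covers
        mprs.add(best)
        uncovered -= two_hop_via[best]
    return mprs


# Constructed: A's neighbours B, C, D and the neighbour lists their HELLOs carry.
ONE_HOP = {"B", "C", "D"}
HONEST_HELLOS = {"B": {"A", "E"}, "C": {"A", "E", "F"}, "D": {"A"}}

# D is Byzantine and pads its HELLO with nodes that do not exist, so that it
# becomes the only provider of those "2-hop" nodes and is selected as MPR,
# after which A's flooded control traffic is relayed only by D.
LYING_HELLOS = dict(HONEST_HELLOS, D={"A", "E", "F", "X", "Y", "Z"})

# Stand-in for the secure 2-hop association building block: this example
# assumes the tactical network has a known roster of node identities and
# drops 2-hop claims naming anything else (assumption, not the slides').
ROSTER = {"A", "B", "C", "D", "E", "F"}


def sanitize_two_hop(hellos, roster):
    """Keep only 2-hop claims that name a node on the roster."""
    return {nb: claimed & roster for nb, claimed in hellos.items()}


if __name__ == "__main__":
    print(select_mprs("A", ONE_HOP, HONEST_HELLOS))                           # {'C'}
    print(select_mprs("A", ONE_HOP, LYING_HELLOS))                            # {'D'}
    print(select_mprs("A", ONE_HOP, sanitize_two_hop(LYING_HELLOS, ROSTER)))  # {'C'}
```

With honest HELLOs, C is the only neighbor reaching F and becomes A's sole MPR. Once D claims three fictitious 2-hop nodes it becomes the only provider for them, displaces C, and every TC message A originates now passes through D alone. Filtering the claims restores C; a real deployment would replace the roster check with whatever authenticated neighbor evidence the secure neighbor discovery step produces, which is exactly the dependency the slide's chain makes explicit.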
21
Research Challenges
  • Security properties for protocols
  • Fundamental understanding of the basic building
    blocks of protocol security
  • Support for incremental and reusable proofs, so
    results can be proved under ranges of assumptions
  • Composing protocols in large networks
  • Systematic identification of vulnerabilities in
    protocol specifications