Reasoning about Concurrency for Security Tunnels

1
Reasoning about Concurrency for Security Tunnels

• Alwyn E. Goodloe
• University of Pennsylvania
• Carl A. Gunter
• University of Illinois Urbana-Champaign

2
Security Tunnels

• A technique in which a pair of nodes share state
  that enables them to apply transformations to
  messages to ensure their security.
• SSL, IPsec.
• Our work assumes network layer tunnels, but not a
  specific technology.
• Key-establishment protocols are employed to
  create a shared key.
• Internet Key Exchange Protocol (IKE).
• Secrecy and integrity of shared crypto
  information is typically the focus of formal
  analysis.
• Not our focus.

3
Road Warrior Example
4
Hierarchy of Gateways
5
Gateways Tunnels

• Tunnels and gateways can ensure that traffic is
  authenticated and authorized as satisfying some
  policy.
• Firewalls do authorization, but not
  authentication of packets.
• We assume VPN gtateways.
• The tunnels form a virtual topology where traffic
  flow governed by the gateways high-level policy.
• Tunnel complex configuration typically requires
  manual activity.
• Discovery protocols that discover gateways and
  set up tunnels automate this task.
• Establishment is a component of such protocols.

6
Authenticated Traversal

• Ingress traffic to a gateways administrative
  domain must be authenticated and authorized
• Want to control what traffic is on your networks.
• Protection against denial of service.
• Egress traffic from an administrative domain must
  be authenticated and authorized
• Wireless gateways that are billing for services.
• Protection against exfiltration.

7
Modeling Tunnels

• A secure tunnel can be viewed type-theoretically
  as a rule for applying a constructor at the
  source and a destructor at the destination.
• Security Association the constructor destructor
  pair.
• Security association database (SAD).
• Security Parameter Index (SPI) uniquely
  identifies association.
• Security Mechanism - directs traffic into the
  proper association.
• Security mechanism database (SMD).
• IPsec SPD.

8
Tunnel Example
?1
?2
A
B
G
?3
A?BOut(B,?3) Out(G,?1)
A?BIn(A,?1)
A?BOut(B,?2)
A?BIn(A,?,3)In(G,?2)
P(A,B,y)
P(A,G,S(?1,P(A,B,S(?3,P(A,B,y)))))
P(A,B,S(?3,P(A,B,y)))
P(G,B,S(?2,P(A,B,S(?3,P(A,B,y))
P(A,B,y)
9
Establishment
B
A
P(A,B, X(Req(S, D, ?A, K)))
In(A,?B) S?Din(A, ?B)
P(B,A, X(Rep(S, D, ?A , ?B, K)))
Out(B,?B) S?DOut(B, ?B)
Out(A,?A) D?SOut(A, ?A)
In(B,?A) D?SIn(B, ?A)
10
Friendly Fire
B
A
P(A,B,X(Req))
P(A,B,X(Req))
B?A?A
A?B?B
P(B,A,X(Rep))
P(A,B,X(Rep))
11
Preventing Deadlock

• Each protocol session is assigned a unique
  session identifier. The packet filter includes
  the session identifier.
• Session identifiers are similar to protocol
  identifiers.
• Session identifiers included in messages.
• Session matching property. Packets match filters
  installed for a particular session.
• Security associations may be shared among
  different sessions.

12
With Solution
B
A
P(A,B,X(Req(v2)))
P(A,B,X(Req(v1)))
B?Av1?A
A?Bv2?B
P(B,A,X(Rep(v2)))
P(A,B,X(Rep(v1)))
13
Objective II

• Want a formal proof that state installed in
  session u does not interfere with the messages
  of session v.
• Introduce the tunnel calculus.
• Noninterference theorem.
• Progress theorem.

14
Tunnel Calculus

• Operational semantics for protocol stack.
• Provides an abstract foundation for future tunnel
  protocols in light of their use in tunnel
  complexes.
• A suitable version could be used to model IPsec,
  but not our current focus.
• Based on multiset term rewriting modulo
  equations.
• Allows one to reason about interactions between
  state installed at nodes and protocols.

15
Tunnel Calculus Layers
Discovery
Establishment
Authorization
Security Processing
Packet Forwarding
16
Grammar
Send secure packet
Secure message sent
Message from the secure layer
Pass state from one rule to the next and enforce
an order of execution
17
Layer Interaction
Node a
Node b
Higher Layer
Sec
Fwd
18
Forwarding Layer Rules
19
Secure Layer
Find the matching entry in MDB, select bundle,
apply the constructors in the bundle, and send
the message to forwarding layer
20
Trace Semantics
21
Observing Messages

• Given a trace M1, M2, M3 we want to observe only
  the secure send and receive messages in a
  session.
• Q(u) infinite set of secure send/receive terms
  of session u.

22
Equivalent Traces

• During each run of the protocol some values are
  generated by the TC new operator.
• SPI, acknowledgement identifiers.
• t1t2 iff they only differ in values generated by
  new.
• M1M2
• T1T2

23
Simulation Lemma
M1

M1

M2
M2
24
Observational Commutativity Theorem
25
Noninterference Theorem

• Suppose T M1Mn is a trace in which session v
  is complete, where v not in Free(M1).
• Suppose T M1Mm is a trace in which session
  v is complete, where M1 M1,Then

26
Progress Theorem
27
Google Tunnel Calculus