802.16 Vulnerability Analysis

Prasad Narayana, Ruiming Chen, Yao Zhao, Coh Yoshizaki, Yan Chen, Judy Fu, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
p-narayana, rui-chen, jingo, c-yoshizaki, ychen, haizhou_at_northwestern.edu, judy.fu_at_motorola.com
http://list.cs.northwestern.edu/

1. Motivation
- High-speed Wireless Metropolitan Area Networks (MAN) are poised to become the Next Big Thing in data networks
- IEEE 802.16 technology, popularly called WiMAX, with enormous backing from the industry, is set to lead the broadband wireless network space
- Security, as always, is key for its functioning and growth

2. Related Work
- Security analysis of the IEEE 802.16 protocol has been largely confined to manual analysis
- Fast evolution of the protocol resulted in many incomplete (and, sometimes, even incorrect!) analyses
- Logic-based comprehensive analysis is missing from all previous work

3. Our Approach
- Manual Analysis and Verification: Identification of Security Loopholes; Classification of Vulnerability Levels of various IEEE 802.16 Protocol Processes
- TLA Modeling: Formal Specification of the Protocol Processes using TLA (Temporal Logic of Actions)
- Logic-based Analysis and Verification: Rigorous, Logic-based Analysis using Model-Checking and Simulation using TLC Model-Checker

4. Current Progress
- DoS during Initial Ranging
  [Figure: DL Subframe, UL Subframe, Initial Ranging slots]
  Attacker fills all slots, denying all new SS a chance to complete ranging
- DoS during Authentication

5. Future Work
- Analyze the mobility aspect of the new standard 802.16e and classify processes based on vulnerability levels
- Formally specify critical parts of the protocol and perform extensive TLC-based analysis of security properties
- Focus on internetworking aspects of the new standard and study their security implications
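
The initial-ranging DoS listed under Current Progress can be written as a small TLA+ specification and checked with TLC, in the way Our Approach describes. This is an added example, not the authors' model: the module name, `Slots`, `AttackerBudget`, the single-SS abstraction and the fairness assumption are all chosen here for illustration.

```tla
--------------------------- MODULE InitialRangingDoS ---------------------------
EXTENDS Naturals, FiniteSets

CONSTANTS Slots,           \* initial ranging slots in one UL subframe (assumed)
          AttackerBudget   \* max slots the attacker can fill per frame (assumed)

ASSUME AttackerBudget \in Nat

VARIABLES jammed,   \* slots filled by the attacker in the current frame
          ss        \* state of one new subscriber station (SS)

vars == <<jammed, ss>>

\* Every set of slots the attacker is able to fill in a single frame.
Jammable == {S \in SUBSET Slots : Cardinality(S) <= AttackerBudget}

TypeOK == /\ jammed \subseteq Slots
          /\ ss \in {"waiting", "ranged"}

Init == /\ jammed \in Jammable
        /\ ss = "waiting"

\* A new frame begins and the attacker chooses which slots to fill.
NewFrame == /\ jammed' \in Jammable
            /\ UNCHANGED ss

\* The SS completes ranging only if at least one slot is left free.
\* Abstraction (assumed): random backoff eventually lands on a free slot.
Range == /\ ss = "waiting"
         /\ Slots \ jammed # {}
         /\ ss' = "ranged"
         /\ UNCHANGED jammed

Next == NewFrame \/ Range

\* Weak fairness: if ranging stays possible, the SS eventually does it.
Spec == Init /\ [][Next]_vars /\ WF_vars(Range)

\* Security property to check: a new SS eventually completes ranging.
Availability == <>(ss = "ranged")
================================================================================
```

With `Slots` set to three model values, `Availability` holds under TLC for `AttackerBudget = 2`; for `AttackerBudget = 3` TLC reports a counterexample in which every slot is jammed in every frame and `ss` never leaves "waiting".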