Andrew Pombortsis

Intrusion attack tactics for the model checking of e-commerce security guarantees

In existing security model-checkers the intruders behavior is defined as a message deducibility rule base governing use of eavesdropped information, with the aim to find out a message that is meant to be secret or to generate messages that impersonate some protocol participant(s). The advent of complex protocols like those used in e-commerce brings to the foreground intrusion attacks that are not always attributed to failures of secrecy or authentication. We introduce an intruder model that provides an open-ended base for the integration of multiple attack tactics. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. Thus, the analyst can express e-commerce security guarantees that are not restricted to the absence of secrecy and the absence of authentication failures. The described intruder model was implemented within the SPIN model-checker and revealed an integrity violation attack on the Pay Word micro payment protocol.

Synthesis of attack actions using model checking for the verification of security protocols

Model checking cryptographic protocols have evolved to a valuable method for discovering counterintuitive security flaws, which makes it possible for a hostile agent to subvert the goals of the protocol. Published works and existing security analysis tools are usually based on general intruder models that embody at least some aspects of the seminal work of Dolev–Yao, in an attempt to detect failures of secrecy. In this work, we propose an alternative intruder model, which is based on a thorough analysis of how potential attacks might proceed. We introduce an intruder model that provides an open-ended base for the integration of multiple basic attack tactics. Those attack tactics have the possibility to be combined, in a way to compose complex attack actions that require a number of procedural steps from the intruders side, such as a Denial of Service attack. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. The analyst can express security properties of specific attack actions that are not restricted to safety violations captured by a generic model checker. The described intruder model methodology was implemented within the SPIN model checker for verifying two security protocols, Micromint and PayWord. Copyright

A Probabilistic Attacker Model for Quantitative Verification of DoS Security Threats

This work introduces probabilistic model checking as a viable tool-assisted approach for systematically quantifying DoS security threats. The proposed analysis is based on a probabilistic attacker model implementing simultaneous N zombie participants, which subvert secure authentication features in communication protocols and electronic commerce systems. DoS threats are expressed as probabilistic reachability properties that are automatically verified through an appropriate Discrete Time Markov Chain representing the protocol participants and attacker models. The overall analysis takes place in a mature probabilistic model checking toolset called PRISM. We believe that the applied quantitative verification approach is a valuable means for comparing protocol implementations with alternative parameter choices, for optimal resistance to the analyzed threats.

An intruder model with message inspection for model checking security protocols

Model checking security protocols is based on an intruder model that represents the eavesdropping or interception of the exchanged messages, while at the same time performs attack actions against the ongoing protocol session(s). Any attempt to enumerate all messages that can be deduced by the intruder and the possible actions in all protocol steps results in an enormous branching of the models state-space. In current work, we introduce a new intruder model that can be exploited for state-space reduction, optionally in combination with known techniques, such as partial order and symmetry reduction. The proposed intruder modeling approach called Message Inspection (MI) is based on enhancing the intruders knowledge with metadata for the exchanged messages. In a preliminary simulation run, the intruder tags the analyzed messages with protocol-specific values for a set of predefined parameters. This metadata is used to identify possible attack actions, for which it is a priori known that they cannot cause a security violation. The MI algorithm selects attack actions that can be discarded, from an open-ended base of primitive attack actions. Thus, model checking focuses only on attack actions that may disclose a security violation. The most interesting consequence is a non-negligible state-space pruning, but at the same time our approach also allows customizing the behavior of the intruder model, in order e.g. to make it appropriate for model checking problems that involve liveness. We provide experimental results obtained with the SPIN model checker, for the Needham-Schroeder security protocol.

An interactive laboratory exercise for teaching computer science students network performance evaluation using Mathcad(R) and MathConnex/sup TM/

This work presents the development of an interactive computer laboratory exercise based on the combined use of Mathcad(R) and MathConnex/sup TM/. The exercise was designed for teaching network performance evaluation to the undergraduate students of the Computer Science Department at the Aristotle University of Thessaloniki, Greece.

Interlocking control by distributed signal boxes: design and verification with the SPIN model checker

Control systems are required to comply with certain safety and liveness correctness properties. In most cases, such systems have an intrinsic degree of complexity and it is not easy to formally analyze them, due to the resulting large state space. Also, exhaustive simulation and testing can easily miss system errors, whether they are life-critical or not. In this work, we introduce an interlocking control approach that is based on the use of the so-called Distributed Signal Boxes (DSBs). The proposed control design is applied to a railway-interlocking problem and more precisely, to the Athens underground metro system. Signal boxes correspond to the networks interlocking points and communicate only with their neighbor signal boxes. Communication takes place by the use of rendezvous communication channels. This design results in a simple interlocking control approach that compared to other centralized solutions produces a smaller and easier to analyze state space. Formal analysis and verification is performed with the SPIN model checker.

Controlling Performance Degradation Of Multistage Interconnection Networks With Non-Uniform Traffic

Multistage Interconnection Net works (MINs) have been proposed as an efficient interconnection medium for parallel computera. In addition, many ATM switch architectures have been proposed in the literature and most of them adopt a multistage arrangement of simple switching elements with self-routing capabilities. In MINs the performance estimates obtained under unifonn traffic tend to be optimistic since the presence of unbalanced traffic loads could result in increased congestion. In this paper, a non-uniform model that captures non-uniform traffic in the presence of hotspot is described. Also, we present a solution to the problem of performance degradation of MINs, with non-uniform traffic, which includes a feedback based flow control scheme, a switching strategy that implements priority policies at the packet level, and a switch model. Finally, we demonstrate the effectiveness of the proposed approach by presenting and analyzing aimulation results.