Publication


Featured research published by Saša Radomirović.


formal aspects in security and trust | 2010

Foundations of attack-defense trees

Barbara Kordy; Sjouke Mauw; Saša Radomirović; Patrick Schweitzer

We introduce and give formal definitions of attack-defense trees. We argue that these trees are a simple, yet powerful tool to analyze complex security and privacy problems. Our formalization is generic in the sense that it supports different semantical approaches. We present several semantics for attack-defense trees along with usage scenarios, and we show how to evaluate attributes.


Journal of Logic and Computation | 2014

Attack–defense trees

Barbara Kordy; Sjouke Mauw; Saša Radomirović; Patrick Schweitzer

The advent of the information age has notably amplified the importance of security. Unfortunately security considerations still widely occur as an afterthought. For many companies, security is not a requirement to conduct business and is therefore readily neglected. However the lack of security may obstruct, impede and even ruin an otherwise flourishing enterprise. Only when internal computer networks shut down, web portals are inaccessible, mail servers are attacked, or similar incidents affect the day to day business of an enterprise, security enters into the field of vision of companies. As such, security by design is only slowly becoming accepted practice. Amongst security researchers, there is no dispute that a reasonable approach towards uninterrupted business activities includes security measures and controls from the beginning. To support these efforts, many security models have been developed. Graphical security models are a type of security model that help illustrate and guide the consideration of security throughout the lifecycle of a product, system or company. Their visual properties are especially well-suited to elucidate security requirements and corresponding security measures. During the last four years, we have developed a new graphical security model called attack–defense trees. The new framework, presented in this thesis, generalizes the well-known attack trees model. Attack–defense trees formally extend attack trees and enhance them with defenses. To be able to deploy attack–defense trees as a security support tool, we have equipped them with three different syntaxes: A visually appealing, graph-based syntax that is dedicated to representing security problems, an algebraic, term-based syntax that simplifies correct, formal and quantitative analysis of security scenarios and a textual syntax that is a compromise between succinct, visual representation and easy, computerized input.
We have also equipped attack–defense trees with a variety of semantics. This became necessary, since different applications require different interpretations of attack–defense trees. Besides the very specific and problem oriented propositional, De Morgan and multiset semantics, we have introduced equational semantics. The latter semantics is, in fact, an alternative, unified presentation of semantics based on equational theory. We have expressed the propositional and the multiset semantics in terms of the equational semantics. This facilitates algorithmic treatment since the two different semantics have a unified formal foundation. To be able to perform quantitative security analysis, we have introduced the notion of an attribute for attack–defense trees. To guarantee that the evaluation of an attribute on two or more semantically equal attack–defense trees results in the same value, we have introduced the notion of a compatibility condition between semantics and attributes. We have also provided usability guidelines for attributes. These guidelines help a user to specify security-relevant questions that can unambiguously be answered using attributes. We have performed several case studies that allowed us to test and improve the attack–defense tree methodology. We have provided detailed explanations for our design choices during the case studies as well as extensive applicability guidelines that serve a prospective user of the attack–defense tree methodology as a user manual. We have demonstrated the usefulness of the formal foundations of attack–defense trees by relating attack–defense terms to other scientific research disciplines. Concretely, we have shown that attack–defense trees in the propositional semantics are computationally as complex as propositional attack trees.
Moreover, we have described how to merge Bayesian networks with attack–defense trees and have illustrated that attack–defense trees in the propositional semantics are equivalent to a specific class of games frequently occurring in game theory. Concluding the thesis, we have related the attack–defense tree methodology to other graphical security models in an extensive literature overview over similar methodologies.


international conference on information security | 2008

Untraceability of RFID protocols

Ton van Deursen; Sjouke Mauw; Saša Radomirović

We give an intuitive formal definition of untraceability in the standard Dolev-Yao intruder model, inspired by existing definitions of anonymity. We show how to verify whether communication protocols satisfy the untraceability property and apply our methods to known RFID protocols. We show a previously unknown attack on a published RFID protocol and use our framework to prove that the protocol is not untraceable.


Information & Computation | 2008

A framework for compositional verification of security protocols

Suzana Andova; Cas Cremers; Kristian Gjøsteen; Sjouke Mauw; Stig Fr. Mjølsnes; Saša Radomirović

Automatic security protocol analysis is currently feasible only for small protocols. Since larger protocols quite often are composed of many small protocols, compositional analysis is an attractive, but non-trivial approach. We have developed a framework for compositional analysis of a large class of security protocols. The framework is intended to facilitate automatic as well as manual verification of large structured security protocols. Our approach is to verify properties of component protocols in a multi-protocol environment, then deduce properties about the composed protocol. To reduce the complexity of multi-protocol verification, we introduce a notion of protocol independence and prove a number of theorems that enable analysis of independent component protocols in isolation. To illustrate the applicability of our framework to real-world protocols, we study a key establishment sequence in WiMAX consisting of three subprotocols. Except for a small amount of trivial reasoning, the analysis is done using automatic tools.


workshop in information security theory and practice | 2009

Algebraic Attacks on RFID Protocols

Ton van Deursen; Saša Radomirović

This work aims to identify the algebraic problems which enable many attacks on RFID protocols. Toward this goal, three emerging types of attacks on RFID protocols, concerning authentication, untraceability, and secrecy are discussed. We demonstrate the types of attacks by exhibiting previously unpublished vulnerabilities in several protocols and referring to various other flawed protocols. The common theme in these attacks is the fact that the algebraic properties of operators employed by the protocols are abused. While the methodology is applicable to any operator with algebraic properties, the protocols considered in this paper make use of xor, modular addition, and elliptic curve point addition.


european symposium on research in computer security | 2009

Secure ownership and ownership transfer in RFID systems

Ton van Deursen; Sjouke Mauw; Saša Radomirović; Pim Vullers

We present a formal model for stateful security protocols. This model is used to define ownership and ownership transfer as concepts as well as security properties. These definitions are based on an intuitive notion of ownership related to physical ownership. They are aimed at RFID systems, but should be applicable to any scenario sharing the same intuition of ownership. We discuss the connection between ownership and the notion of desynchronization resistance and give the first formal definition of the latter. We apply our definitions to existing RFID protocols, exhibiting attacks on desynchronization resistance, secure ownership, and secure ownership transfer.


Information Processing Letters | 2009

On a new formal proof model for RFID location privacy

Ton van Deursen; Saša Radomirović

We discuss a recently proposed formal proof model for RFID location privacy. We show that protocols which intuitively and in several other models are considered not to be location private, are provably location private in this model. Conversely, we also show that protocols which obviously are location private, are not considered location private in this model. Specifically, we prove a protocol in which every tag transmits the same constant message to not be location private in the proposed model. Then we prove a protocol in which a tag's identity is transmitted in clear text to be weakly location private in the model.


international conference on e-business engineering | 2008

Security of an RFID Protocol for Supply Chains

T. van Deursen; Saša Radomirović

We report on the security claims of an RFID authentication protocol by Li and Ding which was specifically designed for use in supply chains. We show how the protocol's vulnerabilities can be used to track products, relate incoming and outgoing products, and extort supply chain partners. Starting from a discussion of the relevant security requirements for RFID protocols in supply chains, we proceed to illustrate several shortcomings in the protocol with respect to mutual authentication, unlinkability, and desynchronization resistance. We investigate the use of the XOR operator in the protocol, suggest possible improvements, and point out flaws in the proofs of the security claims.


radio frequency identification security and privacy issues | 2010

EC-RAC: enriching a capacious RFID attack collection

Ton van Deursen; Saša Radomirović

We demonstrate two classes of attacks on EC-RAC, a growing set of RFID protocols. Our first class of attacks concerns the compositional approach used to construct a particular revision of EC-RAC. We invalidate the authentication and privacy claims made for that revision. We discuss the significance of the fact that RFID privacy is not compositional in general. Our second class of attacks applies to all versions of EC-RAC and reveals hitherto unknown vulnerabilities in the latest version of EC-RAC. It is a general man-in-the-middle attack executable by a weak adversary. We show a general construction for improving narrow-weak private protocols to wide-weak private protocols and indicate specific improvements for the flaws of EC-RAC exhibited in this document.


ieee symposium on security and privacy | 2015

Improving the Security of Cryptographic Protocol Standards

David A. Basin; Cas Cremers; Kunihiko Miyazaki; Saša Radomirović; Dai Watanabe

Despite being carefully designed, cryptographic protocol standards often turn out to be flawed. Integrating unambiguous security properties, clear threat models, and formal methods into the standardization process can improve protocol security.

Collaboration


Dive into Saša Radomirović's collaborations.

Top Co-Authors

Sjouke Mauw

University of Luxembourg

Barbara Kordy

University of Luxembourg

Lucca Hirschi

École normale supérieure de Cachan
