Reasoning about
Concurrency for Security
Tunnels
Alwyn E. Goodloe
University of Pennsylvania
Carl A. Gunter
University of Illinois Urbana-Champaign
1
Security Tunnels

A technique in which a pair of nodes share state
that enables them to apply transformations to
messages to ensure their security.
 SSL,
IPsec.
 Our work assumes network layer tunnels, but not a
specific technology.

Key-establishment protocols are employed to
create a shared key.
 Internet
Key Exchange Protocol (IKE).
 Secrecy and integrity of shared crypto information is
typically the focus of formal analysis.

Not our focus.
2
Road Warrior Example
3
Hierarchy of Gateways
4
Gateways + Tunnels

Tunnels and gateways can ensure that traffic is
authenticated and authorized as satisfying some
policy.
 Firewalls
do authorization, but not authentication of
packets.
 We assume VPN gtateways.


The tunnels form a virtual topology where traffic
flow governed by the gateway’s high-level policy.
Tunnel complex configuration typically requires
manual activity.
 Discovery
protocols that discover gateways and set up
tunnels automate this task.
 Establishment is a component of such protocols.
5
Authenticated Traversal

Ingress traffic to a gateway’s administrative
domain must be authenticated and authorized
 Want
to control what traffic is on your networks.
 Protection against denial of service.

Egress traffic from an administrative domain
must be authenticated and authorized
 Wireless
gateways that are billing for services.
 Protection against exfiltration.
6
Modeling Tunnels


A secure tunnel can be viewed “typetheoretically”as a rule for applying a constructor
at the source and a destructor at the destination.
Security Association – the constructor destructor
pair.
 Security


association database (SAD).
Security Parameter Index (SPI) – uniquely
identifies association.
Security Mechanism - directs traffic into the
proper association.
 Security mechanism
 IPsec SPD.
database (SMD).
7
Tunnel Example
ί1
G
A
AB:[Out(B,ί3)
Out(G,ί1)]
ί2
B
ί3
AB:[In(A,ί1)]
AB:[Out(B,ί2)]
AB:[In(A,ί,3)In(G,ί2)]
P(A,B,y)
P(A,G,S(ί1,P(A,B,S(ί3,P(A,B,y)))))
P(A,B,S(ί3,P(A,B,y)))
P(G,B,S(ί2,P(A,B,S(ί3,P(A,B,y))
P(A,B,y)
8
Establishment
A
P(A,B, X(Req(S, D, ί
A,
B
K)))
In(A,ίB)
SD:[in(A, ίB)]
P(B,A, X(Rep(S, D, ίA , ίB, K’)))
Out(B,ίB)
SD:[Out(B, ίB)]
In(B,ίA)
DS:[In(B, ίA)]
Out(A,ίA)
DS:[Out(A, ίA)]
9
Friendly Fire
A
B
P(A,B,X(Req))
P(A,B,X(Req))
BA:[ίA]
AB:[ίB]
P(B,A,X(Rep))
P(A,B,X(Rep))
10
Preventing Deadlock

Each protocol session is assigned a unique
session identifier. The packet filter includes the
session identifier.
 Session
identifiers are similar to protocol identifiers.
 Session identifiers included in messages.


Session matching property. Packets match filters
installed for a particular session.
Security associations may be shared among
different sessions.
11
With Solution
A
P(A,B,X(Req(v1)))
BA:v1:[ίA]
P(B,A,X(Rep(v2)))
B
P(A,B,X(Req(v2)))
AB:v2:[ίB]
P(A,B,X(Rep(v1)))
12
Tunnel Calculus

Operational semantics for protocol stack.
 Provides
an abstract foundation for future tunnel
protocols in light of their use in tunnel complexes.
 A suitable version could be used to model IPsec, but
not our current focus.

Based on multiset term rewriting modulo
equations.

Allows one to reason about interactions between
state installed at nodes and protocols.
14
Tunnel Calculus Layers
Discovery
Establishment
Authorization
Security Processing
Packet Forwarding
15
Grammar
Secure
Send
message
secure
Message
from
packet
thesent
secure
layer
Pass state from one rule
to the next and enforce
an order of execution
16
Layer Interaction
Node a
Node b
Higher
Layer
Sec
Fwd
17
Forwarding Layer Rules
18
Secure Layer
Find the matching
entry in MDB, select
bundle, apply the
constructors in the
bundle, and send the
message to
forwarding layer
19
Trace Semantics
20
Observing Messages


Given a trace M1, M2, M3 we want to observe
only the secure send and receive messages in a
session.
Q(u) – infinite set of secure send/receive terms
of session u.
21
Equivalent Traces

During each run of the protocol some
values are generated by the TC new
operator.
 SPI,
acknowledgement identifiers.
 t1~t2
iff they only differ in values generated
by new.
 M1~M2
 T1~T2
22
Simulation Lemma
M1
~
M’1
M2
~
M’2
23
Observational Commutativity
Theorem
24
Noninterference Theorem


Suppose T= M1…Mn is a trace in which session
v is complete, where v not in Free(M1).
Suppose T’ = M’1…M’m is a trace in which
session v is complete, where M1 ~ M’1,Then
25
Progress Theorem
26
Google Tunnel Calculus
27