A Formal Framework for A
Formal Framework for
Secure Routing Protocols
Chen Chen Limin Jia, Hao
Chen Chen, Limin
Jia Hao Xu, Cheng Luo, Wenchao
Xu Cheng Luo Wenchao Zhou and Boon Thau
Zhou and Boon Thau Loo
University of Pennsylvania, Carnegie Mellon University, Georgetown University
1
What makes Internet Routing vulnerable today?
 BGP: De‐facto Internet routing protocol
AS 3
AS 2
AS 4
Prefix hijacking
j
g
{IP prefix(foo),<AS2>}
{IP prefix(foo),<AS7>}
AS 5
AS 1
AS 6
{IP prefix(foo),<AS6,AS7>}
{IP prefix(foo),<AS5,AS6,AS7>}
AS 7
www.foo.com
2
What makes Internet Routing vulnerable today?
 BGP: De‐facto Internet routing protocol
AS 3
AS 2
AS 4
Forged
g announcement
{IP prefix(foo),<AS2,AS3,AS4,AS7>}
{IP prefix(foo),<AS2, AS7>}
AS 5
AS 1
{IP prefix(foo),<AS7>}
AS 6
{IP prefix(foo),<AS6,AS7>}
{IP prefix(foo),<AS5,AS6,AS7>}
AS 7
www.youtube.com
3
Solutions
 Secure BGP extension (through cryptography):
 S‐BGP
S BGP [S. Kent, et al. IEEE Journal on Selected Areas in Communications, vol. [S. Kent, et al. IEEE Journal on Selected Areas in Communications, vol.
18,no. 4, 2000] (http://www.ir.bbn.com/sbgp/)
 so‐BGP [R. White, et al. Cisco, 2004] (http://tools.ietf.org/html/draft white sobgp architecture 00)
(http://tools.ietf.org/html/draft‐white‐sobgp‐architecture‐00)
 SPV [Y.C. Hu, et al. Proc. of SIGCOMM’04, 2004]
Lack of formal proofs in terms of security guarantees
 Clean slate (new infrastructure):
 ICING [J.Naous, et al. CoNEXT. 2011]
 SCION [X. Zhang, et al. Oakland. 2011]
4
Our solution
SeNDlog
specification
p
EExecutable bl
code generator
Distributed p
implementation
Simulator
(emulator)
Property specification
p
Verification Verification
condition generator
Proof obligations
Theorem prover
5
Outline
•
•
•
•
•
Syntax of SeNDLog
Operational Semantics
Program ogic
Program Logic Case study
Concl sion & f t re
Conclusion & future
6
SeNDLog
[ICDE 2009]
 Secure Network Datalogg
– Network Datalog: Distributed declarative language
• Network protocols
– User‐defined cryptographic function
• Secure network protocols
R1 reachable(@S, D) :‐
(
) link(@S, D).
(
)
R2 reachable(@Z, D) :‐ link(@S, Z), reachable(@S, D).
7
Outline
•
•
•
•
•
Syntax of SeNDLog
Operational Semantics
Program ogic
Program Logic Case study
Concl sion & f t re
Conclusion & future
8
Distributed Execution Model
• Small‐step operational semantics
– State: node state & network queue
R1 : reachable(@S, D)  link(@S, D)
R2 : reachable(@Z, D)  link(@S, Z), reachable(@S, D)
Q = {}
SA = {link(@A, B)}
SB = {link(@B, A),
link(@B, C)}
A
B
Sc = {link(@C, B)}
C
9
Distributed Execution Model
• Small‐step operational semantics
– State: node state & network queue
– Transition: Invocation of rules change node states, thus changing network states.
R1 : reachable(@S, D)  link(@S, D)
R2 : reachable(@Z, D)  link(@S, Z), reachable(@S, D)
Q = {}
SA = {link(@A, B),
reachable(@A, B)}
A
SB = {link(@B, A),
{link(@B A)
link(@B, C),
reachable(@B, A),
reachable(@B, C)}
B
Sc = {link(@C, B),
reachable(@C, B)}
C
10
Distributed Execution Model
• Small‐step operational semantics
– State: node state & network queue
– Transition: Invocation of rules change node states, thus changing network states.
R1 : reachable(@S, D)  link(@S, D)
R2 : reachable(@Z, D)  link(@S, Z), reachable(@S, D)
Q = {reachable(@A, C)}
SA = {link(@A, B),
reachable(@A, B)}
A
SB = {link(@B, A),
{link(@B A)
link(@B, C),
reachable(@B, A),
reachable(@B, C)}
B
Sc = {link(@C, B),
reachable(@C, B)}
C
11
Outline
•
•
•
•
•
Syntax of SeNDLog
Operational Semantics
Program ogic
Program Logic Case study
Concl sion & f t re
Conclusion & future
12
Program Logic
• Syntax
– Atoms:
• tuple(a1,a2…an)@(loc, t); send(loc, tuple)@t; receive(loc, tuple())@t;
honest(loc, prog, t);Inequality
– Formula ϕ:
Formula ϕ:
• Atoms | ϕ ᴠ ϕ | ϕ ᴧ ϕ | ϕ ⇒ ϕ | ¬ϕ | ∀x, ϕ | ∃x, ϕ
– Variable context Σ & Logical context Г
• Inference rule
– Standard first‐order logic rule
– rules based on semantics
• Invariant rule (INV)
• Honest rule (HONEST)
(
)
13
Invariant Rule (INV)
[prog]i :{i,ts,te} : property of SeNDLog program [prog]i running from ts till te(ϕ(i,ts,te))
ϕ(i,t): property of SeNDLog program at time t
ϕ(i,ts,te) : invariance?
ϕ(i,t
(i ts,tte) ↔ ∀t, t
) ↔ ∀t ts ≤ t ≤ t
t ≤ te ᴧ ϕ(i,t)
(i t)
ϕ(i,t) ᴧ ts ≤ t ≤ te
ϕ(i,ts) holds
ϕ(i,t+1)
ϕ(i,ts,te) holds
R1 : reachable(@S,
reachable(@S D)  link(@S,
link(@S D)
Each invocation of rules at time t maintains ϕ(i,t)
R2 : reachable(@Z, D)  link(@S, Z), reachable(@S, D)
ϕ(i,t): ∀
ϕ(i,t):
∀ d, reachable(i,d)@(i,t) → link(i,d)@(i,t) ᴠ ∃m, link(m,i)@(m,t).
d, reachable(i,d)@(i,t) → link(i,d)@(i,t) ᴠ ∃m, link(m,i)@(m,t).
ϕ(i,ts,te): ∀t, ts ≤ t ≤ te ᴧ ϕ(i,t) Verification Condition Generator
Each invocation of rules at time t maintains ϕ(i,t)
ϕ(i,ts,te): ∀ d,t, ts ≤ t ≤ te ᴧ (reachable(i,d)@(i,t) → link(i,d)@(i,t) ᴠ ∃m, link(m,i)@(m,t)).
R1 : reachable(@S, D)  link(@S, D)
ϕreachable
R2 : reachable(@Z, D)  link(@S, Z), reachable(@S, D)
Automation: Verification condition generator
Lemma1 : ϕreachable  link(s, d)@(s, t).
hϕbl
( d)@(s,
d)@( t)) .
L
Lemma2
2 : ϕreachable  link(s,
li k( z)@(s,
)@( t),
) reachable(s,
reachable
15
Honest Rule (HONEST)
[prog]i :{i,ts,te} .ϕ(i,ts,te)
Honest(n, [prog]i, tn)
∀t’, t’ > tn ⇒ ϕ(n,tn,t’)
Honest(n, [prog]i, t):
Honest(n, [prog]
, t):
• n is honest:  n does not leak its private key
 n follows the behavior specified by SeNDLog program
• n runs the program in question: [prog]
h
i
i
[
]i
• n runs the program at time t.
[prog]i :{i,t
:{i ts,tte} .ϕ(i,t
} ϕ(i ts,tte): ∀
): ∀ d,t, t
d t ts ≤ t ≤ t
≤ t ≤ te ᴧ (reachable(i,d)@(i,t) → link(i,d)@(i,t) ᴠ ∃m, (reachable(i d)@(i t) → link(i d)@(i t) ᴠ ∃m
link(m,i)@(m,t)).
Honest(n, [prog]i, tn)
∀t’, t’ > tn ⇒
∀ d,t, tn ≤ t ≤ t’ ᴧ (reachable(n,d)@(n,t’’) → link(n,d)@(n,t’’) ᴠ ∃m, link(m,n)@(m,t’’)).
16
Outline
•
•
•
•
•
Syntax of SeNDLog
Operational Semantics
Program ogic
Program Logic Case study
Concl sion & f t re
Conclusion & future
17
Protocols
S‐BGP
•
•
Secure extension to BGP protocol
Layered signature
SCION
•
•
•
Clean‐slate design of Internet routing.
Group autonomous systems(AD) into trusted domains(TD)
Layered signature
S‐BGP
SCION
Control‐plane path authenticity:
p t, Honest(n) ᴧ
( ) advertisement(m,n,d,p,sl)@(n,t) ⇒
(
p ) ( )
∀n m d p sl
goodPath(t,p,d)
True
True
Data‐plane path authenticity:
Each node authenticates neighboring links in the specific path during data forwarding (To be done)
False
True
18
Conclusion & Future work
• Conclusion:
 A unified framework for verification and A unified framework for verification and
implementation of Internet routing protocol.
p
g
 Operational semantics for SeNDLog
 Program logic for proving security properties
 Verification condition generator
• Future work:
 Automation of invariant generation?
 Automation of proof?
19
Thank you
Thank
you
Questions?
20