Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic

Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai ZhouNorthwestern University, Evanston

IL, USA

Z. Judy FuMotorola Labs, Schaumburg IL, USA

Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols

through TLA+

Outline

•Motivation•Our approach•Background on TLA+•General methods and challenges•Results on WiMAX initial ranging

and authentication•Conclusions and future work

Motivation•High-speed Wireless Metropolitan Area

Networks (MAN) poised to become the Next Big Thing

•IEEE 802.16 (WiMAX) with enormous backing from the industry is set to lead the broadband wireless network space

•Security, as always, is key for its functioning and growth

•However, security Analysis of the IEEE 802.16 protocol largely confined to manual analysis– Incomplete– Inaccurate

Motivation (II)•Formal methods for automatic

vulnerability checking highly desirable–With completeness and correctness

guarantees

•Previous studies focus on security protocols and security properties only–CSP and FDR [Lowe96], MurØ

[Shmatikov98], Symbolic traces and PS-LTL [Corin06]

•Non-security protocol analysis focus on resource exhaustion DoS attacks and ignore protocol malfunction attacks !– [Yu88], [Meadow99], and [Meadow02]

Our Approach

•Vulnerability analysis of 802.16e specs and WiMAX standards–Systematic and automatic checking through

formal methods. –First specify the specs and potential

capabilities of attackers in a formal language TLA+ (the Temporal Logic of Actions)

–Then model check for any possible attacks–The formal analysis can also help guide fixing

of the flaws

Outline



TLA+

•TLA: a logic designed for specifying and reasoning about concurrent systems. –TLA+: a complete spec language based on

TLA

•First translate the natural language spec into a TLA+ spec, sys–Correctness request postulated as a TLA+

property, prop

•Then to verify the correctness, prove sys → prop–Proof done automatically by model checker,

TLC

Intro to TLA+

•TLA+ is a simple extension of linear temporal logic–With primed variable (x’) for next state–Temporal operations: []—forever

•A system is specified as

Init /\ [] [Next]x

−system satisfies Init initially and satisfies Next for all transitions

TLA+ for Security

•A protocol can be specified as one monolithic system

•Or it can be specified as a composition of many components:–CompA /\ CompB /\ \A i: Comp(i)

•An attacker can be specified and composed with a protocol–System == Protocol /\ Attacker

•Check security by–System => Properties

TLA Modeling Process

TLA+ Protocol

Specification

Attacker TLA+

Specification

TLC Model

Checking

Found Vulnerability ?

Analyze Severity

Weaken Attacker

Property TLA+

Specification

Stop

Yes

No

TLA+ Protocol Specification

•Protocol specification in TLA+ can be easy or difficult–FSM easily translate to TLA+–Tricky from English description to TLA+

spec: ambiguity, re-design, etc.

•Process of protocol specification:– Identify principals–Modularize principal behavior using

TLA+–Compose a series of states and

transitions for each principal–Specify flow of control between

principals

Outline



TLA+ Protocol Specification – Challenges

(I)

•Vagueness in English specification and the correctness in its translation to TLA+.

•Solutions –No good solution exists! –Better having protocols in TLA+–Consult standards committee, product implementation teams among other things

TLA+ Protocol Specification – Challenges

(II)•State space explosion•Solutions

–Combine similar states without loss of functionality into one state

–Replace some random variables with constants with some additional properties to simulate the effects of randomness

–Define principals symmetric, which will treat the different states as one common state.

Attacker Model

•Attacker capability model similar to Dolev-Yao model

•Basically, attackers can:–Eavesdrop on and store messages.–Replay old messages.– Inject or spoof unprotected messages.–Corrupt messages on the channel by

causing collisions.

•We also assume the ideal cryptography, which means unforgeable signatures, safe encryption and safe digest

Attacker Model - Challenges

•Challenge: How to find realistic attacks under such an attacker model ?

•Our solution: –Start with a very strong attacker model

»TLC model-checks may yield unrealistic attacks.

–Then weaken the attacker model»E.g.: the attacker can continuously corrupt a

response from the BS. »Since we are only interested in realistic attacks,

we put restrictions on attacker behavior to remove such attacks.

•This dynamic modification of attacker model will end up with –a complete robustness proof OR–a report of a realistic attack

Property Specification

•Focus on Denial of Service (DoS) currently–Client may reach a termination<>[] (\A i\in PartySet: Party[i].state=ObjState

–Client may not terminate[]<>(\A \in PartySet: Party[i].state=ObjState)

Model Checking with TLC

•TLC is a model checker for TLA+•Has both simulation mode and

model checking mode–We run simulations before a complete

model checking

•Since TLA+ is very expressive, TLC currently can only check safety properties

Outline



Case Studies

•Initial Ranging •Authentication processes

•Choices based on the criticality of function and the probability of vulnerability

Initial Ranging Process• Initial ranging: the first step

in which an SS communicates with a BS via message exchanges.

• An SS acquires correct timing offset and power adjustments

• The request-response communication happens until the BS is satisfied with the ranging parameters.

• ’Actual’ data communication can happen only if the initial ranging is successful.

Initial Ranging – TLA Model

•In the TLA model, the correctness property is set as:

∃ i ∈ ContentionSlots: ∧ slot[i]≠<> ∧ slot[i].type =

“REQ” ⇒ slot[i].source.pendrequest = slot[i]

•Attacker may affect the behavior of normal parties

•Enforce SSs to go to the “Done” state without the attacker:

□◊(SSstate = “DONE”)

DOS during Initial Ranging (found by TLC Model

Checking)

DL SubframeContention-based Initial Ranging Slots

UL Subframe

REQ

REQ

REQ

REQ

PKMv2 Authentication Process

BS SS/MS

Auth Response

SATEK Challenge

SATEK Response

Key Response

Auth Request

Auth ACK

SATEK Request

Key Request

• SS and BS mutually authenticate each other and exchange keys for data encryption

• PKMv2 is directed by two state machines in the SS – Authentication State Machine

– TEK State Machine

• PKMv2 employs a SATEK-three-way-handshake for the BS and the SS/MS to exchange the security capabilities

Authentication – TLA Model

• Each key has a life time, so the SS needs to get authorized from time to time– SSes should reach the “Authorized” state infinite

times – The correctness condition is

□◊(SSstate = “Authorized”)

• TLC encounters space explosion problem–We restrict the SS can reach “Authorized”

state at most a given # of times.• With our attacker model, TLC model checking

shows no suspicious trace• Hence, authentication process is resistant to

any attempt using our attacker capability model

Outline



Conclusions•First step towards automatic

vulnerability checking of any network protocols with completeness and correctness guarantees

•Use TLA+/TLC to model all DoS attacks–Avoid state space explosion in property

checking–Model attackers’ capabilities for finding

realistic attacks

•Study the initial ranging and authentication processes in 802.16 protocols

Future Work•Development of a rigorous process

in protocol specification using TLA+ language

•Modeling of inter-relationships of processes/components

•Check vulnerabilities in other parts of 802.16 standards such as mobility support and handoff procedures.

Backup Slides

Our Approach

Identify critical parts of function to assess the vulnerability aspect of those parts

TLA Modeling:

Formal Specification of

Protocol Process and Attacker

actions using TLA

Logic-based Analysis and Verification:

Rigorous, Logic-based Analysis using Model-Checking and Simulation using TLC

Related Work (2)•Automatically check with formal

language–For security network protocols

»CSP and FDR [Lowe96]»MurØ [Shmatikov98]»Symbolic traces and PS-LTL [Corin06]

–For DoS attack»“A formal specification and verification method

for the prevention of denial of service” [Yu88]»“Game-based analysis of denial-of-service

prevention protocols” [Mahimkar05]

DOS during Initial Ranging (found by TLC Model

Checking)

DL SubframeContention-based Initial Ranging Slots

UL Subframe

Attacker fills all slots, making its requests collide with requests from other SS, thereby denying all new SS a chance to complete ranging

Documents

Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic