<body><pre>
Network Security Architecture
Carl Gunter, U. Penn

Denial of service

State of the art in Formal Analysis
  Excellent progress on integrity and confidentiality
    algebraic technique catch bugs
    successful case studies with pratical protocols
    complexity-theoretic provide more complete proofs

  Modest progress on study of availability
    limited formal models
      - too conservative
      - not realistic
      - insufficicent nomenclature
    no automation
    few case studies or experimental validations
    fragile linkage to implementations
  
Toward Formal Analysis of DoS
  Shared Channel Model
    Case study: DoS protection for authentication broadcast

  Asymmetry Paradigm
    Case Study: TCP

  Composistion and testing of DoS-resistent protocols
    Case Study: Layer three accounting (L3A)

  Unified algebraic model
    Formalization of authentication protocols
    Probabilistic term rewriting

Broadcast Authentication
  Usage in internet television, shared spectrum radio, digital 
  satellite, etc

  Attacker is also one of the recpient, so not a trustworthy
  user base.

  Challenge:
   - Inefficient to use publi key signatures for each packet
   - Insecure to use a common distrbuted key
   - Inefficient, impractical, or impossible to use unicast tunnels
   - Many proposals have been made to address these problems
     -- delayed key release (synchronication problem)
     -- amortize costs of public key checks over multiple packets
	(lost of packet will pose a problem to verification)
  Attacks are more likely to be "informed attacks" in which SN and 
  other aspects of protocol state are known.
    -- TCP is very vulnerable to informed attacks
  Authenication based on Public Key Checks (PKS) are vulnerable to 
  signature flooding.
    -- checking void/old packets
  Attacks on Forward Error Correction (FEC) lead to higher overhead
    -- FEC itself is a weak point, trying all is too much

  Common form of analysis:
    Show that the victim can defend against an attack that occupies his
    whole channel
      -- effective, but too conservative
    Dolev-Yao: assume that the adversary controls the channel and 
    can use the legitimate sender at will
      -- seems to give away the game
    Attacks based on limited modification
      -- Not a common case, interleve is more common
    "Tit for tat": work commitment by initiator
      -- needs extension
    wanted: a more realistic model of attack and countermeasures to
    exploit it.

 Shared Channel MOdel
  - Adversary can replay and insert packets
  - Legitimate sender sends packets with a maximum and minimum bandwidth
  - Legitimate sender experiences loss, but not deliverate modefication
  - Model is a four tuple (W0, W1, A, p)
    -- W0, W1 min and max sender b/w
    -- A attacker max b/w
    -- p loss rate of sender

Signature Flooding
  Attack factor R = A / W1
  Proportionate attack R = 1
  Disproportionate attack R > 1
  Stock PC can handel about 8000 PKC/sec
  10MBps link sends about 900 pkt/sec
  100Mbps link sends about 9000 pkt/sec
  Processor is overwhelmed by too many signatrure checks. Adversary can
  devote full power on attack at no cost. 
  Budget no more that 5% of processor on PKC

Broadcast Authentication Streams
  - Data Stream
  - Hash/Parity Stream (Parity can recover the lost hash stream packet)
  - Signature Stream

Selective Sequential Verification
  - The signature stream is vulnerable to signature flooding: the adversary can
    dovote his entire channel to fake signature packets
  - Counter measures:
    -- valid sender sends multiple copies of the signature packet
       (1:20, 1:200)
    -- receiver checks each incoming signature packet with some
       probability (25%, 50%)
  Example: in notebook

  Parameters:
     R
     W
     p
     K
  Theorem:
  E.G.
    if we check 5% of packet and the probab that 1 check fail
    ( 1 - (5/100))^100 = 1/e^5 < .01

The Asymmetry Paradigm
  Attackers leverage a feature that inflicts a great cost on the 
  server at little expense to the client

  Defender leaveage asymmetric goals
    - Attacker: acquire all of a resource
    - client: accuqire a single unit of resource

  Inflate the rate of a resouce, so the attacker's cost is inflated

  Applicable: are there typically resources consumed by the
	      attacker that can be inflated
  Case Study: TCP/IP

  Memory Requrements: SYN Cache size: B
  Parameters:
    network capacity: rA = 300K SYNs/sec (100Mbps)
    B = 10,1000
    slots free at rate of B/tA
    SYN cache occupancy:
      on timeout: tA = 100 seconds (30 - 120 seconds)
      on success: RTT = 10ms (<1 - 100 silliseconds)
    If attacker arrives at rate <= f B / tA then
    (1-f)B slots reserved for legit clients
    Process SYNs w/ prob p <= f B / (tA rA)
    Increate rae by 1/p
    attacker rate of p rA can not fit in the slot

Conclusion
  Progress is possible on formal analysis of availability
  New models are more realistic and point to new countermeasures
  Key concepts
  - shared channel
  - selective processing
  - asymmetry paradign


Web Services
  Current web is not automated, built on standards: http + html,
  shallow interaction model: very few assumtions, result was ubiquity.
  
  web services: enable systematic appllication-to-application
  interaction on the web

  Case Study: WSEmail (http://wsemail.ws/)
  Use Blanchet Protocol Verifier to prove the Distributed Attachments 
  protocol (http://www.di.ens.fr/~blanchet/index-eng.html)

</pre></body>
