Turing Assessor: A New Tool for Cyber Security Quantification

Huafei Zhu, Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613

Chunxiao Tricia Chigan, Department of Electrical and Computer Engineering, Michigan Technological University, 712 EERC, 1400 Townsend Drive, Houghton

Feng Bao, Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613

Abstract— In this paper, a novel system-level methodology for evaluating the functionalities of network systems within a general security model is introduced and formalized. We first decompose the entire system into a collection of subsystems, each associated with a functionality. We then build a new model for evaluating the security properties of an individual subsystem that intends to implement a functionality, by allowing an adversary to learn information and obtain knowledge from the corresponding subsystem via oracle queries. Finally, we define evaluation and security metrics for security qualification and show that they are complete and robust within our model.

Keywords: Network system, Network security, Security evaluation

I. INTRODUCTION

The research on security evaluation and security metrics for network systems has a rich history owing to its fundamental importance. Traditional research on security evaluation focuses on the following issues:

- Dependability: dependability is the ability of a system to deliver a specified service. A system can be in one of two states, proper or improper: it is in the proper state if the service is delivered as specified, and otherwise it is improper. System failure is a transition from proper to improper service, while system restoration is a transition from improper to proper service. The recent work of Nicol, Sanders and Trivedi [15] has shown that dependability can be a useful tool for evaluating security aspects of information and computer systems. We refer the reader to [10], [13] and [15] for further reference.

- Reliability: reliability is a measure of the continuous delivery of service, i.e., the probability that a system performs a specified service throughout a specified interval of time. Reliability analysis therefore depends on stochastic models of the frequency, duration and intensity of faults in hardware and software. Several initial attempts have been made to quantify system security using ideas originally deployed to quantify the effect of accidental failures (see [14], [19], [18] and [7] for more details).

- Availability: availability is a quantification of the alternation between proper and improper service, and is often expressed as the fraction of time that a system can be used for its intended purpose during a specified interval of time or in steady state. Availability is closely related to reliability, but it focuses on the fraction of time that a system can be used for its intended purpose. We refer the reader to [15] for further reference.

- Safety: safety is a measure of the time to catastrophic failure. This notion is analogous to reliability, but it focuses on catastrophic failures (see [15] for more details).

- Performability: performability quantifies how well a system performs, taking into account behaviors due to the occurrence of faults. It generalizes the notion of dependability in two ways: 1) it includes performance-related impairments to proper service, and 2) it considers multiple levels of service in the specification, possibly an uncountable number. Performability measures are truly user-oriented, quantifying performance as perceived by users. We refer the reader to [13] for further reference.

- Survivability: survivability is the ability of a system to fulfil its mission in a timely manner, in the presence of attacks, failures or accidents. Recent work on quantifying survivability can be found in [11], [20], [12] and elsewhere.

Although this research suggests that there is merit in using stochastic techniques to evaluate security properties, Nicol, Sanders and Trivedi [15] also argue that significant new work is necessary to create a sound, model-based framework for quantifying system security. At the highest level, they believe that this work falls into two categories: 1) modeling attacker behavior; and 2) creating a single, comprehensive methodology for evaluating whether a design meets one or more high-level requirements related to security.

A. Problem statement

Before we provide solutions to the above challenging open problems, we would like to look at the factors that essentially tie these problems together:

Problem 1: how to define the adversary's strategies? Modeling the attacker's behavior and creating a single, comprehensive methodology for evaluating whether a design meets one or more security requirements is a challenging task, since an evaluation procedure is related not only to the behavior of the adversaries but also to the environments with which the system communicates. That is, in a real-world scenario, when an adversary attacks a network system, she may have her own goals. To achieve them, she may try to learn as much information and obtain as much knowledge as possible. To do so, she may adaptively adopt a collection of strategies: for example, she may mount a passive attack by listening to the traffic over the channel, or active attacks by inserting, modifying and deleting messages communicated over the channels. The adversary can register with the system as a legitimate user and then make oracle queries. The adversary may further collude with a set of users registered in the system in order to learn information and obtain knowledge.

Problem 2: how to define the measurement of security of network systems? For a fixed network system, we can partition it into a collection of subsystems, each providing a specified functionality. If a collection of subsystems overlap, then the measurement function should be defined over the conditional probability space. In this case, a Markov chain model must be involved, since the knowledge generated by the i-th subsystem can propagate up to the (i + j)-th subsystem. Thus, to evaluate the security attributes of a network system, one should carefully define the partition in order to avoid unnecessarily complex measurement functions.

B. This work

In this paper, we propose a novel theory for evaluating security properties at the system level. We cope with this problem by defining an equivalence relation over the network, which yields a complete partition of the network system; we then build a new model for evaluating the security properties of a protocol that intends to implement a functionality, by allowing an adversary to learn information and obtain knowledge from oracle queries. Finally, we define a measurement for security quantification and show that it is complete and robust within our model.

629 1-4244-0270-0/06/$20.00 (c)2006 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the WCNC 2006 proceedings.
At a high level, our solution to the problems above can be stated as follows:

• We first decompose a network system s into a collection of subsystems {s_1, ..., s_k}. Each subsystem s_i is associated with a functionality f_i. To do so, a relation R is defined over s × s. More precisely, given a network system s, we abstract the set of functionalities {f_1, ..., f_l} from the entire system, and then for each f_i we define a relation R_{f_i} such that R_{f_i}(s_m, s_n) = 1 if and only if s_m and s_n have the same functionality. Obviously, R_{f_i} is reflexive, symmetric and transitive; consequently R_{f_i} is an equivalence relation, and this relation on s × s induces a partition of s. As a result, we can reduce the security assessment of the network system to the set of functionalities associated with it, by defining the equivalence classes of the system recursively.

• To evaluate the security of each functionality, we allow an adversary to learn information and obtain knowledge from the corresponding subsystem via oracle queries associated with this functionality. In our model, when an adversary issues a query to the system, we allow the adversary to run all oracles related to this functionality. Notice that each query to the corresponding oracle can be effective or ineffective, depending on the attacker itself.

• Since the measurement of security quantification for a network system depends on the environment in which the system works, we should provide an environment-based model for quantifying the security measurement. Our metrics for evaluating the security properties of a network system are defined over any environment. We are able to show that our measurement is complete and robust within the model.

Based on this general methodology, we can reduce the evaluation of the security properties of a network system to that of a set of functionalities within the system. Notice that a functionality in our setting is general: it can be a functionality of dependability, reliability, availability, safety, performability, survivability or any other functionality. The remaining task is thus to develop a framework for evaluating an individual functionality defined within an arbitrary environment. Since a cryptographic protocol is not only an important research topic for evaluating the security aspects of a cryptographic system within a network system, but also typically has an explicit mathematical structure that enables us to define a concise model, we evaluate the security aspects of cryptographic subsystems within a network system throughout this paper.

Recall that the evaluation of the security properties of cryptographic protocols is closely related to their running environments. A nice example is a zero-knowledge proof system [8]. By the definition of zero-knowledge, if an attacker only gets to see the transcripts of the protocol execution, but cannot interact with the corrupted verifier during the execution, then there exists a simulator for which the environment/distinguisher cannot distinguish the real execution from the simulated one. This is because the simulator is always allowed to rewind a corrupted party: it is the simulator that runs the corrupted parties (the dishonest code), so it can do what it wants with the corrupted parties by rewinding the verifier. In the UC model [2], the corrupted party is allowed to communicate with the environment/distinguisher during the protocol execution, and it is the environment that cannot be rewound. Intuitively, this is because it represents the environment in which the program runs, which cannot be rewound (the attacker cannot turn back time), and technically because otherwise the UC composition theorem cannot be proven and in fact does not hold. Conversely, if the simulator cannot rewind the environment and the corrupted party potentially communicates with the environment, then the simulator cannot rewind the corrupted party either; or rather, it is potentially already too late, in that the information the corrupted party has produced has already been communicated to the environment. If the environment may communicate with the corrupted verifier during the protocol execution, one possible attack is as follows: the corrupted verifier forwards the first message of the zero-knowledge proof to the environment, and the environment then produces the challenge, possibly by applying a hash function to the first message, and sends it to the corrupted verifier, who forwards it as his challenge. It is now clear that rewinding the corrupt verifier does not help in simulating the protocol if the environment cannot be rewound: once the environment has announced the challenge, it expects to see the corresponding answer, and it knows that it is not in the real protocol execution if it does not get it. Thus, in this case, the protocol cannot be simulated without the environment noticing, and the evaluation of cryptographic protocols in the UC model is much more difficult than in the environment-free scenario.

II. TURING ASSESSOR: AN OVERVIEW

Given a network system that intends to realize a collection of functionalities, say F = (F_1, F_2, ..., F_m), assume that there is a map D from a functionality F to a subsystem S, say S = (S_1, S_2, ..., S_n); i.e., there exists a polynomial-time decomposer D that can extract a set of subsystems. It is then required to explain exactly what it means for a subsystem S_i to securely realize a functionality F_j. As a result, a set of interesting research problems can be addressed as follows:

• Research problem 1: Given a network S, how to define a collection of functionalities F?

• Research problem 2: Clearly, F cannot be defined as a semigroup over a system within an environment Z, since the computation of F need not be closed under some algebraic structure. Thus a natural question is whether (F_1, F_2, ..., F_m) is equivalent to (F_1, ..., F_{i+1}, F_i, ..., F_m); that is, should the functionality set be defined in an order-specified way?

• Research problem 3: Typically, for a given S_i there is an environment Z with which it is associated. This leaves the interesting research problem of how to define the Z corresponding to S_i and F_j.

• Research problem 4: How to evaluate the security of S_i, which is intended to realize the functionality F_j?

• Research problem 5: If for each F_j there is an S_i that securely realizes F_j within some environment Z, can we deduce that S securely realizes the functionality F in any environment?

And so on.
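As an added illustration of the decomposition step from Section I.B (and of Research problem 1 above), the following Python snippet is not code from the paper: it tests whether a candidate relation R on s × s is reflexive, symmetric and transitive and, when it is, builds the partition of s into equivalence classes. The subsystem names and functionality labels are constructed for the example. It also exhibits the caveat behind Problem 2: a weaker relation that only asks whether two subsystems share some functionality stops being transitive as soon as subsystems overlap, so it induces no partition and the conditional treatment the paper mentions would be needed instead.

```python
from collections import defaultdict

# Constructed sample: a network system s decomposed into subsystems, each tagged
# with the functionalities it implements (all labels are made up for this example).
SUBSYSTEMS = {
    "s1": {"auth"},
    "s2": {"auth"},
    "s3": {"routing"},
    "s4": {"routing", "auth"},   # overlaps two functionalities (Problem 2)
    "s5": {"key-exchange"},
}


def r_exact(a, b):
    """R(s_m, s_n) = 1 iff s_m and s_n realize exactly the same functionality set."""
    return SUBSYSTEMS[a] == SUBSYSTEMS[b]


def r_overlap(a, b):
    """Weaker candidate relation: s_m and s_n share at least one functionality."""
    return bool(SUBSYSTEMS[a] & SUBSYSTEMS[b])


def is_equivalence(elements, R):
    """Return (reflexive, symmetric, transitive) for R on a finite set of elements."""
    elements = list(elements)
    reflexive = all(R(a, a) for a in elements)
    symmetric = all(R(a, b) == R(b, a) for a in elements for b in elements)
    transitive = all(
        R(a, c)
        for a in elements for b in elements for c in elements
        if R(a, b) and R(b, c)
    )
    return reflexive, symmetric, transitive


def partition(elements, R):
    """Classes of R computed by union-find over all related pairs.

    For a relation that is not an equivalence this returns connected
    components, which is why decompose() checks the three properties first.
    """
    elements = list(elements)
    parent = {e: e for e in elements}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a in elements:
        for b in elements:
            if R(a, b):
                parent[find(a)] = find(b)
    classes = defaultdict(list)
    for e in elements:
        classes[find(e)].append(e)
    return sorted(sorted(c) for c in classes.values())


def decompose(elements, R):
    """Reduce the assessment of s to its functionality classes; refuse a non-equivalence R."""
    reflexive, symmetric, transitive = is_equivalence(elements, R)
    if not (reflexive and symmetric and transitive):
        raise ValueError(
            f"R is not an equivalence relation "
            f"(reflexive={reflexive}, symmetric={symmetric}, transitive={transitive})"
        )
    return partition(elements, R)


if __name__ == "__main__":
    print("classes under r_exact:", decompose(SUBSYSTEMS, r_exact))
    print("r_overlap properties:", is_equivalence(SUBSYSTEMS, r_overlap))
```

With the sample above, r_exact yields the classes {s1, s2}, {s3}, {s4}, {s5}, whereas r_overlap is reflexive and symmetric but fails transitivity (s1 relates to s4 through "auth" and s4 to s3 through "routing", yet s1 and s3 are unrelated), so decompose() rejects it.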

To solve the problems listed above (to name but a few), a notion which we call a Turing Assessor is introduced and formalized. Informally, a Turing Assessor is a probabilistic polynomial-time ring master for a network system whose security is to be evaluated. In essence, we model a Turing Assessor as an environment Z that tries to extract any knowledge beyond what can be obtained after the execution of the system. Thus, a Turing Assessor provides a simulation-based technique for defining the security strength of the system. In this paper, we take the first step towards a platform for a Turing Assessor by defining the security of a system for a functionality. Since a complete description of the Turing Assessor requires a great deal of work, this paper only studies the simplest case: the evaluation of a subsystem (or a simple system) with an isolated functionality, i.e., when the Turing Assessor is applied to evaluate the system, no extra functionality is introduced (in future work, we will consider more complex Turing Assessors where arbitrary functionalities can be introduced).

III. SYNCHRONOUS TURING ASSESSOR

Since a Turing Assessor can be used for both asynchronous and synchronous communication channels, we define an asynchronous Turing Assessor (ATA) for asynchronous communication channels and a synchronous Turing Assessor (STA) for synchronous communication channels. Obviously, STA is a special case of ATA, and thus there are two approaches to studying the Turing Assessor. One is to define a general model for ATA and then reduce ATA to STA; the other is to build a platform for STA first and then remove the restriction to synchronous communication channels. We adopt the second approach.

A. Synchronous players

A protocol Π consists of n parties, all interactive Turing machines. The execution of a protocol takes place in the presence of an environment Z, also an interactive Turing machine, which supplies inputs to and obtains outputs from each player in the protocol (hence the name Turing Assessor). The environment Z also models adversarial behavior towards the protocol (it can be used to test the security of the protocol, and the protocol is called secure if Z obtains no extra knowledge compared with what it obtains when run with an ideal system that specifies some function F). To define a synchronous player P_i, we need to specify the internal random tape of P_i and the messages it receives from the network (as specified by the underlying protocol). In our model, in each round r, each party P_i sends a message m_{i,j,r} to every party P_j, including itself. The message m_{i,i,r} denotes the state of P_i after round r, which is an auxiliary input to P_i (hence, for an honest P_i, Z knows nothing about m_{i,i,r}); when P_i is corrupted by Z, however, the initial internal random string r_i must be provided to Z. By C we denote the set of corrupted parties, and H = {1, ..., n} \ C is the set of honest parties.

B. Synchronous environment Z

A synchronous environment Z is the ring master of the underlying system. The task of Z is to maintain the consistency of the system currently being evaluated. To provide an evaluation, Z forces the P_i to run the instructions listed below:

• (Active, i, x_{i,r}, {m_{j,i,r−1}}_{j∈C});
• (Corrupt, i), for i ∈ H;
• (round termination, r);
• (decision, b ∈ {0, 1}).

Notice that Z observes all information flowing between the players P_i (1 ≤ i ≤ n). Thus the only secret values of P_i are its internal random string r_i and its local output string y_{i,r} (released at the (round termination, r) instruction). All the public values, together with the auxiliary information obtained from the corrupted set, are used to decide whether the system is correct, secure and robust against the attacks instructed by Z.

C. Measurement for a protocol with single functionality

A critical issue in evaluating the security level of a system is to define an acceptable measurement. The measurement should be defined with a clear mathematical structure so that it can be evaluated automatically, i.e., the evaluation strategy should be efficient (PPT) and thus programmable in polynomial time in a security parameter. In this paper, we provide a simulation-based measurement with an explicit mathematical structure. More precisely, we define the following real-world processing of Π and ideal-world processing of F (F ← F_j), each interacting with an arbitrary environment Z over synchronous communication channels.

Real-world processing with synchronous Z

• Initialization: on input a security parameter k and n, random strings (r_i, r_z), where r_i is for P_i and r_z for Z;
• Instructions: Z outputs one of the following instructions:
  1) (Active, i, x_{i,r}, {m_{j,i,r−1}}_{j∈C}): on input x_{i,r}, P_i obtains {m_{j,i,r−1}}_{j∈H} from the parties P_j, then computes (m_{i,j,r}, y_{i,r}) ← P_i({m_{j,i,r−1}}, x_{i,r}) and finally outputs m_{i,j,r} (i ≠ j) to Z;
  2) (Corrupt, i), for i ∈ H: on input (Corrupt, i), P_i outputs r_i to Z and C ← C ∪ {i};
  3) (round termination, r): on input (round termination, r), each party outputs y_{i,r} and Z obtains y_{i,r} (i ∈ H). This means that Z obtains all y_{i,r} (1 ≤ i ≤ n);
• (decision, b ∈ {0, 1}): Z outputs a bit b.

By REAL_{Π,Z}(k, n, r) we denote the bit b output by Z. Thus REAL_{Π,Z}(k, n) defines a random variable, where r is taken uniformly at random.

Ideal-world functionality F with synchronous Z

• Initialization: on input a security parameter k and n, random strings (r_F, r_sim, r_z), where r_F is for F, r_sim for the simulator sim and r_z for Z;
• Instructions: Z outputs one of the following instructions:
  1) (Active, i, x_{i,r}, {m_{j,i,r−1}}_{j∈C}): on input x_{i,r}, sim forwards it to F and obtains v_F, the public information output by F; on input ({m_{j,i,r−1}}_{j∈C}, v_F), sim outputs m_{i,j,r} (i ≠ j) and y_{i,r}. Finally, sim sends m_{i,j,r} (i ≠ j) to Z;
  2) (Corrupt, i), for i ∈ H: on input (Corrupt, i), sim outputs r_i to Z and sets C ← C ∪ {i};
  3) (round termination, r): on input (round termination, r), each party outputs y_{i,r} and Z obtains y_{i,r} (i ∈ H). This means that Z obtains all y_{i,r} (1 ≤ i ≤ n);
• (decision, b ∈ {0, 1}): Z outputs a bit b.

By IDEAL_{F,sim,Z}(k, n, r) we denote the bit b output by Z. Thus IDEAL_{F,sim,Z}(k, n) defines a random variable, where r is taken uniformly at random.

Measurement: A protocol Π securely realizes a functionality F if for any environment Z (which also models an adversary in the real world) there exists a simulator sim such that the random variable REAL_{Π,Z} is computationally indistinguishable from the random variable IDEAL_{F,sim,Z}.

IV. APPLICATIONS

In SASN'04, Buttyán and Vajda [1] proposed a formal framework for the security analysis of on-demand source routing protocols for wireless ad hoc networks. Their approach is based on the well-known simulation paradigm that has been proposed for proving the security of cryptographic protocols. That is, they formally define real-world and ideal-world models that capture the basic features of wireless ad hoc networking in general, and of ad hoc routing protocols in particular. They also proposed a novel on-demand source routing protocol for wireless ad hoc networks, which can be proven secure in that model. Buttyán and Vajda further proposed a concrete route discovery protocol called endairA (the inverse of the Ariadne protocol) which is provably secure in the simulation paradigm. The endairA protocol is attractive since it is provably secure assuming the underlying signature scheme is secure against adaptive chosen-message attack. Informally, the endairA protocol can be abstracted as a concatenation of order-specified signatures (Sig_{sk_j}(m_j) → ... → Sig_{sk_1}(m_1)) computed from a set of order-specified identifier messages (m_j, ..., m_1).

We now assess Buttyán and Vajda's route discovery protocol (the endairA protocol). Let σ = (KGen, sign, vf) be any ordinary signature scheme deployed in the route discovery protocol. Then Π_σ securely realizes F_sig if and only if σ is secure against adaptive chosen-message attack, using the simulation-based argument described above. By applying the measurement, we obtain the following statement: the endairA protocol securely realizes the functionality of a signature scheme, and thus it is secure within the framework. This framework ensures that Buttyán and Vajda's route discovery protocol is secure for authenticating the sender of a message, but the framework does NOT say anything beyond the claimed signature functionality. Thus, further research on other evaluations, e.g., selfish attacks or denial-of-service attacks, is certainly welcome.
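The measurement of Section III.C and the endairA assessment above, as an added, constructed example (not the authors' code). The environment Z plays a two-party, two-round game: it activates the signer P1 with an input m1, observes the message m_{1,2,1}, activates the verifier P2 with an input of its own choosing (a second message m2 with the signature s1 replayed), obtains P2's local output y_{2,2} at round termination and outputs the decision bit b. REAL runs Π_σ with a concrete signature scheme σ = (KGen, sign, vf); IDEAL runs a simplified F_sig that accepts only pairs it recorded, with a simulator sim producing the signature strings. Assumptions made here: σ is instantiated with a Lamport one-time signature over SHA-256 (chosen because the Python standard library has no public-key signature), and, for contrast, with a deliberately broken scheme whose tag does not depend on the message; the Corrupt instruction is not exercised. The advantage() function estimates |Pr[REAL = 1] − Pr[IDEAL = 1]| over fresh random tapes; it comes out as 0 for the Lamport instance and 1 for the broken one, i.e. Z tells the worlds apart exactly when the scheme is forgeable.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class LamportSig:
    """sigma = (KGen, sign, vf): Lamport one-time signature over SHA-256 (assumed instance)."""

    @staticmethod
    def kgen(tape: bytes):
        # sk: 256 pairs of secrets derived from the party's random tape; vk: their hashes
        sk = tuple((H(tape + bytes([i, 0])), H(tape + bytes([i, 1]))) for i in range(256))
        vk = tuple((H(a), H(b)) for a, b in sk)
        return sk, vk

    @staticmethod
    def sign(sk, m: bytes):
        d = int.from_bytes(H(m), "big")
        return tuple(sk[i][(d >> (255 - i)) & 1] for i in range(256))

    @staticmethod
    def vf(vk, m: bytes, s) -> bool:
        if len(s) != 256:
            return False
        d = int.from_bytes(H(m), "big")
        return all(H(s[i]) == vk[i][(d >> (255 - i)) & 1] for i in range(256))


class StaticTagSig:
    """Deliberately broken sigma: the 'signature' is a constant tag independent of m."""

    @staticmethod
    def kgen(tape: bytes):
        return tape, H(tape)          # sk = tape, vk = H(sk)

    @staticmethod
    def sign(sk, m: bytes):
        return H(sk)                  # same tag for every message

    @staticmethod
    def vf(vk, m: bytes, s) -> bool:
        return s == vk


class ReplayEnv:
    """Environment Z: sign m1, then hand P2 the same signature under a different m2."""
    M1 = b"route-request A->B"        # constructed sample inputs
    M2 = b"route-request A->C"

    def input_round1(self):
        return self.M1

    def input_round2(self, observed):
        _vk, _m1, s1 = observed[(1, 2, 1)]   # Z saw m_{1,2,1}
        return self.M2, s1

    def decide(self, y2) -> int:
        return int(y2)                       # (decision, b)


def fresh_tapes():
    """Random strings r_1 (for P1) and r_sim (for sim), drawn uniformly per run."""
    return {"r1": secrets.token_bytes(32), "r_sim": secrets.token_bytes(32)}


def real_world(sigma, Z, tapes) -> int:
    sk, vk = sigma.kgen(tapes["r1"])                 # P1 derives its keys from r_1
    m1 = Z.input_round1()                            # (Active, 1, x_{1,1}, {})
    observed = {(1, 2, 1): (vk, m1, sigma.sign(sk, m1))}   # m_{1,2,1}, visible to Z
    m2, s2 = Z.input_round2(observed)                # (Active, 2, x_{2,2}, ...)
    y2 = sigma.vf(vk, m2, s2)                        # y_{2,2}, released at round termination
    return Z.decide(y2)


def ideal_world(sigma, Z, tapes) -> int:
    recorded = set()                                 # F_sig's table of legitimately signed pairs
    sk, vk = sigma.kgen(tapes["r_sim"])              # sim runs KGen on its own tape r_sim
    m1 = Z.input_round1()                            # forwarded to F; v_F = m1 is public
    s1 = sigma.sign(sk, m1)                          # sim produces the signature string
    recorded.add((m1, s1))                           # F records the pair
    observed = {(1, 2, 1): (vk, m1, s1)}             # simulated m_{1,2,1} shown to Z
    m2, s2 = Z.input_round2(observed)
    y2 = (m2, s2) in recorded                        # honest signer: F rejects anything never signed
    return Z.decide(y2)


def advantage(sigma, Z, trials: int = 20) -> float:
    """Estimate |Pr[REAL_{Pi,Z} = 1] - Pr[IDEAL_{F,sim,Z} = 1]| over fresh random tapes."""
    real = sum(real_world(sigma, Z, fresh_tapes()) for _ in range(trials)) / trials
    ideal = sum(ideal_world(sigma, Z, fresh_tapes()) for _ in range(trials)) / trials
    return abs(real - ideal)


if __name__ == "__main__":
    print("Lamport   advantage:", advantage(LamportSig, ReplayEnv()))
    print("StaticTag advantage:", advantage(StaticTagSig, ReplayEnv()))
```

The point of the two instances is the measurement itself: with the Lamport scheme the replayed signature is rejected in both worlds, so Z's bit has the same distribution and the protocol realizes F_sig against this Z; with the static tag, P2 accepts in the real world while F_sig rejects in the ideal world, so no simulator can close the gap and the protocol fails the measurement.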

V. CONCLUSION

In this paper, we propose a novel theory for evaluating security properties at the system level by applying the standard reduction technique. A concrete example is then provided to illustrate the power of our new tool.

Acknowledgment

The research is partially supported by the National Natural Science Foundation of China under project number 60273058.

REFERENCES

[1] L. Buttyán and I. Vajda, Towards Provable Security for Ad Hoc Routing Protocols, 2nd ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN 2004), Washington DC, USA, October 25, 2004, pp. 94-105.
[2] Ran Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. FOCS 2001: 136-145.


[3] Ran Canetti, Marc Fischlin: Universally Composable Commitments. CRYPTO 2001: 19-40.
[4] Ran Canetti, Eyal Kushilevitz, Yehuda Lindell: On the Limitations of Universally Composable Two-Party Computation without Set-up Assumptions. EUROCRYPT 2003: 68-86.
[5] Danny Dolev, Andrew Chi-Chih Yao: On the security of public key protocols. IEEE Transactions on Information Theory 29(2): 198-207 (1983).
[6] Michael J. Freedman, Yuval Ishai, Benny Pinkas, and Omer Reingold: Keyword Search and Oblivious Pseudorandom Functions. 2nd Theory of Cryptography Conference (TCC'05).
[7] V. Gupta, V. V. Lam, H. V. Ramasamy, W. H. Sanders, and S. Singh: Dependability and performance evaluation of intrusion-tolerant server architectures. In Dependable Computing: Proc. of the First Latin-American Symposium (LADC 2003), ser. LNCS, vol. 2847, 2003, pp. 81-101.
[8] Shafi Goldwasser, Silvio Micali, Charles Rackoff: The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract). STOC 1985: 291-304. See also: The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput. 18(1): 186-208 (1989).
[9] Oded Goldreich, Silvio Micali, Avi Wigderson: How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design. CRYPTO 1986: 171-185.
[10] J. C. Laprie (ed.): Dependability: Basic Concepts and Terminology. Springer-Verlag, 1992.
[11] Y. Liu and K. S. Trivedi: A general framework for network survivability quantification. Proc. 12th GI/ITG Conference on Measuring, Modelling and Evaluation of Computer and Communication Systems (MMB) together with 3rd Polish-German Teletraffic Symposium (PGTS), 2004.
[12] Y. Liu, V. B. Mendiratta, and K. S. Trivedi: Survivability analysis of telephone access network. In Proc. IEEE Intl. Symposium on Software Reliability Engineering (ISSRE 2004), 2004.
[13] J. F. Meyer: On Evaluating the Performability of Degradable Computing Systems. Proceedings of the 8th International Symposium on Fault-Tolerant Computing, Toulouse, France, June 1978, pp. 44-49.
[14] B. Madan, K. Goseva-Popstojanova, K. Vaidyanathan, and K. Trivedi: Modeling and quantification of security attributes of software systems. Proc. Int. Conf. on Dependable Systems and Networks, 2002, pp. 505-514.
[15] David M. Nicol, William H. Sanders, and Kishor S. Trivedi: Model-Based Evaluation: From Dependability to Security. IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, 2004.
[16] Birgit Pfitzmann, Michael Waidner: Composition and integrity preservation of secure reactive systems. ACM Conference on Computer and Communications Security 2000: 245-254.
[17] Birgit Pfitzmann, Michael Waidner: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission. IEEE Symposium on Security and Privacy 2001: 184.
[18] S. Singh, M. Cukier, and W. H. Sanders: Probabilistic validation of an intrusion-tolerant replication system. Proc. Int. Conf. on Dependable Systems and Networks, June 2003, pp. 616-624.
[19] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. Wing: Automated generation and analysis of attack graphs. Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002, pp. 273-284.
[20] F. Stevens, T. Courtney, S. Singh, A. Agbaria, J. F. Meyer, W. H. Sanders, and P. Pal: Model-based validation of an intrusion-tolerant network system. Proceedings of the 23rd Symposium on Reliable Distributed Systems (SRDS 2004), Florianópolis, Brazil, October 2004.
[21] A. Yao: Protocols for secure computations. Proc. 23rd IEEE Symposium on Foundations of Computer Science (FOCS'82), pp. 160-164. IEEE Computer Society, 1982.
