verified secure routing
play

Verified Secure Routing David Basin ETH Zurich EPFL, Summer Research - PowerPoint PPT Presentation

Oct 01, 2023 •137 likes •696 views

Verified Secure Routing David Basin ETH Zurich EPFL, Summer Research Institute June 2017 Team Members Verification Team Scion Design & Development Team Information Security David Basin Tobias

  1. 
 
 
 
 
 
 Verified Secure Routing David Basin ETH Zurich EPFL, Summer Research Institute June 2017 


  2. 
 
 Team Members Verification Team Scion Design & Development Team Information Security David Basin Tobias Klenze Ralf Sasse Christoph Sprenger Thilo Weghorn Programming Methodology 
 Marco Eilers Peter Müller Network Security Samuel Hitz Adrian Perrig 2

  3. Motivation and Context Routing problems with the status quo (inter-AS routing)

  4. Routing between autonomous systems • Network of networks run by di ff erent institutions • Nodes correspond to Autonomous Systems (ASes) - Set of routers run by common institution (Telcos, ISPs, companies) - 50,000+ ASes, e.g., your typical university or large corporation. 4

  5. Autonomous systems and routers AS 4 AS 1 1. finds paths between ASes 
 AS 3 (and within ASes) 2. forwards data along paths AS 2 • Multiple paths between ASes: 2,1,4 and 2,3,4 • Computed in background by Border Gateway Protocol (BGP) 
 and just one will be selected and used to configure routers 5

  6. Path between two ASes computed using Border Gateway Protocol (BGP) 3 5 7 2 6 4 8 Path : 8,7,5,4,2,1 1 Tra ffi c flow: 1,2,4,5,7,8 Destination Source 6

  7. Boarder Gateway Protocol “I can reach ip “I can reach ip” over AS 8” … 5 8 7 data data ip My network, Destination ip: some IP address range, 
 my rules! e.g., 208.65.153.0/24 • ASes exchange reachability information ( paths ) • Policies programmed by network operators - Decisions on what is accepted, rejected, or propagated - Any AS can announce any address range it wants • It is all based on trust! Motivations may vary! 7

  8. Who controls the Internet? Routers on path can 
 read and modify data NSA data storage 
 center Utah • Control over paths is completely distributed - Border Gateway Protocol (BGP): all nodes flood path announcements • No inbound tra ffi c control 8

  9. Who controls Internet paths? 9

  10. Three concrete examples 208.65.153.0/24 208.65.153.0/22 Pakistan DoS against Youtube (2 hours, 2008) Fribourg’s government Ukraine ISP hijacks UK routes 
 address space stolen including UK Atomic Weapons for 3 days by SPAMers 10

  11. Scion Routing as it should be

  12. Scion Project 
 Secure Future Internet Architecture ▪ Design & Implementation, 75+ man years ▪ Design of routing / forwarding protocols, 
 support ecosystem, and numerous extensions ▪ Clean slate, yet compatible with existing Internet ▪ Not just a research prototype: 
 Growing deployment on 5 continents, 4 ISDs, 26 ASes ▪ See www.scion-architecture.net and related publications 
 CACM 2017, IEEE S&P 2011, CCS 2015, NDSS 2016, S&P 2016 12

  13. SCION Overview ▪ Isolation Domains (ISD) ▪ Control Plane : routing ▪ Path exploration ▪ Path registration ▪ Path resolution ▪ Data Plane : packet forwarding 13

  14. SCION Isolation Domain (ISD) (1) Agreement : (2) Failure Isolation : Each regions agrees on a No ISD can influence common trust root. another ISD’s control TRC ISD plane. core TRC ISD ISD TRC TRC ISD core TRC core core ISD ISD ISD ISD ISD core ISD H F E D D G A A C C I B B 14

  15. SCION Routing (Control Plane) Routing Phases: TRC ISD Beaconing core (1) Path Exploration (2) Path Registration 1 2 (3) Path Resolution PCB ISD 5 3 Core: Out: 4 4 AS E: In: 1, Out: 4 1 AS F: 2 E 5 In: 1, Out: 3 3 4 AS B: In: 1 D 2 1 G 3 1 4 A F 2 3 1 C • Path Construction Beacons (PCB) are 3 H Sequence of signed Hop Fields 2 1 B • Hop Fields (HF) carry the 
 AS X: 1 In: y, Out: z I routing information for one AS 15

  16. SCION Routing (Control Plane) Routing Phases: TRC ISD Beaconing core (1) Path Exploration (2) Path Registration 1 2 (3) Path Resolution PCB ISD 5 3 Core: Out: 4 4 AS E: In: 1, Out: 4 1 AS F: 2 E 5 In: 1, Out: 3 3 4 AS B: In: 1 D 2 1 G 3 1 4 A F 2 3 1 C • Path Construction Beacons (PCB) are 3 H Sequence of signed Hop Fields 2 1 B • Hop Fields (HF) carry the 
 AS X: 1 In: y, Out: z I routing information for one AS 16

  17. SCION Routing (Control Plane) Routing Phases: TRC ISD Path Server Beaconing core (1) Path Exploration B I I (2) Path Registration 1 2 (3) Path Resolution PCB ISD 5 3 Core: Out: 4 4 AS E: In: 1, Out: 4 1 AS F: 2 E 5 In: 1, Out: 3 3 4 AS B: In: 1 D 2 1 G 3 1 4 A F 2 3 1 C 3 H 2 1 B 1 I 17

  18. SCION Routing (Control Plane) Routing Phases: TRC ISD Path Server core (1) Path Exploration B I I (2) Path Registration 1 2 (3) Path Resolution ISD 5 3 4 PCB PCB 1 2 E 5 Core: Core: 3 4 Out: 4 Out: 4 AS E: AS E: = In: 1, Out: 4 In: 1, Out: 3 D 2 1 G 3 1 AS F: AS G: 4 A F In: 1, Out: 3 In: 1, Out: 4 2 3 AS B: In: 1 AS H: 1 C 3 In: 1, Out: 2 H 2 1 B AS I: In: 1 1 Packet Header I 18

  19. SCION Forwarding (Data Plane) Common Packet header TRC ISD Header core Up- Segment Forwarding along: 1 AS B: 2 In: 1, Out: ⊥ • Up-Segment ISD 5 3 • Core-Segment AS F: 4 In: 1, Out: 3 • Down-Segment AS E: In: 1, Out: 4 1 2 E 5 3 4 Segments are Down- sequences of Hop Fields Segment D 2 1 AS E: G 3 (HFs). In: 1, Out: 3 1 4 A F 2 3 AS G: In: 1, Out: 4 1 C 3 H Hop Field contain AS H: 2 1 B routing information of In: 1, Out: 2 1 one AS. AS I: I In: 1, Out: ⊥ 19

  20. Verification High-level, omitting formal details

  21. Can We Verify Scion? • Control and data plane guarantees • Functional correctness of actual code - Suitable for high-assurance business cases - Ensures that routers are backdoor-free • S cion routers are simple and stateless - This is the key to their (feasible) verification - Not possible for current Internet with highly complex routers 
 and giant code bases of millions of lines 21

  22. Correctness and Security SCION approach Code Protocol Properties Properties Verification of the protocol Verification of the components at the network level at the code level • Code-level guarantees 
 • Abstract models of network & 
 network-wide properties (e.g., secure information flow) • Protocol verification guarantees 
 • Guarantees that each SCION that security properties hold in an 
 component behaves as specified adversarial environment, assuming 
 that each SCION component 
 behaves as specified Data Plane Initial focus Router code 22

  23. Network-Level Verification: Approach ▪ Formal specification of network and network-wide properties • Description of network topology, beaconing and path construction, … • Network adversary (on and off-path) • Network-wide security properties ▪ Formal verification : refinement used to go from high-level models to precise assumptions on the individual components needed to ensure security properties. • Correctness by construction: stepwise refinement between (transition) systems • Proofs: forward simulation and invariant preservation • Invariants preserved under refinement ▪ Tool support : verification using Isabelle/HOL 
 system with ETH Zurich developed theory extensions. 23

  24. Scion Properties On both control and data planes Control planes properties: address beacons’ authenticity • Security critical, but not in focus of this talk Data plane properties: address how routers forward messages • Path Authorization: Packets traverse the network only along previously authorized paths. • Weak Detectability: An active attacker cannot hide his presence on the path. 24

  25. SCION Border Routers Z 1 Z 2 PCB ISD PCB core PCB Z 3 PCB Border router Internal router E ISD K D A AS C C B AS Peering link Prov.-Cust. link def router(): while (pkt.nxt()): pkt.process() 25

  26. Concrete Attacker Model We use a localized, colluding Dolev-Yao attacker model TRC ISD core ISD D A C B Attacker controls the Attacker controls entire network entire ASes 26

  27. System & Environment Attacker Environment Network End hosts System OS & Libraries Border Router 27

  28. SCION Router Verification Overview Model Reality Environment Model Real Environment attacker, network Router Router Model Code } Protocol Code Security Properties Security Properties 28 refined by unproven justified proven satisfies

  29. SCION Router Verification Overview Model Reality Environment Model Real Environment attacker, network Router Router Model Code } Protocol Code Security Properties Security Properties 29 refined by unproven justified proven satisfies

  30. Abstract Packet Format The Path is the Packet = Past Path Future Path The Path (consisting of Past and Future) contains Hop Fields (HF) Example: HF1 HF2 HF3 HF4 HF5 HF6 A Hop Field contains routing information of one AS 30

  31. Refinement Overview Communication channels Hop Field format Attacker A Refinement ( ,A, ) ( ,A, , ) ( ,A, , ) A Idea : strengthen attacker while increasing protection of paths. : Fields protected by MAC : Neighbor ASes : MAC : Message set 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at ETH Security and Correctness Protocol-level properties - Path validity : Constructed paths are valid and reflect the routing decisions by on-path

294 views • 8 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos & Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos & Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos & Zygmunt J. Haas Presented by Leland Smith CS 6204, Spring 2005 1 Overview What are MANETs? Motivation Secure Routing Protocol Protocol Description

560 views • 15 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why do we keep seeing these headlines? 1. The Meta Goal Can we devise changes to operational practices, or operational tools or routing technologies

572 views • 15 slides
Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

886 views • 36 slides
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

T-79.194 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner presentation by Maarit Hietalahti Helsinki University of Technology Laboratory for Theoretical Computer Science

298 views • 14 slides
Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich Ian Goldberg 20 June 2017 EPFL Summer Research Institute Censorship Censors may monitor, alter or block traffic that enters or leaves their area

909 views • 53 slides
On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

International Workshop on OMNeT++ Code Contribution On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture Mohamad Sbeiti and Christian Wietfeld 05.03.2013 Faculty of Electrical and Computing

463 views • 7 slides
Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

687 views • 36 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Secure Geographical Routing Vivek Pathak and Liviu Iftode Location Authenticating

Secure Geographical Routing Vivek Pathak and Liviu Iftode Location Authenticating

Secure Geographical Routing Vivek Pathak and Liviu Iftode Location Authenticating geographical location False Location Attacks Motivations Economic Benefit of misreporting location Strategic Battlefield Privacy

481 views • 37 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
Selecting new BGP feeders to Address the Incompleteness of the Internet AS-level Graph Luca Sani

Selecting new BGP feeders to Address the Incompleteness of the Internet AS-level Graph Luca Sani

Selecting new BGP feeders to Address the Incompleteness of the Internet AS-level Graph Luca Sani Enrico Gregori, Alessandro Improta, Luciano Lenzini, Lorenzo Rossi InfQ Workshop - Lucca - July 5-6, 2012 Luca Sani Selecting new BGP feeders to

743 views • 26 slides
China Telecom Incident Rahul Hiran 1 , Niklas Carlsson 1 , Phillipa Gill 2 1 Linkping University,

China Telecom Incident Rahul Hiran 1 , Niklas Carlsson 1 , Phillipa Gill 2 1 Linkping University,

Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident Rahul Hiran 1 , Niklas Carlsson 1 , Phillipa Gill 2 1 Linkping University, Sweden 2 University of Toronto, Canada 19 th March2013 China Telecom incident

735 views • 31 slides
IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite

IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite

IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at the internet layer. Handles addressing and routing TCP: at the transport layer. Setting up channels (between

418 views • 21 slides
Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan

Internet Protocol: Routing Algorithms Internet Protocol: Routing Algorithms Srinidhi Varadarajan Routing Routing Rout ing prot ocol 5 Goal: det ermine good pat h (sequence of rout ers) t hru 3 B C net work f rom source t o dest .

636 views • 40 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition 7 1 6 6 2 0-1500 0-46 4 DA SA Data Pad CRC Preamble SFD Type Gap Destination MAC address Source MAC address Type (of

1.03k views • 47 slides
Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and

Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and

Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Open Shortest Path First (OSPF) Last lecture: OSPF as an example of Link State Routing algorithm

608 views • 25 slides
Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities and Services Overall: message delivery End-to-end" communications between processes ( i.e. running programs) Communicating

467 views • 17 slides

More recommend