DENIAL OF SERVICE MEETING
January 27, 1999
9-10am
3085 ENG II
In attendance:
Matt Bishop (MB), John Hughes (JH), Tuomas Aura (TA)
TOPICS:
Techniques used to identify Covert Channels
John Hughes' Work
Yu/Gligor Paper
Millen Paper
To-Do List

Techniques used to identify Covert Channels
- MB: Since transmitting information over a covert channel requires low
  bandwidth, discuss techniques used to deny service
- Ex. Machine A sends a File 1 or File 0 every ten seconds. Machine B looks
  for File 0 or File 1.
- Block mechanism for sharing all channels
- Impractical, don't want to block network connections
- Prevent two people from accessing same directory
- Ex. Block CPU randomize CPU channels delays person
- Covert channels look for limits of things
- Discover relationship between covert channels and denial of service (DOS)
  attacks.
- Any technique used for covert channels applicable to DOS; detecting points
  where DOS may occur
- DOS also used to locate covert channels
- TA: Directory name checking methods create directory
- Not reading directory name
- Not allowed to create directory with the same name
- Hidden directory
- Reality vs. Virtual Reality - CPU usage time vs. clock

John Hughes' Work
- Locating limits in TCP protocol.
- Went through RFC, saw some limitations
- Sequence Numbers: 0 to 2^32-1, cycles through in 5 minutes; timeout
  value is 2 minutes
- Faster connections can cycle through faster than 2 minutes
- Receiving duplicate packets
- TCP window, willing to receive packets in sequence range. If window (32
  bit) is large, problems with urgent pointer (16 bit). Urgent pointer can
  point back to the open window; urgent pointer is offset.
- TA: Set window size to 2^32 2^16
- Possible to add urgent data, move urgent pointer further down, but urgent
  pointer should never shrink in size.
- Email most interesting high-speed connections to Matt, so he can use them
  when he talks to Russ Hobby.

Yu/Gligor 1988 Paper: "A Formal Specification and Verification Method
for the Prevention of Denial of Service"
- Resource Allocation
- Policy
- Implementation
- Analyze and Prove Fairness (liveness property of the system: no starvation)
- Yu/Gligor 1988 paper specifies policy and implementation, builds formal
  model and analyzes it.
- Formal models: The main problem is that any time you want to prove fairness
  and have state machines, you must make assumptions:
- Process being held will eventually be released.
- Agreement between entities, not typically listed in policy
- Not easy to find assumptions: Going through assumptions more important
  than proving fairness
- What's new? Nothing different in DOS.

Millen 1992 Paper: "A Resource Allocation Model for Denial of Service"
- Policy that guarantees fairness
- Policy for allocating resources
- You always allocate more and more resources, then you release all of them
  after using them
- Practical rules for allocating resources resemble database rules
- General Approach
- Deadlock Detection
- Model system, prove no deadlock
- Policy: linear order to resources, never release them until you have
  them all.
- Same allocation rules for CPU and memory processes
- MB: OS is really database manager, should work for distributed systems
  as well.
- TA: Classical methods not specific to security DOS
- Policy too restrictive for real systems
- Any policy that can prove fairness requires large amounts of resources.
- Internet user can exhaust the server
- Attacker invests $ amounts to attack. Result is damage in terms of cost,
  bandwidth, points of connection
- Model network as a graph.
- Cost of disconnecting node in graph
- Damage = F_system(Cost of attack)
- Evaluate damage
- Cut off one node: not a huge loss
- How many connections remain
- Damage = Number of Pairs that cannot communicate ≤ N_nodes
- Server Damage = Number of Clients that cannot communicate with server
- Client Damage = Number of Services a Client cannot use
- Specify problem more formally
- Paper could come up with way to calculate damage exactly
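
The damage measures listed above (pairs that cannot communicate, server damage, client damage), computed on a small graph. This is an added example, not part of the original minutes; the topology, the node names, and the choice to count pairs involving a removed node as damaged are assumptions.

```python
from collections import deque

# Constructed topology (an assumption, not from the minutes): three clients,
# two routers, two servers; "web" is dual-homed, "mail" hangs off r2 only.
EDGES = [("c1", "r1"), ("c2", "r1"), ("c3", "r2"), ("r1", "r2"),
         ("r1", "web"), ("r2", "web"), ("r2", "mail")]

def build_graph(edges, removed=()):
    """Undirected adjacency sets, with the attacked (removed) nodes cut out."""
    removed, graph = set(removed), {}
    for a, b in edges:
        for node in (a, b):
            if node not in removed:
                graph.setdefault(node, set())
        if a not in removed and b not in removed:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def reachable(graph, start):
    """Breadth-first search; empty set if start itself was removed."""
    if start not in graph:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def connected_pairs(graph):
    """Unordered node pairs that can communicate: k*(k-1)/2 per component."""
    seen, total = set(), 0
    for node in graph:
        if node not in seen:
            comp = reachable(graph, node)
            seen |= comp
            total += len(comp) * (len(comp) - 1) // 2
    return total

def pair_damage(edges, removed):
    """Pairs that could communicate before the attack but cannot after it."""
    return connected_pairs(build_graph(edges)) - connected_pairs(build_graph(edges, removed))

def cut_off(edges, removed, origin, peers):
    """Server damage (origin=server, peers=clients) or client damage
    (origin=client, peers=services): how many peers the origin cannot reach."""
    reach = reachable(build_graph(edges, removed), origin)
    return sum(p not in reach for p in peers)
```

On this topology, removing the leaf c1 costs 6 pairs while removing router r2 costs 15, which is the contrast behind the note that cutting off one node need not be a huge loss.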

To-Do List
- JH: email list of high-speed connections to Matt
- JH: look through Security Applications Conference Proceedings for DOS
  papers
- Copies of Yu/Gligor, Millen papers to DOS group
- MB: discuss "Extending the Take-Grant Protection System" (Frank, Bishop)
  at next meeting