Abstract
Static system configuration provides a significant advantage for the adversaries to discover the assets and vulnerabilities in the system and launch attacks. Configuration-based moving target defense (MTD) reverses the cyber warfare asymmetry for the defenders’ advantage by mutating certain configuration parameters proactively in order to disrupt attacks planning or increase the attack cost significantly.
A key challenge in developing MTD techniques is guaranteeing design correctness and operational integrity. Due to the dynamic, asynchronous, and distributed nature of moving target defense, various mutation actions can be executed in an interleaved manner causing failures in the defense mechanism itself or negative interference in the cyber operations. Therefore, it is important to verify the correctness and operational integrity, of moving target techniques to identify the design errors or inappropriate run-time behavior that might jeopardize the effectiveness of MTD or cyber operations. To the best of our knowledge, there is no work aiming for the formal verification of the design correctness and integrity of moving target defense techniques.
In this paper, we present a methodology for formal verification of configuration based moving target defense. We model the system behaviors with system modeling language (SysML) and formalize the MTD technique using du-ration calculus (DC). The formal model satisfies the constraints and de-sign correctness properties. We use the random host mutation (RHM) as a case study of the MTD system that randomly mutates the IP addresses to make end-hosts untraceable by scanners. We validate the design correctness of RHM using model checking over various configuration-based mutation parameters.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Al-Shaer, E.: Mutable networks, National cyber leap year summit 2009 participants ideas report. Technical report, Networking and Information Technology Research and Development (NTIRD) (2009)
Al-Shaer, E.: Toward network configuration randomization for moving target defense. In: Jajodia, S., Ghosh, A.K., Swarup, V., Wang, C., Wang, X.S. (eds.) Moving Target Defense, Advances in Information Security, vol. 54, pp. 153–159. Springer, New York (2011). https://doi.org/10.1007/978-1-4614-0977-9_9
Al-Shaer, E., Duan, Q., Jafarian, J.H.: Random host mutation for moving target defense. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 310–327. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36883-7_19
An, J., Zhan, N., Li, X., Zhang, M., Yi, W.: Model checking bounded continuous-time extended linear duration invariants. In: Proceedings of the 21st International Conference on Hybrid Systems: Computation and Control (Part of CPS Week), HSCC 2018 pp. 81–90. ACM, New York (2018)
Atighetchi, M., Pal, P., Webber, F., Jones, C.: Adaptive use of network-centric mechanisms in cyber-defense. In: Second IEEE International Symposium on Network Computing and Applications, NCA 2003, pp. 179–188 (2003)
Basit-Ur-Rahim, M.A., Ahmad, J., Arif, F.: Parallel verification of UML using divine tool. In: 2013 5th International Conference on Computer Science and Information Technology, pp. 49–53 (2013)
Basit-Ur-Rahim, M.A., Arif, F., Ahmad, J.: Modeling of real-time embedded systems using SysML and its verification using UPPAAL and DiVinE. In: 2014 IEEE 5th International Conference on Software Engineering and Service Science, pp. 132–136 (2014)
Behrmann, G., David, A., Larsen, K.G.: A tutorial on uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30080-9_7
Dadeau, F., Héam, P., Kheddam, R.: Mutation-based test generation from security protocols in hlpsl. In: 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation, pp. 240–248 (2011)
Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., Carney, M.: Dynamic host configuration protocol for IPv6 (2003). https://tools.ietf.org/html/rfc3315
Dunlop, M., Groat, S., Marchany, R., Tront, J.: IPv6: now you see me, now you don’t. In: The Tenth International Conference on Networks, ICN 2011 (2011)
Dunlop, M., Groat, S., Urbanski, W., Marchany, R., Tront, J.: Mt6d: a moving target IPv6 defense. In: 2011 - MILCOM 2011 Military Communications Conference, pp. 1321–1326 (2011)
Olderog, E.R., Dierks, H.: Real-Time Systems: Formal Specification and Automatic Verification. Cambridge University Press, Cambridge (2008)
Fang, K., Li, X., Hao, J., Feng, Z.: Formal modeling and verification of security protocols on cloud computing systems based on UML 2.3. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 852–859 (2016)
Fu, Y., Koné, O.: Validation of security protocol implementations from security objectives. Comput. Secur. 36, 27–39 (2013)
Goranko, V., Montanari, A., Sciavicco, G.: A road map of interval temporal logics and duration calculi. J. Appl. Non-Class. Logics 14(1–2), 9–54 (2004)
Guelev, D.P., Wang, S., Zhan, N.: Compositional hoare-style reasoning about hybrid CSP in the duration calculus. In: Larsen, K.G., Sokolsky, O., Wang, J. (eds.) SETTA 2017. LNCS, vol. 10606, pp. 110–127. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69483-2_7
Lugou, F., Li, L.W., Apvrille, L., Ameur-Boulifa, R.: SYSML models and model transformation for security. In: 2016 4th International Conference on Model-Driven Engineering and Software Development (MODELSWARD), pp. 331–338 (2016)
Meyer, R., Faber, J., Rybalchenko, A.: Model checking duration calculus: a practical approach. In: Barkaoui, K., Cavalcanti, A., Cerone, A. (eds.) ICTAC 2006. LNCS, vol. 4281, pp. 332–346. Springer, Heidelberg (2006). https://doi.org/10.1007/11921240_23
Page, R.L.: Engineering software correctness. J. Funct. Program. 17(6), 675–686 (2007)
Pedroza, G., Apvrille, L., Knorreck, D.: Avatar: A SYSML environment for the formal verification of safety and security properties. In: 2011 11th Annual International Conference on New Technologies of Distributed Systems, pp. 1–10 (2011)
Rahim, M.A.B.U., Duan, Q., Al-Shaer, E.: A formal analysis of moving target defense (2020)
Basit ur Rahim, M.A., Arif, F.: Translating activity diagram from duration calculus for modeling of real-time systems and its formal verification using UPPAAL and DiVinE. Mehran Univ. Res. J. Eng. Technol. 35(1), 139–154 (2016)
Basit Ur Rahim, M.A., Arif, F., Ahmad, J.: Modeling of embedded system using SysML and its parallel verification using DiVinE tool. In: Murgante, B., et al. (eds.) ICCSA 2014. LNCS, vol. 8583, pp. 541–555. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-09156-3_38
Ravn, A.P., Srba, J., Vighio, S.: Modelling and verification of web services business activity protocol. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 357–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_32
Schwammberger, M.: Introducing liveness into multi-lane spatial logic lane change controllers using UPPAAL, pp. 17–31. CoRR abs/1804.04346 (2018)
Shen, G., Li, X., Feng, R., Xu, G., Hu, J., Feng, Z.: An extended UML method for the verification of security protocols. In: 2014 19th International Conference on Engineering of Complex Computer Systems, pp. 19–28 (2014)
Sultana, S., Arif, F.: Computational conversion via translation rules for transforming C++ code into UPPAAL’s automata. IEEE Access 5, 14455–14467 (2017)
Wang, H., Zhou, X., Dong, Y., Tang, L.: Modeling timing behavior for cyber-physical systems. In: 2009 International Conference on Computational Intelligence and Software Engineering, pp. 1–4 (2009)
Zhang, M., Liu, Z., Zhan, N.: Model checking linear duration invariants of networks of automata. In: Arbab, F., Sirjani, M. (eds.) FSEN 2009. LNCS, vol. 5961, pp. 244–259. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11623-0_14
Acknowledgement
This research was supported in part by the United States Army Research Office (ARO). Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix: DC Implementable with Definition
Appendix: DC Implementable with Definition
DC implementables | Pattern | Description |
|---|---|---|
Initialisation | \( \lceil \rceil \longrightarrow \lceil x \rceil ; true, \) | Each control automaton is either empty or in initial state |
Sequence | \( \lceil x \rceil \longrightarrow \lceil x \vee x_1 \vee x_2 \vee ..\vee x_n \rceil \) | if the control automaton is in state x it subsequently stays in x or moves to one of the state \(x_1,...,x_n\). e.g. all transition among the states of a component are specified using sequence implementable |
Progress | \( \lceil x \rceil \xrightarrow {\varepsilon } \lceil \lnot x \rceil \) | The control automaton stays for \(\varepsilon \) seconds in state x, it leaves this state and progresses accordingly. e.g. This will be used to define the computational overhead of mutation |
Synchronization | \( \lceil x \wedge \alpha \rceil \xrightarrow {\varepsilon } \lceil \lnot x \rceil \) | The control automaton stays for \(\varepsilon \) second in state x with condition \(\alpha \) being true. The time unit \(\varepsilon \) is a clock that can be either discrete or continuous type. e.g. This will be used to allow the transition iff the mutation criterion is satisfied |
Bounded Stability | \( \lceil \lnot x \rceil ; \lceil x \wedge \alpha \rceil \xrightarrow {\le \varepsilon } \lceil x \vee x_1 \vee x_2 \vee ..\vee x_n \rceil \) | When the control automaton changes its state to x with the condition \(\alpha \) being true and the time does not exceed \(\varepsilon \) seconds, it stays in x or it moves to one of states \(x_1,...,x_n\). e.g. Mutate vIP after a certain time interval |
Unbounded Stability | \( \lceil \lnot x \rceil ; \lceil x \wedge \alpha \rceil \longrightarrow \lceil x \vee x_1 \vee x_2 \vee ..\vee x_n \rceil \) | when the control automaton changes its state to x with the condition \(\alpha \) being true, it stays in x or it moves to one of states \(x_1,...,x_n\). e.g. Select new vIP till all MT hosts get a new vIP |
Bounded Initial Stability | \( \lceil x \wedge \alpha \rceil \xrightarrow {\le \varepsilon } _0 \lceil x \vee x_1 \vee x_2 \vee ..\vee x_n \rceil \) | When the control automaton initially is in state x with the condition \(\alpha \) being true and the time does not exceed \(\varepsilon \) seconds, it stays in x or it moves to one of states \(x_1,..,x_n\). e.g. Set values of all parameters in initial phase before mutation starts |
Unbounded Initial Stability | \( \lceil x \wedge \alpha \rceil \longrightarrow _0 \lceil x \vee x_1 \vee x_2 \vee ..\vee x_n \rceil \) | When the control automaton initially is in phase x with the condition \(\alpha \) being true, it stays in x or it moves to one of states \(x_1,..,x_n\). e.g. Initialise the configuration parameters in initial phase |
Rights and permissions
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Rahim, M.A.B.U., Al-Shaer, E., Duan, Q. (2020). A Formal Verification of Configuration-Based Mutation Techniques for Moving Target Defense. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-63086-7_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63085-0
Online ISBN: 978-3-030-63086-7
eBook Packages: Computer ScienceComputer Science (R0)