Vulnerability analysis of networks to detect multiphase attacks using the actor-based language Rebeca

Abstract

Increasing use of networks and their complexity make the task of security analysis more and more complicated. Accordingly, automatic verification approaches have received more attention recently. In this paper, we investigate applying of an actor-based language based on reactive objects for analyzing a network environment communicating via Transport Protocol Layer (TCP). The formal foundation of the language and available tools for model checking provide us with formal verification support. Having the model of a typical network including client and server, we show how an attacker may combine simple attacks to construct a complex multiphase attack. We use Rebeca language to model the network of hosts and its model checker to find counter-examples as violations of security of the system. Some simple attacks have been modeled in previous works in this area, here we detect these simple attacks in our model and then verify the model to find more complex attacks which may include simpler attacks as their steps. We choose Rebeca because of its powerful yet simple actor-based paradigm in modeling concurrent and distributed systems. As the real network environment is asynchronous and event-based, Rebeca can be utilized to specify and verify the asynchronous systems, including network protocols.

Introduction

As computer networks grow in size and complexity, their security analysis becomes more complicated. The evolution of computer networks on one hand and their distributed nature on the other hand, creates opportunities for insiders and outsiders to violate the system security. Many services are perfectly secure when offered in isolation, but when combined with other services, result in an exploitable vulnerability. For example, the file transfer protocol (ftp) and the hypertext transfer protocol (http) offered simultaneously in the same host, may allow the attacker to write in a web directory using the ftp service which causes the web server to execute a program written by the attacker.

Accordingly, security evaluation has become an important requirement in design and management of computer networks. When evaluating the security of a network, it is not enough to consider the single vulnerabilities without considering the other hosts, their relationships, and interactions as well as their network infrastructure. Many of the attacks exploit the global weaknesses in network introduced by interconnections. Nevertheless, the analysis of network security is a complex and error prone task by hand. Thus, the automatic analysis has been considered. Some people have modeled the network in order to analyze and detect different attacks [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13]. They could analyze the network model to show some simple attacks. Because of the lack of expressive and simple modeling languages, the complex and distributed attacks have not been considered widely.

In this paper, we use a model based approach to show that how an attacker may use simple attacks to construct a complex attack and reach her/his goals, which were not possible using simple attack methods. We use an abstract model of a network in order to find the complex multiphased attack, named Mitnick attack. To the best of our knowledge, this attack has not been modeled.

Multiphase attacks usually are performed using interaction of different network agents. Such environment is well fitted in actor-based computation paradigm. We use Rebeca [14], [15], [16] to model a system consisting of a server, a client, an attacker and their TCP protocol stack layer.

Rebeca (Reactive Objects Language) is an actor-based language with a formal foundation, presented in [14], [15], [16]. A model in Rebeca consists of a set of reactive objects (called rebecs) which are concurrently executing and asynchronously communicating. Rebeca can be considered as a reference model for concurrent computation, based on an operational interpretation of the actor model [20], [21], [22]. It is also a platform for developing object-based concurrent systems in practice. Formal verification approaches are used to ensure correctness of concurrent and distributed systems. The Rebeca Verifier tool, as a front-end tool, translates Rebeca code into languages of existing model checkers, allowing verification of their properties[23], [24]. There is also an ongoing project on developing a direct model checker for Rebeca using state space reduction techniques [25], [26], [27].

We choose Rebeca because of its powerful yet simple actor-based paradigm in modeling concurrent and distributed systems, and easy to use Java-like syntax for software engineers in modeling, and also the naturally decomposable model and independent modules which is exploited in formal verification and model checking as well as in modeling. The network environment is asynchronous and thus is well fitted in fully asynchronous model of Rebeca. Moreover, the object-oriented nature of Rebeca facilitates the modeling in comparison to other languages such as Promela [31].

The next section surveys the related works that have been done in this field; the third section briefly describes Rebeca. Section 4 presents the model, and its analysis is shown in Section 5 and finally we conclude in Section 6.