Universally Composable Firewall Architectures usg Trusted Hardware 16.10.2014 Dirk Achenbach, Jörn Müller-Quade, Jochen Rill KARLSRUHE INSTITUTE OF TECHNOLOGY KIT University of the State of Baden-Wuerttemberg and National Laboratory of the Helmholtz Association www.kit.edu
Outle 1 Concatenation of Packet Filters Actively Trusted Hardware Quorum Decisions 2 The Universal Composability Framework Provg the Security of Our Approach Universally Composable Firewall Architectures usg Trusted Hardware 2/23
Firewalls Universally Composable Firewall Architectures usg Trusted Hardware 3/23
Are Firewalls Really Secure? Universally Composable Firewall Architectures usg Trusted Hardware 4/23
Just Use Two! Universally Composable Firewall Architectures usg Trusted Hardware 5/23
This Doesn t Work Universally Composable Firewall Architectures usg Trusted Hardware 6/23
Trusted Hardware Our idea: Use a piece of trusted hardware Very simple functionality Not programmable, maybe even sealed Checks if what goes also comes H 1 H 2 hw put cmp put Universally Composable Firewall Architectures usg Trusted Hardware 7/23
Trusted Hardware This doesn t work either: The compromised firewall could send evil packets with clever timg: H 1 H 2 hw put cmp put Universally Composable Firewall Architectures usg Trusted Hardware 8/23
Data What ab this approach? H 1 hw put H 2 2 1 put Research Challenge Rigorously analyse the security of this approach. Universally Composable Firewall Architectures usg Trusted Hardware 9/23
Data What ab this approach? H 1 hw put H 2 2 1 put Research Challenge Rigorously analyse the security of this approach. Universally Composable Firewall Architectures usg Trusted Hardware 9/23
The Universal Composability Framework Formal framework for the security of cryptographic protocols. Compare the concrete protocol with an idealised version. Simulation-based approach. F 1 D A 2 S D 3 D Z Z Universally Composable Firewall Architectures usg Trusted Hardware 10/23
The Universal Composability Framework A protocol π securely realises an ideal functionality F if A S Z : REAL π,a,z IDEAL F,S,Z F 1 D A 2 S D 3 D Z Z Universally Composable Firewall Architectures usg Trusted Hardware 11/23
The Universal Composability Framework With this approach we need not specify what a (uncompromised) firewall actually does! H1 hw H2 put H2 2 1 put put put Security Intuition As if the compromised firewall was not there. Universally Composable Firewall Architectures usg Trusted Hardware 12/23
The Universal Composability Framework With this approach we need not specify what a (uncompromised) firewall actually does! H1 hw H2 put H2 2 1 put put put Security Intuition As if the compromised firewall was not there. Universally Composable Firewall Architectures usg Trusted Hardware 12/23
Caveat Emptor The Composition Theorem makes it possible to construct secure networks from smaller components: Theorem (Composition Theorem [1]) Let ρ, φ, π be protocols such that ρ uses φ as subre and π UC-emulates φ. Then protocol ρ φ π UC-emulates ρ. Setup Assumptions No non-trivial protocols can be proven secure the bare model [2]. Setup assumptions alleviate this problem: Common Reference Strgs [1], Public-Key Infrastructures [3], Tamper-Proof Hardware [4] Universally Composable Firewall Architectures usg Trusted Hardware 13/23
Caveat Emptor The Composition Theorem makes it possible to construct secure networks from smaller components: Theorem (Composition Theorem [1]) Let ρ, φ, π be protocols such that ρ uses φ as subre and π UC-emulates φ. Then protocol ρ φ π UC-emulates ρ. Setup Assumptions No non-trivial protocols can be proven secure the bare model [2]. Setup assumptions alleviate this problem: Common Reference Strgs [1], Public-Key Infrastructures [3], Tamper-Proof Hardware [4] Universally Composable Firewall Architectures usg Trusted Hardware 13/23
Our Setup Assumption: A Trusted Packet Comparator An idealised description of trusted hardware hw Keep a local cache realised as an unordered list. Upon receivg packet p on terface i: If there is another put terface j i, and a correspondg entry (j, q) with p q the cache: Remove (j, q) from the cache, put p. Otherwise, store (i, p) the cache. This is a much simpler functionality than that of a firewall! Universally Composable Firewall Architectures usg Trusted Hardware 14/23
Our Setup Assumption: A Trusted Packet Comparator An idealised description of trusted hardware hw Keep a local cache realised as an unordered list. Upon receivg packet p on terface i: If there is another put terface j i, and a correspondg entry (j, q) with p q the cache: Remove (j, q) from the cache, put p. Otherwise, store (i, p) the cache. This is a much simpler functionality than that of a firewall! Universally Composable Firewall Architectures usg Trusted Hardware 14/23
Security of Two Firewalls The ideal functionality of two firewalls F ideal Upon receivg (put, p): Ask the adversary if p should be delivered. If yes, let fw k be the non-corrupted party; calculate F fwk (p,, s) = (p, i, s ). Write p to the put tape of hw, if p and i. Else, do nothg. Save the new ternal state s. This is not an absolute guarantee! We state what the adversary s capabilities ideally should be. Universally Composable Firewall Architectures usg Trusted Hardware 15/23
Security of Two Firewalls The ideal functionality of two firewalls F ideal Upon receivg (put, p): Ask the adversary if p should be delivered. If yes, let fw k be the non-corrupted party; calculate F fwk (p,, s) = (p, i, s ). Write p to the put tape of hw, if p and i. Else, do nothg. Save the new ternal state s. This is not an absolute guarantee! We state what the adversary s capabilities ideally should be. Universally Composable Firewall Architectures usg Trusted Hardware 15/23
No! H 1 hw put H 2 1 2 put No! The adversary can re-order packets at will! Universally Composable Firewall Architectures usg Trusted Hardware 16/23
No! H 1 hw put H 2 1 2 put No! The adversary can re-order packets at will! Universally Composable Firewall Architectures usg Trusted Hardware 16/23
No! H 1 hw put H 2 1 2 put No! The adversary can re-order packets at will! Universally Composable Firewall Architectures usg Trusted Hardware 16/23
No! H 1 put H 2 hw 1 2 put No! The adversary can re-order packets at will! Universally Composable Firewall Architectures usg Trusted Hardware 16/23
No! H 1 put H 2 hw 1 2 put No! The adversary can re-order packets at will! Universally Composable Firewall Architectures usg Trusted Hardware 16/23
The ideal functionality of the two-firewall approach The ideal functionality of two firewalls with packet reorderg F ideal2 Upon receivg (put, p): Let w.l.o.g fw 1 be the non-corrupted party; calculate F fw1 (p,, s) = (p, i, s ). If p and i, save p an dexed memory structure m at the next free dex. Save new ternal state s. Give p to the adversary. Upon receivg (deliver, j) from the adversary: If m[j] contas a valid packet, write (, m[j]) to the put tape of hw and clear m[j]; else do nothg. This explicitly models the adversary s ability to schedule packets! Universally Composable Firewall Architectures usg Trusted Hardware 17/23
The ideal functionality of the two-firewall approach The ideal functionality of two firewalls with packet reorderg F ideal2 Upon receivg (put, p): Let w.l.o.g fw 1 be the non-corrupted party; calculate F fw1 (p,, s) = (p, i, s ). If p and i, save p an dexed memory structure m at the next free dex. Save new ternal state s. Give p to the adversary. Upon receivg (deliver, j) from the adversary: If m[j] contas a valid packet, write (, m[j]) to the put tape of hw and clear m[j]; else do nothg. This explicitly models the adversary s ability to schedule packets! Universally Composable Firewall Architectures usg Trusted Hardware 17/23
What Ab Availability? H 1 i 1 i 2 hw 1 H 2 hw 2 / i 1 env 1 i 2 i 3 i 1 i 2 i 1 i 2 env 2 i 3 / H 3 i 1 i 2 Is this as secure as the 2-firewall approach? Universally Composable Firewall Architectures usg Trusted Hardware 18/23
Packet Duplication Attack H 1 i 1 i 2 hw 1 H 2 hw 2 / i 1 env 1 i 2 i 3 i 1 i 2 i 1 i 2 env 2 i 3 / H 3 i 1 i 2 Universally Composable Firewall Architectures usg Trusted Hardware 19/23
Packet Duplication Attack H 1 i 1 i 2 hw 1 H 2 hw 2 / i 1 env 1 i 2 i 3 i 1 i 2 H 3 i 1 i 2 env 2 i 3 / i 1 i 2 Universally Composable Firewall Architectures usg Trusted Hardware 19/23
Packet Duplication Attack H 1 i 1 i 2 hw 1 H 2 hw 2 / i 1 env 1 i 2 i 3 i 1 i 2 H 3 i 1 i 2 env 2 i 3 / i 1 i 2 Universally Composable Firewall Architectures usg Trusted Hardware 19/23
Packet Duplication Attack H 1 i 1 i 2 hw 1 H 2 hw 2 / i 1 env 1 i 2 i 3 i 1 i 2 H 3 i 1 i 2 env 2 i 3 / i 1 i 2 Universally Composable Firewall Architectures usg Trusted Hardware 19/23
Fix: Packet Accountg Keep a local cache for each comg terface realised as an unordered list. Upon receivg packet p on terface i: Check if the cache of terface i contas an entry q with p q. If so, delete q and halt. Check if there exists an terface j i with an entry q with p q the cache of that terface: Remove q from the cache, put p, add an entry p to the cache of all other terfaces k with k i and k j. Otherwise, store p the cache of terface i. Universally Composable Firewall Architectures usg Trusted Hardware 20/23
Conclusion We vestigated the idea of actively compromised firewalls. Goal: Combe several candidate implementations to one secure firewall. Serial concatenation does not work, even with trusted hardware. The quorum does work. Future Work: Model availability UC, Bounded Queues. Universally Composable Firewall Architectures usg Trusted Hardware 21/23
References R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, Foundations of Computer Science, 2001. Proceedgs. 42nd IEEE Symposium on, oct. 2001. R. Canetti and M. Fischl, Universally composable commitments, Advances Cryptology Crypto 2001. Sprger, 2001, pp. 19 40. B. Barak, R. Canetti, J. B. Nielsen, and R. Pass, Universally composable protocols with relaxed set-up assumptions, Foundations of Computer Science, 2004. Proceedgs. 45th Annual IEEE Symposium on. IEEE, 2004, pp. 186 195. J. Katz, Universally composable multi-party computation usg tamper-proof hardware, Advances Cryptology EUROCRYPT 2007, ser. Lecture Notes Computer Science, M. Naor, Ed. Sprger Berl Heidelberg, 2007, vol. 4515, pp. 115 128. [Onle]. Available: http://dx.doi.org/10.1007/978-3-540-72540-4 7 Universally Composable Firewall Architectures usg Trusted Hardware 22/23