The attacker poisons a DNS cache to take over authority for a given domain. The attacker then creates a phishing page and tries to steal user's usernames/passwords. There are two classes of experiments that need to be combined:
This example used two metadescriptions. Let's go through each of them. This example is written in [CurrentlyProposedLanguage].
define cachePoisoning:
Logical topology:
Objects:
Attacker extends Node
Name, fakeResource extends String
Cache extends Object
Cache := {String[] records}
Cardinality:
|Attacker|1
|Name|1
|fakeResource|1
|Cache|1
Relationships:
not collocated(Cache, Attacker)
Timeline of events:
Definitions:
Attacker a, Cache c, Name n, fakeResource fr
e1 := {type = REPLY, origin = a, destination = c, content = (n=fr)}
s1 := {c.records += (n=fr)}
Timeline:
e1 -> s1
Invariants: Nothing in addition to the topology and timeline above.
This is a special case of cache poisoning where the target is DNS cache.
define DNSCachePoisoning: import cachePoisoning cp
Logical topology:
Objects:
Auth extends Node
(Name extends DNSName, Name := cp.Name, fakeIP extends IPAddress, FakeIP := cp.fakeResource) xor
(Name extends DNSName, domain(Name) := cp.Name, fakeAuth extends DNSName, fakeAuth := cp.fakeResource)
RealIP extends IPAddress
victimCache extends Object, victimCache := cp.Cache
victimCache := {DNSRecord[] records}
authCache extends Object
authCache := {DNSRecord[] records = {Name=RealIP, auth(domain(Name)) = Auth}
Cardinality:
|Auth|1
|RealIP|1
|authCache|1
Relationships:
not collocated(victimCache, Auth)
collocated(authCache, Auth)
Timeline of events:
Definitions:
DNSREQUEST extends REQUEST
DNSREPLY extends REPLY
Attacker att, Auth auth, Name n, FakeIP fIP, fakeAuth fauth, RealIP rIP, victimCache vc, authCache ac
e1 := {type = DNSREQUEST, origin = att, destination = vc, content = IP(n)?}
e2 := {type = DNSREQUEST, origin = vc, destination = auth, content = IP(n)?}
e3 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=rIP}}
e4 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=unknown}}
e5 := cp.e1, e5 := {type = DNSREPLY, origin = att, destination = vc, content = {auth(domain(n)) = fakeAuth}}
s1 := cp.s1, s1 := {vc.records += (auth(domain(n)) = fakeAuth)}
e6 := cp.e1, e6 := {type = DNSREPLY, origin = att, destination = vc, content = {n=fIP}}
s2 := cp.s1, s1 := {vc.records += (n=fIP)}
Timeline:
e1 -> e2 -> (e5 | matches(e5,e2) -> s1 -> e4 xor e6 | matches(e6, e2) -> s2 -> e3)
Invariants: Nothing in addition to the topology and timeline above.
The phishing attempt is essentially same as presenting a valid page to the user that asks for confidential info - it's just that the location of that page is not as user expected.
define confidentialAccess:
Logical topology:
Objects:
User extends Human
Server extends webServer
Page extends webPage
Public, Confidential extends String
Cardinality:
|User|1
|Server|1
|Page|>=1
|Public|1
|Confidential|1
Relationships:
collocated(Page, Server)
Timeline of events:
Definitions:
User u, Server s, Public p, Confidential c, Page wp
e1 := {type = WEBREQUEST, origin = u, destination = s, content = url(wp)}
e2 := {type = WEBREQUEST, origin = s, destination = u, content = (public?, confidential?)}
e3 := {type = WEBREPLY, origin = u, destination = s, content = (public=x, confidential=y)}
e4 := {type = WEBREPLY, origin = s, destination = u, content = wp}
Timeline:
e1 -> e2 -> e3 -> if (x == p and y == c) then e4
Invariants: Nothing in addition to the topology and timeline above.
Now I'm a user who wants to design an experiment. I need to combine two metadescriptions (DNS cache poisoning and phishing) and somehow tie them down to generator choices. To combine I'll do something like this:
define Phishing: import DNSCachePoisoning dcp, confidentialAccess ca
Logical topology:
Objects:
dcp.FakeIP := ip(ca.Server)
Cardinality:
Relationships:
Timeline of events:
Definitions:
Timeline:
timeline(dcp) -> timeline(ca)
Invariants: Nothing in addition to the topology and timeline above.