The attacker poisons a DNS cache to take over authority for a given domain. The attacker then creates a phishing page and tries to steal user's usernames/passwords. There are two classes of experiments that need to be combined:
This example used two metadescriptions. Let's go through each of them. This example is written in [CurrentlyProposedLanguage].
Attacker extends Node
Name, fakeResource extends String
Cache extends Object
Cache := {String[] records}
not collocated(Cache, Attacker)
Attacker a, Cache c, Name n, fakeResource fr
e1 := {type = REPLY, origin = a, destination = c, content = (n=fr)}
s1 := {c.records += (n=fr)}
e1 -> s1
This is a special case of cache poisoning where the target is DNS cache.
Attacker extends Node
Auth extends Node
Name extends DNSName
RealIP extends IPAddress
FakeIP extends IPAddress or fakeAuth extends DNSName
victimCache extends Object
victimCache := {DNSRecord[] records}
authCache extends Object
authCache := {DNSRecord[] records = {Name=RealIP, auth(domain(Name)) = Auth}
not collocated(victimCache, Attacker)
not collocated(victimCache, Auth)
collocated(authCache, Auth)
Attacker att, Auth auth, Name n, FakeIP fIP, fakeAuth fauth, RealIP rIP, victimCache vc, authCache ac
e1 := {type = DNSREQUEST, origin = att, destination = vc, content = IP(n)?}
e2 := {type = DNSREQUEST, origin = vc, destination = auth, content = IP(n)?}
e3 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=rIP}}
e4 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=unknown}}
e5 := {type = DNSREPLY, origin = att, destination = vc, content = {auth(domain(n)) = dnsname(fakeAuth)}}
s1 := {vc.records += (auth(domain(n)) = fakeAuth)}
e6 := {type = DNSREPLY, origin = att, destination = vc, content = {n=fIP}}
s2 := {vc.records += (n=fIP)}
e1 -> e2 -> (e5 -> s1 -> e4 xor e6 -> s2 -> e3)
The phishing attempt is essentially same as presenting a valid page to the user that asks for confidential info - it's just that the location of that page is not as user expected.
User extends Human
Server extends webServer
Page extends webPage
Public, Confidential extends String
collocated(Page, Server)
User u, Server s, Public p, Confidential c, Page wp
e1 := {type = WEBREQUEST, origin = u, destination = s, content = url(wp)}
e2 := {type = WEBREQUEST, origin = s, destination = u, content = (public?, confidential?)}
e3 := {type = WEBREPLY, origin = u, destination = s, content = (public=x, confidential=y)}
e4 := {type = WEBREPLY, origin = s, destination = u, content = wp}
e1 -> e2 -> e3 -> if (x == p and y == c) then e4
Now I'm a user who wants to design an experiment. I need to combine two metadescriptions (DNS cache poisoning and phishing) and somehow tie them down to generator choices. To combine I'll do something like this:
DNSCachePoisoning dcp, confidentialAccess ca
dcp.FakeIP := ip(ca.Server)
dcp -> ca