The attacker poisons a DNS cache to take over authority for a given domain. The attacker then creates a phishing page and tries to steal user's usernames/passwords. There are two classes of experiments that need to be combined: a. an experiment where a DNS cache is poisoned, subclass of cache poisoning experiments b. an experiment where a phishing attack is conducted via a Web page to steal usernames/passwords == Example 2: DNS cache poisoning for phishing == This example used two metadescriptions. Let's go through each of them. This example is written in [CurrentlyProposedLanguage]. === Cache poisoning metadescription === * '''Logical topology:''' '''Objects:''' Attacker extends Node Name, fakeResource extends String Cache extends Object Cache := {String[] records} '''Cardinality:''' |Attacker|,,1,, |Name|,,1,, |fakeResource|,,1,, |Cache|,,1,, '''Relationships:''' not collocated(Cache, Attacker) * '''Timeline of events: ''' '''Definitions:''' Attacker a, Cache c, Name n, fakeResource fr e1 := {type = REPLY, origin = a, destination = c, content = (n=fr)} s1 := {c.records += (n=fr)} '''Timeline:''' e1 -> s1 * '''Invariants:''' Nothing in addition to the topology and timeline above. === DNS Cache poisoning metadescription === This is a special case of cache poisoning where the target is DNS cache. * '''Logical topology:''' '''Objects:''' Attacker extends Node Auth extends Node Name extends DNSName RealIP extends IPAddress FakeIP extends IPAddress or fakeAuth extends DNSName victimCache extends Object victimCache := {DNSRecord[] records} authCache extends Object authCache := {DNSRecord[] records = {Name=RealIP, auth(domain(Name)) = Auth} '''Cardinality:''' |Attacker|,,1,, |Auth|,,1,, |Name|,,1,, |FakeIP|,,1,, |fakeAuth|,,1,, |RealIP|,,1,, |victimCache|,,1,, |authCache|,,1,, '''Relationships:''' not collocated(victimCache, Attacker) not collocated(victimCache, Auth) collocated(authCache, Auth) * '''Timeline of events: ''' '''Definitions:''' Attacker att, Auth auth, Name n, FakeIP fIP, fakeAuth fauth, RealIP rIP, victimCache vc, authCache ac e1 := {type = DNSREQUEST, origin = att, destination = vc, content = IP(n)?} e2 := {type = DNSREQUEST, origin = vc, destination = auth, content = IP(n)?} e3 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=rIP}} e4 := {type = DNSREPLY, origin = auth, destination = vc, content = {n=unknown}} e5 := {type = DNSREPLY, origin = att, destination = vc, content = {auth(domain(n)) = dnsname(fakeAuth)}} s1 := {vc.records += (auth(domain(n)) = fakeAuth)} e6 := {type = DNSREPLY, origin = att, destination = vc, content = {n=fIP}} s2 := {vc.records += (n=fIP)} '''Timeline:''' e1 -> e2 -> (e5 -> s1 -> e4 xor e6 -> s2 -> e3) * '''Invariants:''' Nothing in addition to the topology and timeline above. === Confidential access metadescription === The phishing attempt is essentially same as presenting a valid page to the user that asks for confidential info - it's just that the location of that page is not as user expected. * '''Logical topology:''' '''Objects:''' User extends Human Server extends webServer Page extends webPage Public, Confidential extends String '''Cardinality:''' |User|,,1,,    |Server|,,1,, |Page|,,>=1,, |Public|,,1,, |Confidential|,,1,, '''Relationships:'''    collocated(Page, Server) * '''Timeline of events: ''' '''Definitions:''' User u, Server s, Public p, Confidential c, Page wp e1 := {type = WEBREQUEST, origin = u, destination = s, content = url(wp)} e2 := {type = WEBREQUEST, origin = s, destination = u, content = (public?, confidential?)} e3 := {type = WEBREPLY, origin = u, destination = s, content = (public=x, confidential=y)} e4 := {type = WEBREPLY, origin = s, destination = u, content = wp} '''Timeline:''' e1 -> e2 -> e3 -> if (x == p and y == c) then e4 * '''Invariants:''' Nothing in addition to the topology and timeline above. === Experiment design === Now I'm a user who wants to design an experiment. I need to combine two metadescriptions (DNS cache poisoning and phishing) and somehow tie them down to generator choices. To combine I'll do something like this: DNSCachePoisoning dcp, confidentialAccess ca dcp.FakeIP := ip(ca.Server) dcp -> ca