Changes between Version 61 and Version 62 of ExDescLang


Timestamp:
Oct 19, 2010 4:34:35 PM (14 years ago)
Author:
sunshine
Comment:

--

  • ExDescLang

    v61 v62  
    88 3. [MitmExample]
    99
    10    
    11  
    12 
    13  3. An ARP spoofing experiment where the attacker puts himself in between two nodes and then modifies their traffic. There are two classes of experiments that need to be combined:
    14     a. an experiment where ARP poisoning happens between two nodes by the attacker
    15     b. an experiment where an attacker changes traffic passing through it
    16 
    1710= Requirements =
    1811
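Review bot: after this hunk the examples list entry 3 is reduced to the bare link [MitmExample], while the removed old lines 13-15 were the only place on this page that said the experiment is a combination of two classes (ARP poisoning between two nodes, and an attacker modifying traffic that passes through it); that framing is what the later Requirements text relies on, so either keep a one-line summary next to the link ("3. [MitmExample] - ARP poisoning combined with traffic modification") or confirm the linked page states the two-class combination explicitly.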
     
    2114  1. Logical topologies - both at the level of individual nodes or groups of nodes. We are expressing a ''logical'' topology of the experiment where there are '''objects''' that do something in the experiment - generate traffic, change state, hold data, whatever. Whether these objects are individually generated or generated as a group of entities, whether they are physical nodes or virtual, etc. does not matter. The expressiveness should be such that the actual implementation of objects and the cardinality of each object is orthogonal to the topology description. We should however be able to give hints such as "these objects are in the same network or on same physical node or object A resides on object B". These hints are called '''constraints'''.
    2215  2. Timeline of events - we need to express the ordering of actions that some objects will take in the experiment, their duration, repetition and concurrency. We also need to express state transitions in objects. In some domains this is called a ''workflow''. It could be pre-created in the experiment design stage or it could be generated manually during the experiment (mined from events that happen as user takes manual actions) or a mix of those. Each experiment class must have some default workflow that user can manipulate during experiment design.
    23   3. Invariants - we need to express what MUST happen in the experiment for it to be valid. Valid here means "for it to belong to a class of experiments whose metadescription we used" plus any other conditions that user wants to impose. There are two types of invariants:
     16  3. Invariants - we need to express what MUST happen in the experiment for it to be valid. This is not a complete set, just the necessary one. If any of the invariants were violated the experiment would become invalid. Valid here means "for it to belong to a class of experiments whose metadescription we used" plus any other conditions that user wants to impose. There are two types of invariants:
    2417     a. those that deal with objects and their states ("cache must be poisoned")
    2518     b. those that deal with events and their features ("traffic must flow from A to B for 5 minutes at 100Mbps")
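Review bot: the sentence added in new line 16, "This is not a complete set, just the necessary one", is ambiguous about what "complete" refers to and reads awkwardly next to the original "MUST happen" wording; suggest stating the logic directly, e.g. "Invariants are necessary conditions, not sufficient ones: violating any invariant makes the experiment invalid, but satisfying all of them does not by itself guarantee validity."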
     
    2720'''Note that intentionally this is all pretty high-level and is orthogonal to any generator used to generate topologies, traffic, etc.''' There must be a mapping process that selects eligible generators for each dimension and takes their output and maps objects and events to it. More about this mapping process later.
    2821
    29 = Diving in =
    30 
    31 I'll now ignore the question '''which language to use to design experiments''' because I think that pretty much any language can be used once we know '''what we want to say'''. To figure this out I'll try to use some variation of UML that can express both protocol diagrams and state transitions. If the level of detail is right we can decide on appropriate language in the next step.
    32 
    33 
    34 
    35 == Example 3: ARP poisoning with MITM attack ==
    36 
    37 This example used two metadescriptions. The first was ARP poisoning which is a flavor of cache poisoning, and the other is MITM attack.
    38 
    39 
    40 === ARP poisoning metadescription ===
    41 
    42   This is a special case of cache poisoning where the target is ARP cache. I've highlighted customizations from the general cache poisoning metadescriptions to arrive at this one.
    43 
    44 Dimensions:
    45  * '''Logical topology:'''
    46    [[Image(arpcpobj.jpg)]]
    47 
    48    (in English: There is one attacker node. There is a fakeIP of type IPaddress. A cache is simply a collection of ARPRecord items, one or more. These are  subtypes of Info and in the domain knowledge DB there's syntax defined for an ARPRecord. Cache does not reside at the attacker.)
    49 
    50 
    51  * '''Timeline of events: '''
    52 
    53   [[Image(arpwf.jpg, 50%)]]
    54 
    55    (in English: Attacker sends the ARP reply with mapping of an ARP address to somebody's IP. This really could be anybody's ARP address but in most cases it is the attacker's.)
    56 
    57  * '''Invariants:'''
    58 
    59    Nothing in addition to the topology and timeline above.
    60 
    61 === MITM attack metadescription ===
    62 
    63 Dimensions:
    64  * '''Logical topology:'''
    65    [[Image(mitmobj.jpg)]]
    66 
    67    (in English: There is one attacker node, and two regular nodes who want to communicate. These are all different nodes.)
    68 
    69 
    70  * '''Timeline of events: '''
    71 
    72   [[Image(mitmwf.jpg, 70%)]]
    73 
    74    (in English: Attacker replaces each msg between nodes with some modification.)
    75 
    76  * '''Invariants:'''
    77 
    78    Nothing in addition to the topology and timeline above.
    79 
    80 === Experiment design ===
    81 
    82 Now I'm a user who wants to design an experiment. I need to combine two metadescriptions (ARP poisoning and MITM attack) and somehow tie them down to generator choices. To combine I'll do something like this:
    83 
    84    [[Image(arpmitmcomb.jpg)]]
    85 
    86 i.e. the ARP experiment needs to be run twice to generate the mappings at node1 and node2 necessary for the attacker to appear on the path from node1 to node2. The cache we're poisoning is at node1 and node2. Poison links the IP address of node2 and node1 respectively with the attacker's ARP address.
    87 
    88 The system now needs to offer me several generators:
    89 
    90  * It should offer a topology generator and map the nodes (Node1, Node2, Attacker) to the topology that gets generated. Caches have to reside at Node1 and Node2.
    91  * It should offer event generator for each of the events: reply (for ARP), and mod(for message).
    9222
    9323= TODO =
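Review bot: the removed Example 3 text (old lines 55 and 86) says "ARP address" where it means the hardware (MAC) address that the ARP reply binds to an IP; if this material is being moved to [MitmExample] rather than dropped, fix the term there. Also, old line 86 only says the ARP experiment "needs to be run twice" for the two caches, but nothing in the combined description expresses that both caches must stay poisoned for the whole period in which the attacker's "mod" events occur; that is exactly the kind of ordering/concurrency constraint requirement 2 calls for and the kind of invariant requirement 3 calls for (e.g. "cache at node1 and node2 is poisoned while msgs flow between them"), so the combined workflow should carry it explicitly instead of "Nothing in addition to the topology and timeline above".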