On the Soundness of Infrastructure Adversaries

by   Alexander Dax, et al.

Companies and network operators perform risk assessment to inform policy-making, guide infrastructure investments or to comply with security standards such as ISO 27001. Due to the size and complexity of these networks, risk assessment techniques such as attack graphs or trees describe the attacker with a finite set of rules. This characterization of the attacker can easily miss attack vectors or overstate them, potentially leading to incorrect risk estimation. In this work, we propose the first methodology to justify a rule-based attacker model. Conceptually, we add another layer of abstraction on top of the symbolic model of cryptography, which reasons about protocols and abstracts cryptographic primitives. This new layer reasons about Internet-scale networks and abstracts protocols. We show, in general, how the soundness and completeness of a rule-based model can be ensured by verifying trace properties, linking soundness to safety properties and completeness to liveness properties. We then demonstrate the approach for a recently proposed threat model that quantifies the confidentiality of email communication on the Internet, including DNS, DNSSEC, and SMTP. Using off-the-shelf protocol verification tools, we discover two flaws in their threat model. After fixing them, we show that it provides symbolic soundness.


page 1

page 2

page 3

page 4


CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model

Cryptographic protocols are extremely hard to design and prove correct, ...

Automated Attack Synthesis by Extracting Finite State Machines from Protocol Specification Documents

Automated attack discovery techniques, such as attacker synthesis or mod...

Risk Framework for Bitcoin Custody Operation with the Revault Protocol

Our contributions with this paper are twofold. First, we elucidate the m...

Risk Assessment Graphs: Utilizing Attack Graphs for Risk Assessment

Risk assessment plays a crucial role in ensuring the security and resili...

Verifying Cryptographic Security Implementations in C Using Automated Model Extraction

This thesis presents an automated method for verifying security properti...

Verifying Accountability for Unbounded Sets of Participants

Little can be achieved in the design of security protocols without trust...

Heuristic Approach Towards Countermeasure Selection using Attack Graphs

Selecting the optimal set of countermeasures is a challenging task that ...

Please sign up or login with your details

Forgot password? Click here to reset