more
This commit is contained in:
JakeGinesin
@@ -1,4 +1,4 @@
|
||||
\korg supports three general attacker models: an attacker that can drop, replay, or rearrange messages on a channel. Additionally, \korg supports user-defined attacker that insert arbitrary messages onto a channel. In this section we discuss the various details that go into each attacker model.
|
||||
\korg supports three general attacker models: an attacker that can drop, replay, or reordering messages on a channel. Additionally, \korg supports user-defined attacker that insert arbitrary messages onto a channel. In this section we discuss the various details that go into each attacker model.
|
||||
|
||||
\subsection{Dropping Attacker Model}%
|
||||
\label{sub:Dropping Attacker}
|
||||
@@ -7,29 +7,7 @@ The first and most simple general attacker model \korg supports is an attacker t
|
||||
|
||||
The dropper attacker model gadget \korg synthesizes works as follows. The gadget will nondeterministically choose to observe a message on a channel. Then, if the drop limit variable is not zero, it will consume the message. An example is shown in Figure \ref{lst:korg_drop}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}, label={lst:korg_drop}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
active proctype attacker_drop() {
|
||||
int b_0, b_1, b_2;
|
||||
byte lim = 3; // drop limit
|
||||
MAIN:
|
||||
do
|
||||
:: cn ? [b_0, b_1, b_2] -> atomic {
|
||||
if
|
||||
:: lim == 0 -> goto BREAK;
|
||||
:: else ->
|
||||
cn ? b_0, b_1, b_2; // consume message on the channel
|
||||
lim = lim - 1;
|
||||
goto MAIN;
|
||||
fi
|
||||
}
|
||||
od
|
||||
BREAK:
|
||||
}
|
||||
\end{lstlisting}
|
||||
\end{figure}
|
||||
|
||||
\subsection{Replaying Attacker Model}%
|
||||
\label{sub:Replay Attacker}
|
||||
@@ -37,138 +15,17 @@ The second attacker model \korg supports is an attacker that can observe and \te
|
||||
|
||||
The dropper attacker model gadget \korg synthesizes works as follows. The gadget has two states, \textsc{Consume} and \textsc{Replay}. The gadget starts in the \textsc{Consume} state and nondeterministically reads (but not consumes) messages on the target channel, sending them into a local storage buffer. Once the gadget read the number of messages on the channel equivalent to the defined replay limit, its state changes to \textsc{Replay}. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_replay}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_replay}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
// local memory for the gadget
|
||||
chan gadget_mem = [3] of { int, int, int };
|
||||
\subsection{Reordering Attacker Model}%
|
||||
\label{sub:reordering Attacker}
|
||||
Lastly, \korg supports an attacker model such that an attacker can \textit{reorder} messages on a channel. Like the drop and replay attacker models, the user can specify a "reordering limit" that caps the number of messages that can be reorderingd by the attacker on the specified channel.
|
||||
|
||||
active proctype attacker_replay() {
|
||||
int b_0, b_1, b_2;
|
||||
int i = 3;
|
||||
CONSUME:
|
||||
do
|
||||
// read messages until the limit is passed
|
||||
:: cn ? [b_0, b_1, b_2] -> atomic {
|
||||
cn ? <b_0, b_1, b_2> -> gadget_mem ! b_0, b_1, b_2;
|
||||
i--;
|
||||
if
|
||||
:: i == 0 -> goto REPLAY;
|
||||
:: i != 0 -> goto CONSUME;
|
||||
fi
|
||||
}
|
||||
od
|
||||
REPLAY:
|
||||
do
|
||||
:: atomic {
|
||||
// nondeterministically select a random value from the storage buffer
|
||||
int am;
|
||||
select(am : 0 .. len(gadget_mem)-1);
|
||||
do
|
||||
:: am != 0 ->
|
||||
am = am-1;
|
||||
gadget_mem ? b_0, b_1, b_2 -> gadget_mem ! b_0, b_1, b_2;
|
||||
:: am == 0 ->
|
||||
gadget_mem ? b_0, b_1, b_2 -> cn ! b_0, b_1, b_2;
|
||||
break;
|
||||
od
|
||||
}
|
||||
// doesn't need to use all messages on the channel
|
||||
:: atomic {gadget_mem ? b_0, b_1, b_2; }
|
||||
// once mem has no more messages, we're done
|
||||
:: empty(gadget_mem) -> goto BREAK;
|
||||
od
|
||||
BREAK:
|
||||
}
|
||||
\end{lstlisting}
|
||||
\end{figure}
|
||||
The reordering attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined reordering limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_reordering}.
|
||||
|
||||
\subsection{Rearranging Attacker Model}%
|
||||
\label{sub:Rearrange Attacker}
|
||||
Lastly, \korg supports an attacker model such that an attacker can \textit{rearrange} messages on a channel. Like the drop and replay attacker models, the user can specify a "rearrange limit" that caps the number of messages that can be rearranged by the attacker on the specified channel.
|
||||
|
||||
The rearrange attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined rearrange limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_rearrange}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example rearrange attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_rearrange}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
chan gadget_mem = [3] of { int, int, int };
|
||||
active proctype attacker_rearrange() priority 255 {
|
||||
byte b_0, b_1, b_2, blocker;
|
||||
int i = 3;
|
||||
INIT:
|
||||
do
|
||||
// arbitrarily choose a message to start consuming on
|
||||
:: {
|
||||
blocker = len(cn);
|
||||
do
|
||||
:: b != len(c) -> goto INIT;
|
||||
od
|
||||
}
|
||||
:: goto CONSUME;
|
||||
od
|
||||
CONSUME:
|
||||
do
|
||||
// consume messages with high priority
|
||||
:: c ? [b_0] -> atomic {
|
||||
c ? b_0 -> gadget_mem ! b_0;
|
||||
i--;
|
||||
if
|
||||
:: i == 0 -> goto REPLAY;
|
||||
:: i != 0 -> goto CONSUME;
|
||||
fi
|
||||
}
|
||||
od
|
||||
REPLAY:
|
||||
do
|
||||
// replay messages back onto the channel, also with priority
|
||||
:: atomic {
|
||||
int am;
|
||||
select(am : 0 .. len(gadget_mem)-1);
|
||||
do
|
||||
:: am != 0 ->
|
||||
am = am-1;
|
||||
gadget_mem ? b_0 -> attacker_mem_0 ! b_0;
|
||||
:: am == 0 ->
|
||||
gadget_mem ? b_0 -> c ! b_0;
|
||||
break;
|
||||
od
|
||||
}
|
||||
:: atomic { empty(gadget_mem) -> goto BREAK; }
|
||||
od
|
||||
BREAK:
|
||||
}
|
||||
|
||||
\end{lstlisting}
|
||||
\end{figure}
|
||||
|
||||
|
||||
\subsection{Custom Attacker Models}%
|
||||
\label{sub:Custom Attacker Models}
|
||||
While the drop, replay, and rearrange attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}.
|
||||
While the drop, replay, and reordering attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example I/O file targetting channel "cn"}, label={lst:io-file}]
|
||||
cn:
|
||||
I:
|
||||
O:1-1-1, 1-2-3, 3-4-5
|
||||
\end{lstlisting}
|
||||
|
||||
\begin{lstlisting}[caption={Example gadget synthesized from an I/O file targetting the channel "cn"}, label={lst:io-file-synth}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
active proctype daisy() {
|
||||
INIT:
|
||||
do
|
||||
:: cn ! 1,1,1;
|
||||
:: cn ! 1,2,3;
|
||||
:: cn ! 3,4,5;
|
||||
:: goto RECOVERY;
|
||||
od
|
||||
RECOVERY:
|
||||
}
|
||||
\end{lstlisting}
|
||||
\end{figure}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user