Abstract
Many researchers have proposed formal frameworks for analyzing cryptographic and communication protocols and have studied the theoretical properties of the protocols, such as authenticity and secrecy. The resistance of denial-of-service attacks is one of the most important issues in network security. Several researchers have applied process calculi to security issues. One of the most remarkable of these studies is Abadi and Gordon’s, based on Milner’s pi-calculus. For the denial-of-service attack, Medow proposed a formal framework based on the Alice-and-Bob notation, and Tomioka et al. proposed a process calculus based on Milner’s pi-calculus, the Spice-calculus. Using the Spice-calculus, we can evaluate the computational cost of executing processes. In our previous works, the Spice-calculus could analyze computational costs such as arithmetic operations, hash computation, and message transmission. However, the cost of process creation was disregarded. In this paper, we improve the Spice-calculus through adding cost evaluation of process creations. We extend the syntax of the cost in the Spice-calculus and operational semantics of the Spice-calculus. We then present an example of the improved Spice-calculus.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
4.1 Introduction
Vulnerability of communication protocols can cause various kinds of attacks, which cause substantial damage to systems connected to the Internet. A denial-of-service attack is one of the constant concerns of computer security. It can make the usual services of a computer or network inaccessible to the regular users. An archetypal example of DoS attack is a SYN flooding attack [1] on the Transmission Control Protocol (TCP) (Fig. 4.1).
Before sending data from a source host S to a destination host D, the hosts have to establish a connection between S and D, called three-way handshake. The host S begins by sending a SYN packet including an initial sequence number x. The host D then replies to S with a message in which the SYN and ACK flags are set, indicating that D acknowledges the SYN packet from the S. The message includes D’s sequence number y and incremented S’s sequence number (x + 1) as an ACK number. The host S sends a message with an ACK bit, a SEQ number (x + 1), and an ACK number (y + 1).
Consider a situation that lasts for a short period during which an attacker, A, sends an enormous number of connection requests with spoofed source IP-addresses to a victim host, D. The number of actual implementations of half-opened connections per port is limited since the memory allocation of data structures for such a connection is limited (Fig. 4.2).
Recently, several researchers have studied DoS attacks from various viewpoints, such as protection from DoS attacks using resource monitoring [2] and the development of DoS resistance analysis [3, 4]. She extended the Alice-and-Bob notation by attaching an atomic procedure annotation to each communication.
4.2 Process Calculus for Analyzing Denial-of-Service Attacks
4.2.1 The Spice Calculus
Tomioka et al. [5] proposed a formal system for DoS resistance analysis, the Spice calculus, which is based on Milner’s process calculus [6] and its extension for secure computation [7]. A characteristic feature of the calculus is a type system which enables us to track the computational cost of each computer node. The type of the Spice calculus represents the configuration of a distributed system.
For example, a typing of the Spice-calculus
means that the process P_1 has the type on the left hand side. This notation means that \( {\mathcal{A}},{\mathcal{B}},{\mathcal{C}} \)
P 1 ,Q, P 2 has type \( {\mathcal{A}},{\mathcal{B}},{\mathcal{C}} \), respectively; more intuitively, this means that processes P 1 ,Q, P 2 are executed on machines \( {\mathcal{A}},{\mathcal{B}},{\mathcal{C}} \), respectively. The type \( {\mathcal{A}}|({\mathcal{B}}|{\mathcal{C}}) \) means a distributed system which consists of \( {\mathcal{A}},{\mathcal{B}},{\mathcal{C}} \). The types of Spice-calculus [5] are defined by the following grammar.
The typing of the Spice-calculus contributes to the following:
-
identifying the origins of computational costs and
-
formalizing current memory usage during execution of processes.
The type a ∷ {x 1 ,…,x n } means that in the single computer node a, memory cells x 1 ,…,x n are occupied.
In order to track memory usage accurately, stricter restriction is imposed in the Spice-calculus than in Milner’s original process calculus, the pi-calculus. For example, a typing rule [5]
The first assumption of this rule forces the process P to be executed on the single computer node a. Consequently, a term
is not allowed in the Spice-calculus, since (P | Q)$ must be executed on a distributed system composed of multiple computer nodes.
The Spice-calculus is given operational semantics as a transition relation, in other words, small-step semantics. We can find the computational cost consumed in each transition step of the semantics. Moreover, we can identify not only the level of the computational cost but also the origin of this cost. For example, [5], a rule
formulate hash-value computation. The cost c is incurred for evaluation of M and hash for the hash-value computation. There are two kinds of transition relation between processes giving the operational semantics of the Spice-calculus: one is a reduction relation and another commitment relation. Inner-process computation is formalized as the reduction relation and inter-process computation as the commitment relation. The following is one of the rules defining the reduction relation:
The costs for evaluating M and N are c and d, respectively. The resulting value of M and N is V. The following is one of the rules defining the commitment relation:
In this rule, the process inp n(x); P is transit to an intermediate form (x)P, which is waiting for arrival of a message at the port n. The cost store x occurs at the node a.
Recently, Cervesato proposed another formal approach to quantitative analysis of secure protocols [8].
4.2.2 Formalization of Process Creation
In the existing version of the Spice-calculus [5], the costs of memory and computation, such as hashing and arithmetic operations, are formalized. However, the cost of process creation is overlooked. In this paper, we improve the Spice-calculus by adding the costs of process creation.
Actually, process creation entails a certain amount of cost. For example, in a variation of the Unix system, a Process Control Block (PCB) is allocated in a kernel memory space to save the process context when the process is created. Hence process-creating is considered as expensive. In order to formulate process creation in the Spice-calculus, we introduce several new rules for the operational semantics. In the reduction relation between processes, the process replication is represented as a rule
The cost of creating a process is represented as process and is incorporated into the rule as follows.
The terminated process is formalized as the nil stop. In order to formalize elimination of the terminated processes precisely, we introduce another kind of terminated process end and we add a new reduction rule in which stop is transit to end as follows.
When a process is terminated and eliminated, a cost process is deducted.
4.3 Example of Formalization: Three-Way Handshake
TCP’s three-way handshake is described as follows in the Alice-and-Bob notation.
In the Spice-calculus, we can write the protocol as the following process expressions.
Then a normal situation of communication between these two processes is represented as NormalConfig:
On the other hand, a situation of a SYN-flood attack [9] on the three-way handshake protocol is described in Alice-and-Bob notation as follows.
The intruder in this attack is written as a process P I as follows.
Since the intruder spoofs the senders’ IP-addresses, the responding packets from the victim B are lost. In order to represent such lost packets, we introduce a process P N which formulates the network:
The attacking situation is written as a process AttackConfig:
Then the process is typed as
Reducing the process AttackConfig, we know the level of costs consumed during execution.
Here we know that not only memory cost but also process creation is consumed by the SYN-flood attack.
4.4 Conclusion
In our previous works, the Spice-calculus could analyze computational costs such as arithmetic operations, hash computation, and message transmission. However, the cost of process creation was disregarded. In this paper, we improved the Spice-calculus through adding cost evaluation of process creation and elimination. We extended the syntax of the cost in the Spice-calculus and operational semantics of the Spice-calculus. We then described TCP’s three-way handshake and the SYN-flood attack as examples of our new calculus.
As well as the work presented in this paper, we have several other subjects to study in future. One of the most important ones is formalizing and analyzing the SYN-cookie method against the SYN-flood attack and other DoS-resistant methods [10, 11].
References
Schuba CL, Krsul IV, Kuhn MG, Spafford EH, Sundaram A, Zamboni D (1997) Analysis of a denial of service attack on TCP. In: Proceedings of the 1997 IEEE symposium on security and privacy, pp 208–223. IEEE Computer Society, IEEE Computer Society Press
Millen JK (1993) A resource allocation model for denial of service protection. J Comput Secur 2(2/3):89–106
Meadows C (1999) A formal framework and evaluation method for network denial of service. In: Proceeding of the 12th IEEE computer security foundations workshop, pp 4–13
Meadows C (2001) A cost-based framework for analysis of denial of service networks. J Comput Secur 9(1/2):143–164
Tomioka D, Nishizaki S, Ikeda R (2004) A cost estimation calculus for analyzing the resistance to denial-of-service attack. In: Software security—theories and systems. Lecture Notes in Computer Science, vol 3233. Springer, New York, pp 25–44
Milner R, Parrow J, Walker D (1992) A culculus of mobile processes, part i and part ii. Inf Comput 100(1):1–77
Abadi M, Gordon AD (1997) A calculus for cryptographic protocols: the spi calculus. In: Fourth ACM conference on computer and communication security, pp 36–47. ACM Press, New York
Cervesato I (2006) Towards a notion of quantitative security analysis. In: Gollmann D, Massacci F, Yautsiukhin A (eds) Quality of protection: security measurements and metrics—QoP’05, pp 131–144. Springer advances in information security 23
TCP SYN Flooding and IP spoofing attacks (1996), CA-1996-21
Aura T, Nikander P (1997) Stateless connections. In: International conference on information and communications security ICICS’97. Lecture notes in computer science, vol 1334, pp 87–97. Springer, Berlin
Aura T, Nikander P, Leiwo J (2001) DOS-resistant authentication with client puzzles. In: Security protocols, 8th international workshop. Lecture notes in computer science, vol 2133, pp 170–177. Springer, Berlin
Acknowledgments
This work was supported by Grants-in-Aid for Scientific Research (C) (24500009).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nishizaki, Sy., Fujii, M., Ikeda, R. (2013). Process Calculus for Cost Analysis of Process Creation. In: Lu, W., Cai, G., Liu, W., Xing, W. (eds) Proceedings of the 2012 International Conference on Information Technology and Software Engineering. Lecture Notes in Electrical Engineering, vol 210. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34528-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-34528-9_4
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34527-2
Online ISBN: 978-3-642-34528-9
eBook Packages: EngineeringEngineering (R0)