Security analysis of the bootstrap protocol for deny-by-default mobile ad-hoc networks
MILCOM'09 Proceedings of the 28th IEEE conference on Military communications
In previous work, we proposed a "Bootstrap" protocol for establishing neighbor relationships between two mobile nodes in a mission-critical, deny-by-default Mobile Ad-hoc Network. In this paper, we formally characterize the security properties of this Bootstrap protocol, striving to answer the following questions: 1) To what extent can an adversary undermine the correctness and performance of the Bootstrap protocol? 2) To what extent can the Bootstrap protocol be improved in anticipation of an adversary? Our analyses employ a combination of formal logic and two standard automated model checkers, SPIN and PRISM. Two types of threats are considered, which we call the subverted node and the subverted link. In the subverted link analysis, we further categorize the adversary into two variants, which we call dark-red or light-red, corresponding to having detailed Bootstrap-protocol-specific knowledge or only generic neighbor-setup knowledge, respectively. The subverted node analysis shows that the adversary can neither mount a TCP-SYN-flood-like attack against the good node nor deadlock it within the Bootstrap protocol. The subverted link analysis shows that the adversary cannot undermine the correctness of the protocol, in the sense that the protocol's performance is only degraded in a bounded manner by the dark-red adversary or in a benign manner by the light-red adversary.