gsc-8022 source:tsacc title:formal methods for quality of standards, conformity assessment and...

Post on 01-Jan-2016


Page 1: GSC-8022 SOURCE:TSACC TITLE:Formal Methods for Quality of Standards, Conformity Assessment and Security AGENDA ITEM:GTSC-1 8.1 Formal Methods for Quality

GSC-8022
AGENDA ITEM: GTSC-1 8.1
TITLE: Formal Methods for Quality of Standards, Conformity Assessment and Security
SOURCE: TSACC

Formal Methods for Quality of Standards, Conformity Assessment and Security

O. Monkewich, Ph.D., P.Eng.
OMC International
Phone: +1 613 836-4406
Fax: +1 613 836-5430
E-mail: [email protected]

Page 2:

April 20, 2023 GSC-8, OTTAWA Slide 2

Formal Methods and Security

• Error-free, unambiguous standards specified using SDL, MSC, ASN.1 and TTCN with formal syntax and semantics

• Tools based on formal syntax and semantics are certifiable as trusted tools by accredited organizations

• Machine-generated, tool-specific source code is difficult for attackers to understand or modify

• Source descriptions in SDL are easy for non-programmers to review, so they benefit from “many eyes” reviews

• Conformity assessment can find malicious content and vulnerabilities; test suites can be widely available

Manual work is offloaded to trusted tools.

Page 3:

Understandability of open source code

Figure 1 – (a) illustrates an SDL process which adds two numbers, a and b, and returns their sum. (b) is the corresponding hand-written code in the C programming language. The examples illustrate language readability characteristics from the point of view of the non-programmer.

#include <stdio.h>

/* Add two integers. The slide's K&R-style definition is written as an ANSI prototype. */
int calc(int m, int n)
{
    int s;
    s = m + n;
    return s;
}

int main(void)
{
    int x, y, sum;

    puts("\nPlease enter two integers:\n");
    if (scanf("%d", &x) != 1 || scanf("%d", &y) != 1)
        return 1;                       /* reject non-numeric input instead of using x, y uninitialised */
    sum = calc(x, y);
    printf("\nThe sum of the two numbers you entered is: %d\n", sum);
    return 0;
}

[Figure 1 (a), SDL process recovered as text: signals number1 and number2; DCL a, b, sum Integer; state WaitForNumber1, input number1(a); state WaitForNumber2, input number2(b); sum := CALL Add(a, b); output result(sum); procedure Add: sum := a + b, returning sum. Figure 1 (b) is the C program above.]

Page 4:

A common vulnerability can be detected with conformance testing

Figure 2 – A common attack method using TCP/IP SYN packets to transfer a covert program one ASCII character at a time. Figure 2 (a) shows how packets can be bounced off any Web site to make detection of the attacker more difficult; Figure 2 (b) represents the TCP packet format showing the Sequence Number field.

[Figure 2 (a): diagram of three hosts labelled ATTACKER, ANY WEB SITE and VICTIM (addresses 10.1.1.10, 10.1.1.20 and 10.1.1.30) exchanging SYN, SYN/ACK and RESET packets.]

[Figure 2 (b): TCP packet layout with the fields Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, the flags URG, ACK, PSH, RST, SYN and FIN, Window, Checksum, Urgent Pointer, Options (if any) and Data.]

Page 5:

TCP Packet Sequence Number Conformance Test in TTCN

Figure 3 – A test case in TTCN derived from SDL to test the value of the Sequence Number field in the TCP SYN packet.

Page 6:

TCP Packet in ASN.1 and Constraint

Figure 4 – ASN.1 representation of the TCP packet named TCP_SYN and the corresponding TCP_SYN1 with the field values filled in.
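The TTCN test case of Figure 3 and the ASN.1 packet description of Figure 4 are not reproduced in this transcript. The following C program is an added example, not from the slides and not the author's tool output: it decodes the fixed 20-byte TCP header of Figure 2 (b) from network byte order and applies one test purpose in the spirit of Figure 3, namely that the Sequence Number of an initial SYN (SYN set, ACK clear) must be a full 32-bit value rather than a number whose only non-zero byte is a printable ASCII character, which is the pattern Figure 2 describes. The sample segments, the function names and the check itself are my own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the fixed 20-byte TCP header (RFC 793), decoded from network byte order. */
typedef struct {
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  data_offset;   /* header length in 32-bit words, minimum 5 */
    uint8_t  flags;         /* low six bits: URG ACK PSH RST SYN FIN */
    uint16_t window, checksum, urgent;
} tcp_header;

enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode a TCP segment. Returns 0 on success, -1 if the buffer is shorter than
 * the fixed header or shorter than the length the Data offset field claims. */
int tcp_parse(const uint8_t *buf, size_t len, tcp_header *h)
{
    if (len < 20) return -1;
    h->src_port    = rd16(buf);
    h->dst_port    = rd16(buf + 2);
    h->seq         = rd32(buf + 4);
    h->ack         = rd32(buf + 8);
    h->data_offset = buf[12] >> 4;
    h->flags       = buf[13] & 0x3F;
    h->window      = rd16(buf + 14);
    h->checksum    = rd16(buf + 16);
    h->urgent      = rd16(buf + 18);
    if (h->data_offset < 5 || (size_t)h->data_offset * 4 > len) return -1;
    return 0;
}

/* Test purpose (my own, modelled on Figure 3): on an initial SYN the Initial
 * Sequence Number must not consist of a single printable ASCII byte with the
 * other three bytes zero. Returns 1 when an initial SYN fails the check, 0 otherwise. */
int syn_isn_fails_check(const tcp_header *h)
{
    if ((h->flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return 0;  /* not an initial SYN */
    return (h->seq >> 8) == 0 && isprint((int)(h->seq & 0xFF));
}

/* Parse and check in one call; returns -1 for a malformed segment. */
int check_segment(const uint8_t *buf, size_t len)
{
    tcp_header h;
    if (tcp_parse(buf, len, &h) != 0) return -1;
    return syn_isn_fails_check(&h);
}

/* Decoded Sequence Number of a segment, or 0 when it cannot be parsed. */
uint32_t tcp_seq_of(const uint8_t *buf, size_t len)
{
    tcp_header h;
    return tcp_parse(buf, len, &h) == 0 ? h.seq : 0;
}

/* Constructed sample segments (not captures): port 40000 -> 80, no options. */
static const uint8_t syn_suspicious[20] = {
    0x9C,0x40, 0x00,0x50, 0x00,0x00,0x00,0x4A, 0x00,0x00,0x00,0x00,
    0x50, TCP_SYN, 0xFF,0xFF, 0x00,0x00, 0x00,0x00 };            /* ISN = 0x4A = 'J' */
static const uint8_t syn_normal[20] = {
    0x9C,0x40, 0x00,0x50, 0x1A,0x2B,0x3C,0x4D, 0x00,0x00,0x00,0x00,
    0x50, TCP_SYN, 0xFF,0xFF, 0x00,0x00, 0x00,0x00 };            /* ISN = 0x1A2B3C4D */
static const uint8_t synack_reply[20] = {
    0x00,0x50, 0x9C,0x40, 0x00,0x00,0x00,0x4A, 0x1A,0x2B,0x3C,0x4E,
    0x50, TCP_SYN | TCP_ACK, 0xFF,0xFF, 0x00,0x00, 0x00,0x00 };  /* not an initial SYN */

int main(void)
{
    printf("suspicious SYN: %d\n", check_segment(syn_suspicious, sizeof syn_suspicious));
    printf("normal SYN:     %d\n", check_segment(syn_normal, sizeof syn_normal));
    printf("SYN/ACK reply:  %d\n", check_segment(synack_reply, sizeof synack_reply));
    return 0;
}
```

The length check against Data offset is the part a hand-drawn table such as Figure 2 (b) cannot express and a compiled ASN.1 constraint can; a segment that claims more header than it carries is rejected before any field is trusted. Because a conforming stack draws its ISN from the full 32-bit space, a legitimate SYN matches this pattern only about 95 times in 2^32, so the check produces very few false positives when run over real traffic.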

Page 7:

Buffer Overflow

Figure 5 – The normal program memory stack with two buffers intended to accept user input, such as a credit card number, can be overwritten with the attacker’s code. For the attacker’s code to work, the attacker must know and understand the victim’s code. This is difficult for the attacker to achieve due to the nature of machine-generated code and the need for special tools to change the code. Formalisms that define language syntax and semantics make it possible to prove the correctness of the language typing rules so that no data can flow into places not capable of holding it.

[Figure 5 (a): the normal stack with Buffer 2, Buffer 1 and the Return Pointer, with arrows marking the Fill Direction and the Memory Pointer. Figure 5 (b): the same stack after an overflow, in which Buffer 2 is followed by Attacker’s Machine Code and a New Return Pointer.]
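The caption argues that typing rules, once proven, prevent data from flowing into a place that cannot hold it. The following C is an added illustration, not from the slides and not generated by any tool the author describes: the unbounded copy that produces the stack of Figure 5 (b) is shown beside a bounded copy that checks the input against the type "at most CARD_LEN decimal digits" before accepting it, which is the check a generator enforcing such typing rules would emit. The function names, CARD_LEN and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>

#define CARD_LEN 16          /* maximum number of digits accepted in this example */

/* (a) Vulnerable form, corresponding to Figure 5 (b): copies whatever the caller
 * supplies into a fixed-size stack buffer. Input longer than CARD_LEN bytes runs
 * past buffer1 into the neighbouring stack slots and the saved return pointer.
 * Kept for comparison only; nothing in this file calls it. */
void store_card_unchecked(const char *input)
{
    char buffer1[CARD_LEN + 1];
    strcpy(buffer1, input);          /* no bound on the copy */
    printf("stored %s\n", buffer1);
}

/* (b) Hardened form: the copy is bounded by the destination's capacity and the
 * content is checked against the type "1..CARD_LEN decimal digits" before any
 * byte is written. Returns 0 on success, -1 when the input does not fit the type. */
int store_card_checked(const char *input, char *out, size_t out_cap)
{
    size_t n = strlen(input);
    if (out_cap < CARD_LEN + 1) return -1;      /* destination cannot hold the type */
    if (n == 0 || n > CARD_LEN) return -1;      /* wrong length */
    for (size_t i = 0; i < n; i++)
        if (input[i] < '0' || input[i] > '9') return -1;   /* not a digit */
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Validate into a correctly sized local buffer and report the result. */
int accept_card(const char *input)
{
    char buffer1[CARD_LEN + 1];
    return store_card_checked(input, buffer1, sizeof buffer1);
}

int main(void)
{
    /* Constructed sample inputs: a well-formed number, an over-long one, one with separators. */
    printf("16 digits:  %d\n", accept_card("4111111111111111"));
    printf("20 digits:  %d\n", accept_card("41111111111111112222"));
    printf("separators: %d\n", accept_card("4111-1111-1111-1111"));
    return 0;
}
```

The order of the checks matters: the capacity of the destination is tested before the length of the input, so a caller that passes a too-small buffer is refused regardless of what the input contains, and no byte is written on any failure path.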

Page 8:

ASN.1 code portability and Trusted Tools

• What is placed on the wire to transmit “John Smith”?

• Inside the protocol, define the variable type “Name” in ASN.1:

    Name ::= SEQUENCE {
        firstName PrintableString,
        lastName  PrintableString
    }

Assign values to the components firstName and lastName:

    firstName PrintableString ::= "John"
    lastName  PrintableString ::= "Smith"

The variable “Name” encoded as a BER sequence in hex:

    (Seq_Class) (No_Bytes) (Printable_Str) (No_bytes) (John)       (Printable_Str) (No_bytes) (Smith)
    28          15         13              04         4A 6F 68 6E  13              05         53 6D 69 74 68

Converted into a binary stream of zeros and ones:

    00101000 00010101 00010011 00000100 01001010… 0000110 0000101… J o … S m

Figure 6 – Using ASN.1 and Basic Encoding Rules (BER) to encode “John Smith” for transmission. This is done using trusted tools, so there are no errors due to manual coding.
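To make the "what is placed on the wire" question concrete, here is an added C encoder for the Name type of Figure 6; it is my own example, not output of the trusted tools the slide refers to. It follows ITU-T X.690: the universal tag of PrintableString is 13 hex, as the slide shows, while the universal tag of SEQUENCE is the constructed tag 30 hex and the content length of this sequence is 6 + 7 = 13 = 0D hex, so the first two bytes produced here (30 0D) differ from the 28 15 shown on the slide. The function names and the expected-byte array are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* X.690 universal tags used here (class universal, SEQUENCE constructed). */
enum { TAG_PRINTABLESTRING = 0x13, TAG_SEQUENCE = 0x30 };

/* PrintableString alphabet per X.680: letters, digits, space and ' ( ) + , - . / : = ? */
static int is_printable_string(const char *s)
{
    static const char extra[] = " '()+,-./:=?";
    for (; *s; s++) {
        int c = (unsigned char)*s;
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
            (c >= '0' && c <= '9') || strchr(extra, c))
            continue;
        return 0;
    }
    return 1;
}

/* Write one tag-length-value with a short-form length (content under 128 bytes).
 * Returns the number of bytes written, or -1 if it does not fit. */
static int put_tlv(uint8_t *out, size_t cap, uint8_t tag, const uint8_t *val, size_t n)
{
    if (n > 127 || cap < 2 + n) return -1;
    out[0] = tag;
    out[1] = (uint8_t)n;
    memcpy(out + 2, val, n);
    return (int)(2 + n);
}

/* Encode Name ::= SEQUENCE { firstName PrintableString, lastName PrintableString }.
 * Returns the encoded length, or -1 on an invalid string or insufficient space;
 * nothing is written to out on failure. */
int ber_encode_name(const char *first, const char *last, uint8_t *out, size_t cap)
{
    uint8_t body[256];
    int n1, n2;
    if (!is_printable_string(first) || !is_printable_string(last)) return -1;
    n1 = put_tlv(body, sizeof body, TAG_PRINTABLESTRING,
                 (const uint8_t *)first, strlen(first));
    if (n1 < 0) return -1;
    n2 = put_tlv(body + n1, sizeof body - (size_t)n1, TAG_PRINTABLESTRING,
                 (const uint8_t *)last, strlen(last));
    if (n2 < 0) return -1;
    return put_tlv(out, cap, TAG_SEQUENCE, body, (size_t)(n1 + n2));
}

/* Wire bytes expected for "John"/"Smith" under X.690 (constructed here for comparison). */
static const uint8_t expected_john_smith[] = {
    0x30, 0x0D, 0x13, 0x04, 'J','o','h','n', 0x13, 0x05, 'S','m','i','t','h' };

/* 1 if encoding ("John", "Smith") reproduces expected_john_smith byte for byte. */
int encodes_john_smith_as_expected(void)
{
    uint8_t buf[64];
    int n = ber_encode_name("John", "Smith", buf, sizeof buf);
    return n == (int)sizeof expected_john_smith && memcmp(buf, expected_john_smith, (size_t)n) == 0;
}

int main(void)
{
    uint8_t buf[64];
    int n = ber_encode_name("John", "Smith", buf, sizeof buf);
    for (int i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("\n");
    return 0;
}
```

The alphabet check is where the type constraint does its work: a string outside the PrintableString alphabet is refused before encoding, which is the compile-and-validate property the slide contrasts with hand-drawn packet tables. Long-form lengths (128 bytes and above) are deliberately not implemented; the encoder reports failure rather than emit a malformed length.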

Page 9:

RFC Data Format

[Figure 7: two redrawings of the tabular packet diagram of the RFC literature, each listing Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, the flags URG, ACK, PSH, RST, SYN and FIN, Window, Checksum, Urgent Pointer, Options (if any) and Data.]

This non-standard data format is dominant in the Internet literature today.

It is changed in arbitrary ways by authors, usually to fit the page.

This format cannot be compiled or validated. ASN.1 can be compiled and validated.

Figure 7 – The tabular form of specifying packet structure and content is dominant in the literature today, but machines cannot understand it.

Page 10:

Conclusions

• Several aspects of network security can be improved through the use of

– Higher quality protocol and test suite Recommendations specified in SDL, ASN.1, MSC and TTCN

– Trusted tools based on SDL, ASN.1, MSC and TTCN for specification, validation, code generation and testing

– Machine-generated code is error-free and difficult to modify by intruder

– Conformance tests traceable to specification can detect malicious code

Page 11:

Resolution

• That ITU-T Study Groups will apply Recommendation A.3 Supplement 1, Guidelines on the Quality Aspects of Protocol Related Recommendations, when developing new protocol-related Recommendations

• That ITU-T TSB will provide technical support and tools for the development and maintenance of complex Recommendations

• That companies that participate in GSC member organizations will make use of commercial tools based on formal methods in their reviews of draft Recommendations

• That companies that participate in GSC member organizations will promote the use of formal languages and tools in IETF