Ariadne Attack Development

We use the messages in Figure 36 on page 66 for static analysis to develop the Ariadne attacker. Since the target node signs the accumulated path received in the rreq, the path cannot be corrupted during the rrep, as shown in the Ariadne model validation. Thus, the target signature limits the attacker to the forward rreq. Examining the rreq message structure indicates that the

unprotected accumulated path can be changed at will, as long as the corresponding hash chain and signatures match the path changes. The forward intermediate signatures do not allow the attacker to reorder the path or an outsider to add to the path. Since we are not explicitly modeling the forward signatures, we limit the malicious insider to only appending or dropping a node from the end of the accumulated path. We also limit the malicious outsider to only dropping a node from the end of the accumulated path, since the outsider cannot generate a valid signature without a trusted key.

The final message element to consider is the one-way hash value. Due to its cryptographic properties, the hash value cannot be directly corrupted. Any attacker that attempts to drop a node from the accumulated path must compute a hash value that corresponds to the new path. The only way for an attacker to strip a node from the end of the accumulated path and compute a correct corresponding hash value is to generate the hash value based on capturing a previous hash value from an upstream neighbor during the current route discovery round. Hash values from previous route discovery rounds do not match due to the message id, or sequence number. For instance, if an attacker wishes to remove node 2 from the protocol example in Figure 36 on page 66, it needs to know the value h1. If h1 was not directly captured from msg2 it could be

calculated from h0, which is extracted from msg1, since h1 = H[1,h0].

Ariadne NDA. Since Ariadne requires intermediate nodes to add a signature to the forward

rreq, NDA attempts where a malicious node drops the upstream packet in place of itself is limited

to malicious insiders.

Figure 45 provides a high level description for the NDA against Ariadne. The Ariadne NDA can be performed by a malicious insider.

rreq process:

• If previous node initiator → store hash value • Else

o Store hash value

o If a hash is known for any upstream node in the embedded path ƒ Drop previous node and add own id to path

ƒ Compute hash value to match current path ƒ Retransmit changed rreq

rrep process:

• Send unicast message to all upstream nodes

Figure 45. High Level Ariadne NDA Process

If attacker receives a rreq directly from the initiator, it stores the hash value and takes no further action. Upon receiving a rreq from an intermediate node, the attacker first stores the

Figure 46. Since the hash value is modeled as a copy of the current accumulated path at each step, the attacker must be able to store up to N hash chains with a maximum path size of N, for a network containing N nodes.

Global type definition

typedef Attacker_Store{

bool h_stored = 0; /* marks if hash is stored */ byte h_chain[N] = 255; /* holds captured hash chain */ }

Local attacker variable definition

/* initiate a space for up to N hash chains*/

/* hash chain stored in array position corresponding to node that generated the hash*/ Attacker_Store a_store[N];

Figure 46. Modeling Attacker Storage Space

Once the message is received and the hash chain is stored, the attacker checks if it knows a hash value from a previous upstream host listed in the embedded path. If the attacker has this knowledge, it removes the last node id and adds its own id to the accumulated path The attacker also replaces the hash value with its local hash calculation. To compute a valid hash, the modeled attacker appends nodes to a previous hash-chain until it matches the current accumulated path. During the rrep, the attacker attempts to relay the rrep to any upstream neighbor identified in the embedded path.

Ariadne INDA. We also the consider the combination of the INA and NDA attacker, where the attacker actively corrupts the path and makes the corresponding hash changes without adding its id to the routing path. We refer to this attack as an invisible NDA (INDA). The INDA allows a malicious outsider, without cryptographic keys, the ability to attack Ariadne. To the best of our knowledge, the INDA is the first discovered active path corruption attacker against Ariadne by a malicious outsider. In chapter 7 we demonstrate our discovery of this attack using SPIN analysis over the modeled Ariadne protocol and INDA attacker.

The INDA, which can be performed by a malicious outsider, follows the same process as shown for the NDA in Figure 45,except that it does not add its id to the path after dropping the last node from the accumulated path. These attacks are successful as long the attacker lies in a position to capture a previous enabling hash value and the rrep can be delivered to one of the attacker's upstream neighbors.

The resulting SPIN generated FSA for the Ariadne NDA and INDA, shown in Appendix A, both contain 25 states. Chapter 7 demonstrates SPIN’s exhaustive automated attack analysis for the Ariadne NDA and INDA.