313 research outputs found

    CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP

    The Internet routing protocol BGP expresses topological reachability and policy-based decisions simultaneously in path vectors. A complete view on the Internet backbone routing is given by the collection of all valid routes, which is infeasible to obtain due to information hiding of BGP, the lack of omnipresent collection points, and data complexity. Commonly, graph-based data models are used to represent the Internet topology from a given set of BGP routing tables but fall short of explaining policy contexts. As a consequence, routing anomalies such as route leaks and interception attacks cannot be explained with graphs. In this paper, we use formal languages to represent the global routing system in a rigorous model. Our CAIR framework translates BGP announcements into a finite route language that allows for the incremental construction of minimal route automata. CAIR preserves route diversity, is highly efficient, and well-suited to monitor BGP path changes in real-time. We formally derive implementable search patterns for route leaks and interception attacks. In contrast to the state-of-the-art, we can detect these incidents. In practical experiments, we analyze public BGP data over the last seven years

    A Formal Analysis of Some Properties of Kerberos 5 Using MSR

    We give three formalizations of the Kerberos 5 authentication protocol in the Multi-Set Rewriting (MSR) formalism. One is a high-level formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a variety of protocol options; we similarly refine proofs of properties in the first formalization to prove properties of the second formalization. Our third formalization adds timestamps to the first formalization but has not been analyzed extensively. The various proofs make use of rank and corank functions, inspired by work of Schneider in CSP, and provide examples of reasoning about real-world protocols in MSR. We also note some potentially curious protocol behavior; given our positive results, this does not compromise the security of the protocol

    Rewriting Semantics of Meta-Objects and Composable Distributed Services

    [1] Supported by DARPA through Rome Laboratories Contract F30602-97-C-0312, by DARPA and NASA through Contract NAS2-98073, by Office of Naval Research Contract N00014-99-C-0198, and by National Science Foundation Grants CCR-9505960 and CCR-9633363, and CCR-9900334.

    Communication between distributed objects may have to be protected against random failures and malicious attacks; also, communication timeliness may be essential or highly desired. Therefore, a distributed application often has to be extended with communication services providing some kind of fault-tolerance, secrecy, or quality-of-service guarantees. Ideally, such services should be defined in a highly modular and dynamically composable way, so that the combined assurance of several services can be achieved by composition in certain cases, and so that services can be added or removed from applications at runtime in response to changes in the environment. To reason about the formal properties of such composable communication services one first needs to give them a precise semantics. This paper proposes a rewriting logic semantics for the so-called "onion skin" model of distributed object reflection, in which different meta-objects, providing different communication services, can be stacked on top of a basic application object. Since the correct behavior of a service depends on the type of hostile environment, against which the service must protect the application, rewriting logic should also be used to specify such hostile environments. The service guarantees are then guarantees about the behavior specified by the union of the rewrite theories specifying the basic application, the services, and the hostile environment

    Composable Models for Timing and Liveness Analysis in Distributed Real-Time Embedded Systems Middleware

    Middleware for distributed real-time embedded (DRE) systems has grown increasingly complex, to address functional and temporal requirements of diverse applications. While current approaches to modeling middleware have eased the task of assembling, deploying and configuring middleware and the applications that use it, a lower-level set of formal models is needed to uncover subtle timing and liveness hazards introduced by interference between and within distributed computations, particularly in the face of alternative middleware concurrency strategies. In this paper, we propose timed automata as a formal model of low-level middleware building blocks from which a variety of different middleware configurations can be constructed. When combined with analysis techniques such as model checking, this formal model can help developers in verifying the correctness of various middleware configurations with respect to the timing and liveness constraints of each particular application

    Seeking Asylum Across the International Boundary: Legal Terms and Geopolitical Conditions of Irregular Border Crossing and Asylum Seeking Between the United States and Canada, 2016 - 2018

    This thesis explores the acute surge in the irregular border crossings of asylum seekers across the International Boundary into Canada between late 2016 and early 2018. The goal of this project is to compile an account of the legal terms and geopolitical conditions that act to generate and shape this migration. The trajectory of this research necessitated study of the evolving nature of Temporary Protected Status (TPS) in the United States as well as the Canada-U.S. Safe Third Country Agreement (STCA) and its legal controversy. I explore how both respectively act to produce and structure these trends in irregular border crossing and asylum seeking. While the annulment of TPS is situated within a broader landscape of anti-immigrant and anti-refugee policy in the U.S. under the Trump administration, I place a particular focus on TPS because of the way in which its capacity for protection has been diminished by 75 percent[1] over the course of this research. This project considers how the problematizing of asylum seekers has eroded the refugee determination regime in North America as situated within unprecedented levels of forced displacement globally. The accumulating deficiencies of the U.S. asylum system, in particular, lead both the U.S. and Canada to fail to meet their obligations to international standards of protection under the ongoing application of the STCA. This is a distinct concern in consideration of the way in which the annulment of TPS under the Trump administration has swelled the ranks of vulnerable populations in need of protection within the U.S. While the deteriorating conditions of asylum and humanitarian protection simultaneously produce and criminalize vulnerable populations in the U.S., Canada seeks to deflect and deter access to their own asylum system. I explore how the intersection between the annulment of TPS and the antecedent conditions of the STCA act to generate the legal and geopolitical environment that produces and structures this particular contemporary migration event.

    [1] Immediately following the submission of this thesis to the Defense Committee on April 18, 2018, the U.S. Secretary of Homeland Security announced the termination of two additional TPS programs (DHS [Press Release], 2018a; DHS [Press Release], 2018b). Coupled with the terminations discussed in this paper, this collectively represents annulment of 98 percent of the program's capacity for protection under the Trump administration. This statistic is current as of May 11, 2018

    A Unified Specification Framework for Spatiotemporal Communication

    Traditionally, network communication entailed the delivery of messages to specific network addresses. As computers acquired multimedia capabilities, new applications such as video broadcasting dictated the need for real-time quality of service guarantees and delivery to multiple recipients. In light of this, a subtle transition took place as a subset of IP addresses evolved into a group-naming scheme and best-effort delivery became subjugated to temporal constraints. With recent developments in mobile and sensor networks new applications are being considered in which physical locations and even temporal coordinates play a role in identifying the set of desired recipients. Other applications involved in the delivery of spatiotemporal services are pointing to increasingly sophisticated ways in which the name, time, and space dimensions can be engaged in specifying the recipients of a given message. In this paper we explore the extent to which these and other techniques for implicit and explicit specification of the recipient list can be brought under a single unified framework. The proposed framework is shown to be expressive enough so as to offer precise specifications for existing communication mechanisms. More importantly, its analysis suggests novel forms of communication relevant to the emerging areas of spatiotemporal service provision in sensor and mobile networks

    An Optimal Medium Access Control with Partial Observations for Sensor Networks

    We consider medium access control (MAC) in multihop sensor networks, where only partial information about the shared medium is available to the transmitter. We model our setting as a queuing problem in which the service rate of a queue is a function of a partially observed Markov chain representing the available bandwidth, and in which the arrivals are controlled based on the partial observations so as to keep the system in a desirable mildly unstable regime. The optimal controller for this problem satisfies a separation property: we first compute a probability measure on the state space of the chain, namely the information state, then use this measure as the new state on which the control decisions are based. We give a formal description of the system considered and of its dynamics, we formalize and solve an optimal control problem, and we show numerical simulations to illustrate with concrete examples properties of the optimal control law. We show how the ergodic behavior of our queuing model is characterized by an invariant measure over all possible information states, and we construct that measure. Our results can be specifically applied for designing efficient and stable algorithms for medium access control in multiple-accessed systems, in particular for sensor networks

    LIME: A Coordination Middleware Supporting Mobility of Agents and Hosts

    LIME (Linda in a Mobile Environment) is a middleware supporting the development of applications that exhibit physical mobility of hosts, logical mobility of agents, or both. LIME adopts a coordination perspective inspired by work on the Linda model. The context for computation, represented in Linda by a globally accessible, persistent tuple space, is refined in LIME to transient sharing of identically-named tuple spaces carried by individual mobile units. Tuple spaces are also extended with a notion of location and programs are given the ability to react to specified states. The resulting model provides a minimalist set of abstractions that promise to facilitate rapid and dependable development of mobile applications. In this paper, we illustrate the model underlying LIME, provide a formal semantic characterization for the operations it makes available to the application developer, present its current design and implementation, and discuss lessons learned in developing applications that involve physical mobility