Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Dialects for CoAP-like Messaging Protocols

Carolyn Talcott

TL;DR

This report proposes a generic dialect for CoAP messaging and proves (stuttering) bisimulations between CoAP messaging applications and dialected versions, thus ensuring that dialecting preserves LTL properties (without Next) of CoAP applications.

Abstract

Messaging protocols for resource limited systems such as distributed IoT systems are often vulnerable to attacks due to security choices made to conserve resources such as time, memory, or bandwidth. For example, use of secure layers such as DTLS are resource expensive and can sometimes cause service disruption. Protocol dialects are intended as a light weight, modular mechanism to provide selected security guarantees, such as authentication. In this report we study the CoAP messaging protocol and define two attack models formalizing different vulnerabilities. We propose a generic dialect for CoAP messaging. The CoAP protocol, dialect, and attack models are formalized in the rewriting logic system Maude. A number of case studies are reported illustrating vulnerabilities and effects of applying the dialect. We also prove (stuttering) bisimulations between CoAP messaging applications and dialected versions, thus ensuring that dialecting preserves LTL properties (without Next) of CoAP applications. To support search for attacks in complex messaging situations we specify a simple application layer to drive the CoAP messaging and generalize the attack model to support a form of symbolic search for attacks. Two case studies are presented to illustrate the more general attack search.

Dialects for CoAP-like Messaging Protocols

TL;DR

This report proposes a generic dialect for CoAP messaging and proves (stuttering) bisimulations between CoAP messaging applications and dialected versions, thus ensuring that dialecting preserves LTL properties (without Next) of CoAP applications.

Abstract

Messaging protocols for resource limited systems such as distributed IoT systems are often vulnerable to attacks due to security choices made to conserve resources such as time, memory, or bandwidth. For example, use of secure layers such as DTLS are resource expensive and can sometimes cause service disruption. Protocol dialects are intended as a light weight, modular mechanism to provide selected security guarantees, such as authentication. In this report we study the CoAP messaging protocol and define two attack models formalizing different vulnerabilities. We propose a generic dialect for CoAP messaging. The CoAP protocol, dialect, and attack models are formalized in the rewriting logic system Maude. A number of case studies are reported illustrating vulnerabilities and effects of applying the dialect. We also prove (stuttering) bisimulations between CoAP messaging applications and dialected versions, thus ensuring that dialecting preserves LTL properties (without Next) of CoAP applications. To support search for attacks in complex messaging situations we specify a simple application layer to drive the CoAP messaging and generalize the attack model to support a form of symbolic search for attacks. Two case studies are presented to illustrate the more general attack search.
Paper Structure (79 sections, 7 theorems, 15 equations, 2 figures)

This paper contains 79 sections, 7 theorems, 15 equations, 2 figures.

Table of Contents

  1. Introduction
  2. Contributions.
  3. Plan.
  4. Background
  5. The CoAP protocol
  6. Dialects
  7. Rewriting logic and Maude
  8. Executable Specification of CoAP
  9. Data types
  10. Message data type.
  11. Endpoint state.
  12. Rules
  13. Sending a message.
  14. Receiving a message.
  15. ReSending a message.
  16. ...and 64 more sections

Key Result

proposition thmcounterproposition

Let sysI be an initial configuration and let sysC be a CoAP system configuration reachable from sysI. Then mte(sysC) is either 0, nz a non-zero natural number, or the constant infty (representing infinity) and one of the following holds.

Figures (2)

  • Figure 1: Summary of bridge application attacks. The column nRnd is the number of rounds, mcX is delay argument to the mcX attack capability, and msg is the message identifier of the attacked message.
  • Figure 2: Summary of attacks on PnP. The column nRnd is the number of rounds, mcX is delay argument to the mcX attack capability, and msg is the message identifier of the attacked message.

Theorems & Definitions (15)

  • definition thmcounterdefinition: Initial CoAP configuration
  • definition thmcounterdefinition: Initial dialected CoAP configuration
  • proposition thmcounterproposition: Mte based characterization of reachable CoAP configurations
  • proposition thmcounterproposition: Mte based characterization of reachable dialected CoAP configurations.
  • definition thmcounterdefinition: $\sim$-bisimulation
  • definition thmcounterdefinition: UDX and simulation
  • lemma thmcounterlemma: Inverse relation
  • theorem 1: Stuttering bisimulation in the absence of attacks.
  • proof
  • corollary thmcountercorollary
  • ...and 5 more