The FI problem (1)

Identification of

Feature Denial of Services

Rui Gustavo CrespoTechnical University of Lisbon/ Portugal

2/15Identification of Feature Denial of Services

The FI problem (1)

Mobile and Multimedia Telecommunication Services extend basic services of Telephony, Email, WWW and other media with features. Single and multimedia features reveal FI-Feature Interaction.

Feature: functionality unit perceived as having a self-contained functional role (ex: Email filterMessage, Telephony voiceMail, WWW refresh)Interaction: undesirable behaviour revealed by features when subscribed together, while alone working fine.


The FI problem (2)

Example of a feature interaction

decryptMessageforwardMessage

SK

PK

&x.!%w$&


The FI problem (3)

Undesired behaviour :Message sent in clear!

Suppose one party subscribes to decryptMessage and forwardMessage features.

PK

&x.!%w$&

A) Ciphered message arrives

SK

B) Message is decrypted

C) Message is sent forward

Mobility may increase FIs (ex: RemailMessage-anonymous status may be lost, due to lack of service when user moves from one location to another).


3 major focus on FI research: Detection: identification of pairs candidate of FI. Avoidance: intervene at protocol/design stages to prevent FI occur. Resolution: actions to correct detected FI.

I. Research on FI detection focus on schemes to represent features (automaton, petri-nets, process

algebra, temporal logics,...), and

methods to check if a given pair of features is likely to interact (model checking, simulation, theorem proving, security analysis,...)

II. Avoidance unfeasable in Internet/Mobile networks, due to

distributed control

multi-vendor / multi-provider environments.

The FI problem (4)


III. Proposed resolver: install a FeatureManager in every node

The FI problem (5)

Message to FM contain the list of actions executed by all features candidate for execution.

Advice based on formulas with Interdiction operator over Action featuresRequests Conditions Restriction

Application

Feat. A Feat. N…FM

API

Commands

Extra

information

Advice

Incoming/Outgoing messages

Message FORMULAS


The FI problem (6)

Example of resolutions (over 7 actions) Resolution by simple interdiction

Example: CW + CFB – first call waits, all others are forwardForward(_dest) Wait(_init) one_hold(_init) I Forward(_dest)Forward(_dest) Wait(_init) one_hold(_init) I Wait(_dest)

Resolution by priority Example: filterMessage priority higher then Read

Accept(_init) Deny(_init) I Accept(_init)

Resolution may request collaboration between several FMs, e.g. permission Example: for parental control

Accept(_init) perm(_init) I Accept(_init)


The FI problem (7)

Formulas are checked and interdicted actions are removed.

Cost of FI resolution is linear to the number of formulas.

System still works in case of FM breakdown.When FM breaks, or information cannot be transmitted across networks, default values may be established for predicates (ex: negation of a permission).


The FDS problem

If all features are marked for removal, then a FDS-”feature denial of services” occurs.

A.Usually, feature denial is unacceptable!Example: filterMessage(bob) and forwardMessage(charles)

subscribed, with 3 formulasAccept(_init) perm(_init) I Accept(_init) # access control

Forward(_dest) perm(_init) I Forward(_dest) # access control

Deny(_init) emergency(_init) I Deny(_dest) # emergency must pass

An emergency call from BOB results in a FDS!

B.However, sometimes feature denial is required!Example: two parties subscribe forwardMessage to each other

Forward(_dest) loop(_init) I Forward(_dest)

FDS stops message looping


The algorithm (1)

We must identify the cases when a non-empty set of interdiction formulas result in a FDS!

Inputs: A non-empty set of Interdiction formulas, and A non-empty set of all possible actions.

1.Generate one DS tree Each node contains an unique subset of actions. Link from an upper level to a lower level nodes

corresponds to an action removal.


The algorithm (2)

DS tree example for F={A,C,D,F}

• Nodes represent elementsFkC#

{A,C,D,F}

{C,D,F} {A,D,F} {A,C,F} {A,C,D}

{A,C}{A,D}{A,F}{D,F} {C,F} {C,D}

{F} {D}

{ }

{C} {A}


The algorithm (3)

DS tree contains same nodes as Pascal triangle and partial order (2F).

2.FDS detection: Scan all non-empty DS nodes. Starting from a non-empty DS node

Label branch to a lower level node with the predicates required for the formula satisfaction, only if the conjunction of all predicates upwards does not raise a contradiction!Note: removing A then B is equal to removing B then A.

If reached a non-empty leaf, expand DS tree by removing one of the actions (predicates may not hold, or may be those selected while transversing the path)

FDS occurs when previous step leads to an empty leaf!


The algorithm (4)

Example for {D,F}

(2) Forward(_dest) perm(_init) I Forward(_dest)(3) Deny(_init) emergency(_init) I Deny(_dest)

{ }

(3), emergency(_init)

Expand non-empty DS node

{D,F}

{D}

(2),perm(_init)

{F}


The algorithm (5)

Cost of FDS identification:Cost of DS tree creation: O(2F)

Cost of interdiction formula application:On average, for each action removal there are P/F

interdiction formulas. In a Pascal triangle, the number of branches

between rows N and N+1 is N+1. The sum of a linear series is quadratic.F is small, hence PI and the cost is O(I2).

Total cost for FDS algorithm is O(2FI2)


Conclusions

Mobile systems off a large number of features. Feature Interaction is inevitable, which may lead to

customer displeasure! FI resolution by interdiction may lead to Feature Denial

of Service. Every FDS must be classified, and actions exercised to

correct unacceptable occurrences!

Thank you!Questions?

The FI problem (1)

Documents

Transcript of The FI problem (1)