A Formal Analysis of IEEE 802.11w Deadlock Vulnerabilities

Martin Eian
Department of Telematics
Norwegian University of Science and Technology (NTNU)
Trondheim, Norway
Email: martin.eian@item.ntnu.no

Stig F. Mjølsnes
Department of Telematics
Norwegian University of Science and Technology (NTNU)
Trondheim, Norway
Email: stig.mjolsnes@item.ntnu.no

Abstract

Formal methods can be used to discover obscure denial of service (DoS) vulnerabilities in wireless network protocols. The application of formal methods to the analysis of DoS vulnerabilities in communication protocols is not a mature research area. Although several formal models have been proposed, they lack a clear and convincing demonstration of their usefulness and practicality. This paper bridges the gap between theory and practice, and shows how a simple protocol model can be used to discover protocol deadlock vulnerabilities. A deadlock vulnerability is the most severe form of DoS vulnerability, thus checking for deadlock vulnerabilities is an essential part of robust protocol design. We demonstrate the usefulness of the proposed method through the discovery and experimental validation of deadlock vulnerabilities in the published IEEE 802.11w amendment to the 802.11 standard. We present the complete procedure of our approach, from model construction to verification and validation. An Appendix includes the complete model source code, which facilitates the replication and extension of our results. The source code can also be used as a template for modeling other protocols.

I. INTRODUCTION

Wireless network access protocols are used in numerous safety critical applications, such as life critical medical devices, supervisory control and data acquisition (SCADA) systems, smart grid applications, intelligent transport systems (ITS), emergency communications and alarm systems. Network availability is important for safety critical applications, since loss of availability can cause physical damage. An adversary can disrupt the availability of a wireless network using denial of service (DoS) attacks.

The most widely deployed wireless protocols are vulnerable to DoS attacks. Throughout the last decade, researchers have published DoS attacks against IEEE 802.11 local area networks (LANs) [1], [2], [3], [4], IEEE 802.16 wide area networks (WANs) [5], and GSM and UMTS mobile networks [6]. One of the most common forms of wireless DoS attack is the semantic attack, i.e., sending valid protocol messages that cause one or more protocol participants to lose state synchronization. Semantic attacks can be highly efficient, since the participants may have to spend a significant amount of time to detect and correct the lost synchronization. The most severe semantic DoS attacks can cause a protocol deadlock. A deadlock state is a global state from which the protocol participants are not able to recover to a functional state.

In this paper, we apply formal methods to the analysis of deadlock vulnerabilities in the IEEE 802.11 medium access control (MAC) layer [7] with the 802.11i [8] and 802.11w [9] amendments. The motivation for using 802.11w as our target protocol is that it has been subject to extensive manual analysis. The 802.11w designers found a deadlock vulnerability in an early draft of 802.11w. The protocol specification was modified because deadlock vulnerabilities were considered unacceptable. The 802.11w amendment has also been subject to manual analysis by independent researchers [2], [10]. Thus, we consider 802.11w an appropriate subject for our investigation.

The main contribution of our work is a demonstration of how formal methods can be used to find deadlock vulnerabilities. In particular, we investigate how to automatically discover vulnerabilities through the construction and verification of a formal protocol model. Our work bridges the gap between theory and practice by giving a detailed description of how to construct and verify a simple and useful protocol model, including the complete model source code. The proposed approach to modeling and verification could help protocol designers discover deadlock vulnerabilities at an early stage of the design process.

Several formal models for the analysis of protocol DoS vulnerabilities have been proposed [11], [12], [13]. To the best of our knowledge, none of the proposed models has been demonstrated to be both easy to implement and able to discover deadlock vulnerabilities in protocols.

The rest of this paper is structured as follows: Section II introduces relevant parts of the 802.11 standard and related work. Section III constructs the model. Section IV presents the verification results from the model checker. Section V is an experimental validation of the verification results. Section VI discusses the results. Section VII concludes the paper. The Appendix includes the complete source code of our model.

II. BACKGROUND AND RELATED WORK

The IEEE 802.11 standard for wireless LANs (WLANs) was ratified in 1997 and accepted as an ISO standard in 1999.

© 2012 IEEE