
21 Nov 2013 (3 years and 6 months ago)


SECURE ROUTING IN WIRELESS SENSOR NETWORKS: ATTACKS AND COUNTERMEASURES

Chris Karlof and David Wagner

University of California at Berkeley

1st IEEE International Workshop on Sensor Network Protocols and Applications, 2003

: 장준혁, 최준철

Contents

- Introduction: wireless sensor network
- Problem statement
- Attacks on sensor network routing
- Attacks on specific sensor network protocols
- Countermeasures
- Conclusion

Wireless Sensor Network (WSN)

- Applications
  - Fire monitoring, protecting wild animals, military purpose
- Deployment
- Sensing
- Network construction
- Data aggregation
- Restricted resources
- Environments (assumptions)
  - Base station
  - Global information
  - Transmission range
  - Mobility

[Figure: sensor field with sensor nodes and a sink; resource constraints of a sensor node]

Sensor Node

<Mica mote>

Component      Spec
Processor      4 MHz 8-bit CPU
OS             TinyOS
RAM            4 KB
Storage        512 KB flash memory
Radio          916 MHz, 40 Kbps
Range          A few dozen meters
Power supply   AA battery
Sensors        Optional

<Power consumption>

Component   State       Consumption
CPU         Active      5.5 mA
CPU         Sleep       Less by 100 or more
Radio       Receiving   4.8 mA
Radio       Transmit    12 mA
Radio       Sleep       5 uA

Sensor Network Routing

- Power consumption dominates network lifetime
  - Mostly, sensor nodes are not repaired or reused
  - 2 weeks ~ a few years
  - How many messages are used? = How long does the network stay alive?
- Sensor routing protocols
  - Flooding, proactive (DSDV), reactive (AODV), clustering (LEACH)
- The routing protocols are not designed for security, and traditional methods are hard to use
- This paper suggests
  - Threat models and security goals
  - Countermeasures
  - Design consideration


WSN vs. Ad-hoc Wireless Networks

- Similarity
  - Support multi-hop networking
- Differences
  - Sensor: supports specialized communication patterns
    - Many-to-One
    - One-to-Many
    - Local Communication
  - Sensor nodes are more resource constrained than ad-hoc nodes
    - Public key cryptography not feasible
  - Higher level of trust relationship among sensor nodes
    - In-network processing, aggregation, duplication elimination

DIP2010F


Problem Statement

- Trust requirements
  - Insecure radio links
  - Base station (trusted), nodes (untrusted)
  - Not tamper resistant
    - Adversary can access all keys, data, code
- Threat models
  - Based on device capability
    - Mote-class attacker / Laptop-class attacker
  - Based on attacker type/location
    - Outside attacks / Inside attacks


Security Goal

- Responsibility
  - Link layer: integrity, authenticity, and confidentiality
  - Routing protocol: availability
  - Application: protection against replay attacks
- Outsider adversaries
  - Conceivable to achieve these goals
- Insider adversaries
  - These goals are not fully attainable -> graceful degradation


Attack Model

- Spoofed, altered, or replayed routing information
- Selective forwarding
- Sinkhole attacks**
- Sybil attacks
- Wormhole attacks
- HELLO flood attacks**
- Acknowledgement spoofing

Attacker wants to:

- Steal information through the data flows
- Break the functionality of the sensor network


Attack Model

- Spoofed, altered or replayed routing information
  - May be used for loop construction, attracting or repelling traffic, extending or shortening source routes
- Selective forwarding
  - A malicious node behaves like a black hole
  - Refuses to forward certain messages, selectively forwarding packets or simply dropping them
- Sinkhole attacks
  - Attacker creates a metaphorical sinkhole by advertising, for example, a high quality route to a base station
  - Almost all traffic is directed to the fake sinkhole




Attack Model

- The Sybil attack
  - Forging of multiple identities: having a set of faulty entities represented through a larger set of identities
  - Significant threat to location-aware routing protocols
  - An adversary node can be in more than one place at once
- Wormholes
  - Tunneling of messages over alternative low-latency links
  - E.g. to confuse the routing protocol, create sinkholes, etc.


Figure: Location-information-based wormhole detection technique in ad hoc networks, 이규호, 정보과학회, 2006

Attack Model

- HELLO flood attack
  - An attacker sends or replays a routing protocol’s HELLO packets with more energy
- Acknowledgement spoofing
  - Spoof link-layer acknowledgements to trick other nodes into believing that a link or node is either dead or alive



Attacks on specific protocols

- TinyOS beaconing
- Directed Diffusion
- Geographic routing

Attacks on specific protocols

- TinyOS beaconing
  - The base station periodically broadcasts a route update (beacon); nodes that receive the update mark the base station as parent and rebroadcast it
  - Breadth-first spanning tree rooted at a base station
  - Routing updates are not authenticated




Attacks on TinyOS protocols

- Spoofing a routing update
  - Bogus and replayed routing information (such as “I am station”) sent by an adversary can easily pollute the entire network
  - Routing loops can easily be created by mote-class adversaries


Attacks on TinyOS protocols

- Wormhole / Sinkhole attack
  - Two colluding powerful laptop-class nodes, one near the base station and one near the targeted area
  - The first node forwards routing updates through the wormhole
  - The second node creates a sinkhole by rebroadcasting the routing update in the targeted area


Attacks on TinyOS protocols

- HELLO flood attack
  - Broadcast a routing update loud enough to reach the entire network by using a powerful transmitter
  - Every node marks the adversary as its parent
  - Most nodes will likely be out of normal radio range
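An added illustration (not from the slides or the paper): beacon parent selection as described for TinyOS beaconing, run with and without the bidirectional link verification that the deck's conclusion lists as a defence. The grid topology, `MOTE_RANGE`, the node names and the geometric stand-in for an echo exchange are constructed assumptions.

```python
import math
from collections import deque

MOTE_RANGE = 1.5   # normal radio range of a mote (constructed units)

def build_tree(pos, tx_range, originators, verify_bidirectional):
    """Breadth-first beacon flood. pos: {id: (x, y)}; tx_range: {id: range}
    for senders that differ from MOTE_RANGE. Returns {node: parent}."""
    parent = {}
    queue = deque(originators)
    while queue:
        sender = queue.popleft()
        reach = tx_range.get(sender, MOTE_RANGE)
        for node, p in pos.items():
            if node in parent or node in originators:
                continue
            d = math.dist(pos[sender], p)
            if d > reach:
                continue                  # beacon never heard
            # Bidirectional check: the node's own reply must reach the
            # sender. Geometry stands in for a challenge/echo exchange.
            if verify_bidirectional and d > tx_range.get(node, MOTE_RANGE):
                continue
            parent[node] = sender         # first acceptable beacon wins
            queue.append(node)            # node rebroadcasts the update
    return parent

def stranded(pos, tx_range, parent):
    """Nodes whose chosen parent lies beyond their own transmit range."""
    return sorted(n for n, par in parent.items()
                  if math.dist(pos[n], pos[par]) > tx_range.get(n, MOTE_RANGE))

def demo():
    # Constructed topology: 5x5 grid, base station at the origin, plus one
    # sender "X" whose transmitter covers the whole field.
    pos = {f"n{x}{y}": (x, y)
           for x in range(5) for y in range(5) if (x, y) != (0, 0)}
    pos["BS"], pos["X"] = (0, 0), (2.5, 2.5)
    tx = {"X": 10.0}
    naive = build_tree(pos, tx, ["BS", "X"], verify_bidirectional=False)
    checked = build_tree(pos, tx, ["BS", "X"], verify_bidirectional=True)
    return (len(stranded(pos, tx, naive)),
            len(stranded(pos, tx, checked)), len(checked))
```

`demo()` returns `(17, 0, 24)`: without the check 17 of 24 nodes pick a parent they cannot reach, with it none do and every node still joins the tree. Nodes that really are within range of the loud sender still accept it, so the check limits the damage but does not authenticate the sender.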



Attacks on specific protocols

- Directed diffusion
  - A data-centric routing algorithm for drawing information out of a sensor network



Attacks on Directed diffusion protocols

- Suppression
- Cloning
- Path influence
- Selective forwarding and data tampering


Attacks on specific protocols

- Geographic Routing
  - GPSR (Greedy Perimeter Stateless Routing)
    - Greedy forwarding: routes each packet to the neighbor closest to the destination
  - GEAR (Geographic and Energy Aware Routing)
    - GEAR weighs the choice of the next hop by both remaining energy and distance from the target


Attacks on Geographic Routing protocols

- Sybil Attack
  - Surrounding each target with non-existent nodes by using the Sybil attack; the adversary maximizes her chances of placing herself on the path of data flow
- Forge location advertisements
  - Advertise her location in a way that places herself on the path of a known flow
  - Forge other nodes’ locations to create routing loops



Countermeasures

- Authentication and encryption
  - Prevents the majority of outsider attacks
    - False routing information, selective forwarding, sinkhole attacks, Sybil attacks, ACK spoofing
  - Can’t prevent tunneling or amplification of legitimate messages
    - Wormhole attacks, HELLO flood attacks
  - Can’t prevent insider attacks



Countermeasures

- Insider attacks
  - Using a globally shared key allows an insider to masquerade as any node
  - Verifying identities might be done using public key cryptography, but this is beyond the capabilities of sensor nodes
- Share a unique symmetric key with a trusted base station
  - Two nodes verify each other by using some protocol and establish a shared key
  - Using that key, a pair of nodes can implement an authenticated and encrypted link between them
  - The base station reasonably limits the number of neighbors
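One possible shape for the scheme on this slide, as an added example that is not from the slides or the paper: each node shares a unique key with the base station, which hands a fresh link key to a pair of nodes and caps how many neighbors any identity may hold. `MAX_NEIGHBORS`, the ticket layout and the HMAC-based key wrap (standing in for an authenticated cipher) are assumptions.

```python
import hashlib, hmac, os

MAX_NEIGHBORS = 4   # assumed per-node cap enforced by the base station

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(node_key, owner, peer, link_key):
    """Encrypt-then-MAC a 32-byte link key under the owner's node key.
    HMAC-SHA256 as a one-time keystream stands in for a real AEAD."""
    ctx = f"{owner}|{peer}|".encode() + os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(link_key, _prf(node_key, b"enc", ctx)))
    return ctx, ct, _prf(node_key, b"mac", ctx + ct)

def unwrap(node_key, owner, peer, ticket):
    ctx, ct, tag = ticket
    if not hmac.compare_digest(tag, _prf(node_key, b"mac", ctx + ct)):
        raise ValueError("ticket not issued by the base station")
    if not ctx.startswith(f"{owner}|{peer}|".encode()):
        raise ValueError("ticket is for a different pair")
    return bytes(a ^ b for a, b in zip(ct, _prf(node_key, b"enc", ctx)))

class BaseStation:
    def __init__(self):
        self.node_keys = {}   # id -> unique key shared only with that node
        self.neighbors = {}   # id -> peers already granted a link key

    def enroll(self, node_id):
        self.node_keys[node_id] = os.urandom(32)
        self.neighbors[node_id] = set()
        return self.node_keys[node_id]

    def issue_link_key(self, a, b):
        """Return (ticket_for_a, ticket_for_b) carrying one fresh link key."""
        for n, peer in ((a, b), (b, a)):
            if n not in self.node_keys:
                raise PermissionError(f"unknown identity {n}")
            if (peer not in self.neighbors[n]
                    and len(self.neighbors[n]) >= MAX_NEIGHBORS):
                raise PermissionError(f"{n} is at its neighbor limit")
        self.neighbors[a].add(b)
        self.neighbors[b].add(a)
        k = os.urandom(32)
        return (wrap(self.node_keys[a], a, b, k),
                wrap(self.node_keys[b], b, a, k))

def frame_tag(link_key, frame):
    """Link-layer MAC for frames exchanged between the two neighbors."""
    return _prf(link_key, b"frame", frame)
```

An identity the base station never enrolled gets no link key, and a compromised node cannot collect link keys for more than `MAX_NEIGHBORS` peers, which bounds how many neighbors an insider can claim.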


Countermeasures

- Wormhole and Sinkhole attacks
  - These are very difficult to defend against, since detecting and verifying them is extremely difficult
  - Difficult to retrofit existing protocols with defenses against these attacks
  - Best solution is to carefully design routing protocols
- Geographic routing protocol
  - Resistant to wormhole and sinkhole attacks
  - Does not construct the topology with initiation; constructs it on demand
  - Difficult to create a sinkhole and easy to detect a wormhole


Countermeasures

- Selective Forwarding
  - Multipath routing can be used to counter these types of selective forwarding attacks
  - Messages routed over n paths whose nodes are completely disjoint are completely protected against selective forwarding attacks involving at most n compromised nodes
  - Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates


Conclusion

- Currently proposed routing protocols for sensor networks are insecure
- Link layer encryption and authentication, multipath routing, identity verification, bidirectional link verification and authenticated broadcast are important
- Cryptography is not enough for insiders and laptop-class adversaries; careful protocol design is needed as well
