brainyboots | Mobile - Wireless

Nov 21, 2013

Secure Routing in Wireless Sensor Networks

This Paper


One of the first to examine security on sensor networks


prior work focused on wired and ad hoc


Not an algorithms or systems paper


Describes


general attacks on routing


attacks on specific sensor systems


some countermeasures


Also useful as survey of sensor routing protocols

Outline


Context


Routing attacks


Protocol attacks


What next?

Security for Sensor Nets


A larger challenge in sensor nets


security not priority in protocol design


mainly optimize for power (CPU / transmissions)


E2E principle does not apply


routers need access to data for aggregation


many to one communication instead of end-to-end


Result


Protocols easy to attack and cripple


Security needs to be built-in at protocol design

Context


Large static sensor networks


large # (100’s, 1000’s) of low power nodes


fixed location for their entire lifetime


focused scenario: Berkeley Motes


4 MHz CPU, 4 KB RAM (data), 40 Kbps max b/w


Connectivity


base stations: powerful pts of central control


sensors form multi-hop wireless network


periodic data stream aggregated to BS

Worrying about Power


Power is #1 concern for sensors


small power reserves


1% duty cycle or less


radio uses power 10^3 more than sleep mode


Other constraints


minimal CPU, RAM, radio power


cannot support: public-key, source routing or distance vector, anything that requires


May not benefit from Moore’s law


strong pressure to use cheaper nodes


is this a temporary trend? will eventually benefit

Assumptions


Network assumptions


radio is insecure


base stations are trustworthy


Attackers


can control/turn nodes, collude


mote-class vs. laptop-class attackers


inside vs. outside attackers

Outline


Context


Routing attacks


Protocol attacks


What next?

Attacks on Sensor Routing


Spoofed, altered, replayed routing info


result: routing loops, attract or repel network traffic, extend or shorten routes, partition network


Selective forwarding


drop subset of packets w/o being detected


(enabled by) Sinkhole attack


provide or falsely advertise shorter routes


many to one model makes this easy

Routing Attacks II


Sybil attack


one node, many (network) identities


Wormholes


use out-of-band fast channel to route msgs faster than regular network


exploit out-of-order delivery (race conditions)


HELLO flood


broadcast msg to all nodes (laptop-class)


disrupt topology construction


Ack spoofing


replay link layer acks to misrepresent link quality between nodes

Understanding Routing Attacks


Key weakness


insecure wireless channel (eavesdropping, replays)


unequal transmission power / link quality


Selective forwarding


be a sinkhole (concentrate traffic into malicious node)


Enablers (distort view of wireless network)


wormholes, HELLO flood (leverage transmission pwr)


acknowledgement/route spoofing (distort view of links)


sybil (appear as many nodes at once)

Outline


Context


Routing attacks


Protocol attacks


What next?

Protocol Attacks


TinyOS beaconing


base station constructs depth first spanning tree with itself as root


Attacks


w/o authentication: anyone can claim to be BS


wormhole


sinkhole attack w/ laptop-class nodes


HELLO flood


strand nodes out of range

Protocol Attacks II


Directed diffusion


BS floods “interests” for named data


sensors send data on reverse interest path


paths “reinforced” to in/decrease data flow


Attacks


flooding is more robust to sinkholes


once path established, can suppress or clone flows using path reinforcements


can modify in-flight data once it’s on path

Protocol Attacks III


Geographic routing (GPSR, GEAR)


use coordinates to route towards destination


GEAR spreads out path to load-balance


attack: misrepresent location data for sinkhole attack


attack: use sybil to surround target node (sinkhole)


Minimum cost forwarding


each node keeps local cost of reaching BS


broadcast out msg w/ budget, each hop subtracts cost. If budget exceeded, msg dropped


attack: advertise low cost path (can also use HELLO)

Protocol Attacks IV


Rumor routing


send out agent carrying useful events on random walk through network w/ TTL


queries and data both sent out via agents


attack: mishandle agents & remove data


attack: send out tendrils with large TTLs advertising low cost

Protocol Attacks V


Energy conserving topology maintenance


GAF: nodes placed into grid squares


occasionally wake to see if they’re needed, otherwise sleep


SPAN: “coordinators” keep connectivity


nodes occasionally wake to see if they should be upgraded to coordinator


Attacks


spoof route/discovery msgs to lull nodes to sleep


destroy connectivity

Understanding Protocol Attacks


Inherent tradeoff: energy vs. security


optimizing route vs. susceptibility to attacks


Attacks


all leading to sinkhole attack


manipulate cost function to represent self as optimal path


Is resistance futile?


flooding


useful, but high cost


random walks


potentially high cost


key is randomization

Outline


Context


Routing attacks


Protocol attacks


What next?

Countermeasures


Link layer security (shared key auth.)


costly, but can disable sybil attacks


useless against compromised nodes (insiders)


Hello floods


verify bi-directionality, or authenticate identity of neighbors w/ separate protocol


Use global knowledge


nodes are static, so learn global map


scalability: enough state to keep info?
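
An added example (not from the slides or the paper) sketching the first two countermeasures above in Python: HELLO packets carry a MAC under a network-wide shared key, and a sender is accepted as a neighbor only after it echoes a challenge sent at normal power, which confirms the link works in both directions. The key, message layout, tag length and all class and function names are assumptions for illustration; as the slide notes, a compromised node that holds the key still passes the MAC check.

```python
import hashlib
import hmac
import os

NETWORK_KEY = b"constructed-demo-key"   # constructed; assumed pre-loaded on every node
TAG_LEN = 8                             # truncated tag to save radio bytes (assumption)

def tag(key, kind, *fields):
    """MAC over a message kind and length-prefixed fields."""
    body = kind + b"".join(len(f).to_bytes(1, "big") + f for f in fields)
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Node:
    def __init__(self, node_id, key=NETWORK_KEY):
        self.id, self.key = node_id, key
        self.last_seq = {}      # sender id -> highest HELLO sequence number seen
        self.pending = {}       # sender id -> nonce awaiting an echo
        self.neighbors = set()  # only links confirmed in both directions

    def make_hello(self, seq):
        return self.id, seq, tag(self.key, b"HELLO", self.id, seq.to_bytes(4, "big"))

    def on_hello(self, sender, seq, mac):
        """Return a challenge nonce, or None if the HELLO is forged or replayed."""
        good = tag(self.key, b"HELLO", sender, seq.to_bytes(4, "big"))
        if not hmac.compare_digest(mac, good) or seq <= self.last_seq.get(sender, -1):
            return None
        self.last_seq[sender] = seq
        self.pending[sender] = os.urandom(8)
        return self.pending[sender]

    def answer(self, challenger, nonce):
        return tag(self.key, b"ECHO", self.id, challenger, nonce)

    def on_echo(self, sender, mac):
        nonce = self.pending.pop(sender, None)
        if nonce is None:
            return False
        ok = hmac.compare_digest(mac, tag(self.key, b"ECHO", sender, self.id, nonce))
        if ok:
            self.neighbors.add(sender)
        return ok

def discover(listener, sender, hello, reply_reaches_sender):
    """Deliver sender's HELLO to listener; the challenge goes out at normal power."""
    nonce = listener.on_hello(*hello)
    if nonce is None or not reply_reaches_sender:
        return False            # rejected, or one-way link: no echo ever arrives
    return listener.on_echo(sender.id, sender.answer(listener.id, nonce))
```

The `reply_reaches_sender` flag stands in for the radio: a HELLO heard from a transmitter that the listener's own radio cannot reach never produces an echo, so that sender never enters the neighbor table.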

Intuition


Tight tradeoff


energy conservation via optimized paths


optimization


manipulation of cost factors


Avoid


powerful nodes (they can’t be authenticated)


centralized functionality (same reason)


What can we use?


randomization / probabilistic routing?