Journal Paper Scouting

Nov 21, 2013 (3 years and 10 months ago)


A Presentation for the ResiliNets Group

© 2008 Egemen Cetinkaya

July 2008


Egemen Çetinkaya


Department of Electrical Engineering & Computer Science


The University of Kansas


ecetin01@ittc.ku.edu


http://wiki.ittc.ku.edu/resilinets_wiki/index.php/Main_Page



Outline


Overall


Security and Privacy in Sensor Networks


Haowen Chan and Adrian Perrig, CMU


IEEE Computer, October 2003, pp. 103-105


Denial of Service in Sensor Networks


Anthony D. Wood and John A. Stankovic, Univ. of Virginia


IEEE Computer, October 2002, pp. 54-62


Secure routing in wireless sensor networks: attacks and countermeasures


Chris Karlof and David Wagner, UC-Berkeley


Elsevier Ad-Hoc Networks, September 2003, pp. 293-315


Security and Privacy in Sensor Nets


Outline


Sensor Node Compromise


Eavesdropping


Privacy of Sensed Data


Denial of Service Attacks


Malicious Use of Commodity Networks


Security and Privacy in Sensor Nets


Sensor Node Compromise


Sensor Node Compromise


Large scale sensor nets, hard to protect against physical and logical attacks


Countermeasures:


Tamper resistant hardware: expensive


Node-to-node authentication in software


Sensor Networks must be made resilient:


“able to function at high effectiveness even with a small number of malicious nodes. For example, routing protocols must be resilient against compromised nodes that behave maliciously.”


Security and Privacy in Sensor Nets


Eavesdropping


Eavesdropping


Passive attack


Countermeasure: Encryption


Must be robust


Must be feasible for limited resources


Hard to implement E2E encryption due to large scale (too many keys need to be stored)


HBH encryption is a solution, but conflicts with E2E arguments


Multipath routing is a solution, where parts of a message are sent over multiple disjoint paths ?!?


Security and Privacy in Sensor Nets


Privacy


Privacy of Sensed Data


Access to stored data, by querying or by eavesdropping


Countermeasures:


Encryption


Access control


Reduction in sensed data details (e.g. aggregation)


Distributed processing, where no one node has access to queried results



Security and Privacy in Sensor Nets


DoS


Denial of Service Attacks


Aims to destroy network functionality


At the physical layer


e.g. radio jamming


Battery exhaustion


Creating routing loops


Countermeasures:


Spread spectrum techniques


Proper authentication (authentication techniques themselves can be used to exhaust battery)



Security and Privacy in Sensor Nets


Malicious Commodity Networks


Malicious use of commodity networks


Use of sensor networks for illegal purposes, e.g. planting them in computers to extract private information


Countermeasure:


Deploy sensor detectors to detect malicious sensor nets


It will not protect against illegal sensor network deployment, but will make attacks expensive


This is not an attack on sensor nets ?!?



Denial of Service in Sensor Networks


Outline


Theory and application


The denial of service threat


Physical layer


Link layer


Network and routing layer


Transport layer


Protocol vulnerabilities


Denial of Service in Sensor Networks


Theory and Application


Small nodes, wireless communication


Data centric vs. address centric


Military, healthcare, environmental monitoring


Large scale


Network must be resilient to individual node failure


Security in the original design of protocols and software applications for all networks


Denial of Service in Sensor Networks


Denial of Service Threat


“A DoS attack is any event that diminishes or eliminates a network’s capacity to perform its expected function. Hardware failures, software bugs, resource exhaustion, environmental conditions, or any complicated interaction between these factors can cause a DoS”


Detection of DoS is harder due to large scale


Layered network architecture can improve robustness (e.g. attacks exploiting interactions between layers)


Denial of Service in Sensor Networks


DoS Attacks at the Physical Layer


Jamming


Simple


k jamming nodes, N out-of-service nodes, where k << N


Defense: spread spectrum, reporting attack to BS, buffering during the attack, use of IR or optical during the attack


Tampering


Tampering physically


Defense: erase cryptographic or program memory, camouflaging


Denial of Service in Sensor Networks


DoS Attacks at the Link Layer


Collision


Corrupting data or control packets for checksum mismatch or back-off


Defense: error correcting codes, but expensive


Exhaustion (battery exhaustion)


Retransmissions, interrogation attack (e.g. RTS/CTS)


Defense: MAC admission control rate limiting


Unfairness


Weaker DoS, causing real time MAC to miss the deadline


Defense: use of small frames


Denial of Service in Sensor Networks


DoS Attacks at the Network Layer (1)


Neglect and greed


Malicious node randomly drops packets (neglectful node)


Malicious node gives priority to its own messages (greedy)


Defense: multiple routing paths and redundant messages


Homing


Passive attack to identify critical nodes, e.g. BS, clusterhead, sink


Once identified, an active attack can be launched


Defense: hiding using shared cryptographic keys



Denial of Service in Sensor Networks


DoS Attacks at the Network Layer (2)


Misdirection


Active attack, messages are forwarded along wrong paths


Defense: egress filtering approach


Black holes


Malicious nodes advertise zero-cost routes, making them attractive for traffic path


Nodes around the malicious node are exhausted, causing a hole or partition


Easy to detect, but very disruptive


Defense: detection of inconsistent advertisements


Denial of Service in Sensor Networks


DoS Defenses at the Network Layer


Authorization


Defense against misdirection and black holes


Monitoring


Monitoring proper routing


Simple, less expensive IDS


Probing


Probes should be indistinguishable from normal traffic


Defense against neglect and greedy attacks


Redundancy


Diversity coding, less expensive


Denial of Service in Sensor Networks


DoS Attacks at the Transport Layer


Flooding


Memory exhaustion for stateful connections


Defense 1: limiting number of connections


Defense 2: client puzzles, computationally expensive


Desynchronization


Forged messages (e.g. sequence numbers, control flags) push end systems into retransmission


Defense: authentication


Denial of Service in Sensor Networks


Protocol Vulnerabilities


Adaptive rate control


High BW traffic generated by malicious nodes is given priority


Real-time location based protocols (RAP)


Flooding the network with high velocity packets


Secure Routing in WSNs


Outline


Introduction and contributions


Background


Sensor networks vs. ad-hoc wireless networks


Related work


Problem statement


Attacks on sensor network routing


Attacks on specific sensor network protocols


Countermeasures


Secure Routing in WSNs


Introduction


The paper is about routing security of WSNs


Conventional networks


Routing is concerned with message availability


Higher layers handle: Integrity, Authenticity, Confidentiality


E2E security is handled by higher layers, e.g. SSH, SSL


Wireless Sensor Networks


In-network processing makes E2E security impossible


LL security can alleviate some of the security problems


Secure Routing in WSNs


Contributions


Propose threat models and security goals


Introduce sinkhole and HELLO flood attacks against sensor networks (relevant to MANETs)


Show MANET and P2P attacks can be adapted to WSNs


Detailed security analysis of major routing protocols


Discuss countermeasures and design considerations


Secure Routing in WSNs


Background


Small, large scale, stationary, low cost & power


Berkeley TinyOS platform is examined


Low power & memory


Data aggregation occurs, thus time delay of message


Security


Public-key cryptography is computationally expensive


Fast symmetric-key cryptography must be used sparingly


Moore’s law seems unlikely


Instead cheaper systems with fixed performance


Secure Routing in WSNs


Sensor Network Legends and Architecture

[Figure: sensor network architecture. Legend: BS, sink, low latency, high BW link, sensor node (mote), low power radio, adversary]


Secure Routing in WSNs


Sensor Nets vs. MANETs


Similarities


Both are multihop


Differences


Traffic pattern in WSNs


Many-to-one


One-to-many


Local communication


WSNs are more resource constrained


Aggregation, in-network processing occurs in WSNs


Secure Routing in WSNs


Related Work


Security issues are similar (MANET vs. WSNs) but not the defense mechanisms


Public-key cryptography is expensive for WSNs


WSNs must rely on private-key cryptography


Symmetric-key cryptography based on SR or DV is not suitable for WSNs


Punishing, reporting selfish or misbehaving nodes is promising work


SNEP and µTESLA are security protocols optimized for WSNs


Secure Routing in WSNs


Problem Statement (1)


Network assumptions


Wireless communication, i.e. insecure radio links


Many sensor nodes, few malicious nodes


Malicious nodes can be bought separately


Legitimate nodes can be converted to malicious nodes


Adversary might be much more powerful (e.g. laptop)


Physical and MAC layer attacks are not the focus


Nodes are not tamper-resistant


Trust requirements


Base stations are trustworthy


Aggregation points may or may not be trustworthy


Secure Routing in WSNs


Problem Statement (2)


Threat models


Mote-class attackers vs. laptop-class attackers


Outsider attacks vs. insider attacks


Security goals


Ideally the security objective is CIAA of all messages


Due to aggregation E2E security is not possible


Outsider attacks can be prevented by link layer security


Insider attacks are challenging, LL security is not enough


Replay attacks should be prevented by the application layer


Secure Routing in WSNs


Attacks on Sensor Network Routing (1)


Attack categories:


Spoofed, altered, or replayed routing information


Selective forwarding


Sinkhole attacks


Sybil attacks


Wormholes


HELLO flood attacks


Acknowledgement spoofing


Attacks differ based on:


Manipulating user data


Underlying routing topology


Secure Routing in WSNs


Attacks on Sensor Network Routing (2)


Spoofed, altered, or replayed routing information


Targets the routing info exchanged between nodes


Creates routing loops, partitions network, inc. E2E delay etc.


The Sybil attack


A single node presents multiple identities to other nodes


Significantly reduces effectiveness of fault tolerance schemes: distributed storage, dispersity, multipath routing, topology maintenance


Significant threat to geographic routing protocols


Secure Routing in WSNs


Attacks on Sensor Network Routing (3)

[Figure: two panels, "Spoofed, altered routing information" and "Sybil attack". Node labels: A (0,2), B (0,1), C (1,1), D (2,1), D (1,0); annotation "Bogus routing info: D (1,0)"]


Secure Routing in WSNs


Attacks on Sensor Network Routing (4)


Selective forwarding


Malicious nodes refuse to forward certain messages


If all messages are dropped a black hole is created


Black holes are easy to detect, i.e. may not serve an attacker’s objective


Most effective when the malicious node is on the data path


If not on data path, sinkhole or Sybil attacks are effective


Sinkhole attacks


Attacker attracts all traffic nearby


Attraction occurs w.r.t. routing algorithm, e.g. high quality route advertisement via laptop-class adversary


Enables selective forwarding (SF), and makes SF trivial


Secure Routing in WSNs


Attacks on Sensor Network Routing (5)

[Figure: Selective forwarding, adversary on the data path; node labels S and D]


Secure Routing in WSNs


Attacks on Sensor Network Routing (6)


Wormholes


Adversary tunnels messages in one part of the network to a different part via low latency link


Involvement of two adversaries is more common


Essentially a sinkhole attack


Exploits the routing race condition: ignoring later messages


Detection is difficult when used with Sybil attack


Secure Routing in WSNs


Attacks on Sensor Network Routing (7)

[Figure: Wormhole illustration, sinkhole creation; node label BS]


Secure Routing in WSNs


Attacks on Sensor Network Routing (8)


HELLO flood attack


Nodes broadcast HELLO messages to announce themselves to neighbors


Powerful laptop-class device can be used to convince network that the adversary is a node’s neighbor


Nodes hearing this message will use this route


Acknowledgement spoofing


Several routing protocols rely on link layer acknowledgement


Adversary spoofs these messages to notify neighboring nodes a weak link is strong, or a dead node is alive


Spoofed messages can be used to launch SF attack


Secure Routing in WSNs


Attacks on Sensor Network Routing (9)

[Figure: HELLO flood attack; node label BS]


Secure Routing in WSNs


Attacks on Sensor Network Protocols (1)


All proposed sensor network routing protocols are susceptible to attacks


The routing protocols analyzed are:


TinyOS beaconing


Directed diffusion


Geographic routing


Minimum cost forwarding


LEACH: low-energy adaptive clustering hierarchy


Rumor routing


Energy conserving topology maintenance (GAF, SPAN)


Secure Routing in WSNs


Attacks on Sensor Network Protocols (2)


TinyOS beaconing operation


Based on spanning tree construction


BS broadcasts route update periodically


Packets forwarded to parent node until they reach the BS


Attacks against TinyOS beaconing


No authenticated routing updates, any device can claim to be the BS


Wormhole/sinkhole attacks


HELLO flood attacks


Routing loops



Secure Routing in WSNs


Attacks on Sensor Network Protocols (3)


Directed diffusion operation


Sinks flood interest, gradients set-up


Nodes propagate data back to sink


Attacks against directed diffusion


Hard to attack during flooding phase


Suppression: spoof control messages


Cloning: enables eavesdropping


Path influence: spoof control messages


Selective forwarding and tampering:


Multipath version is more robust against attacks


Sybil attacks are possible


Secure Routing in WSNs


Attacks on Sensor Network Protocols (4)


Geographic routing protocols operation


Greedy Perimeter Stateless Routing (GPSR)


Greedy forwarding, packets routed to the closest neighbor


Geographic and Energy Aware Routing (GEAR)


Energy is weighted in forwarding decisions


Attacks against geographic routing protocols


Sybil attack to misrepresent a node’s location


False advertisements of location information


Selective forwarding


Routing loops



Secure Routing in WSNs


Attacks on Sensor Network Protocols (5)


Minimum cost forwarding operation


Essentially Distributed Shortest Path algorithm


Attacks against minimum cost forwarding


Sinkhole attacks


False advertisement of zero cost from an adversary


A laptop-class adversary can utilize a wormhole to help sinkhole attacks


HELLO flood attacks



Secure Routing in WSNs


Attacks on Sensor Network Protocols (6)


Low Energy Adaptive Clustering Hierarchy operation


Two phases:


Setup: Clusterheads are randomly picked for energy savings


Steady-state: Clusterheads send/receive aggregated data to BS in TDMA


Attacks against LEACH


HELLO flood attacks


Adversary acts as clusterhead by sending powerful signal


Small size networks are prone to selective forwarding


Sybil attacks are possible


Attacks aim at higher levels in the hierarchy


Secure Routing in WSNs


Attacks on Sensor Network Protocols (7)


Rumor routing operation


Probabilistic selection of next hop


Agents carry the events, TTL etc.


Energy saving compared to flooding


Attacks against rumor routing


Selective forwarding


Can be made easier by creating a wormhole



Secure Routing in WSNs


Attacks on Sensor Network Protocols (8)


Energy conserving topology maintenance


Essentially more nodes are deployed than what is needed


GAF, SPAN, CEC, AFECA are examples


Attacks against GAF and SPAN


Broadcasting high-ranking control messages


Selective forwarding


HELLO flood attack


Sybil attack


Secure Routing in WSNs


Countermeasures (1)


Outsider attacks and link layer security


The Sybil attack


HELLO flood attacks


Wormhole and sinkhole attacks


Leveraging global knowledge


Selective forwarding


Authenticated broadcast and flooding


Secure Routing in WSNs


Countermeasures (2)


Outsider attacks and link layer security


Major outsider attacks can be prevented via link layer encryption and authentication using global shared key


Sybil attack is irrelevant


Sinkhole attack and SF are not possible


LL mechanisms are not sufficient for wormhole or HELLO flood attacks


Link layer security cannot counter insider attacks



Secure Routing in WSNs


Countermeasures (3)


The Sybil attack can be prevented via identity verification


Identity verification can be done using public key cryptography which generates digital signatures


DS is costly for resource constrained Sensor Nets


To overcome this: each node can share a unique key with the BS, and nodes can then verify each other’s identity and establish a shared key


This is still costly but the cost is lower
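
The base-station-mediated identity check on this slide, as an added sketch that is not code from the presentation or the reviewed paper. The class and function names, the message layout and the HMAC-derived keystream (standing in for a mote's block cipher) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (avoids ambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class BaseStation:
    """Trusted party holding one unique key per enrolled node identity."""
    def __init__(self):
        self.node_keys = {}

    def enroll(self, node_id):
        self.node_keys[node_id] = os.urandom(32)
        return self.node_keys[node_id]

    def issue(self, a, nonce_a, b, nonce_b):
        """One ticket per endpoint, or None if an identity was never enrolled."""
        if a not in self.node_keys or b not in self.node_keys:
            return None
        pair_key = os.urandom(32)
        return (self._wrap(a, b, nonce_a, pair_key),
                self._wrap(b, a, nonce_b, pair_key))

    def _wrap(self, node, peer, nonce, pair_key):
        k = self.node_keys[node]
        # Stand-in cipher (assumption): single-use HMAC keystream.
        # The tag binds the ticket to the nonce and the peer identity.
        ct = xor(pair_key, mac(k, b"enc", nonce))
        return ct, mac(k, b"tag", nonce, peer, ct)

def open_ticket(node_key, peer, nonce, ticket):
    """Return the pair key if the ticket is authentic for this node, else None."""
    ct, tag = ticket
    if not hmac.compare_digest(tag, mac(node_key, b"tag", nonce, peer, ct)):
        return None
    return xor(ct, mac(node_key, b"enc", nonce))

def establish(bs, a, key_a, b, key_b):
    """Nodes claiming identities a and b ask the BS for a pairwise key.
    Both sides are simulated here; on the air they would confirm the key
    with a MAC challenge instead of comparing it directly."""
    nonce_a, nonce_b = os.urandom(8), os.urandom(8)
    tickets = bs.issue(a, nonce_a, b, nonce_b)
    if tickets is None:
        return None                      # unknown identity: refuse the link
    k_a = open_ticket(key_a, b, nonce_a, tickets[0])
    k_b = open_ticket(key_b, a, nonce_b, tickets[1])
    if k_a is None or k_b is None or not hmac.compare_digest(k_a, k_b):
        return None                      # a claimed identity lacks its key
    return k_a

def demo():
    bs = BaseStation()
    key_a, key_b, key_c = (bs.enroll(i) for i in (b"A", b"B", b"C"))
    honest = establish(bs, b"A", key_a, b"B", key_b)
    invented = establish(bs, b"A", key_a, b"B2", key_c)  # identity never enrolled
    borrowed = establish(bs, b"A", key_a, b"B", key_c)   # C presents itself as B
    return honest is not None, invented, borrowed
```

An identity is only as good as the key behind it: a node can present as many names as it likes, but it obtains a usable link key only for the one identity whose key it actually holds.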


Secure Routing in WSNs


Countermeasures (4)


HELLO flood attacks can simply be prevented via verification of bidirectionality of the link


If the attacker has a sensitive receiver, this is useless


To prevent attacks:


Use identity verification for authentication


Adversary claiming to be neighbor of an unusually large number of nodes should raise an alarm
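
The two HELLO flood checks on this slide, run over a constructed topology as an added example (not code from the presentation or the paper). The radio model, the grid, the ranges and the "3 x median" alarm threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter
from statistics import median

MOTE_RANGE = 15.0  # metres; constructed value

class Node:
    def __init__(self, nid, x, y, tx_range=MOTE_RANGE, rx_gain=0.0):
        self.nid, self.x, self.y = nid, x, y
        self.tx_range = tx_range  # how far this node's frames carry
        self.rx_gain = rx_gain    # extra reach from a more sensitive receiver

def reaches(sender, receiver):
    """Simplified radio model: does a frame from sender arrive at receiver?"""
    d = math.hypot(sender.x - receiver.x, sender.y - receiver.y)
    return d <= sender.tx_range + receiver.rx_gain

def neighbor_tables(motes, transmitters, verify_bidirectional):
    """Neighbor table each mote builds from the HELLOs it hears."""
    tables = {}
    for m in motes:
        heard = [t for t in transmitters if t is not m and reaches(t, m)]
        if verify_bidirectional:
            # The mote sends a challenge at its own power; a sender that
            # cannot hear it cannot answer, so the one-way link is dropped.
            heard = [t for t in heard if reaches(m, t)]
        tables[m.nid] = {t.nid for t in heard}
    return tables

def flag_suspects(tables, factor=3):
    """IDs listed as neighbor by more than factor x the median count."""
    claimed = Counter(nid for table in tables.values() for nid in table)
    limit = factor * median(claimed.values())
    return sorted(nid for nid, count in claimed.items() if count > limit)

def scenario(adv_rx_gain, verify_bidirectional):
    # Constructed deployment: 5x5 grid of motes 10 m apart, plus one
    # laptop-class transmitter whose HELLO covers the whole field.
    motes = [Node(f"m{x}_{y}", 10 * x, 10 * y)
             for x in range(5) for y in range(5)]
    adv = Node("ADV", 25, 25, tx_range=100.0, rx_gain=adv_rx_gain)
    tables = neighbor_tables(motes, motes + [adv], verify_bidirectional)
    listed_by = sum("ADV" in t for t in tables.values())
    return listed_by, flag_suspects(tables)

if __name__ == "__main__":
    print("no check:           ", scenario(0.0, False))
    print("bidirectional check:", scenario(0.0, True))
    print("sensitive receiver: ", scenario(100.0, True))
```

The third scenario is the slide's caveat: the bidirectional check passes, and only the neighbor-count alarm catches the transmitter.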



Secure Routing in WSNs


Countermeasures (5)


Wormhole and sinkhole attacks are hard to defend


Harder when used in combination


Geographic routing protocols are resistant to sinkhole attacks


Base station initiated topology construction protocols are most susceptible to wormhole attacks


Defensive mechanisms should be considered at the design phase of the protocols


Secure Routing in WSNs


Countermeasures (6)


Leveraging global knowledge


Keep inventory of the network (# nodes, topology), and be alerted during suspicious changes


Probabilistic selection of next hop against sinkhole attacks


Placement of nodes to known locations


Selective forwarding


Multipath routing to counter selective forwarding attacks


Authenticated broadcast and flooding


Authenticated broadcast protocol µTESLA


Use of flooding, which is robust: attackers need to partition the network


Flooding is expensive, SPIN and gossiping are more efficient


Overall Conclusions


Highlights on WSN Security


WSNs are not secure


Attacks similar to other networks (e.g. MANET, wireless)


Different defense mechanisms (limited res. & large scale)


E2E security is not possible due to in-network processing in WSNs


Flooding is robust to attacks, FT helps defense


The security should be considered during the design phase of protocols, not afterwards


Addition of security is expensive in terms of processing, energy, memory, cost


Backup


Key Management in WSNs (1)


A networkwide shared key


Pros: simple


Cons: even 1 node compromise can reveal everything


One key for link establishment, one per pair for communication, erase networkwide key after session establishment


Cons: doesn’t allow addition of new nodes after initial key-establishment


Public-key cryptography


Pros: any node can set up a secure key with any other node


Cons: expensive for WSNs


Cons: expensive for WSNs


Backup


Key Management in WSNs (2)


Preconfigure the network with a shared unique key between nodes


Cons: Doesn’t scale well, need n(n-1)/2 keys. Also how would you know location info in a random deployment?


Bootstrapping keys using a base station


Cons: BS becomes single point of failure


Random-key predistribution


Pros: requires fewer keys (memory) in the node


Cons: a sufficient number of compromised nodes can reveal the scheme
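
The storage and compromise trade-offs listed on the two key management slides, worked through as an added example (not part of the presentation). The slides give only the n(n-1)/2 count; the share-probability and exposure formulas are the standard analysis of basic random key predistribution, and the network size, pool size and capture count are constructed values.

```python
from math import comb

def pairwise_keys(n):
    """Unique key per node pair: (keys stored per node, keys network-wide)."""
    return n - 1, n * (n - 1) // 2

def share_probability(pool, ring):
    """Chance that two random rings of `ring` keys drawn from `pool` overlap."""
    if 2 * ring > pool:
        return 1.0  # two rings cannot both fit without sharing a key
    return 1 - comb(pool - ring, ring) / comb(pool, ring)

def min_ring_size(pool, target):
    """Smallest ring size whose share probability reaches `target`."""
    for ring in range(1, pool + 1):
        if share_probability(pool, ring) >= target:
            return ring
    raise ValueError("target must be at most 1")

def links_exposed(pool, ring, captured):
    """Fraction of links among uncaptured nodes readable after `captured`
    key rings are extracted, assuming each link uses one key from the pool."""
    return 1 - (1 - ring / pool) ** captured

def compare(n, pool, target, captured):
    per_node, total = pairwise_keys(n)
    ring = min_ring_size(pool, target)
    return {
        "pairwise_keys_per_node": per_node,
        "pairwise_keys_total": total,
        "random_ring_size": ring,
        "random_share_probability": round(share_probability(pool, ring), 3),
        # Networkwide key: one captured node exposes every link.
        "networkwide_exposed_after_1_capture": 1.0,
        # Pairwise keys: captures expose only the captured nodes' own links.
        "pairwise_exposed": 0.0,
        "random_exposed": round(links_exposed(pool, ring, captured), 3),
    }

if __name__ == "__main__":
    # Constructed sizes: 10,000 nodes, 10,000-key pool, 50 captured nodes.
    for name, value in compare(10_000, 10_000, 0.5, 50).items():
        print(f"{name:38} {value}")
```

With these sizes a mote stores 83 keys instead of 9,999, at the price that 50 captured nodes expose roughly a third of the remaining links.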