security issues related to cognitive radios and dynamic ... · 7/27/2010 timxb@colorado.edu 5 tcp...
Post on 14-Sep-2020
4 Views
Preview:
TRANSCRIPT
Security Issues Related to
Cognitive Radios and
Dynamic Spectrum Access
Timothy X Brown
Interdisciplinary Telecommunications Program
Dept. of Electrical, Computer, and Energy Engineering
University of Colorado, Boulder
11th Annual International Symposium on Advanced Radio Technologies
Boulder, CO July 27 2010
CR/DSA Security
� Why are CR/DSA special?
� 50 ways to deny your service.
� How to analyze and harden CR systems.
7/27/2010 timxb@colorado.edu 2
7/27/2010 timxb@colorado.edu 3
Review
� Spectrum is important to UAS
� The spectrum is fully allocated
� Most spectrum is unused
� Cognitive Radio:
� Avoid Licensed users
� Communicate in “white spaces”
Maximum Amplitudes
Frequency (MHz)
Am
plid
ue (
dB
m)
Heavy UseHeavy Use
Sparse UseSparse Use
Heavy UseHeavy Use
Medium UseMedium Use
7/27/2010 timxb@colorado.edu 4
Similar to other
wireless devices
Similar to other
wireless devices
Vulnerable to
Denial of Service
Vulnerable to
Denial of Service
The Big Question
Can CR/DSA be made secure?
Confidentiality
Integrity
Availability
7/27/2010 timxb@colorado.edu 5
TCP Denial of Service
SYN-ACK
SYN
ACK
HTTP GET
TCP Start Up
Data Exchange
SYN
xSYN
xSYN
x
SYN
3
6
12
Denial of Service
0
5
10
15
20
25
0 2 4 6 8 10 12
Number Jammed
Do
wn
loa
d T
ime (
sec
)
TCP-SYN-ACK
AODV-RREP
Brown, James, Sethi, “Jamming and Sensing of Encrypted Wireless Ad Hoc Networks,” in MobiHoc, 2006
7/27/2010 timxb@colorado.edu 6
<Preamble>
<DL-MAP><DCD>
<UL-MAP><UCD>
<RNG-REQ>
<SBC-REQ>
<PKM-REQ>
<REG-REQ>
<RNG-RSP>
<SBC-RSP>
<PKM-RSP>
<REG-RSP>
Channel Scan and Synchronization
Ranging and
Capability Exchange
Key Exchange and Authorization
Registration
<Preamble>
<DL-MAP><DCD>
<UL-MAP><UCD>
<RNG-REQ>
<RNG-RSP>
Ranging
Retries
<RNG-RSP>
<RNG-RSP>
De
lay in
ra
ngin
g
du
e t
o jam
min
g
DL-MAP, UL-MAP, DCD
and UCD expected at
regular intervals
BS SS BS SS
<DL-MAP><UL-MAP>
Throws client out
of network even
after association
<RNG-REQ>
<RNG-REQ>
Denial of Service
802.16 Network Entry and Initialization
Denial of Service
DSA/CR being pushed for
� Commercial
� Public Safety
� Military
Will not tolerate Denial of Service
7/27/2010 timxb@colorado.edu 8
Need to be careful with spectrum
� The spectrum is fully allocated
� Primary users fear
Harmful Interference
� “Mistakes” will bring down
regulatory hammer.
Maximum Amplitudes
Frequency (MHz)
Am
plid
ue (
dB
m)
Heavy UseHeavy Use
Sparse UseSparse Use
Heavy UseHeavy Use
Medium UseMedium Use
OK OK
Whoops!
7/27/2010 timxb@colorado.edu 9
Review
Many DSA conceptsQ. Zhao, B. Sadler, A Survey of Dynamic Spectrum Access, IEEE Signal Processing, May 2007
• Unlicensed• Access etiquettes
• Fast buy and sell• Short-term Rental
• Find whitespaces• Avoid harming primary
7/27/2010 timxb@colorado.edu 10
Cognitive vs. Traditional Radios
Radio
Cognitive Engine
Geolocator
Sensor
Policy Input
OperatingSystem
A CR does more than a traditional radio
User Interaction Via
7/27/2010 timxb@colorado.edu 11
Hierarchical
AccessDynamic
Exclusive
Use
Open
Sharing
Cognitive vs. Traditional Radios
Cognitive Engine
Geolocator
Sensor
Policy Input
OperatingSystem
Not all functions used in all cognitive radiosWhat are the most vulnerable?
Radio
Why are CR/DSA different?
� More functions:
� more functions = more vulnerabilities
� Two DoS attacks:
� Directly: degrade one or more radios
� Indirectly: induce harmful interference
� Wide range of architectures
� What are best choices?
7/27/2010 timxb@colorado.edu 12
CR/DSA Security
� Why are CR/DSA special?
� 50 ways to deny your service.
� How to analyze and harden CR systems.
7/27/2010 timxb@colorado.edu 13
7/27/2010 timxb@colorado.edu 14
CR Detect Range
Victim CR
Non-Cooperative Arch: Attacker Successfully “Denies” Access
Attacker Emulates Primary User
(Spoofs Sensor Input)
Distributed Cooperative Arch: Collated measurements make the attack less effective.
Cooperative CR
Network
Central
Authority
Active
Primary Users
Database
Centralized Cooperative Arch: Ineffective due to collated measurements in DB
Vulnerability Depends on Architecture
Non-Cooperative Cooperative
Centralized Distributed
CR Network Architectures
Example:
CR-specific DoS Attack
7/27/2010 timxb@colorado.edu 15
CR
Example CR-specific DoS Attack
CR PP P
CR
PP P
P PP P
P
Spoof
PPP P
PPP PCR
CR is Denied Access
Or Induced to Interfere
PP PCR
P
Spoof
PP P
CR does not React to
Primary User Emulation
Overlay Underlay
Time
P
P
Vulnerability Depends on Spectrum Access Methods
Overlay Underlay
Spectrum Access Methods
7/27/2010 timxb@colorado.edu 16
Geo-locate/
Access DB
Beacon/Control Signal
Detection/Sensing
Policy Database
PrimaryUsers
Database
TVDatabase
RadarDatabase
CellularDatabase
RF Environment
Prone to
Beacon/Control
Signal Spoof,
Jam,
Relay
Prone to
Location/DB
Spoof, Jam,
Replay
Prone to
Sensing
Spoof, Jam,
Replay
Geo-locate/Access DB
Beacon/Control Signal
Detection/Sensing
Spectrum Awareness Methods
Vulnerability Depends on Spectrum Awareness Methods
Spectrum Awareness
7/27/2010 timxb@colorado.edu 17
Many Attacks and Many Cofigurations
Analysis of Multiple Attacks against
Multi-Dimensional CR Configurations
CR/DSA Security
� Why are CR/DSA special?
� 50 ways to deny your service.
� How to analyze and harden CR systems.
7/27/2010 timxb@colorado.edu 18
7/27/2010 timxb@colorado.edu 19
Analysis Approach
� Combines
� likelihood/impact risk assessment (Barbeau/ETSI TS 102 165-1 V4.1.1)
� aviation risk analysis techniques (Hammer)
� Two Analyses
� Open: e.g. no encryption
� Hardened
Qualitative ranking
Organizes complex
interactions
7/27/2010 timxb@colorado.edu 20
Attack Analysis: Risk Assessment (1/3)
1. Attack Likelihood
Technical Problems to Attacker Likelihood Case Rank
Insolvable Impossible 0
Strong Low 1
Solvable Medium 2
None High 3
7/27/2010 timxb@colorado.edu 21
Attack Analysis: Risk Assessment (2/3)
Rationale: Impact on VictimImpact Case Rank
Denial Attacks Induce Attacks
None None None 0
Perceptible but insignificant
degradation in CR
communication.
Perceptible but infrequent
interference to active
primary users
Low 1
Significant degradation but still
operational CR
communication.
Perceptible frequent
interference to active
primary users
Medium 2
Non-operational CR
communication
Continuous interference to
active primary usersHigh 3
2. Attack Impact
7/27/2010 timxb@colorado.edu 22
Attack Analysis: Risk Assessment (3/3)
3. Risk Level = f(Likelihood, Impact)
Risk Case Risk Mitigation Action
Minor No Countermeasures Required
Major Threat cannot be Ignored
Critical Mandates High Priority Handling
7/27/2010 timxb@colorado.edu 23
Attack Analysis: Risk Analysis using
Hammer Model Framework (1/3)
Attacker
Actions
CR
Vulnerabilities
Attack
Outcome
Interaction
Logic
• Organizes complex interactions
• Based on FAA System Safety Hazard Analysis
Preconditions
Initiating Threat Contributory Threat Primary Threat
7/27/2010 timxb@colorado.edu 24
Attack Analysis: Risk Analysis using
Hammer Model Framework (2/3)
� Modeling tool to represent an attack scenario into a sequence
of initiating and contributory threats that result in one of more
primary threats.
� Primarily Used for Qualitative Scenario based Attack
Analysis.
7/27/2010 timxb@colorado.edu 25
Example: Primary User Emulation Attack
in Non-Cooperative Architecture (3/3)
Main
Initiating
Threat
Attack
Pre-
conditions
7/27/2010 timxb@colorado.edu 26July 2008Timothy X Brown, University of
ColoradoSlide 26
Open System Attack Analysis Summary
Assumes open
system with no
encryption on any
link
CR/DSA Security
� Why are CR/DSA special?
� 50 ways to deny your service.
� How to analyze and harden CR systems.
7/27/2010 timxb@colorado.edu 27
7/27/2010 timxb@colorado.edu 28
System Hardening
Can we mitigate:
� Primary User Emulation Attack
� Policy Spoofing
� Beacon Replay Attack
� Location Denial of Service
� …
7/27/2010 timxb@colorado.edu 29
Example:
How to Get Policies
� Simplest mechanism: Someone tells you
� Who do you trust?
� What if DB is unavailable?
� How do you manage?
CR
Policy DB
Policy DB
CR
Policy
DB (?)
7/27/2010 timxb@colorado.edu 30
Policy Communication Model
� Example: Centralized Model
BSA BSB
Communication Network
Policy DB Policy DB Policy DB
7/27/2010 timxb@colorado.edu 31
Hierarchical Policy Authorization
Frequency
Location
FCC/NTIA
FAA
DEN
FAA
10MHzCONUS
NTIA
N860CP
DEN
10MHzColorado
FAA
GCS
1MHzColorado
DENSecure certificate chain
ensures authority to assign spectrum
Ignore unauthorized
policies
GCSGround
Control
Station
How can we harden the DSA/CR?
� Digital Signatures (false messages)
� Encrypted control channels (coordinated attacks)
� Spread spectrum control channels (jamming)
� Trust/reputation (malicious messages/users)
� Cooperative analysis (primary user emulation)
� Cooperative policing (unauthorized spectrum access)
� Multi-mode geolocation (GPS jamming)
� Multi time-scale policies (policy/beacon jamming)
7/27/2010 timxb@colorado.edu 33July 2008Timothy X Brown, University of
ColoradoSlide 33
Hardened System Attack Analysis Summary
Assumes strongest
mitigation technique
identified
7/27/2010 timxb@colorado.edu 34
Risk Assessment Results
Overlay Underlay
Beacon Geo-locate
Database
Detection
Sensing
Beacon Geo-locate
Database
Detection
Sensing
Non-
Cooperative1, 2 0, 3 0, 2 0, 2 0, 1 0, 2
Centralized
Cooperative0, 3 0, 3 0, 3 0, 1 0, 1 0, 2
Distributed
Cooperative0, 3 0, 3 0, 2 0, 1 0, 1 0, 2
Least Vulnerable
CR
Configurations
CR
Configuration
used in
802.22
(Critical, Major)
Disaster
Cellular:
Handset
Disaster
Cellular:
Base-Station
7/27/2010 timxb@colorado.edu 35
Conclusion
� CRs are susceptible to attacks.
� CRs open new avenues of attack.
� A Formal Risk Analysis and Assessment Process can help guide the least vulnerable CR Design Paradigm
Depends on concept of operations
Policy-based CR
Spread spectrum
Are we done?
� Not quite:
� Software defined radios
� Malicious DSP software
� Hardware
� Separating CR from rest of device
� Limits: Intermods and Spurs
(Confidentiality, Integrity, Availability)
7/27/2010 timxb@colorado.edu 37
References
� Brown, T.X, Sethi, A., “Hammer Model Threat Assessment of Cognitive Radio Denial of Service Attacks,” Proc. Of Dynamic Spectrum Access Networks, Chicago, 2008.
� M. Barbeau, “WiMax/802.16 Threat Analysis” in Proceedings of the 1st ACM international workshop on Quality of service & security in wireless and mobile networks, Quebec, Canada, 2005.
� U. S. Department of Transportation, Federal Aviation Administration. (2005, Jan). System safety process steps. [Online]. Available: http://www.faa.gov/library/manuals/aviation/risk_management/media/ssprocdscrp.pdf (accessed Jun 1, 2007).
top related