Reliable Telemetry in White Spaces using Remote Attestation
Omid Fatemieh, Michael D. LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign
Annual Computer Security Applications Conference (ACSAC), Dec 9, 2011
Opportunistic Spectrum Access
• Spectrum crunch
  – Increased demand
  – Limited supply
  – Inefficiencies of fixed and long term spectrum assignment (licenses)
• Emerging solution: opportunistic access to unused portions of licensed bands
• Emerging solution: opportunistic access to WHITE SPACES
• Cognitive Radio: A radio that interacts with the environment and changes its transmitter parameters accordingly
[Figure labels: Primary Transmitter; Primary Receiver; Secondary Transmitter/Receiver (Cognitive Radio)]
White Space Networks
• Allowed by FCC in Nov 2008 (and Sep 2010)
  – TV White Spaces: unused TV channels 2-51 (54 MHz-698 MHz)
  – Much spectrum freed up in transition to Digital Television (DTV) in 2009
  – Excellent penetration and range properties
• Applications
  – Super Wi-Fi
  – Campus-wide Internet
  – Rural broadband (e.g. Claudville, VA)
  – Advanced Meter Infrastructure (AMI) [FatemiehCG – ISRCS ‘10]
How to Identify Unused Spectrum?
• Spectrum Sensing – Energy Detection
  – Requires sensing-capable devices -> cognitive radios
  – Signal is variable due to terrain, shadowing and fading
  – Sensing is challenging at low thresholds
• Central aggregation of spectrum measurement data
  – Base station (e.g. IEEE 802.22)
  – Spectrum availability database (required by the FCC)
[Figure label: No-talk Region for Primary Transmitter]
Collaborative Sensing
Malicious Misreporting Attacks
• Malicious misreporting attacks
  – Exploitation: falsely declare a frequency occupied
  – Vandalism: falsely declare a frequency free
• Why challenging to detect?
  – Spatial variations of primary signal due to signal attenuation
  – Natural differences due to shadow-fading, etc.
  – Temporal variations of primary
  – Compromised nodes may collude and employ smart strategies to hide under legitimate variations
• How to defend against such coordinated/omniscient attackers?
[Figure labels: Compromised Secondary – Vandalism; Compromised Secondary – Exploitation]
Limitations of Previous Work
• Initially assume all sensors are equal
• Rely only on comparing measurements
• Shadow-fading correlation filters for abnormality detection [MinSH – ICNP ‘09]
• Model-based (statistical) outlier detection [FatemiehCG – DySPAN ‘10]
• Data-based (classification) attacker detection [FatemiehFCG – NDSS ‘11]
• Resulting drawback: attacker penetration has to be significantly limited for solutions to work
• What if we can have a subset of “super-nodes”?
A Subset of Trusted Nodes
• Remote attestation: A technique to provide certified information about software, firmware, or configuration to a remote party
  – Detect compromise
  – Establish trust
• Root of trust for remote attestation
  – Trusted hardware: TPM on PCs or MTM on mobile devices
  – Software on chip [LeMayG – ESORICS ‘09]
• Why a subset?
  – Low penetration among volunteer nodes
  – Cost: manufacturing, energy, time, bandwidth (see paper for numbers)
[Figure: Attestation-Capable System and Remote Server, exchanging Nonce and Signed[Nonce || System State]]
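The Nonce / Signed[Nonce || System State] exchange from this slide, as an added example that is not code from the talk or the paper. Assumptions: an HMAC under a per-device key stands in for the signature a TPM or MTM would produce with a hardware-protected key, and the firmware strings, class names and result labels are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed allow-list of known-good system-state digests held by the server.
GOOD_FIRMWARE = b"sensor-firmware-v1 (constructed)"
KNOWN_GOOD = {hashlib.sha256(GOOD_FIRMWARE).hexdigest()}

class Device:
    """Attestation-capable system: measures its state and signs nonce || state."""
    def __init__(self, key, firmware):
        self.key, self.firmware = key, firmware

    def attest(self, nonce):
        state = hashlib.sha256(self.firmware).hexdigest().encode()
        # HMAC is a stand-in for the hardware-rooted signature (assumption).
        sig = hmac.new(self.key, nonce + b"||" + state, hashlib.sha256).digest()
        return state, sig

class Verifier:
    """Remote server: issues single-use nonces and checks the signed state."""
    def __init__(self, key):
        self.key, self.pending = key, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, state, sig):
        if nonce not in self.pending:
            return "stale-or-unknown-nonce"   # replayed or never issued
        self.pending.discard(nonce)           # a nonce is accepted only once
        expected = hmac.new(self.key, nonce + b"||" + state, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if state.decode() not in KNOWN_GOOD:
            return "untrusted-state"          # authentic report of modified software
        return "trusted"
```

A node counts as attested only on "trusted"; the other three outcomes separate a replayed response, a response not produced with the device key, and a genuine report of a state the server does not recognise.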
Key Observations
• Goal: obtain an estimate of signal power in any cell to compare to threshold
• Cell A: Safety or precision?
• Cells B and C: How many regular nodes to include? Which ones?
• Steps
  1. A systematic strategy to determine when there is enough data
  2. If we need additional data, which ones to add to aggregation pool?
  3. Ensure pool not attacker-dominated
[Figure: cells A, B and C; legend: Attested Node, Regular Node]
Intra-cell Node Selection
• Sequential intra-cell node selection
  – Include all attested nodes
  – Include regular nodes until a precision goal is met
• Precision goal: Ensure margin of error for aggregate smaller than requirements (e.g. 3 dB) with high confidence (e.g. 95%) (unknown distribution)
  – Mean: Asymptotically efficient Chow-Robbins sequential procedure:
  – Median: Find a and b (order statistics):
Classification-based inter-cell detection
• Last step: Classification-based inter-cell attacker detection
  – If detected: only use attested data in E
• Median as aggregate:
  – (+) Less vulnerable to legitimate variations or minority attackers
  – (-) Achieving the required precision requires more data
  – (-) Majority attackers can move median while being less ‘abnormal’
• Aggregate: median when attested majority, and mean otherwise
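The sequential intra-cell selection and the aggregate rule from the two slides above, as an added example that is not the authors' implementation. Assumptions: the stopping rule is the textbook Chow-Robbins form for a mean, n >= (z^2 / d^2)(s_n^2 + 1/n), with z = 1.96 for 95% and d = 3 dB; the order-statistics rule for the median is not reproduced; function names, the minimum sample size n0 and all readings are constructed.

```python
import statistics

Z_95 = 1.96  # normal quantile for 95% confidence (assumed from "e.g. 95%")

def select_pool(attested, regular, d=3.0, z=Z_95, n0=3):
    """All attested readings first, then regular readings one at a time until
    n >= (z^2 / d^2) * (s_n^2 + 1/n), the Chow-Robbins stopping rule for a
    mean with margin of error d (dB). Returns (pool, precision_met)."""
    pool, queue = list(attested), list(regular)
    while True:
        n = len(pool)
        if n >= max(n0, 2):
            s2 = statistics.variance(pool)  # sample variance s_n^2
            if n >= (z * z) / (d * d) * (s2 + 1.0 / n):
                return pool, True
        if not queue:
            return pool, False  # ran out of data before reaching the goal
        pool.append(queue.pop(0))

def aggregate(pool, n_attested):
    """Median when attested nodes are the majority of the pool, mean otherwise."""
    if 2 * n_attested > len(pool):
        return statistics.median(pool)
    return statistics.fmean(pool)

def estimate_cell(attested, regular, threshold_dbm, **goal):
    """Select the pool, aggregate it, and compare the level to the threshold."""
    pool, met = select_pool(attested, regular, **goal)
    if not pool:
        return {"n": 0, "precision_met": False, "level": None, "occupied": None}
    level = aggregate(pool, len(attested))
    return {"n": len(pool), "precision_met": met, "level": level,
            "occupied": level >= threshold_dbm}

# Constructed readings in dBm; the two -60.0 values model misreporting nodes.
ATTESTED = [-92.0, -95.5, -90.0]
REGULAR = [-97.0, -88.5, -93.0, -91.0, -60.0, -60.0]

if __name__ == "__main__":
    print(estimate_cell(ATTESTED, REGULAR, threshold_dbm=-100.0))
```

On the constructed data the rule stops at six readings, before the two -60.0 dBm reports enter the pool; when the attested readings already agree closely, no regular node is consulted at all.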
Evaluation
• Hilly Southwest Pennsylvania
• TV transmitter data from FCC
• Terrain data from NASA
• Ground truth: predicted signal propagation using empirical Longley-Rice model
• Takes into account:
  – Transmitter power, location, height, frequency
  – Terrain and distance
• Added aggressive log-normal shadow-fading variations
• Used data to build classifier and evaluate protection against attacks
Conclusions and Future Work
• Showed how to use a small subset of attestation-capable nodes to improve trustworthiness of distributed sensing results.
• Proposed methods:
  – Provide quantifiably precise results.
  – Provide effective protection against attacks with small fraction of attested nodes.
  – Can lower attestation costs for real deployment.
• Future direction: Developing a framework for formulating costs associated with including regular and attested nodes, and systematically striking a balance between the costs (from spectrum data aggregation and remote attestation) and obtaining precise aggregation results.