Secure Routing in Wireless Sensor Networks
Post on 22-Dec-2015

This Paper
  • One of the first to examine security on sensor networks
      • prior work focused on wired and ad hoc
  • Not an algorithms or systems paper
  • Describes
      • general attacks on routing
      • attacks on specific sensor systems
      • some countermeasures
  • Also useful as survey of sensor routing protocols

Outline
  • Context
  • Routing attacks
  • Protocol attacks
  • What next?

Security for Sensor Nets
  • A larger challenge in sensor nets
      • security not priority in protocol design
          • mainly optimize for power (CPU / transmissions)
      • E2E principle does not apply
          • routers need access to data for aggregation
          • many to one communication instead of end-to-end
  • Result
      • Protocols easy to attack and cripple
      • Security needs to be built-in at protocol design

Context
  • Large static sensor networks
      • large # (100’s, 1000’s) of low power nodes
      • fixed location for their entire lifetime
      • focused scenario: Berkeley Motes
          • 4 MHz CPU, 4 KB RAM (data), 40 Kbps max b/w
  • Connectivity
      • base stations: powerful pts of central control
      • sensors form multi-hop wireless network
      • periodic data stream aggregated to BS

Worrying about Power
  • Power is #1 concern for sensors
      • small power reserves → 1% duty cycle or less
      • radio uses power 10^3 more than sleep mode
  • Other constraints
      • minimal CPU, RAM, radio power
      • cannot support: public-key, source routing or distance vector, anything that requires
  • May not benefit from Moore’s law
      • strong pressure to use cheaper nodes
      • is this a temporary trend? will eventually benefit

Assumptions
  • Network assumptions
      • radio is insecure
      • base stations are trustworthy
  • Attackers
      • can control/turn nodes, collude
      • mote-class vs. laptop-class attackers
      • inside vs. outside attackers

Attacks on Sensor Routing
  • Spoofed, altered, replayed routing info
      • result: routing loops, attract or repel network traffic, extend or shorten routes, partition network
  • Selective forwarding
      • drop subset of packets w/o being detected
      • (enabled by) Sinkhole attack
          • provide or falsely advertise shorter routes
          • many to one model makes this easy

Routing Attacks II
  • Sybil attack
      • one node, many (network) identities
  • Wormholes
      • use out-of-band fast channel to route msgs faster than regular network
      • exploit out-of-order delivery (race conditions)
  • HELLO flood
      • broadcast msg to all nodes (laptop-class)
      • disrupt topology construction
  • Ack spoofing
      • replay link layer acks to misrepresent link quality between nodes

Understanding Routing Attacks
  • Key weakness
      • insecure wireless channel (eavesdropping, replays)
      • unequal transmission power / link quality
  • Selective forwarding
      • be a sinkhole (concentrate traffic into malicious node)
  • Enablers (distort view of wireless network)
      • wormholes, HELLO flood (leverage transmission pwr)
      • acknowledgement/route spoofing (distort view of links)
      • sybil (appear as many nodes at once)

Protocol Attacks
  • TinyOS beaconing
      • base station constructs depth first spanning tree with itself as root
  • Attacks
      • w/o authentication: anyone can claim to be BS
      • wormhole / sinkhole attack w/ laptop-class nodes
      • HELLO flood → strand nodes out of range

Protocol Attacks II
  • Directed diffusion
      • BS floods “interests” for named data
      • sensors send data on reverse interest path
      • paths “reinforced” to in/decrease data flow
  • Attacks
      • flooding is more robust to sinkholes
      • once path established, can suppress or clone flows using path reinforcements
      • can modify in-flight data once it’s on path

Protocol Attacks III
  • Geographic routing (GPSR, GEAR)
      • use coordinates to route towards destination
      • GEAR spreads out path to load-balance
      • attack: misrepresent location data for sinkhole attack
      • attack: use sybil to surround target node (sinkhole)
  • Minimum cost forwarding
      • each node keeps local cost of reaching BS
      • broadcast out msg w/ budget, each hop subtracts cost. If budget exceeded, msg dropped
      • attack: advertise low cost path (can also use HELLO)

Protocol Attacks IV
  • Rumor routing
      • send out agent carrying useful events on random walk through network w/ TTL
      • queries and data both sent out via agents
      • attack: mishandle agents & remove data
      • attack: send out tendrils with large TTLs advertising low cost

Protocol Attacks V
  • Energy conserving topology maintenance
      • GAF: nodes placed into grid squares
          • occasionally wake to see if they’re needed, otherwise sleep
      • SPAN: “coordinators” keep connectivity
          • nodes occasionally wake to see if they should be upgraded to coordinator
  • Attacks
      • spoof route/discovery msgs to lull nodes to sleep → destroy connectivity

Understanding Protocol Attacks
  • Inherent tradeoff: energy vs. security
      • optimizing route vs. susceptibility to attacks
  • Attacks
      • all leading to sinkhole attack
      • manipulate cost function to represent self as optimal path
  • Is resistance futile?
      • flooding: useful, but high cost
      • random walks: potentially high cost
      • key is randomization
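
Added example (not from the slides or the paper): a small simulation of the minimum cost forwarding field from the Protocol Attacks III slide, showing how one forged cost advertisement redirects next hops, and how a base station holding a map of the static topology could flag costs the map cannot explain. The topology, the node names and the assumption that the base station can see each node's advertised cost are all constructed for illustration.

```python
import heapq

# Constructed topology (symmetric link costs). "BS" is the base station and "m"
# is the node that advertises a forged cost; all names and values are made up.
LINKS = {("BS", "a"): 1, ("a", "b"): 1, ("b", "c"): 1, ("c", "d"): 1,
         ("d", "m"): 1, ("m", "e"): 1, ("e", "f"): 1, ("c", "m"): 1}

def neighbours(links):
    adj = {}
    for (u, v), w in links.items():
        adj.setdefault(u, []).append((v, w))
        adj.setdefault(v, []).append((u, w))
    return adj

def cost_field(links, forged=None):
    """Each node keeps its cheapest known cost to BS and the next hop that gave it.
    `forged` maps a node to the cost it advertises whatever its real cost is."""
    adj = neighbours(links)
    cost = {"BS": 0, **(forged or {})}
    fixed = set(cost)                      # advertisers that ignore what they hear
    parent = {n: None for n in cost}
    heap = [(c, n) for n, c in cost.items()]
    heapq.heapify(heap)
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost[u]:
            continue                       # stale heap entry
        for v, w in adj[u]:
            if v not in fixed and c + w < cost.get(v, float("inf")):
                cost[v], parent[v] = c + w, u
                heapq.heappush(heap, (c + w, v))
    return cost, parent

def routed_via(parent, node):
    """Nodes whose next-hop chain passes through `node`."""
    def chain(n):
        while parent[n] is not None:
            n = parent[n]
            yield n
    return {n for n in parent if node in chain(n)}

def map_check(links, advertised):
    """Base station with a map of the static topology: flag every cost that is
    lower than the map allows (the forger and the nodes it has poisoned)."""
    true_cost, _ = cost_field(links)
    return sorted(n for n, c in advertised.items() if c < true_cost[n])

honest_cost, honest_parent = cost_field(LINKS)
forged_cost, forged_parent = cost_field(LINKS, forged={"m": 0})
```

In the honest field only `e` and `f` route through `m`; once `m` advertises cost 0, `c` and `d` switch their next hop to it as well, and `map_check` reports the whole poisoned region rather than only the forger.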

Countermeasures
  • Link layer security (shared key auth.)
      • costly, but can disable sybil attacks
      • useless against compromised nodes (insiders)
  • Hello floods
      • verify bi-directionality, or authenticate identity of neighbors w/ separate protocol
  • Use global knowledge
      • nodes are static, so learn global map
      • scalability: enough state to keep info?
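
Added example (not from the slides or the paper): neighbour acceptance on a mote with and without the first two countermeasures above, a shared-key MAC on the HELLO and a nonce echo that only succeeds if the link works in both directions. Node names, positions, ranges and the key are constructed, and the model assumes a frame is received exactly when the receiver lies inside the sender's transmit range (no extra-sensitive receiver on the attacker side).

```python
import hashlib, hmac, math, os
from dataclasses import dataclass

KEY = b"constructed-network-key"      # sample shared link-layer key

@dataclass
class Radio:
    name: str
    pos: tuple
    tx_range: float                   # how far this radio's transmissions carry
    key: bytes                        # key the node holds (outsiders hold a wrong one)

def reaches(src, dst):
    return math.dist(src.pos, dst.pos) <= src.tx_range

def tag(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def hello(sender):
    """HELLO frame: sender name plus a MAC under whatever key the sender holds."""
    name = sender.name.encode()
    return name, tag(sender.key, b"HELLO", name)

def accept_naive(me, sender):
    return reaches(sender, me)        # hearing a HELLO is taken as proof of a neighbour

def accept_checked(me, sender):
    if not reaches(sender, me):
        return False, "not heard"
    name, mac = hello(sender)
    if not hmac.compare_digest(mac, tag(me.key, b"HELLO", name)):
        return False, "bad MAC"       # outsider without the shared key
    nonce = os.urandom(8)
    if not reaches(me, sender):       # challenge goes out at the mote's own power
        return False, "no echo"       # one-way link: HELLO flood from out of range
    echo = tag(sender.key, b"ECHO", nonce)
    ok = hmac.compare_digest(echo, tag(me.key, b"ECHO", nonce))
    return ok, "ok" if ok else "bad echo"

def demo():
    me = Radio("n7", (0, 0), 10, KEY)
    others = [Radio("n8", (6, 0), 10, KEY),             # honest neighbour
              Radio("x1", (200, 0), 500, b"guess"),     # laptop-class outsider
              Radio("x2", (200, 0), 500, KEY),          # laptop-class insider, far away
              Radio("x3", (5, 5), 10, KEY)]             # compromised mote in range
    return {r.name: (accept_naive(me, r), *accept_checked(me, r)) for r in others}
```

`x3` passes both checks, which is the limit the slide states: link-layer authentication does nothing against a compromised node that holds the key and sits in range.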

Intuition
  • Tight tradeoff
      • energy conservation via optimized paths
      • optimization → manipulation of cost factors
  • Avoid
      • powerful nodes (they can’t be authenticated)
      • centralized functionality (same reason)
  • What can we use?
      • randomization / probabilistic routing?