Secure Routing in Sensor Networks: Attacks and Countermeasures (Authors: Chris Karlof and David Wagner, UC Berkeley)
By Mike McNett, 20 Oct 2003, Computer Science Department, University of Virginia

Focus of this Presentation
• The Essential Ideas of Secure Routing Attacks & Countermeasures
[Figure labels: Selective Forwarding; Not Addressed; Bogus Routing]
Ref: Denial of Service in Sensor Networks; Wood & Stankovic
NOTES: DoS attacks aren’t directly addressed in this paper. Defenses / Countermeasures are similar.

The Essential Ideas of Secure Routing Attacks & Countermeasures
• WSNs have unique constraints that make secure routing difficult.
• One must define the security goals of the network.
• WSNs offer the attacker unique attacks that aren’t found in traditional networks.
• Analyzing attacks will give insight into effective countermeasures.
• Not all attacks can be stopped (assuming insiders).

Outline
• Introduction
• Novelty and Contribution
• The Problem Addressed
• WSN Routing Attacks
• Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
• Countermeasures
• Cross-cutting Issues / Open Questions
• Conclusions

Introduction – Questions to Consider
• What historical events drive us towards the need for secure networks?
• Is Routing Security Necessary in all environments and applications?
• How robust should the security be?
• Is it even possible to have security that prohibits attacks?
• If possible, then at what cost?
• Can traditional routing security solutions be used in WSNs?

Introduction – WSN Routing
• Base stations and sensor nodes
• Node vulnerabilities
• Low overhead protocols
• Broadcast media
• Specialized traffic patterns
• Potentially every node is a router
• In-network processing
• Resource constraints
• Dynamic topologies

Novelty and Contribution
• Proposes threat models and security goals for secure WSN Routing.
• Adapts previously known attacks to WSNs.
• Addresses two novel attacks: HELLO Floods and Sinkholes.
• Presents security analysis of major WSN routing protocols and energy-conserving topology maintenance algorithms.
• Discusses countermeasures and design considerations for secure WSN routing protocols.

Outline
• Introduction
• Novelty and Contribution
• The Problem Addressed:
  • Network Assumptions and Trust Requirements
  • Threat Models and Security Goals
• WSN Routing Attacks
• Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
• Countermeasures
• Cross-cutting Issues / Open Questions
• Conclusions

Network Assumptions
• Insecure radio links
• Eavesdropping, injecting bits, and packet replays
• Attacker has similar capabilities (HW, etc.)
• Nodes can be “turned”
• Attacker controls > 1 node; collusion is possible
• Attacker may have high quality communications
• Tamper resistant nodes are not realistic

Trust Requirements
• Base Stations are trustworthy
• Aggregation points may be trusted, but not guaranteed

Threat Models and Secure Routing Goals
• Threat Model:
  • Mote-class vs. laptop-class adversaries
  • Insiders vs. outsiders
• Security Goals:
  • Authenticity: verifies the identity of the sender
  • Integrity: messages are not tampered with
  • Availability: messages are received by intended receivers
• Link layer security still possible
• Insiders and laptop-class adversaries are the main challenge

Security Goals Out of Scope
• Confidentiality / Secrecy of messages
• Protection against Eavesdropping
  • Exception – protocol should prevent eavesdropping caused by misuse or abuse of the protocol itself
• Protection against the replay of data packets
• Claim 1 by Authors: It is possible to meet the security goals when only considering outsiders.
• Claim 2 by Authors: It is most likely that some if not all of these goals are not fully attainable when considering insiders.
• Question: What information / intelligence can be gained by the attacker through observing unencrypted overhead packets?

Outline
• Introduction
• Novelty and Contribution
• The Problem Addressed
• WSN Routing Attacks:
  • Spoofing, Selective Forwarding, Sinkhole Attack, Sybil Attack, Wormholes, HELLO Flood Attack, Acknowledgement Spoofing
• Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
• Countermeasures
• Cross-cutting Issues / Open Questions
• Conclusions

Attack: Bogus routing information
• Spoofed, altered, or relayed routing information causes problems
• Example: spoof routing beacons and claim to be base station

Attack: Bogus routing information
• Routing loops
[Figure: nodes A and B]

Problems: Bogus routing information
• Attract / Repel Traffic
[Figure labels: B; A1; A2; A3; A4; Enemy Area]

Problems: Bogus routing information
• Other Possibilities:
  • Extend / shorten source routes
  • Generate false error messages
  • Partition network
  • Increase end-to-end latency
• Overall Effects:
  • Routing havoc
  • Low reliability
  • Questionable information reporting
  • Decreased lifetime of network
  • Congestion / collisions
  • Etc.
• Allows the attacker to selectively “hide” information

Attacks: Selective Forwarding / Blackholes / Sinkholes
• Only forward a select few… drop / modify remaining packets
• Jamming can cause similar effects
• Location of node may have significant effects
[Figure label: Enemy Area]

Attack: Sybil attack
• An adversary may present multiple identities to other nodes
• Geographic Routing is very susceptible – exchange of locality information
[Figure: nodes A and B]

Attack: Wormholes
• Tunnel packets received in one part of the network and replay them in a different part
• Exploits routing race conditions
• Enables other attacks
• Can be launched by insiders and outsiders

Attack: HELLO floods
• Protocols that use HELLO packets to announce to neighbors
• Assumption: the sender of a received packet is within normal radio range
• False! A powerful transmitter could reach the entire network
• Can be launched by insiders and outsiders

Attack: Acknowledgement Spoofing
• Spoof link layer ACK packets of neighbor nodes
• Selective forwarding by encouraging sender to send via weak links

Protocols Analyzed in Paper
All insecure

Protocols Analyzed in Paper
[Table labels: Directed Diff; Geographic Routing; Energy Conserving; Min Cost Fwding; Rumor Routing; Cluster Based; TinyOS; Attack]

SPEED
• SPEED: A Stateless Protocol for Real-Time Communication in Sensor Networks.
Uses neighbor tables
[Figure labels: Strong Back-Pressure (Congestion); Uniform Back-Pressure]

SNGF - 3 (Example)
Node 5's NT:
ID    Delay    SPEED
9     0.5s     20
7     0.1s     110
10    0.4s     30
3     0.1s     115
[Figure labels: nodes 2, 3, 5, 7, 9, 10, 11; Packet; Destination; Source; Delay]

SPEED (and RAP): Routing Security Analysis
• Convince nodes to change their state tables (delay, source, destination, distance, deadlines).
• Change the radius of the last mile process.
• Lower the velocity of a packet which will end up missing its deadline later and will be dropped.
• Flood network with high velocity packets (i.e. short deadlines or large distances).
• Drop the SpeedReceive() messages.
• Local forwarding decisions allow some types of attacks to not be noticed. Example: a destination that is “beyond” the edge of the network.

Local Stabilization
• F-Local Stabilization
• Faults are contained locally around where they occurred.
• Time taken for the system to stabilize is a function of the size of the perturbed region.
[Figure labels: Locally Contained Fault Regions; Correction; Definite Time which is proportional to size of perturbed region]

Local Stabilization
• Node of Fault Propagation to initiate a “Containment” action that moves faster than the stabilization (“Fault Propagation”) action.
• “Corrective” action always lags behind “Fault propagation” action
[Figure labels: Correction Wave; Fault Propagation Wave; Containment Wave]

LSRP: Routing Security Analysis
• Send out false waves
• Delay / drop correction & containment waves
• Spoof link information (affects shortest paths)

Trajectory Based Forwarding
• Improving routing in both mobile and fixed networks when position is available.
[Figure labels: Forbidden Zone; Intermediate Destination; Straightforward Path; Destination; Source]

TBF: Routing Security Analysis
• Change trajectory functions
• Spoof nodal location information
• Flood network with large broadcasts

Spatiotemporal Multicast
[Figure labels: Wake up just in time; Sleeping nodes; Awaken nodes]

Adaptive Mobicast
[Figure labels: Hole; Adaptive forwarding zone]

Mobicast: Routing Security Analysis
• Increase or decrease delivery and forwarding zone sizes
• Provide false locations to nodes to make paths longer than they need be
• Modify delta-values in adaptive mobicast

ASCENT and Energy Conserving Topology Management
• Insecure routing protocol ASCENT will not guarantee correct neighbor sets.
• Attacks on routing that make the network look overly sparse or dense may negatively affect ASCENT – increased power consumption.
• Misrepresent energy remaining levels.
• All (successful) attacks may potentially counteract the energy savings of any given protocol.

Countermeasures: Bogus routing information
• Outsiders:
  • Authenticated Routing
  • Crypto techniques (globally shared key)
  • Mitigates Sybil, Sinkhole, Selective Forwarding
  • Little effect on Wormhole and HELLO Flood
• Insiders:
  • Consistency checks
  • Verify through trustworthy nodes
  • Crypto techniques (per-link keys)

Countermeasures: Selective Forwarding / Blackholes / Sinkholes
• Multipath and probabilistic routing
• Verify information where possible
• Geographic-based protocols hold promise
[Figure label: Enemy Area]

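Why multipath routing blunts selective forwarding, as an added example that is not from the presentation or the paper: a message copied over node-disjoint paths still arrives when a dropping node sits on one of them. The 4x4 grid topology, the greedy path search and all function names are assumptions made for the illustration.

```python
from collections import deque


def grid_neighbors(node, size):
    x, y = node
    for nx, ny in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)):
        if 0 <= nx < size and 0 <= ny < size:
            yield (nx, ny)


def shortest_path(src, dst, size, banned):
    """Breadth-first search that avoids nodes already used by earlier paths."""
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in grid_neighbors(node, size):
            if nxt not in parent and nxt not in banned:
                parent[nxt] = node
                queue.append(nxt)
    return None


def disjoint_paths(src, dst, size):
    """Greedy node-disjoint paths (not guaranteed maximal; enough for this demo)."""
    paths, banned = [], set()
    while (path := shortest_path(src, dst, size, banned)) is not None:
        paths.append(path)
        if len(path) <= 2:  # direct link: no interior nodes left to exclude
            break
        banned.update(path[1:-1])  # interior nodes may not be reused
    return paths


def delivered(paths, droppers):
    """A copy arrives if its path contains no selectively forwarding node."""
    return any(not droppers.intersection(p[1:-1]) for p in paths)


def demo():
    """Constructed case: one dropping node placed on the first (shortest) path."""
    paths = disjoint_paths((0, 0), (3, 3), 4)
    droppers = {paths[0][2]}
    return len(paths), delivered(paths[:1], droppers), delivered(paths, droppers)
```
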
Countermeasures: Wormholes
• Difficult to defend against
• Can be launched by insiders and outsiders
• Difficult to detect
• Best solution: avoid routing race conditions
• Geographic routing protocols hold promise

Countermeasures: Sybil attack
• Verify identities of neighbors through unique symmetric keys with base station
• Establish shared keys
• Limit number of neighbors with keys
[Figure: nodes A and B]

Countermeasures: HELLO floods
• Bidirectional Links
• Verify identities of neighbors
• Base station can enforce limited number of neighbors

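A simplified model of the Sybil and HELLO-flood countermeasures on the two slides above, as an added example that is not from the presentation or the paper: the base station approves a link only when both ends prove they hold their own key, and it caps neighbors per node. The `proof` MAC format, the `BaseStation` class, the cap of 3 and the node names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_NEIGHBORS = 3  # assumed per-node cap enforced by the base station


def proof(key, claimed_id, peer_id, nonce):
    """MAC binding a claimed identity to one peer and one fresh nonce."""
    msg = claimed_id.encode() + b"|" + peer_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, node_keys):
        self.keys = node_keys  # node id -> key shared only with the base station
        self.neighbors = {n: set() for n in node_keys}

    def _proven(self, claimed, peer, nonce, tag):
        key = self.keys.get(claimed)
        return key is not None and hmac.compare_digest(
            proof(key, claimed, peer, nonce), tag)

    def approve_link(self, a, tag_a, b, tag_b, nonce):
        """Approve link a-b only if both identities are proven and under the cap."""
        if not (self._proven(a, b, nonce, tag_a) and self._proven(b, a, nonce, tag_b)):
            return False  # unregistered or forged identity (Sybil claim)
        if b in self.neighbors[a]:
            return True
        if max(len(self.neighbors[a]), len(self.neighbors[b])) >= MAX_NEIGHBORS:
            return False  # cap bounds how far one HELLO flood can spread
        self.neighbors[a].add(b)
        self.neighbors[b].add(a)
        return True


def simulate():
    """Constructed scenario: insider 'm' floods HELLOs and claims extra identities."""
    keys = {f"n{i}": os.urandom(16) for i in range(8)}
    keys["m"] = os.urandom(16)  # compromised node: the attacker holds only this key
    bs = BaseStation(dict(keys))
    accepted, sybil_accepted = [], []
    for victim in [f"n{i}" for i in range(8)]:  # all hear m's high-power HELLO
        nonce = os.urandom(8)
        for claimed in ("m", "ghost", "n0"):  # real id, invented id, stolen id
            tag_c = proof(keys["m"], claimed, victim, nonce)
            tag_v = proof(keys[victim], victim, claimed, nonce)
            if bs.approve_link(victim, tag_v, claimed, tag_c, nonce):
                (accepted if claimed == "m" else sybil_accepted).append(victim)
    return accepted, sybil_accepted
```

Of the eight nodes that hear the flood, only the first three accept `m` as a neighbor, and no invented or stolen identity is accepted.
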
Countermeasures (Notes)
• Nodes near base stations are attractive to compromise
• Clustering and Overlays may reduce their significance
• Can leverage global knowledge
• Send localized info to base station
• Base station maps network topology
• Base station is periodically updated
• Drastic / suspicious changes observed

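One way the base station could use the periodic topology reports described above, as an added example that is not from the presentation or the paper: it compares each node's share of next-hop choices between two rounds and flags a sudden rise, the pattern a sinkhole produces. The report format, the 0.30 threshold and the sample rounds are assumptions constructed for the illustration.

```python
from collections import Counter

SHARE_JUMP = 0.30  # assumed alert threshold on the rise in next-hop share


def next_hop_share(reports):
    """reports maps node id -> next hop toward the base station, as reported."""
    counts = Counter(reports.values())
    return {hop: n / len(reports) for hop, n in counts.items()}


def suspicious_changes(previous, current, jump=SHARE_JUMP):
    """Flag next hops whose share of the network rose by more than `jump`."""
    before, after = next_hop_share(previous), next_hop_share(current)
    flagged = {}
    for hop, share in after.items():
        delta = share - before.get(hop, 0.0)
        if delta > jump:
            # List the nodes that newly route through this hop, for follow-up.
            moved = sorted(n for n, h in current.items()
                           if h == hop and previous.get(n) != hop)
            flagged[hop] = (round(delta, 2), moved)
    return flagged


# Constructed reports. Round 1: a balanced tree rooted at base station "BS".
ROUND_1 = {"a": "BS", "b": "BS", "c": "a", "d": "a",
           "e": "b", "f": "b", "g": "c", "h": "e"}
# Round 2: node "x" joins, advertises an attractive route, most nodes re-parent.
ROUND_2 = {"a": "BS", "b": "BS", "x": "BS", "c": "x", "d": "x",
           "e": "x", "f": "b", "g": "x", "h": "x"}
# Round 3: one node switches parent, which is ordinary churn.
ROUND_3 = dict(ROUND_1, g="d")
```

The reports themselves come from nodes that may be compromised, so a flag is a prompt for investigation rather than proof.
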
Countermeasures (Notes)
• Base Station Authentication – no node can spoof BS, but every node can verify messages from BS
• Localized Node Authentications
• SPINS - μTESLA & SNEP (next presentation)

SPEED Goals vs. Security
• Soft real-time: predictable e2e delay
• Uniform communication speed
• High Scalability
• Stateless Architecture
• Localized Behavior
• Load Balancing
• Traffic Control
• Void Avoidance
• Security may cause unpredictable delays
• Security may require stateful architecture
• Security may require global behavior
• Security may lessen the ability to load balance