Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures Authors: Chris Karlof and David Wagner Presenter: Ivanka Todorova
Outline • Introduction and Contributions • Background • Sensor vs. ad-hoc wireless networks • Problem Statement • Attacks on sensor network routing • Attacks on specific sensor network protocols • Countermeasures • Conclusions
Introduction and Contributions • Threat models and security goals for routing in WSNs • Two new attacks • Sinkhole attacks • HELLO floods • How to adapt attacks against ad-hoc wireless networks into powerful attacks against WSNs • Practical attacks against routing protocols and topology maintenance algorithms for WSNs • Countermeasures and design considerations for secure routing protocols in WSNs
Background • WSNs consist of hundreds or thousands of low-power, low-cost nodes having a CPU, power source, radio, and other sensing elements • Have one or more points of centralized control called base stations or sinks • Sensor readings from multiple nodes processed at aggregation points • Power is the scarcest resource
Background • A representative sensor network architecture Picture from [7]
WSNs vs. Ad-hoc WNs
WSNs: • Communication method - multihop networking • One or more points of centralized control such as base stations • Routing - specialized communication pattern • Resource-starved nature • Trust relationships between nodes assumed • Public key cryptography not feasible
Ad-hoc WNs: • Communication method - multihop networking • There is no fixed infrastructure such as base stations • Routing - any pair of nodes • Limited resources • Trust relationships between nodes not assumed • Public key cryptography possible
Problem Statement • Network assumptions • Insecure radio links • Malicious nodes may collude to attack the network • Sensor nodes not tamper resistant • Physical and MAC layers vulnerable to direct attacks • Trust Requirements • Base stations are trustworthy • Aggregation points not necessarily trustworthy
Problem Statement cont’d • Two types of threat models • Based on type of attacking devices • Mote-class attackers • Laptop-class attackers • Based on attacker location • Outsider attacks • Insider attacks • Security goals • Confidentiality, integrity, authenticity, and availability of all messages
Attacks on sensor network routing • Spoofed, altered, or replayed routing information • Selective forwarding • Sinkhole attacks • Adversary’s goal is to lure traffic through a compromised node • Work by making the compromised node look attractive • Makes selective forwarding trivial
Attacks on sensor network routing cont’d Sybil Attack “One can have, some claim, as many electronic personas as one has time and energy to create.” Judith S. Donath [1] Picture from [2]
Attacks on sensor network routing cont’d Wormhole An adversary tunnels packets received in one part of the network over a low-latency link and replays them in a different part of the network Picture from http://library/thinkquest.org/27930/wormhole.htm
Attacks on sensor network routing cont’d • HELLO flood attack • Many protocols require that nodes broadcast HELLO packets to announce themselves to their neighbors • Laptop-class attacker can convince all nodes that it is their neighbor by transmitting at high power • Acknowledgement spoofing
Attacks on specific sensor network protocols • TinyOS beaconing • Description • Attacks • Can authenticated routing updates solve the problem? Picture from [7]
Attacks on specific sensor network protocols cont’d • Combined wormhole/sinkhole attack Picture from [7]
Attacks on specific sensor network protocols cont’d • What if a laptop-class adversary uses a HELLO flood attack? • What about mote-class adversaries? • Routing loops Picture from [7]
Attacks on specific sensor network protocols cont’d • Directed diffusion Interest propagation Initial gradients set up Data delivery along reinforced path • Attacks – Suppression, Cloning, Path influence, Selective forwarding and data tampering Pictures from [6]
Attacks on specific sensor network protocols cont’d • Geographic routing • Two protocols • GPSR (Greedy Perimeter Stateless Routing) • GEAR (Geographic and Energy Aware Routing) • Description • Greedy forwarding routing each packet to the neighbor closest to the destination • GEAR weighs the choice of the next hop by both remaining energy and distance from the target
Attacks on specific sensor network protocols cont’d • Geographic routing Greedy forwarding failure: x is a local maximum in its geographic proximity to D; w and y are farther from D. Greedy forwarding example: y is x’s closest neighbor to D. Pictures from [14]
Attacks on specific sensor network protocols cont’d • Geographic routing Node x’s void with respect to destination D. Picture from [14]
Attacks on specific sensor network protocols cont’d • Geographic routing • Attacks • Sybil attack Picture from [7]
Attacks on specific sensor network protocols cont’d • Attacks cont’d • Creating routing loops in GPSR Picture from [7]
Attacks on specific sensor network protocols cont’d • Minimum cost forwarding • Description • Attacks • Sinkhole attack • HELLO flood attack can disable the entire network (Figure labels: nodes N and M, costs C_N and C_M, C_M + L_{N,M})
Attacks on specific sensor network protocols cont’d • LEACH: low-energy adaptive clustering hierarchy • Description • Nodes organized into clusters with one node serving as a cluster-head • Cluster-heads aggregate data for transmission to a base station • Attacks • HELLO flood attack • Countermeasures defeated by a Sybil attack
Attacks on specific sensor network protocols cont’d Node redundancy • Energy conserving topology maintenance • Geographic Adaptive Fidelity (GAF) State transitions Virtual grid Pictures from [5]
Countermeasures • Shared key and link layer encryption • Prevent outsider attacks - Sybil attacks, selective forwarding, ACK spoofing • Cannot handle insider attacks - Wormhole, HELLO flood, TinyOS beaconing attacks • In case of a wormhole encryption may make selective forwarding more difficult but cannot prevent blackholes • Sybil and HELLO flood attacks • A globally shared key allows an insider to masquerade as any node • A pair of nodes can use a Needham-Schroeder protocol to establish a shared key • Limit the number of neighbors for a node • Verify the bidirectionality of the link for a HELLO flood attack
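The two HELLO flood countermeasures listed above (verify that a link is bidirectional, limit the number of neighbors) can be sketched as follows. This is an added example, not code from the paper or the presentation. The radio model, node names, ranges, the neighbor cap and the pair() key setup are constructed assumptions.

```python
import hashlib
import hmac
import math
import os

def tag(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Node:
    def __init__(self, node_id, pos, tx_range, max_neighbors=3):
        self.id, self.pos, self.tx_range = node_id, pos, tx_range
        self.max_neighbors = max_neighbors  # cap on accepted neighbors
        self.keys = {}                      # peer id -> pairwise key
        self.neighbors = set()              # verified bidirectional links only

    def hears(self, sender):
        # Constructed radio model: reception depends only on the sender's range.
        return math.dist(self.pos, sender.pos) <= sender.tx_range

    def answer(self, challenger, nonce):
        # A reply exists only if the challenge was received and a key is shared.
        key = self.keys.get(challenger.id)
        return tag(key, nonce) if key and self.hears(challenger) else None

    def on_hello(self, sender):
        if not self.hears(sender):
            return "not-heard"
        if sender.id in self.neighbors:
            return "accepted"
        if len(self.neighbors) >= self.max_neighbors:
            return "over-limit"
        key, nonce = self.keys.get(sender.id), os.urandom(16)
        reply = sender.answer(self, nonce) if key else None  # sent at our own power
        if reply is None or not hmac.compare_digest(reply, tag(key, nonce)):
            return "unverified"
        self.neighbors.add(sender.id)
        return "accepted"

def pair(a, b):
    # Stand-in for pairwise key establishment through the base station.
    a.keys[b.id] = b.keys[a.id] = os.urandom(16)

def demo():
    a = Node("A", (0, 0), 10, max_neighbors=2)
    peers = [Node("X", (80, 0), 200),  # constructed high-power sender
             Node("B", (5, 0), 10), Node("C", (0, 6), 10), Node("D", (3, 3), 10)]
    for p in peers:
        pair(a, p)
    return [a.on_hello(p) for p in peers]
```

Node X holds a valid pairwise key, so link-layer authentication alone would accept its HELLO. It is rejected only because A's challenge, sent at mote power, never reaches it.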
Countermeasures • Amended Needham Schroeder Symmetric Key • Author(s): Roger Needham and Michael Schroeder (1987) • Distribution of a shared symmetric key by a trusted server and mutual authentication. Symmetric key cryptography with server.
Countermeasures • Wormhole and sinkhole attacks • Protocols that construct a topology initiated by a base station are the most vulnerable • Good routing protocol design may be the solution – geographic routing protocols • Geographic routing attacks • Use fixed topology to eliminate the need for location information • Selective forwarding • Multipath routing • Braided paths • Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates
Countermeasures Braided path Picture from [10]
Countermeasures • Authenticated broadcast and flooding • μTESLA protocol to prevent replay of broadcast messages issued by the base station • Replay is prevented because messages authenticated with previously disclosed keys are ignored • Flood the information about the malicious nodes in the network
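The replay rule on this slide (messages authenticated with previously disclosed keys are ignored) can be seen in a receiver for a delayed-disclosure key chain. This is an added example, not the μTESLA reference implementation. It assumes SHA-256 for the one-way function and the MAC, integer interval counters in place of loose time synchronization, and the chain key used directly as the MAC key.

```python
import hashlib
import hmac

def F(key):  # one-way function for the key chain (SHA-256 is an assumption)
    return hashlib.sha256(key).digest()

def make_chain(seed, n):
    # Returns [K_0 .. K_n] with K_(i-1) = F(K_i); K_0 is the commitment given to receivers.
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, commitment, delay):
        self.key, self.idx = commitment, 0  # last authenticated chain key
        self.delay = delay                  # K_i is disclosed in interval i + delay
        self.buffer = {}                    # interval -> [(msg, tag)]

    def on_packet(self, now, interval, msg, tag):
        # Ignore anything whose key may already be public (replay or late forgery).
        if now >= interval + self.delay or interval <= self.idx:
            return False
        self.buffer.setdefault(interval, []).append((msg, tag))
        return True

    def on_key(self, interval, key):
        # Authenticate the disclosed key by hashing back to the last trusted key.
        k = key
        for _ in range(interval - self.idx):
            k = F(k)
        if interval <= self.idx or not hmac.compare_digest(k, self.key):
            return []
        self.key, self.idx = key, interval
        pending = self.buffer.pop(interval, [])
        return [m for m, t in pending if hmac.compare_digest(mac(key, m), t)]

def demo():
    chain = make_chain(b"constructed-seed", 4)
    rx = Receiver(chain[0], delay=2)
    msg = b"beacon from base station"   # constructed sample message
    tag = mac(chain[1], msg)
    return (rx.on_packet(1, 1, msg, tag),   # fresh packet is buffered
            rx.on_key(1, chain[1]),         # key checks out, message accepted
            rx.on_packet(3, 1, msg, tag),   # replay after disclosure is ignored
            rx.on_key(2, b"\x00" * 32))     # key not on the chain is rejected
```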
Conclusions • End-to-end security mechanisms between a sensor node and a base station unlikely to guarantee integrity, authenticity, and confidentiality of messages • Link layer security not enough to protect against insider attacks • The routing protocol itself must be secure
Conclusions • Protection against the replay of data packets should not be a security goal of a routing protocol • Sinkhole attacks and wormholes are a significant challenge • Wormholes are hard to detect because they use a private, out-of-band channel invisible to the underlying network • Sinkholes are difficult to defend against because they leverage hard-to-verify information such as remaining energy • Protocols that construct topology initiated by a base station are most vulnerable • Geographic routing protocols are resistant • Crucial to design routing protocols in which these attacks are meaningless
Conclusions • Geographic routing relatively secure against wormhole, sinkhole, and Sybil attacks • Traffic naturally routed toward the physical location of a base station • The main remaining problem is that location information must be trusted • Restricting the structure of the topology eliminates the need for nodes to advertise their locations • If nodes are arranged in a grid every node can easily derive its neighbors’ locations
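The greedy forwarding rule from the geographic routing slides, and the grid argument made here, can be put side by side. This is an added example, not code from GPSR, GEAR or the paper. The 4x4 grid, the node numbering, the beacons table and the function names are constructed assumptions.

```python
import math

WIDTH = 4  # constructed 4x4 grid; node IDs are assigned row by row

def grid_pos(node_id):
    # Location derived from the node ID alone, no advertisement needed.
    row, col = divmod(node_id, WIDTH)
    return (float(col), float(row))

def greedy_next_hop(here, neighbors, dest, locate):
    # Forward to the neighbor strictly closer to dest than we are;
    # None means 'here' is a local maximum (a void) and greedy forwarding fails.
    best, best_d = None, math.dist(locate(here), dest)
    for n in neighbors:
        d = math.dist(locate(n), dest)
        if d < best_d:
            best, best_d = n, d
    return best

def demo():
    dest = grid_pos(15)          # base station in the far corner
    neighbors = [1, 4, 6, 9]     # grid neighbors of node 5
    beacons = {4: (3.0, 3.0)}    # constructed false location claim by node 4
    trusting = lambda n: beacons.get(n, grid_pos(n))
    return (greedy_next_hop(5, neighbors, dest, trusting),   # follows the claim
            greedy_next_hop(5, neighbors, dest, grid_pos),   # ignores the claim
            greedy_next_hop(5, [1, 4], dest, grid_pos))      # void: no closer neighbor
```

With advertised locations the packet goes to node 4, which lies farther from the base station. With grid-derived locations the claim is never read and node 6 is chosen.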
Conclusions • Clustering protocols like LEACH may yield the most secure solutions against node compromise and insider attacks • Virtual base stations can be used to create an overlay network
Future Work • How the feature of autonomic computing can be applied to WSNs to improve security [11,12] • Self-healing in WSNs [13]
References
[1] J. S. Donath, “Identity and Deception in the Virtual Community”, Communities in Cyberspace, Routledge, 1998.
[2] J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-Peer Systems (IPTPS 02), 2002.
[3] L. Zhou, Z. Haas, Securing ad hoc networks, IEEE Network Magazine 13 (6) (1999) 24–30.
[4] F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-hoc wireless networks, in: Seventh International Security Protocols Workshop, 1999, pp. 172–194.
[5] Y. Xu, J. Heidemann, D. Estrin, Geography-informed energy conservation for ad hoc routing, in: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2001.
[6] C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks (Mobi-COM 00), 2000.
[7] C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in IEEE SPNA, 2002.
[8] F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding in large sensor networks, in: Tenth International Conference on Computer Communications and Networks, 2001, pp. 304–309.
[9] W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: 33rd Annual Hawaii International Conference on System Sciences, 2000, pp. 3005–3014.
[10] Deepak Ganesan, Ramesh Govindan, Scott Shenker, Deborah Estrin, Highly-resilient, energy-efficient multipath routing in wireless sensor networks, in: Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, 2001, pp. 251-254.
[11] http://s3lab.cs.okstate.edu/projects/CIP-WSN/
[12] http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html
[13] Tatiana Bokareva, Nirupama Bulusu, Sanjay Jha, SASHA: Toward a Self-Healing Hybrid Sensor Network Architecture. Retrieved from http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf on March 2, 2008.
[14] Brad Karp, H.T. Kung, GPSR: Greedy Perimeter Stateless Routing for Wireless Networks. Retrieved March 4, 2008 from http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf