Attacker Models for Wireless Sensor Networks - Pi1

Attacker Models for Wireless
Sensor Networks
(How Security in WSNs Differs From Traditional Security)
Felix Freiling
University of Mannheim, Germany
joint work with Zinaida Benenson
Summer School "Protocols and Security for Wireless Sensor Actor Networks"
Schloss Dagstuhl, March 2008
1

"A system without an adversary
definition cannot be secure."
Virgil Gligor
2

• Section 2.2 ...
– "... we assume that individual sensors are untrusted. Our
goal is to design the SPINS key setup so a compromise of a
node does not spread to other nodes."
– "... any adversary can eavesdrop on traffic, inject new
messages, and replay old messages."
• What does the adversary do with compromised
nodes?
• How many nodes can the adversary compromise?
3

ACM CCS 2002
• Section 2.4 ...
– "... active manipulation of sensor's data-inputs."
– "... sensor node is under complete physical control of the
adversary."
• Is this the same assumption as in SPINS?
• Is injection, replay, eavesdropping considered?
4

Problem and Goal
• Assumptions about adversaries critically influence
correctness and efficiency of protocols
– So they should be as precise as possible
• Precise adversary assumptions
– help to increase confidence in security of the scheme
– help to make schemes comparable
• Goal: Propose a set of well-defined attacker models
for WSNs
• Advantages:
– Gives algorithm designers a toolbox to choose from
– Makes it easier to compare algorithms
– Precise enough to support rigorous analysis
5

Toolbox Overview
• Node-centered model
– How is the behavior of nodes affected by
the adversary?
– Effects on channels are attributed to a
particular node
• Attacker model is a set of basic attacker
models
– Basic attacker model is a pair (i, p) of
values from two dimensions
6

Two Main Dimensions
• Intervention: What can the attacker do?
– How does the attacker potentially change
the normal behavior of an individual sensor
node?
• Presence: Where can he do it?
– Which part of the sensor network can the
attacker potentially influence?
7

Presence
• Local
– Attacker affects a small connected subset of sensors
– Example: single person ad-hoc attacker
• Distributed
– Attacker affects multiple small connected subsets of
sensors, total set of influenced sensors is unconnected
– Examples: single person mobile adversary, uniformly
distributed adversary, threshold adversary (t-out-of-k)
• Global
– Attacker affects all sensor nodes
– Examples: powerful organization with lots of eavesdropping
and manpower resources, worst case assumption about
software vulnerability (WSN worm)
8

Intervention (1/2)
• Crash
– Attacker can destroy the sensor node without reading any internally
stored data
– Examples: physical destruction, remove battery
• Eavesdropping
– Attacker can see all messages on incoming and outgoing channels
of the sensor node
– Example: place wireless receiver close to node
• X-ray
– Crash + Eavesdropping +
– Attacker can read the full memory contents of the sensor node
(data and code)
– Examples: access via JTAG interface, exploit software vulnerability,
take sensor node to the lab and open it physically
9

Intervention (2/2)
• Disturbing
– Crash + Eavesdropping +
– Attacker can modify part of the data memory of the sensor node
– Examples: Influence routing table by sending fake routing table
updates, influence temperature reading by placing a cigarette
lighter close to temperature sensor, inject fake packets, replay
packets, spoof packets
• Modifying
– Disturbing + X-ray +
– Attacker can inspect and modify full data memory of the sensor
node
– Examples: read access via JTAG, exploit software vulnerability
• Reprogramming
– Modifying +
– Attacker can inspect and modify full data and code memory of
sensor node
– Example: read/write access via JTAG
10

Lattice of Basic Attacker Models
reprogramming
modifying
disturbing
X-ray
crash
eavesdropping
X → Y = Y includes all
attacker behavior of X
null
11

Combining Basic Attackers to
Attacker Models
• An attacker model is a set of basic
attacker models
– Possibility to define hybrid attacker
assumptions
• Example: An adversary can be
– local reprogramming and
– global eavesdropping
12

Usage in the Literature
• Eschenauer, Gligor: A key-management scheme ... (ACM CCS 2002)
– "... active manipulation of sensor's data-inputs."
– "... sensor node is under complete physical control of the adversary."
– Probably combination of distributed disturbing, distributed reprogramming
and global eavesdropping
• Chan, Perrig, Song: Random key predistribution ... (IEEE S&P 2003)
– "... an adversary may be able to undetectably take control of a sensor node
and compromise the cryptographic keys."
– Probably distributed X-ray, but maybe distributed modifying.
• A. Perrig, R. Szewczyk, V. Wen, D. Culler, D. Tygar: SPINS ...
(MobiCom 2001)
– "... we assume that individual sensors are untrusted. Our goal is [that] the
compromise of a node does not spread to other nodes."
– Probably local or distributed X-ray, or distributed reprogramming.
13

Comparison
• Fault-Tolerance/Self-Stabilization:
– Byzantine processes (Lamport, Shostak, Pease) as random node
behavior
• Byzantine = reprogramming adversary
– Arbitrary data (not code) perturbation of self-stabilization (Dijkstra)
• Self-stabilization adversary is a "finite" modifying adversary
• Dolev-Yao attacker model
– Network-centered model aiming at confidentiality and formal
analysis
• Global eavesdropping with parts of the disturbing adversary (no data
modifications)
• Cryptography attacker models
– Notion of polynomially bounded adversary
– Practical vs. information theoretic security
– Notion of passive adversary (X-ray without injection)
14

Why is the toolbox
specific to WSNs?
• Existence of environmental sensors result in
disturbing adversary
• If you can inspect a node you can also crash
it (X-ray vs. passive crypto adversary)
• Difference between data and code in Harvard
architecture motivates difference between
modifying and reprogramming adversary
15

Theoretical Basis
of Intervention Dimension
• Three general dimensions of behavior based on goals of the
attacker
– Different property types are fundamentally different
• Three types of properties:
– Safety: If something is done, then it is done correctly
• Examples: Correct aggregation computation, integrity of computation,
authentication of messages
– Liveness: Something (eventually) is done
• Examples: Messages are sent periodically, termination of a protocol run
– Information flow: Who learns which information
• Examples: Confidentiality of message contents, confidentiality of
cryptographic keys stored in memory
• Specific useful combinations yield Intervention levels
• Unification of attacker models from Crypto and Fault-tolerance
16

safety
full code
perturbation
full state
perturbation
participants
limited state
perturbation
crash
crashrecovery
liveness
network
information flow
17

Discussion
• Time-dependent development of basic
attacker models can be incorporated
• Base station is usually uncompromised; is
this necessary?
• Is a presence level between local and global
necessary?
– Example: Jamming in large connected parts of the
network
• Open for suggestions ...
18

References (1/3)
Attacks on sensor networks:
• Physical attacks:
– A. Becher, Z. Benenson, M. Dornseif: Tampering with motes: Real-world
physical attacks on wireless sensor networks. Security in Pervasive
Computing (SPC), 2006
• Performing stack smashing (buffer overflow exploit) on a Mote:
– http://travisgoodspeed.blogspot.com/2007/08/machine-code-injection-forwireless.html
– http://travisgoodspeed.blogspot.com/2007/09/memory-constrained-codeinjection.html
• Software attacks and countermeasures:
– N. Cooprider, W. Archer, E. Eide, D. Gay, J. Regehr: Efficient Memory
Safety for TinyOS. SenSys 2007.
– Q. Gu and R. Noorani: Towards Self-propagate Mal-packets in Sensor
Networks. Proc. ACM Conference on Wireless Network Security, 2007.
19

References (2/3)
Investigated WSN security papers:
• L. Eschenauer, V. D. Gligor: A keymanagement
scheme for distributed sensor
networks. ACM CCS 2002.
• H. Chan, A. Perrig, D. Song: Random key
predistribution schemes for sensor networks.
IEEE Symp. on Security and Privacy. 2003
• A. Perrig, R. Szewczyk, V. Wen, D. Culler, J.
D. Tygar: SPINS: Security protocols for
Sensor networks. MobiCom 2001.
20

References (3/3)
Background on attacker modeling:
• Z. Benenson, P. M. Cholewinski, F. C. Freiling: Vulnerabilities and Attacks in
Wireless Sensor Networks. Chapter in Wireless Sensors Networks Security,
Cryptology & Information Security Series (CIS). IOS Press, 2007
• Z. Benenson, F. C. Freiling, T. Holz, D. Kesdogan, L. Draque Penso: Safety,
Liveness, and Information Flow: Dependability Revisited. ARCS Workshops
2006.
Classic descriptions of attacker models in crypto and fault-tolerance:
• D. Dolev, A. C. Yao: On the security of public key protocols. IEEE Transactions
on Information Theory, Vol. 29 (2), 1983.
• M. Fitzi, M. Hirt, U. Maurer: General Adversaries in Unconditional Multi-party
Computation, Proc. ASIACRYPT 1999.
• L. Lamport, R. Shostak, M. Pease: The Byzantine generals problem. ACM
Trans. Programming Languages and Systems. Vol 4(3), 1982
• Z. Liu, M.Joseph: Specification and verification of fault-tolerance, timing and
scheduling. ACM Trans. Programming Languages and Systems, Vol 21(1),
1999.
• H. Schepers, J. Hooman: A trace-based compositional proof theory for fault
tolerant distributed systems. Theoretical Computer Science, Vol. 128 (1-2),
1994.
21

Advertisement:
Utimaco Cryptoserver
• (German) Competitor of IBM 4758 PCI
22