Calculating trust in sensor networks

More documents

Recommendations

Info

[PSW04]. A shared network-wide key would create a single point of failure, where a compromised node may leak the key. Public-key cryptography (such as Diffie-Hellman key establishment) can prove to be computationally beyond the capabilities of sensor nodes. Other approaches, such as using the sink-node or a distributed pool of random keys to authenticate other nodes, have been proposed but they still are vulnerable to one or several captured nodes. Another aspect to consider is the ease of access an attacker may have to a node. A sensor network will most likely consist of many unattended nodes scattered across a large area so gaining access to a node will most likely be easy. Because of financial considerations, a node may not have a very tamper-proof exterior. Thus, one possible attack on a sensor network is node capture, where an attacker can capture and reprogram a node [BBD06]. If this attack goes unnoticed it may result in a node that behaves in an arbitrarily malicious way. If an attacker captures a node, he may extract code and keys from the node and use this information to launch an attack from more powerful computers. An off-the-shelf laptop will have hugely more powerful processors, more sensitive antennas and higher-powered radio transmitters than any node. A laptop computer can more efficiently eavesdrop or disrupt the sensor network. Several laptops may also be connected by a faster low-latency network that allows an attacker to mount coordinated assaults from different parts of the network. There are several ways an attacker may take advantage of a node upon gaining physical access [BBD06]. An attacker may change the sensing unit of a node and thus inject erroneous data to the network. Some nodes are designed as modular units and changing the sensing component could be as easy as unplugging the old one and replacing it with a new one. This operation could only take a couple of seconds. If the sensing component is soldered into the node it may be harder to change, but a skilled attacker could still do it in a matter of minutes. An attacker may also be interested in reading or writing the external memory of the node if it is possible that sensitive information is stored in it. The simplest way to do this 14
would be to eavesdrop on the wires of the memory-chip. This passive attack could go on for a long period of time without anyone noticing. Another way would be to use a second micro-controller to effectively hijack the I/O of the memory-chip, thus replacing the nodes external memory with the attackers. A more serious method would be to attack the micro-controller of the node. This may be possible through the node bootloader or a possible debugging port found on some node- types. Both of these attacks allow the attacker to obtain the contents of the nodes memory. A realistic method of attacking the bootloader requires the source code of the node to be known in advance. The attacker may also take advantage of the standard IEEE 1149.1 JTAG test access port found on many types of nodes. If the test port is not disabled, an attacker may read the contents of the nodes memory. All of the physical attacks presented above require special instruments and can most likely be committed on the field. The most damaging ones will most likely take the node off the network for a while. This absence could be used to detect captured nodes [BBD06]. A working method of remote code injection and node capture on Crossbow Technologies MICAz-nodes has been demonstrated [FC08]. The attack exploits software vulnerabilities and permanently injects code into the program memory of an Atmel AVR-based sensor. The attack requires that the version of the node operating system (TinyOS) and the program memory content is known in advance and the running code has at least one expoitable buffer overflow vulnerability. A fake stack is injected into the node’s data memory by using instructions already present in the node (also called ”gadgets”). The injected code can then be written onto the permanent flash memory thus permanently infecting the node. The attack can be used to install malware on the sensor node and spread the malware onto other nodes. No permanent and foolproof solution is given to protect a MICAz node from this type of attack. Routing protocols are highly susceptible to node capture. A captured node may be used to spoof, alter or replay routing data. This allows the attacker to manipulate the network by disrupting the networks routing. A malicious node may commit several different kinds of attacks to a network and disrupt its routing [KW03]. 15
Page 1 and 2: Calculating trust in sensor network
Page 3 and 4: Contents 1 Introduction 1 2 Sensor
Page 5 and 6: 1 Introduction Wireless sensor netw
Page 7 and 8: 2 Sensor networks Advances in integ
Page 9 and 10: low power. A good guideline for des
Page 11 and 12: Figure 2: The SPEC mote and the tip
Page 13 and 14: n neither use every drop of enthe b
Page 15 and 16: of transmitting directly to the sin
Page 17: for sensor networks. SensorML conta
Page 21 and 22: Development of these sensors leans
Page 23 and 24: called recommending or gossiping ab
Page 25 and 26: of trustworthy nodes. These are nod
Page 27 and 28: node uses this table to determine i
Page 29 and 30: and the nodes willingness (or malic
Page 31 and 32: Trust-based geographical routing do
Page 33 and 34: The rating component also employs a
Page 35 and 36: trust = (1 − w) ∗ trustold + w
Page 37 and 38: that nodes around it send in their
Page 39 and 40: positives, nodes that seem to be fi
Page 41 and 42: 4 Analysis of trusted service disco
Page 43 and 44: To other sensors... Simulated Senso
Page 45 and 46: A simple way of defining this metri
Page 47 and 48: esults. The square root-method reac
Page 49 and 50: 5 Results The JSIM network simulato
Page 51 and 52: Figure 12: A graph describing chain
Page 53 and 54: (a) Average reputations with no mal
Page 55 and 56: (a) Chains of trust for node 0, wit
Page 57 and 58: (a) Average reputations with no mal
Page 59 and 60: • The trustworthiness of nodes de
Page 61 and 62: (a) Average reputations with blackh
Page 63 and 64: (a) Chains of trust for node 28 wit
Page 65 and 66: Figure 20: Identifying malicious no
Page 67 and 68: BB02 Buchegger, S. and Boudec, J.-Y
Page 69 and 70:
MICAZ The MicaZ datasheet. http://w
show all

Calculating trust in sensor networks

Create successful ePaper yourself

Delete template?

Save as template?