Reliable Telemetry in White Spaces using Remote Attestation

Omid Fatemieh, Michael D. LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign
Annual Computer Security Applications Conference (ACSAC), Dec 9, 2011


Opportunistic Spectrum Access

• Spectrum crunch
  – Increased demand
  – Limited supply
  – Inefficiencies of fixed and long-term spectrum assignment (licenses)
• Emerging solution: opportunistic access to unused portions of licensed bands (WHITE SPACES)
• Cognitive Radio: A radio that interacts with the environment and changes its transmitter parameters accordingly

[Figure: Primary Transmitter, Primary Receiver, Secondary Transmitter/Receiver (Cognitive Radio)]

White Space Networks

• Allowed by FCC in Nov 2008 (and Sep 2010)
  – TV White Spaces: unused TV channels 2-51 (54 MHz-698 MHz)
  – Much spectrum freed up in transition to Digital Television (DTV) in 2009
  – Excellent penetration and range properties
• Applications
  – Super Wi-Fi
  – Campus-wide Internet
  – Rural broadband (e.g. Claudville, VA)
  – Advanced Meter Infrastructure (AMI) [FatemiehCG – ISRCS ‘10]

How to Identify Unused Spectrum?

• Spectrum Sensing – Energy Detection
  – Requires sensing-capable devices -> cognitive radios
  – Signal is variable due to terrain, shadowing and fading
  – Sensing is challenging at low thresholds
• Central aggregation of spectrum measurement data
  – Base station (e.g. IEEE 802.22)
  – Spectrum availability database (required by the FCC)

[Figure: Collaborative Sensing; No-talk Region for Primary Transmitter]

Malicious Misreporting Attacks

• Malicious misreporting attacks
  – Exploitation: falsely declare a frequency occupied
  – Vandalism: falsely declare a frequency free
• Why challenging to detect?
  – Spatial variations of primary signal due to signal attenuation
  – Natural differences due to shadow-fading, etc.
  – Temporal variations of primary
  – Compromised nodes may collude and employ smart strategies to hide under legitimate variations
• How to defend against such coordinated/omniscient attackers?

[Figure: Compromised Secondary – Vandalism; Compromised Secondary – Exploitation]

Limitations of Previous Work

• Initially assume all sensors are equal
• Rely only on comparing measurements
  – Shadow-fading correlation filters for abnormality detection [MinSH – ICNP ‘09]
  – Model-based (statistical) outlier detection [FatemiehCG – DySPAN ‘10]
  – Data-based (classification) attacker detection [FatemiehFCG – NDSS ‘11]
• Resulting drawback: attacker penetration has to be significantly limited for solutions to work
• What if we can have a subset of "super-nodes"?

A Subset of Trusted Nodes

• Remote attestation: A technique to provide certified information about software, firmware, or configuration to a remote party
  – Detect compromise
  – Establish trust
• Root of trust for remote attestation
  – Trusted hardware: TPM on PCs or MTM on mobile devices
  – Software on chip [LeMayG - ESORICS ‘09]
• Why a subset?
  – Low penetration among volunteer nodes
  – Cost: manufacturing, energy, time, bandwidth (see paper for numbers)

[Figure: exchange between Remote Server and Attestation-Capable System: Nonce; Signed[Nonce || System State]]
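The Nonce / Signed[Nonce || System State] exchange from this slide, as an added Python sketch that is not code from the talk or the paper. Assumptions: HMAC-SHA256 with a provisioned key stands in for the asymmetric signature a TPM or MTM would produce, and the key, firmware strings and the names `Verifier` and `attest` are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 with a provisioned key stands in for the signature
# a TPM/MTM would make with its attestation key. All values are constructed.
DEVICE_KEY = b"constructed-demo-key"
GOOD_IMAGE = b"sensor-firmware v1 (constructed)"
KNOWN_GOOD = {hashlib.sha256(GOOD_IMAGE).digest()}  # approved state digests


class Verifier:
    """Remote server: issues nonces and checks Signed[Nonce || System State]."""

    def __init__(self, key, known_good):
        self.key = key
        self.known_good = known_good
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable, fixed length
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, state, sig):
        if nonce not in self.pending:
            return "stale-or-unknown-nonce"  # replayed or never issued
        self.pending.discard(nonce)  # each nonce is single use
        expected = hmac.new(self.key, nonce + state, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if state not in self.known_good:
            return "untrusted-state"  # authentic report of unapproved software
        return "attested"


def attest(key, nonce, firmware_image):
    """Attestation-capable node: measure its state and sign Nonce || State."""
    state = hashlib.sha256(firmware_image).digest()
    return state, hmac.new(key, nonce + state, hashlib.sha256).digest()


if __name__ == "__main__":
    server = Verifier(DEVICE_KEY, KNOWN_GOOD)
    nonce = server.challenge()
    print(server.verify(nonce, *attest(DEVICE_KEY, nonce, GOOD_IMAGE)))
```

The nonce binds each report to one challenge, so a recorded good report cannot be replayed later; the known-good check is what turns an authentic signature into a trust decision.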

Key Observations

• Goal: obtain an estimate of signal power in any cell to compare to threshold
• Cell A: Safety or precision?
• Cells B and C: How many regular nodes to include? Which ones?
• Steps
  1. A systematic strategy to determine when there is enough data
  2. If we need additional data, which ones to add to aggregation pool?
  3. Ensure pool not attacker-dominated

[Figure: cells A, B, C with Attested Nodes and Regular Nodes]

Intra-cell Node Selection

• Sequential intra-cell node selection
  – Include all attested nodes
  – Include regular nodes until a precision goal is met
• Precision goal: Ensure margin of error for aggregate smaller than requirements (e.g. 3dB) with high confidence (e.g. 95%) (unknown distribution)
  – Mean: Asymptotically efficient Chow-Robbins sequential procedure:
  – Median: Find a and b (order statistics):

Classification-based inter-cell detection

• Last step: Classification-based inter-cell attacker detection
  – If detected: only use attested data in E
• Median as aggregate:
  – (+) Less vulnerable to legitimate variations or minority attackers
  – (-) Achieving the required precision requires more data
  – (-) Majority attackers can move median while being less ‘abnormal’
• Aggregate: median when attested majority, and mean otherwise
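The sequential intra-cell selection and the median/mean aggregate rule from the two slides above, as an added Python sketch that is not code from the talk or the paper. It uses the textbook Chow-Robbins stopping rule and the textbook binomial order-statistic interval for the median, which may differ in detail from the formulas on the original slides; the function names, the pilot size `n0` and the dBm readings are constructed, and the inter-cell classifier is not modelled.

```python
import math
import statistics

Z95 = 1.96  # standard normal quantile for 95% confidence


def select_pool(attested, regular, margin_db=3.0, n0=5):
    """Take all attested readings, then add regular ones until the
    textbook Chow-Robbins rule n >= (z/d)^2 * (s_n^2 + 1/n) holds."""
    pool, queue = list(attested), list(regular)
    while True:
        n = len(pool)
        if n >= max(n0, 2):
            s2 = statistics.variance(pool)
            if n >= (Z95 / margin_db) ** 2 * (s2 + 1.0 / n):
                return pool, True
        if not queue:
            return pool, False  # precision goal not reachable with this data
        pool.append(queue.pop(0))


def median_ci_ranks(n, conf=0.95):
    """Tightest symmetric order-statistic ranks (a, b), 1-based, with
    P(X_(a) <= median <= X_(b)) >= conf for any continuous distribution."""
    best = None
    for a in range(1, n // 2 + 1):
        b = n - a + 1
        coverage = sum(math.comb(n, i) for i in range(a, b)) / 2 ** n
        if coverage >= conf:
            best = (a, b)  # coverage shrinks as a grows; keep the last pass
    return best  # None: too few readings for this confidence level


def aggregate(attested, regular_used):
    """Median when attested readings are the majority, mean otherwise."""
    pool = list(attested) + list(regular_used)
    if len(attested) > len(regular_used):
        return "median", statistics.median(pool)
    return "mean", statistics.fmean(pool)


# Constructed readings in dBm for one cell.
ATTESTED = [-112.0, -114.0, -113.0]
REGULAR = [-111.0, -115.0, -113.5, -95.0]

if __name__ == "__main__":
    pool, met = select_pool(ATTESTED, REGULAR)
    print(len(pool), met, median_ci_ranks(len(pool)))
    print(aggregate(ATTESTED, pool[len(ATTESTED):]))
```

With these readings the rule stops after two regular nodes, so the outlying -95.0 reading never enters the pool, while five readings are still too few for a 95% order-statistic interval on the median, which illustrates the slide's point that the median needs more data.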

Evaluation

• Hilly Southwest Pennsylvania
• TV transmitter data from FCC
• Terrain data from NASA
• Ground truth: predicted signal propagation using empirical Longley-Rice model
• Takes into account:
  – Transmitter power, location, height, frequency
  – Terrain and distance
• Added aggressive log-normal shadow-fading variations
• Used data to build classifier and evaluate protection against attacks

Results

[Figures: False Outcome Rate; Attack Deterrence Rate (Attested fraction ≈ .25)]

Conclusions and Future Work

• Showed how to use a small subset of attestation-capable nodes to improve trustworthiness of distributed sensing results.
• Proposed methods:
  – Provide quantifiably precise results.
  – Provide effective protection against attacks with a small fraction of attested nodes.
  – Can lower attestation costs for real deployment.
• Future direction: Developing a framework for formulating costs associated with including regular and attested nodes, and systematically striking a balance between the costs (from spectrum data aggregation and remote attestation) and obtaining precise aggregation results.