FP7-ICT-SEC-2009-5
Contract no.: 258754
www.TAMPRES.eu

TAMPRES Deliverable D1.1

Sensor Network Related Requirements

Editor: Carsten Buschmann
Deliverable nature: Report (R)
Dissemination level (Confidentiality): Public (PU)
Contractual delivery date: 31 March 2011
Actual delivery date: 30 April 2011
Suggested readers: Consortium, Research Community
Version: 1.0
Total number of pages: 39
Keywords: sensor networks, security, requirements

Abstract

This deliverable analyzes wireless sensor networks and their applications, as well as resulting requirements and properties that have to be considered when designing security mechanisms for sensor networks. In the first part of this deliverable, requirements are identified: cost, size, computational complexity, storage demands, and power consumption need to be minimized. In addition, scalability, ad-hoc network formation and robustness have to be supported. Most importantly, as sensor networks are often installed in public places, sensor nodes must be able to resist attacks that become possible due to their accessibility. The second part of the deliverable introduces criteria for categorizing sensor network applications: life time, mobility, network size and density, security requirements, accessibility, network structure, and deployment. Finally, three example application scenarios are introduced and described based on the aforementioned criteria: factory automation and process control, temporary border surveillance, and harbour logistics.



Disclaimer

This document contains material, which is the copyright of certain TAMPRES consortium parties, and may not be reproduced or copied without permission.

In case of Public (PU):
All TAMPRES consortium parties have agreed to full publication of this document.

Impressum
TAMPRES - Tamper Resistant Sensor Node

TAMPRES

WP1 “Requirements and Methodology”

Editor: Carsten Buschmann, coalesenses GmbH

Copyright notice
©2011 Participants in project TAMPRES


List of authors

Company            Author
coalesenses GmbH   Carsten Buschmann
IHP GmbH           Steffen Peter


Contents

List of authors
List of Figures
1 Introduction
2 Wireless Sensor Networks
  2.1 Wireless Sensor Nodes
    2.1.1 Commercial-Off-the-Shelf Nodes
    2.1.2 Application-specific Sensor Nodes
    2.1.3 Component-based Sensor Node Platforms
  2.2 General System Architecture
    2.2.1 Memory and memory management
    2.2.2 Radio
    2.2.3 Hardware Accelerators
    2.2.4 Power Supply
  2.3 Sensor Node Software
    2.3.1 Operating Systems
    2.3.2 Protocol Stack
  2.4 Wireless Sensor Networks and their Applications
3 Security
  3.1 Security Attributes
  3.2 Attacker Models
    3.2.1 Attacker Classification
    3.2.2 Attacker Goals
  3.3 Attack Space on WSN scenarios
    3.3.1 Eavesdropping
    3.3.2 Traffic Analysis
    3.3.3 "Hole" Attacks
    3.3.4 Sybil Attacks
    3.3.5 Adding false nodes
    3.3.6 DOS - Denial of service attacks
    3.3.7 Forge Messages
    3.3.8 Message Modification
    3.3.9 Replay Attacks
    3.3.10 Buffer Overflows
    3.3.11 Node compromise
4 Requirements Arising from Wireless Sensor Networks
  4.1 Power consumption
  4.2 Cost
  4.3 Computational Complexity and Code Size
  4.4 Spontaneous Network Formation and Self-Organization
  4.5 Accessibility and Unattended Operation
  4.6 Robustness
  4.7 Scalability
  4.8 Form Factor
5 Application Scenarios
  5.1 Scenario Classification
    5.1.1 Life Time
    5.1.2 Mobility
    5.1.3 Network Size
    5.1.4 Network Density
    5.1.5 Security Requirements
    5.1.6 Accessibility
    5.1.7 Network structure
    5.1.8 Deployment
  5.2 Target Scenarios
    5.2.1 Factory Automation and Process Control
    5.2.2 Temporary Border surveillance
    5.2.3 Harbour Logistics
6 Conclusion
References


List of Figures

1 Different sensor nodes.
2 Application specific sensor nodes
3 Photo of a stacked sensor node platform
4 Typical hardware architecture of a sensor node
5 Software architecture of a sensor node
6 Schematic illustration of a sensor network with a gateway node.
7 Classification of security-related terms
8 Context of attacker motivation
9 Duty cycling and timings of two nodes.


1 Introduction

In this task, special requirements for security that are typical and unique for wireless sensor networks and that arise from application scenarios, deployment numbers and situation, resource, power and form-factor limitations were collected.

This document first gives a brief introduction to wireless sensor networks, highlighting the most important properties and limitations. Then, an overview of security primitives is given. Based upon these, requirements for protocols, algorithms and technologies for wireless sensor networks are elaborated, both in a general sense as well as with particular consideration of security. They are intended to serve as development guidelines in TAMPRES, minimizing potential conflicts between security and other development targets.

Then, criteria for categorizing applications are proposed and described. After that, three target scenarios are defined that are chosen to cover a broad range of wireless sensor network applications. By evaluating their properties with regard to the application criteria, their coverage in terms of manifold applications can be judged. They are intended as an application background for TAMPRES: By evaluating the applicability of developed security mechanisms in the proposed scenarios, their usefulness in a large number of different applications can be ensured.


2 Wireless Sensor Networks

Because wireless sensor networks and their special requirements when designing security mechanisms play an important role in this document, this section gives a short introduction to sensor networks.

2.1 Wireless Sensor Nodes

Wireless sensor networks consist of so-called sensor nodes (short: nodes). These devices comprise a processor with memory for code and data, a wireless transceiver, sensors and a power source or reservoir.

Sensor nodes are often used in places that do not provide constant mains power. Hence, they commonly operate from a battery. Even though they might be supported by a power harvesting facility like a solar cell, energy is an extremely scarce resource. As a consequence, minimizing power dissipation is of great importance. Consequently, low power controllers and radio chips are commonly employed, limiting computing power and storage memory to a minimum. Also, the data transfer rate is relatively low.

2.1.1 Commercial-Off-the-Shelf Nodes

Today, a number of Commercial-Off-The-Shelf (COTS) sensor node systems have been developed and marketed commercially or for research purposes. In the following the major platforms are discussed briefly. A more extended review of wireless sensor network node technologies is provided in [43].

(a) UC Berkeley Mica2. (b) FU Berlin ESB430/1. (c) IHP TSN

(d) MoteIV tmoteSky. (e) Scatterweb Scatternode. (f) coalesenses iSense.

Figure 1: Different sensor nodes.

The Mica node family developed by UC Berkeley [21, 38] (Figure 1(a)) comprises an 8-bit processor with 2 kB of RAM and 128 kB of flash running at 4 MHz and a 916 MHz transceiver that offers a data rate of 19.2 kBit/s. Later, the FU Berlin developed the ESB430/1 [22, 71] (Figure 1(b)). Its 16-bit processor, including 5 kB RAM and 60 kB flash, also operates at 4 MHz; its transceiver offers a data rate of 19.2 kBit/s, too. Significantly more modern are the devices that were also developed in Berkeley under the name TelosB [65, 58] and are now sold by memsic (Figure 1(d)). The data transmission rate was increased to 250 kBit/s; its 16-bit processor runs at 8 MHz and offers 10 kB of RAM and 48 kB flash.

Figure 2: Application specific sensor nodes: a) a node applied in a firefighter monitoring project, b) a node as it is applied in the water monitoring application (note: the image of the node is scaled down; with its strong radio it is larger than the other two), c) a prototype node with a 32-bit application-specific microcontroller.

The Scatternodes [70] (Figure 1(e)) were developed for commercial applications. They offer an extended communication range at the cost of a reduced data transmission rate. Their processor offers 5 kB of RAM and 50 kB of flash. Like the Telos, the iSense nodes from coalesenses build upon the IEEE 802.15.4 standard for communication. Working in the 2.4 GHz band, they also offer a data transmission rate of 250 kBit/s.

Future miniaturization might lead to nodes shrinking to a few cubic millimetres [29, 83]. Such Smart dust could be employed in a large number of application scenarios. First steps in this direction were made with the so-called Spec node [40]. It combines all features of a Mica sensor node in a single chip. Although this was celebrated as such, it has to be noted that this is not exactly a major breakthrough: other manufacturers also offer chips that integrate controllers and wireless transceivers.

2.1.2 Application-specific Sensor Nodes

Standard sensor node platforms are beneficial for building test networks. In many applications they are sufficient to work in practice. However, many application scenarios have requirements that cannot be covered by standard nodes. Reasons may be dedicated radio requirements, form factors, specific memory configurations, the need for dedicated circuits to reduce energy or accelerate operations, but also high security requirements that demand tamper resistance or cryptographic hardware accelerators.

Examples of such dedicated nodes developed at IHP [41] are shown in Figure 2. Figure 2 b) shows a node which is applied in the pipeline monitoring application. In this scenario a small form factor is not as important as robustness, a long lifetime without changing batteries, and the possibility to send over long distances. Therefore the node has a powerful 868 MHz radio able to send with up to 500 mW sending power and a strong battery. The Lithium Size D battery can be recognized in the opened weather-resistant housing of the node depicted in Figure 2 b). The microcontroller is an MSP430 with 16 kB internal RAM and 256 kB internal flash memory. The node has no external non-volatile memory, reducing the risk of extraction of sensitive data from the nodes, which are deployed in the unprotected field.


Figure 3: Photo of a stacked sensor node platform: small boards for sensors, communication, and data processing are plugged to a sensor node.

Figure 2 a) is a node applied in the Feuerwhere application. The nodes have a smaller form factor, but the major difference is the availability of redundant radios, allowing them to send in the body area network and to the control center concurrently, exploiting the beneficial radio properties of 2.4 GHz radio and 868 MHz radio, respectively. The nodes also contain the 16-bit MSP430 microcontroller, while the external flash of 4 MB and many connectors for a diverse set of sensors increase the general flexibility of the nodes.

The node depicted in Figure 2 c), based on the work presented in [62], contains a more powerful 32-bit MIPS processor with embedded accelerators for network protocols and cryptographic operations. While overpowered for traditional sensors, this sort of node can be used as a head in clusters of the network or operate as a sink. The hardware acceleration of protocols reduces energy by up to three orders of magnitude for specific operations and thus increases the lifetime of the nodes, while it is still possible to process data of many nodes of the cluster or in the network. The disadvantage of such application-specific integrated circuits (ASICs) is the increased cost due to engineering and manufacturing of the ASICs.

2.1.3 Component-based Sensor Node Platforms

Modularized sensor node platforms emerge as a potential answer if individually developed dedicated sensor nodes are too expensive, but off-the-shelf nodes do not provide the required flexibility. A system of stackable function layers (computation, communication, power supply) has been presented in [66] went even further and equipped the layers with FPGAs (Field Programmable Gate Arrays), allowing hardware acceleration without the need for manufacturing silicon.

Microsoft Research followed a similar approach in their mPlatform [50]. It includes reconfigurable hardware to adapt interface protocols between different layers of the platform. It extends the possibilities of connecting different service layers.

An example of a configurable sensor node platform developed at IHP is shown in Figure 3. There, communication, computation, sensing and power supply are on individual layers that can be connected to a physical stack. In theory the extended design space provided by such modular systems is promising. It is possible to execute specific security-related operations on a dedicated tamper-resistant layer on such a stacked system. However, expensive sockets and a complex design space for integrators are significant disadvantages of this technology.

2.2 General System Architecture

Basically all sensor nodes follow the same general architecture, which is depicted in Figure 4. Inside the microcontroller is a microprocessor connected to a system bus that also connects RAM, flash and several ports internally. The ports allow access to sensors, actuators and external memory units.

2.2.1 Memory and memory management

Commonly, the memory is divided into two sections: a relatively slow, non-volatile part that commonly uses flash technology and is used for storing code and static data, and a fast but volatile part (RAM) for storing data when the node is in operation. Unlike in PCs, the RAM in sensor nodes is not dynamic RAM but static RAM (SRAM). Since SRAM is relatively large in silicon and expensive, it is kept as small as possible. Clearly, the 4 kBytes available in the mica nodes is a design challenge for software developers.

The amount of non-volatile flash memory for most nodes is more relaxed. It is also common practice to extend it with external flash memory blocks connected to the ports of the microcontroller. Of course, a sensor network designer should bear in mind that external non-volatile memory can easily be accessed by potential data thieves.

Figure 4: Typical hardware architecture of a sensor node: processor, internal memory and ports are integrated in the microcontroller. Sensors, actuators and external memory are connected over the ports. Radio and hardware accelerators may be integrated on the controller or on the board.

Sensor nodes are usually not equipped with a memory management unit (MMU) or a memory protection unit (MPU). In larger processors such units are applied to protect memory regions, manage memory attributes, overlapping protection regions and access permissions. Thus, they can be used to separate processes and tasks, and enforce access rules. To keep the system simple and to reduce area and energy consumption, such MMUs and MPUs are avoided in WSN nodes. This leaves the nodes vulnerable to potential attacks exploiting the lack of memory protection.

2.2.2 Radio

For most of today's sensor nodes the radio transceiver is not part of the microcontroller. This allows the microcontroller to be combined with the right radio for each application. Standard radio transceivers for current sensor nodes are the sub-GHz TI CC1100 [78] and the TI CC2420 [42], which uses the 2.4 GHz band.

Recently chip manufacturers have presented integrated solutions such as the TI CC430, which combines the MSP430 microcontroller and a sub-GHz radio in one core, or the ATmega128RFA1 [19], which combines an ATmega128 microcontroller and a 2.4 GHz radio.

2.2.3 Hardware Accelerators

Hardware accelerators are applied to execute specific operations faster and usually significantly more energy efficiently. The disadvantages of such accelerators are the lack of flexibility and the increased costs to manufacture the circuits in silicon. Typical operations that are worth accelerating with dedicated units concern network access and cryptography.

Several design options exist for placing the accelerators. [46] extended the instruction set of a processor to accelerate cryptographic operations. That is the most invasive sort of extension. [62] presented a solution that added units to accelerate cryptography and network operations in the microcontroller, but left the actual processor untouched. Accelerators connected outside the microcontroller are realized, for example, in specific radio transceivers such as the TI CC2420, which already contains an AES encryption unit. Indeed, transmitting sensitive data over unprotected buses on the board seems to be ill-designed for many WSN scenarios, but it is common practice. Anyway, such design decisions are correct if the application scenario does not permit attacks that can exploit such a weakness.


2.2.4 Power Supply

WSNs are usually battery powered. The most common off-the-shelf sensor nodes, such as Mica2, MicaZ and TelosB, are equipped with 2 alkaline AA cells. The rated capacity of an AA alkaline battery is about 2500 mAh [64]. Smaller nodes like the Mica2Dot are powered by a CR2354 lithium coin cell battery. The rated capacity of such a cell is 560 mAh [35] and thus only about a tenth of the double AA setup. To ensure a long lifetime of the nodes, batteries such as the Tadiran SL-2880 [77] provide up to 19 Ah at 3.6 V, which is about ten times the energy of the double AA pack. They are well suited for long-lasting networks such as the water pipeline monitoring application. However, the benefits are traded off for a significantly higher price and the larger size of the batteries.

It can be seen that the selection of the power supply affects the suitability of the nodes for specific applications.

2.3 Sensor Node Software

While the sensor node hardware has great importance, the actual functionality of the network is described as software running on the nodes.

2.3.1 Operating Systems

Several dedicated operating systems (OS) for WSNs have been developed during the last few years. TinyOS is the de-facto standard operating system in the WSN research community. Other operating systems for WSNs are Contiki and Reflex, just to name a few. For a full list see [68]. In some cases, more powerful wireless sensors use a lightweight Linux-based OS.

TinyOS [48] is an open source operating system designed specifically for WSNs at U.C. Berkeley. It is a component-based operating system that strictly uses the event-driven design paradigm. The event-driven nature of the OS is proven to be efficient for a large class of WSN applications.

A major advantage of TinyOS is the minimal code size. Since the operating system is nothing more than a set of components that are bound at compile time to a fixed application image, no unused code or operations remain in the software on the nodes.

In order to enable the component-based design, TinyOS not only has a clear definition of software interfaces but also a well-defined Hardware Abstraction Architecture. This makes writing platform-independent applications and adding new hardware platforms a simpler task. TinyOS uses a dedicated component-based programming language, nesC [33].

Reflex [82] is an operating system for WSNs developed at the BTU Cottbus. It is strictly event flow based, but follows the object-oriented programming paradigm, which is emphasized by the usage of C++ as programming language.

Contrary to TinyOS, Reflex has an explicit kernel layer, containing interrupt handlers and a scheduler. On top of the kernel it has libraries which provide the event-flow mechanisms that can be used by the application. Objects in Reflex are considered as activities that can be configured using the system scheduler. In fact the activities logically replace threads. The scheduler receives interrupts from components or timers and calls or continues the activities. Since Reflex is, as a result, a single-threaded operating system, it manages to run on a single stack, which reduces the amount of system memory needed.

The program overhead is additionally reduced by compiling kernel, services and application to one system image.

The objects are similar to classic components and allow reuse over standardized interfaces of the object. Currently the number of available components for Reflex is still rather low.

Contiki [26] is another open source operating system for WSNs. It has been well recognized by the research community but also by industry. Contiki allows programming WSN applications in plain C. It is multi-tasking ready and still promises to be memory-efficient. It also contains many powerful services such as a full Internet-compatible IP stack, which improves the interoperability with standard networks.

Applications in Contiki are defined as processes which run on top of the kernel. Contrary to most other OSs for WSNs, processes and services can be loaded and changed at runtime.

Similar to the concepts in Reflex, processes are called by a scheduler which is triggered by events. Processes are not preempted by the scheduler. As a result the OS does not need to care about variables and states of the processes – a concept called protothreads [25].


Figure 5: Typical software architecture of a sensor node: An application uses an optional middleware layer to use the network and the services, which access the hardware over a hardware abstraction layer.

However, the disadvantage of the system services and the fixed system kernel is that “Contiki’s event kernel is significantly larger than that of TinyOS” [26].
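The non-preemptive process model described above for Contiki can be sketched in C with switch-based continuations: each process stores only its resume point and runs until it waits, so all processes share one stack. This is an added example, not code from Contiki or from the deliverable; the PROTO_* macros, the node structure and the sensor readings are hypothetical names and constructed values.

```c
#include <stdio.h>

/* Hypothetical macros for this example (not Contiki's API). A process keeps
 * only its resume point; the C stack is unwound every time it waits. */
typedef struct { int resume; } proto_t;
enum { PROTO_WAITING, PROTO_DONE };

#define PROTO_BEGIN(p) switch ((p)->resume) { case 0:
#define PROTO_WAIT_UNTIL(p, cond)                         \
    do { (p)->resume = __LINE__; case __LINE__:           \
         if (!(cond)) return PROTO_WAITING; } while (0)
#define PROTO_END(p) } (p)->resume = -1; return PROTO_DONE

#define SAMPLES 3
static const int READINGS[SAMPLES] = {20, 22, 24}; /* constructed samples */

struct node {
    int timer_fired, data_ready;   /* event flags set by "interrupts" */
    int i, sum, mean;              /* sampler state: must live off the stack */
    int sent_value, packets_sent;  /* what the radio process transmitted */
};

/* Takes one reading per timer event, then publishes the mean. The loop
 * counter is in struct node because a stack local would be lost at each wait. */
static int sampler(proto_t *p, struct node *n)
{
    PROTO_BEGIN(p);
    for (n->i = 0; n->i < SAMPLES; n->i++) {
        PROTO_WAIT_UNTIL(p, n->timer_fired);
        n->timer_fired = 0;
        n->sum += READINGS[n->i];
    }
    n->mean = n->sum / SAMPLES;
    n->data_ready = 1;
    PROTO_END(p);
}

/* Waits for the aggregated value and "sends" a single packet. */
static int radio(proto_t *p, struct node *n)
{
    PROTO_BEGIN(p);
    PROTO_WAIT_UNTIL(p, n->data_ready);
    n->sent_value = n->mean;
    n->packets_sent++;
    PROTO_END(p);
}

/* Event-driven scheduler: every call runs a process until it waits or ends.
 * Nothing is preempted, so no per-process context has to be saved.
 * Returns the number of simulated timer ticks that were needed. */
int run_node(struct node *n, int max_ticks)
{
    proto_t ps = {0}, pr = {0};
    int s = PROTO_WAITING, r = PROTO_WAITING, ticks = 0;

    while ((s != PROTO_DONE || r != PROTO_DONE) && ticks < max_ticks) {
        n->timer_fired = 1;            /* simulated timer interrupt */
        ticks++;
        if (s != PROTO_DONE) s = sampler(&ps, n);
        if (r != PROTO_DONE) r = radio(&pr, n);
    }
    return ticks;
}

int main(void)
{
    struct node n = {0};
    int ticks = run_node(&n, 10);
    printf("ticks=%d packets=%d value=%d\n", ticks, n.packets_sent, n.sent_value);
    return 0;
}
```

Because the processes share one stack and one address space, the isolation between them rests entirely on programmer discipline, which ties in with the missing MMU/MPU noted in Section 2.2.1.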

2.3.2 Protocol Stack

Figure 5 shows a general abstracted software architecture of a sensor node: Below an application component is an optional middleware layer abstracting from the services below. Services can be general services or network services, which are emphasized due to their importance for WSNs. The services may use a Hardware Abstraction Layer (HAL) to communicate with the hardware components.

Application: The application is one layer or one component that manages the node. It controls the access to sensors and actuators, and coordinates the communication and services. As discussed earlier in this chapter, there are relatively few general types of applications. The differences appear in the usage of the application by the user and in particular in the services the application uses.

Network services: The network services are basically a radio stack that takes care of sending and receiving data of the nodes using a wireless radio channel. It can be considered as the interface between the application and the network consisting of all other nodes. Technically the radio stack is a connection between the application and the radio hardware. This service is realized by network protocols which provide abstractions from the physical radio. The protocols include Medium Access Control protocols, routing and forwarding, and transport protocols. The tasks of these protocols are similar to the tasks in traditional networks. In contrast to the Internet, where IP is the dominating standard, WSNs do not have a fixed network standard. Thus the network stacks are flexible and application-specific. For small networks even routing is not needed: then the nodes simply broadcast their messages. The network design space is huge. [2] alone lists 22 routing protocols for WSNs.

Services: Besides the network, a sensor node has many other services, usually covered by the operating system. The services include timers, memory storage, system drivers, but also higher level services like cryptography, code management operations, clock synchronization, random number generators. For most services several design alternatives are available, mostly not affecting functional aspects of the application but their quality.

Middleware: Middlewares are means to provide abstraction from technical details for the application designer. The extent of the middlewares may vary from thin adaptation layers to middleware concepts that include a significant subset of the services. Abstractions may be node [47] or network abstractions [8], database concepts [36], [51], or storage abstractions [63], [34]. They are considered as key to improving programmability and usability of WSNs. Their impact on security and trustworthiness of WSN systems is rather limited since these aspects commonly are not respected in today's WSN middleware approaches.


2.4 Wireless Sensor Networks and their Applications

The basic idea of sensor networking is that a large number of sensor nodes monitor a particular phenomenon. In this way, the object of interest can be observed in-situ, i.e. in its natural environment. By instrumenting objects of everyday life, they can be converted into smart objects that have a perception of their surroundings and are able to communicate with other smart objects. In this way, the real world and the virtual world can be linked together, keeping the data representations of things synchronized with the real world state. By this, sensor networks form an integral part of the Internet of things (IoT) in the Future Internet. The sensors will deliver the basic measurement data connected systems depend on.

Unlike classic measuring systems, wireless sensor networks often include intelligent protocols that allow spontaneous network formation. Instead of being configured manually by the user, the devices use self-organization mechanisms to automatically form a network. In this way, the installation effort is minimized. Devices can be added or removed at any time during operation of the network. Hence, wireless sensor networks are of special advantage in application areas where a lengthy installation is difficult, expensive or impossible.

Wireless sensor networks are ad-hoc networks by nature. There is no strict division into end devices and routers that forward data. Instead, each device takes both roles: on the one hand, it generates data and injects it into the network, on the other it forwards data packets from other devices to their destination devices.

Wireless sensor networks profit from their nodes' ability to cooperate: in this way, data from different sources can be correlated, aggregated and augmented with context information like time or location of acquisition. This however requires that the nodes are context aware [54]. Using such mechanisms, e.g. a series of temperature measurements could be aggregated to a mean value over a certain time interval, or object detections from different sensor nodes can be aggregated into the trajectory that the object followed. This approach is called in-network processing [28] and helps to minimize the communication load in the sensor network, as many separate measurements are aggregated locally into higher level information with a compact representation.

In many application scenarios, such event information is then forwarded to a gateway node that interfaces with other wide area networks (WAN) [67].

Figure 6: Schematic illustration of a sensor network with a gateway node.

Figure 6 shows a schematic depiction of a sensor network and its interaction with the outside world: A number of nodes are deployed in the area of interest and monitor physical properties of their vicinity with their sensors. The acquired raw data is exchanged with neighbouring nodes using the automatically formed ad-hoc network. Data is aggregated, augmented with context information and then forwarded to the gateway node, which in turn sends the data over a wide area network like the Internet to a monitoring and command centre that logs data in a database, notifies users of special events like alarms, etc.

In such a setting, the main data flow goes from the sensor nodes to the gateway node, which is hence often called the sink. Instead of interacting with the sensor network via the gateway, users can of course also interact with the network locally. This can be done using portable handheld devices with a wireless communication interface that is compatible with the one used by the sensor nodes.

While the described scenario is static in itself, the communication relationships will be dynamic anyway: because of the volatile nature of wireless links due to changes in the environment, communication relations between nodes can appear and vanish over time without nodes changing place. In addition, some or even all nodes can be mobile, e.g. if sensor nodes are attached to moving objects such as containers.

Sensor networks are not necessarily composed of just a few nodes. Especially in combination with ongoing miniaturization and falling prices, networks consisting of hundreds or thousands of nodes are predicted. As a consequence, scalability is an important property that all employed protocols and algorithms should exhibit [28].

The literature points to a vast number of application scenarios; examples are:

• glacier monitoring [27, 53],

• fire detection in forests [87],

• smart metering in private or commercial facilities [15, 57],

• voting systems [86],

• remote monitoring of elderly or ill persons [9, 16, 74],

• intrusion detection and protection from trespassing [84, 5],

• structural health monitoring of infrastructures like bridges [45, 61, 44, 17],

• surveillance of military combat areas [11, 14],

• wildlife and habitat monitoring [52, 76, 75, 7, 88].


3 Security

Besides the basic functionality, security is certainly one of the main aspects in the development of wireless sensor networks. However, security is a non-functional system property that is non-tangible and cannot be measured directly. Thus engineering security, even for standard IT systems, is a highly complex task without a silver bullet. WSNs are additionally challenged by the high diversity of potential attacks and the limited resources sensor nodes have to protect themselves. Therefore, this section not only provides an overview of security objectives, threats and measures, but also describes specific attacks and the motivation behind these attacks in the domain of WSNs.

3.1 Security Attributes

A significant problem of security engineering is that even fundamental terms are not clearly defined. Even the term security is not defined unambiguously. [37] considers it as the absence of unauthorized access to a system, while most researchers [6] [4] consider security as a composite of other security-related attributes. More general definitions relate security to the degree of protection against dangers and loss. However, the actual meaning varies with environment, involved people, perspective and goals. While for politicians security depends on international relationships, and for cars security concerns the safety of the passengers, for computer systems security is mostly about dependability and data protection.

The literature [6] [30] considers security as a composite of primary and secondary attributes. The primary attributes are confidentiality, integrity and availability:

Confidentiality is the absence of unauthorized disclosure of information. It means that unauthorized subjects should not be able to access sensitive information. In many sensor network applications sensitive data is gathered. For instance, in health care and in industrial applications data confidentiality is of utmost importance. In some military and homeland security application scenarios it could be a goal to conceal the presence of the network. Concealment, Privacy and Secrecy are rather technical refinements of the term Confidentiality. Anderson [4] and Hasselbring [37], among others, discussed partially conflicting views on the terms. In this document they are used as synonyms.

Integrity is the prevention of unauthorized modification, amendment, or deletion of information. If an unauthorized subject performs such actions, the invalidity of the information should be detected. Since gathering of data is the primary objective of most WSNs, ensuring the correctness of the collected information is the most important security concern. Corrupt data may render a network useless if its task is to collect reliable data. This is true even for habitat and animal monitoring networks, which generally have low security requirements. However, data integrity becomes imperative in applications that use the data for active control, for instance industrial or agricultural automation.

Availability is the ability to ensure that system and information are readily accessible at all times within the required parameters. Availability does not concern data but the services. It means that no natural or intentional event should affect the readiness of the system to operate correctly. In WSNs availability is particularly important in applications that need the sensor input to monitor the health status of people. For example, in the firefighter monitoring scenario the data should be transferred correctly even in a harsh environment with high temperatures and presence of water and dust.

The research community agrees on these three primary security attributes. Additionally, secondary attributes are described to extend, refine, or combine the primary attributes. The most common secondary security attributes are [6] [23]:

Authentication is the ability to ensure that the source of information is accurate and unchanged. Basically it is the integrity of the source. Authentication is important in all WSNs. Without a certain degree of authentication everyone could access and reprogram the network.

Authorization checks whether the peer has permission to conduct some action. The check is based on authentication, while the restricted operation may affect the confidentiality or the availability of the system. Authorization becomes important in WSNs with multi-user access levels, for example when operators are allowed to configure the system while users may only use specific services.

Non-Repudiation is the undeniability of an action. Currently Non-Repudiation is no major concern in WSN applications. This property may be important for future applications that include monetary services in the WSN or if the sensor readings are used for forensic data gathering to support insurance companies after accidents.

In addition to the information-centric security terms, many security attributes concerning the correct behavior of the system have been proposed. A set of behavioral attributes to realize trustworthiness is discussed in [37]. They are:

Safety is the absence of harmful environmental consequences. It means that the network system including the monitored or controlled infrastructure must not effect events that could cause significant physical damage. Safety in WSNs becomes more important in actuator networks and in networks that actually control machines. Due to the physical real-world effects, safety cannot be expressed entirely as part of the IT system. However, a secure IT system is a precondition for a safe system.

Correctness is the absence of improper system states. Further, a correct system works as it was specified, while each possible state was specified. This attribute mainly refers to the correct implementation of the system.

Reliability is the ability of the system to provide the required service consistently without degradation or failure. While Correctness refers to the correct implementation, Reliability describes the correct execution. Since the correct implementation is a prerequisite for the correct execution, Correctness is just a specific partial aspect of Reliability. Availability as described above is also a partial aspect of Reliability, because Reliability requires the consistent service as it is defined for the Availability quality.

Performance describes the response time, throughput, and other time- and speed-related quality aspects. Performance is basically related to Availability and Reliability, because as soon as the required performance is not met, the availability requirements are not fulfilled.

Trustworthiness and Dependability: Trustworthiness is the assurance that a system will perform as expected. Anderson [4] described a trustworthy system as a system that won't fail. Dependability is used similarly to trustworthiness. In [6] it is described as a composition of Availability, Reliability, Safety, Integrity, and Maintainability. For both Trustworthiness and Dependability, information security is a prerequisite.

As a result of this description, Safety and Trustworthiness are terms that are out of scope of IT security. Reliability is a superclass for availability, performance, and correctness, which qualifies Reliability as a primary security attribute.

Applying the terms danger and loss to information technology, we can state that security is the protection against the danger of an unintended behavior of the system, and protection against loss of information. Following this definition, the correct behavior of a system can be secured if it is ensured that no event can bring the system into an undesired state. The loss of information can be prevented if all outgoing information is protected against the loss.

Since events can be caused both inside and outside the system, this leads to three sub-classes:

• ensuring that outgoing information cannot be misused

• ensuring that incoming information is correct

• ensuring that the system does the right things with the information

This basically corresponds to the three primary security attributes Confidentiality, Integrity, and Availability. Other data-centric security attributes can basically be inferred from confidentiality and integrity as described above. However, to highlight the requirements concerning behavioral correctness of the system we replace the term Availability with Reliability. It is our understanding that availability is required for a reliable service. This extends the classic view on data-centric security by behavioral aspects such as correctness and assurance of qualities.

Figure 7: Classification of security-related terms: The security objective can be decomposed into Confidentiality, Integrity, and Reliability, which each describe distinct objectives and can be decomposed into other attributes.

Figure 7 illustrates our security term convention: Security is the superclass of the security objectives Confidentiality, Integrity, and Reliability. Each objective describes a distinct property of the system. Each of the three objectives has similar or derived terms. They are shown in the bottom row of the table.

3.2 Attacker Models

3.2.1 Attacker Classification

A substantial task in protecting computer networks against attacks is to understand the motivation of an attacker. The notion is that attackers with different motivations react differently to countermeasures and the risk of exposure. A review of different attacker motivations for traditional computer networks is given in [69]. The authors divide attackers into seven groups, ranging from Amateurs/Script Kiddies over Malware developers to Criminals and State-Sponsored Hackers. While in PC systems amateurs have become a lesser threat due to the higher complexity and improved level of security of the systems, WSNs practically invite amateurs because of their low level of security and the relatively low complexity of the systems.

Severe hardware constraints of WSNs are the reason that systems and software are usually kept as simple as possible, which allows even amateur attackers to understand how the system works. The simplicity of the sensor nodes additionally makes it possible to attack such a device with much smaller and less expensive tools and machines. Also, the level of security in most WSNs is kept rather low in order to reduce the computation and communication overhead. This is particularly true for network logging and intrusion detection. Since it is possible to attack a network without using standard telecommunication access points, the risk of being detected is additionally reduced.

3.2.2 Attacker Goals

While the literature is rich in classifications of attacker groups and their general motivation, there is relatively little focus on the actual goals. Mostly it is implied that attacks aim at stealing or disclosing protected data. However, possession of data or eavesdropping on secret information is only one of many possible goals. While the attacker goals basically depend on the actual application and environment, we can still classify general attacker goals that are valid in WSNs:

Disclosure of information: Attackers may be interested in extracting actual data, but also information about network activity or the existence of the network. Disclosure of information may be the actual target or only a partial goal in implementing a more complex attack scheme.

Figure 8: Context of attacker motivation: The attacker motive contradicts a security goal, while the attacks realize the motive and thus the violation.

Possession of nodes: Getting access to a computer system is an attack already known from standard networks. There, computation power can be used for extensive computation operations, e.g. for breaking passwords or codes. Hijacked systems can also be used as a proxy, either as a relay to other trusted systems or for coordinated distributed attacks. While exploiting computation resources of WSNs can be neglected due to the limited resources, exploiting trust relations in a network is a feasible scenario. With respect to amateur hackers, access to sensor nodes allows them to do fancy things with the nodes, for example changing LED configurations to demonstrate what is possible, or using sensors on the nodes for private projects.

Possession of nodes can be differentiated into physical possession and logical possession. Physical possession allows an adversary to steal the node or tamper with the hardware. The effect of logical possession concerns changed behavior, typically achieved by reprogramming.

Disruption of the network: One potential attacker goal is the destruction of nodes or the network. The actual motivation may vary between vandalism and directed attacks. The means may also vary, from physical destruction of nodes to logical disruption of the communication channel.

Harm to the monitored infrastructure: If the WSN actively influences the controls of a system, the attack on the WSN may be a means to harm the actual infrastructure. An example is the agriculture scenario. There, competitors could have a motivation to spoil the harvest of neighbors to increase the market price. In industry automation systems, manipulation of the control system may have a severe impact on the entire facility.

Forging events: In a water pipeline monitoring application a just-for-fun attacker could forge events pretending a hazard just to watch the maintenance team trying to fix a non-existent error. The same is conceivable for automatic fire detection in forests.

Change of stored events: If data is stored in the WSN, attackers may be interested in changing the data. For instance, information in a WSN that records the status of a road could be manipulated to hide misbehavior in a post-accident investigation [10].

Selective forwarding of information: If an adversary is in control of a communication path, packets may be forwarded or dropped deliberately. For example, a trespasser is interested in dropping alarm messages indicating the intrusion.

Personal challenge/prestige: To some extent hacking has always been a sort of competition. Hacking a real-life system is exciting and can increase the social status in the peer group, so that it is clearly an incentive for the attacker.

The attack motivations clearly contradict possible security goals of the system, but they are no actual violation. Attacks are required to realize the attacker goals. Figure 8 illustrates the connections. In this context it is important to note that attacks are motivated and need the motive to be executed. Knowledge about potential motives is important to understand the actions of the assumed attacker and to decompose the motives into actual attacks. Tackling security by resolving the motives is a theoretical approach that most likely will not work in practice. Maybe social campaigns and strong prosecution of hacking and destruction attempts can help to reduce the motivation, in particular for amateur hackers. In any case, a technical solution is preferable. It needs an understanding of the actual attacks, which will be addressed in the following section.

3.3 Attack Space on WSN scenarios

The previous section introduced the general security goals of sensor network applications as well as the motivations of the attackers. In this section these general terms will be mapped onto practical attacks on WSN applications. Basically, attacks on sensor nodes are classified into active and passive attacks:

Passive Attacks: These are the most important attacks. The adversary does nothing but listen to the transmitted packets. The primary security goal is that such an adversary is not able to gain any information by simple eavesdropping. Due to the passivity of the adversary such attacks are not detectable. With well-designed antennas and powerful receivers, passive attacks can be executed from a significantly larger distance than the actual extent of the sensor network.

Active Attacks: This kind of attack assumes that the adversary is able to interfere with the communication (i.e. to catch, destroy, modify, and send packets) or with the nodes. Executing such attacks typically needs more resources and knowledge than passive attacks. Active attacks are detectable. As for the passive attacks, with powerful equipment attackers may execute their attacks on the radio at a large distance from the network. Attacks on the nodes naturally require close distance and thus are easier to detect and to defend against.

In the following, typical attacks on WSNs are described briefly. Only the first two sorts of attacks are passive, while the other attacks are active attacks.

3.3.1 Eavesdropping

Eavesdropping is the most common passive attack. It refers to listening to the communication in the network with the goal of extracting classified information. The attack is often connected with decoding and deciphering of the messages. Eavesdropping is also a precondition for most other attacks where knowledge about the status of the WSN is needed to perform the attack.

3.3.2 Traffic Analysis

Traffic analysis basically is a specific eavesdropping attack that does not eavesdrop on the content of data packets but has the goal of extracting valuable information from the presence and timing of such packets. In particular for event-driven systems, the presence of an event may reveal exploitable information. For example, a perimeter control that only sends alarms in case movements have been detected reveals valuable information to trespassers when a packet is sent. It is either a warning or tells the adversary which packet should be stopped from transmitting (either by jamming or selective forwarding). Traffic analysis can also be valuable to detect network structures and to identify important routing nodes. Such nodes are a valuable target for node compromising attacks.

3.3.3 “Hole” Attacks

The sinkhole and wormhole attacks are active attack techniques executed from inside the network. The attacks compromise the routing structure in the network with the aim of attracting as much network traffic as possible to a node which is controlled by the attacker. In a sinkhole attack the attacker attracts the network traffic by sending forged routing messages. In wormhole attacks additional routes over faster links are embedded in the network by an attacker. Vulnerable routing protocols use the new powerful link (the wormhole) to improve the total network performance. The problem is that the attacker has control over the link and can eavesdrop on packets and control forwarding, but can also easily change or replay packets.

3.3.4 Sybil Attacks

In Sybil attacks [59] an attacker node takes on multiple identities to tamper with fault-tolerant or distributed algorithms. For instance, reputation-based algorithms can be compromised by “ballot-stuffing” to improve the reputation of a specific node, or by “bad mouthing” to reduce the reputation of other nodes. Routing protocols may be vulnerable to attacks in which many nodes inject faulty routes. In such a scenario the Sybil attack may be used to enable other attacks, e.g. sinkholes.

3.3.5 Adding false nodes

Adversaries may add nodes to the network that at first behave like normal sensor nodes but pursue the target of executing malicious actions, such as injecting wrong readings or affecting the network traffic. Added nodes may be stronger than actual sensor nodes and thus are able to perform more complex attacks from the inside of the network.

3.3.6 DOS - Denial of service attacks

Denial of service attacks are basically attacks on the availability or reliability security attribute of WSNs. A variety of DOS attacks are conceivable and have been discussed in the literature [85].

Physically destroying the nodes: If the nodes are reachable for an attacker, it is easy to destroy them to stop the service.

Jamming the radio channel: Jamming fulfills the attacker goal of DOS in two ways. First, since communication over the radio channel is a fundamental requirement for WSN networks, a jamming attack can stop this communication and thus can stop the service. Second, processing of the additional radio packets may need a significant amount of energy and will shorten the battery lifetime of the nodes.

Tampering with the network routing: An attacker who can influence the radio packet routing in the network is able to isolate nodes by not forwarding their messages. The nodes become invisible to the network and the network becomes unusable for the nodes, which results in a DOS. The attack is likely in WSNs because every sensor node may be a routing node.

Resource exhaustion: A better-powered attacker (e.g. a laptop attacker) can request services continuously, depriving the nodes of the possibility of sleeping. This will reduce the lifetime of the node and thus affect the time of service. A special variation of this sort of attack is an algorithmic complexity attack, in which the nodes are asked to solve complicated tasks that need complicated processing [20].

3.3.7 Forge Messages

Attackers may be interested in the creation of messages and packets in order to inject false information. This information can be actual data but also control information which affects the data flow in the network. For example, false routing packets can support “hole” attacks.

3.3.8 Message Modification

Similar to forged messages, existing messages may be changed. This modification can be a change of data content. For instance, a periodic packet at a border control could be changed from one detected event to zero detections. Many stream cipher encryption approaches are vulnerable to this sort of attack: it is not possible to forge a new message, but it is possible to modify an existing valid message. This sort of message modification typically needs to delete the original message, which requires either intelligent active jamming attacks [1] or control of routing nodes in the network.

3.3.9 Replay Attacks

Replay attacks concern the malicious resending of previously sent packets. In WSNs this means a regular packet is sent at the wrong time. This attack works in applications that use encryption or integrity codes without including sequence or time information.
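The weaknesses described in 3.3.8 and 3.3.9, and the usual countermeasure of an integrity code that covers a sequence counter, as an added example that is not part of the deliverable. The keys, the packet layout, the 8-byte truncated tag and the SHA-256-based toy keystream are assumptions made for illustration; the payload is constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo keys (assumption); real nodes would hold provisioned link keys.
ENC_KEY = b"constructed-demo-encryption-key"
MAC_KEY = b"constructed-demo-integrity-key"
TAG_LEN = 8  # truncated tag length, an assumption to keep radio frames short


def keystream(counter: int, length: int) -> bytes:
    """Toy keystream from SHA-256(key || counter || block); stands in for a stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + struct.pack(">IH", counter, block)).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_encrypt_only(counter: int, payload: bytes) -> bytes:
    """Weak format: 4-byte counter + stream-cipher ciphertext, no integrity code."""
    return struct.pack(">I", counter) + xor(payload, keystream(counter, len(payload)))


def open_encrypt_only(packet: bytes) -> bytes:
    counter = struct.unpack(">I", packet[:4])[0]
    return xor(packet[4:], keystream(counter, len(packet) - 4))


def flip_in_transit(packet: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Models the modification from 3.3.8: a known plaintext difference XORed into the ciphertext."""
    changed = bytearray(packet)
    for i, delta in enumerate(xor(old, new)):
        changed[offset + i] ^= delta
    return bytes(changed)


def seal(counter: int, payload: bytes) -> bytes:
    """Hardened format: encrypt-then-MAC, with the tag covering counter and ciphertext."""
    body = seal_encrypt_only(counter, payload)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Accepts a packet only if its tag verifies and its counter is fresh."""

    def __init__(self) -> None:
        self.last_counter = -1  # one such value per sender in a real network

    def open(self, packet: bytes):
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # modified or forged message
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None  # replayed or stale message
        self.last_counter = counter  # advance only after both checks pass
        return open_encrypt_only(body)


if __name__ == "__main__":
    report = b"detections=1"  # constructed sample payload
    weak = flip_in_transit(seal_encrypt_only(7, report), 4 + 11, b"1", b"0")
    print("encrypt-only receiver reads:", open_encrypt_only(weak))
    rx = Receiver()
    good = seal(7, report)
    print("first delivery:", rx.open(good))
    print("replayed copy:", rx.open(good))
    print("modified copy:", rx.open(flip_in_transit(seal(8, report), 4 + 11, b"1", b"0")))
```

The counter also serves as the keystream nonce, so a sender must never reuse a counter value under the same key.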

3.3.10 Buffer Overflows

In the software executed on the nodes, writing past the end of a fixed-length buffer may open the possibility to change data and to inject malicious code. Due to the dominant Harvard architecture in WSNs, code injection with buffer overflows is less trivial. However, a successful attack on such systems has been described in [31].


3.3.11 Node compromise

Physical attacks on sensor nodes bear many risks for the sensor network. A node captured by an attacker may reveal sensitive data, cryptographic keys, or implementation details that may be exploited in combination with other attacks.

Reading the content of the memory: Reading non-volatile memory, i.e. typically flash memory, is technically trivial, in particular if the memory is an external chip. Accessing the volatile memory (registers and RAM) is more challenging since the content is lost once the node is disabled.

Extracting cryptographic keys by side-channel attacks: If the keys cannot easily be extracted from the memory, side-channel attacks may help to obtain secret keys. Such side channels may be the timing an algorithm needs, but also electromagnetic emissions or the dynamic power consumption. Such attacks can target cryptographic accelerators or the microcontroller. Data sent over the system bus may also be accessed.

Attacking the debug/reprogramming interfaces: With direct physical access to the nodes, the usage of debug and programming interfaces to extract or inject information is a reasonable attack scenario. The programming interfaces of today's sensor nodes cannot be protected or disabled.

In contrast to most other attack types, this sort of attack cannot easily be handled by protocols but needs specific resistant hardware. Sensor nodes deployed today typically have no protection against this sort of attack, mainly due to the increased cost such tamper-resistant sensor nodes would imply.


4 Requirements Arising from Wireless Sensor Networks

This section discusses the different requirements that security mechanisms in particular (and in many cases algorithms and protocols in general) have to comply with in order to be applicable in wireless sensor networks.

4.1 Power consumption

As already mentioned, sensor nodes are commonly battery powered or rely on energy harvesting. As a consequence, their energy budget is limited. Once the battery is depleted, the node will die. Because nodes are often also used as routers, this does not only result in a loss of measurement capability; rather, an increasing fraction of dying nodes can lead to a complete network breakdown.

Because replacing batteries is not economical in most cases, minimizing the power consumption of all node components is of utmost importance. For many systems, an average current consumption of only a few µA is required. Apart from using low power components, a common approach is duty cycling: After being active for a short time, the sensor node changes into a power down mode, where most components (especially radio and controller, potentially sensors) are powered down, and only a timer for wakeup is left running.

[Figure: timing diagram with the intervals tpwrup, tdrift, teff, tpwrdwn and tsleep]

Figure 9: Duty cycling and timings of two nodes.

Given that sensor nodes can only communicate if source and destination device are awake at the same time, the cycle phases have to be (at least partially) coordinated. The figure above depicts the coordinated duty cycles of two nodes. tpwrup and tpwrdwn are the time intervals the controller and the radio take to wake up and go back to sleep. tdrift indicates time intervals required to compensate for inaccuracies in synchronization; here the radio has to be ready to receive, but the node must not send itself. Consequently, only teff is left as effective communication time. Commonly, the cycle time is dictated in one way or another by the application. As tpwrup, tpwrdwn and tdrift have to be considered constant, duty cycling gets more ineffective the shorter teff has to be.

As drifting clocks have a negative influence on the efficiency of duty cycling, stable clocks are extremely helpful in saving power. If possible, clock drift should be less than 10 ppm.

The table below gives an overview of the relation between average current consumption, consumed charge per year, and the device lifetime for different battery types (coin cell, 2 AA cells, 2 D cells):

Average current   Consumption/year   Lifetime [years] at a battery capacity of
[µA]              [Ah]               0.5 Ah     2.5 Ah     16 Ah
5                 0.04               11.4       57.1       433.8
10                0.09               5.7        28.5       216.9
25                0.22               2.3        11.4       86.8
50                0.44               1.1        5.7        43.4
100               0.88               0.6        2.9        21.7
250               2.19               0.2        1.1        8.7
500               4.39               0.1        0.6        4.3


Targeting a lifetime of a year or two for devices with the smallest batteries and 5 to 10 years for thosewith a larger battery, the average current budget is somewhere between 25µA and 500µA. Further assuming asleep current of the sensor node of 5µA and a full operation current (controller, sensors and radio) of 20mA,one ends up with a duty cycle between 0.1% and 2.5%, which obviously imposes significant challenges on thedevelopment of multi-hop networking protocols.

All in all, all employed components must be optimized for power consumption. This means not only toemploy controllers and radios that have low power consumptions, but also to make choices for quick wakeupand power down. Components not absolutely required should be left away. As many subcomponents (e.g.controller peripherals) as possible have to be switched off. For RF transceivers, current consumption must betraded against data rate. For controllers, computing power has to be traded against current consumption. It isof special importance to minimize the current consumption in power down mode, as this state easily dominatesthe overall consumption.

Hardware accelerators for data encryption and decryption can be very helpful in saving power, as they oftendo the job much faster than the controller could do it in software, and use less current. However, powering downsuch units to zero when not in use is an absolute must.

A second means of adjusting the power consumption to the absolute minimum possible is scaling the controller frequency at run-time. This is particularly attractive if there is hardly any base current (consumption at 0MHz) that adds to the frequency dependent part.

Forcing nodes into consuming a lot of power can, incidentally, be an effective denial-of-service attack, and must be prevented if nodes can control their power dissipation (e.g. by adapting their sleep cycle) or if they can be woken externally (e.g. by their sensors).
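The duty-cycle figures of this section and the wake-up denial-of-service concern can be tied together in code. The following is an added example, not part of the deliverable: it derives the permitted duty cycle from an average-current budget and uses it to refill a credit bucket that bounds externally triggered wake-ups. The bucket design, all function names, the 10 ms wake cost and the 50 ms burst cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Currents from the text: 5 uA asleep, 20 mA with controller, sensors and radio on. */
#define I_SLEEP_UA  5u
#define I_ACTIVE_UA 20000u

/* Duty cycle, in parts per million, that an average-current budget permits.
 * From I_avg = d*I_active + (1-d)*I_sleep: d = (I_avg-I_sleep)/(I_active-I_sleep). */
uint32_t duty_ppm_for_budget(uint32_t budget_ua)
{
    if (budget_ua <= I_SLEEP_UA)  return 0;
    if (budget_ua >= I_ACTIVE_UA) return 1000000u;
    return (uint32_t)((uint64_t)(budget_ua - I_SLEEP_UA) * 1000000u
                      / (I_ACTIVE_UA - I_SLEEP_UA));
}

/* Average current in uA that results from a given duty cycle (rounded down). */
uint32_t avg_ua_for_duty(uint32_t duty_ppm)
{
    return I_SLEEP_UA
         + (uint32_t)((uint64_t)duty_ppm * (I_ACTIVE_UA - I_SLEEP_UA) / 1000000u);
}

/* Credit bucket for externally triggered wake-ups (hypothetical design).
 * 1 ppm of duty cycle equals 1 us of active time per elapsed second, so the
 * bucket refills by duty_ppm microseconds every second, up to cap_us. */
typedef struct {
    uint32_t duty_ppm;   /* refill rate */
    uint32_t cap_us;     /* largest burst of active time allowed */
    uint32_t credit_us;  /* active time currently available */
    uint32_t last_s;     /* time of the last refill, in seconds */
} wake_budget_t;

void wake_budget_init(wake_budget_t *b, uint32_t budget_ua, uint32_t cap_us,
                      uint32_t now_s)
{
    b->duty_ppm  = duty_ppm_for_budget(budget_ua);
    b->cap_us    = cap_us;
    b->credit_us = cap_us;   /* start with a full bucket */
    b->last_s    = now_s;
}

/* Returns true if a wake-up costing cost_us of active time may be served.
 * On false the caller keeps the wake source masked and stays asleep. */
bool wake_budget_request(wake_budget_t *b, uint32_t now_s, uint32_t cost_us)
{
    uint64_t total = (uint64_t)(now_s - b->last_s) * b->duty_ppm + b->credit_us;
    b->credit_us = total > b->cap_us ? b->cap_us : (uint32_t)total;
    b->last_s = now_s;
    if (b->credit_us < cost_us) return false;
    b->credit_us -= cost_us;
    return true;
}

/* Constructed scenario: 'events' wake requests of cost_us each, all arriving
 * within the same second; returns how many were served. */
uint32_t served_in_burst(wake_budget_t *b, uint32_t now_s, uint32_t events,
                         uint32_t cost_us)
{
    uint32_t served = 0;
    for (uint32_t i = 0; i < events; i++)
        if (wake_budget_request(b, now_s, cost_us)) served++;
    return served;
}

int main(void)
{
    wake_budget_t b;
    wake_budget_init(&b, 25, 50000, 0);   /* 25 uA budget, 50 ms burst cap */
    printf("duty at 25 uA: %u ppm, at 500 uA: %u ppm\n",
           (unsigned)duty_ppm_for_budget(25), (unsigned)duty_ppm_for_budget(500));
    printf("unlimited, one 10 ms wake per second: %u uA average\n",
           (unsigned)avg_ua_for_duty(10000));
    printf("burst of 100 wake requests, served: %u\n",
           (unsigned)served_in_burst(&b, 1, 100, 10000));
    return 0;
}
```

Without the bucket, a sensor that can be triggered once per second for 10 ms already pushes the node to roughly 200 µA, eight times the 25 µA budget; with it, the long-term average stays at the budget no matter how often the wake source fires.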

4.2 Cost

Wireless sensor nodes are cost sensitive devices. Still, the networks we see today consist of relatively few devices, which means that one-time costs for development etc. contribute a large share of the cost per unit. However, with falling prices, the number of devices per network will grow, and the cost per device will become more and more important.

This implies a number of consequences for the employed electronics. First of all, few and cheap components should be used. Wherever possible, mass-produced standard parts should be the first choice. The number of PCB layers should be as small as possible, and the PCB area should be reduced to the possible minimum. Consequently, small electronic components with small footprints should be employed. The exclusive use of SMD parts, high component integration and the use of PCB antennae are further means of cost reduction. From a chip design perspective, the die area as a key cost factor of chips should be minimized, which implies that the benefit of special hardware units e.g. for cryptography or larger memories must be traded against their extra cost.

Chip area is also a major issue with regard to tamper resistance. Current protection schemes against side-channel and fault-attacks usually need significantly more silicon area which makes them less suitable for WSNs. The same is true for protection components in the microcontroller, such as memory protection unit or protected debug and programming interfaces. Since they need additional silicon area which increases the cost of the nodes, they are typically avoided.

Also, as few mechanical parts (housing components, screws, battery holders, etc.) as possible should be used. Assembly time must be reduced to cut down manufacturing cost, too. It might be worthwhile to consider fully integrated solutions using compound sealing instead of plastic or metal housings. As they cannot be opened easily without destroying the enclosed electronics, such housings might also increase the nodes’ resistance to tampering (c.f. section 4.5).

4.3 Computational Complexity and Code Size

Driven by restrictions in cost, form factor and power consumption, the employed components usually offer only very restricted resources.

Often 8-bit and/or 16-bit controllers are used, running at low frequencies of e.g. 4MHz. On such restricted platforms, complex signal processing or encryption algorithms can easily have an execution time of several seconds. Many modern controllers offer more computing power as well as means to scale the operating frequency at run time, but more complex code still lengthens the time of activity and hence increases power consumption.

Consequently, a key requirement for all employed security mechanisms to be done in software is their low computational complexity.

Besides execution time, code size is a strong argument for reduced complexity. Controllers offer only few tens of kilobytes of flash and RAM memory, and hence complex programs easily touch the given bounds. This particularly holds when network stacks, sensor drivers, security algorithms, and last but not least the application itself compete for the scarce memory resources.

As security is just one of the code parts running on the node, it must hence restrict its code space to a few kilobytes.

4.4 Spontaneous Network Formation and Self-Organization

A key property of wireless sensor networks is their spontaneous constitution and ad hoc availability.

It implies that devices do not have to be manually configured individually, as is common today with conventional networks. Instead, sensor nodes should be configuration-free for a number of reasons. One is the potentially large number of devices in a sensor network (c.f. Section 4.7). When dealing with thousands of devices, an individual configuration is impossible due to the required effort.

In addition, it is desirable that sensor networks can be deployed in unknown environments. This implies that a preset configuration does not make sense even in small networks, because a priori settings inherently cannot take into account the environmental properties of the target area.

To be useful in application scenarios that involve the immediate monitoring of spontaneously arising phenomena such as forest fires, wireless sensor networks have to be ready as soon as possible after deployment. Hence, sensor nodes must be able to configure themselves automatically [3, 67, 28]. However, this property, called self-configuration [54], is just one out of a larger number of self-x properties wireless sensor networks should have; others include but are not limited to self-organization [3, 67, 28] or self-monitoring [39].

The pursuit of such properties for computer systems in general and for wireless sensor networks in particular supported the development of a new paradigm: Organic Computing (OC) [56, 60]. The core idea is to develop mechanisms for self-x properties that are nature-inspired [12, 24]. The manifold proposals yielded include self-healing routing inspired by ant behaviour [13, 79], grouping and flocking algorithms mimicking insect swarms [49] or role negotiating based upon virtual pheromones [18].

The term self-organization includes but is not limited to automatic initial configuration. It also comprises the dynamic adaptation of the network’s behaviour to changing environmental conditions, reflected in terms like self-optimization and self-healing [72, 73]. Algorithms that control the global behaviour through mere local interaction, so-called emergent behaviour algorithms, are especially interesting for sensor networks.

All in all, security mechanisms must enable secure auto-configuration of the sensor network. They must not rely on centralized components or global communication, but restrict themselves to local interaction. In addition, they must support manifold local communication patterns to allow for efficient network organization.

4.5 Accessibility and Unattended Operation

Compared to other information and communication systems, wireless sensor networks operate without a user in the loop.

This holds particularly for the operation phase of the network, but in many cases also for the deployment. When thinking of deployment methods like dropping smart dust from a plane flying over the area of interest, one thing becomes obvious: neither is user intervention possible, nor is it feasible to have something like a "safe deployment" where it is assumed that no attackers are present, so that key material etc. can be distributed wirelessly in a weakly protected fashion.

Consequently, all key material and other secrets required during the operating time of the network must be already contained in the nodes before deployment, or secure mechanisms for introducing such secrets over time must be implemented.

Secondly, classic communication systems are often not accessible physically, as they are locked away in server farms, offices etc. In other words, the devices are not available for direct intervention (at least if one ignores internal attackers).

In contrast, wireless sensor networks are often freely accessible, because they are deployed outside of buildings. Despite the fact that the effort that an attacker has to invest can be increased by tough housings with locks or by placing the nodes at locations hard to reach, physical access to the node hardware cannot be prevented completely. Attackers can hence potentially destroy devices, physically access them e.g. for wiretapping or manipulation, or remove devices as a whole.

Consequently, hijacked devices must not disclose any secrets that might threaten the secure operation of the rest of the network even when physical access is possible.

Unfortunately, up to now no real solutions have been found to this challenge. One possibility to face this problem is trying to detect (upcoming) physical manipulation, and deleting all security relevant information. This is also referred to as "committing suicide", as the node will not be able to re-enter the network later on.

Such manipulation detection can e.g. make use of accelerometers: It is assumed that nodes are not moving in their intended operation. If movement is detected, it is assumed that an attacker tries to manipulate the device. This technique suffers from a number of shortcomings. First of all, the accelerometer is an additional component, adding to cost and current consumption (although best in class accelerometers use as little as 3µA at a sampling rate of 10Hz [55]). More importantly, this is not a robust protection: It is hard to define an acceleration threshold low enough to detect all manipulation but high enough to avoid false alarms. Also, manipulations that do not induce movement cannot be detected. Last but not least, it makes nodes vulnerable to vibration as it could arise from natural sources such as earthquakes or from attackers that apply force to the nodes in order to render them inoperative.

Another idea is to use the radio to detect displacement of the nodes: If an attacker steals a node to manipulate it at a safe location, communication with neighbouring nodes formerly available will break down. Upon such an event, the node will commit suicide. However, this cannot protect from in-field manipulation, as communication will not be influenced here. In addition, there can be natural reasons for communication losses as well, so nodes might disable themselves without being taken away.
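The two detectors just described, with their trade-offs, can be made concrete in a short sketch. This is an added example, not code from the deliverable or the TAMPRES project: the 250 milli-g threshold, the requirement of several consecutive samples or silent beacon periods, all names and the sample traces are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 16
#define ROWS(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    uint8_t key[KEY_LEN];  /* secret that must not survive a capture */
    bool    erased;        /* true once the node has deleted its secrets */
    int16_t rest_mg[3];    /* acceleration at rest (gravity), in milli-g */
    int32_t thresh_mg;     /* deviation from rest that counts as movement */
    uint8_t need_moving;   /* consecutive moving samples before erasing (assumed) */
    uint8_t need_silent;   /* consecutive beacon periods without a neighbour (assumed) */
    uint8_t moving_run, silent_run;
} tamper_t;

/* Overwrite the key through a volatile pointer so the stores cannot be optimised away. */
static void tamper_erase(tamper_t *t)
{
    volatile uint8_t *p = t->key;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0;
    t->erased = true;
}

void tamper_init(tamper_t *t, const int16_t rest_mg[3], int32_t thresh_mg,
                 uint8_t need_moving, uint8_t need_silent)
{
    for (size_t i = 0; i < KEY_LEN; i++) t->key[i] = (uint8_t)(0xA0 + i); /* constructed key */
    for (size_t i = 0; i < 3; i++) t->rest_mg[i] = rest_mg[i];
    t->erased = false;
    t->thresh_mg = thresh_mg;
    t->need_moving = need_moving;
    t->need_silent = need_silent;
    t->moving_run = 0;
    t->silent_run = 0;
}

/* One accelerometer sample. The deviation is the sum of per-axis differences
 * from rest, which needs no multiplication or square root. */
bool tamper_on_accel(tamper_t *t, const int16_t s[3])
{
    int32_t dev = 0;
    for (size_t i = 0; i < 3; i++) {
        int32_t d = (int32_t)s[i] - t->rest_mg[i];
        dev += d < 0 ? -d : d;
    }
    t->moving_run = dev > t->thresh_mg ? (uint8_t)(t->moving_run + 1) : 0;
    if (!t->erased && t->moving_run >= t->need_moving) tamper_erase(t);
    return t->erased;
}

/* One beacon period; neighbours_heard is how many known neighbours answered. */
bool tamper_on_beacon_period(tamper_t *t, unsigned neighbours_heard)
{
    t->silent_run = neighbours_heard == 0 ? (uint8_t)(t->silent_run + 1) : 0;
    if (!t->erased && t->silent_run >= t->need_silent) tamper_erase(t);
    return t->erased;
}

bool run_accel_trace(tamper_t *t, const int16_t trace[][3], size_t n)
{
    for (size_t i = 0; i < n; i++) tamper_on_accel(t, trace[i]);
    return t->erased;
}

bool key_is_zero(const tamper_t *t)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= t->key[i];
    return acc == 0;
}

/* Constructed 10 Hz traces in milli-g; the node lies flat, so rest is (0, 0, 1000). */
static const int16_t REST[3] = {0, 0, 1000};
static const int16_t VIBRATION[][3] = {   /* two-sample knock, then quiet */
    {0, 0, 1000}, {300, -200, 1100}, {-280, 150, 950}, {10, -5, 1002}, {0, 0, 1000}};
static const int16_t CARRIED[][3] = {     /* node picked up and carried away */
    {200, 150, 900}, {400, -300, 700}, {-350, 250, 1200},
    {500, 100, 600}, {-200, -400, 1300}, {300, 300, 800}};
static const int16_t PROBED[][3] = {      /* manipulated in place: no movement */
    {5, -3, 1001}, {-4, 2, 999}, {3, 3, 1000}, {0, -2, 1002}, {1, 1, 998}, {-2, 0, 1000}};

int main(void)
{
    tamper_t t;
    tamper_init(&t, REST, 250, 5, 3);
    printf("knock, 5 samples required: erased=%d\n", run_accel_trace(&t, VIBRATION, ROWS(VIBRATION)));
    printf("manipulated in place:      erased=%d\n", run_accel_trace(&t, PROBED, ROWS(PROBED)));
    printf("carried away:              erased=%d\n", run_accel_trace(&t, CARRIED, ROWS(CARRIED)));
    tamper_init(&t, REST, 250, 2, 3);
    printf("knock, 2 samples required: erased=%d\n", run_accel_trace(&t, VIBRATION, ROWS(VIBRATION)));
    return 0;
}
```

The traces reproduce the shortcomings named in the text: a strict setting turns a harmless knock into a self-erase, a lenient one tolerates it, and manipulation that causes neither movement nor loss of neighbours is not seen by either detector.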

All in all, hardening nodes against the threats arising from their accessibility is a must for secure wireless sensor networking. Nodes must not only withstand vandalism, but must also be tamper-proof. This includes

• secured programming and debugging interfaces,

• resistance against wiretapping of busses or communication interfaces,

• resistance to side-channel-attacks such as power analysis or measurements of electromagnetic radiation,

• resistance to fault injections such as power failures or clock glitches.

4.6 Robustness

There is a large number of potential sources of failure in wireless sensor networks. Examples are the low-cost hardware components used, unreliable wireless communication or limited energy supply, resulting in deficits with regard to system reliability. In addition, unmanaged deployment may lead to (partial) destruction of devices, malfunction or isolation from the rest of the network.

These facts can be faced by introducing a certain redundancy, e.g. by deploying slightly more nodes per area than absolutely required for the intended operation. However, this directly leads to an increase in system cost. Rather than increasing the network density, algorithms and protocols must be fault-tolerant and robust against device failures.

Consequently, security mechanisms must not rely on the availability of particular devices. Instead, algorithms themselves should be redundant in the sense that they should keep their distributed state redundantly on multiple devices, should be able to compensate for failure of one or more host devices by migrating the functionality to others etc.

A key issue is the volatile and unreliable nature of RF communication links. The communication range may vary significantly: Experiments showed that due to simple transceivers and antennae, the RF propagation is not at all circular [32, 89]. Instead, the communication range varies heavily depending on the direction. [80] and [81] discuss the evaluation of long term experiments that showed that propagation varies over time, resulting in oscillating links. A further consequence is a significant fraction of unidirectional links. In addition, the reception probability decreases over the distance between sender and receiver [32].

Consequently, security mechanisms must by design be able to compensate for unreliable communication. They must be disconnection-tolerant, should allow for varying delays due to retransmissions, and maintain a redundant set of potential communication partners.

It should be kept in mind that lossy links tremendously handicap reliable multihop communication: If the packet arrival rate is 90%, after four hops more than one third of packets will be lost. Hence, communication should be kept local whenever possible.

4.7 Scalability

As wireless sensor networks may consist of a large number of nodes, scalability of the used algorithms and protocols is an important property. It aims at decoupling the computational and storage complexity as well as the amount of communication from the number of devices in the network as well as in the direct vicinity of each node. Consequently, only scalable mechanisms are applicable to networks regardless of their size and density.

While it is commonly impossible to completely avoid the increase of storage and computation complexity resulting from growing network size and density, still algorithms should be designed to reduce such effects as far as possible.

A direct implication of the scalability requirement is the zero-configuration requirement, because manual configuration and continuous network management are inherently not scalable. User intervention is impossible when dealing with thousands of nodes.

In addition, decentralized algorithms must be used instead of centralized ones. In most cases, centralized mechanisms that have to collect and process information from all nodes in the network will not be applicable to sensor networks. On the one hand, global communication will lead to an explosion of exchanged messages. These will completely overload the RF communication channels in the vicinity of the central components. On the other hand, computational and storage requirements can rapidly rise with the number of nodes, additionally increasing the power dissipation of the central instance. Last but not least, centralism introduces single points of failure. These not only conflict with the robustness requirement, but are also attractive targets for potential attacks.

Besides centralized components, global communication as such is critical in sensor networks (c.f. Section 4.6) because unreliability problems pile up along long multihop paths. Consequently, communication between nodes must be kept local whenever possible, as global communication will not scale with network size.

All in all, to be scalable, security mechanisms should be founded on local interaction and avoid global interaction or centralized entities. Where global interaction is required anyway, mechanisms must be delay and disconnection tolerant.

4.8 Form Factor

For a number of reasons, wireless sensor nodes should be small: To allow for unobtrusive monitoring, a small form factor will be a benefit. In addition, smaller nodes can be integrated more easily even into small objects. Also, reduced size will ease the handling of large numbers of nodes and will reduce transport cost. In addition, some applications will only be possible at all with small nodes: the envisioned cubic millimetre nodes can be deployed in new ways (e.g. dropped from planes) and can be used in new scenarios (e.g. mixed into other materials, constituting smart paint or rubber).

Hence, size reduction is important for sensor nodes. From the perspective of electronic engineering, this implies keeping the component count low, choosing components with small housings and footprints, keeping the die sizes as small as possible, using SMD components rather than THT parts or using SMD antennae where possible. From the mechanical perspective, "tight" housings and the reduction of the part count are imperative.

However, today the power supply commonly is the biggest component used. As often batteries are employed, using a compact battery will be the key approach to minimization. However, reducing size means either to reduce the capacity (which reduces the network life time and as such the network's value proposition), or to increase the energy density. Unfortunately, dense batteries are expensive, and often fail to deliver high currents. The latter can be alleviated by supporting capacitors, but those will have negative effects on size and cost again.

5 Application Scenarios

This section is concerned with application scenarios for secure wireless sensor networks. At first, a number of criteria that can be used to differentiate applications will be introduced and discussed. Then, target application scenarios as well as their properties will be described. By evaluating their properties with regard to the aforementioned application criteria, their coverage in terms of manifold applications can be judged. They are intended as an application background for TAMPRES: By evaluating the applicability of developed security mechanisms in the proposed scenarios, their usefulness in a large number of different applications can be ensured.

5.1 Scenario Classification

This section introduces different criteria that can be used to classify sensor network applications. They will later be used to characterize the target applications.

5.1.1 Life Time

This criterion relates to how long the application will be running. The range of values taken reaches from short term deployments (i.e. the application runs for a few days) to long term deployments (i.e. the application will run for many years).

The network life time especially has consequences for the power requirements. Because battery capacities have an upper limit, the longer the application will be running, the less power can be dissipated per time unit.

In addition, security considerations are also influenced. With increased network life time, security mechanisms must withstand potential attackers longer. This holds not only for encryption and authentication of data packets exchanged wirelessly, but also for physical attacks on the nodes (c.f. section 4.5).

5.1.2 Mobility

This criterion relates to whether or not nodes move. Basically, 4 different cases can be distinguished:

• Mobile applications: All nodes move most of the time

• Nomadic applications: All nodes are mobile, but they move only occasionally and then stay immobile for a while, before they move again

• Hybrid applications: Some nodes are mobile or nomadic, while others do not move at all

• Static applications: All nodes never move.

The degree of mobility influences most if not all sensor network communication protocols; in general it can be said that mobility will commonly increase the communication overhead. Routes will have to be created much more often if nodes move, messages will be lost or acknowledgements will not be received because nodes left their communication vicinity. As a consequence, power consumption will rise with increased mobility. Transforming a mobile network into a hybrid one by adding nodes that remain at the same place can help to reduce the effects of mobility, especially if the static nodes are deployed densely enough so that every mobile node always has a static one in its neighbourhood.

Effects on security are that the establishment of trust between nodes will be more difficult in mobile and nomadic applications. In addition, node manipulation or displacement cannot be detected from changing neighbourhoods or accelerometers. Also, mobility can significantly reduce the flexibility to place the nodes in a way that makes them hard to access.

5.1.3 Network Size

This criterion relates to the number of overall nodes in the network. The range of values taken can vary between small networks consisting of less than 50 nodes to large ones having 1000 and more nodes.

A related criterion is the network diameter, commonly defined as the number of hops in the shortest path between the furthest pair of nodes. Although not a must, the diameter usually increases with the network size, too.

First of all, the network size and diameter influence in-network communication. Long paths make routing more difficult, as messages have to be forwarded over many possibly lossy links. Also, scalability problems may arise, e.g. if many devices try to establish routes by flooding route requests or try to send data to a particular device.

With regard to security, implications are not as severe. Still, a large number of potential communication partners might result in a large number of individual or pair-wise keys that must be stored when end-to-end security is used.

5.1.4 Network Density

This criterion relates to the number of neighbours a device has, be it on average or at most, where a device is considered a neighbour if messages can be sent to or received from it directly.

The network density can vary from sparse (five or fewer neighbours) to dense (20 or more neighbours).

The density has manifold consequences. On the one hand, it defines the number of devices that compete for the communication medium in the worst case, on the other it is a measure for the communication redundancy available. In addition, neighbour lists must be kept for a large variety of protocols. Also, to be able to exchange individually encrypted and/or authenticated messages with their neighbours, nodes must obtain and store keys for each neighbour. Consequently, the network density can also influence storage requirements on the nodes.

5.1.5 Security Requirements

This criterion relates to which security primitives an application requires. Security attributes are discussed in Section 3. There we described that beside the major security attributes

• Confidentiality which concerns the protection of outgoing data,

• Integrity which concerns the correctness of data and information,

• Reliability which concerns readiness and correctness of the services,

in particular the attacker motivation is a major aspect that has to be considered.

5.1.6 Accessibility

This criterion relates to whether the nodes are physically accessible for the attacker or not. Basically, three cases can be distinguished:

• Inaccessible: nodes cannot be accessed by external attackers, because they are mounted inside of completely closed facilities with strict access control.

• Difficult to access: nodes can be accessed, but measures have been taken to hinder external attackers from access (e.g. nodes mounted in locations difficult to reach or on premises surrounded by a fence)

• Accessible: nodes are accessible to attackers, e.g. because they are mounted in public places or the attacker's premises

Consequences of accessibility are manifold: On the one hand, protection against vandalism is required if nodes are (easily) accessible. On the other, physical access gives ground to a large number of security attacks (c.f. section 4.5). Accessible nodes should not reveal any security relevant information, be it by design, by construction or due to appropriate enclosures.

5.1.7 Network structure

This criterion relates to the kind of devices the network is composed of, especially the nodes' hardware and software. In general, homogeneous networks can be distinguished from heterogeneous ones. In homogeneous networks, there is only one kind of node, whereas heterogeneous networks consist of different device types, usually taking different roles in the application. If in that case also different communication technologies are employed (e.g. low power short range communication and higher power long range communication), one often speaks of multi-tiered networks.

Besides communication, the network structure has significant implications for security. Device diversity in terms of power budget, computational power, storage capacity, or communication technologies can be exploited to increase security. If there are few but more powerful devices accompanying lots of reduced devices, often security functionality can be concentrated at the former, especially if they have more extensive if not unlimited power budgets. Such concentration of security functionality might also permit protecting only these devices against tampering, if all other devices could limit themselves to containing only security material of subordinate importance.

In multi-tiered networks, long-range communication can often replace multihop communication over long routes. By reducing the number of communication partners, this opens the door for more complex and hence more secure keying schemes while it eases re-keying.

5.1.8 Deployment

The criterion relates to the deployment process of the wireless sensor network. While mixtures of the two are not uncommon, the basic variants are planned and random deployments.

In the first case, the nodes are deployed in a carefully planned process (potentially including RF measurements) where every node is put into a particular position. While this is obviously only possible for small and medium size networks, it still requires an enormous effort that can only be economic for long-term deployments. Such a planned deployment must result in significant benefits such as improved network operation (e.g. due to ensuring more stable communication by selecting optimal device positions) or cost savings (e.g. due to ensuring the same sensor coverage with fewer devices). From the security perspective, this kind of deployment is preferable because a priori knowledge about inter-device relations in the deployed network can be collected during deployment, device access can at least be hindered by installing them in hard-to-reach locations, and network density and sensor coverage can be carefully controlled.

The random deployment is fast and cheap: here, devices are distributed in a more or less random fashion, e.g. by dropping them from airborne vehicles or by placing them without deeper care. It is assumed that the network will function properly despite irregular device positions due to a certain redundancy. Variations in communication quality, network density or sensor coverage are tolerated for the sake of reduced deployment effort. Consequently, devices will commonly be easily accessible in outdoor settings. This deployment type is usually pursued for large networks consisting of cheap devices, if a particularly fast deployment is required, or if the area of sensor network operation is hard to reach for a planned deployment. As a consequence, no a-priori information will be available.

5.2 Target Scenarios

This section outlines three applications that will be targeted in TAMPRES.

5.2.1 Factory Automation and Process Control

In this type of application, sensor nodes measure machine properties like temperature, revolutions per minute or vibration, process properties like liquid or gas flows, temperature or pressures, gas concentrations and the like. Sensor data is then used as part of the feedback data flow reporting back the state of the factory as a whole, or of certain processes or pieces of equipment. The information is used as input for control decisions taken to influence processes or for scheduling usage-based servicing for machinery.

Besides collecting information, wireless nodes may also be used in combination with actuators, controlling valves, engines or machines.

This type of application exhibits the following properties with regard to the classification criteria introduced in section 5.1:

• Life time: Long Term. Once installed, such a sensor/actuator network will usually be in duty for many years. Hence, security mechanisms must withstand attacks over long time periods.

• Mobility: Static. Assuming that no mobile equipment is part of the sensor network, the network will be completely static.

• Network Size: Small (<100 nodes). Although such networks may grow to a considerable size, it is assumed that they would be logically divided into smaller portions once they exceed a certain size limit. Consequently, the networks to consider will have sizes of less than hundred nodes, yielding a typical network diameter of 10 to 15 hops.

• Network Density: Sparse (<5 neighbours). In complex environments such as factory buildings or chemical plants, connectivity between the nodes can, given low power radios, usually only be guaranteed by using a certain number of repeaters. Repeaters do not fulfil sensing tasks but only contribute to the network connectivity. As the number of nodes used is the key cost factor besides installation, it must be assumed that the network is rather sparse, as only as few repeaters as really required will be installed.

• Security requirements: To prevent external attackers from manipulating the system, authenticity is required in order to be sure that information received by nodes is really coming from the sender that is claimed by the delivering protocol. In addition, confidentiality ensures that no externals will be able to gain information about the processes inside of the plant, as those will commonly be business secrets of the plant operator. Obviously, availability is of special importance here not only for guaranteeing a continuous information flow, but especially if actuators are part of the network. Finally, integrity is required to be sure that information was not manipulated during its way through the network.

• Accessibility: Difficult to access. Even though in many cases the nodes of the network will be inside a closed building, there will also be scenarios (such as chemical plants) where the nodes will be installed outside. While the premises will commonly be protected by fences or walls, those will not completely be able to prevent the intrusion by externals.

• Network structure: Heterogeneous. As already mentioned before, the network would in general probably consist of two kinds of devices: On the one hand, there will be sensors that are either battery powered or that use energy harvesting. Consequently, they will be short on power and hence remain nearly always asleep, while on the other hand there will be mains powered repeaters and base stations that are awake all the time.

• Deployment: Planned. In such an application, sensors will be placed deliberately, as their sensing capability will be required at particular locations of the plant. In a second step, one would then add repeaters at selected locations to support the network wherever required.

5.2.2 Temporary Border surveillance

In this kind of application, sensor nodes are deployed spontaneously to monitor a border for a limited period in time. Such borders do not have to be national borders; other target areas could be perimeter surveillance in conflict zones where European forces intervene for humanitarian reasons, or at the venues of international summit meetings. It is assumed that a relatively large number of nodes would have to be deployed in a fast and cheap way, be it by spreading the nodes manually or by dropping "smart dust" from a plane. The main task of the sensor nodes would be to detect intruders, and to report such information to an operations centre.

This type of application exhibits the following properties with regard to the classification criteria introduced in section 5.1:

• Life time: Short Term. Such a network would be installed spontaneously and would last for a relatively short time, e.g. a few days. While the network is of high importance during this period, it will be completely obsolete afterwards, e.g. after the summit has ended.

• Mobility: Static. Once deployed, the nodes will stay in place during the course of operation. Hence, no mobility is expected in this kind of application.

• Network Size: Large (10 thousands of nodes). Depending on the length of the border, sensor networks in this kind of application can grow very large. As nodes are deployed in a more or less random fashion, more nodes than absolutely required must be deployed to ensure a certain redundancy. In addition, the network area will commonly not be compact but rather elongated in shape. Hence, significant network diameters can arise here.

• Network Density: Medium (approx. 15 neighbours). It is assumed that this kind of network would have a medium density, on the one hand to account for the fact that the radio range might be larger than the sensor range, and on the other hand to ensure a certain redundancy.

• Security: As potential intruders of the protected perimeter would have to disengage the sensor network operation to enter the protected area without being noticed, security requirements are particularly high in this application scenario. Consequently, availability might be the most important security primitive here. Proper network operation must be ensured, or at least unavailability must be reported immediately, as a detected network malfunction due to denial-of-service attacks is as alarming as if the network detected an intrusion. Authenticity and integrity are of similar importance, as they constitute the trust in the detection messages of the network as well as in messages that no intruders are currently detected. Although not as important as the aforementioned, confidentiality should be offered in order to hide information communicated in the network from outsiders, e.g. so that potential intruders do not learn whether or not they have already been detected.

• Accessibility: Accessible. As this kind of sensor network will commonly be deployed on public ground or even on premises that are not under the complete temporal or spatial control of the network operator, it must be assumed that the nodes can easily be accessed by potential attackers. Consequently, the protection of secret information inside the nodes, such as key material, from attackers that have physical access to the nodes is very important here. Tamper-resistance of the nodes is therefore an absolute must in this kind of application.

• Network structure: Homogeneous. Because an easy and fast deployment is of special importance in this kind of application, a homogeneous network structure is favourable as it facilitates the handling of nodes significantly and is a prerequisite for true random deployment.

• Deployment: Random. As mentioned, it may be required to deploy this kind of network within a few hours, maybe even in remote and potentially inaccessible areas. Nodes might be deployed in various ways, including dropping them from airborne vehicles, so no special care can be taken when the nodes are deployed.
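The Security item above asks that both intrusion reports and "no intruder" messages be authentic, and that unavailability be reported as promptly as an intrusion. The following sketch of a base-station check is an added example, not part of the deliverable: the frame layout, the per-node keys, the truncated HMAC-SHA256 tag, the message counter and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the deliverable):
# node_id (2 bytes) | counter (4 bytes) | status (1 byte) | truncated HMAC tag
BODY_FMT = ">HIB"
BODY_LEN = struct.calcsize(BODY_FMT)  # 7 bytes
TAG_LEN = 8                           # assumed tag length for short radio frames
STATUS_CLEAR, STATUS_INTRUSION = 0, 1


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def make_report(key, node_id, counter, status):
    """Node side: authenticated status report (also sent when nothing is detected)."""
    body = struct.pack(BODY_FMT, node_id, counter, status)
    return body + _tag(key, body)


class BaseStation:
    """Verifies reports and treats silence or forgery like an intrusion."""

    def __init__(self, keys, timeout):
        self.keys = keys                      # node_id -> per-node key
        self.timeout = timeout                # seconds without a valid report
        self.last_counter = {n: -1 for n in keys}
        self.last_seen = {n: 0.0 for n in keys}

    def receive(self, frame, now):
        if len(frame) != BODY_LEN + TAG_LEN:
            return "ALARM:malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        node_id, counter, status = struct.unpack(BODY_FMT, body)
        key = self.keys.get(node_id)
        if key is None:
            return "ALARM:unknown-node"
        # Authenticity and integrity: constant-time tag comparison.
        if not hmac.compare_digest(tag, _tag(key, body)):
            return "ALARM:bad-tag"
        # A replayed "all clear" must not hide an intruder.
        if counter <= self.last_counter[node_id]:
            return "ALARM:replay"
        if status not in (STATUS_CLEAR, STATUS_INTRUSION):
            return "ALARM:malformed"
        self.last_counter[node_id] = counter
        self.last_seen[node_id] = now         # only valid frames count as "alive"
        return "ALARM:intrusion" if status == STATUS_INTRUSION else "ok"

    def silent_nodes(self, now):
        """Availability: nodes with no valid report within the timeout."""
        return sorted(n for n, t in self.last_seen.items()
                      if now - t > self.timeout)


def demo():
    # Constructed sample keys and timestamps, for illustration only.
    keys = {1: b"node-1-demo-key!", 2: b"node-2-demo-key!"}
    bs = BaseStation(keys, timeout=30.0)
    clear = make_report(keys[1], 1, 1, STATUS_CLEAR)
    results = [
        bs.receive(clear, now=10.0),                                    # valid
        bs.receive(clear, now=12.0),                                    # replayed
        bs.receive(make_report(b"wrong-key-123456", 2, 1, 0), 12.0),    # forged
        bs.receive(make_report(keys[1], 1, 2, STATUS_INTRUSION), 20.0),
    ]
    return results, bs.silent_nodes(now=45.0)


if __name__ == "__main__":
    print(demo())
```

Because only frames that pass verification refresh a node's liveness timestamp, jamming a node or flooding the base station with forged "all clear" frames still ends in a silence alarm.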

5.2.3 Harbour Logistics

This kind of application exemplifies a smart object scenario with mobility. It assumes that on the one hand a number of international harbours are equipped with interoperable sensor networks. Devices are attached to harbour machinery such as gantries, stackers or cranes to monitor their location and condition.

On the other hand, a certain fraction of containers is also tagged with sensor nodes. These are not only used for identifying containers, but they also monitor the containers’ condition and location, be it in the harbour, when loading or unloading, or while at sea.

This type of application exhibits the following properties with regard to the classification criteria introduced in section 5.1:

• Life time: Long/short term. The application itself has long-term characteristics, and so do some of the communication relationships. An example of this could be the equipment in the harbours itself. In contrast, particular nodes will only be part of the network for a few hours. Containers arrive on board a ship, are unloaded and remain in the harbour for a short time. They will then leave the networked area again for days, weeks or months, only to show up again at the same or a different harbour or other networked site later.


• Mobility: Hybrid/nomadic. While such a network may also comprise static components such as base stations or repeaters, most devices will be either mobile or at least nomadic. Most of the networked equipment will constantly roam around in the complete harbour area. Containers, on the other hand, will be rather nomadic in nature. Mobile while entering or leaving the harbour, they will more or less sit at the same place most of the time. Nevertheless, containers exhibit an inter-harbour mobility in addition to moving within one site.

• Network Size: medium to large (>1000 nodes). While the whole application could comprise thousands or even millions of nodes, all these networked objects are scattered over different locally networked sites such as harbours. While these sites will often be interconnected by wide area networks, they will be isolated islands with much fewer devices from the wireless perspective. Still, with an increasing ratio of containers equipped, network sizes might rise to impressive numbers. However, the network diameters will probably be limited as we have to assume high network densities.

• Network Density: high (20+ neighbours). The network density mainly depends on the container equipment ratio and the radio communication range. Given that potentially all containers could be equipped, network densities might be quite high.

• Security: In this application, integrity and authenticity seem to be the most important security primitives, as they ensure that the recorded information is correct. Nevertheless, availability is important, too, if for example the retrieval of containers in the harbour relies on a properly operating sensor network. While confidentiality seems to be of subordinate importance here, two additional aspects come into play: Access control might be of interest, e.g. if only the owner of a container is privileged to read out particular information from the embedded device. Secondly, indefeasibility might be interesting, e.g. if the embedded device also logs data regarding whether and in what condition certain goods were received by the recipient.

• Accessibility: Difficult to access or accessible. While devices embedded into harbour equipment will commonly be hard to access by attackers, the containers will be unattended most of the time, being shipped over the seven seas, stored for weeks and months in potentially more or less public places outside of the harbour, transported on open trucks and the like. While it can be assumed that most parts of the electronic circuitry could be located inside of the container and would hence not be accessible from the outside, there would still be occasions when the interior of the container is also accessible, e.g. if containers are rented to third parties. Consequently, nodes must protect secret information from attackers with physical access, and tamper resistance is important here.

• Network structure: Heterogeneous. In this kind of application, two categories of nodes are used. On the one hand, there are the nodes deployed in the harbours or embedded into harbour equipment. These will be mains powered and do not have any energy restrictions; some of them will be mobile while others will be static. On the other hand, the devices integrated into containers will have to employ energy harvesting or run from batteries, and are hence bound to tight energy restrictions. As they are deployed in large numbers, they have to be particularly cheap, and will probably offer only very limited functionality and resources in terms of computational power and storage space.

• Deployment: Planned but mobile. While thorough planning is possible for a kind of repeater infrastructure inside of the harbour, most of the deployment will be dictated by the mobility of the equipped objects. Mobile machinery such as gantries and stackers will roam around in the harbour area, and the location of containers cannot be foreseen, either.


6 Conclusion

Wireless Sensor Networks (WSN) are networks of small-sized computer systems which measure environmental phenomena and communicate over wireless radio channels. They share a lot of security requirements with other IT systems. They need to provide confidentiality, integrity, availability, authenticity, and authorization. To implement these features, the sensor nodes have to resist a broad range of possible attacks, since many systems of the Future Internet will depend on data and measurements provided by the sensor network.

Despite the high quality requirements of the Future Internet, Wireless Sensor Networks differ from classic networked computer systems in two fundamental ways. The first difference is that the above goals are much harder to reach in WSNs than in other systems due to severe resource constraints. Devices must not be more expensive than a few Euros (and maybe less in the future). They have to sustain operation from batteries for years. They offer only simple processors and only a few kilobytes of memory, which severely limits the complexity of security algorithms. Last but not least, sensor nodes must be able to spontaneously form a network without any user intervention with possibly fluctuating neighbours, cope with network sizes of potentially thousands of nodes, and do all that using a lossy communication channel. As explained in the discussion of the three target scenarios, the properties and requirements of actual WSNs vary widely.

As the second major difference to classic computer systems, we identified the advent of additional threats that arise from the fact that sensor nodes are installed outside. Unlike traditional IT systems, which are protected by the walls of server farms, sensor nodes can easily be physically accessed. This opens the door for new attacks like wiretapping, side-channel attacks or fault injection, all of which can be conducted either in situ or by stealing nodes for later analysis or manipulation. Implementing countermeasures against such tampering will be the key challenge for securing the Internet of Things against attacks targeting devices that are, to this day, the weakest link of the chain.

©TAMPRES consortium 2011 Page 34 of (39)

TAMPRES Deliverable D1.1

References

[1] G. Acs, L. Buttyan, and I. Vajda. Modelling adversaries and security objectives for routing protocols inwireless sensor networks. In Proceedings of the fourth ACM workshop on Security of ad hoc and sensornetworks, pages 49–58. ACM, 2006.

[2] K. Akkaya and M. Younis. A survey on routing protocols for wireless sensor networks. Ad hoc networks,3(3):325–349, 2005.

[3] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless sensor networks: A survey.Computer Networks, 38(4):393–422, March 2002.

[4] Ross Anderson. Security Engineering - A guide to building dependable distributed systems. Wiley, 2008.

[5] Sasikanth Avancha, Jeffrey L Undercoffer, Anupam Joshi, and John Pinkston. Secure sensor networks forperimeter protection. Computer Networks, 43(4):421–435, November 2003.

[6] A. Avizienis, J.C. Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy of dependable andsecure computing. IEEE transactions on dependable and secure computing, 1(1):11–33, 2004.

[7] Martha Baer. The ultimate on-the-fly network. Wired Magazine, (12), 2003.http://www.wired.com/wired/archive/11.12/network.html.

[8] R. Barr, J.C. Bicket, D.S. Dantas, B. Du, TW Kim, B. Zhou, and E.G. Sirer. On the need for system-levelsupport for ad hoc and sensor networks. ACM SIGOPS Operating Systems Review, 36(2):1–5, 2002.

[9] P. Bauer, M. Sichitiu, R. Istepanian, Uxbridge England, and K. Premaratne. The mobile patient: wirelessdistributed sensor networks for patient monitoring and care. In Proc. of the IEEE EMBS InternationalConference on Information Technology Applications in Biomedicine, pages 17–21, 2000.

[10] J.M. Bohli, A. Hessler, O. Ugus, and D. Westhoff. A secure and resilient WSN roadside architecture forintelligent transport systems. In Proceedings of the first ACM conference on Wireless network security,pages 161–171, 2008.

[11] T. Bokareva, W. Hu, S. Kanhere, B. Ristic, N. Gordon, T. Bessell, M. Rutten, and S. Jha. Wirelesssensor networks for battlefield surveillance. In Proc. of The Land Warfare Conference (LWC), Brisbane,Queensland, Australia, 2006.

[12] E. Bonabeau, Marco Dorigo, and G. Theraulaz. Swarm Intelligence: From Natural to Artificial Systems.Oxford University Press, New York, 1999.

[13] Imed Bouazizi. ARA - the ant-colony based routing algorithm for MANETs. In ICPPW ’02: Proc. of the2002 International Conference on Parallel Processing Workshops, Washington, DC, USA, 2002. IEEEComputer Society.

[14] Linda Briesemeister. Sensor data dissemination through ad hoc battlefield communications. In In Com-munication Networks and Distributed Systems Modeling and Simulation Conference (CNDS), 2003.

[15] Liting Cao, Jingwen Tian, and Yanxia Liu. Remote real time automatic meter reading system basedon wireless sensor networks. In International Conference on Innovative Computing, Information andControl, page 591, Los Alamitos, CA, USA, 2008. IEEE Computer Society.

[16] Marie Chan, Daniel Esteve, Christophe Escriba, and Eric Campo. A review of smart homes-present stateand future challenges. Comput. Methods Prog. Biomed., 91(1):55–81, 2008.

[17] Krishna Kant Chintalapudi. Design of a wireless sensor network based structural health monitoringsystems. PhD thesis, University of Southern California, Los Angeles, CA, USA, 2006.

[18] Daniel Coore. Botanical Computing: A Developmental Approach to Generating Interconnect Topolo-gies on an Amorphous Computer. PhD thesis, MIT Department of Electrical Engineering and ComputerScience, 1999.

Page 35 of (39) ©TAMPRES consortium 2011

TAMPRES Deliverable D1.1

[19] Atmel Corp. Atmel Corp. - Homepage, 2011. http://www.atmel.com/.

[20] S.A. Crosby and D.S. Wallach. Denial of service via algorithmic complexity attacks. In Proceedings ofthe 12th conference on USENIX Security Symposium-Volume 12, pages 3–3, 2003.

[21] Crossbow Technology Inc. Mica2Mote. http://www.xbow.com.

[22] CST group, FU Berlin. Website of the Embedded Sensor Board ESB 430/2. http://www.inf.fu-berlin.de/inst/ag-tech/scatterweb net/.

[23] Neil Daswani, Christoph Kern, and Anita Kesavan. Foundations of Security: What Every ProgrammerNeeds to Know. Apress, Berkely, CA, USA, 2007.

[24] Marco Dorigo and Thomas Stutzle. Ant Colony Optimization. MIT Press, Cambridge, MA, 2004.

[25] A. Dunkels, O. Schmidt, T. Voigt, and M. Ali. Protothreads: Simplifying event-driven programming ofmemory-constrained embedded systems. In Proceedings of the 4th international conference on Embeddednetworked sensor systems, pages 29–42, 2006.

[26] Adam Dunkels, Bjorn Gronvall, and Thiemo Voigt. Contiki - a lightweight and flexible operating systemfor tiny networked sensors. In Proceedings of the First IEEE Workshop on Embedded Networked Sensors(Emnets-I), Tampa, Florida, USA, November 2004.

[27] Ahmed Elsaify, Paritosh Padhy, Kirk Martinez, and Gang Zou. GWMAC - a TDMA based MAC protocolfor a glacial sensor network. In 4th ACM PE-WASUN 2007. Sheridan Printing Company, Inc., 2007.

[28] Deborah Estrin, David Culler, Kris Pister, and Gaurav Sukhatme. Connecting the physical world withpervasive networks. IEEE Pervasive Computing, 1(1):59–69, 2002.

[29] Deborah Estrin, Ramesh Govindan, and John Heidemann. Embedding the internet: introduction. Com-munications of the ACM, 43(5):38–41, 2000.

[30] D.G. Firesmith. A taxonomy of security-related requirements. In International Workshop on High Assur-ance Systems (RHAS’05). Citeseer, 2005.

[31] A. Francillon and C. Castelluccia. Code injection attacks on harvard-architecture devices. In Proceedingsof the 15th ACM conference on Computer and communications security, pages 15–26, 2008.

[32] D. Ganesan, B. Krishnamachari, A. Woo, D. Culler, D. Estrin, and S. Wicker. Complex behavior at scale:An experimental study of low-power wireless sensor networks. Technical report, UCLA, 2002.

[33] D. Gay, P. Levis, R. Von Behren, M. Welsh, E. Brewer, and D. Culler. The nesC language: A holisticapproach to networked embedded systems. In Proceedings of the ACM SIGPLAN 2003 conference onProgramming language design and implementation, pages 1–11. ACM, 2003.

[34] J. Girao, D. Westhoff, E. Mykletun, and T. Araki. Tinypeds: Tiny persistent encrypted data storage inasynchronous wireless sensor networks. Ad Hoc Networks, 5(7):1073–1089, 2007.

[35] Panasonic Industrial Europe GmbH. CR2354 Lithium Battery datasheet. Available at:http://www.panasonic-industrial.com/2464.pdf.

[36] R Govindan, J.M. Hellerstein, W. Hong, S. Madden, M. Franklin, and S. Shenker. The sensor network asa database - technical report 02-771. Technical report, USC Computer Science Department, 2002.

[37] W. Hasselbring and R. Reussner. Toward trustworthy software systems. Computer, 39(4):91–92, 2006.

[38] Jason Hill, Mike Horton, Ralph Kling, and Lakshman Krishnamurthy. The platforms enabling wirelesssensor networks. Commun. ACM, 2004.

[39] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David Culler, and Kristofer Pister. System architec-ture directions for networked sensors. SIGPLAN Not., 35(11):93–104, 2000.

©TAMPRES consortium 2011 Page 36 of (39)

TAMPRES Deliverable D1.1

[40] Jason Lester Hill. System architecture for wireless sensor networks. PhD thesis, University of California,Berkeley, 2003.

[41] IHP. IHP - Innovations for High Performance Microelectronics - Homepage. Innovations for HighPerformance Microelectronics, 2011. http://www.ihp-microelectronics.com/.

[42] Texas Instruments Inc. 2.4 GHz IEEE 802.15.4 / ZigBee-Ready RF Transceiver, 2007.http://www.ti.com/lit/gpn/cc2420.

[43] M. Johnson, M. Healy, P. van de Ven, M.J. Hayes, J. Nelson, T. Newe, and E. Lewis. A comparativereview of wireless sensor network mote technologies. In Sensors, 2009 IEEE, pages 1439–1442. IEEE.

[44] Sukun Kim, S. Pakzad, D. Culler, J. Demmel, G. Fenves, S. Glaser, and M. Turon. Health monitoring ofcivil infrastructures using wireless sensor networks. In Information Processing in Sensor Networks, 2007.IPSN 2007. 6th International Symposium on, pages 254–263, 2007.

[45] Sukun Kim, Shamim Pakzad, David Culler, James Demmel, Gregory Fenves, Steve Glaser, and MartinTuron. Wireless sensor networks for structural health monitoring. In SenSys ’06: Proc. of the 4th interna-tional conference on Embedded networked sensor systems, pages 427–428, New York, NY, USA, 2006.ACM.

[46] S. Kumar and C. Paar. Reconfigurable instruction set extension for enabling ECC on an 8-bit processor.Field Programmable Logic and Application, pages 586–595, 2004.

[47] P. Levis and D. Culler. Mate: a tiny virtual machine for sensor networks. In ACM Sigplan Notices,volume 37, pages 85–95, 2002.

[48] P. Levis, S. Madden, J. Polastre, R. Szewczyk, K. Whitehouse, A. Woo, D. Gay, J. Hill, M. Welsh,E. Brewer, et al. Tinyos: An operating system for sensor networks. Ambient Intelligence, pages 115–148,2005.

[49] Qingyong Li, Zhiping Shi, Jun Shi, and Zhongzhi Shi. Swarm intelligence clustering algorithm based onattractor. In ICNC : International conference on advances in natural computation, pages 496–504. ICNC(3), 2005.

[50] D. Lymberopoulos, N.B. Priyantha, and F. Zhao. mPlatform: a reconfigurable architecture and efficientdata sharing mechanism for modular sensor nodes. In Proceedings of the 6th international conference onInformation processing in sensor networks, pages 128–137. ACM, 2007.

[51] S.R. Madden, M.J. Franklin, J.M. Hellerstein, and W. Hong. TinyDB: an acquisitional query processingsystem for sensor networks. ACM Transactions on Database Systems (TODS), 30(1):122–173, 2005.

[52] Alan Mainwaring, David Culler, Joseph Polastre, Robert Szewczyk, and John Anderson. Wireless sensornetworks for habitat monitoring. In WSNA ’02: Proc. of the 1st ACM international workshop on Wirelesssensor networks and applications, pages 88–97, New York, NY, USA, 2002. ACM Press.

[53] K. Martinez, P. Padhy, A. Elsaify, G. Zou, A. Riddoch, J. K. Hart, and H. L. R. Ong. Deploying a sensornetwork in an extreme environment. In SUTC ’06: Proc. of the IEEE International Conference on SensorNetworks, Ubiquitous, and Trustworthy Computing -Vol 1 (SUTC’06), pages 186–193, Washington, DC,USA, 2006. IEEE Computer Society.

[54] Friedemann Mattern and Kay Romer. Drahtlose Sensornetze. Informatik Spektrum, 26(3):191–194, 2003.

[55] ST Microelectronics. Data sheet lis3dh mems digital output motion sensor ultra low-power high perfor-mance 3-axes nano accelerometer, May 2010.

[56] Christian Muller-Schloer, Christoph von der Malsburg, and Rolf P. Wurtz. Organic Computing. AktuellesSchlagwort. Informatik Spektrum, 27(4):332–336, August 2004.

Page 37 of (39) ©TAMPRES consortium 2011

TAMPRES Deliverable D1.1

[57] Francisco Javier Molina, Julio Barbancho, and Joaquın Luque. Automated meter reading and SCADAapplication for wireless sensor network. In ADHOC-NOW, pages 223–234, 2003.

[58] Moteiv Corporation. Tmote Sky. http://www.moteiv.com/products-tmotesky.php, 2005.

[59] J. Newsome, E. Shi, D. Song, and A. Perrig. The sybil attack in sensor networks: analysis & defenses.In Proceedings of the 3rd international symposium on Information processing in sensor networks, pages259–268. ACM, 2004.

[60] Organic Computing Initiative. A novel computing paradigm. http://www.organic-computing.org.

[61] Jeongyeup Paek, Krishna Chintalapudi, and Ramesh Govindan. A wireless sensor network for structuralhealth monitoring: Performance and experience. In Proc. of the Second IEEE Workshop on EmbeddedNetworked Sensors (EmNetS-II), 2005.

[62] S. Peter, M. Zessack, F. Vater, G. Panic, H. Frankenfeldt, and M. Methfessel. An encryption-enabled net-work protocol accelerator. In Proceedings of the 6th international conference on Wired/wireless internetcommunications, pages 79–91. Springer-Verlag, 2008.

[63] K. Piotrowski, P. Langendoerfer, and S. Peter. tinyDSM: A highly reliable cooperative data storage forWireless Sensor Networks. In Collaborative Technologies and Systems, 2009. CTS’09. InternationalSymposium on, pages 225–232. IEEE, 2009.

[64] Krzysztof Piotrowski, Peter Langendoerfer, and Steffen Peter. How public key cryptography influenceswireless sensor node lifetime. In SASN ’06: Proceedings of the fourth ACM workshop on Security of adhoc and sensor networks, pages 169–176, New York, NY, USA, 2006. ACM Press.

[65] Joseph Polastre, Robert Szewczyk, and David E. Culler. Telos: enabling ultra-low power wireless re-search. In IPSN ’05: Proc. of the 4th international symposium on Information processing in sensornetworks, pages 364–369, 2005.

[66] J. Portilla, A. De Castro, E. De La Torre, and T. Riesgo. A modular architecture for nodes in wirelesssensor networks. Journal of Universal Computer Science, 12(3):328–339, 2006.

[67] G. J. Pottie and W. J. Kaiser. Wireless integrated network sensors. Commun. ACM, 43(5):51–58, 2000.

[68] A.M.V. Reddy, A.V.U.P. Kumar, D. Janakiram, and G.A. Kumar. Wireless sensor network operatingsystems: a survey. International Journal of Sensor Networks, 5(4):236–255, 2009.

[69] M. Rounds and N. Pendgraft. Diversity in network attacker motivation: A literature review. In 2009International Conference on Computational Science and Engineering, pages 319–323. IEEE, 2009.

[70] ScatterWeb GmbH. ScatterNode. http://www.scatterweb.com/, 2005.

[71] Jochen Schiller, Achim Liers, Hartmut Ritter, Rolf Winter, and Thiemo Voigt. ScatterWeb - low powersensor nodes and energy aware routing. In HICSS ’05: Proc. of the 38th Annual Hawaii InternationalConference on System Sciences (HICSS’05) - Track 9, page 286.3, Washington, DC, USA, 2005. IEEEComputer Society.

[72] Hartmut Schmeck. Organic computing – vision and challenge for system design. In Proc. of the ParallelComputing in Electrical Engineering, International Conference on (PARELEC 2004), pages 3–3, LosAlamitos, CA, USA, 2004. IEEE Computer Society.

[73] Hartmut Schmeck. Organic computing - a new vision for distributed embedded systems. isorc, 00:201–203, 2005.

[74] Andrew Sixsmith and Neil Johnson. A smart sensor to detect the falls of the elderly. IEEE PervasiveComputing, 3(2):42–47, 2004.

©TAMPRES consortium 2011 Page 38 of (39)

TAMPRES Deliverable D1.1

[75] Robert Szewczyk, Alan Mainwaring, Joseph Polastre, John Anderson, and David Culler. An analysis ofa large scale habitat monitoring application. In Proc. of the 2nd international conference on Embeddednetworked sensor system, SenSys 2004, November 2004.

[76] Robert Szewczyk, Joseph Polastre, Alan Mainwaring, and David Culler. Lessons from a sensor networkexpedition. In Proc. of the First European Workshop on Sensor Networks (EWSN), January 2004.

[77] TADIRAN Batteries. Datasheet battery type sl-2880, 01 2011. available fromhttp://www.tadiranbatteries.de/eng/downloads/lithium/pdc06engsl-2880.pdf.

[78] Texas Instruments. Cc1100 low-power sub- 1 ghz rf transceiver, 2006. Athttp://focus.ti.com/lit/ds/symlink/cc1100.pdf.

[79] Parimala Thulasiraman, Ruppa K. Thulasiram, and Mohammad T. Islam. An ant colony optimizationbased routing algorithm in mobile ad hoc networks and its parallel implementation. High performancescientific and engineering computing: hardware/software support, pages 267–284, 2004.

[80] Volker Turau, Christian Renner, Marcus Venzke, Sebastian Waschik, Christoph Weyer, and Matthias Witt.The heathland experiment: Results and experiences. In Proc. of the REALWSN’05 Workshop on Real-World Wireless Sensor Networks, Stockholm, Sweden, June 2005.

[81] Volker Turau, Matthias Witt, and Christoph Weyer. Analysis of a real multi-hop sensor network deploy-ment: The heathland experiment. In Proc. of the 3rd International Conference on Networked SensingSystems (INSS’06), Chicago, Illinois, USA, June 2006.

[82] Karsten Walther and Jorg Nolte. A flexible scheduling framework for deeply embedded systems. InProceedings of the 21st International Conference on Advanced Information Networking and ApplicationsWorkshops - Volume 01, AINAW ’07, pages 784–791, Washington, DC, USA, 2007. IEEE ComputerSociety.

[83] Brett Warneke, Matt Last, Brian Liebowitz, and Kristofer S. J. Pister. Smart dust: Communicating with acubic-millimeter computer. Computer, 34(1):44–51, 2001.

[84] Georg Wittenburg, Kirsten Terfloth, Freddy Lopez Villafuerte, Tomasz Naumowicz, Hartmut Ritter, andJochen Schiller. Fence monitoring - experimental evaluation of a use case for wireless sensor networks. InProc. of the 4th European Conference on Wireless Sensor Networks (EWSN’07), Delft, The Netherlands,January 2007.

[85] A.D. Wood and J.A. Stankovic. A taxonomy for denial-of-service attacks in wireless sensor networks.Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, pages 739–763, 2004.

[86] Mark D. Yarvis, W. Steven Conner, Lakshman Krishnamurthy, Jasmeet Chhabra, Brent Elliott, and AlanMainwaring. Real-world experiences with an interactive ad hoc sensor network. icppw, 00:143, 2002.

[87] Liyang Yu, Neng Wang, and Xiaoqiao Meng. Real-time forest fire detection with wireless sensor net-works. In Proc. of the 2005 International Conference on Wireless Communications, Networking andMobile Computing, volume 2, pages 1214–1217, 2005.

[88] Pei Zhang, Christopher M. Sadler, Stephen A. Lyon, and Margaret Martonosi. Hardware design experi-ences in ZebraNet. In Proc. of the 2nd international conference on Embedded networked sensor systems,pages 227–238. ACM Press, 2004.

[89] Gang Zhou, Tian He, Sudha Krishnamurthy, and John A. Stankovic. Impact of radio irregularity onwireless sensor networks. In MobiSys ’04: Proc. of the 2nd international conference on Mobile systems,applications, and services, pages 125–138, New York, NY, USA, 2004. ACM Press.

[end of document]

Page 39 of (39) ©TAMPRES consortium 2011