Wireless Security in the Real World: Using Physical Properties to Mitigate Wormhole Attacks
SIGNET Seminar, University of Delaware, 15 September 2004
David Evans (work with Lingxuan Hu)
University of Virginia, Computer Science
www.cs.virginia.edu/physicrypt 2
Computing is Entering Real World
• Desktop PC: protected box; narrow interface; 1 machine per user-admin
• Sensor network: unprotected nodes; wide interface; thousands of nodes per admin

…this Changes Security
• Desktop PC: access control, perimeters, authenticity
• Sensor network: resource consumption, integrity, survivability, resilience

Challenges in Sensor Networks
• Vulnerable communication channels
• Physically vulnerable devices
• Limited energy
• No (or little) established infrastructure
• Depend on other nodes to accomplish anything

New Opportunities
• Embedded in an environment
– Physical properties of the environment constrain reality (space)
– Inertia: it takes time for things to change
• Quantity
– Many redundancies

This Talk
• Two protocols for sensor networks:
– Secure neighbor discovery protocol that uses space and quantity.
– Localization protocol that uses space, time and quantity.
L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. NDSS 2004.
L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.

Wormhole Attacks

Wormhole Attack
[Figure: source S sends to destination D through nodes A, B and C; wormhole endpoints X and Y. Pirate image by Donald Synstelien]
Attacker needs a transceiver at each of two locations in the network, connected by a low latency link
Attacker replays (selectively) packets heard at one location at the other location

Beacon Routing
[Figure: base station 0 and nodes at hop counts 1, 2, 3, 4]
Nodes select parents based on minimum hops to base station

Wormhole vs. Beacon Routing
[Figure: hop counts 0, 1, 2 around the base station; wormhole endpoints X and Y make nodes far from the base station see hop counts 0, 1, 2 as well]
Wormhole attack disrupts network without needing to break any cryptography!
[Karlof and Wagner, 2003] [Hu, Perrig, Johnson 2003]

Wormhole Impact
[Plot: fraction of routes to base station disrupted (0 to 1) vs. position of wormhole endpoint (x,x), x from 0 to 500, for base station at corner and base station at center of a 500 x 500 field]
A randomly placed wormhole disrupts ~5% of links. A single wormhole can disrupt 40% of links (base station at center).
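The hop-count disruption the plot reports, as an added example that is not part of the talk and not the authors' simulator: a minimum-hop (beacon) routing tree is built by breadth-first search over a grid of nodes, a wormhole between X and Y is modelled as one extra one-hop link, and a node counts as disrupted when that link strictly shortens its hop count, so its minimum-hop parent now lies on the wormhole path. The grid layout, the 50 m spacing, the 75 m radio range and the two wormhole placements are assumptions chosen for illustration; the talk used random placement.

```python
"""Wormhole against minimum-hop (beacon) routing: added example, not the authors' code.
Assumptions: nodes on a 10 x 10 grid with 50 m spacing, 75 m radio range (so each node
hears its 8 grid neighbours), hop counts by BFS from the base station, and a wormhole
modelled as a single extra link between endpoints X and Y."""
import itertools
import math
from collections import deque

def grid_network(n_side=10, spacing=50.0, radio_range=75.0):
    """Node coordinates and adjacency for a regular grid deployment."""
    nodes = [(x * spacing, y * spacing) for x in range(n_side) for y in range(n_side)]
    adj = {i: set() for i in range(len(nodes))}
    for i, j in itertools.combinations(range(len(nodes)), 2):
        if math.dist(nodes[i], nodes[j]) <= radio_range:
            adj[i].add(j)
            adj[j].add(i)
    return nodes, adj

def hop_counts(adj, base):
    """Beacon routing: every node's hop count is its BFS distance from the base station."""
    dist = {base: 0}
    queue = deque([base])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def with_wormhole(adj, x, y):
    """The attacker replays what it hears at X out of Y and vice versa, so X and Y
    look like one-hop neighbours to everyone; no keys are needed for this."""
    tunnelled = {k: set(v) for k, v in adj.items()}
    tunnelled[x].add(y)
    tunnelled[y].add(x)
    return tunnelled

def disrupted_fraction(adj, base, x, y):
    """Fraction of nodes whose minimum-hop parent now lies on the wormhole path.
    Only nodes whose hop count strictly drops are counted, so this is a lower bound:
    nodes with an equal-length honest alternative may still pick the wormhole."""
    honest = hop_counts(adj, base)
    attacked = hop_counts(with_wormhole(adj, x, y), base)
    disrupted = [n for n in honest if n != base and attacked[n] < honest[n]]
    return len(disrupted) / (len(honest) - 1)

def run_demo():
    """Wormhole from a node next to the base station to the far corner of the field."""
    nodes, adj = grid_network()
    index = {pos: i for i, pos in enumerate(nodes)}
    far_corner = index[(450.0, 450.0)]
    return {
        "corner": disrupted_fraction(adj, index[(0.0, 0.0)], index[(50.0, 50.0)], far_corner),
        "center": disrupted_fraction(adj, index[(200.0, 200.0)], index[(250.0, 250.0)], far_corner),
    }

if __name__ == "__main__":
    for name, frac in run_demo().items():
        print(f"base station at {name}: {frac:.1%} of routes disrupted")
```

With the base station in the corner, the one extra link pulls 28 of the 99 other nodes onto a route through the wormhole; with the base station in the centre the same endpoints capture 6 of 99. The numbers are for this constructed grid, not the talk's random deployments, but the mechanism is the one the slide describes: the attacker never has to break a key, only to make two distant points look adjacent.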

Previous Solution: Use Arrival Time
• “Leashes” constrain distance packet can travel
• Geographical leashes: nodes know their location
– Sender includes its location and send time in packet
– Receiver checks distance to sender
• Temporal leashes: tightly synchronized clocks
– Sender sets expiration time when sending packet
• Drawback: requires clock synchronization or accurate localization
Yih-Chun Hu, Perrig and Johnson. INFOCOM 2003

Our Approach
• Use directional information
– Directional antennas can identify direction of sender
• Exploit simple physical properties of space
• Cooperate with neighbors (in different locations) to validate legitimacy of other nodes
• No clock synchronization or location information required

Directional Antennas
Model based on [Choudhury and Vaidya, 2002]. General benefits: power saving, fewer collisions.
[Figure: six antenna zones 1-6 around a node, with North marked; omnidirectional transmission vs. directional transmission from zone 4]
Aligned to magnetic North, so zone 1 always faces East

Assumptions
• Legitimate nodes can establish secure node-node links (all critical messages are authenticated)
• Network is fairly dense
• Nodes are stationary
• Most links are bidirectional (unidirectional links cannot be established)
• Transmissions are perfect wedges (relaxed later)
• Nodes are aligned perfectly (relaxed later)

Protocol Idea
• Wormhole attack depends on a node that is not nearby convincing another node it is
• Verify neighbors are really neighbors
– Directional consistency
• Only accept messages from verified neighbors

Directional Neighbor Discovery
1. A → Region: HELLO | IDA. Sent by all antenna elements (sweeping).
2. B → A: IDB | EKBA(IDA | R | zone(B, A)). Sent by the zone(B, A) element; R is a nonce.
3. A → B: R. A checks that zone(A, B) is opposite zone(B, A); sent by the zone(A, B) element.
[Figure: A and B with zones 1-6; zone(B, A) = 4 is the antenna zone in which B hears A]

Detecting False Neighbors
[Figure: A and B on far sides of a wormhole X-Y; zone(B, A[Y]) = 1, zone(A, B[X]) = 1]
False Neighbor: zone(A, B) should be opposite zone(B, A)

Not Detecting False Neighbors
[Figure: A and B with wormhole X-Y; zone(B, A[Y]) = 4, zone(A, B[X]) = 1]
Undetected False Neighbor: zone(A, B) = opposite of zone(B, A)
Directional neighbor discovery prevents 1/6 of false direct links…but doesn’t prevent disruption

Observation: Cooperate!
• Wormhole can only trick nodes in particular locations
• Verify neighbors using other nodes
• Based on the direction from which you hear the verifier node, and the direction in which it hears the announcer, you can distinguish legitimate neighbors

Verifier Region
[Figure: A, B and verifier V with zones 1-6; zone(B, A) = 4, zone(V, A) = 3, zone(B, V) = 5]
A verifier must satisfy these two properties:
1. Be heard by B in a different zone: zone(B, A) ≠ zone(B, V), otherwise V could be through wormhole
2. B and V hear A in different zones: zone(B, A) ≠ zone(V, A), otherwise A could have tricked V too
(one more constraint will be explained soon)

Verified Neighbor Discovery
1. A → Region: Announcement, done through sequential sweeping
2. B → A: Include nonce and zone information in the message
3. A → B: Check zone information and send back the nonce
(Steps 1-3 same as before)
4. B → Region: INQUIRY | IDB | IDA | zone(B, A). Request for verifier to validate A
5. V → B: IDV | EKBV(IDA | zone(V, B)). If V is a valid verifier, sends confirmation
6. B → A: Accept A as its neighbor and notify A

Verifier Analysis
[Figure: Region 1 with A and wormhole endpoint X; Region 2 with B, verifier V and endpoint Y; zones 1-6 shown at A and at V]
Wormhole cannot trick a valid verifier: zone(V, A[Y]) = 5, zone(A, V[X]) = 1. Not opposites: verification fails.

Connectivity
[Plot: node positions in a 500 x 500 m field, marked as established all links, established some links (but not all), or disconnected. Verified protocol, density = 3 (directional density = 9.7)]

Worawannotai Attack
[Figure: Region 1 and Region 2 with A, B, verifier V and a single attacker X; zones 1-6]
V hears A and B directly
A and B hear V directly
But, A and B hear each other only through repeater X

Preventing Attack
1. zone(B, A) ≠ zone(B, V)
2. zone(B, A) ≠ zone(V, A)
3. zone(B, V) cannot be both adjacent to zone(B, A) and adjacent to zone(V, A)
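The directional neighbor discovery check, the verifier constraints and the third (strict) constraint above, as an added example that is not the authors' code: the geometries from the false-neighbor, verifier-analysis and legitimate-neighbor slides are replayed in a small model. Everything about that model is an assumption: six 60-degree zones numbered counter-clockwise from East (zone 1 faces East, zone 4 faces West), perfect wedges and alignment, radio range 1.0, coordinates chosen to reproduce the slides' zone numbers, and a wormhole whose replayed packets are heard from the replaying endpoint's bearing. The third constraint is implemented exactly as stated and exposed through a `strict` flag.

```python
"""Directional-consistency neighbour discovery and verifier check: added example, not the
authors' code.  Assumptions: six 60-degree antenna zones numbered counter-clockwise from
East (zone 1 faces East, zone 4 faces West), perfect wedges, perfect alignment, radio
range 1.0; zone(B, A) is the zone in which B hears A's transmission, and a packet replayed
by a wormhole endpoint is heard from that endpoint's bearing, not from A's."""
import math

ZONES = 6
RANGE = 1.0

def zone_of(hearer, source):
    """Zone in which `hearer` receives a signal arriving from `source`."""
    bearing = math.degrees(math.atan2(source[1] - hearer[1], source[0] - hearer[0])) % 360
    return int(((bearing + 30) % 360) // 60) + 1        # zone 1 covers bearings [-30, 30)

def opposite(zone):
    return (zone - 1 + ZONES // 2) % ZONES + 1

def adjacent(z1, z2):
    return (z1 - z2) % ZONES in (1, ZONES - 1)

def apparent_source(hearer, talker, wormhole=None):
    """Where `hearer` perceives `talker` to be, or None if it cannot hear `talker` at all."""
    if math.dist(hearer, talker) <= RANGE:
        return talker                                    # genuine direct link
    if wormhole is not None:
        for pickup, replay in (wormhole, wormhole[::-1]):
            # attacker picks the packet up near one endpoint and replays it at the other
            if math.dist(talker, pickup) <= RANGE and math.dist(hearer, replay) <= RANGE:
                return replay
    return None

def neighbor_discovery(a, b, wormhole=None):
    """Steps 1-3 of the talk: B hears A's HELLO in zone(B, A) and reports it; A accepts
    only if zone(A, B) is the opposite zone."""
    heard_by_b = apparent_source(b, a, wormhole)
    heard_by_a = apparent_source(a, b, wormhole)
    if heard_by_b is None or heard_by_a is None:
        return False
    return zone_of(a, heard_by_a) == opposite(zone_of(b, heard_by_b))

def verified_discovery(a, b, v, wormhole=None, strict=False):
    """Steps 4-6: B accepts A only if verifier V satisfies the talk's constraints and V's
    own directional check of A succeeds.  `strict` adds the third (Worawannotai) constraint."""
    if not neighbor_discovery(a, b, wormhole):
        return False
    src_ba = apparent_source(b, a, wormhole)
    src_bv = apparent_source(b, v, wormhole)
    src_va = apparent_source(v, a, wormhole)
    if src_bv is None or src_va is None:
        return False                                     # B cannot hear V, or V never heard A
    z_ba, z_bv, z_va = zone_of(b, src_ba), zone_of(b, src_bv), zone_of(v, src_va)
    if z_ba == z_bv:                                     # 1: V might itself come through the wormhole
        return False
    if z_ba == z_va:                                     # 2: A might have fooled V the same way
        return False
    if strict and adjacent(z_bv, z_ba) and adjacent(z_bv, z_va):   # 3, as stated in the talk
        return False
    return neighbor_discovery(v, a, wormhole)            # V confirms only if A passes its own check

def scenarios():
    """The geometries from the slides, with wormhole endpoints X and Y 10 units apart."""
    X, Y = (0.0, 0.0), (10.0, 0.0)
    a = (-0.5, 0.0)                    # A just west of X
    out = {}
    # Detected: B just west of Y hears A from the east (zone 1), A hears B from the east (zone 1)
    out["slide18_accepted"] = neighbor_discovery(a, (9.5, 0.0), (X, Y))
    # Undetected: B just east of Y hears A from the west (zone 4), the opposite of zone 1
    b = (10.5, 0.0)
    out["slide19_accepted"] = neighbor_discovery(a, b, (X, Y))
    # Verifier V near B hears A via Y in zone 5 while A hears V via X in zone 1: not opposites
    out["slide22_verified_accepted"] = verified_discovery(a, b, (10.3, 0.5), (X, Y))
    # Legitimate triangle with no wormhole passes the verified and the strict check
    out["legit_verified_accepted"] = verified_discovery((0.0, 0.0), (0.8, 0.0), (0.4, 0.6), strict=True)
    return out
```

The two-party check rejects the first geometry and accepts the second, which is the 1/6 figure from the slides: only when the endpoints happen to sit in opposite zones relative to A and B does the wormhole survive step 3. In the third geometry B's verifier V also hears A through Y, but from a different bearing than B does, so V's own zone check of A fails and it never confirms; the legitimate triangle is confirmed even under the strict constraint.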

Cost Analysis
• Communication overhead
– Minimal
– Establishing link keys typically requires announcement, challenge and response
– Adds messages for inquiry, verification and acceptance
• Connectivity
– How many legitimate links are lost because they cannot be verified?

Lose Some Legitimate Links
[Plots: link discovery probability (0 to 1) vs. node distance (0 to 1 r) for the verified protocol and the strict protocol (preventing Worawannotai attack); left panel network density = 10, right panel network density = 3]

…but small effect on connectivity and routing
[Plot: average path length (0 to 10) vs. omnidirectional node density (4 to 20) for trust all, verified protocol and strict protocol; network density = 10]
Verified protocol: 0.5% links are lost, no nodes disconnected. Strict protocol: 40% links are lost, 0.03% nodes disconnected.

Dealing with Error
[Plots: ratio (0 to 1) vs. maximum directional error (0 to 60 degrees) for lost links and disconnected nodes under the strict and verified protocols; left panel network density = 10, right panel network density = 3]
Even with no control over antenna alignment, few nodes are disconnected

Vulnerabilities
• Attacker with multiple wormhole endpoints
– Can create packets coming from different directions to appear neighborly
• Magnet attacks
– Protocol depends on compass alignment of nodes
• Antenna, orientation inaccuracies
– Real transmissions are not perfect wedges

Moral
• An attacker with few resources and no crypto keys can substantially disrupt a network with a wormhole attack
• Mr. Rogers was right: “Be a good neighbor”
– If you know your neighbors, you can detect a wormhole
– Need to cooperate with your neighbors to know who your legitimate neighbors are

Roadmap
• Use directional information to defeat wormhole attacks
– Simple properties of space
– Cooperation of nodes
• But…most sensor nodes don’t have directional antennas
– Rest of the talk: Location Determination

Location Determination
• Important for many sensor network applications
• Approaches:
– Nodes can determine their locations directly (GPS)
• Too expensive for many applications
– Nodes determine their locations indirectly by using information received from a few seed nodes that know their locations

Localization Error and Routing
[Plot: GPSR routing delivery ratio (0% to 100%) vs. density (6 to 20 neighbors) with no localization error and with errors of 0.2R, 0.4R, 0.6R, 0.8R and 1R]
Slide from Qing Cao. Details in Qing Cao and Tarek Abdelzaher, A Scalable Logical Coordinates Framework for Routing in Wireless Sensor Networks. RTSS 2004
GPSR: Karp and Kung. MobiCom 2000

Our Approach: Monte Carlo Localization
• Take advantage of mobility:
– Moving makes things harder…but provides more information
– Properties of time and space limit possible locations; cooperation from neighbors
• Adapts an approach from robotics localization
Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.

Scenarios
[Image: NASA Mars Tumbleweed, by Jeff Antol]
• Nodes moving, seeds stationary
• Nodes and seeds moving
• Nodes stationary, seeds moving

MCL: Initialization
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
[Figure: samples scattered over the deployment area around the node’s actual position]

MCL Step: Predict
Predict: Node guesses new possible locations based on previous possible locations and maximum velocity, vmax
[Figure: node’s actual position and the predicted samples]
Filter
Filter: Remove samples that are inconsistent with observations
[Figure: seed node (knows and transmits its location) with radio range r]

Prediction
$$p(l_t \mid l_{t-1}) = \begin{cases} c & \text{if } d(l_t, l_{t-1}) < v_{max} \\ 0 & \text{if } d(l_t, l_{t-1}) \ge v_{max} \end{cases}$$
Assumes node is equally likely to move in any direction with any speed between 0 and vmax.

Filtering
• Direct seed: if you hear a seed, you must (likely) be within distance r of the seed’s location.
• Indirect seed: if you don’t hear a seed, but one of your neighbors hears it, you must be within distance (r, 2r] of that seed’s location.

Resampling
Use prediction distribution to create enough sample points that are consistent with the observations.

Recap: Algorithm
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
Iteration step: compute the new possible location set Lt based on Lt-1, the possible location set from the previous time step, and the new observations.
  Lt = { }
  while size(Lt) < N do
    R = { l | l is selected from the prediction distribution }
    Rfiltered = { l | l ∈ R and filtering condition is met }
    Lt = choose(Lt ∪ Rfiltered, N)
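The predict, filter and resample loop above, as an added example that is not the authors' simulator: one node keeps N samples, moves each candidate according to the prediction distribution (any direction, speed uniform in [0, vmax)), keeps only candidates consistent with the seeds it hears directly and the seeds its one-hop neighbours hear, and reports the sample centroid. The square area, the stationary seed grid, the twenty moving neighbour nodes, the parameter values and the ideal disk radio are assumptions for illustration, and seed announcements are taken as authentic here.

```python
"""Monte Carlo Localization for one mobile sensor node: added example, not the authors'
simulator.  Assumptions: a 5 x 5 square area, radio range r = 1, 25 stationary seeds on a
unit grid, 20 ordinary nodes moving like the localizing node, the talk's motion model (any
direction, speed uniform in [0, vmax)), ideal disk radios, and seed announcements taken as
authentic.  Observations per step: seeds heard directly, plus seeds heard by neighbours."""
import math
import random

R = 1.0            # radio range; all distances are in units of r
AREA = 5.0         # deployment area is AREA x AREA
N = 50             # samples maintained
VMAX = 0.2 * R     # maximum speed per time step

def move(pos, vmax, rng):
    """Prediction distribution from the talk: uniform direction, uniform speed in [0, vmax)."""
    angle, speed = rng.uniform(0.0, 2.0 * math.pi), rng.uniform(0.0, vmax)
    return (pos[0] + speed * math.cos(angle), pos[1] + speed * math.sin(angle))

def consistent(loc, direct, indirect):
    """Filtering condition: within r of every seed heard directly, and within (r, 2r] of
    every seed that only a one-hop neighbour heard."""
    return (all(math.dist(loc, s) <= R for s in direct)
            and all(R < math.dist(loc, s) <= 2.0 * R for s in indirect))

def mcl_step(prev, direct, indirect, rng, n=N, vmax=VMAX):
    """One iteration: draw candidates from the prediction distribution applied to L_{t-1}
    and keep the consistent ones until N are collected (or the try budget is spent)."""
    new, tries = [], 0
    while len(new) < n and tries < 500 * n:
        tries += 1
        cand = move(rng.choice(prev), vmax, rng)
        if consistent(cand, direct, indirect):
            new.append(cand)
    # Observations that rule out every sample (for example bogus seeds) would otherwise
    # empty the set; keeping the old samples is the denial-of-service case the talk notes.
    return new if new else prev

def estimate(samples):
    """Location estimate: centroid of the sample set."""
    return (sum(p[0] for p in samples) / len(samples), sum(p[1] for p in samples) / len(samples))

def observations(node, others, seeds):
    """Direct seeds (in range of the node) and indirect seeds (in range of a neighbour only)."""
    direct = {s for s in seeds if math.dist(node, s) <= R}
    indirect = set()
    for other in others:
        if math.dist(node, other) <= R:
            indirect |= {s for s in seeds if math.dist(other, s) <= R}
    return direct, indirect - direct

def simulate(steps=40, seed=1):
    """Run MCL for a node starting at (1, 1); returns the estimate error (in r) per step."""
    rng = random.Random(seed)
    seeds = [(x + 0.5, y + 0.5) for x in range(5) for y in range(5)]        # constructed seed grid
    others = [(rng.uniform(0, AREA), rng.uniform(0, AREA)) for _ in range(20)]
    true = (1.0, 1.0)
    samples = [(rng.uniform(0, AREA), rng.uniform(0, AREA)) for _ in range(N)]   # L_0: no knowledge
    errors = [math.dist(estimate(samples), true)]
    for _ in range(steps):
        true = move(true, VMAX, rng)
        others = [move(o, VMAX, rng) for o in others]
        direct, indirect = observations(true, others, seeds)
        samples = mcl_step(samples, direct, indirect, rng)
        errors.append(math.dist(estimate(samples), true))
    return errors

if __name__ == "__main__":
    errs = simulate()
    print(f"initial error {errs[0]:.2f} r, after {len(errs) - 1} steps {errs[-1]:.2f} r")
```

The first observation already collapses the uniform sample set onto the intersection of the seed disks, and from then on each step dilates the cloud by at most vmax before the filter clips it again, so the estimate tracks the moving node. The fallback in `mcl_step` is where the security discussion later in the talk starts: a forged seed announcement cannot move the estimate anywhere the honest observations forbid, but it can make every sample inconsistent.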

Parameters
• Affect accuracy and convergence time:
– Speed of nodes and seeds
– Density of nodes and seeds
• Tradeoff memory and accuracy:
– Number of samples maintained
• Movement:
– Control should help; interdependence hurts

Convergence
[Plot: estimate error (0 to 2 r) vs. time (0 to 50 steps) for vmax = .2r, smax = 0; vmax = r, smax = 0; and vmax = r, smax = r]
Node density nd = 10, seed density sd = 1
The localization error converges in first 10-20 steps

Speed Helps and Hurts
Increasing speed increases location uncertainty, but provides more observations.
[Plot: estimate error (0 to 1 r) vs. vmax (0.1 to 2 r distances per time unit) for sd = 1, smin = 0, smax = vmax; sd = 1, smax = smin = r; sd = 2, smax = vmax; and sd = 2, smax = smin = r]
Node density nd = 10

Seed Density
[Plot: estimate error (0 to 3 r) vs. seed density (0.1 to 4) for MCL, Centroid and Amorphous]
nd = 10, vmax = smax = .2r
Better accuracy than other localization algorithms
Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine. Oct 2000.
Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.

Samples Maintained
[Plot: estimate error (0 to 1.2 r) vs. sample size N (1 to 1000, log scale) for sd = 1 and sd = 2, each with vmax = smax = .2r and vmax = smax = r]
nd = 10
Good accuracy is achieved with only 20 samples (~100 bytes)

Radio Irregularity
[Plot: estimate error (0 to 2 r) vs. degree of irregularity (r varies ±dr, 0 to 0.5) for MCL, Centroid and Amorphous]
nd = 10, sd = 1, vmax = smax = .2r
Insensitive to irregular radio pattern

Motion
[Plots: stream and currents: estimate error (0 to 6 r) vs. maximum group motion speed (0 to 6 r units per time step) for sd = .3, sd = 1 and sd = 2; random waypoint vs. area scan: estimate error (0 to 4 r) vs. time (0 to 200) for random with vmax = smax = .2r, area scan, random with vmax = 0 and smax = .2r, and scan]
nd = 10, vmax = smax = r
Adversely affected by consistent group motion
Controlled motion of seeds improves accuracy

Recap
• MCL:
– Maintain set of samples representing possible locations
– Filter out impossible locations based on observations from direct and indirect seeds
• Achieves accurate localization cheaply
• But…what about security?
Caveat: this is the speculative part of the talk!

Attacks on Localization
• Interfere with seed locations
– Overload GPS signal
• Inject bogus seed announcements
– Need to authenticate announcements
• Replay attacks (including wormhole)
– Ranging information
– Physical challenges

MCL Advantages
• Filtering
– Bogus seeds filter out possible locations
• Direct
– Does not require long range seed-node communication
• Mobile
– Nodes expect to hear announcements from different seeds over time
• Historical
– Current sample set reflects history of previous observations

Prevent Bogus Announcements
• Pairwise authentication: assumes nodes preloaded with pairwise keys for each seed
1. S → region: IDS. Broadcast identity
2. N → S: EKNS(RN) | IDN. Send nonce challenge
3. S → N: EKNS(RN | LS). Respond with location
Nonce prevents standard replays, but not wormhole attacks
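The three-message exchange above, as an added example that is not from the talk: a seed and a node sharing a preloaded pairwise key, the node's nonce challenge, and the seed's location response bound to that nonce. The talk's encryption EKNS is replaced here by an HMAC-SHA256 tag over the fields (an assumption; freshness comes from the single-use nonce either way), and the demo shows a captured response being rejected when replayed while the identical exchange tunnelled live through a wormhole is accepted by a node that is nowhere near the seed.

```python
"""Seed announcement with pairwise-key challenge/response: added example, not from the talk.
Assumptions: each node is preloaded with a pairwise key per seed; the talk's encryption
E_KNS is replaced by an HMAC-SHA256 tag over the fields (freshness comes from the
single-use nonce either way); messages are Python tuples carried by the caller, which
lets the same exchange be relayed through a wormhole unchanged."""
import hashlib
import hmac
import secrets

def tag(key, *fields):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

class Seed:
    def __init__(self, seed_id, location, keys):
        self.id, self.location, self.keys = seed_id, location, keys      # keys: node id -> K_NS

    def announce(self):
        return ("ANNOUNCE", self.id)                                       # 1. S -> region: ID_S

    def respond(self, challenge):
        """3. S -> N: location bound to the node's nonce under the pairwise key."""
        _, node_id, nonce, t = challenge
        key = self.keys[node_id]
        if not hmac.compare_digest(t, tag(key, "CHAL", self.id, node_id, nonce)):
            return None
        return ("LOC", self.id, self.location, tag(key, "RESP", self.id, node_id, nonce, self.location))

class Node:
    def __init__(self, node_id, keys):
        self.id, self.keys = node_id, keys                                 # keys: seed id -> K_NS
        self.pending = {}                                                  # seed id -> outstanding nonce
        self.seen = []                                                     # accepted (seed, location)

    def challenge(self, announcement):
        """2. N -> S: fresh nonce, so an old response cannot be replayed at us."""
        _, seed_id = announcement
        nonce = secrets.token_bytes(8)
        self.pending[seed_id] = nonce
        return ("CHAL", self.id, nonce, tag(self.keys[seed_id], "CHAL", seed_id, self.id, nonce))

    def accept(self, response):
        """True only for an authentic response to a nonce we still have outstanding."""
        _, seed_id, location, t = response
        nonce = self.pending.get(seed_id)
        if nonce is None:
            return False                                                   # nothing outstanding: replay
        if not hmac.compare_digest(t, tag(self.keys[seed_id], "RESP", seed_id, self.id, nonce, location)):
            return False                                                   # forged or tampered
        del self.pending[seed_id]                                          # nonce is single use
        self.seen.append((seed_id, location))
        return True

def demo():
    """Honest exchange, a replay of the captured response, and a live wormhole relay."""
    k_near, k_far = secrets.token_bytes(16), secrets.token_bytes(16)
    seed = Seed("S1", (3, 4), {"N1": k_near, "N2": k_far})
    near = Node("N1", {"S1": k_near})
    response = seed.respond(near.challenge(seed.announce()))
    fresh = near.accept(response)
    replayed = near.accept(response)            # same response again: nonce already consumed
    # Wormhole: N2 is far from S1, but the attacker tunnels the announcement, challenge and
    # response in real time; every check passes and N2 believes it is within r of (3, 4).
    far = Node("N2", {"S1": k_far})
    tunnelled = seed.respond(far.challenge(seed.announce()))
    wormholed = far.accept(tunnelled)
    return {"fresh": fresh, "replay": replayed, "wormhole": wormholed}
```

Nothing in the messages tells the far node that they travelled through a tunnel: the key is right, the nonce is fresh, and the location is the seed's true one. Ruling that out needs a physical check on the exchange itself, which is what the distance-bounding defense on the next slide provides.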

“Expensive” Defense
• Distance bounding
– Light travels 1 ft per nanosecond (2-4 cycles on modern PC!)
– Need special hardware to instantly respond to received bits
• Use distance bounding to perform secure multilateration
• Prove node encounters
Brands and Chaum, EUROCRYPT 1993
Capkun and Hubaux, 2004
Capkun, Buttyan and Hubaux, 2003

“Cheap” Defense: Multiple Locations
Speculation
• As long as one legitimate seed announcement is received, the worst an attacker can do is filter out all possible locations: a denial of service attack
• Maintain multiple possible locations instead of giving up when observations are inconsistent
• Current work:
– Can we design routing protocols that work well with multiple locations?

Conclusion
• Computing is moving into the real world:
– Rich interfaces to environment
– No perimeters
• Simple properties of physical world are useful:
– Directional consistency can prevent wormhole attacks
– Space and time can be used to achieve accurate localization cheaply

Thanks!
Students: Lingxuan Hu, Chalermpong Worawannotai, Nathaneal Paul, Jinlin Yang, Joel Winstead
Funding: NSF ITR, NSF CAREER, DARPA SRS
For more information and paper links: http://www.cs.virginia.edu/physicrypt