Remote Software-based Attestation for Wireless Sensors
July 13, 2005
Mark Shaneck, Karthikeyan Mahadevan, Vishal Kher, Yongdae Kim
Department of Computer Science, University of Minnesota
2 Introduction
- Securing sensors in critical applications is important
  - E.g. military applications
- Compromise of a sensor can enable the attacker to inject false sensing information
- Compromise of shared keys can enable the attacker to compromise secure communications
3 Attestation
- How to detect compromise? Attest!
- Ensure that the contents of the memory are unchanged
- Detects sensor compromise that involves a modification of the program memory
- Compute a checksum of the memory contents
4 Naive Attestation Model
- Attestation routine reads memory and computes a checksum
- Attacker must offset memory reads to avoid detection
- Offsets incur measurable delay in execution
- Attester can measure execution time to detect compromise
Figure: memory of the sensor holding the attestation routine (Attest), malcode, and an unmodified copy of the original program that the malcode redirects reads to.
5 Limitations
- Suitable for directly connected devices
  - Slight execution delays can be accurately measured
- What about remote attestation?
  - Code is located on the device: the attacker can use static analysis to analyze the code offline and insert conditional offsets
  - Slight execution delays cannot be accurately measured: they are overshadowed by unpredictable network latency
6 Remote Attestation
- How can we adapt the attestation model to work in a remote setting?
- Prevent the attacker from analyzing the attestation code offline
  - Send the attestation routine to the sensor
  - Make it different each time
- Prevent the attacker from modifying the attestation code
  - Use techniques that make it difficult to statically analyze
7 Why Remote Attestation?
- Is remote attestation really necessary?
- Physical access to the sensors is not always feasible
  - Military setting: sensors are located in hostile, enemy territory
  - Building monitoring: sensors could be located in dangerous/inaccessible locations
8 Outline
- Problem Scope
- Building Blocks
- Attestation Procedure Construction
- Discussion/Conclusion
9 Assumptions
- Base Station is secure
- Base Station to sensor communication is encrypted/authenticated using a pairwise shared key
- Base Station has an exact memory image of each sensor
- Sensors do not have virtual memory
- Sensors can receive and execute binary code
10 Threat Model
- Attacker can perform any software-based attack on the attestation routine
- Attacker cannot tamper with hardware
- Impersonation and DoS attacks are out of scope
11 Requirements
- Resistance to
  - Replay
  - Prediction
  - Static Analysis
- Loose dependence on execution time
- Complete memory coverage
- Efficient construction
12 Building Blocks
- Randomization
- Encryption
- Self-Modifying Code
- Obfuscation
  - Opaque Predicates / Pointer Aliasing
  - Junk Instructions
13 Self Modifying Code
Figure (slot assignment reconstructed from the flattened slide): a ten-slot program at 0xFFF6-0xFFFF; the opcode byte 0x40 is "inc %eax".

 1: 0xFFF6  nop
 2: 0xFFF7  nop
 3: 0xFFF8  mov $0x05, %eax
 4: 0xFFF9  inc %eax
 5: 0xFFFA  xor %eax, %eax      (overwritten at run time with 0x40 = "inc %eax")
 6: 0xFFFB  test %eax, %eax
 7: 0xFFFC  jnz 0xFFFF
 8: 0xFFFD  mov 0x40, 0xFFFA
 9: 0xFFFE  jmp 0xFFF9
10: 0xFFFF  nop

Read statically, slot 5 zeroes %eax right before the test, so the jnz in slot 7 appears never to be taken. At run time the first pass falls through, slot 8 stores 0x40 into 0xFFFA and slot 9 jumps back to 0xFFF9; the second pass executes inc, inc, test on a nonzero %eax and the jnz is taken. The control flow an offline analyst recovers from the bytes is wrong.
14 Opaque Predicates
- Conditions that always evaluate to true or always evaluate to false
- Evaluation result is not obvious from static analysis
- Can be formed through pointer aliasing
  - Precise pointer alias analysis is known to be an NP-hard problem
15 Opaque Predicates
Figure: two pointers A and B into the same dynamically allocated structure. Does A == B?
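The following is an added example of the pointer-aliasing construction sketched on the two slides above; it is not code from the paper, and the ring of cells, the step counts and the seed derivation are all assumptions chosen for illustration. Two pointers walk the same ring; one of them laps the ring a whole number of times, so the equality test is always true (or, with one extra step, always false), but an analyser has to resolve the heap aliasing to know which. The live branch of `recover_seed` (a hypothetical name) does the real work and the dead branch carries a decoy.

```c
/* Opaque predicates from pointer aliasing. Added example, not the paper's
 * construction; ring size, step counts and the seed derivation are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RING 7u

typedef struct node { struct node *next; } node_t;

/* Constructed heap shape: a ring of RING cells, head at cells[0] */
static node_t *make_ring(node_t *cells) {
    for (unsigned i = 0; i < RING; i++) cells[i].next = &cells[(i + 1) % RING];
    return &cells[0];
}

/* P^T: p walks x steps, q walks x + 2*RING steps. q laps the ring exactly
 * twice, so p == q for every x: the predicate is always true at run time. */
static int opaque_true(node_t *ring, unsigned x) {
    node_t *p = ring, *q = ring;
    for (unsigned i = 0; i < x; i++) p = p->next;
    for (unsigned i = 0; i < x + 2 * RING; i++) q = q->next;
    return p == q;
}

/* P^F: same walk but q takes one extra step, so p == q never holds. */
static int opaque_false(node_t *ring, unsigned x) {
    node_t *p = ring, *q = ring;
    for (unsigned i = 0; i < x; i++) p = p->next;
    for (unsigned i = 0; i < x + 2 * RING + 1; i++) q = q->next;
    return p == q;
}

/* Convenience check: both predicates behave as claimed for a given x */
static int predicate_pair_holds(unsigned x) {
    node_t cells[RING];
    node_t *ring = make_ring(cells);
    return opaque_true(ring, x) && !opaque_false(ring, x);
}

/* Hypothetical use: derive the attestation seed from a blob. Only the branch
 * guarded by P^T computes the real value; the P^F branch carries a decoy that
 * an analyser unable to decide the predicate must also follow. */
static uint16_t recover_seed(const uint8_t *blob, size_t len, unsigned salt) {
    node_t cells[RING];
    node_t *ring = make_ring(cells);
    uint16_t seed = 0;
    if (opaque_false(ring, salt)) {
        seed = 0xDEAD;                            /* decoy path, never executed */
    }
    if (opaque_true(ring, salt)) {                /* live path: toy derivation */
        for (size_t i = 0; i < len; i++)
            seed = (uint16_t)((seed << 3) ^ blob[i] ^ (seed >> 13));
    }
    return seed;
}

int main(void) {
    const uint8_t blob[] = { 0x01, 0x02, 0xAB, 0xCD };   /* constructed input */
    printf("P^T && !P^F for x=0,5,1000: %d %d %d\n",
           predicate_pair_holds(0), predicate_pair_holds(5), predicate_pair_holds(1000));
    printf("seed = 0x%04x (salt 3), 0x%04x (salt 9)\n",
           recover_seed(blob, sizeof blob, 3), recover_seed(blob, sizeof blob, 9));
    return 0;
}
```

The salt only changes how far the pointers walk, never the outcome, which is the point: the value of the branch condition is fixed, but it is fixed by the shape of the heap rather than by anything visible in the instruction stream.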
16 Junk Instructions
- Full or partial machine code instructions
  - Full: distract analysis
  - Partial: confuse analysis
17 Attestation Protocol
Figure (message sequence between Base and Sensor):
1. Base: Generate Attestation Routine
2. Base: Precompute Result
3. Base -> Sensor: Attestation Routine
4. Sensor: Execute Attestation Routine
5. Sensor -> Base: Checksum Result
6. Base: Measure Response Time, Compare Results
18 Attestation Routine Overview
- Randomly step through program memory, adding values to the checksum result
- Loop repeats O(n log n) times to ensure complete coverage of the memory
- Routine will incorporate the building blocks to prevent attacks on the routine itself
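The simulation below is an added example of the random-walk checksum and of the "offset the reads" attack from the naive model; it is not the paper's routine, RNG or hash. The xorshift32 generator, the mixing step, the 1 KiB pseudo-firmware image, the 64-byte malcode region and the cycle costs are all assumptions. It runs the same routine on the base station's exact image and on three devices: an honest one, an infected one that does nothing to hide, and an infected one whose patched routine range-checks every read and redirects reads of the malcode region to a saved copy. The third device produces the right checksum but pays for it on every read, which is the timing signal the protocol relies on; `coverage` shows why the loop needs about n log n iterations.

```c
/* Toy simulation of random-walk attestation and of the attacker's redirected
 * reads. Added example, not the paper's code; PRNG, hash and costs are assumed.
 * Constructed data: 1 KiB pseudo-firmware image, 64 bytes of 0xCC as malcode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 1024u
#define ITERS    (MEM_SIZE * 10u)   /* about n(ln n + 3) for n = 1024: coupon-collector coverage */
#define MAL_LEN  64u

typedef struct {
    uint8_t  mem[MEM_SIZE];       /* program memory the routine reads */
    int      redirect;            /* attacker's routine: range-check every read and redirect */
    uint16_t mal_start, mal_end;  /* region overwritten by malcode */
    uint8_t  backup[MAL_LEN];     /* attacker's copy of the original bytes (in data memory) */
    unsigned long cost;           /* simulated cycles spent inside the routine */
} sensor_t;

/* Marsaglia xorshift32, an assumed stand-in for the routine's RNG; state must be nonzero */
static uint32_t rng_next(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* One memory read as executed on the device. The honest routine pays 1 cycle;
 * the attacker's patched routine pays a compare-and-branch on every read and an
 * extra load whenever the address falls inside the malcode region. */
static uint8_t sensor_read(sensor_t *s, uint16_t addr) {
    s->cost += 1;
    if (s->redirect) {
        s->cost += 2;
        if (addr >= s->mal_start && addr < s->mal_end) {
            s->cost += 1;
            return s->backup[addr - s->mal_start];
        }
    }
    return s->mem[addr];
}

/* Random walk over program memory; the seed makes each run unpredictable. */
static uint32_t attest(sensor_t *s, uint32_t seed, unsigned long iters) {
    uint32_t st = seed ? seed : 1, c = 0;
    for (unsigned long i = 0; i < iters; i++) {
        uint16_t addr = (uint16_t)((rng_next(&st) >> 16) & (MEM_SIZE - 1));
        c = ((c << 5) | (c >> 27)) ^ sensor_read(s, addr);   /* toy mixing step */
        c += addr;
    }
    return c;
}

/* Distinct addresses the walk touches: why O(n log n) reads are needed for full coverage */
static unsigned coverage(uint32_t seed, unsigned long iters) {
    uint8_t seen[MEM_SIZE] = {0};
    uint32_t st = seed ? seed : 1;
    unsigned n = 0;
    for (unsigned long i = 0; i < iters; i++) {
        uint16_t addr = (uint16_t)((rng_next(&st) >> 16) & (MEM_SIZE - 1));
        if (!seen[addr]) { seen[addr] = 1; n++; }
    }
    return n;
}

static void make_image(uint8_t *image) {          /* constructed pseudo-firmware bytes */
    uint32_t st = 0xC0FFEE;
    for (unsigned i = 0; i < MEM_SIZE; i++) image[i] = (uint8_t)rng_next(&st);
}

static void infect(sensor_t *dev, uint16_t start, int redirect) {
    memcpy(dev->backup, dev->mem + start, MAL_LEN);   /* keep the original bytes elsewhere */
    memset(dev->mem + start, 0xCC, MAL_LEN);          /* overwrite with malcode */
    dev->mal_start = start; dev->mal_end = (uint16_t)(start + MAL_LEN);
    dev->redirect = redirect;
}

typedef struct { int checksum_ok; int within_timeout; unsigned long cost; } verdict_t;

/* Base station side: precompute on its exact image, then compare the device's
 * checksum and check that the device's cost stayed under the timeout. */
static verdict_t verify(const uint8_t *image, sensor_t *dev, uint32_t seed, unsigned long timeout) {
    sensor_t ref; memset(&ref, 0, sizeof ref); memcpy(ref.mem, image, MEM_SIZE);
    uint32_t expected = attest(&ref, seed, ITERS);
    dev->cost = 0;
    uint32_t got = attest(dev, seed, ITERS);
    verdict_t v = { got == expected, dev->cost <= timeout, dev->cost };
    return v;
}

/* scenario 0: honest; 1: infected, no hiding; 2: infected, reads redirected */
static verdict_t run_scenario(int scenario, uint32_t seed) {
    uint8_t image[MEM_SIZE]; make_image(image);
    sensor_t dev; memset(&dev, 0, sizeof dev); memcpy(dev.mem, image, MEM_SIZE);
    if (scenario) infect(&dev, 0x200, scenario == 2);
    /* an honest run costs exactly ITERS cycles; allow 10% slack for network jitter */
    return verify(image, &dev, seed, ITERS + ITERS / 10);
}

int main(void) {
    const char *names[] = { "honest", "infected", "infected+redirect" };
    for (int s = 0; s < 3; s++) {
        verdict_t v = run_scenario(s, 0x1234);
        printf("%-18s checksum_ok=%d within_timeout=%d cost=%lu\n",
               names[s], v.checksum_ok, v.within_timeout, v.cost);
    }
    printf("coverage: %u of %u bytes\n", coverage(0x1234, ITERS), MEM_SIZE);
    return 0;
}
```

The timeout is the weak point of the model, as the Limitations slide says: here the slack is 10% of a fully deterministic cost, while a real base station sees cycle time plus a noisy network round trip, so the attacker's extra work per read has to be large relative to that noise. The per-read range check is the cheapest possible offset; an emulator would cost far more per instruction.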
19 Attestation Routine
Figure (layout of the routine sent to the sensor): a Decryption Routine followed by Encrypted Code; the encrypted part holds the Main Attestation Loop (Seed Calculation, Random Number Generator, Memory Reads & Jump, Hash Calculation, Self Modifying Code), with Junk Instructions and Jumps interleaved between the blocks.
20 Security Analysis
- What can the attacker do?
- Replay response
  - Countered by randomization and the random memory read pattern (seed)
- Attacker must attack each code
  - Goal: force the attacker to do intensive computation for each attestation procedure
21 What Attacker Must Do
- Break Encryption
  - Find the key, which is protected by opaque predicates
- Determine Seed
  - Protected the same way as the encryption key
- Examine self-modifying code
  - Rewrite this portion of the code to insert conditional offsets
22 Emulation
- Attacker could install an emulator
  - Each read is directed to the appropriate offset
- The routine is compute-bound, not I/O bound, so emulating it adds significant overhead
- Attack will be foiled with an appropriate choice of the timeout period
23 Extension
- Fill the sensor's free memory space with random values (known to the base station)
- Attest entire memory contents
- Malicious code would be limited in size by data memory
  - Copy of the original is forced to be located in data memory
24 Related Work
- SWATT (Seshadri et al.)
- Genuinity (Kennell et al.)
- Trusted Hardware: TPM, BIND, Copilot (Sailer et al., Shi et al., N. L. Petroni Jr. et al.)
- Obfuscation (Collberg et al., Barak et al., etc.)
- Program Evolution (F. Cohen)
- Self-checksumming (Chang et al., Horne et al.)
- Integrity Verification Kernel (D. Aucsmith)
25 Future Work
- Implementation
  - Test and measure how lightweight/heavyweight the attestation procedure is
  - Measure and test to determine an appropriate timeout period
- Impersonation Attack
  - May require hardware support
- Enhance the attestation protocol to work in multihop settings
26 Questions?