Thoughts on the Formal
Modeling of Security of Sensor
Networks
Catherine Meadows
Center for High Assurance Computer Systems
Naval Research Laboratory
Washington, DC
Outline of Talk
• Brief introduction to sensor networks
• Brief introduction to standard Dolev-Yao notion of
protocol correctness
• In-depth discussion of how assumptions behind
sensor network security differ from Dolev-Yao notions
• Some examples
– Chose examples as different from DY-type protocols as
possible in order to illustrate points
• Some suggestions for future research
What is a Sensor Network?
• Network of sensors
and other devices
communicating by
wireless technology
• Responsible for
gathering and
coordinating data, and
communicating it to
data processing points
Security Needs of Sensor
Networks
• Nodes need to be able to authenticate themselves to network
• Receiver of data from network needs to be able to ensure that
that data is correct and consistent
– Receiver could be another node in the network our some
entity outside of network
– Data may be aggregate of data gathered by individual nodes
• Network needs to be able to protect itself from denial of service
attacks
• Network may also need to protect secrecy of data, although not
in all applications
– Will often be enough to guarantee that no single node
contains information about the entire network
How Can We Adapt Formal Crypto
Protocol Analysis to Sensor Networks
• Have generally accepted threat model, Dolev-Yao, that serves as
the basis for most formal analysis systems for crypto protocols
• Well-defined formal methods built using that model
– Recently, model has been extended to include cryptographic
notions of security
• Purpose of this talk:
– Explore where DY does and does not apply to sensor
networks
– Explore feasibility of developing general threat model for
security of sensor networks
Some Attacks on Sensor
Networks
• Collusion: Illegal collaboration among subset of nodes
• Sybil: Single entity impersonates multiple network nodes
– Effective against systems that rely on majority vote
• Sinkhole: Single node redirects all data through it
– Good for implementing denial of service attack
• Wormhole: Adversary has faster link for communication
between origin and destination point
– Can be used to confuse network about physical location of
Locators
origin
Adversary
destination
L1
L2
Wormhole link
L3
Adversary origin
Dolev-Yao Model
• Assume intruder who can
– Read, intercept, alter, or create traffic at any point
– Perform any cryptographic operation available to legitimate
member of system
• Assume principals divided up into honest and dishonest
– Honest principals follow rules of protocol
– Dishonest principals in league with intruder and share all
keys and other information with it
• Any message sent by dishonest principal
– Honest principals stay honest, dishonest principals say
dishonest
• Some variants of model do allow for compromise of keys
Dolev-Yao Model (cont.)
• Fixed set of operations allowed to principals
– Concatenation, deconcatenation
– Cryptographic functions (private key, public key, keyed hash,
etc.)
– Generation of random nonces
– Some versions also include timestamps
• Two general classes of security goals
– Secrecy
– Authentication: if a certain event occurs, then certain other
events must have or must not have occurred in the past
• Possibly in a prescribed order
ATTACKER MODEL
What’s Behind Attacker Model
in DY
• In wired networks, we generally assume strong
layering
– Crypto protocols will rely on routing to send data from
one point to another, but can’t make any special
demands on it
• For that reason, DY model makes the worst case
assumption that the network is completely under
control of the intruder
Sensor Network Model Not as
Pessimistic
• Severe energy constraints means that you need to have greater
cross-layer communication
– Secure services can and must be designed in closer
cooperation with other network services
• Thus, most security protocols for sensor networks interact
closely with the routing mechanism
• The upshot: modeling routing explicitly means that we can
assume that nodes controlled by intruder can only read or alter
traffic if they are in close physical proximity to sender of traffic
• More detailed, but weaker, intruder model
• Note: most, but not all, solutions rely on broadcast routing, so
can make simplifying assumption that attacker can pick up on or
interfere with communication only if within certain distance of
broadcasting node
DISHONEST PRINCIPALS
Assumptions About Dishonest
Principals
• In DY model, dishonest principals in league with
attacker and assumed to be in communication with it
• In sensor networks, ability to communicate limited to
physical proximity
• Only nodes that are close together are assumed
always to be able to communicate
• Again, attacker model is weaker, but more detailed
Assumptions About Dishonest
Principals (2)
• In DY, set of honest and dishonest nodes does not
change
• In sensor network, nodes usually assumed to start
out honest
• Much computation in sensor networks based on
consensus
– Thus necessary to identify bad nodes and remove
them
• Life trajectory of bad node: starts out good, becomes
bad, is identified and removed
Assumptions About Attacker
Computational Strength
• In sensor networks, nodes may have very limited
computational and memory capability in order to
conserve energy
• Some models assume that attacker nodes have no
more capability than honest nodes
– Allows us to use non-cryptographic solutions
• Algorithms that are not cryptographically strong, but
cannot be broken by resource-constrained node
ACTIONS AVAILABLE TO
HONEST PRINCIPALS
Operations Available to Honest
Principals
• Besides operations available to honest principals, have two
others
• Distance bounding
– Node can tell distance from other node by sending it a
message and see how long it takes to return
– If response authenticated, dishonest node can lie about
being further away than it is, but not closer
• Signal strength measurement
– Sender includes strength of transmitted message in message
– Receiver compares received strength to transmitted strength
to compute distance
– Not secure, but can be useful when combined with other
mechanisms
SECURITY GOALS
Security Goals
• DY Goals involve secrecy and authentication for some set of
principals
– What happens to rest of network is immaterial
• Sensor network goals usually apply to the entire network
– Network should be connected (securely)
– Majority of nodes in the network should be able to compute
their location
• Goals often probabilistic
– May be too difficult to get perfect of near-perfect assurance
of success
Protocol 1: Eschenauer-Gligor
Key Distribution Scheme
•
•
•
•
•
•
•
Public key cryptography often too expensive to implement in a sensor
network
Shared key crypto requires too many keys
Insight: don’t need every node to be able to communicate directly with
every other node
– What you need is a connected graph
Assign each node a random subset of given pool of keys
Nodes then go through a key discovery phase to determine which near
neighbors they share keys with
Resulting graph:
– Nodes are sensors
– Edges are (s,t) where s and t are near one-hop neighbors sharing
key
Probabilistic analysis to determine whether graph is connected
– Given two nodes, what is the probability there is a path between
them?
Protocol 2: Capkun & Hubaux
Secure Positioning Scheme
• When newcomer claims position,
three nodes forming triangle
around that position perform
distance bounding protocol
• Newcomer can’t claim to be farther
away from one node than it is
without also claiming to be closer
to another node
• It’s impossible to pretend to be
closer than you are!
Features of a Secure Distance
Bounding Protocol
• Timed response must be quick to compute
– Computationally intensive response will mess up timing
– Authentication is computationally expensive
• But, if protocol not authenticated properly, honest node’s
connection could be hijacked by another node
• Need a way of including both crypto and fast responses in the
same protocol
• Problem first addressed by Brands and Chaum, 1998
– Seeking to defeat “grandmaster attack” on zero knowledge
protocols
– Attacker passes off honest node protocol responses as its
own
– Dual of problem we are considering here
Capkun and Hubaux Protocol
u
: Generate random nonce Nu
: Generate commitment (c, d) = commit(Nu)
u -> v : c
v : Generate random nonce Nv
v -> u : Nv
u -> v : Nu XOR Nv
v
: Measure time tvu between sending Nv and receiving Nu XOR
Nv
u -> v : Nu,Nv,d,MACKuv (u, Nu,Nv,d)
v: Verify MAC and verify if Nu = open(c, d)
Security property: If protocol finishes successfully, u should have
sent Nu XOR Nv to v after receiving Nv
Protocol 3: SerLoc (Lazos and
Poovendran, 2004)
• Secure location protocol designed to defeat wormhole
attack
• Depends on architecture consisting of powerful
beacons who have access to location information
(e.g. via GPS), and less powerful sensors who locate
themselves wrt beacons
• Attacker may try to replay beacon information from
one part of network in other parts, confusing sensors
SerLoc Idea
L4
S1
L1
Locators heard at
the sensor LHs
s
S3
L3
s
S2
• Sensor s defines the region
of intersection (ROI), from
all locators it hears –
Majority Vote
S4
L2
(0, 0)
Locator
• Each locator Li transmits
information that defines
the sector Si, covered by
each transmission
ROI 
Sensor
ROI
LH s
S
i 1
i
Dealing with Wormholes (1)
Accept only single message per locator
obstacle
R
Ac
R
Wormhole link
Multiple messages from the
same locator are heard due
to:
–Multi-path effects
–Imperfect sectorization
–Replay attack
Multi-path or Imperfect Sectors
are not attacks! False Alarms!
R: locator-to-sensor communication range.
sensor
Locator
Attacker
Dealing with Wormholes (2)
Exploit the range bounds to detect anomalies
2R
Ai
Li
Aj
R
R
Lj
• Locators heard by a
sensor cannot be more
than 2R apart, where R
= locator-to-sensor
communication range
Li  L j  2 R
Wormhole link
•This allows you to identify anomalies, but not to choose correct location
•If you hear from two locators greater than 2R apart, can use distance
bounding to detect which is closer
Protocol not Secure Against
Jamming
2R
Ai
Li
Aj
R
R
Wormhole link
Lj
• If attacker can block
transmission from close-by
locators, sensor can no longer
identify anomalies
• Lazos, Poovendran, and
Capkun have developed
protocol robust against
jamming combining ideas of
SerLoc and Capkun-Hubaux
• Use metric Maximum Spoofing
Impact (MSI): maximum
distance between actual
location and spoofed location
• Protocol reduces MSI
Where do we go from here?
•
•
•
Look what’s been done for similar problems
Nature of problem
– Network-wide properties to be guaranteed
– Guarantee only statistical
– Attacker with limited powers
Two examples
– Denial of service
• Meadows’ denial of service model
• Application of probabilistic model checkers to anti-DoS
– Agha et al. Use PMAude and VESTA to model Gunter et al.’s packet
dropping protocol
– Anonymizing networks
• Stubblebine and Syverson’s group intruder logic models intruder with
limited abilities
• Application of probabilistic model checkers to anonymizing networks
– Shmatikov application of PRISM to Crowds
Conclusions
• Number of new problems to consider when analyzing
security of sensor network protocols
– Consensus-related goals
– Probabilistic definitions of correctness
– Need to take geometry, timing, and other physical
factors into account
• What are the best ways of dealing with these?
References
L. Eschenauer and V. Gligor, “A Key-Management Scheme for
Distributed Sensor Networks” Proc. of the 9th ACM Conference
on Computer and Communication Security, Washington D.C.,
November 2002
S. Capkun and J. Hubaux, “Secure Positioning of Wireless Devices
and Applications to Sensor Networks,” Proc. of INFOCOM,
Miami FL, March 2005
L. Lazos and R. Poovendran, “SeRloc: Secure Range-Independent
Localization for Wireless Sensor Networks,” Proc. Of WISE,
Philadelpia, PA, October 2004
L. Lazos, R. Poovendran, and S. Capkun, “ROPE: Robust Position
Estimation in Wireless Sensor Networks,” Proc. of ISPN 2005