Wireless Security in the Real World: Using Physical Properties to Mitigate Wormhole

Wireless Security in the Real World: Using Physical Properties to Mitigate Wormhole Attacks
SIGNET Seminar, University of Delaware, 15 September 2004
David Evans (work with Lingxuan Hu)
University of Virginia, Computer Science
Computing is Entering Real World
Desktop PC: protected box; narrow interface; 1 machine per user/admin
Sensor Network: unprotected nodes; wide interface; thousands of nodes per admin
www.cs.virginia.edu/physicrypt
…this Changes Security
Desktop PC: access control; perimeters; authenticity
Sensor Network: resource consumption; integrity, survivability; resilience
Challenges in Sensor Networks
• Vulnerable communication channels
• Physically vulnerable devices
• Limited energy
• No (or little) established infrastructure
• Depend on other nodes to accomplish anything
New Opportunities
• Embedded in an environment
– Physical properties of the environment constrain reality (space)
– Inertia: it takes time for things to change
• Quantity
– Many redundancies
This Talk
• Two protocols for sensor networks:
– Secure neighbor discovery protocol that uses space and quantity.
L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. NDSS 2004.
– Localization protocol that uses space, time and quantity.
L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.
Wormhole Attacks
Wormhole Attack
[Figure: nodes A, B, C, D, S; wormhole endpoints X and Y. Pirate image by Donald Synstelien]
Attacker needs transceivers at two locations in the network, connected by a low latency link
Attacker replays (selectively) packets heard at one location at the other location
Beacon Routing
[Figure: nodes labelled with hop counts 0 to 4 from the base station]
Nodes select parents based on minimum hops to base station
Wormhole vs. Beacon Routing
[Karlof and Wagner, 2003] [Hu, Perrig, Johnson 2003]
[Figure: beacon routing tree with hop counts 0, 1, 2 and wormhole endpoints X and Y]
Wormhole attack disrupts network without needing to break any cryptography!
Wormhole Impact
[Figure: fraction of routes to base station disrupted (0 to 1) vs. position of wormhole endpoint (x,x), x from 0 to 500; curves for base station at corner and base station at center]
A randomly placed wormhole disrupts ~5% of links
A single wormhole can disrupt 40% of links (center)
Previous Solution: Use Arrival Time
Yih-Chun Hu, Perrig and Johnson. INFOCOM 2003
• “Leashes” constrain distance packet can travel
• Geographical leashes: nodes know their location
– Sender includes its location and send time in packet
– Receiver checks distance to sender
• Temporal leashes: tightly synchronized clocks
– Sender sets expiration time when sending packet
• Drawback: requires clock synchronization or accurate localization
Our Approach
• Use directional information
– Directional antennas can identify direction of sender
• Exploit simple physical properties of space
• Cooperate with neighbors (in different locations) to validate legitimacy of other nodes
• No clock synchronization or location information required
Directional Antennas
[Figure: six antenna zones numbered 1 to 6 around a node, North at top; directional transmission from zone 4 versus omnidirectional transmission]
Aligned to magnetic North, so zone 1 always faces East
Model based on [Choudhury and Vaidya, 2002]
General benefits: power saving, fewer collisions
Assumptions
• Legitimate nodes can establish secure node-node links (all critical messages are authenticated)
• Network is fairly dense
• Nodes are stationary
• Most links are bidirectional (unidirectional links cannot be established)
• Transmissions are perfect wedges (relaxed later)
• Nodes are aligned perfectly (relaxed later)
Protocol Idea
• Wormhole attack depends on a node that is not nearby convincing another node it is
• Verify neighbors are really neighbors
– Directional consistency
• Only accept messages from verified neighbors
Directional Neighbor Discovery
[Figure: A and B, each with antenna zones 1 to 6; zone(B, A) = 4 is the antenna zone in which B hears A]
1. A → Region: HELLO | ID_A
Sent by all antenna elements (sweeping)
2. B → A: ID_B | E_KBA(ID_A | R | zone(B, A))
Sent by zone(B, A) element, R is nonce
3. A → B: R
Checks zone is opposite, sent by zone(A, B)
Detecting False Neighbors
[Figure: A and B far apart, wormhole endpoint X near A and endpoint Y near B; zone(B, A[Y]) = 1 and zone(A, B[X]) = 1]
False Neighbor: zone(A, B) should be opposite zone(B, A)
Not Detecting False Neighbors
[Figure: same layout; zone(B, A[Y]) = 4 and zone(A, B[X]) = 1]
Undetected False Neighbor: zone(A, B) = opposite of zone(B, A)
Directional neighbor discovery prevents 1/6 of false direct links…but doesn’t prevent disruption
Observation: Cooperate!
• Wormhole can only trick nodes in particular locations
• Verify neighbors using other nodes
• Based on the direction from which you hear the verifier node, and the direction from which it hears the announcer, you can distinguish a legitimate neighbor
Verifier Region
[Figure: B with antenna zones 1 to 6 and the region in which a verifier V may lie; zone(B, A) = 4, zone(B, V) = 5, zone(V, A) = 3]
A verifier must satisfy these two properties:
1. Be heard by B in a different zone: zone(B, A) ≠ zone(B, V)
otherwise V could be through wormhole
2. B and V hear A in different zones: zone(B, A) ≠ zone(V, A)
otherwise A could have tricked V too
(one more constraint will be explained soon)
Verified Neighbor Discovery
Steps 1 to 3 are the same as before:
1. A → Region: announcement, done through sequential sweeping
2. B → A: include nonce and zone information in the message
3. A → B: check zone information and send back the nonce
4. B → Region: INQUIRY | ID_B | ID_A | zone(B, A)
Request for verifier to validate A
5. V → B: ID_V | E_KBV(ID_A | zone(V, B))
If V is a valid verifier, sends confirmation
6. B → A
Accept A as its neighbor and notify A
Verifier Analysis
[Figure: A with wormhole endpoint X in region 1, B with wormhole endpoint Y in region 2, and verifier V with antenna zones 1 to 6]
Wormhole cannot trick a valid verifier:
zone(V, A[Y]) = 5 and zone(A, V[X]) = 1 are not opposites, so verification fails
Connectivity
[Figure: 500 m × 500 m deployment, x and y in meters; nodes marked as established all links, established some links (but not all), or disconnected]
Verified Protocol, Density = 3 (Directional Density = 9.7)
Worawannotai Attack
[Figure: A in region 1 and B in region 2 with wormhole endpoint X; verifier V with antenna zones 1 to 6]
V hears A and B directly
A and B hear V directly
But, A and B hear each other only through the repeater X
Preventing Attack
1. zone(B, A) ≠ zone(B, V)
2. zone(B, A) ≠ zone(V, A)
3. zone(B, V) cannot be both adjacent to zone(B, A) and adjacent to zone(V, A)
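The zone tests from directional neighbor discovery, the two verifier properties and the third constraint above reduce to a handful of integer checks on zone numbers. The following is an added example, not code from the talk or from the NDSS paper: it assumes six 60-degree zones with zone 1 centred on East and numbered counterclockwise, models a wormhole as B hearing "A" from endpoint Y while A hears "B" from endpoint X, and uses constructed coordinates for the three situations the slides draw (legitimate neighbors, an undetected false neighbor that a valid verifier still rejects, and the Worawannotai geometry that only the third constraint catches).

```python
import math

ZONES = 6  # six 60-degree antenna wedges per node


def zone_of(listener, speaker):
    """Antenna zone in which `listener` hears a signal arriving from `speaker`.

    Assumed numbering: zone 1 is centred on East and zones increase
    counterclockwise (consistent with the talk's zone(B,A) = 4, zone(B,V) = 5,
    zone(V,A) = 3 example when V lies south-west of B)."""
    dx, dy = speaker[0] - listener[0], speaker[1] - listener[1]
    angle = math.degrees(math.atan2(dy, dx)) % 360.0
    return int(((angle + 30.0) % 360.0) // 60.0) + 1


def opposite(z):
    """Zone facing the other way: 1 <-> 4, 2 <-> 5, 3 <-> 6."""
    return (z + 2) % ZONES + 1


def adjacent(z1, z2):
    """True when the two zones share an edge (6 and 1 are adjacent)."""
    return (z1 - z2) % ZONES in (1, ZONES - 1)


def directional_check(zone_ba, zone_ab):
    """Step 3 of directional neighbor discovery: B accepts A only if A hears B
    in the zone opposite the one in which B hears A."""
    return zone_ab == opposite(zone_ba)


def valid_verifier(zone_ba, zone_bv, zone_va, strict=True):
    """Constraints V must satisfy before B trusts V's confirmation of A.
    Constraints 1 and 2 define the verifier region; strict=True adds the third
    constraint that closes the Worawannotai attack."""
    if zone_bv == zone_ba:      # 1: V itself could be heard through the wormhole
        return False
    if zone_va == zone_ba:      # 2: A could have tricked V the same way
        return False
    if strict and adjacent(zone_bv, zone_ba) and adjacent(zone_bv, zone_va):
        return False            # 3: V may be a genuine neighbor of both A and B
    return True


# --- constructed scenarios (coordinates are illustrative, not from the talk) ---

def legitimate_example():
    """A west of B, V south-west of B: everything is consistent."""
    A, B, V = (0.0, 0.0), (1.0, 0.0), (0.5, -0.866)
    zone_ba, zone_ab = zone_of(B, A), zone_of(A, B)
    zone_bv, zone_va = zone_of(B, V), zone_of(V, A)
    return (zone_ba, zone_ab, zone_bv, zone_va,
            directional_check(zone_ba, zone_ab),
            valid_verifier(zone_ba, zone_bv, zone_va))


def wormhole_example():
    """A and B are 100 units apart.  Endpoint X sits east of A and endpoint Y
    west of B, so B and V hear 'A' from Y while A hears 'B' and 'V' from X.
    The opposite-zone test passes (undetected false neighbor), but V's own
    consistency check of A fails, so V never sends a confirmation."""
    A, X = (0.0, 0.0), (1.0, 0.0)
    B, Y, V = (100.0, 0.0), (99.0, 0.0), (99.5, -0.866)
    zone_ba, zone_ab = zone_of(B, Y), zone_of(A, X)   # what B and A observe
    zone_bv, zone_va = zone_of(B, V), zone_of(V, Y)   # V hears 'A' from Y too
    zone_av = zone_of(A, X)                           # A hears 'V' from X
    return (directional_check(zone_ba, zone_ab),       # True: B alone is fooled
            valid_verifier(zone_ba, zone_bv, zone_va), # True: V is a candidate
            directional_check(zone_va, zone_av))       # False: V rejects A


def worawannotai_example():
    """V is a genuine neighbor of both A and B, but A and B are out of range of
    each other and hear one another only through the wormhole (Y near B,
    X near A).  Constraints 1 and 2 pass; only constraint 3 rejects V."""
    B, V, A = (0.0, 0.0), (0.45, 0.78), (0.0, 1.56)
    Y, X = (0.5, 0.0), (-0.6, 1.56)
    zone_ba, zone_ab = zone_of(B, Y), zone_of(A, X)
    zone_bv, zone_va = zone_of(B, V), zone_of(V, A)
    return (directional_check(zone_ba, zone_ab),                     # True
            directional_check(zone_va, zone_of(A, V)),               # True: V really hears A
            valid_verifier(zone_ba, zone_bv, zone_va, strict=False), # True: verified protocol fooled
            valid_verifier(zone_ba, zone_bv, zone_va, strict=True))  # False: strict protocol


if __name__ == "__main__":
    print("legitimate:", legitimate_example())
    print("wormhole:", wormhole_example())
    print("worawannotai:", worawannotai_example())
```

The zone numbers would normally arrive inside the authenticated messages of steps 2, 4 and 5; `zone_of` only stands in for the antenna hardware so that the checks can be exercised offline.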
Cost Analysis
• Communication Overhead
– Minimal
– Establishing link keys typically requires announcement, challenge and response
– Adds messages for inquiry, verification and acceptance
• Connectivity
– How many legitimate links are lost because they cannot be verified?
Lose Some Legitimate Links
[Figure: link discovery probability (0 to 1) vs. node distance r (0 to 1), for network density = 3 and network density = 10; curves for the verified protocol and the strict protocol (preventing Worawannotai attack)]
…but small effect on connectivity and routing
[Figure: average path length (0 to 10) vs. omnidirectional node density (4 to 20), network density = 10; curves for strict protocol, verified protocol and trust all]
Verified protocol: 0.5% links are lost, no nodes disconnected
Strict protocol: 40% links are lost, 0.03% nodes disconnected
Dealing with Error
[Figure: ratio (0 to 1) vs. maximum directional error degree (0 to 60), for network density = 3 and network density = 10; curves for lost links and disconnected nodes under the strict and verified protocols]
Even with no control over antenna alignment, few nodes are disconnected
Vulnerabilities
• Attacker with multiple wormhole endpoints
– Can create packets coming from different directions to appear neighborly
• Magnet Attacks
– Protocol depends on compass alignment of nodes
• Antenna, orientation inaccuracies
– Real transmissions are not perfect wedges
Moral
• An attacker with few resources and no crypto keys can substantially disrupt a network with a wormhole attack
• Mr. Rogers was right: “Be a good neighbor”
– If you know your neighbors, you can detect a wormhole
– Need to cooperate with your neighbors to know who your legitimate neighbors are
Roadmap
• Use directional information to defeat wormhole attacks
– Simple properties of space
– Cooperation of nodes
• But…most sensor nodes don’t have directional antennas
– Rest of the talk: Location Determination
Location Determination
• Important for many sensor network applications
• Approaches:
– Nodes can determine their locations directly (GPS)
• Too expensive for many applications
– Nodes determine their locations indirectly by using information received from a few seed nodes that know their locations
Localization Error and Routing
[Figure: GPSR routing (Karp and Kung, MobiCom 2000) delivery ratio (0% to 100%) vs. density in neighbors (6 to 20); curves for localization error of no error, 0.2R, 0.4R, 0.6R, 0.8R and 1R]
Slide from Qing Cao. Details in Qing Cao and Tarek Abdelzaher, A Scalable Logical Coordinates Framework for Routing in Wireless Sensor Networks. RTSS 2004
Our Approach: Monte Carlo Localization
• Take advantage of mobility:
– Moving makes things harder…but provides more information
– Properties of time and space limit possible locations; cooperation from neighbors
• Adapts an approach from robotics localization: Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.
Scenarios
Nodes stationary, seeds moving (NASA Mars Tumbleweed; image by Jeff Antol)
Nodes moving, seeds stationary
Nodes and seeds moving
MCL: Initialization
[Figure: node’s actual position and the initial random sample set]
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
MCL Step: Predict, then Filter
[Figure: node’s actual position, radio range r, and a seed node that knows and transmits its location]
Predict: Node guesses new possible locations based on previous possible locations and maximum velocity, vmax
Filter: Remove samples that are inconsistent with observations
Prediction
p(lt | lt-1) = c if d(lt, lt-1) < vmax
p(lt | lt-1) = 0 if d(lt, lt-1) ≥ vmax
Assumes node is equally likely to move in any direction with any speed between 0 and vmax.
Filtering
[Figure: seed s and the ring of locations consistent with each observation]
Direct Seed: If you hear a seed, you must (likely) be within distance r of the seed’s location
Indirect Seed: If you don’t hear a seed, but one of your neighbors hears it, you must be within distance (r, 2r] of that seed’s location.
Resampling
Use prediction distribution to create enough sample points that are consistent with the observations.
Recap: Algorithm
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
Iteration Step: Compute new possible location set Lt based on Lt-1, the possible location set from the previous time step, and the new observations.
Lt = { }
while (size(Lt) < N) do
    R = { l | l is selected from the prediction distribution }
    Rfiltered = { l | l ∈ R and filtering condition is met }
    Lt = choose(Lt ∪ Rfiltered, N)
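The prediction distribution, the direct and indirect seed filters and the resampling loop above can be run end to end on a small constructed scenario. The following is an added example written for this page, not code from the talk or from the MobiCom paper: the deployment area, seed positions, the node's neighbor and the observation model (`observe`, which decides which seeds are direct and which are indirect from known positions) are all constructed, and the prediction step draws a displacement of length uniform in [0, vmax) in a uniformly random direction as the talk's p(lt | lt-1) describes.

```python
import math
import random


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def initialize(n, area):
    """L0: N random locations in the deployment area (width, height)."""
    return [(random.uniform(0.0, area[0]), random.uniform(0.0, area[1]))
            for _ in range(n)]


def predict(sample, vmax):
    """Draw l_t from p(l_t | l_{t-1}): any direction, any speed in [0, vmax)."""
    angle = random.uniform(0.0, 2.0 * math.pi)
    step = random.uniform(0.0, vmax)
    return (sample[0] + step * math.cos(angle), sample[1] + step * math.sin(angle))


def consistent(loc, direct, indirect, r):
    """Filtering condition: within r of every seed heard directly, and within
    (r, 2r] of every seed heard only through a one-hop neighbor."""
    if any(dist(loc, s) > r for s in direct):
        return False
    if any(not (r < dist(loc, s) <= 2.0 * r) for s in indirect):
        return False
    return True


def mcl_step(prev, direct, indirect, r, vmax, n, max_draws=100000):
    """One iteration of the recap algorithm: draw from the prediction
    distribution, keep the consistent draws, stop once N samples are held.
    Returns a short (possibly empty) list if max_draws pass without N
    consistent points, the inconsistent-observation case the talk revisits
    under multiple location speculation."""
    new = []
    draws = 0
    while len(new) < n and draws < max_draws:
        draws += 1
        candidate = predict(random.choice(prev), vmax)
        if consistent(candidate, direct, indirect, r):
            new.append(candidate)
    return new


def estimate(samples):
    """Location estimate: centroid of the sample set (None if it is empty)."""
    if not samples:
        return None
    return (sum(p[0] for p in samples) / len(samples),
            sum(p[1] for p in samples) / len(samples))


def observe(node, neighbors, seeds, r):
    """Constructed observation model: a seed is direct if within r of the
    node, indirect if not direct but within r of some one-hop neighbor."""
    direct = [s for s in seeds if dist(node, s) <= r]
    indirect = [s for s in seeds if s not in direct
                and any(dist(nb, s) <= r for nb in neighbors)]
    return direct, indirect


def run_demo(n=100, r=2.0, vmax=1.0, steps=5, rng_seed=1):
    """Constructed scenario: a 10 x 10 area, a node at (5, 5) with one neighbor
    at (6.5, 5), two seeds heard directly and one heard only via the neighbor.
    Returns (estimate error in distance units, final samples, direct, indirect)."""
    random.seed(rng_seed)
    area, node = (10.0, 10.0), (5.0, 5.0)
    neighbors = [(6.5, 5.0)]
    seeds = [(4.0, 5.0), (5.0, 6.5), (8.0, 5.0)]
    direct, indirect = observe(node, neighbors, seeds, r)
    samples = initialize(n, area)
    for _ in range(steps):
        samples = mcl_step(samples, direct, indirect, r, vmax, n)
    est = estimate(samples)
    error = dist(est, node) if est else None
    return error, samples, direct, indirect


if __name__ == "__main__":
    err, final, d, i = run_demo()
    print("direct seeds:", d, "indirect seeds:", i)
    print("samples kept:", len(final), "estimate error:", err)
```

Every sample in the final set lies inside the intersection of the direct-seed discs and the indirect-seed ring, so the centroid lands within r of the true position after a few steps; with no observations at all the filter is vacuous and the samples simply spread by vmax per step.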
Parameters
• Affect accuracy and convergence time:
– Speed of nodes and seeds
– Density of nodes and seeds
• Tradeoff memory and accuracy:
– Number of samples maintained
• Movement:
– Control should help; interdependence hurts
Convergence
[Figure: estimate error in r (0 to 2) vs. time in steps (0 to 50), node density nd = 10, seed density sd = 1; curves for vmax = .2r, smax = 0; vmax = r, smax = 0; vmax = r, smax = r]
The localization error converges in first 10-20 steps
Speed Helps and Hurts
[Figure: estimate error in r (0 to 1) vs. vmax in r distances per time unit (0.1 to 2), node density nd = 10; curves for sd = 1, smin = 0, smax = vmax; sd = 1, smax = smin = r; sd = 2, smax = vmax; sd = 2, smax = smin = r]
Increasing speed increases location uncertainty, but provides more observations.
Seed Density
[Figure: estimate error in r (0 to 3) vs. seed density (0.1 to 4), nd = 10, vmax = smax = .2r; curves for Centroid, Amorphous and MCL]
Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine. Oct 2000.
Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.
Better accuracy than other localization algorithms
Samples Maintained
[Figure: estimate error in r (0 to 1.2) vs. sample size N (1 to 1000, log scale), nd = 10; curves for sd = 1, vmax = smax = .2r; sd = 1, vmax = smax = r; sd = 2, vmax = smax = r; sd = 2, vmax = smax = .2r]
Good accuracy is achieved with only 20 samples (~100 bytes)
Radio Irregularity
[Figure: estimate error in r (0 to 2) vs. degree of irregularity (r varies ±dr, 0 to 0.5), nd = 10, sd = 1, vmax = smax = .2r; curves for Centroid, Amorphous and MCL]
Insensitive to irregular radio pattern
Motion
Stream and Currents: adversely affected by consistent group motion
[Figure: estimate error in r (0 to 6) vs. maximum group motion speed in r units per time step (0 to 6), nd = 10, vmax = smax = r; curves for sd = .3, sd = 1, sd = 2]
Random Waypoint vs. Area Scan
[Figure: estimate error in r (0 to 4) vs. time (0 to 200); curves for Random, vmax = 0, smax = .2r; Random, vmax = smax = .2r; Area Scan]
Controlled motion of seeds improves accuracy
Recap
• MCL:
– Maintain set of samples representing possible locations
– Filter out impossible locations based on observations from direct and indirect seeds
• Achieves accurate localization cheaply
• But…what about security?
Caveat: this is the speculative part of the talk!
Attacks on Localization
• Interfere with seed locations
– Overload GPS signal
• Inject bogus seed announcements
– Need to authenticate announcements
• Replay attacks (including wormhole)
– Ranging information
– Physical challenges
MCL Advantages
• Filtering
– Bogus seeds filter out possible locations
• Direct
– Does not require long range seed-node communication
• Mobile
– Nodes expect to hear announcements from different seeds over time
• Historical
– Current sample set reflects history of previous observations
Prevent Bogus Announcements
• Pairwise authentication: assumes nodes preloaded with pairwise keys for each seed
1. S → Region: ID_S
Broadcast identity
2. N → S: E_KNS(R_N) | ID_N
Send nonce challenge
3. S → N: E_KNS(R_N | L_S)
Respond with location
Nonce prevents standard replays, but not wormhole attacks
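The three-message exchange above, as an added example that is not code from the talk: it substitutes an HMAC-SHA256 tag under the pairwise key K_NS for the encryption E_KNS the slide writes (authenticity of the location bound to the nonce is the property the exchange needs), keeps one outstanding nonce per seed at the node, and shows that a captured response is rejected when replayed later, while the same three messages forwarded unchanged through a wormhole are still accepted, since nothing in the exchange bounds distance. Identifiers, key and location values are constructed.

```python
import hashlib
import hmac
import secrets


def tag(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (stand-in for E_KNS)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


class Seed:
    """Seed S: knows its location L_S and holds a pairwise key per node."""
    def __init__(self, seed_id, location, keys):
        self.id, self.location, self.keys = seed_id, location, keys

    def announce(self):                        # 1. S -> Region: ID_S
        return self.id

    def respond(self, node_id, challenge):     # 3. S -> N: tag(R_N | L_S)
        nonce, ch_tag = challenge
        key = self.keys.get(node_id)
        if key is None or not hmac.compare_digest(ch_tag, tag(key, node_id, nonce)):
            return None                        # challenge not from a keyed node
        loc = repr(self.location).encode()
        return (nonce, loc, tag(key, self.id, nonce, loc))


class Node:
    """Node N: pairwise key per seed, one outstanding nonce per seed."""
    def __init__(self, node_id, keys):
        self.id, self.keys = node_id, keys
        self.pending = {}                      # seed id -> nonce awaiting reply
        self.locations = {}                    # accepted seed locations

    def challenge(self, seed_id):              # 2. N -> S: tag(R_N) | ID_N
        nonce = secrets.token_bytes(16)
        self.pending[seed_id] = nonce
        return (nonce, tag(self.keys[seed_id], self.id, nonce))

    def accept(self, seed_id, response):
        """Accept L_S only if the tag verifies under K_NS and the nonce is the
        one currently outstanding for this seed; the nonce is then consumed,
        so the same response cannot be accepted twice."""
        if response is None or seed_id not in self.pending:
            return False
        nonce, loc, t = response
        if not hmac.compare_digest(t, tag(self.keys[seed_id], seed_id, nonce, loc)):
            return False
        if not hmac.compare_digest(nonce, self.pending[seed_id]):
            return False
        del self.pending[seed_id]
        self.locations[seed_id] = loc
        return True


def run_exchange():
    """Constructed run: a fresh exchange, a replayed response, a challenge
    forged without the key, and an exchange relayed unchanged (wormhole)."""
    k = secrets.token_bytes(32)
    seed = Seed(b"S1", (120.0, 340.0), {b"N1": k})
    node = Node(b"N1", {b"S1": k})
    sid = seed.announce()
    resp = seed.respond(node.id, node.challenge(sid))
    first = node.accept(sid, resp)             # fresh response: accepted
    replay = node.accept(sid, resp)            # same response again: rejected
    forged = node.accept(sid, seed.respond(node.id, (secrets.token_bytes(16), b"")))
    # A wormhole that forwards all three messages verbatim produces exactly
    # the fresh exchange below, so the node has no basis to reject it.
    relayed = node.accept(sid, seed.respond(node.id, node.challenge(sid)))
    return first, replay, forged, relayed, node.locations[sid]


if __name__ == "__main__":
    print(run_exchange())
```

The `relayed` result is the point of the slide's last line: freshness of the nonce proves the seed answered this challenge, not that it is nearby, which is what the distance-bounding and multiple-location defenses on the next slides address.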
“Expensive” Defense
• Distance Bounding: Brands and Chaum, EUROCRYPT 1993
– Light travels 1 ft per nanosecond (2-4 cycles on modern PC!)
– Need special hardware to instantly respond to received bits
• Use distance bounding to perform secure multilateration: Capkun and Hubaux, 2004
• Prove node encounters: Capkun, Buttyan and Hubaux, 2003
“Cheap” Defense: Multiple Location Speculation
• As long as one legitimate seed announcement is received, the worst an attacker can do by filtering out all possible locations is a denial of service attack
• Maintain multiple possible locations instead of giving up when observations are inconsistent
• Current work:
– Can we design routing protocols that work well with multiple locations?
Conclusion
• Computing is moving into the real world:
– Rich interfaces to environment
– No perimeters
• Simple properties of physical world are useful:
– Directional consistency can prevent wormhole attacks
– Space and time can be used to achieve accurate localization cheaply
Thanks!
Students: Lingxuan Hu, Chalermpong Worawannotai, Nathanael Paul, Jinlin Yang, Joel Winstead
Funding: NSF ITR, NSF CAREER, DARPA SRS
For more information and paper links: http://www.cs.virginia.edu/physicrypt