Harvard architecture CPU design is common in the embedded world. Examples of Harvard-based architecture devices are the Mica family of wireless sensors. Mica motes have limited memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable. It has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack for Mica sensors. We show how to exploit program vulnerabilities to permanently inject any piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices. Previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful since the attacker can gain full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.

This paper presents SCUBA (Secure Code Update By Attestation), for detecting and recovering compromised nodes in sensor networks. The SCUBA protocol enables the design of a sensor network that can detect compromised nodes without false negatives, and either repair them through code updates, or revoke the compromised nodes. The SCUBA protocol represents a promising approach for designing secure sensor networks by proposing a first approach for automatic recovery of compromised sensor nodes. The SCUBA protocol is based on ICE (Indisputable Code Execution), a primitive we introduce to dynamically establish a trusted code base on a remote, untrusted sensor node.

Existing network reprogramming protocols target the efficient, reliable, multi-hop dissemination of application updates in sensor networks, but assume correct or fail-stop behavior from participating sensors. Compromised nodes can subvert such protocols to result in the propagation and remote installation of malicious code. Sluice aims for the progressive, resource-sensitive verification of updates in sensor networks to ensure that malicious updates are not disseminated or installed, while trusted updates continue to be efficiently disseminated. Our verification mechanism provides authenticity and integrity through a hash-chain construction that amortizes the cost of a single digital signature over an entire update. We integrate Sluice with an existing network reprogramming protocol and empirically evaluate its effectiveness both in a real sensor testbed and through simulation. 1

Abstract. Current in-network programming protocols for sensor networks allow an attacker to gain control of the network or disrupt its proper functionality by disseminating malicious code and reprogramming the nodes. We provide a protocol that yields source authentication in the group setting like a public-key signature scheme, only with signature and verification times much closer to those of a MAC. We show how this can be applied to an existing in-network programming scheme, namely Deluge, to authenticate code update broadcasts. Our implementation shows that our scheme imposes only a minimal computation and communication overhead to the existing cost of network programming and uses memory recourses efficiently, making it practical for use in sensor networks. 1

Abstract — Wireless Sensors Network (WSN) security is a major concern and many new protocols are being designed. Most of these protocols rely on cryptography, and therefore, require a Cryptographic Pseudo-Random Number Generator (CPRNG). However, designing an efficient and secure CPRNG for wireless sensor networks is not trivial since most of the common source of randomness used by standard CPRNGs are not present on a wireless sensor node. We present TinyRNG, a CPRNG for wireless sensor nodes. Our generator uses the received bit errors as one of the sources of randomness. We show that transmission bit errors on a wireless sensor network are a very good source of randomness. We demonstrate that these errors are randomly distributed and uncorrelated from one sensor to another. Furthermore, we show that these errors are difficult to observe and manipulate by an attacker.

We study the security challenges that arise in people-centric urban sensing, a new sensor-networking paradigm that leverages humans as part of the sensing infrastructure. Most prior work on sensor networks has focused on collecting and processing ephemeral data about the environment using a static topology and an application-aware infrastructure. People-centric urban sensing, however, involves collecting, storing, processing and fusing large volumes of data related to every-day human activities. Sensing is performed in a highly dynamic and mobile environment, and supports (among other things) pervasive computing applications that are focused on enhancing the user’s experience. In such a setting, where humans are the central focus, there are new challenges for information security; not only because of the complex and dynamic communication patterns, but also because the data originates from sensors that are carried by a person—not a tiny sensor thrown in the forest or mounted on the neck of an animal. In this paper we aim to instigate discussion about this critical issue—because peoplecentric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new paradigm of sensor networks.

Abstract. In this position paper, we address the issue of durable maintenance of a wireless sensor network, which will be crucial if the vision of large, long-lived sensornets is to become reality. Durable maintenance requires tools for diagnosing and fixing occurring problems, which can range from internode connectivity losses, to time synchronization problems, to software bugs. While there are solutions for fixing problems, an appropriate diagnostic infrastructure is essentially still lacking. We argue that diagnosing a sensornet application requires the ability to dynamically and temporarily extend the application on a selected group of nodes with virtually any functionality. We motivate this claim based on deployment experiences to date and propose a highly nonintrusive solution to dynamically extending a running application on a resource-constrained sensor node. “During the spring of 2004, 80 mica2dot sensor network nodes were placed into two 60 meter tall redwood trees in Sonoma, California. [...]Onemonthlater,initial examination of the gathered data showed that the nodes in one tree had been entirely unable to contact the base station. Of the 33 remaining nodes, 15 % returned no data. Of the 80 deployed nodes, 65 % returned no data at all, from the very beginning. [...]One week into the Sonoma deployment, another 15 % of the nodes died [...]andnorecords exist oftheeventsthatmayhavecausedthisfailure.[...]” G. Tolle and D. Culler [2]. “[...]In2004, [Dutch] researchers [...]teamedupinanambitious project to use 150 wireless sensor nodes in a three-month pilot deployment on precision agriculture. [...] Out of 97 nodes running for [only] three weeks generating 1 message per 10 minutes, we received only 5874 messages, which amounts to 2%. [...]” 1

Wireless sensor networks need broadcast for operations such as software updates, network queries, and command dissemination. Alongside ensuring authenticity of the source and data, keeping the broadcast data secret is vital in certain applications such as battlefield control, emergency response, and natural resource management. In this paper we propose and prototype a mechanism for ensuring confidentiality and authenticity of broadcast data in single-hop networks, and discuss possible extensions to multi-hop settings. Our scheme uses known lowcomplexity symmetric encryption techniques for confidentiality, while changing the encryption key on a per-packet basis in a verifiable but non-forgeable way to ensure authenticity. Message integrity, freshness, and semantic security are also provided, and the broadcast data can be dynamic and incrementally processed. We incorporate our security scheme into Deluge, the de facto network programming protocol in TinyOS, and quantify the cost in terms of broadcast data transfer time and node memory space on a TelosB mote based platform. I.

If the vision of large, long-lived wireless sensor networks serving the society is to become reality, deployment and durable maintenance need much more attention. Both these issues require the ability to first diagnose, and then fix occurring problems. While there are solutions for fixing problems, an appropriate diagnostic infrastructure is essentially still lacking. Our position is that diagnosing a sensornet application requires the ability to dynamically and temporarily extend the application on a selected group of nodes with virtually any functionality. We propose a solution to this problem that is highly nonintrusive.

The AutoWitness project aims to deter, detect, and track theft of everyday objects using a combination of ultra lowpower mobile tags and a wide-area network of static anchors. Key research challenges include dramatically driving down the cost and size of tags and increasing their lifetime, discriminating between normal activities and theft using motion detection and classification algorithms, reconstructing getaway trajectories from sparse anchor rendezvous, and ensuring sufficient coverage and connectivity in a sparse, widearea network of anchors. The demonstration will show AutoWitness in operation including motion detection, classifying theft signatures, and tracking the trajectories of “stolen” objects near the conference venue.