Code Injection Attacks on Harvard-Architecture Devices
- ACM CCS 08, 2008
Cited by 68 (2 self)
Harvard architecture CPU design is common in the embedded world. Examples of Harvard-based architecture devices are the Mica family of wireless sensors. Mica motes have limited memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable. It has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack for Mica sensors. We show how to exploit program vulnerabilities to permanently inject any piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices. Previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful since the attacker can gain full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.
Scuba: Secure code update by attestation in sensor networks
- In Proceedings of ACM Workshop on Wireless Security (WISE’06). ACM, 2006
Cited by 50 (6 self)
This paper presents SCUBA (Secure Code Update By Attestation), for detecting and recovering compromised nodes in sensor networks. The SCUBA protocol enables the design of a sensor network that can detect compromised nodes without false negatives, and either repair them through code updates, or revoke the compromised nodes. The SCUBA protocol represents a promising approach for designing secure sensor networks by proposing a first approach for automatic recovery of compromised sensor nodes. The SCUBA protocol is based on ICE (Indisputable Code Execution), a primitive we introduce to dynamically establish a trusted code base on a remote, untrusted sensor node.
Sluice: Secure dissemination of code updates in sensor networks
- In Proceedings of the 26th International Conference on Distributed Computing Systems (ICDCS ’06), 2006
Cited by 42 (3 self)
Existing network reprogramming protocols target the efficient, reliable, multi-hop dissemination of application updates in sensor networks, but assume correct or fail-stop behavior from participating sensors. Compromised nodes can subvert such protocols to result in the propagation and remote installation of malicious code. Sluice aims for the progressive, resource-sensitive verification of updates in sensor networks to ensure that malicious updates are not disseminated or installed, while trusted updates continue to be efficiently disseminated. Our verification mechanism provides authenticity and integrity through a hash-chain construction that amortizes the cost of a single digital signature over an entire update. We integrate Sluice with an existing network reprogramming protocol and empirically evaluate its effectiveness both in a real sensor testbed and through simulation.
Seluge: Secure and dos-resistant code dissemination in wireless sensor networks
- In Proceedings of the Seventh International Conference on Information Processing in Sensor Networks (IPSN ’08), 2008
Cited by 25 (6 self)
Wireless sensor networks are considered ideal candidates for a wide range of applications, such as industry monitoring, data acquisition in hazardous environments, and military operations. It is desirable and sometimes necessary to reprogram sensor nodes through wireless links after deployment, due to, for example, the need of removing bugs and adding new functionalities. The process of propagating a new code image to the nodes in a wireless sensor network is referred to as code dissemination. This paper presents the design, implementation, and evaluation of an efficient, secure, robust, and DoS-resistant code dissemination system named Seluge for wireless sensor networks. Seluge is a secure extension to Deluge, an open source, state-of-the-art code dissemination system for wireless sensor networks. It provides security protections for code dissemination, including the integrity protection of code images and immunity from, to the best of our knowledge, all DoS attacks that exploit code dissemination protocols. Seluge is superior to all previous attempts for secure code dissemination, and is the only solution that seamlessly integrates the security mechanisms and the Deluge efficient propagation strategies. Besides the theoretical analysis that demonstrates the security and performance of Seluge, this paper also reports the experimental evaluation of Seluge in a network of MicaZ motes, which shows the efficiency of Seluge in practice.
secFleck: A Public Key Technology Platform for Wireless Sensor Networks
- In Proceedings of the 6th European Conference on Wireless Sensor Networks, 2009
Cited by 24 (5 self)
We describe the design and implementation of a public-key platform, secFleck, based on a commodity Trusted Platform Module (TPM) chip that extends the capability of a standard node. Unlike previous software public-key implementations this approach provides E-Commerce grade security; is computationally fast, energy efficient; and has low financial cost — all essential attributes for secure large-scale sensor networks. We describe the secFleck message security services such as confidentiality, authenticity and integrity, and present performance results including computation time, energy consumption and cost. This is followed by examples, built on secFleck, of symmetric key management, secure RPC and secure software update.
TinyRNG: A cryptographic random number generator for wireless sensors network nodes
- In Modeling and Optimization in Mobile, Ad Hoc and Wireless Networks and Workshops, 2007. WiOpt 2007. 5th International Symposium on, 2007
Cited by 17 (0 self)
Wireless Sensors Network (WSN) security is a major concern and many new protocols are being designed. Most of these protocols rely on cryptography, and therefore, require a Cryptographic Pseudo-Random Number Generator (CPRNG). However, designing an efficient and secure CPRNG for wireless sensor networks is not trivial since most of the common sources of randomness used by standard CPRNGs are not present on a wireless sensor node. We present TinyRNG, a CPRNG for wireless sensor nodes. Our generator uses the received bit errors as one of the sources of randomness. We show that transmission bit errors on a wireless sensor network are a very good source of randomness. We demonstrate that these errors are randomly distributed and uncorrelated from one sensor to another. Furthermore, we show that these errors are difficult to observe and manipulate by an attacker.
Authenticated In-Network Programming for Wireless Sensor Networks
- In Proceedings of the 5th International Conference on AD-HOC Networks & Wireless (ADHOC-NOW 2006), 2006
Cited by 15 (5 self)
Current in-network programming protocols for sensor networks allow an attacker to gain control of the network or disrupt its proper functionality by disseminating malicious code and reprogramming the nodes. We provide a protocol that yields source authentication in the group setting like a public-key signature scheme, only with signature and verification times much closer to those of a MAC. We show how this can be applied to an existing in-network programming scheme, namely Deluge, to authenticate code update broadcasts. Our implementation shows that our scheme imposes only a minimal computation and communication overhead to the existing cost of network programming and uses memory resources efficiently, making it practical for use in sensor networks.
People-Centric Urban Sensing: Security Challenges for the New Paradigm
- Dartmouth, 2007
Cited by 9 (2 self)
We study the security challenges that arise in people-centric urban sensing, a new sensor-networking paradigm that leverages humans as part of the sensing infrastructure. Most prior work on sensor networks has focused on collecting and processing ephemeral data about the environment using a static topology and an application-aware infrastructure. People-centric urban sensing, however, involves collecting, storing, processing and fusing large volumes of data related to every-day human activities. Sensing is performed in a highly dynamic and mobile environment, and supports (among other things) pervasive computing applications that are focused on enhancing the user’s experience. In such a setting, where humans are the central focus, there are new challenges for information security; not only because of the complex and dynamic communication patterns, but also because the data originates from sensors that are carried by a person—not a tiny sensor thrown in the forest or mounted on the neck of an animal. In this paper we aim to instigate discussion about this critical issue—because people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new paradigm of sensor networks.
An epidemic theoretic framework for evaluating broadcast protocols in wireless sensor networks
- In 4th IEEE International Conference on Mobile Ad-hoc and Sensor Systems
Cited by 8 (3 self)
While multi-hop broadcast protocols, such as Trickle, Deluge and MNP, have gained tremendous popularity as a means for fast and convenient propagation of data/code in large scale wireless sensor networks, they can, unfortunately, serve as potential platforms for virus propagation if the security is breached. To understand the vulnerability of such protocols and design defense mechanisms against piggy-backed virus attacks, it is critical to investigate the propagation process of these protocols in terms of their speed and reachability. In this paper, we propose a general framework based on the principles of epidemic theory, for vulnerability analysis of current broadcast protocols in wireless sensor networks. In particular, we develop
Towards a versatile problem diagnosis infrastructure for large wireless sensor networks
- In Proceedings of the 2nd OTM International Workshop on Pervasive Systems (PerSys 2007). Vilamoura, 2007
Cited by 5 (3 self)
In this position paper, we address the issue of durable maintenance of a wireless sensor network, which will be crucial if the vision of large, long-lived sensornets is to become reality. Durable maintenance requires tools for diagnosing and fixing occurring problems, which can range from internode connectivity losses, to time synchronization problems, to software bugs. While there are solutions for fixing problems, an appropriate diagnostic infrastructure is essentially still lacking. We argue that diagnosing a sensornet application requires the ability to dynamically and temporarily extend the application on a selected group of nodes with virtually any functionality. We motivate this claim based on deployment experiences to date and propose a highly nonintrusive solution to dynamically extending a running application on a resource-constrained sensor node. “During the spring of 2004, 80 mica2dot sensor network nodes were placed into two 60 meter tall redwood trees in Sonoma, California. [...] One month later, initial examination of the gathered data showed that the nodes in one tree had been entirely unable to contact the base station. Of the 33 remaining nodes, 15 % returned no data. Of the 80 deployed nodes, 65 % returned no data at all, from the very beginning. [...] One week into the Sonoma deployment, another 15 % of the nodes died [...] and no records exist of the events that may have caused this failure. [...]” G. Tolle and D. Culler [2]. “[...] In 2004, [Dutch] researchers [...] teamed up in an ambitious project to use 150 wireless sensor nodes in a three-month pilot deployment on precision agriculture. [...] Out of 97 nodes running for [only] three weeks generating 1 message per 10 minutes, we received only 5874 messages, which amounts to 2%. [...]”