Results 1 - 10 of 10
Scuba: Secure code update by attestation in sensor networks
- In Proceedings of the ACM Workshop on Wireless Security (WiSe’06), ACM, 2006
Cited by 16 (5 self)
This paper presents SCUBA (Secure Code Update By Attestation), for detecting and recovering compromised nodes in sensor networks. The SCUBA protocol enables the design of a sensor network that can detect compromised nodes without false negatives, and either repair them through code updates, or revoke the compromised nodes. The SCUBA protocol represents a promising approach for designing secure sensor networks by proposing a first approach for automatic recovery of compromised sensor nodes. The SCUBA protocol is based on ICE (Indisputable Code Execution), a primitive we introduce to dynamically establish a trusted code base on a remote, untrusted sensor node.
Bootstrapping trust in commodity computers
- In Proceedings of the IEEE Symposium on Security and Privacy, 2010
Cited by 14 (3 self)
Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer’s state. We examine research on securely capturing a computer’s state, and consider the utility of this information both for improving security on the local computer (e.g., to convince the user that her computer is not infected with malware) and for communicating a remote computer’s state (e.g., to enable the user to check that a web server will adequately protect her data). Although the recent “Trusted Computing” initiative has drawn both positive and negative attention to this area, we consider the older and broader topic of bootstrapping trust in a computer. We cover issues ranging from the wide collection of secure hardware that can serve as a foundation for trust, to the usability issues that arise when trying to convey computer state information to humans. This approach unifies disparate research efforts and highlights opportunities for additional work that can guide real-world improvements in computer security.
Distributed Software-based Attestation for Node Compromise Detection in Sensor Networks
Cited by 11 (2 self)
Sensors that operate in an unattended, harsh or hostile environment are vulnerable to compromises because their low costs preclude the use of expensive tamper-resistant hardware. Thus, an adversary may reprogram them with malicious code to launch various insider attacks. Based on verifying the genuineness of the running program, we propose two distributed software-based attestation schemes that are well tailored for sensor networks. These schemes are based on a pseudorandom noise generation mechanism and a lightweight block-based pseudorandom memory traversal algorithm. Each node is loaded with pseudorandom noise in its empty program memory before deployment, and later on multiple neighbors of a suspicious node collaborate to verify the integrity of the code running on this node in a distributed manner. Our analysis and simulation show that these schemes achieve high detection rate even when multiple compromised neighbors collude in an attestation process.
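The scheme above, like SCUBA/ICE, combines three ingredients: a nonce-driven pseudorandom traversal of program memory, free memory pre-filled with noise that the verifier can regenerate but the node cannot, and a bound on how long the response may take. The simulation below is an added illustration written for this page, not code from either paper. It assumes a 4 KiB program memory, 64-byte traversal blocks, a stride-based permutation standing in for the papers' traversal algorithms, and a cost model of one time unit per in-place memory read (a real verifier measures round-trip time). It shows why each ingredient is needed: a node that simply overwrites code fails the checksum, while a node that keeps the original bytes in a side buffer and redirects reads (a memory-copy attack) returns the right checksum but exceeds the time budget.

```python
import hashlib
import hmac
import struct

MEM_SIZE = 4096          # assumed program memory size
BLOCK = 64               # assumed traversal granularity
NBLOCKS = MEM_SIZE // BLOCK  # 64: a power of two, so any odd stride is a permutation


def fill_noise(seed: bytes, length: int) -> bytes:
    """Pseudorandom noise for free program memory. The verifier keeps `seed` and can
    regenerate it; an attacker who overwrites it must store a copy instead."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(b"noise" + seed + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(out[:length])


def build_image(code: bytes, seed: bytes) -> bytes:
    """Reference image: application code followed by noise up to MEM_SIZE."""
    if len(code) > MEM_SIZE:
        raise ValueError("code does not fit in program memory")
    return code + fill_noise(seed, MEM_SIZE - len(code))


def block_order(nonce: bytes):
    """Nonce-dependent traversal: start and odd stride derive from the nonce, so every
    block is visited exactly once in an order the prover cannot predict in advance."""
    d = hashlib.sha256(b"order" + nonce).digest()
    stride = ((d[0] << 8) | d[1]) | 1
    start = d[2] % NBLOCKS
    for i in range(NBLOCKS):
        yield ((start + i * stride) % NBLOCKS) * BLOCK


def checksum(read, nonce: bytes) -> bytes:
    """Attestation routine; `read(off)` returns the BLOCK bytes at `off`. The hash is
    chained over (offset, block) pairs in traversal order, so nothing can be
    precomputed or reused across nonces."""
    h = hashlib.sha256(b"attest" + nonce)
    for off in block_order(nonce):
        h.update(struct.pack(">I", off) + read(off))
    return h.digest()


class HonestNode:
    """Runs the checksum in place over its real program memory."""
    def __init__(self, image: bytes):
        self.mem = bytes(image)

    def attest(self, nonce: bytes):
        cost = 0
        def read(off):
            nonlocal cost
            cost += 1
            return self.mem[off:off + BLOCK]
        return checksum(read, nonce), cost


class CompromisedNode:
    """Malware overwrote one block. redirect=False answers from modified memory;
    redirect=True keeps the original block aside and checks every address (memory-copy
    attack), paying one extra compare per read."""
    def __init__(self, image: bytes, malware_off: int, malware: bytes, redirect: bool):
        assert len(malware) <= BLOCK and malware_off % BLOCK == 0
        mem = bytearray(image)
        mem[malware_off:malware_off + len(malware)] = malware
        self.mem = bytes(mem)
        self.saved = {malware_off: image[malware_off:malware_off + BLOCK]}
        self.redirect = redirect

    def attest(self, nonce: bytes):
        cost = 0
        def read(off):
            nonlocal cost
            cost += 1
            if self.redirect:
                cost += 1                      # address comparison on every access
                if off in self.saved:
                    return self.saved[off]
            return self.mem[off:off + BLOCK]
        return checksum(read, nonce), cost


class Verifier:
    """Holds the reference image and expects one in-place read per block, plus slack."""
    def __init__(self, reference: bytes, slack: float = 1.25):
        self.reference = reference
        self.budget = NBLOCKS * slack

    def check(self, node, nonce: bytes) -> str:
        response, cost = node.attest(nonce)
        expected = checksum(lambda off: self.reference[off:off + BLOCK], nonce)
        if not hmac.compare_digest(expected, response):
            return "checksum mismatch"
        if cost > self.budget:
            return "timing exceeded"
        return "ok"


if __name__ == "__main__":
    code = bytes(range(256)) * 4                    # constructed 1 KiB "application"
    image = build_image(code, b"deployment-seed")   # constructed noise seed
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")
    v = Verifier(image)
    print(v.check(HonestNode(image), nonce))                                    # ok
    print(v.check(CompromisedNode(image, 512, b"\xff" * BLOCK, False), nonce))  # checksum mismatch
    print(v.check(CompromisedNode(image, 512, b"\xff" * BLOCK, True), nonce))   # timing exceeded
```

The noise matters in the redirect case: without it, the attacker could park the saved copy in genuinely empty memory and only the timing check would remain; with it, every byte of the image is part of the reference, so the copy has to live somewhere the traversal does not reach, and the redirection overhead is what the verifier's time budget is designed to expose. The fixed cost model here stands in for real round-trip timing, which is why the papers' schemes also need the checksum loop to be tight enough that a few extra instructions per iteration are measurable.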
A Framework for Tamper Detection Marking of Mobile Applications
- In Proceedings of the Fourteenth International Symposium on Software Reliability Engineering (ISSRE), IEEE, 2003
Cited by 6 (2 self)
Today’s applications are highly mobile; we download software from the Internet, machine-executable code arrives attached to electronic mail, and Java applets increase the functionality and appearance of web pages. This movement has stirred a great deal of research in the area of mobile code security. The fact remains that a program newly arrived at a local host has the potential to inflict significant damage on the local host and local resources. Perhaps the new program originated from a charlatan host masquerading as a trusted server, or has been modified by a malicious party during transit from the trusted server to the local host. In light of this risk, security models that address mobile code are in high demand. We have developed a framework named SECRYT, which enables users of a mobile application to validate the application with integrity and authentication data while simplifying the management and distribution of the authentication data.
Refutation of “On the Difficulty of Software-Based Attestation of Embedded Devices”
Cited by 4 (1 self)
The paper “On the Difficulty of Software-Based Attestation of Embedded Devices” was published at the ACM CCS 2009 conference [1]. Although the paper contains many useful points, unfortunately, it also contains numerous errors and inaccuracies which we would like to rectify with this note.
Tamper detection marking for object files
- In Proceedings of the IEEE Military Communications Conference (MILCOM), IEEE, 2003
Cited by 3 (2 self)
Much of present-day computer software is highly mobile, with a great amount of software being delivered to a client host via a network shortly before execution begins. The integrity of mobile code is one important aspect of the secure execution of the code on the client host. We describe a cryptographic-steganographic approach to embedding authentication data within executable object files. Our approach simplifies management of the authentication data and requires no additional bandwidth to accommodate it. Initial experimental results show no runtime performance degradation for the execution of the protected program.
Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers
- 2010
As society rushes to digitize sensitive information and services, it is imperative to adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [8, 72, 104].
In this dissertation, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected of commodity systems. At a high level, we support this premise by developing techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. Rather than entrusting her data to the mountain of buggy code likely running on her computer, we construct an on-demand secure execution environment which can perform security-sensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, non-security-sensitive software retains the same abundance of features and performance it enjoys today.
Having established an environment for secure code execution on an individual computer, we then show how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to reexamine the design of network protocols and defenses, since we can now execute code on end hosts and trust the results within the network. Lastly, we extend the user’s trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a non-interactive, asymptotically optimal (with respect to CPU and bandwidth) manner.
Thus, extending a user’s trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers.
Dynamic Adaptability using Reflexivity for Mobile Agent Protection
The mobile agent paradigm provides a promising technology for the development of distributed and open applications. However, one of the main obstacles to widespread adoption of the mobile agent paradigm seems to be security. This paper treats the security of the mobile agent against malicious host attacks. It describes a generic mobile agent protection architecture. The proposed approach is based on dynamic adaptability and adopts reflexivity as its model of design and implementation. In order to protect the agent against behaviour analysis attempts, the suggested approach gives the mobile agent the flexibility to exhibit unexpected behaviour. Furthermore, some classical protective mechanisms are used to reinforce the level of security. Keywords: dynamic adaptability, malicious host, mobile agent security, reflexivity.
D.4.6 [Software]: Operating Systems—Security and Protection
Recent research demonstrates that malware can infect peripherals’ firmware in a typical x86 computer system, e.g., by exploiting vulnerabilities in the firmware itself or in the firmware update tools. Verifying the integrity of peripherals’ firmware is thus an important challenge. We propose software-only attestation protocols to verify the integrity of peripherals’ firmware, and show that they can detect all known software-based attacks. We implement our scheme using a Netgear GA620 network adapter in an x86 PC, and evaluate our system with known attacks.
CARMA: A Hardware Tamper-Resistant Isolated Execution Environment on Commodity x86 Platforms
Much effort has been spent to reduce the software Trusted Computing Base (TCB) of modern systems. However, the hardware TCB remains complex and untrustworthy. Components such as memory, peripherals, and system buses may become malicious via firmware compromise, a malicious manufacturer, a malicious supply chain, or local physical tampering. We seek to reduce the hardware TCB to a minimal set of hardware components that must be trusted. We describe the design and implementation of an isolated execution environment on commodity x86 platforms that only relies on the CPU, without needing to trust the memory, buses, peripherals, or any other system components.