Program Integrity Verification (PIV) - PowerPoint PPT Presentation
Transcript and Presenter's Notes


1
  • Program Integrity Verification (PIV)
  • in Wireless Sensor Networks (WSN)
  • Based on Park and Shin 2005
  • presented by Therese Paul

2
Outline
  • Introduction to WSN
  • Security issues with WSN
  • Introduce Program Integrity Verification (PIV)
  • Security Framework in PIV
  • PIV Architecture
  • Distributed Authentication of PIV in WSNs
  • Summary
  • Reference

3
Wireless Sensor Networks (WSN)
  • Consists of large numbers of small, minimal-capacity
    devices operating in demanding real-world
    environments
  • Typically covers a wide area, requiring thousands
    or even millions of sensors, each of which is
    capable of specific functions
  • Consists of Sensors, Data-collection Nodes and
    Control Nodes
  • For cost and size reasons, sensors are designed
    to minimize resource requirements
  • Each device has limited battery energy, memory,
    computation, and communication capacities

4
WSN Architecture
5
Applications of WSN
  • Environmental monitoring and habitat study
  • Military surveillance in battle fields
  • Condition based maintenance in factories
  • Infrastructure health monitoring in buildings
  • Precision agriculture, indoor climate control
  • Monitoring complex interactions, including
    wildlife habitats, disaster management, emergency
    response, asset tracking, healthcare, and
    manufacturing process flow

7
Security Issues in WSN
  • Physical attacks on sensor devices, e.g.,
    destroying, analyzing, and/or reprogramming
    sensors
  • Service disruption attacks on routing,
    localization, and time synchronization
  • Data attacks, e.g., Traffic capture, replaying,
    and spoofing
  • Resource-consumption and denial-of-service (DoS)
    attacks

8
Security Issues in the Sensor
  • Despite their critical role in their intended
    applications, sensor networks are vulnerable to
    various security attacks
  • A captured sensor may be
    • Reverse-engineered to figure out what the
      sensor's program is supposed to do
    • Modified with malicious code
    • Abused by the adversary
  • The adversary can deploy multiple copies of the
    manipulated sensor device in the network

9
Current Solutions
  • Make a sensor device tamperproof using
    • Code obfuscation - transform the executable code
      to make analysis/modification difficult
    • Result checking - examine the validity of
      intermediate results produced by the program
    • Self-decrypting programs - store the encrypted
      executables and decrypt them before execution
    • Self-checking - within programs, embed code for
      hash computation as well as correct hash values
      to be invoked to verify the integrity of the
      program under execution

10
Current Solution Issues
  • Code obfuscation - it becomes easier to tamper
    with the program code as the code size in low-cost
    sensor devices shrinks
  • Result checking / self-decryption - expensive to
    employ in resource-limited sensor devices because
    they continuously incur the overhead of
    verification or decryption, shortening the
    sensor's battery lifetime
  • The security of self-decrypting programs can be
    easily broken unless the decryption routines are
    protected from reverse-engineering
  • All these approaches are unsuitable for sensor
    networks, where a program runs on a slow,
    less-capable CPU in each sensor device

11
Is There a Better Solution?
  • Require each sensor to register itself with a
    dedicated server after verification of its
    program
  • Examine and verify the program in sensors as
    needed
  • Program Integrity Verification (PIV)
    • A protocol that verifies the integrity of the
      program residing in each sensor device when it
      • joins the network or
      • has experienced a long service blockage

12
What PIV Protocol Offers
  • Prevents manipulation/reverse-engineering/reprogramming
    of sensors
  • Does not degrade normal sensor functions, since
    PIV is triggered infrequently and relies on
    neither self-decryption nor result checking
  • Purely software-based (and, thus, can be used
    with or without tamper-resistant hardware)
  • Tailored to sensor devices with severe
    resource limitations (e.g., Motes with an 8-bit
    CPU and 4 KB RAM each)

13
PIV Security Framework
  • PIV consists of PIV Servers (PIVSs) that
    interact with PIV-compliant sensors to verify the
    programs in the sensors
  • Key management typically hinges on a cluster-based
    architecture, in which a cluster-head
    distributes/renews a cluster-specific key
    periodically or whenever a sensor within its
    cluster is found (via PIV) to have been
    compromised
  • Intrusion detection runs on each cluster-head,
    continuously monitors/probes network activities
    to detect malfunctioning devices and, upon
    finding a suspicious device, requests its
    re-verification

14
PIV Security Framework Overview
15
PIV Components
  • PIV Servers (PIVSs)
    • equipped with more computation and storage
      capacity than sensors
    • examine each sensor's program and check that it
      is the same as the original
    • maintain a local PIV_DB that stores the IDs of
      the sensors belonging to their own cluster
    • perform the PIV protocol on a sensor and
      cooperate with other PIVSs in the network to
      update/manage the PIV_DB

16
PIV Components Contd
  • PIV Code (PIVC)
    • a special-purpose mobile agent that is generated
      by a PIVS and executed on a sensor being verified
      to read/process the program
  • Authentication Server (AS)
    • acts as a trusted third party by which the sensor
      can make sure that the PIVS is authentic and,
      hence, that it is safe to execute the PIVC
    • maintains a list of all legitimate PIVSs in the
      network and updates the list whenever a PIVS is
      added or removed
    • authenticates a PIVS using either public-key
      cryptography or a secret authentication key
      shared with each sensor

17
PIV Interactions
  • The interactions among the AS, the PIVS, and the
    sensor during PIV consist of the following three
    tasks
    • Authentication of the PIVS via the AS
    • Transmission and execution of the PIVC
    • Program verification by the PIVS/PIVC

18
PIV Architecture Details
19
The Verification Protocol Between PIVS and Sensor
20
The Verification Steps
  • Step 1 - Initialize: This step starts the
    verification protocol between the PIVS and the
    sensor by exchanging their IDs. The sensor, after
    receiving the ID of the PIVS, asks an AS to
    authenticate the PIVS and, if the authentication
    fails, terminates the protocol
  • Step 2 - SendPIVC: The PIVS generates a PIVC and
    then sends it to the sensor. It also records the
    time when PIV starts
  • Step 3 - AckPIVC: The sensor sends an
    acknowledgment back to the PIVS
  • Step 4 - StartPIVC: The sensor executes the
    received PIVC

21
The Verification Procedure Contd
  • Step 5 - RequestVerification: The PIVC, running on
    the sensor, computes a hash value over the program
    and sends it back to the PIVS
  • Step 6 - NotifyVerification: The PIVS, if it
    received the hash result within a certain timeout
    period, examines the received hash value to check
    that the program has not been tampered with. If it
    passes the test, the PIVS registers the sensor in
    the PIV_DB. Then, the PIVS notifies the PIVC of
    the verification result
  • Step 7 - Activate/lock sensor: The PIVC, based on
    the verification result, either activates or
    locks the sensor. The sensor state is changed to
    either ACTIVATED or LOCKED, accordingly

22
Sensor Verification
  • A Randomized Hash Function (RHF)
    • Used for computing the hash over the program
    • For each sensor verification, the PIVS creates a
      new RHF and sends it to the sensor in the PIVC
  • The PIVS verifies the integrity of the program of
    each sensor device by comparing the hash value it
    computes, with the same RHF, from the original
    sensor program maintained in its local database
    with the hash value returned by the sensor after
    executing the PIVC
  • Only sensors that pass the verification are
    registered in the PIV_DB; the rest are deleted
    from the database and become unable to join the
    network
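A worked model of the exchange on slides 20 through 22, added here as an illustration; it is not code from Park and Shin or from the presentation. It assumes the randomized hash function is an HMAC under a fresh random key over the program's blocks visited in a random order, which stands in for the paper's RHF construction; the program image, the IDs, the timeout and the response times are constructed, and the list of trusted PIVS IDs held by the sensor stands in for the authentication server. It shows a genuine sensor being ACTIVATED, a tampered, a too-slow and a hash-replaying sensor being LOCKED, and a server the AS does not vouch for being refused at Step 1.

```python
"""Model of the PIV verification exchange between a PIVS and one sensor.

Added illustration, not code from Park and Shin or the presentation. The
randomized hash function (RHF) is an assumed construction: an HMAC under a
fresh random key over the program's blocks visited in a random order."""
import hashlib
import hmac
import os
import random

BLOCK_SIZE = 16                              # assumed RHF block granularity
REFERENCE_PROGRAM = bytes(range(256)) * 4    # constructed 1 KB program image


def make_rhf(program_len=len(REFERENCE_PROGRAM)):
    """PIVS side: build a fresh RHF for one verification run. A new key and a
    new block-visit order per run make a hash sniffed earlier useless later."""
    order = list(range(program_len // BLOCK_SIZE))
    random.SystemRandom().shuffle(order)
    return {"key": os.urandom(16), "order": order}


def rhf_hash(rhf, program):
    """Apply the RHF to a program image. On the sensor this is the PIVC's job;
    the PIVS applies the same RHF to the reference copy it keeps."""
    mac = hmac.new(rhf["key"], len(program).to_bytes(4, "big"), hashlib.sha256)
    for idx in rhf["order"]:
        mac.update(program[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE])
    return mac.digest()


class Sensor:
    def __init__(self, sensor_id, program, trusted_pivs, compute_time=0.05):
        self.id = sensor_id
        self.program = program              # what is really in the sensor's flash
        self.trusted_pivs = trusted_pivs    # stands in for the AS's list of PIVSs
        self.compute_time = compute_time    # simulated seconds to answer the PIVC
        self.state = "UNVERIFIED"

    def authenticate(self, pivs_id):
        """Step 1: ask the AS whether this PIVS is legitimate."""
        return pivs_id in self.trusted_pivs

    def run_pivc(self, pivc):
        """Steps 4-5: execute the PIVC and report the hash and the time taken."""
        return rhf_hash(pivc, self.program), self.compute_time


class ReplayingSensor(Sensor):
    """Compromised sensor that answers with a hash sniffed from an earlier
    session instead of hashing the (modified) program it now runs."""
    def __init__(self, sensor_id, trusted_pivs, sniffed_hash):
        super().__init__(sensor_id, b"\x00" * len(REFERENCE_PROGRAM), trusted_pivs)
        self.sniffed_hash = sniffed_hash

    def run_pivc(self, pivc):
        return self.sniffed_hash, self.compute_time


class PIVServer:
    def __init__(self, pivs_id, timeout=1.0):
        self.id = pivs_id
        self.timeout = timeout
        self.piv_db = set()                 # IDs of sensors that passed verification

    def verify(self, sensor):
        """Steps 1-7 of the protocol as seen from the PIVS."""
        if not sensor.authenticate(self.id):          # Step 1: Initialize
            return "ABORTED"                          # sensor terminates the protocol
        pivc = make_rhf()                             # Step 2: SendPIVC, fresh RHF
        expected = rhf_hash(pivc, REFERENCE_PROGRAM)
        reported, elapsed = sensor.run_pivc(pivc)     # Steps 3-5
        passed = (elapsed <= self.timeout             # Step 6: NotifyVerification
                  and hmac.compare_digest(reported, expected))
        if passed:
            self.piv_db.add(sensor.id)
        else:
            self.piv_db.discard(sensor.id)            # failed sensors leave PIV_DB
        sensor.state = "ACTIVATED" if passed else "LOCKED"   # Step 7
        return sensor.state


def demo():
    """Run the cases the slides discuss; returns the outcomes and PIV_DB."""
    trusted = {"PIVS-1"}
    pivs = PIVServer("PIVS-1", timeout=1.0)
    rogue = PIVServer("PIVS-X")                       # not on the AS's list
    good = Sensor("S1", REFERENCE_PROGRAM, trusted)
    patched = REFERENCE_PROGRAM[:500] + b"\x90" + REFERENCE_PROGRAM[501:]
    tampered = Sensor("S2", patched, trusted)          # one-byte modification
    slow = Sensor("S3", REFERENCE_PROGRAM, trusted, compute_time=3.0)
    old_hash = rhf_hash(make_rhf(), REFERENCE_PROGRAM)  # sniffed from a past session
    replayer = ReplayingSensor("S4", trusted, old_hash)
    outcomes = {
        "genuine": pivs.verify(good),
        "tampered": pivs.verify(tampered),
        "too_slow": pivs.verify(slow),
        "replayed_hash": pivs.verify(replayer),
        "rogue_server": rogue.verify(good),
    }
    return outcomes, sorted(pivs.piv_db)
```

Call `demo()` to run all five cases; only S1 ends up in PIV_DB. The slow sensor models the case the timeout is there for: a device that has to fetch or reconstruct the genuine image (or compute over a hidden copy) cannot answer as fast as one that simply hashes its own flash, and the per-run key and block order stop a sensor from precomputing or replaying an answer.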

23
State Diagram of a Sensor
24
Is PIV Really Secure?
  • Sensor security
    • How to protect the sensor from a malicious
      server/code disguised as a PIVS/PIVC?
    • Sensor security is achieved by using the
      authentication server (AS)
  • Code security
    • How to protect the PIVC from a malicious sensor?
    • Code security is achieved by verifying the PIVC
      using the Randomized Hash Function (RHF)

25
Suggested Improvements to PIV
  • Provide distributed authentication of PIV
    • Eliminates the requirement for a centralized
      authentication server and makes PIV a fully
      distributed protocol
    • Avoids a bottleneck for reliability, security,
      and communication
    • Is consistent with the distributed structure of
      sensor networks
  • Solution: DAPP

26
Distributed Authentication Protocol of PIVSs
(DAPP)
  • Used by sensors to securely communicate with
    PIVSs without a dedicated and trusted
    Authentication Server (AS)
  • DAPP enables sensors to validate a PIVS before
    using it for their verification
  • Lets sensors and PIVSs establish a pair-wise key,
    and lets PIVSs authenticate one another
  • Provides a protocol for PIVSs to cooperatively
    detect and revoke malicious PIVSs in the network
  • DAPP reduces the sensors' communication traffic
    in the network by more than 90% and the energy
    consumption on each sensor by up to 85%, as
    compared to the case of using a centralized AS
    for authenticating PIVSs

27
DAPP Overview
28
Summary
  • PIV offers
    • Prevention of manipulation, reverse-engineering,
      and reprogramming of sensors
    • Purely software-based protection, with or without
      tamper-resistant hardware
    • Infrequent triggering of the verification
  • PIV protocol security analysis shows that PIV
    effectively defeats possible attacks such as replay
    attacks, and the only plausible attack requires
    modification of sensor hardware
  • Performance analysis/evaluation demonstrated that
    the communication and processing overheads are
    very small
  • The hash computation algorithm has a small time
    overhead

29
Reference
  • T. Park and K. G. Shin, "Soft Tamper-Proofing via
    Program Integrity Verification in Wireless Sensor
    Networks," IEEE Transactions on Mobile Computing,
    vol. 4, no. 3, May/June 2005.
  • K. Chang and K. G. Shin, "Distributed Authentication
    of Program Integrity Verification in Wireless Sensor
    Networks," Proceedings of the 2nd International
    Conference on Security and Privacy in Communication
    Networks (SecureComm), Baltimore, MD, 2006.
  • C. Karlof and D. Wagner, "Secure Routing in Wireless
    Sensor Networks: Attacks and Countermeasures,"
    University of California at Berkeley, Berkeley, CA
    94720, USA.
  • F. L. Lewis, "Wireless Sensor Networks," in Smart
    Environments: Technologies, Protocols, and
    Applications, D. J. Cook and S. K. Das, eds., John
    Wiley, New York, 2004.

30
Questions??