
- to be on the safe side -


Secure Routing in Multi-hop Wireless Networks


Levente Buttyán
Budapest University of Technology and Economics
Laboratory of Cryptography and Systems Security (CrySyS)
www.crysys.hu

Workshop on Security of Autonomous and Spontaneous Networks
13-14 October, 2008, Loctudy, France

Outline

routing protocols for ad hoc wireless networks
attacker model
securing the control plane
  model
  on-demand route discovery
  proactive topology discovery
securing the data plane
  acknowledgement schemes
  neighbor and traffic monitoring
conclusions

Laboratory of Cryptography and System Security

--- to be on the safe side

Routing protocols for ad hoc wireless networks


routing is a fundamental function in packet networks
  responsible for transferring packets through the network from their source to their destination
routers do two things:
  acquire and maintain routing information (routing tables) (control plane)
  forward data packets (data plane)
types of routing protocols for ad hoc wireless networks
  topology based routing
    proactive
      distance vector (e.g., DSDV)
      link state (e.g., OLSR)
    reactive (on-demand)
      distance vector (e.g., AODV)
      source routing (e.g., DSR)
  position based routing
    based on real geographic positions (e.g., GPSR)
    based on virtual positions (e.g., BVR)


Proactive dissemination of routing information


principle
  routers try to maintain up-to-date routing information to all potential destinations
  for this reason, routers exchange routing control messages on a regular basis (to handle possible changes in the network topology)
content of routing control messages
  routing tables with next hop and routing metric value for destinations
    neighboring routers exchange their routing tables with each other
    based on the received tables, each router updates its own table
    after some convergence period, each table contains correct metrics
  link-state updates (list of neighbors and link metrics)
    every link-state update message is flooded in the network
    all nodes learn the topology of the entire network
    routing tables are then computed locally
pros and cons:
  + (nearly) up-to-date routing information is available immediately, data packets can be transferred with no delay
  - large overhead when many of the potential destinations are actually not used

On-demand route discovery


principle
  routers maintain routing information only for those destinations that are actually used
  if a data packet is intended for a new destination, routers acquire fresh routing information for that destination (route discovery)
general route discovery process
  a request message is generated by the source, and flooded in the network; and a response is returned by the destination
  request and response messages accumulate routing information (source routing) or set up routing table entries in intermediate routers (table driven routing) on their way
pros and cons
  - transfer of first data packet to a new destination is delayed
  + low overhead when only a few destinations are actually used


Routing information in position based routing


principles
  each router needs to determine only its own position and the positions of its neighbors
  in case of real geographical positions, they can be obtained from GPS or by other positioning techniques
  in case of virtual positions, special protocols are needed
pros and cons
  + scalable
    only local information is collected by each router
    routers do not store any information per destination
  - special positioning techniques or hardware are needed


Packet forwarding
topology based routing
  routing table driven
    next hop router toward the destination of a data packet is defined by the routing table
  source routing
    the header of each data packet contains the entire route that the packet should follow
position based routing
  next hop is determined by the positions of the destination, the forwarding router, and its neighbors


Objective and target of attacks on routing


general objectives
  increase adversarial control over the communications between some nodes;
  degrade the quality of the service provided by the network (including disruption of communications);
  increase the resource consumption of some nodes (e.g., CPU, memory, or energy)
target of attacks
  control plane
    effects have larger scope (e.g., entire parts of the network may become disconnected or use suboptimal routes)
  data plane
    effects have limited scope (e.g., a few communicating source-destination pairs)


Amount of attacker control


external attacker
  no control over any of the legitimate routers
  can interfere with protocols by exploiting the properties of the wireless channels (eavesdropping, jamming, replay of messages)
internal attacker
  capabilities of an external attacker + full control over some (corrupted) routers
    access to cryptographic secrets of corrupted routers (sending authentic messages)
    re-programming of the behavior of corrupted routers (arbitrary deviations)
  rationale: in most of the applications, the network is unattended and routers are not tamper resistant, so they can be physically attacked and compromised
  examples:
    sensor networks deployed over a large geographical area for monitoring wildlife
    routers embedded in vehicles
    mesh routers deployed in publicly accessible areas


Examples for attacks


external attacks
  on the control plane:
    injection of fake routing control messages
    replay of old control messages
    deletion (by jamming) of control messages
    result in dissemination of incorrect routing information, or prevent dissemination of routing information
  on the data plane:
    deletion (by jamming) of data packets
    reordering (by jamming and replay) of data packets
    insertion of fake or modified data packets
internal attacks
  on the control plane:
    any deviations from the routing protocol (including sending incorrect routing information in an authentic manner)
  on the data plane:
    dropping, modifying, misrouting data packets


Some observations
most of the external attacks can be thwarted by using cryptographic protection of routing control messages and data packets
  an exception is jamming
    physical layer countermeasures (e.g., spread spectrum)
    detection of and re-routing around jammed areas
internal attacks are more difficult to cope with
  cryptography alone will not help
  problem is very much similar to designing distributed algorithms in the Byzantine fault model
    corrupted routers can be modeled as Byzantine faulty nodes


Outline

routing protocols for ad hoc wireless networks
attacker model
securing the control plane
  model
  on-demand route discovery
  proactive topology discovery
securing the data plane
  acknowledgement schemes
  neighbor and traffic monitoring
conclusions


High-level requirements for the control plane


in general, attacks against the control plane aim at disseminating incorrect routing information or preventing the dissemination of routing information in the first place
correctness (safety):
  non-corrupted routers never get into an incorrect routing state
effectiveness (liveness):
  if a non-corrupted path exists between two non-corrupted routers, A and B, then eventually, the system gets into a state where A can potentially communicate with B
both definitions need some refinement
  characteristics of the given type of routing
  tolerable imperfections


Network model
an ad hoc network is represented by a graph G(V, E)
  V: vertices are routers (non-corrupted and corrupted)
  E: edges represent communication links (radio or wormhole)
V* ⊆ V is the set of corrupted routers
L is a labeling function that assigns IDs to routers with the following properties:
  each ID is either compromised or uncompromised
  each non-corrupted router has a unique, uncompromised ID
  each corrupted router is labeled with all the compromised IDs
  each router can send messages under any of the assigned IDs
a configuration is a triplet: (G, V*, L)

[figure: example configuration with router labels {A}, {B}, {C}, {D}, {E}, {F}, {G}, {H} and three routers labeled {X,Y}]



Model of computation
[figure: processes M1, ..., Mn and A1, ..., Am, each with an incoming buffer (in) and an outgoing buffer (out), connected through process C]

Mi's are processes that represent non-corrupted routers
Aj's are processes that represent corrupted routers
C is a process that represents the communication links between the routers
processes communicate through buffers
computation is performed in rounds
  Mi's and Aj's read all messages from their incoming buffers, perform state transitions, and write messages in their outgoing buffers
  C reads all messages from the outgoing buffers of the routers and copies those messages to the appropriate incoming buffers
    broadcast communication is modeled by copying the message of a given router into the incoming buffers of all its neighbors


Model of computation (cont'd)

input:
  each router process knows its own ID(s) and the IDs of its neighboring routers
  process C knows the network graph G
computation:
  each process Mi executes a program determined by the routing protocol
  each process Aj executes an arbitrary program
    cryptographic primitives cannot be broken
    sends messages that are feasible to compute under any of the compromised identifiers
output:
  internal state of the non-corrupted processes when the computation terminates
  conditions for termination depend on the type of the protocol

Security of on-demand source routing


assume that A and B are two non-corrupted routers, and A initiates a route discovery towards B
  computation terminates when this route discovery is completed (A receives a route (or a set of routes) or times out)
correctness:
  only plausible routes are accepted by A (in every possible configuration)
effectiveness:
  if a non-corrupted path exists between A and B, then A will accept a route (in every possible configuration)
the notion of plausible route captures the following unavoidable misbehaviors (tolerable imperfections)
  neighboring corrupted routers can freely communicate with each other in a proprietary way, so logically they form one entity
  a corrupted router can pretend to be as many routers as it has compromised IDs


Definition of plausible routes


reduced configuration: (G(V, E), V*, L)
  neighboring adversarial nodes are joined
a route is plausible in a given configuration if
  it doesn't contain repeating IDs and
  it can be partitioned in a way that each partition P can be associated with a node v in G such that
    P ⊆ L(v), and
    neighboring partitions are associated with neighboring nodes in G

[figure: an example configuration (routers labeled {A} to {H}, corrupted routers labeled {X,Y}) and the corresponding reduced configuration]

example: route AXYGC is partitioned as A|XY|G|C
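
The plausibility test defined above, as an added example (not part of the original slides). The graph, the router names m1 and m2 and the function names are constructed for illustration; non-corrupted routers are named after their own ID.

```python
from itertools import groupby


def reduce_configuration(adj, corrupted):
    """Join every cluster of adjacent corrupted routers into one node.

    Returns (rep, radj): rep maps each router to its node in the reduced
    graph, radj is the adjacency of the reduced graph.
    """
    rep = {}
    for v in adj:
        if v in rep:
            continue
        cluster, stack = {v}, [v]
        while v in corrupted and stack:       # flood-fill corrupted neighbors
            u = stack.pop()
            for w in adj[u]:
                if w in corrupted and w not in cluster:
                    cluster.add(w)
                    stack.append(w)
        name = "+".join(sorted(cluster))
        for u in cluster:
            rep[u] = name
    radj = {name: set() for name in rep.values()}
    for u, nbrs in adj.items():
        for w in nbrs:
            if rep[u] != rep[w]:
                radj[rep[u]].add(rep[w])
    return rep, radj


def is_plausible(route, adj, corrupted, router_id, compromised_ids):
    """router_id maps each non-corrupted router to its unique ID."""
    if not route or len(set(route)) != len(route):
        return False                          # empty route or repeating IDs
    rep, radj = reduce_configuration(adj, corrupted)
    owner = {i: rep[v] for v, i in router_id.items()}
    bad_nodes = {rep[v] for v in corrupted}   # each carries all compromised IDs
    # The partitioning is forced: an uncompromised ID stands alone (its router
    # has no other ID), and a run of compromised IDs cannot be split because
    # corrupted nodes are never adjacent in the reduced graph.
    feasible = None                           # nodes the previous partition may map to
    for compromised, run in groupby(route, key=lambda i: i in compromised_ids):
        run = list(run)
        for part in ([run] if compromised else [[i] for i in run]):
            if compromised:
                cands = bad_nodes
            elif part[0] in owner:
                cands = {owner[part[0]]}
            else:
                return False                  # ID not assigned to any router
            if feasible is not None:          # neighboring partitions, neighboring nodes
                cands = {v for v in cands if radj[v] & feasible}
            if not cands:
                return False
            feasible = cands
    return True


# Constructed configuration: m1 and m2 are adjacent corrupted routers.
ADJ = {"A": {"B", "m1"}, "B": {"A", "C"}, "C": {"B", "G"},
       "G": {"C", "m2"}, "m1": {"A", "m2"}, "m2": {"m1", "G"}}
CORRUPTED = {"m1", "m2"}
ROUTER_ID = {r: r for r in ("A", "B", "C", "G")}
COMPROMISED = {"X", "Y"}
```

With this graph, A|XY|G|C is plausible because the joined node m1+m2 neighbors both A and G, while A, X, C is not, since no corrupted node neighbors C.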

Example: Ariadne protocol*


[figure: example network; node labels D, B, G, E, H, F]

A:      hA = macAH( RREQ | A | H | id )
A → * : [ RREQ, A, H, id, hA, (), () ]
E:      hE = H( E | hA )
E → * : [ RREQ, A, H, id, hE, (E), (sigE) ]
F:      hF = H( F | hE )
F → * : [ RREQ, A, H, id, hF, (E, F), (sigE, sigF) ]
H → A : [ RREP, H, A, (E, F), (sigE, sigF), sigH ]

* Y-C. Hu, A. Perrig, D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. Wireless Networks, 11(1-2), 2005

Example: Incorrectness of Ariadne


[figure: example network; node labels B, C]

A:      hA = H( A | ... )
A → * : [ RREQ, S, T, id, hA, (..., A), (..., sigA) ]
B:      hB = H( B | hA )
B → * : [ RREQ, S, T, id, hB, (..., A, B), (..., sigA, sigB) ]
C:      hC = H( C | hB )
C → * : [ RREQ, S, T, id, hC, (..., A, B, C), (..., sigA, sigB, sigC) ]
X:      hB = H( B | hA ), hX = H( X | hB )
X → * : [ RREQ, S, T, id, hX, (..., A, B, X), (..., sigA, sigB, sigX) ]
T → S : [ RREP, T, S, (..., A, B, X, ...), (..., sigA, sigB, sigX, ...), sigT ]

Example: endairA protocol*


[figure: example network; node labels D, B, G, E, H, F]

target verifies:
  there's no repeating ID in the node list
  last node in the node list is a neighbor
each intermediate node verifies:
  its own ID is in the node list
  there's no repeating ID in the node list
  next and previous nodes in the node list are neighbors
  all signatures are valid
source verifies:
  there's no repeating ID in the node list
  first node in the node list is a neighbor
  all signatures are valid

A → * : [ RREQ, A, H, id, () ]
E → * : [ RREQ, A, H, id, (E) ]
F → * : [ RREQ, A, H, id, (E, F) ]

H → F : [ RREP, A, H, id, (E, F), (sigH) ]
F → E : [ RREP, A, H, id, (E, F), (sigH, sigF) ]
E → A : [ RREP, A, H, id, (E, F), (sigH, sigF, sigE) ]

* G. Acs, L. Buttyan, I. Vajda. Provably secure on-demand source routing in ad hoc networks. IEEE Trans. on Mobile Computing, 5(11), 2006.
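
The three sets of checks listed on this slide, as an added example (not the authors' code). Assumptions: HMAC with per-router keys stands in for digital signatures, each signature covers the fixed fields, the node list and all earlier signatures, and the topology A - E - F - H with X attached to A is constructed.

```python
import hashlib
import hmac

# Constructed test data. HMAC with per-router keys stands in for the digital
# signatures; a real deployment would verify with public keys instead.
KEYS = {n: ("secret-" + n).encode() for n in "AEFHX"}
# Constructed topology: A - E - F - H in a line, X attached to A only.
NEIGHBORS = {"A": {"E", "X"}, "E": {"A", "F"}, "F": {"E", "H"},
             "H": {"F"}, "X": {"A"}}


def sign(node, data):
    return hmac.new(KEYS[node], data, hashlib.sha256).digest()


def signed_data(src, dst, rid, nodes, prev_sigs):
    # Assumption: each signature covers the fixed fields, the node list and
    # all signatures already present in the reply.
    return repr(("RREP", src, dst, rid, tuple(nodes))).encode() + b"".join(prev_sigs)


def signatures_valid(src, dst, rid, nodes, sigs):
    signers = [dst] + list(reversed(nodes))   # order in which sigs are appended
    if len(sigs) > len(signers):
        return False
    for k, sig in enumerate(sigs):
        if signers[k] not in KEYS:
            return False
        expected = sign(signers[k], signed_data(src, dst, rid, nodes, sigs[:k]))
        if not hmac.compare_digest(sig, expected):
            return False
    return True


def target_accepts(src, dst, nodes):
    last = nodes[-1] if nodes else src
    return len(set(nodes)) == len(nodes) and last in NEIGHBORS[dst]


def intermediate_accepts(me, src, dst, rid, nodes, sigs):
    if me not in nodes or len(set(nodes)) != len(nodes):
        return False
    i = nodes.index(me)
    path = [src] + list(nodes) + [dst]        # me sits at path[i + 1]
    if path[i] not in NEIGHBORS[me] or path[i + 2] not in NEIGHBORS[me]:
        return False
    # So far the target and every node after me must have signed.
    return len(sigs) == len(nodes) - i and signatures_valid(src, dst, rid, nodes, sigs)


def source_accepts(src, dst, rid, nodes, sigs):
    first = nodes[0] if nodes else dst
    return (len(set(nodes)) == len(nodes) and first in NEIGHBORS[src]
            and len(sigs) == len(nodes) + 1
            and signatures_valid(src, dst, rid, nodes, sigs))


def relay_reply(src, dst, rid, nodes):
    """Carry the RREP back hop by hop; None if any honest router rejects it."""
    if not target_accepts(src, dst, nodes):
        return None
    sigs = [sign(dst, signed_data(src, dst, rid, nodes, []))]
    for me in reversed(nodes):
        if not intermediate_accepts(me, src, dst, rid, nodes, sigs):
            return None
        sigs.append(sign(me, signed_data(src, dst, rid, nodes, sigs)))
    return sigs
```

Because every signature covers the whole node list, removing or replacing an ID after the target has signed invalidates the reply at the next honest verifier.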

Example: Correctness of endairA


Proposition: endairA is correct if there's at most one corrupted router in the network.
Proof sketch:
  assume that a non-corrupted router A accepts a route R = (N1, ..., Nr) and R is non-plausible
  in the reduced configuration adversarial nodes are non-adjacent
  each sequence of non-repeating IDs has a unique partitioning
    non-compromised IDs form distinct partitions
    consecutive compromised IDs form a single partition
  case 1: Pj={Ni} and Pj+1={Ni+1} are non-corrupted partitions and the nodes v and v' that belong to Ni and Ni+1 are not adjacent in G
    v' would detect that the previous ID in the list doesn't belong to a neighbor
  case 2: Pj={Ni}, Pj+1={Ni+1, ..., Ni+k}, Pj+2={Ni+k+1} are two non-corrupted and a corrupted partition, and either the node v that belongs to Ni or the one v' that belongs to Ni+k+1 is not a neighbor of the single corrupted node v*
    a) v would detect that the next ID in the list doesn't belong to a neighbor
    b) v' would detect that the previous ID in the list doesn't belong to a neighbor

Research problem 1
the proof does not work for more than one corrupted node
  corrupted routers can pass information to each other even if they are not neighbors
    covert channels (e.g., route request is flooded in the network)
    tunneling routing control messages within data packets
Is it impossible to ensure correctness in general?
Is there a meaningful model where correctness can still be guaranteed?


How about effectiveness?


this requirement has been largely ignored in the literature
  most of the proposed protocols do not guarantee effectiveness due to the duplicate suppression mechanism used to control flooding
example:
  [figure: example network; visible node labels B, G, E, H, F; a "drop" mark]
  if E is corrupted, then it can drop all route replies
  no route from A to F will be discovered, although there is a non-corrupted route A, D, G, F
a rushing attack can make things even worse

Proposed countermeasures against rushing attacks


sending route reply to more than one request may help, but will not guarantee effectiveness
randomization of route request forwarding
  do not rebroadcast route request immediately
  wait for more incoming requests, and select one randomly to re-broadcast
  parameters:
    number of route requests collected
    probability distribution of selection
    time-outs

Y-C. Hu, A. Perrig, D. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. ACM WiSe, 2003.

Research problem 2
How to measure the performance of this approach?
How to tune the parameters?
Are there other ways to address the problem of effectiveness?


Security of on-demand distance vector routing


framework is very similar to that of source routing
  output of route discovery is not a set of explicit routes but a set of routing table entries established within the routers
assume that A and B are two non-corrupted routers, and A initiates a route discovery towards B
  computation terminates when this route discovery is completed (A receives a route reply or times out)
correctness:
  non-corrupted routers in the network create only plausible routing entries (in every possible configuration)
effectiveness:
  if a non-corrupted path exists between A and B, then A will receive a route reply from B that traversed a route from B to A (in every possible configuration)

Definition of plausibility
first attempt:
  a routing entry (dst: D, nxt: N, metric: x) of a router v is plausible if
    there's a neighbor v' of v that uses the ID N
    there's a path from v' to the node v'' that uses ID D such that this path does not contain v
    the length of this path is x-1
problems:
  a sequence of corrupted routers may appear to be a single router
    perceived metric value of a path may be smaller than the real value
  a single corrupted router may emulate a cascade of routers (length is the number of compromised identifiers)
    perceived metric value of a path may be larger than the real value
  consequently, any metric computation is inherently unreliable, even if protected (e.g., using hash chains)

Definition of plausibility (cont'd)

second attempt:
  a routing entry (dst: D, nxt: N, metric: x) of a router v is plausible if
    there's a neighbor v' of v that uses the ID N
    there's a path from v' to the node v'' that uses ID D such that this path does not contain v
problem:
  [figure: routers F, B, H, D, C with routing entries (H, F, 3), (H, C, 3), (H, B, 4), (H, D, 4)]


Research problem 3
What would be a meaningful definition of correctness for on-demand distance vector routing?
Is it possible to design protocols that satisfy that definition?


Security of proactive topology discovery


reminder of principles
  each node proactively floods its (believed) neighbor list in the network
  based on the received neighbor lists, each node tries to re-construct the topology of the entire network
  routing tables are computed locally from the reconstructed network topology
duplicate use of a compromised ID can be easily detected (two different neighbor lists are flooded under the same ID)
  we may assume that each corrupted node uses a single ID
correctness:
  each non-corrupted router A computes a plausible topology
effectiveness:
  if a non-corrupted path exists between two non-corrupted routers, A and B, then the topology that they compute contains at least one non-corrupted path between them


Definition of plausible topology


intuition:
  a plausible topology should not contain non-existent links (edges)
tolerable imperfections:
  assume that A announces a link (A, B), while B does not announce this link
    no way to decide which one of them is corrupted
    as A may be corrupted and B may be non-corrupted, a non-corrupted node should exclude link (A, B) from the topology
    but it may be also the case that A is non-corrupted and B is corrupted
    plausible topology can only be a subgraph of the real graph
  assume that two corrupted routers A and B both announce a non-existent link (A, B)
    link (A, B) should be included in the reconstructed topology
    we cannot require that a plausible topology is a subgraph of the real graph


An approach to solve the contradiction


we define a plausible topology as a subgraph of the real network topology
correctness may be achieved by requiring non-corrupted nodes to detect non-existent links in the reconstructed topology
  problem is similar to that of centralized wormhole detection*
  first topology is reconstructed from local neighborhood information, and then inconsistencies (distortions) are identified in the reconstructed topology
  example:
    length distribution of the shortest paths between all pairs of nodes can be estimated if the size of the deployment area, the node density and the power range of the nodes are known
    (non-existent) links between remote nodes create shortcuts and distort the distribution
    this distortion may be detected by statistical hypothesis tests

* L. Buttyan, L. Dora, I. Vajda. Statistical wormhole detection in sensor networks. ESAS 2005

Research problem 4
How to reliably identify virtual links in the topology?
  false negative:
    virtual link is not detected
    routers may select routes that contain a virtual link
  false positive:
    a real link may be removed from the topology
    assumption that any two non-corrupted routers are connected through a non-corrupted path may become invalid
    effectiveness may not be achieved


How about effectiveness?


assume that each router floods the network with a digitally signed neighbor list
  signature ensures that the neighbor list cannot be changed
  assuming that there is a non-corrupted path between each pair of non-corrupted routers, each non-corrupted router will receive the intact neighbor list of all other non-corrupted routers
consider two non-corrupted routers, A and B, and assume that there is a non-corrupted path between them
  the links of this path will be announced by each non-corrupted router of the path
  as explained above, A and B will get all these announcements
  the topology constructed by A and B will contain this path
effectiveness follows from the above arguments



Outline

routing protocols for ad hoc wireless networks
attacker model
securing the control plane
  requirements
  on-demand route discovery
  proactive topology discovery
securing the data plane
  acknowledgement schemes
  neighbor and traffic monitoring
conclusions


Securing the data plane


we want to detect corrupted routers that drop, modify, or misroute data packets
once detected, we may also want to react to misbehavior
  exclude the corrupted routers from the network
  exclude only the links on which misbehavior is detected
    the rationale is that in practice the router may not be malicious; it may be the case that only one of its interfaces is faulty
approaches for detection
  acknowledgement schemes
  neighbor and traffic monitoring


Example: Detection of faulty links in ODSBR


ODSBR* (On-Demand Source routing with Byzantine Robustness) uses an adaptive acknowledgement scheme
  consider two (non-corrupted) nodes, S and T, using a route R (source routing, so S knows R)
  T is required to acknowledge every packet received
  when the packet loss ratio exceeds a threshold, S specifies probe nodes on the route that should also return acks for subsequent packets
  the selection of probe nodes implements a binary search on the route that results in the identification of the faulty link
  either end of the link may be corrupted

[figure: route from S to T through a corrupted router; S asks probe nodes "send acks, please"; caption: one of these links is detected faulty]

* Awerbuch et al. ODSBR: An On-Demand Secure Routing Protocol Resilient to Byzantine Failures, ACM WiSe 2002.
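
The binary search over probe nodes described on this slide, as an added example (not ODSBR's own code). It is simplified to one probe per round; the route, the loss model in make_loss_oracle and all function names are constructed for illustration.

```python
def make_loss_oracle(corrupt, acks_when_probed, drop_every=2, packets=100):
    """Constructed channel model.

    Returns lost(i): the fraction of `packets` for which S receives no ack
    from the router at route index i. The router at index `corrupt` drops
    every `drop_every`-th packet it forwards; when it is itself a probe it
    either acks honestly or stays silent (the adversary's choice).
    """
    def lost(i):
        if i < corrupt:
            return 0.0                       # traffic never reaches the corrupted router
        if i == corrupt:
            return 0.0 if acks_when_probed else 1.0
        dropped = sum(1 for seq in range(packets) if seq % drop_every == 0)
        return dropped / packets
    return lost


def locate_faulty_link(route, lost, threshold=0.1):
    """Binary search for the link where acks stop coming back.

    Invariant: acks from route[lo] arrive (S itself is index 0), acks from
    route[hi] are missing above the threshold. Returns (link, rounds), or
    (None, 0) when the end-to-end loss ratio is within the threshold.
    """
    lo, hi = 0, len(route) - 1
    if lost(hi) <= threshold:
        return None, 0
    rounds = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2                 # next probe node
        rounds += 1
        if lost(mid) > threshold:
            hi = mid
        else:
            lo = mid
    return (route[lo], route[hi]), rounds


# Constructed route with the corrupted router R4 at index 4.
ROUTE = ["S", "R1", "R2", "R3", "R4", "R5", "R6", "T"]
```

Depending on whether R4 answers probes, the search ends on (R4, R5) or on (R3, R4): the corrupted router is always one end of the reported link, but S cannot tell which end.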

Research problem 5
detection of faulty link requires a long time
  if first router on the path is corrupted, then each round of the detection algorithm requires ~2nD time, where
    n is the number of hops on the route
    D is an upper bound on the delay on a link
  and there are log(n) rounds
Herzberg and Kutten* proposed faulty router detection algorithms that need only O(n + fD) time, where
  f is the number of corrupted routers on the path
  is the average delay on a non-faulty link
Is there a way to combine the adaptive approach with the early detection approach?

* A. Herzberg, S. Kutten. Early detection of message forwarding faults. SIAM Journal of Computing, 30(4), 2000

Example: Watchdog and Pathrater*


the Watchdog mechanism is responsible for monitoring neighbors and detecting misbehaving routers
Pathrater is used to select routes that avoid misbehaving routers
operating principle of Watchdog:
  routers listen in promiscuous mode
  if a router A does not overhear the transmission of a packet by the next hop router B, then A suspects B for misbehaving
assumptions:
  omni-directional antennae
  use of a single channel
  no power control
other problems:
  when B transmits to C, A may receive something from another node
    collision at A
    A will falsely suspect B
  B's transmission may be received by A but not by C
    B may skip retransmission
    A will falsely believe that the packet has been forwarded
  monitoring nodes may misbehave too
    B drops the packet, but A may not report this

* S. Marti et al. Mitigating routing misbehavior in mobile ad hoc networks. ACM Mobicom, 2000.

Example: WATCHERS*
detection of routers that drop or misroute packets
based on the conservation of flow principle
  (amount of data going into A - amount of data destined to A) must be equal to (amount of data coming out from A - amount of data originating from A)
implemented by counters maintained by neighboring routers and disseminated in the network
  [figure: link between routers X and Y with counters TXY, SXY, DXY]
diagnosis procedure
  snapshot of counter values is flooded in the network
  each router verifies its neighbors
    validation: neighbor's counters must match the counters of its neighbors
    conservation of flow: difference between neighbor's incoming traffic flow and its outgoing traffic flow must be below a threshold

* K. Bradley et al. Detecting disruptive routers: A distributed monitoring approach. IEEE Symp. on Security and Privacy (Oakland), 1998.
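
The two diagnosis steps (validation, then conservation of flow), as an added example (not the WATCHERS implementation). Assumed counter semantics for a directed link u→v: S counts packets originated by u, D counts packets destined to v, T counts all other (transit) packets; the traffic figures and function names are constructed.

```python
def link_counters(t=0, s=0, d=0):
    return {"T": t, "S": s, "D": d}


def validate(snapshots, a, neighbors):
    """Links on which A's reported counters differ from the neighbor's copy."""
    return [link
            for n in sorted(neighbors)
            for link in ((n, a), (a, n))
            if snapshots[a][link] != snapshots[n][link]]


def flow_imbalance(snapshots, a, neighbors):
    """Packets A should have forwarded minus packets A did forward.

    Uses the neighbors' copies of the counters, not A's own claims.
    """
    inflow = sum(snapshots[n][(n, a)]["T"] + snapshots[n][(n, a)]["S"]
                 for n in neighbors)          # entered A, not destined to A
    outflow = sum(snapshots[n][(a, n)]["T"] + snapshots[n][(a, n)]["D"]
                  for n in neighbors)         # left A, not originated by A
    return inflow - outflow


def diagnose(snapshots, a, neighbors, threshold):
    mismatched = validate(snapshots, a, neighbors)
    if mismatched:
        return ("counter mismatch", mismatched)
    diff = flow_imbalance(snapshots, a, neighbors)
    if abs(diff) > threshold:
        return ("flow violation", diff)
    return ("ok", diff)


def build_snapshots(forwarded_to_y, claimed_by_a):
    """Constructed scenario on the chain X - A - Y.

    X originates 100 packets for Y, Y originates 40 packets for X, all via A.
    A actually forwards `forwarded_to_y` packets to Y (Y's copy of the
    counter) and reports `claimed_by_a` in its own snapshot.
    """
    x_a, y_a, a_x = link_counters(s=100), link_counters(s=40), link_counters(d=40)
    return {
        "X": {("X", "A"): x_a, ("A", "X"): a_x},
        "Y": {("Y", "A"): y_a, ("A", "Y"): link_counters(d=forwarded_to_y)},
        "A": {("X", "A"): x_a, ("A", "X"): a_x, ("Y", "A"): y_a,
              ("A", "Y"): link_counters(d=claimed_by_a)},
    }
```

A router that drops 30 packets is caught either way: reporting honest counters fails the conservation-of-flow test, and inflating its own counter fails validation against Y's copy.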

Research problem 6
How to make this approach effective in practice?
  how about reordering and modification of data packets?
  how about legitimate dropping of packets (TTL, congestion, ...)?
  how to determine threshold values used in the detection algorithm?

J. Hughes, T. Aura, M. Bishop. Using Conservation of Flow as a Security Mechanism in Network Protocols. IEEE Symp. on Security and Privacy (Oakland), 2000.
A. Mizrak et al. Detecting and Isolating Malicious Routers. IEEE Trans. on Dependable and Secure Computing, 3(3), 2006.

Conclusions
securing routing is a complex problem
  complexity of routing itself
  internal attacker model (Byzantine fault model)
some interesting research problems
  theory
    meaningful definitions of security
    models and proof techniques to reason about security properties of routing protocols
  practice
    implementation of and experimenting with various approaches in real test beds (EU-MESH project: www.eu-mesh.eu)
remark:
  routing problems in wired networks are similar
  while the principles are similar, design and implementation of mechanisms for wireless networks must take into account resource constraints (e.g., in sensor networks) and the broadcast nature of wireless channel


A book
written by
  Levente Buttyan (BME)
  Jean-Pierre Hubaux (EPFL)
published in 2007 by
  Cambridge University Press
  ISBN 9780521873710
intended to
  graduate students
  researchers and practitioners
material available on-line at secowinet.epfl.ch
  full manuscript in pdf
  slides for each chapter (progressively)

The EU-MESH Project


Enhanced, Ubiquitous, and Dependable Broadband Access using MESH Networks
funded by the EC within FP7 (project no. 215320)
started in Jan 2008, duration is 2.5 years
objectives:
  development, evaluation, and trial of multi-radio, multi-channel mesh network with QoS support and security
partners:
  industry: Proximetry, Forthnet, Thales, Ozone
  academia: FORTH-ICS, CNR, TU Berlin, SUPSI, TU Budapest (BME)
more information: www.eu-mesh.eu

