Page 1: Secure Routing in Multi-hop Wireless Networks · Secure Routing in Multi-hop Wireless Networks Levente Buttyán Budapest University of Technology and Economics Laboratory of Cryptography

Secure Routing in Multi-hop Wireless Networks

Levente Buttyán

Budapest University of Technology and Economics Laboratory of Cryptography and Systems Security (CrySyS)

www.crysys.hu

Workshop on Security of Autonomous and Spontaneous Networks 13-14 October, 2008, Loctudy, France

- to be on the safe side -


Page 2

--- to be on the safe side Laboratory of Cryptography and System Security 2

Outline

- routing protocols for ad hoc wireless networks
- attacker model
- securing the control plane
  – model
  – on-demand route discovery
  – proactive topology discovery
- securing the data plane
  – acknowledgement schemes
  – neighbor and traffic monitoring
- conclusions

Page 3

Routing protocols for ad hoc wireless networks

- routing is a fundamental function in packet networks
  – responsible for transferring packets through the network from their source to their destination
- routers do two things:
  – acquire and maintain routing information (routing tables) (control plane)
  – forward data packets (data plane)
- types of routing protocols for ad hoc wireless networks
  – topology based routing
    • proactive
      – distance vector (e.g., DSDV)
      – link state (e.g., OLSR)
    • reactive (on-demand)
      – distance vector (e.g., AODV)
      – source routing (e.g., DSR)
  – position based routing
    • based on real geographic positions (e.g., GPSR)
    • based on virtual positions (e.g., BVR)

Page 4

Proactive dissemination of routing information

- principle
  – routers try to maintain up-to-date routing information to all potential destinations
  – for this reason, routers exchange routing control messages on a regular basis (to handle possible changes in the network topology)
- content of routing control messages
  – routing tables with next hop and routing metric value for destinations
    • neighboring routers exchange their routing tables with each other
    • based on the received tables, each router updates its own table
    • after some convergence period, each table contains correct metrics
  – link-state updates (list of neighbors and link metrics)
    • every link-state update message is flooded in the network
    • all nodes learn the topology of the entire network
    • routing tables are then computed locally
- pros and cons:
  + (nearly) up-to-date routing information is available immediately, so data packets can be transferred with no delay
  – large overhead when many of the potential destinations are actually not used

Page 5

On-demand route discovery

- principle
  – routers maintain routing information only for those destinations that are actually used
  – if a data packet is intended for a new destination, routers acquire fresh routing information for that destination (route discovery)
- general route discovery process
  – a request message is generated by the source and flooded in the network; a response is returned by the destination
  – request and response messages accumulate routing information (source routing) or set up routing table entries in intermediate routers (table driven routing) on their way
- pros and cons
  – transfer of the first data packet to a new destination is delayed
  + low overhead when only a few destinations are actually used

Page 6

Routing information in position based routing

- principles
  – each router needs to determine only its own position and the positions of its neighbors
  – in case of real geographical positions, they can be obtained from GPS or by other positioning techniques
  – in case of virtual positions, special protocols are needed
- pros and cons
  + scalable
    • only local information is collected by each router
    • routers do not store any information per destination
  – special positioning techniques or hardware are needed

Page 7

Packet forwarding

- topology based routing
  – routing table driven
    • the next hop router toward the destination of a data packet is defined by the routing table
  – source routing
    • the header of each data packet contains the entire route that the packet should follow
- position based routing
  – the next hop is determined by the positions of the destination, the forwarding router, and its neighbors

Page 8

Objective and target of attacks on routing

- general objectives
  – increase adversarial control over the communications between some nodes;
  – degrade the quality of the service provided by the network (including disruption of communications);
  – increase the resource consumption of some nodes (e.g., CPU, memory, or energy)
- target of attacks
  – control plane
    • effects have larger scope (e.g., entire parts of the network may become disconnected or use suboptimal routes)
  – data plane
    • effects have limited scope (e.g., a few communicating source-destination pairs)

Page 9

Amount of attacker control

- external attacker
  – no control over any of the legitimate routers
  – can interfere with protocols by exploiting the properties of the wireless channels (eavesdropping, jamming, replay of messages)
- internal attacker
  – capabilities of an external attacker + full control over some (corrupted) routers
    • access to cryptographic secrets of corrupted routers (sending authentic messages)
    • re-programming of the behavior of corrupted routers (arbitrary deviations)
  – rationale: in most of the applications, the network is unattended and routers are not tamper resistant, so they can be physically attacked and compromised
  – examples:
    • sensor networks deployed over a large geographical area for monitoring wildlife
    • routers embedded in vehicles
    • mesh routers deployed in publicly accessible areas

Page 10

Examples for attacks

- external attacks
  – on the control plane:
    • injection of fake routing control messages
    • replay of old control messages
    • deletion (by jamming) of control messages
    these result in the dissemination of incorrect routing information, or prevent the dissemination of routing information
  – on the data plane:
    • deletion (by jamming) of data packets
    • reordering (by jamming and replay) of data packets
    • insertion of fake or modified data packets
- internal attacks
  – on the control plane:
    • any deviation from the routing protocol (including sending incorrect routing information in an authentic manner)
  – on the data plane:
    • dropping, modifying, misrouting data packets

Page 11

Some observations

- most of the external attacks can be thwarted by using cryptographic protection of routing control messages and data packets
  – an exception is jamming
    • physical layer countermeasures (e.g., spread spectrum)
    • detection of and re-routing around jammed areas
- internal attacks are more difficult to cope with
  – cryptography alone will not help
  – the problem is very similar to designing distributed algorithms in the Byzantine fault model
    • corrupted routers can be modeled as Byzantine faulty nodes

Page 12

Outline

- routing protocols for ad hoc wireless networks
- attacker model
- securing the control plane
  – model
  – on-demand route discovery
  – proactive topology discovery
- securing the data plane
  – acknowledgement schemes
  – neighbor and traffic monitoring
- conclusions

Page 13

High-level requirements for the control plane

- in general, attacks against the control plane aim at disseminating incorrect routing information or preventing the dissemination of routing information in the first place
- correctness (safety):
  – non-corrupted routers never get into an incorrect routing state
- effectiveness (liveness):
  – if a non-corrupted path exists between two non-corrupted routers, A and B, then eventually the system gets into a state where A can potentially communicate with B
- both definitions need some refinement
  – characteristics of the given type of routing
  – "tolerable imperfections"

Page 14

Network model

- an ad hoc network is represented by a graph G(V, E)
  – V: vertices are routers (non-corrupted and corrupted)
  – E: edges represent communication links (radio or wormhole)
- V* ⊂ V is the set of corrupted routers
- L is a labeling function that assigns IDs to routers with the following properties:
  – each ID is either compromised or uncompromised
  – each non-corrupted router has a unique, uncompromised ID
  – each corrupted router is labeled with all the compromised IDs
  – each router can send messages under any of the assigned IDs
- a configuration is a triplet: (G, V*, L)

[Figure: an example configuration; the non-corrupted routers are labeled {A}, {B}, {C}, {D}, {E}, {F}, {G}, {H}, and each corrupted router is labeled {X,Y}]

Page 15

Model of computation

- Mi's are processes that represent non-corrupted routers
- Ai's are processes that represent corrupted routers
- C is a process that represents the communication links between the routers
- processes communicate through buffers
- computation is performed in rounds
  – Mi's and Aj's read all messages from their incoming buffers, perform state transitions, and write messages in their outgoing buffers
  – C reads all messages from the outgoing buffers of the routers and copies those messages to the appropriate incoming buffers
    • broadcast communication is modeled by copying the message of a given router into the incoming buffers of all its neighbors

[Figure: processes M1 ... Mn and A1 ... Am, each with an incoming buffer (in1 ... inn, inA1 ... inAm) and an outgoing buffer (out1 ... outn, outA1 ... outAm), all connected to the process C]

Page 16

Model of computation (cont'd)

- input:
  – each router process knows its own ID(s) and the IDs of its neighboring routers
  – process C knows the network graph G
- computation:
  – each process Mi executes a program determined by the routing protocol
  – each process Aj executes an arbitrary program
    • cryptographic primitives cannot be broken
    • it sends messages that are feasible to compute under any of the compromised identifiers
- output:
  – internal state of the non-corrupted processes when the computation terminates
  – conditions for termination depend on the type of the protocol

Page 17

Security of on-demand source routing

- assume that A and B are two non-corrupted routers, and A initiates a route discovery towards B
  – computation terminates when this route discovery is completed (A receives a route (or a set of routes) or times out)
- correctness:
  – only plausible routes are accepted by A (in every possible configuration)
- effectiveness:
  – if a non-corrupted path exists between A and B, then A will accept a route (in every possible configuration)
- the notion of plausible route captures the following unavoidable misbehaviors (tolerable imperfections)
  – neighboring corrupted routers can freely communicate with each other in a proprietary way, so logically they form one entity
  – a corrupted router can pretend to be as many routers as it has compromised IDs

Page 18

Definition of plausible routes

- reduced configuration: (G(V, E), V*, L)
  – neighboring adversarial nodes are joined
- a route is plausible in a given configuration if
  – it doesn't contain repeating IDs, and
  – it can be partitioned in a way that each partition P can be associated with a node v in G such that
    • P ⊆ L(v), and
    • neighboring partitions are associated with neighboring nodes in G

[Figure: the example configuration and its reduced configuration, with routers labeled {A}, {B}, {C}, {D}, {E}, {F}, {G}, {H} and corrupted routers labeled {X,Y}; the route A X Y G C is plausible with the partitioning A | X Y | G | C]
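To make the definition concrete, here is an added Python illustration (not code from the talk) that checks a route against a configuration: it first builds the reduced configuration by joining neighboring corrupted nodes, then searches for a partitioning of the route that satisfies the two conditions. The graph, the labeling and the routes are constructed sample data; the route A X Y G C with the partitioning A | X Y | G | C from the figure is among the accepted ones.

```python
from collections import defaultdict

# Constructed sample configuration (not the one drawn in the talk): the
# non-corrupted routers a..h carry the unique IDs A..H; x1, x2, x3 are
# corrupted and each carries the whole compromised ID set {X, Y}.
# x1 and x2 are radio neighbors, so the reduced configuration joins them.
LABELS = {n: {n.upper()} for n in "abcdefgh"}
LABELS.update({"x1": {"X", "Y"}, "x2": {"X", "Y"}, "x3": {"X", "Y"}})
CORRUPTED = {"x1", "x2", "x3"}
EDGES = [("a", "x1"), ("x1", "x2"), ("x2", "g"), ("g", "c"), ("a", "b"),
         ("b", "c"), ("c", "d"), ("d", "x3"), ("x3", "h"), ("e", "f"),
         ("f", "g"), ("a", "e")]


def adjacency(edges):
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def reduce_configuration(edges, corrupted, labels):
    """Join neighboring corrupted nodes into one node (the reduced configuration).
    Returns (adjacency, labels) of the reduced graph; a joined node is named by
    the sorted, '+'-separated names of its members and carries their label union."""
    parent = {v: v for v in labels}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for u, v in edges:
        if u in corrupted and v in corrupted:
            parent[find(u)] = find(v)
    members = defaultdict(list)
    for v in labels:
        members[find(v)].append(v)
    name = {root: "+".join(sorted(ms)) for root, ms in members.items()}
    new_labels = {name[root]: set().union(*(labels[m] for m in ms))
                  for root, ms in members.items()}
    new_edges = {(name[find(u)], name[find(v)]) for u, v in edges
                 if find(u) != find(v)}
    return adjacency(new_edges), new_labels


def is_plausible(route, adj, labels):
    """True iff `route` (a list of IDs) is plausible: no ID repeats, and the
    route splits into consecutive partitions P_1..P_m with nodes v_1..v_m such
    that P_i is a subset of L(v_i) and v_i, v_{i+1} are neighbors.
    Dynamic programming: reachable[j] holds the nodes that can be associated
    with a partition ending exactly at route[j-1]."""
    if len(set(route)) != len(route):
        return False
    n = len(route)
    reachable = [set() for _ in range(n + 1)]
    reachable[0] = None  # sentinel: the first partition has no predecessor
    for i in range(n):
        prev = reachable[i]
        if prev is not None and not prev:
            continue  # no valid partitioning ends at route[i-1]
        for j in range(i + 1, n + 1):
            part = set(route[i:j])
            for v, ids in labels.items():
                if part <= ids and (prev is None or any(u in adj[v] for u in prev)):
                    reachable[j].add(v)
    return bool(reachable[n])


def check(route, reduce=True):
    """Plausibility of a route given as a string of IDs, e.g. "AXYGC"."""
    if reduce:
        adj, labels = reduce_configuration(EDGES, CORRUPTED, LABELS)
    else:
        adj, labels = adjacency(EDGES), LABELS
    return is_plausible(list(route), adj, labels)
```

The route A X G is accepted only in the reduced configuration, which is exactly the "neighboring corrupted routers form one entity" imperfection the definition tolerates.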

Page 19

Example: Ariadne protocol*

A:     hA = macAH( RREQ | A | H | id )
A → *: [ RREQ, A, H, id, hA, (), () ]

E:     hE = H( E | hA )
E → *: [ RREQ, A, H, id, hE, (E), (sigE) ]

F:     hF = H( F | hE )
F → *: [ RREQ, A, H, id, hF, (E, F), (sigE, sigF) ]

H → A: [ RREP, H, A, (E, F), (sigE, sigF), sigH ]

[Figure: example network with nodes A, B, C, D, E, F, G, H; the route request travels A → E → F → H]

* Y-C. Hu, A. Perrig, D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. Wireless Networks, 11(1-2), 2005.

Page 20

Example: Incorrectness of Ariadne

A:     hA = H( A | … )
A → *: [ RREQ, S, T, id, hA, (…, A), (…, sigA) ]

B:     hB = H( B | hA )
B → *: [ RREQ, S, T, id, hB, (…, A, B), (…, sigA, sigB) ]

C:     hC = H( C | hB )
C → *: [ RREQ, S, T, id, hC, (…, A, B, C), (…, sigA, sigB, sigC) ]

X:     hB = H( B | hA ), hX = H( X | hB )
X → *: [ RREQ, S, T, id, hX, (…, A, B, X), (…, sigA, sigB, sigX) ]
…

T → S: [ RREP, T, S, (…, A, B, X, …), (…, sigA, sigB, sigX, …), sigT ]

[Figure: example network with nodes S, A, X, B, C, T]

Page 21

Example: endairA protocol*

A → *: [ RREQ, A, H, id, () ]
E → *: [ RREQ, A, H, id, (E) ]
F → *: [ RREQ, A, H, id, (E, F) ]

H → F: [ RREP, A, H, id, (E, F), (sigH) ]
F → E: [ RREP, A, H, id, (E, F), (sigH, sigF) ]
E → A: [ RREP, A, H, id, (E, F), (sigH, sigF, sigE) ]

target verifies:
  • there's no repeating ID in the node list
  • the last node in the node list is a neighbor

each intermediate node verifies:
  • its own ID is in the node list
  • there's no repeating ID in the node list
  • the next and previous nodes in the node list are neighbors
  • all signatures are valid

source verifies:
  • there's no repeating ID in the node list
  • the first node in the node list is a neighbor
  • all signatures are valid

[Figure: example network with nodes A, B, C, D, E, F, G, H; the route reply travels H → F → E → A]

* G. Acs, L. Buttyan, I. Vajda. Provably secure on-demand source routing in mobile ad hoc networks. IEEE Trans. on Mobile Computing, 5(11), 2006.
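As an added illustration of the three verification steps (not the protocol authors' code), the following Python simulates an endairA route reply travelling back from H to A over a constructed network. Per-node HMAC keys stand in for the digital signatures, and the optional `tamper` hook of `route_reply` models a corrupted intermediate router altering the reply, so that the next non-corrupted node's checks reject it.

```python
import hashlib
import hmac
import json

# Constructed example network: the node names of the talk's figure, with edges
# chosen here so that A-E-F-H and A-B-C-D-H are valid routes.
EDGES = [("A", "B"), ("A", "E"), ("B", "C"), ("C", "D"), ("D", "H"),
         ("E", "F"), ("F", "H"), ("F", "G"), ("G", "H")]
NEIGHBORS = {}
for u, v in EDGES:
    NEIGHBORS.setdefault(u, set()).add(v)
    NEIGHBORS.setdefault(v, set()).add(u)

# Stand-in for the signing keys: one HMAC key per node.  A real deployment uses
# public-key signatures so that any node can verify without holding the keys.
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in NEIGHBORS}


def _signed_bytes(src, dst, rid, nodes, sigs):
    # Each signature covers the whole RREP, including the signatures before it.
    return json.dumps(["RREP", src, dst, rid, list(nodes), list(sigs)]).encode()


def sign(node, src, dst, rid, nodes, sigs):
    return hmac.new(KEYS[node], _signed_bytes(src, dst, rid, nodes, sigs),
                    "sha256").hexdigest()


def signatures_valid(src, dst, rid, nodes, sigs):
    """sigs[0] is the target's signature; sigs[i] belongs to the i-th node
    counted from the target end of the list, i.e. the reverse of `nodes`."""
    signers = [dst] + list(reversed(nodes))
    if len(sigs) > len(signers):
        return False
    for i, sig in enumerate(sigs):
        expected = sign(signers[i], src, dst, rid, nodes, sigs[:i])
        if not hmac.compare_digest(expected, sig):
            return False
    return True


def no_repeats(ids):
    return len(set(ids)) == len(ids)


def target_check(dst, src, nodes):
    """Target: no repeating ID, and the last listed node (or the source, for a
    one-hop route) is a neighbor."""
    last = nodes[-1] if nodes else src
    return no_repeats(nodes) and last in NEIGHBORS[dst]


def intermediate_check(me, src, dst, rid, nodes, sigs):
    """Intermediate node: own ID listed, no repeats, neighbors on both sides
    in the list (source and target count as ends), all signatures valid."""
    if me not in nodes or not no_repeats(nodes):
        return False
    full = [src] + list(nodes) + [dst]
    i = full.index(me)
    if full[i - 1] not in NEIGHBORS[me] or full[i + 1] not in NEIGHBORS[me]:
        return False
    return signatures_valid(src, dst, rid, nodes, sigs)


def source_check(src, dst, rid, nodes, sigs):
    first = nodes[0] if nodes else dst
    return (no_repeats(nodes) and first in NEIGHBORS[src]
            and signatures_valid(src, dst, rid, nodes, sigs))


def route_reply(src, dst, rid, nodes, tamper=None):
    """Run the reply from dst back to src.  `tamper(hop, nodes, sigs)` is an
    optional hook applied after `hop` has signed, modelling a corrupted router.
    Returns (accepted, node) where node is the rejecting node or the source."""
    if not target_check(dst, src, nodes):
        return False, dst
    sigs = [sign(dst, src, dst, rid, nodes, [])]
    nodes = list(nodes)
    for hop in list(reversed(nodes)):
        if not intermediate_check(hop, src, dst, rid, nodes, sigs):
            return False, hop
        sigs.append(sign(hop, src, dst, rid, nodes, sigs))
        if tamper:
            nodes, sigs = tamper(hop, nodes, sigs)
    return source_check(src, dst, rid, nodes, sigs), src


def forge_next_hop(hop, nodes, sigs):
    """Constructed misbehavior: corrupted F replaces itself with G in the list."""
    return (["E", "G"], sigs) if hop == "F" else (nodes, sigs)


def corrupt_target_signature(hop, nodes, sigs):
    """Constructed misbehavior: corrupted F mangles the target's signature."""
    return (nodes, [sigs[0][::-1]] + sigs[1:]) if hop == "F" else (nodes, sigs)
```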

Page 22

Example: Correctness of endairA

- Proposition: endairA is correct if there's at most one corrupted router in the network.
- Proof sketch:
  – assume that a non-corrupted router A accepts a route R = (N1, …, Nr) and R is non-plausible
  – in the reduced configuration adversarial nodes are non-adjacent, so each sequence of non-repeating IDs has a unique partitioning
    • non-compromised IDs form distinct partitions
    • consecutive compromised IDs form a single partition
  – case 1: Pj = {Ni} and Pj+1 = {Ni+1} are non-corrupted partitions and the nodes v and v' that belong to Ni and Ni+1 are not adjacent in G
    • v' would detect that the previous ID in the list doesn't belong to a neighbor
  – case 2: Pj = {Ni}, Pj+1 = {Ni+1, …, Ni+k}, Pj+2 = {Ni+k+1} are two non-corrupted partitions and a corrupted partition, and either the node v that belongs to Ni or the node v' that belongs to Ni+k+1 is not a neighbor of the single corrupted node v*
    a) v would detect that the next ID in the list doesn't belong to a neighbor
    b) v' would detect that the previous ID in the list doesn't belong to a neighbor

Page 23

Research problem 1

- the proof does not work for more than one corrupted node
  – corrupted routers can pass information to each other even if they are not neighbors
    • covert channels (e.g., the route request is flooded in the network)
    • tunneling routing control messages within data packets
- Is it impossible to ensure correctness in general?
- Is there a meaningful model where correctness can still be guaranteed?

Page 24

How about effectiveness?

- this requirement has been largely ignored in the literature
  – most of the proposed protocols do not guarantee effectiveness due to the duplicate suppression mechanism used to control flooding
- example:
  • if E is corrupted, then it can drop all route replies
  • no route from A to F will be discovered, although there is a non-corrupted route A, D, G, F
  • a rushing attack can make things even worse

[Figure: example network with nodes A, B, C, D, E, F, G, H; the corrupted node E drops the route reply]

Page 25

Proposed countermeasures against rushing attacks

- sending a route reply to more than one request may help, but will not guarantee effectiveness
- randomization of route request forwarding
  – do not rebroadcast the route request immediately
  – wait for more incoming requests, and select one randomly to re-broadcast
  – parameters:
    • number of route requests collected
    • probability distribution of selection
    • time-outs

Y-C. Hu, A. Perrig, D. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. ACM WiSe, 2003.

Page 26

Research problem 2

- How to measure the performance of this approach?
- How to tune the parameters?
- Are there other ways to address the problem of effectiveness?

Page 27

Security of on-demand distance vector routing

- the framework is very similar to that of source routing
  – the output of route discovery is not a set of explicit routes but a set of routing table entries established within the routers
- assume that A and B are two non-corrupted routers, and A initiates a route discovery towards B
  – computation terminates when this route discovery is completed (A receives a route reply or times out)
- correctness:
  – non-corrupted routers in the network create only plausible routing entries (in every possible configuration)
- effectiveness:
  – if a non-corrupted path exists between A and B, then A will receive a route reply from B that traversed a route from B to A (in every possible configuration)

Page 28

Definition of plausibility

- first attempt:
  – a routing entry (dst: D, nxt: N, metric: x) of a router v is plausible if
    • there's a neighbor v' of v that uses the ID N
    • there's a path from v' to the node v'' that uses ID D such that this path does not contain v
    • the length of this path is x-1
- problems:
  – a sequence of corrupted routers may appear to be a single router, so the perceived metric value of a path may be smaller than the real value
  – a single corrupted router may emulate a cascade of routers (length is the number of compromised identifiers), so the perceived metric value of a path may be larger than the real value
  – consequently, any metric computation is inherently unreliable, even if protected (e.g., using hash chains)

Page 29

Definition of plausibility (cont'd)

- second attempt:
  – a routing entry (dst: D, nxt: N, metric: x) of a router v is plausible if
    • there's a neighbor v' of v that uses the ID N
    • there's a path from v' to the node v'' that uses ID D such that this path does not contain v
- problem:

[Figure: example network with nodes A, B, C, D, F, H and the routing entries (H, C, 3), (H, B, 4), (H, D, 4), (H, F, 3) for destination H]

Page 30

Research problem 3

- What would be a meaningful definition of correctness for on-demand distance vector routing?
- Is it possible to design protocols that satisfy that definition?

Page 31

Security of proactive topology discovery

- reminder of principles
  – each node proactively floods its (believed) neighbor list in the network
  – based on the received neighbor lists, each node tries to re-construct the topology of the entire network
  – routing tables are computed locally from the reconstructed network topology
  – duplicate use of a compromised ID can be easily detected (two different neighbor lists are flooded under the same ID), so we may assume that each corrupted node uses a single ID
- correctness:
  – each non-corrupted router A computes a plausible topology
- effectiveness:
  – if a non-corrupted path exists between two non-corrupted routers, A and B, then the topology that they compute contains at least one non-corrupted path between them

Page 32

Definition of plausible topology

- intuition:
  – a plausible topology should not contain non-existent links (edges)
- tolerable imperfections:
  – assume that A announces a link (A, B), while B does not announce this link
    • there is no way to decide which one of them is corrupted
    • as A may be corrupted and B may be non-corrupted, a non-corrupted node should exclude link (A, B) from the topology
    • but it may also be the case that A is non-corrupted and B is corrupted, so a plausible topology can only be a subgraph of the real graph
  – assume that two corrupted routers A and B both announce a non-existent link (A, B)
    • link (A, B) will be included in the reconstructed topology, so we cannot require that a plausible topology is a subgraph of the real graph

Page 33

An approach to solve the contradiction

- we define a plausible topology as a subgraph of the real network topology
- correctness may be achieved by requiring non-corrupted nodes to detect non-existent links in the reconstructed topology
  – the problem is similar to that of centralized wormhole detection*
  – first the topology is reconstructed from local neighborhood information, and then inconsistencies (distortions) are identified in the reconstructed topology
  – example:
    • the length distribution of the shortest paths between all pairs of nodes can be estimated if the size of the deployment area, the node density and the power range of the nodes are known
    • (non-existent) links between remote nodes create shortcuts and distort the distribution
    • this distortion may be detected by statistical hypothesis tests

* L. Buttyan, L. Dora, I. Vajda. Statistical wormhole detection in sensor networks. ESAS 2005.

Page 34

Research problem 4

- How to reliably identify virtual links in the topology?
  – false negative:
    • a virtual link is not detected
    • routers may select routes that contain a virtual link
  – false positive:
    • a real link may be removed from the topology
    • the assumption that any two non-corrupted routers are connected through a non-corrupted path may become invalid, so effectiveness may not be achieved

Page 35

How about effectiveness?

- assume that each router floods the network with a digitally signed neighbor list
  – the signature ensures that the neighbor list cannot be changed
  – assuming that there is a non-corrupted path between each pair of non-corrupted routers, each non-corrupted router will receive the intact neighbor list of all other non-corrupted routers
- consider two non-corrupted routers, A and B, and assume that there is a non-corrupted path between them
  – the links of this path will be announced by each non-corrupted router of the path
  – as explained above, A and B will get all these announcements, so the topology constructed by A and B will contain this path
- effectiveness follows from the above arguments
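An added Python illustration (not code from the talk) of the reconstruction rule from the plausible-topology slide together with the effectiveness argument above: neighbor lists are taken as already signature-verified, a link is kept only when both of its endpoints announce it, and a breadth-first search confirms that a non-corrupted path survives in the reconstructed topology. The network and the corrupted routers X and Y are constructed sample data.

```python
from collections import deque

# Constructed example: the real radio links, and which routers are corrupted.
REAL_LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("B", "X"), ("C", "Y")}
CORRUPTED = {"X", "Y"}


def neighbors_of(links):
    nb = {}
    for u, v in links:
        nb.setdefault(u, set()).add(v)
        nb.setdefault(v, set()).add(u)
    return nb


def honest_announcements():
    """Every non-corrupted router floods its true neighbor list.  Signatures are
    assumed verified already, so a corrupted router can only lie in its own list."""
    return {n: set(nbs) for n, nbs in neighbors_of(REAL_LINKS).items()
            if n not in CORRUPTED}


def reconstruct(announcements):
    """Keep link (u, v) only if both u and v announce it; one-sided links are
    dropped, which is the tolerable imperfection discussed on the slide."""
    topo = set()
    for u, nbs in announcements.items():
        for v in nbs:
            if u in announcements.get(v, ()):
                topo.add(tuple(sorted((u, v))))
    return topo


def has_path(topo, src, dst, avoid=()):
    """Breadth-first search over the reconstructed topology, optionally skipping
    a set of nodes (here: the corrupted ones, to test for a non-corrupted path)."""
    nb = neighbors_of(topo)
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return True
        for v in nb.get(u, ()):
            if v not in seen and v not in avoid:
                seen.add(v)
                queue.append(v)
    return False


def scenario_one_sided():
    """X (corrupted) claims a non-existent link to D; D does not confirm it."""
    ann = honest_announcements()
    ann["X"] = {"B", "D"}
    return reconstruct(ann)


def scenario_colluding():
    """X and Y both announce the non-existent link (X, Y): it cannot be filtered
    by the two-sided rule, which is why a plausible topology may exceed the
    real graph unless such links are detected by other means."""
    ann = honest_announcements()
    ann["X"] = {"B", "Y"}
    ann["Y"] = {"C", "X"}
    return reconstruct(ann)
```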

Page 36

Outline

- routing protocols for ad hoc wireless networks
- attacker model
- securing the control plane
  – requirements
  – on-demand route discovery
  – proactive topology discovery
- securing the data plane
  – acknowledgement schemes
  – neighbor and traffic monitoring
- conclusions

Page 37

Securing the data plane

- we want to detect corrupted routers that
  – drop
  – modify
  – misroute
  data packets
- once detected, we may also want to react to misbehavior
  – exclude the corrupted routers from the network
  – exclude only the links on which misbehavior is detected
    • the rationale is that in practice the router may not be malicious; it may be the case that only one of its interfaces is faulty
- approaches for detection
  – acknowledgement schemes
  – neighbor and traffic monitoring

Page 38

Example: Detection of faulty links in ODSBR

  ODSBR* – On-Demand Source routing with Byzantine Robustness

  uses an adaptive acknowledgement scheme
–  consider two (non-corrupted) nodes, S and T, using a route R (source routing: S knows R)
–  T is required to acknowledge every packet received
–  when the packet loss ratio exceeds a threshold, S specifies probe nodes on the route that should also return acks for subsequent packets
–  the selection of probe nodes implements a binary search on the route that results in the identification of the faulty link
–  either end of the link may be corrupted

[figure: a route from S to T containing a corrupted router; S asks selected probe nodes to "send acks, please", and one of the two links adjacent to the corrupted router is detected as faulty]

* Awerbuch et al. ODSBR: An On-Demand Secure Routing Protocol Resilient to Byzantine Failures, ACM WiSe 2002.
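The probing procedure of the slide, as an added example that is not ODSBR's own code: a constructed source route with one corrupted router, a loss-ratio trigger, and the binary search over probe positions. `SourceRoute`, `bad` and `acks_own_probe` are assumed names; the simulation also covers the case where the corrupted router acks its own probe but drops everything else, which is why either end of the reported link may be the culprit.

```python
"""Locating a faulty link with adaptive acknowledgements (added example in the
style of ODSBR's binary search, not the ODSBR reference code). The route, the
position of the corrupted router and its behaviour are constructed: it never
forwards data packets, and acks that would have to cross it are lost too."""

class SourceRoute:
    """Route known to S: nodes[0] is S, nodes[-1] is T. `bad` is the index of
    the corrupted router, hidden from S. With `acks_own_probe` the corrupted
    router still answers when it is itself named as a probe."""
    def __init__(self, nodes, bad, acks_own_probe=False):
        self.nodes, self.bad, self.acks_own_probe = nodes, bad, acks_own_probe
        self.rounds = 0  # probe packets S had to send

    def send(self, probes):
        """Send one data packet carrying a probe list; return the probe indices
        whose acks reach S. A probe sees the packet only if no corrupted router
        precedes it, and its ack crosses the same links in reverse."""
        self.rounds += 1
        last_reachable = self.bad if self.acks_own_probe else self.bad - 1
        return {i for i in probes if i <= last_reachable}

def loss_ratio(route, packets=20):
    """Normal operation: only T acks; S measures the fraction of unacked packets."""
    t = len(route.nodes) - 1
    return sum(1 for _ in range(packets) if t not in route.send({t})) / packets

def locate_faulty_link(route):
    """Binary search over probe positions. Invariant: probe `lo` acks and probe
    `hi` does not, so the faulty link lies between them; stop when adjacent."""
    route.rounds = 0
    lo, hi = 0, len(route.nodes) - 1  # S trivially 'acks'; T has stopped acking
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid in route.send({mid}):
            lo = mid  # every link up to mid works
        else:
            hi = mid  # the fault lies at or before mid
    return route.nodes[lo], route.nodes[hi]

if __name__ == "__main__":
    route = SourceRoute(["S", "R1", "R2", "R3", "R4", "R5", "R6", "R7", "T"], bad=5)
    if loss_ratio(route) > 0.1:  # constructed loss threshold
        print("faulty link:", locate_faulty_link(route), "after", route.rounds, "rounds")
```

With 8 hops the search needs 3 probing rounds, matching the log(n) rounds discussed on the next slide; the source learns the faulty link but not which of its two ends is misbehaving.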

Page 39

Research problem 5

  detection of a faulty link requires a long time
–  if the first router on the path is corrupted, then each round of the detection algorithm requires ~2nD time, where
•  n is the number of hops on the route
•  D is an upper bound on the delay on a link
–  and there are log(n) rounds

  Herzberg and Kutten* proposed faulty router detection algorithms that need only O(nδ + fD) time, where
–  f is the number of corrupted routers on the path
–  δ is the "average" delay on a non-faulty link

  Is there a way to combine the adaptive approach with the early detection approach?

*A. Herzberg, S. Kutten. Early detection of message forwarding faults. SIAM Journal of Computing, 30(4), 2000

Page 40

Example: Watchdog and Pathrater*

  the Watchdog mechanism is responsible for monitoring neighbors and detecting misbehaving routers

  Pathrater is used to select routes that avoid misbehaving routers

  operating principle of Watchdog:
–  routers listen in promiscuous mode
–  if a router A does not overhear the transmission of a packet by the next hop router B, then A suspects B of misbehaving

  assumptions:
–  omni-directional antennae
–  use of a single channel
–  no power control

  other problems:
–  when B transmits to C, A may receive something from another node, so there is a collision at A, and A will falsely suspect B
–  B's transmission may be received by A but not by C; B may skip retransmission, and A will falsely believe that the packet has been forwarded
–  monitoring nodes may misbehave too: B drops the packet, but A may not report this

*S. Marti et al. Mitigating routing misbehavior in mobile ad hoc networks. ACM Mobicom, 2000.

Page 41

Example: WATCHERS*

  detection of routers that drop or misroute packets

  based on the conservation of flow principle
–  (amount of data going into A – amount of data destined to A) must be equal to (amount of data coming out from A – amount of data originating from A)

  implemented by counters maintained by neighboring routers and disseminated in the network

  diagnosis procedure
–  a snapshot of counter values is flooded in the network
–  each router verifies its neighbors
–  validation: the neighbor's counters must match the counters of its neighbors
–  conservation of flow: the difference between the neighbor's incoming traffic flow and its outgoing traffic flow must be below a threshold

[figure: link from router X to router Y, labelled with the counters T_XY, S_XY and D_XY maintained for that link]

*K. Bradley et al. Detecting disruptive routers: A distributed monitoring approach. IEEE Symp. on Security and Privacy (Oakland), 1998.
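The validation and conservation-of-flow checks of the diagnosis procedure above, as an added example that is not WATCHERS' own code: `Snapshot`, `chain_snapshot` and the extra receive counter R_XY are assumptions, and the counter values are constructed to show one router that drops transit packets and one that hides the drop by misreporting its counters.

```python
"""Conservation-of-flow diagnosis in the style of WATCHERS (added example, not
the WATCHERS implementation). Per neighbour Y, router X publishes the figure's
counters T_XY (packets X transmitted to Y), S_XY (those originating at X) and
D_XY (those destined to Y), plus R_XY, packets X counted as received from Y."""

class Snapshot:
    """Flooded snapshot of every router's counters, as seen by a verifier."""
    def __init__(self):
        self.T, self.S, self.D, self.R = {}, {}, {}, {}

    def link(self, x, y, transmitted, originated=0, terminated=0, received=None):
        """X claims it sent `transmitted` packets to Y; Y reports `received`."""
        self.T[(x, y)], self.S[(x, y)], self.D[(x, y)] = transmitted, originated, terminated
        self.R[(y, x)] = transmitted if received is None else received

    def neighbours(self, x):
        return {b if a == x else a for (a, b) in self.T if x in (a, b)}

def validation_failures(snap, x):
    """Neighbours whose receive counter from X disagrees with X's transmit counter."""
    return {y for y in snap.neighbours(x) if snap.T.get((x, y), 0) != snap.R.get((y, x), 0)}

def flow_imbalance(snap, x):
    """Transit packets entering X minus transit packets leaving X (packets
    destined to X and packets originating at X are excluded, as on the slide)."""
    nb = snap.neighbours(x)
    entering = sum(snap.T.get((y, x), 0) - snap.D.get((y, x), 0) for y in nb)
    leaving = sum(snap.T.get((x, y), 0) - snap.S.get((x, y), 0) for y in nb)
    return entering - leaving

def diagnose(snap, threshold):
    """Routers a verifier flags: inconsistent counters or lost transit traffic."""
    routers = {n for pair in snap.T for n in pair}
    return {x for x in routers
            if validation_failures(snap, x) or abs(flow_imbalance(snap, x)) > threshold}

def chain_snapshot(forwarded_by_b, b_claims=None):
    """Constructed topology A - B - C: A sends 100 packets to C, C sends 20 to A.
    B forwards `forwarded_by_b` of A's packets but may report `b_claims` instead."""
    claimed = forwarded_by_b if b_claims is None else b_claims
    snap = Snapshot()
    snap.link("A", "B", 100, originated=100)                 # all sourced at A
    snap.link("B", "C", claimed, terminated=claimed, received=forwarded_by_b)
    snap.link("C", "B", 20, originated=20)                   # all sourced at C
    snap.link("B", "A", 20, terminated=20)                   # all terminate at A
    return snap
```

A router that drops 40 transit packets fails the conservation check; one that drops them but reports the full count passes conservation and is caught only by validation against its neighbour's receive counter, which is why both checks are needed.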

Page 42

Research problem 6

  How to make this approach effective in practice?
–  how about reordering and modification of data packets?
–  how about legitimate dropping of packets (TTL, congestion, …)?
–  how to determine the threshold values used in the detection algorithm?

J. Hughes, T. Aura, M. Bishop. Using Conservation of Flow as a Security Mechanism in Network Protocols. IEEE Symp. on Security and Privacy (Oakland), 2000.

A. Mizrak et al. Detecting and Isolating Malicious Routers. IEEE Trans. on Dependable and Secure Computing, 3(3), 2006.

Page 43

Conclusions

  securing routing is a complex problem
–  complexity of routing itself
–  internal attacker model (Byzantine fault model)

  some interesting research problems
–  theory
•  meaningful definitions of security
•  models and proof techniques to reason about security properties of routing protocols
–  practice
•  implementation of and experimenting with various approaches in real test beds
•  (EU-MESH project: www.eu-mesh.eu)

  remark:
–  routing problems in wired networks are similar
–  while the principles are similar, the design and implementation of mechanisms for wireless networks must take into account resource constraints (e.g., in sensor networks) and the broadcast nature of the wireless channel

Page 44

A book

  written by
–  Levente Buttyan (BME)
–  Jean-Pierre Hubaux (EPFL)

  published in 2007 by
–  Cambridge University Press
–  ISBN 9780521873710

  intended for
–  graduate students
–  researchers and practitioners

  material available on-line at secowinet.epfl.ch
–  full manuscript in pdf
–  slides for each chapter (progressively)

Page 45

The EU-MESH Project

  Enhanced, Ubiquitous, and Dependable Broadband Access using MESH Networks

  funded by the EC within FP7 (project no. 215320)

  started in Jan 2008, duration is 2.5 years

  objectives:
–  development, evaluation, and trial of a multi-radio, multi-channel mesh network with QoS support and security

  partners:
–  industry: Proximetry, Forthnet, Thales, Ozone
–  academia: FORTH-ICS, CNR, TU Berlin, SUPSI, TU Budapest (BME)

  more information: www.eu-mesh.eu