Solutions and Tools for Secure Communication in Wireless Sensor Networks

Secure communication is considered a vital requirement in Wireless Sensor Network (WSN) applications. Such a requirement embraces different aspects, including confidentiality, integrity and authenticity of exchanged information, proper management of security material, and effective prevention and reaction against security threats and attacks. However, WSNs are mainly composed of resource-constrained devices. That is, network nodes feature reduced capabilities, especially in terms of memory storage, computing power, transmission rate, and energy availability. As a consequence, assuring secure communication in WSNs results to be more difficult than in other kinds of network. In fact, trading effectiveness of adopted solutions with their efficiency becomes far more important. In addition, specific device classes or technologies may require to design ad hoc security solutions. Also, it is necessary to efficiently manage security material, and dynamically cope with changes of security requirements. Finally, security threats and countermeasures have to be carefully considered since from the network design phase. This Ph.D. dissertion considers secure communication in WSNs, and provides the following contributions. First, we provide a performance evaluation of IEEE 802.15.4 security services. Then, we focus on the ZigBee technology and its security services, and propose possible solutions to some deficiencies and inefficiencies. Second, we present HISS, a highly scalable and efficient key management scheme, able to contrast collusion attacks while displaying a graceful degradation of performance. Third, we present STaR, a software component for WSNs that secures multiple traffic flows at the same time. It is transparent to the application, and provides runtime reconfigurability, thus coping with dynamic changes of security requirements. Finally, we describe ASF, our attack simulation framework for WSNs. Such a tool helps network designers to quantitatively evaluate effects of security attacks, produce an attack ranking based on their severity, and thus select the most appropriate countermeasures

Deploying RIOT operating system on a reconfigurable Internet of Things end-device

Dissertação de mestrado integrado em Engenharia Eletrónica Industrial e ComputadoresThe Internet of Everything (IoE) is enabling the connection of an infinity of physical objects to the Internet, and has the potential to connect every single existing object in the world. This empowers a market with endless opportunities where the big players are forecasting, by 2020, more than 50 billion connected devices, representing an 8 trillion USD market. The IoE is a broad concept that comprises several technological areas and will certainly, include more in the future. Some of those already existing fields are the Internet of Energy related with the connectivity of electrical power grids, Internet of Medical Things (IoMT), for instance, enables patient monitoring, Internet of Industrial Things (IoIT), which is dedicated to industrial plants, and the Internet of Things (IoT) that focus on the connection of everyday objects (e.g. home appliances, wearables, transports, buildings, etc.) to the Internet. The diversity of scenarios where IoT can be deployed, and consequently the different constraints associated to each device, leads to a heterogeneous network composed by several communication technologies and protocols co-existing on the same physical space. Therefore, the key requirements of an IoT network are the connectivity and the interoperability between devices. Such requirement is achieved by the adoption of standard protocols and a well-defined lightweight network stack. Due to the adoption of a standard network stack, the data processed and transmitted between devices tends to increase. Because most of the devices connected are resource constrained, i.e., low memory, low processing capabilities, available energy, the communication can severally decrease the device’s performance. Hereupon, to tackle such issues without sacrificing other important requirements, this dissertation aims to deploy an operating system (OS) for IoT, the RIOT-OS, while providing a study on how network-related tasks can benefit from hardware accelerators (deployed on reconfigurable technology), specially designed to process and filter packets received by an IoT device.O conceito Internet of Everything (IoE) permite a conexão de uma infinidade de objetos à Internet e tem o potencial de conectar todos os objetos existentes no mundo. Favorecendo assim o aparecimento de novos mercados e infinitas possibilidades, em que os grandes intervenientes destes mercados preveem até 2020 a conexão de mais de 50 mil milhões de dispositivos, representando um mercado de 8 mil milhões de dólares. IoE é um amplo conceito que inclui várias áreas tecnológicas e irá certamente incluir mais no futuro. Algumas das áreas já existentes são: a Internet of Energy relacionada com a conexão de redes de transporte e distribuição de energia à Internet; Internet of Medical Things (IoMT), que possibilita a monotorização de pacientes; Internet of Industrial Things (IoIT), dedicada a instalações industriais e a Internet of Things (IoT), que foca na conexão de objetos do dia-a-dia (e.g. eletrodomésticos, wearables, transportes, edifícios, etc.) à Internet. A diversidade de cenários à qual IoT pode ser aplicado, e consequentemente, as diferentes restrições aplicadas a cada dispositivo, levam à criação de uma rede heterogénea composto por diversas tecnologias de comunicação e protocolos a coexistir no mesmo espaço físico. Desta forma, os requisitos chave aplicados às redes IoT são a conectividade e interoperabilidade entre dispositivos. Estes requisitos são atingidos com a adoção de protocolos standard e pilhas de comunicação bem definidas. Com a adoção de pilhas de comunicação standard, a informação processada e transmitida entre dispostos tende a aumentar. Visto que a maioria dos dispositivos conectados possuem escaços recursos, i.e., memória reduzida, baixa capacidade de processamento, pouca energia disponível, o aumento da capacidade de comunicação pode degradar o desempenho destes dispositivos. Posto isto, para lidar com estes problemas e sem sacrificar outros requisitos importantes, esta dissertação pretende fazer o porting de um sistema operativo IoT, o RIOT, para uma solução reconfigurável, o CUTE mote. O principal objetivo consiste na realização de um estudo sobre os benefícios que as tarefas relacionadas com as camadas de rede podem ter ao serem executadas em hardware via aceleradores dedicados. Estes aceleradores são especialmente projetados para processar e filtrar pacotes de dados provenientes de uma interface radio em redes IoT periféricas

Generic sensor network architecture for wireless automation (GENSEN)

fi=vertaisarvioimaton|en=nonPeerReviewed

On Information-centric Resiliency and System-level Security in Constrained, Wireless Communication

The Internet of Things (IoT) interconnects many heterogeneous embedded devices either locally between each other, or globally with the Internet. These things are resource-constrained, e.g., powered by battery, and typically communicate via low-power and lossy wireless links. Communication needs to be secured and relies on crypto-operations that are often resource-intensive and in conflict with the device constraints. These challenging operational conditions on the cheapest hardware possible, the unreliable wireless transmission, and the need for protection against common threats of the inter-network, impose severe challenges to IoT networks. In this thesis, we advance the current state of the art in two dimensions. Part I assesses Information-centric networking (ICN) for the IoT, a network paradigm that promises enhanced reliability for data retrieval in constrained edge networks. ICN lacks a lower layer definition, which, however, is the key to enable device sleep cycles and exclusive wireless media access. This part of the thesis designs and evaluates an effective media access strategy for ICN to reduce the energy consumption and wireless interference on constrained IoT nodes. Part II examines the performance of hardware and software crypto-operations, executed on off-the-shelf IoT platforms. A novel system design enables the accessibility and auto-configuration of crypto-hardware through an operating system. One main focus is the generation of random numbers in the IoT. This part of the thesis further designs and evaluates Physical Unclonable Functions (PUFs) to provide novel randomness sources that generate highly unpredictable secrets, on low-cost devices that lack hardware-based security features. This thesis takes a practical view on the constrained IoT and is accompanied by real-world implementations and measurements. We contribute open source software, automation tools, a simulator, and reproducible measurement results from real IoT deployments using off-the-shelf hardware. The large-scale experiments in an open access testbed provide a direct starting point for future research

Routing and Mobility on IPv6 over LoWPAN

The IoT means a world-wide network of interconnected objects based on standard communication protocols. An object in this context is a quotidian physical device augmented with sensing/actuating, processing, storing and communication capabilities. These objects must be able to interact with the surrounding environment where they are placed and to cooperate with neighbouring objects in order to accomplish a common objective. The IoT objects have also the capabilities of converting the sensed data into automated instructions and communicating them to other objects through the communication networks, avoiding the human intervention in several tasks. Most of IoT deployments are based on small devices with restricted computational resources and energy constraints. For this reason, initially the scientific community did not consider the use of IP protocol suite in this scenarios because there was the perception that it was too heavy to the available resources on such devices. Meanwhile, the scientific community and the industry started to rethink about the use of IP protocol suite in all IoT devices and now it is considered as the solution to provide connectivity between the IoT devices, independently of the Layer 2 protocol in use, and to connect them to the Internet. Despite the use of IP suite protocol in all devices and the amount of solutions proposed, many open issues remain unsolved in order to reach a seamless integration between the IoT and the Internet and to provide the conditions to IoT service widespread. This thesis addressed the challenges associated with the interconnectivity between the Internet and the IoT devices and with the security aspects of the IoT. In the interconnectivity between the IoT devices and the Internet the problem is how to provide valuable information to the Internet connected devices, independently of the supported IP protocol version, without being necessary accessed directly to the IoT nodes. In order to solve this problem, solutions based on Representational state transfer (REST) web services and IPv4 to IPv6 dual stack transition mechanism were proposed and evaluated. The REST web service and the transition mechanism runs only at the border router without penalizing the IoT constrained devices. The mitigation of the effects of internal and external security attacks minimizing the overhead imposed on the IoT devices is the security challenge addressed in this thesis. Three different solutions were proposed. The first is a mechanism to prevent remotely initiated transport level Denial of Service attacks that avoids the use of inefficient and hard to manage traditional firewalls. It is based on filtering at the border router the traffic received from the Internet and destined to the IoT network according to the conditions announced by each IoT device. The second is a network access security framework that can be used to control the nodes that have access to the network, based on administrative approval, and to enforce security compliance to the authorized nodes. The third is a network admission control framework that prevents IoT unauthorized nodes to communicate with IoT authorized nodes or with the Internet, which drastically reduces the number of possible security attacks. The network admission control was also exploited as a management mechanism as it can be used to manage the network size in terms of number of nodes, making the network more manageable, increasing its reliability and extending its lifetime.A IoT (Internet of Things) tem suscitado o interesse tanto da comunidade académica como da indústria, uma vez que os campos de aplicação são inúmeros assim como os potenciais ganhos que podem ser obtidos através do uso deste tipo de tecnologia. A IoT significa uma rede global de objetos ligados entre si através de uma rede de comunicações baseada em protocolos standard. Neste contexto, um objeto é um objeto físico do dia a dia ao qual foi adicionada a capacidade de medir e de atuar sobre variáveis físicas, de processar e armazenar dados e de comunicar. Estes objetos têm a capacidade de interagir com o meio ambiente envolvente e de cooperar com outros objetos vizinhos de forma a atingirem um objetivo comum. Estes objetos também têm a capacidade de converter os dados lidos em instruções e de as comunicar a outros objetos através da rede de comunicações, evitando desta forma a intervenção humana em diversas tarefas. A maior parte das concretizações de sistemas IoT são baseados em pequenos dispositivos autónomos com restrições ao nível dos recursos computacionais e de retenção de energia. Por esta razão, inicialmente a comunidade científica não considerou adequado o uso da pilha protocolar IP neste tipo de dispositivos, uma vez que havia a perceção de que era muito pesada para os recursos computacionais disponíveis. Entretanto, a comunidade científica e a indústria retomaram a discussão acerca dos benefícios do uso da pilha protocolar em todos os dispositivos da IoT e atualmente é considerada a solução para estabelecer a conetividade entre os dispositivos IoT independentemente do protocolo da camada dois em uso e para os ligar à Internet. Apesar do uso da pilha protocolar IP em todos os dispositivos e da quantidade de soluções propostas, são vários os problemas por resolver no que concerne à integração contínua e sem interrupções da IoT na Internet e de criar as condições para a adoção generalizada deste tipo de tecnologias. Esta tese versa sobre os desafios associados à integração da IoT na Internet e dos aspetos de segurança da IoT. Relativamente à integração da IoT na Internet o problema é como fornecer informação válida aos dispositivos ligados à Internet, independentemente da versão do protocolo IP em uso, evitando o acesso direto aos dispositivos IoT. Para a resolução deste problema foram propostas e avaliadas soluções baseadas em web services REST e em mecanismos de transição IPv4 para IPv6 do tipo pilha dupla (dual stack). O web service e o mecanismo de transição são suportados apenas no router de fronteira, sem penalizar os dispositivos IoT. No que concerne à segurança, o problema é mitigar os efeitos dos ataques de segurança internos e externos iniciados local e remotamente. Foram propostas três soluções diferentes, a primeira é um mecanismo que minimiza os efeitos dos ataques de negação de serviço com origem na Internet e que evita o uso de mecanismos de firewalls ineficientes e de gestão complexa. Este mecanismo filtra no router de fronteira o tráfego com origem na Internet é destinado à IoT de acordo com as condições anunciadas por cada um dos dispositivos IoT da rede. A segunda solução, é uma framework de network admission control que controla quais os dispositivos que podem aceder à rede com base na autorização administrativa e que aplica políticas de conformidade relativas à segurança aos dispositivos autorizados. A terceira é um mecanismo de network admission control para redes 6LoWPAN que evita que dispositivos não autorizados comuniquem com outros dispositivos legítimos e com a Internet o que reduz drasticamente o número de ataques à segurança. Este mecanismo também foi explorado como um mecanismo de gestão uma vez que pode ser utilizado a dimensão da rede quanto ao número de dispositivos, tornando-a mais fácil de gerir e aumentando a sua fiabilidade e o seu tempo de vida