Implementation of Fuzzy Based Simulation for Clone Detection in Wireless Sensor Networks

Wireless sensor networks are usually left unattended and serve hostile environment, therefore can easily be compromised. With compromised nodes an attacker can conduct several inside and outside attacks. Node replication attack is one of them which can cause severe damage to wireless sensor network if left undetected. This paper presents fuzzy based simulation framework for detection and revocation of compromised nodes in wireless sensor network. Our proposed scheme uses PDR statistics and neighbor reports to determine the probability of a cluster being compromised. Nodes in compromised cluster are then revoked and software attestation is performed.Simulation is carried out on MATLAB 2010a and performance of proposed scheme is compared with conventional algorithms on the basis of communication and storage overhead. Simulation results show that proposed scheme require less communication and storage overhead than conventional algorithms

Secure Routing Optimization in Hierarchical Cluster-Based Wireless Sensor Networks

Popularity of wireless sensor networks (WSNs) is increasing continuously in different domains of daily life, as they provide efficient method of collecting valuable data from the surroundings for use in different applications. Routing in WSNs is the vital functionality that allows the flow of information generated by sensor nodes to the base station, while considering the severe energy constraint and the limitations of computational and storage resources. Indeed, this functionality may be vulnerable and must be in itself secured, since conventional routing protocols in WSNs provide efficient routing techniques with low power consumption, but they do not take into account the possible attacks. As sensor nodes may be easily captured and compromised, the classical cryptographic solutions become insufficient to provide optimal routing security, especially, for cluster-based WSNs, where cluster heads can be still among the compromised nodes. In this work, we propose a hierarchical, robust and well-adapted intrusion detection system, named THIDS, which is intended to be integrated into the secure hierarchical cluster-based routing protocols. We have chosen the protocol RLEACH to be equipped with the proposed IDS. The results of simulation performed under NS2 simulator show that the resulting protocol ORLEACH is much more resistant to compromised nodes exercising the most dangerous attacks

Secure Code Update for Embedded Devices via Proofs of Secure Erasure

Abstract. Remote attestation is the process of verifying internal state of a remote embedded device. It is an important component of many security protocols and applications. Although previously proposed re-mote attestation techniques assisted by specialized secure hardware are effective, they not yet viable for low-cost embedded devices. One no-table alternative is software-based attestation, that is both less costly and more efficient. However, recent results identified weaknesses in some proposed software-based methods, thus showing that security of remote software attestation remains a challenge. Inspired by these developments, this paper explores an approach that relies neither on secure hardware nor on tight timing constraints typi-cal of software-based technqiques. By taking advantage of the bounded memory/storage model of low-cost embedded devices and assuming a small amount of read-only memory (ROM), our approach involves a new primitive – Proofs of Secure Erasure (PoSE-s). We also show that, even though it is effective and provably secure, PoSE-based attestation is not cheap. However, it is particularly well-suited and practical for two other related tasks: secure code update and secure memory/storage erasure. We consider several flavors of PoSE-based protocols and demonstrate their feasibility in the context of existing commodity embedded devices.

Distributed IoT Attestation via Blockchain (Extended Version)

The growing number and nature of Internet of Things (IoT) devices makes these resource-constrained appliances particularly vulnerable and increasingly impactful in their exploitation. Current estimates for the number of connected things commonly reach the tens of billions. The low-cost and limited computational strength of these devices can preclude security features. Additionally, economic forces and a lack of industry expertise in security often contribute to a rush to market with minimal consideration for security implications. It is essential that users of these emerging technologies, from consumers to IT professionals, be able to establish and retain trust in the multitude of diverse and pervasive compute devices that are ever more responsible for our critical infrastructure and personal information. Remote attestation is a well-known technique for building such trust between devices. In standard implementations, a potentially untrustworthy prover attests, using public key infrastructure, to a verifier about its configuration or properties of its current state. Attestation is often performed on an ad hoc basis with little concern for historicity. However, controls and sensors manufactured for the Industrial IoT (IIoT) may be expected to operate for decades. Even in the consumer market, so-called smart things can be expected to outlive their manufacturers. This longevity combined with limited software or firmware patching creates an ideal environment for long-lived zero-day vulnerabilities. Knowing both if a device is vulnerable and if so when it became vulnerable is a management nightmare as IoT deployments scale. For network connected machines, with access to sensitive information and real-world physical controls, maintaining some sense of a device\u27s lifecycle would be insightful. In this paper, we propose a novel attestation architecture, DAN: a distributed attestation network, utilizing blockchain to store and share device information. We present the design of this new attestation architecture, and describe a virtualized simulation, as well as a prototype system chosen to emulate an IoT deployment with a network of Raspberry Pi, Infineon TPMs, and a Hyperledger Fabric blockchain. We discuss the implications and potential challenges of such a network for various applications such as identity management, intrusion detection, forensic audits, and regulatory certification

Active FPGA Security through Decoy Circuits

Field Programmable Gate Arrays (FPGAs) based on Static Random Access Memory (SRAM) are vulnerable to tampering attacks such as readback and cloning attacks. Such attacks enable the reverse engineering of the design programmed into an FPGA. To counter such attacks, measures that protect the design with low performance penalties should be employed. This research proposes a method which employs the addition of active decoy circuits to protect SRAM FPGAs from reverse engineering. The effects of the protection method on security, execution time, power consumption, and FPGA resource usage are quantified. The method significantly increases the security of the design with only minor increases in execution time, power consumption, and resource usage. For the circuits used to characterize the method, security increased to more than one million times the original values, while execution time increased to at most 1.2 times, dynamic power consumption increased to at most two times, and look-up table usage increased to at most seven times the original values. These are reasonable penalties given the size and security of the modified circuits. The proposed design protection method also extends to FPGAs based on other technologies and to Application-Specific Integrated Circuits (ASICs). In addition to the design methodology proposed, a new classification of tampering attacks and countermeasures is presented

Progetto e realizzazione di un protocollo di sicurezza per la verifica remota dell'integrità delle applicazioni in una rete di sensori

Gli obiettivi di questa tesi sono la progettazione e la realizzazione di un protocollo di sicurezza per la verifica remota dell'integrità delle applicazioni in una rete di sensori. Le reti di sensori vengono spesso installate in ambienti vasti e non sorvegliati. I sensori posso essere catturati da un avversario che può manometterli e reintrodurli nella rete allo scopo di attaccare i servizi oppure i dati che transitano nella rete. Questo tipo di protocollo permette di creare delle reti di sensori composte soltanto da nodi ‘affidabili’, verificando l’integrità delle applicazioni installate sui sensori. Il cuore del protocollo é una funzione di hash, studiata appositamente per CPU povere di risorse, grazie alla quale é possibile effettuare il calcolo di una hash sul contenuto della memoria di un sensore ogni qual volta sia necessario verificarne l’integrità. Grazie a questo protocollo é possibile contrastare attacchi che prevedono la cattura, il reverse-engineering e la riprogrammazione dei sensori con una soluzione semplice, efficiente e che non necessita di hardware aggiuntivo (software-only). In questo lavoro vengono analizzati i principali requisiti che deve possedere un protocollo per la verifica dell’integrità e vengono analizzati alcuni protocolli già esistenti. Tra questi, il protocollo PIV (Program Integrity Verification) é sicuramente il più efficiente. Purtroppo esso é vulnerabile perché soggetto ad attacchi di parallelizzazione (parallel attack). Dopo aver analizzato la vulnerabilità di PIV, ne viene proposta una modifica (PIVm) per aumentarne il livello di sicurezza e renderlo resistente ad attacchi di tipo parallel attack. Infine vengono mostrate le applicazioni che sono state create per implementare il protocollo e vengono illustrati i risultati ottenuti. L’architettura scelta per l’implementazione sono i sensori Moteiv Tmote Sky della famiglia Berkeley Motes. Con un overhead computazionale di +11,5% rispetto alla funzione PIVC originale, il modulo PIVCm é in grado di calcolare una hash in 3,4 secondi. Inoltre, grazie alle modifiche introdotte é possibile risparmiare il 97,8% dei costi di trasmissione dati tra server e sensori

Defense in Depth of Resource-Constrained Devices

The emergent next generation of computing, the so-called Internet of Things (IoT), presents significant challenges to security, privacy, and trust. The devices commonly used in IoT scenarios are often resource-constrained with reduced computational strength, limited power consumption, and stringent availability requirements. Additionally, at least in the consumer arena, time-to-market is often prioritized at the expense of quality assurance and security. An initial lack of standards has compounded the problems arising from this rapid development. However, the explosive growth in the number and types of IoT devices has now created a multitude of competing standards and technology silos resulting in a highly fragmented threat model. Tens of billions of these devices have been deployed in consumers\u27 homes and industrial settings. From smart toasters and personal health monitors to industrial controls in energy delivery networks, these devices wield significant influence on our daily lives. They are privy to highly sensitive, often personal data and responsible for real-world, security-critical, physical processes. As such, these internet-connected things are highly valuable and vulnerable targets for exploitation. Current security measures, such as reactionary policies and ad hoc patching, are not adequate at this scale. This thesis presents a multi-layered, defense in depth, approach to preventing and mitigating a myriad of vulnerabilities associated with the above challenges. To secure the pre-boot environment, we demonstrate a hardware-based secure boot process for devices lacking secure memory. We introduce a novel implementation of remote attestation backed by blockchain technologies to address hardware and software integrity concerns for the long-running, unsupervised, and rarely patched systems found in industrial IoT settings. Moving into the software layer, we present a unique method of intraprocess memory isolation as a barrier to several prevalent classes of software vulnerabilities. Finally, we exhibit work on network analysis and intrusion detection for the low-power, low-latency, and low-bandwidth wireless networks common to IoT applications. By targeting these areas of the hardware-software stack, we seek to establish a trustworthy system that extends from power-on through application runtime

Intrusion Prevention and Detection in Wireless Sensor Networks

The broadcast nature of the transmission medium in wireless sensor networks makes information more vulnerable than in wired applications. In this dissertation we first propose a distributed, deterministic key management protocol designed to satisfy authentication and confidentiality, without the need of a key distribution center. Next we propose Scatter, a secure code authentication scheme for efficient reprogramming sensor networks. Scatter avoids the use of Elliptic Key Cryptography and manages to surpass all previous attempts for secure code dissemination in terms of energy consumption and time efficiency. Next we introduce the problem of intrusion detection in sensor networks. We define the problem formally based on a generic system model and we prove a necessary and sufficient condition for successful detection of the attacker. Finally we present the architecture and implementation of an intrusion detection system which is based on a distributed architecture and it is lightweight enough to run on the nodes