
An On-Demand Secure Byzantine Routing Protocol


Page 1: An On-Demand Secure Byzantine Routing Protocol

An On-Demand Secure Byzantine Routing Protocol

David Holmer

Department of Computer Science

Page 2: An On-Demand Secure Byzantine Routing Protocol

Presentation Outline

• Introduction
• Attacks & Byzantine Behavior
• ODSBR
• Results

Feel Free to Ask Questions Throughout the Presentation

Page 3: An On-Demand Secure Byzantine Routing Protocol

Mobile Ad Hoc Wireless Networks

• Non-centralized architecture - All nodes pass traffic
• Advantages
  – Increased Coverage (overall range & less gaps)
  – Reduced Deployment Cost (less wired connectivity)
  – Rapid Deployment (self configuring & self healing)
• Security Challenges
  – Collaborative nature
    – All nodes participate in routing - can we trust them?
  – Lack of physical security
    – Wireless broadcast medium - anyone can eavesdrop
    – Mobile devices highly susceptible to theft and tampering
• Security is a Vital Component!

Page 4: An On-Demand Secure Byzantine Routing Protocol

Publications

• WiSE 2002 – “An On-Demand Secure Routing Protocol Resilient to Byzantine Failures”
• MILCOM 2004 – “The Pulse Protocol: Sensor Network Routing and Power Saving”
• INFOCOM 2004 – “The Pulse Protocol: Energy Efficient Infrastructure Access”
• WONS 2004 – “High Throughput Route Selection in Multi-rate Wireless Networks”
• IZS 2004 – “Swarm Intelligence Routing Resilient to Byzantine Adversaries”
• WONS 2005 – “The Pulse Protocol: Mobile Ad hoc Network Performance Evaluation”
• SECURECOM 2005 – “On the Survivability of Routing Protocols in Ad Hoc Wireless Networks”
• NDSS 2005 – “Secure Multi-hop Infrastructure Access”
• INFOCOM 2005 – “Provably Competitive Adaptive Routing”
• MONET Journal 2006 – “The Medium Time Metric: High Throughput Route Selection in Multi-rate Wireless Networks”
• ESAS 2006 – “Dynamics of Learning Algorithms for the On-Demand Secure Byzantine Routing Protocol”

Most relevant to this talk Other work

Page 5: An On-Demand Secure Byzantine Routing Protocol

Basic Problem

[Diagram: network between Source and Destination. Legend: Trusted Node, Correct Node, Adversarial Node. Paths shown: Shortest Path, Fault Free Path]

Page 6: An On-Demand Secure Byzantine Routing Protocol

Presentation Outline

• Introduction
• Attacks & Byzantine Behavior
• ODSBR
• Results

Feel Free to Ask Questions Throughout the Presentation

Page 7: An On-Demand Secure Byzantine Routing Protocol

Strong Attacks

• Adversarial Properties
  – Single ~ Majority
  – External ~ Byzantine / Insider
  – Individual ~ Colluding
• Attacks
  – Insertion/Modification
  – Black hole
  – Wormhole
  – Flood Rushing
  – Denial of service

[Diagrams: Black hole, Wormhole]

Page 8: An On-Demand Secure Byzantine Routing Protocol

Byzantine Behavior

• Significant research to protect against external adversaries (traditional secret based exclusion)
• However, authenticity and integrity do not provide any guarantee about the legitimacy of actions taken by authenticated / insider nodes
• Attacks where the adversary has full control of an authenticated device and can perform arbitrary actions to disrupt the network
• Byzantine Generals problem [Lamport – ’82]

Page 9: An On-Demand Secure Byzantine Routing Protocol

Related Work

• Byzantine robustness for Wired Link State routing: [Perlman – ’88]
• Authentication and integrity: [Zhou, Haas – ’99] [Hubaux, Buttyan, Capkun – ’01] [Dahill, Levine, Shields, Royer – ’02] [Hu, Perrig, Johnson – ’02, ’01]
• Blackhole: [Marti, Giuli, Lai, Baker – ’00] [Papadimitratos, Haas – ’03]
• Wormhole: [Hu, Perrig, Johnson – ’03] [Hu, Evans – ’04]
• Flood rushing: [Hu, Perrig, Johnson – ’03]
• Majority do not address the Byzantine adversarial model
• Focus on individual attacks - no comprehensive solutions!

Page 10: An On-Demand Secure Byzantine Routing Protocol

Presentation Outline

• Introduction
• Attacks & Byzantine Behavior
• ODSBR
• Results

Feel Free to Ask Questions Throughout the Presentation

Page 11: An On-Demand Secure Byzantine Routing Protocol

On-Demand Secure Byzantine Routing

• Provides Survivable routing in a Byzantine environment
• Original version published in WiSe 2002 (>25 cites)
• Trust model
  – Source and Destination are trusted
  – Intermediate nodes are authenticated (PKI & Symmetric keys) but not fully trusted
• Adversarial model
  – Majority of colluding byzantine adversaries
  – All routing attacks except - eavesdropping, resource consumption, wormhole creation, other layers
• Our solution
  – An on-demand routing protocol
  – Link based reliability metric
  – Bounded losses as long as there exists a fault-free path
  – Avoids the need for Byzantine Agreement (costly & less capable)

Page 12: An On-Demand Secure Byzantine Routing Protocol

ODSBR Protocol Overview

[Diagram: phases Route Discovery with Fault Avoidance, Link Weight Management, Byzantine Fault Detection. Labels: Discovered Path, Weight List, Faulty Link]

Page 13: An On-Demand Secure Byzantine Routing Protocol

ODSBR Protocol Overview

[Diagram: phases Route Discovery with Fault Avoidance, Link Weight Management, Byzantine Fault Detection. Labels: Discovered Path, Weight List, Faulty Link]

Page 14: An On-Demand Secure Byzantine Routing Protocol

Route Discovery

• On-demand protocol
  – Finds a least weight path
• Request flood
  – Request includes weight list and signature
  – Signature verified at every hop
  – Prevents un-authorized route requests

Page 15: An On-Demand Secure Byzantine Routing Protocol

Route Discovery (cont.)

• Response flood
  – Prevents response block attack
• Path and weight accumulated hop by hop
  – Appends signature to response
  – Lower cost updates are re-broadcast
  – Every hop verifies the entire path
  – Prevents flood rushing/blocking attack
• A min-weight path is always established
• Path is not guaranteed to be fault free

Page 16: An On-Demand Secure Byzantine Routing Protocol

Fault Detection Phase

[Diagram: phases Route Discovery with Fault Avoidance, Link Weight Management, Byzantine Fault Detection. Labels: Discovered Path, Weight List, Faulty Link]

Page 17: An On-Demand Secure Byzantine Routing Protocol

Fault Detection Strategy

• Probing technique using authenticated acknowledgements
• Naïve probing technique
  – Too much overhead per data packet!

Page 18: An On-Demand Secure Byzantine Routing Protocol

Secure Adaptive Probing

[Diagram: path from Source to Destination. Legend: Trusted Node, Intermediate Node, Successful Probe, Failed Probe, Successful Interval, Faulty Interval. Stages shown: Success, Fault 1, Fault 2, Fault 3, Fault 4]

Binary search = identified in log n faults

Page 19: An On-Demand Secure Byzantine Routing Protocol

Probe & Ack Properties

• Probes
  – Inseparable from data - listed on all packets
  – Integrity checked at each probe - HMAC
  – Enforces path order - reverse ordered HMAC list
• Acks
  – Authenticated - HMAC
  – Single combined ack packet - individual HMAC of entire ack packet so far added at each probe
  – Adversary can’t selectively drop some of the acks
  – Staggered timeouts - restarts ack packet
  – A node can’t incriminate any link but its own
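
Added example (not part of the original slides) of the combined ack packet described above: each probe appends an HMAC over the entire ack so far, and the source peels the layers to find the interval to blame. Field sizes, node ids, keys, the use of SHA-256 and the binding of the packet id into each HMAC are assumptions of this sketch; the probe list carried on data packets is not modelled.

```python
import hashlib
import hmac

ID_LEN, MAC_LEN = 4, 32          # assumed fixed field sizes for this sketch
LAYER = ID_LEN + MAC_LEN


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def add_ack_layer(ack_so_far: bytes, packet_id: bytes, node_id: bytes, key: bytes) -> bytes:
    """Run at a probe node: append own id plus an HMAC over the ack so far.

    Binding packet_id into every HMAC (an assumption of this sketch) keeps an
    old ack from being accepted for a new packet.
    """
    body = ack_so_far + node_id
    return body + _mac(key, packet_id + body)


def acked_probes(ack: bytes, packet_id: bytes, probes: list, keys: dict) -> list:
    """Run at the source: peel layers from the outside in.

    probes lists probe ids in path order, nearest the source first and the
    destination last. Returns the probes whose layers verify, stopping at the
    first layer that is missing, out of order, or fails its HMAC.
    """
    good, end = [], len(ack)
    for expected in probes:
        start = end - LAYER
        if start < 0:
            break
        node = ack[start:start + ID_LEN]
        tag = ack[start + ID_LEN:end]
        want = _mac(keys[expected], packet_id + ack[:start + ID_LEN])
        if node != expected or not hmac.compare_digest(tag, want):
            break
        good.append(expected)
        end = start
    return good


def faulty_interval(good: list, probes: list, source: bytes = b"SRC_"):
    """Interval to blame: the last probe that acked and the next probe after it."""
    if len(good) == len(probes):
        return None
    return (good[-1] if good else source, probes[len(good)])


def demo() -> dict:
    # Constructed keys and ids; the path is SRC_ -> P1__ -> P2__ -> P3__ -> DST_.
    probes = [b"P1__", b"P2__", b"P3__", b"DST_"]
    keys = {p: hashlib.sha256(b"demo-key-" + p).digest() for p in probes}
    pid = b"pkt-0001"

    def relay(ack, nodes):
        for n in nodes:
            ack = add_ack_layer(ack, pid, n, keys[n])
        return ack

    honest = relay(b"", [b"DST_", b"P3__", b"P2__", b"P1__"])
    # A node between P3__ and P2__ strips the destination's layer from the ack.
    stripped = relay(relay(b"", [b"DST_", b"P3__"])[LAYER:], [b"P2__", b"P1__"])
    # P2__ times out waiting for the downstream ack and restarts the ack packet.
    restarted = relay(b"", [b"P2__", b"P1__"])
    cases = (("honest", honest), ("stripped", stripped), ("restarted", restarted))
    return {name: faulty_interval(acked_probes(a, pid, probes, keys), probes)
            for name, a in cases}
```

Stripping an inner layer invalidates the HMAC of the probe just upstream of the tampering, so the blame lands on the interval that contains the tampering node rather than on an honest link.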

Page 20: An On-Demand Secure Byzantine Routing Protocol

Fault Identification

• Fault Definition
  – Packet loss rate violates a fixed threshold
  – Excessive delay also causes packet loss
• Identifies faulty links regardless of reason
  – Malicious behavior
  – Non-malicious malfunction
  – Adverse network behavior
    – Congestion
    – Intermittent connectivity

Page 21: An On-Demand Secure Byzantine Routing Protocol

Link Weight Management Phase

[Diagram: phases Route Discovery with Fault Avoidance, Link Weight Management, Byzantine Fault Detection. Labels: Discovered Path, Weight List, Faulty Link]

Page 22: An On-Demand Secure Byzantine Routing Protocol

Link Weight Management

• Maintains a weight list of identified links
• Faulty links have their weight doubled
• Resets link weights
  – Timed by successful transmissions
  – Bounds average loss rate
• Weight scheme provides “soft” avoidance
  – Minimal penalty for false positives
  – Network is never partitioned
  – Allows use of aggressive fault thresholds
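
Added example (not from the original slides): the binary search from the Secure Adaptive Probing slide combined with the weight doubling described above, run until route discovery settles on a fault-free path. The topology, the function names and the `interval_ok` callback, which stands in for one round of authenticated acks over a probe interval, are assumptions; weight resets are not modelled.

```python
import heapq


def least_weight_path(graph, weights, src, dst):
    """Dijkstra over link weights; links missing from the weight list cost 1."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue                      # stale heap entry
        for v in graph[u]:
            nd = d + weights.get(frozenset((u, v)), 1)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def localize_fault(path, interval_ok):
    """Halve the faulty interval until it is a single link.

    interval_ok(i, j) is True when traffic between path[i] and path[j] is
    acknowledged. Each round models one detected fault that makes the source
    place a new probe in the middle of the current faulty interval.
    Returns (faulty_link, rounds).
    """
    lo, hi, rounds = 0, len(path) - 1, 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        rounds += 1
        if interval_ok(lo, mid):
            lo = mid
        else:
            hi = mid
    return (path[lo], path[hi]), rounds


def route_until_fault_free(graph, src, dst, bad_links):
    """Discover, detect, double the faulty link's weight, repeat."""
    weights, history = {}, []
    while True:
        path = least_weight_path(graph, weights, src, dst)
        links = [frozenset(pair) for pair in zip(path, path[1:])]
        bad = [i for i, link in enumerate(links) if link in bad_links]
        if not bad:
            return path, weights, history
        first = bad[0]                    # data is lost on this link of the path
        link, rounds = localize_fault(path, lambda i, j: not (i <= first < j))
        key = frozenset(link)
        weights[key] = weights.get(key, 1) * 2   # "soft" avoidance: double, never remove
        history.append((path, link, rounds))


# Constructed topology: a ring giving a 4-link route through adversary X
# and a 6-link fault-free route between S and D.
RING = ["S", "A", "X", "B", "D", "H", "G", "F", "E", "C"]
GRAPH = {n: [RING[i - 1], RING[(i + 1) % len(RING)]] for i, n in enumerate(RING)}
BAD_LINKS = {frozenset(("X", "B"))}

if __name__ == "__main__":
    final_path, final_weights, faults = route_until_fault_free(GRAPH, "S", "D", BAD_LINKS)
    print(final_path, final_weights, len(faults))
```

Because the faulty link is only made more expensive, it stays usable if every other route becomes worse, which is why the network is never partitioned by a false positive.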

Page 23: An On-Demand Secure Byzantine Routing Protocol

Presentation Outline

• Introduction
• Attacks & Byzantine Behavior
• ODSBR
• Results

Feel Free to Ask Questions Throughout the Presentation

Page 24: An On-Demand Secure Byzantine Routing Protocol

ODSBR Attack Mitigation

• Injecting, modifying packets – HMAC
• Replay attack – use of nonces
• Flood rushing – protocol relies on the metric, and not on timing information
• Black hole – unreliable links are avoided using metric
• Wormhole – creation is not prevented, but it is avoided using metric

Page 25: An On-Demand Secure Byzantine Routing Protocol

Loss Bound Analysis

• Network of n nodes of which k are adversaries
• Assume a fault free path exists
• Protocol bounds the number of packets lost communicating with the destination

lknbqq 2log

Page 26: An On-Demand Secure Byzantine Routing Protocol

Byzantine Attack Simulation

• Simulated attacks:
  – Black Hole
  – Wormhole
  – Super-Wormhole
  – Flood Rushing
• Random & Strategic Adversary Placements

Page 27: An On-Demand Secure Byzantine Routing Protocol

AODV Simulation Summary

[Chart: Delivery Ratio (%) vs. Number of Adversaries (0 to 10). Series: Black Hole, Wormhole Random, Black Hole Rushing, Super-Wormhole Random, Wormhole Random Rushing, Super-Wormhole Random Rushing, Central Wormhole, Central Wormhole Rushing, Cross of Death Wormhole, Cross of Death Wormhole Rushing, Complete Coverage, Complete Coverage Rushing]

Page 28: An On-Demand Secure Byzantine Routing Protocol

ODSBR Simulation Summary

[Chart: Delivery Ratio (%) vs. Number of Adversaries (0 to 10). Series: Black Hole, Black Hole Rushing, Wormhole Random, Wormhole Random Rushing, Super-Wormhole Random, Super-Wormhole Random Rushing, Central Wormhole, Central Wormhole Rushing, Cross of Death Wormhole, Cross of Death Wormhole Rushing, Complete Coverage, Complete Coverage Rushing]

Page 29: An On-Demand Secure Byzantine Routing Protocol

Conclusion

• On-demand routing protocol resilient to a wide range of colluding byzantine attacks
• Adaptive probing scheme identifies faulty link location without Byzantine Agreement
• Bounded long term loss rate = guaranteed correctness in any network
• Excellent performance in a myriad of practical scenarios

Page 30: An On-Demand Secure Byzantine Routing Protocol
Page 31: An On-Demand Secure Byzantine Routing Protocol

Experimental Lessons Learned

• Most important factors:
  – Flood rushing
  – Strategic positioning
• Quantify the relative strength of different attacks
• ODSBR
  – able to mitigate wide range of Byzantine attacks
  – not significantly affected by flood rushing
  – performance decreased when a large number of adversarial links exists

Page 32: An On-Demand Secure Byzantine Routing Protocol

ODSBR - simulation

• Implementation + simulation: NS2 network simulator
• 50 nodes randomly placed within a 1000 x 1000 meter square area
• In addition, 0 to 10 adversarial nodes were added
• Random way-point mobility model
• A traffic load of 10 CBR flows
• ODSBR vs. AODV

[ACHR - SecureComm05]

Page 33: An On-Demand Secure Byzantine Routing Protocol

Black Hole Attack

• An attacker lies along the selected path
• The attacker passes routing control traffic correctly (route request, response, acks, etc.)
• However it drops or corrupts data traffic
• Strong variants may do this adaptively to avoid detection

[Diagram: Source, Destination]

Page 34: An On-Demand Secure Byzantine Routing Protocol

Black Hole - ODSBR Defense

• Secured acks detect ANY damage of data flow
• Adaptive probing localizes the damage to one of the adversary's links
• Weight of adversarial link is increased allowing correct path to be found

[Diagram: Source, Destination]

Page 35: An On-Demand Secure Byzantine Routing Protocol

Black hole attack + Flood Rushing

[Chart: Delivery Ratio (%) vs. Number of Adversaries (0 to 10). Series: AODV and ODSBR, each at 0 m/s, 1 m/s, 5 m/s, 10 m/s]

Page 36: An On-Demand Secure Byzantine Routing Protocol

Worm Hole Attack

• Two attackers establish a path and tunnel packets from one to the other
• The worm hole turns many hops into one virtual hop creating shortcuts in the network
• This allows a group of adversaries to easily draw in packets and drop them

[Diagram: Source, Destination]

Page 37: An On-Demand Secure Byzantine Routing Protocol

Worm Hole - ODSBR Defense

• Worm hole creation is not prevented
  – Impossible without assumptions about links and/or additional non-standard hardware/information
• Worm holes are “benign” unless they disrupt data flow
• Worm hole “link” can be identified and avoided

[Diagram: Source, Destination]

Page 38: An On-Demand Secure Byzantine Routing Protocol

Wormhole attack: random placement

[Chart: Delivery Ratio (%) vs. Number of Adversaries (0 to 10). Series: AODV and ODSBR, each at 0 m/s, 1 m/s, 5 m/s, 10 m/s]

Page 39: An On-Demand Secure Byzantine Routing Protocol

Central wormhole simulation

[Chart: Delivery Ratio (%) vs. Speed (m/s) (0 to 10). Series: AODV-normal, AODV-worm, AODV-worm-rush, ODSBR-normal, ODSBR-worm, ODSBR-worm-rush]

Page 40: An On-Demand Secure Byzantine Routing Protocol

Complete Coverage simulation

[Chart: Delivery Ratio (%) vs. Speed (m/s) (0 to 10). Series: AODV-normal, AODV-worm, AODV-worm-rush, ODSBR-normal, ODSBR-worm, ODSBR-worm-rush]

Page 41: An On-Demand Secure Byzantine Routing Protocol

Flood Rushing Attack

• exploits flood duplicate suppression
• authentication doesn’t help
• can result in many adversarial controlled paths

ODSBR Defense:
• hop-by-hop authentication
• process all duplicate flood packets and rebroadcast lower metric valid flood packets
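
Added example (not from the original slides) contrasting duplicate suppression with the rule of processing every duplicate and rebroadcasting lower-metric copies. The topology, delays and weights are constructed, a rushing node is modelled as one with zero rebroadcast delay, and hop-by-hop signature verification is assumed to have passed.

```python
import heapq

HOP = 1  # assumed per-link propagation time, in ticks


def flood(links, delay, origin, target, suppress_duplicates):
    """Flood from origin and return the (weight, path) the target ends up holding.

    links: {(u, v): weight}, undirected. delay: per-node rebroadcast delay.
    suppress_duplicates=True keeps only the first copy a node hears.
    suppress_duplicates=False processes every copy and rebroadcasts a copy
    only when its accumulated weight is lower than the best seen so far.
    """
    nbrs = {}
    for (u, v), w in links.items():
        nbrs.setdefault(u, []).append((v, w))
        nbrs.setdefault(v, []).append((u, w))
    accepted = {}
    events = [(0, 0, (origin,))]          # (arrival time, accumulated weight, path)
    while events:
        t, cost, path = heapq.heappop(events)
        node = path[-1]
        if node in accepted and (suppress_duplicates or cost >= accepted[node][0]):
            continue                      # duplicate dropped
        accepted[node] = (cost, path)
        if node == target:
            continue                      # the target does not rebroadcast
        for nxt, w in nbrs[node]:
            if nxt not in path:
                heapq.heappush(events, (t + delay[node] + HOP, cost + w, path + (nxt,)))
    return accepted.get(target)


# Constructed scenario: X rebroadcasts with no delay, and its link to B already
# carries weight 8 in the weight list after earlier faults.
LINKS = {("S", "A"): 1, ("A", "B"): 1, ("S", "X"): 1, ("X", "B"): 8, ("B", "D"): 1}
DELAY = {"S": 0, "A": 10, "B": 10, "D": 0, "X": 0}

if __name__ == "__main__":
    print("first copy wins:  ", flood(LINKS, DELAY, "S", "D", suppress_duplicates=True))
    print("lowest metric wins:", flood(LINKS, DELAY, "S", "D", suppress_duplicates=False))
```

With suppression, B forwards only the copy that arrived first, so the selected path runs through X even though its link is known to be unreliable; with metric-based rebroadcast the later, lower-weight copy replaces it.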

Page 42: An On-Demand Secure Byzantine Routing Protocol

Byzantine Wormhole attack

• ODSBR Defense:
  – wormhole formation is not prevented
  – wormhole will be detected and avoided

[Diagram: Source, Destination, two Adversary nodes joined by a wormhole]

Page 43: An On-Demand Secure Byzantine Routing Protocol

Super-Wormhole

• a more general (and stronger) variant of the wormhole attack
• several adversaries collude and form an overlay of Byzantine wormholes
• for n adversaries, it is equivalent to n^2 wormholes

Page 44: An On-Demand Secure Byzantine Routing Protocol

ODSBR - continued

• Fault = any disruption that causes significant loss or delay in the network
• End-to-end ACKs
• Reliability metric based on past history
• Faulty links are identified using an adaptive probing technique, and avoided during the secure route discovery
• Maximum damage that can be caused by adversaries is bounded:

qq-- - - q q++ b b kn kn log log22nn

Page 45: An On-Demand Secure Byzantine Routing Protocol
Page 46: An On-Demand Secure Byzantine Routing Protocol
Page 47: An On-Demand Secure Byzantine Routing Protocol
Page 48: An On-Demand Secure Byzantine Routing Protocol
Page 49: An On-Demand Secure Byzantine Routing Protocol

Black Hole + Flood Rushing

• Black Hole = Adversary selectively drops only data packets, but still participates in the routing protocol correctly
• Flood Rushing = takes advantage of the flood suppression mechanism
• Simulation:
  – Black hole: drop all data packets
  – Flood rushing: ignore broadcast delays

Page 50: An On-Demand Secure Byzantine Routing Protocol

Overhead – non-adversarial scenario

[Chart: Overhead (packets / second) vs. Speed (m/s) (0 to 10). Series: AODV, ODSBR]

Page 51: An On-Demand Secure Byzantine Routing Protocol

Overhead – attack scenario

[Chart: Overhead (packets / second) vs. Number of Adversaries (0 to 10). Series: AODV-BH, AODV-SW, ODSBR-BH, ODSBR-SW]

Page 52: An On-Demand Secure Byzantine Routing Protocol

Analysis

for a good path
# Losses – (# Gains) X LossRate < 0

We get
# Losses – (# Gains) X LossRate < delta

Delta = #nodes X #adv X log^2 #nodes

Page 53: An On-Demand Secure Byzantine Routing Protocol

Link Weight Management

• Maintains a weight list of identified links
• Faulty links have their weight doubled
• Resets link weights
  – Timed by successful transmissions
  – Bounds average loss rate
• Network is never partitioned

[Diagram: network with link weights of 1]

Page 54: An On-Demand Secure Byzantine Routing Protocol

On-Demand vs. Proactive Routing Security Concerns

• On-Demand
  – Source Authentication
  – Caching presents adversarial opportunity
• Pro-active
  – Harder to secure since pieces of information can not be traced back to a single source.

Page 55: An On-Demand Secure Byzantine Routing Protocol

Black Hole Attack

Problem: Adversary may delete a packet
How do we detect and avoid black holes?
• Reliable node may be blamed
• Detecting failing node: Consensus costs ($)

[Diagram: nodes a, b, c with an X mark]

Page 56: An On-Demand Secure Byzantine Routing Protocol

Worm Holes

• Two attackers establish a path and tunnel packets from one to the other
• The worm hole turns many adversarial hops into one virtual hop creating shortcuts in the network
• This allows a group of adversaries to easily draw packets into a black hole

[Diagram: Source, Destination]

Page 57: An On-Demand Secure Byzantine Routing Protocol

Flood Blocking

• Flood Blocking Attack
  – Adversary propagates a false short path
  – Intermediate nodes do not forward “inferior” valid path information
  – Source ignores the false path
  – No path is established
• Path must be verified at intermediate nodes

Page 58: An On-Demand Secure Byzantine Routing Protocol

Fault Detection Strategy

• Probing technique using authenticated acknowledgements
• Naïve technique
  – Receiving an ack from every node overly costly!

Page 59: An On-Demand Secure Byzantine Routing Protocol

OLD Route Discovery

• On-demand protocol
• Bi-directional flood
• Request flood
  – Source includes weight list and a signature
  – Request verified at each hop

[Diagram: Request, Response]

Page 60: An On-Demand Secure Byzantine Routing Protocol

OLD Probe & Ack Specification

• Probes
  – List of probes attached to every packet
  – Each probe is specified by an HMAC
  – Probes listed in path order
  – Remainder of probe list is onion encrypted
• Ack
  – Authentication via HMAC
  – Collected and onion encrypted at each probe point

Page 61: An On-Demand Secure Byzantine Routing Protocol

Thank You!

Questions??

Authors

Baruch Awerbuch, Reza Curtmola, David Holmer, Herbert Rubens
Johns Hopkins University, Department of Computer Science
{baruch, crix, dholmer, herb}@cs.jhu.edu

Cristina Nita-Rotaru
Purdue University, Department of Computer Science
[email protected]

http://www.cnds.jhu.edu/archipelago