Upload
aron-bradley
View
215
Download
0
Embed Size (px)
DESCRIPTION
SenSys Tool for monitoring and attacking sensor networks – Active vs. Passive attacks – Security not built into many protocols Open to Attacks SenSys provides platform for executing attacks Split into 3 components – Sniffer, Attack, Network Visualization
Citation preview
SenSys Attack Tool
David WellingJon Silliman
Project Organization
• Three step procedure– Reading paper and research sensor networks– Setting up SenSys– Exploiting a protocol using the tool• Implementation• API• SenSys Extension!
SenSys
• Tool for monitoring and attacking sensor networks– Active vs. Passive attacks– Security not built into many protocols
• Open to Attacks• SenSys provides platform for executing attacks• Split into 3 components– Sniffer, Attack, Network Visualization
Sniffer Component
Attack Component
Network Visualization
Our Protocol
• Next node and Cost for that node set during install– Cost base on physical distance
• Admin message for updating individual node• Legitimate method– Relatively Static network topology– Efficient, low overhead
• Inherently insecure
SenSys Installation
• Pain-stacking Process!• Tinyos 1.x Requirement– Cygwin Installation Instructions– AVR AND MSP430 Tools Required for FULL
functionality– Comm Libraries• Installation into System directories, Properties file into
build directories and java path
SenSys Installation Cont.
• Get the tool from SenSys Site• Download libraries– Place Comm.jar in libraries
• Load into NetBeans– Build path and command line arguments
• TOSBase on your sensor node
Protocol API
• Split into separate client and base TinyOS Programs– Client sends to closest path on timer– Sends random 8 bit values as data
• Common message type– Handled over same radio ‘channel’– Different meanings for different data types based on
message types• Constants to handle important values
Data Flow Diagram
Client Program Base Program
CustomMsg
Listen for CustomMsgListen/Send CustomMsg
Send Data
Send Data
Protocol API Cont.Client_Program{
uint8_t next_nodeuint8_t cost
send()receive()
}
Base_Program{
send()receive()
}
typedef struct CustomMsg {uint8_t source;uint8_t destination;uint8_t cost;
uint8_t msgtype;uint8_t pos_x; uint8_t pos_y;} CustomMsg;
uint8_t ADMIN_MSG = 0xff;uint8_t REGULAR_MSG = 0x00;
SenSys Modifications
• Message Incorporation via mig• Sinkhole Modification– Implement our special Admin message to trick
protocol• Replay Modification– Send custom messages of our type
• Sniffer Modification– Ability to detect messages of our types
Demo One
• Initial Network Setup and viewing in sniffing tool and topology
• Replay message to change the topology• Sinkhole attack on network
Other Functionality -- Deluge• Deluge– Network Dissemination– Easy network image maintenance vs. safety – Built on-top of TOSBoot Bootloader
• SenSys provides GUI for this and nothing more• Deluge Demo
TOSBoot
Golden Image
Image 1
Image 2
DelugeBasic
Our View on SenSys
• Many of the tools already available– Nice GUI on top of them
• Well documented code, Easily extendible• First tool for attacking sensor networks• Hacking networks is difficult
Sensor Networks
• Lack of standard protocols– Hard to learn about protocols from hex dumps
• Easier to hack if you can take a physical node– Then dump image and reverse engineer
• Hard to implement Sinkhole– Some protocols based on radio strength or timers
• Motivation to hack
Installation Problems
• Oracle doesn’t provide Comm Libraries anymore• Can’t use any form of TinyOS 2.x– Protocols changed– Program requires TOSBase from 1.x
• Problems compiling tools without AVR-GCC– Export MOTECOM=serial@COM5:telos
• Baud Rate • Group ID• Boomerang For Dispatchers• Endian-ness