Software-based Code Attestation for Wireless Sensors

Introduction

• Securing sensors in critical applications is important

• Compromise of a sensor can enable attacker to inject false sensing information

• Compromise of shared keys can enable attacker to compromise secure communications

Attestation

• How to detect compromise? Attest!

• Ensure that the contents of the memory are unchanged

– Detects sensor compromise that involves a modification of the program memory

– Compute a checksum of the memory contents

Naïve Attestation Model

• Attestation routine reads memory and computes a checksum

• Attacker must offset memory reads to avoid detection

– Offsets incur measurable delay in execution

– Attester can measure execution time to detect compromise

[Figure: Program Memory of Sensor, with regions labelled Malcode, Attest, and Unmodified Copy Of Original]

Limitations

• Suitable for directly connected devices

– Slight execution delays can be accurately measured

Remote Attestation

• How can we adapt the attestation model to work in a remote setting?

• Prevent attacker from analyzing attestation code offline

– Send the attestation routine to the sensor

– Make it different each time

• Prevent attacker from modifying attestation code

– Use techniques to make it difficult to statically analyze

Why Remote Attestation?

• Is remote attestation really necessary?

• Physical access to the sensors is not always feasible

– Military setting - sensors are located in hostile, enemy territory

– Building monitoring - sensors could be located in dangerous/inaccessible locations

Building Blocks

• Randomization

• Encryption

• Self-Modifying Code

• Obfuscation

– Opaque Predicates/Pointer Aliasing

– Junk Instructions

Opaque Predicates

• Conditions that always evaluate to true or always evaluate to false

– Evaluation result is not obvious from static analysis

• Can be formed through pointer aliasing – known to be an NP-hard problem

Junk Instructions

• Full or partial machine code instructions

– Full - distract analysis

– Partial - confuse analysis

Attestation Protocol

[Figure: Attestation protocol between Base and Sensor. Base: Generate Attestation Routine, Precompute Result, Measure Response Time, Compare Results. Sensor: Execute Attestation Routine. Messages exchanged: Attestation Routine, Checksum Result.]

Attestation Routine Overview

• Randomly step through program memory, adding values to the checksum result

• Loop repeats O(n log n) times to ensure complete coverage of the memory

• Routine will incorporate the building blocks to prevent attacks on the routine itself
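
A small simulation of the routine and protocol described on these slides, added here as an example and not taken from the presentation: the base precomputes the checksum over a reference image, the sensor runs the same seeded random walk, and the base accepts only a matching checksum within the expected step count. The xorshift32 generator, the rotate-and-add checksum, the step counter standing in for measured response time, and the 256-byte image are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256u  /* constructed toy program memory size */
typedef struct { uint32_t checksum, steps; } report_t;

/* xorshift32 stand-in PRNG (assumption); seed must be nonzero. */
static uint32_t next_rand(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}
/* n * ceil(log2 n) iterations: the O(n log n) bound from the slides. */
static uint32_t iterations(uint32_t n) {
    uint32_t bits = 0;
    while ((1u << bits) < n) bits++;
    return n * bits;
}
/* Seeded pseudo-random walk over memory, folding each byte into the checksum.
 * shadow != NULL models a compromised node that serves reads of [lo, hi)
 * from a saved original copy; every read then pays one extra step. */
report_t run_attestation(const uint8_t *mem, uint32_t seed,
                         const uint8_t *shadow, uint32_t lo, uint32_t hi) {
    report_t r = {0, 0};
    for (uint32_t i = 0, n = iterations(MEM_SIZE); i < n; i++) {
        uint32_t addr = next_rand(&seed) % MEM_SIZE;
        uint8_t byte = (shadow && addr >= lo && addr < hi) ? shadow[addr] : mem[addr];
        r.steps += shadow ? 2 : 1;           /* range check costs a step */
        r.checksum = ((r.checksum << 1) | (r.checksum >> 31)) + (byte ^ addr);
    }
    return r;
}
/* Base station: accept only a matching checksum within the step budget. */
int verify(report_t expected, report_t got) {
    return got.checksum == expected.checksum && got.steps <= expected.steps;
}
int main(void) {
    uint8_t ref[MEM_SIZE], bad[MEM_SIZE];
    for (uint32_t i = 0; i < MEM_SIZE; i++) ref[i] = (uint8_t)(i * 7u + 3u);
    memcpy(bad, ref, MEM_SIZE);
    memset(bad + 64, 0xCC, 16);              /* constructed modification */
    report_t want = run_attestation(ref, 0xC0FFEEu, NULL, 0, 0);
    printf("clean=%d modified=%d redirected=%d\n",
           verify(want, run_attestation(ref, 0xC0FFEEu, NULL, 0, 0)),
           verify(want, run_attestation(bad, 0xC0FFEEu, NULL, 0, 0)),
           verify(want, run_attestation(bad, 0xC0FFEEu, ref, 64, 80)));
    return 0;
}
```

The redirected case returns the correct checksum but doubles the step count, which is why the base compares response time as well as the result.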

• New attacks:

– Return-oriented programming: does not need to inject malicious code

– Manipulate the program stack

– Completeness in the libc library

– Not complete for sensor OS, but prototype has been demonstrated
