Software-based Code Attestation for Wireless Sensors
Introduction
• Securing sensors in critical applications is important
• Compromise of a sensor can enable attacker to inject false sensing information
• Compromise of shared keys can enable attacker to compromise secure communications
Attestation
• How to detect compromise? Attest!
• Ensure that the contents of the memory are unchanged
– Detects sensor compromise that involves a modification of the program memory
– Compute a checksum of the memory contents
Naïve Attestation Model
• Attestation routine reads memory and computes a checksum
• Attacker must offset memory reads to avoid detection
– Offsets incur measurable delay in execution
– Attester can measure execution time to detect compromise
[Figure: program memory of the sensor, showing the malcode, the attestation code and an unmodified copy of the original program]
Limitations
• Suitable for directly connected devices
– Slight execution delays can be accurately measured
Remote Attestation
• How can we adapt the attestation model to work in a remote setting?
• Prevent attacker from analyzing attestation code offline
– Send the attestation routine to the sensor
– Make it different each time
• Prevent attacker from modifying attestation code
– Use techniques to make it difficult to statically analyze
Why Remote Attestation?
• Is remote attestation really necessary?
• Physical access to the sensors is not always feasible
– Military setting - sensors are located in hostile, enemy territory
– Building monitoring - sensors could be located in dangerous/inaccessible locations
Building Blocks
• Randomization
• Encryption
• Self-Modifying Code
• Obfuscation
– Opaque Predicates/Pointer Aliasing
– Junk Instructions
Opaque Predicates
• Conditions that always evaluate to true or always evaluate to false
– Evaluation result is not obvious from static analysis
• Can be formed through pointer aliasing – resolving alias relations is known to be an NP-hard problem
Junk Instructions
• Full or partial machine code instructions
– Full - distract analysis
– Partial - confuse analysis
Attestation Protocol
[Figure: attestation protocol. Verifier side: generate an attestation routine from the base attestation routine, precompute the result, measure the response time, compare results. Sensor side: execute the attestation routine and return the checksum result.]
Attestation Routine Overview
• Randomly step through program memory, adding values to the checksum result
• Loop repeats O(n log n) times to ensure complete coverage of the memory
• Routine will incorporate the building blocks to prevent attacks on the routine itself
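As an added illustration of the routine described above (example code, not the deck's own): a C sketch of the seed-dependent random walk over program memory with the O(n log n) loop count, plus the verifier-side precompute-and-compare step. The LCG address generator, the checksum mixing, the seed value and the 256-byte sample image are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Small LCG used as the routine's pseudo-random address generator (constants from
 * Numerical Recipes; an assumption of this example, not the deck's generator). */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Loop count n * ceil(log2 n): the O(n log n) bound from the slides, which makes
 * it overwhelmingly likely that every address is visited at least once. */
size_t attest_iterations(size_t n) {
    size_t bits = 0;
    while (((size_t)1 << bits) < n) bits++;
    return n * (bits ? bits : 1);
}

/* Attestation routine: walk mem[0..n) in a seed-dependent random order and mix each
 * byte read (and its address) into the checksum. The seed is the verifier's fresh nonce. */
uint32_t attest_checksum(const uint8_t *mem, size_t n, uint32_t seed) {
    uint32_t state = seed, sum = seed;
    size_t iters = attest_iterations(n);
    for (size_t i = 0; i < iters; i++) {
        size_t addr = (size_t)(lcg_next(&state) >> 8) % n; /* skip the weak low LCG bits */
        sum += (uint32_t)mem[addr] ^ (uint32_t)addr;
        sum = (sum << 5) | (sum >> 27);                    /* rotate: visit order matters */
    }
    return sum;
}

/* Verifier side: recompute over the known-good image with the same seed and compare. */
int attest_verify(const uint8_t *golden, size_t n, uint32_t seed, uint32_t reported) {
    return attest_checksum(golden, n, seed) == reported;
}

/* Constructed demo: a 256-byte "program memory" and a copy with a 16-byte region patched.
 * Returns 1 if the intact image verifies and the patched one is rejected. */
int attest_demo(void) {
    uint8_t golden[256], tampered[256];
    for (size_t i = 0; i < sizeof golden; i++) golden[i] = (uint8_t)(i * 7 + 3);
    memcpy(tampered, golden, sizeof golden);
    for (size_t i = 0x40; i < 0x50; i++) tampered[i] ^= 0xFFu;
    uint32_t seed = 0xC0FFEE42u;  /* stands in for a fresh per-attestation nonce */
    uint32_t ok  = attest_checksum(golden,   sizeof golden,   seed);
    uint32_t bad = attest_checksum(tampered, sizeof tampered, seed);
    return attest_verify(golden, sizeof golden, seed, ok) &&
          !attest_verify(golden, sizeof golden, seed, bad);
}
```

The building blocks the deck applies to the routine itself (self-modification, opaque predicates, junk instructions) and the response-time measurement are not shown here; the sketch only demonstrates coverage and the nonce-dependent checksum.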
• New attacks:
– Return oriented programming: does not need to inject malicious code
– Manipulate the program stack
– Completeness in the libc library
– Not complete for sensor OS, but prototype has been demonstrated