Emergent Properties in Ad-Hoc Networks: A Security Perspective

Slide 1
Emergent Properties in Ad-Hoc Networks: A Security Perspective
  • Virgil D. Gligor
  • University of Maryland
  • College Park, MD 20815
  • gligor_at_umd.edu
  • Physical Security Workshop
  • Stockholm, Sweden
  • March 31, 2006

Slide 2
Outline
  • Emergent Properties
    - an old notion?
    - need: detection of network node capture and physical tampering
  • Two Examples of Emergent Properties
    - no physical security for network nodes
    - node-replica detection
    - Appendix: loss of secure (i.e., key) connectivity among nodes
  • Conclusions
    - E2E countermeasures to Man-in-the-Middle attacks are no longer sufficient (never claimed to be)
    - Good physical security will always be very expensive
    - Basic Invariant: always augment (un)available phys. sec. with attack detection and recovery protocols
    - Perfect countermeasures are the enemy of good ones

Slide 3
"I think it is quite likely that there may be no reduction possible; it is conceivable that life is an emergent property of physical bodies."
Sir Karl R. Popper, in Objective Knowledge: An Evolutionary Approach, Clarendon Press, Oxford, 1979 (rev. ed.), p. 292.
Slide 4
Emergent Properties
  • What is a (non-emergent) property?
    - a set of system traces all of which satisfy the same predicate
    - reduction: all system properties are in the intersection of safety and liveness properties [AS85]
  • In contrast, in some emergent properties
    - some individual system traces may not satisfy the predicate of the entire set of system traces (no refinement)
    - no reduction possible: neither a safety nor a liveness property

Slide 5
Have we seen such properties before?
  • Neither-safety-nor-liveness properties
  • Some Security Examples
    - Information Flow Policies [McLean96]
    - System Administration Property [GG98] (i.e., for a given set of commands, there exists a trace that takes the system from an arbitrary state to a state that satisfies predicate P)
    - Others [GG98] (e.g., a specific notion of compatibility of a security policy with a given application)

Slide 6
Emergent Properties in Networks
  • Network properties arising from interaction and collaboration among network nodes
  • Different from typical protocol properties
    - neither time nor locus of emergence can be easily anticipated, as emergence is uncertain (i.e., probabilistic)
    - emergence may be transient in normal mode of operation
  • Our Focus
    - emergent protocols to enhance (un)available phys. sec. measures
    - practical countermeasures to new adversary attacks

Slide 7
My Thesis
  • new network technologies: sensors, mesh, vehicular
  • new attacks: nodes are captured
    - new adversary physically tampers with network nodes
    - cannot be prevented with physical security measures
    - cannot be detected in real-time
  • require new methods and tools, ex.: emergent properties/algorithms (for imperfect but good-enough security)

Slide 8
Some Characteristics of New Net. Technologies
1. Ease of Scalable Deployment and Extension
   - ad hoc (i.e., no infrastructure) deployment and extension
   - connectivity => neither administrative intervention nor control-station (e.g., base station, CA) interaction
2. Nodes: Low-Cost, Commodity Hardware
   - low cost => physical node protection is impractical => ease of access to internal node state
   - (Q: how good should physical node protection be to prevent access to a node's internal state? A: impractically good -- as of now)
3. Unattended Node Operation
   - => adversary can capture, exploit physical access to nodes
   - detection of tampering in real-time is impractically expensive as of now
Slide 9
Ex. Physical Protection of Commodity Hardware
Neither dedicated standard nor criteria for phys. protection
  • FIPS 140 (for crypto modules) includes some requirements:
    - level 1: none
    - level 2: tamper-evident coating or seals for (administrative) tamper detection
    - level 3: enhanced physical security; separation and control of dev. interfaces
    - level 4: tamper detection and real-time response (erasure of secret data)
Two Extreme Examples
  • Low end: Smart Cards (< $40)
    - no tamper resistance
    - non-invasive phys. attacks: side-channel (timing, DPA); unusual operating conditions (temperature, power/clock glitches)
    - invasive phys. attacks: chip removal from plastic cover; microprobes, electron beams
  • High end: IBM 4758 co-proc. ($4K)
    - tamper resistance, real-time resp.
    - independent battery, secure clock
    - battery-backed RAM (BBRAM)
    - wrapping: several layers of non-metallic grid of conductors in a grounded shield, to reduce detectable EM emanations
    - tamper detection sensors (with battery): temp., humidity, pressure, voltage, clock, ionizing radiation
    - response: erase BBRAM, reset device

Slide 10
Two Examples of Emergent Properties
  • Sensor Networks: No Physical Security Measures are Available
  • An Emergent Protocol: node-replica detection
  • An Emergent Threat: loss of secure (i.e., key) connectivity among nodes

Slide 11
New Attacks: Node Capture, Replication, Insertion
[Diagram: node i and three neighborhoods (NEIGHBORHOOD i, j, k); links labelled "shared key inside neighborhood", "shared key outside neighborhood" (1, 2) and "path key" (3).]
Slide 12
New Attacks: Node Capture, Replication, Insertion
[Diagram: the same neighborhoods i, j, k and links 1, 2, 3 as the previous slide, without the key-type labels.]
Slide 13
Threats Emerging from Replication Attacks
1. Collusion to Subvert Applications
   - Ex. 1: subvert aggregation of sensor data; replicated nodes block legitimate transmissions, modify legitimate data and inject false data
2. Collusion to Subvert Network Operation
   - Ex. 1: replicated nodes block traffic to partition the network
3. Circumvent Intrusion Detection (and the net's "immune system")
   - Ex.: spread abnormal behavior over multiple replicas to avoid detection
Slide 14
Node-to-Node Broadcast: Naïve Deterministic Solution for Replica Detection
1. Network-wide Broadcast
   - each node broadcasts its claim <ID, locator, signature>
   - locator: geographic location (GPS), list of neighbors' IDs, or any property verifiable by neighbors
   - a node's public key can be added to the broadcast
2. Perfect Detection
   - receipt of conflicting claims: same ID, different locator
3. Replica Elimination
   - broadcast conflicting claims
   - broadcast recipient revokes keys of node ID (if node is in its neighborhood)
4. Problem
   - communication cost O(n^2) is very high for a large network
Slide 15
Line-Selected Multicast: Emergent Protocol Solution for Replica Detection
1. Node Local Broadcast + Neighbor Multicast to Witnesses
   - each node local-broadcasts its claim <ID, locator, signature>
   - neighbors multicast to g random witnesses with probability p
   - each line (set of nodes from neighbor to witness) stores the claim
2. Probabilistic Detection
   - at least two lines will intersect and receive a pair of conflicting claims
   - Probability?
3. Replica Elimination
   - same as above
Slide 16
Line-Selected Multicast: Emergent Protocol Solution for Replica Detection
[Diagram: the captured node in NEIGHBORHOOD k and its replica in NEIGHBORHOOD j each have their claim forwarded along lines to witnesses 1, 2 and 3; where lines from the two claimants intersect, a node holds "Conflicting Claims".]
Slide 17
Emergent Property: Replica (Conflicting-Claim) Detection
1. Detection of Conflicting Claims is a Probabilistic Property
   - probability determined by Monte-Carlo simulations [IEEE S&P 2005]
2. Subsets of the system traces may not satisfy the Property
   - i.e., some system traces may not detect conflicting claims (i.e., replicas)
   - increase the probability of satisfying the property by adding system traces (i.e., repeated runs of the protocol)
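To make the probabilistic property of slides 15 and 17 concrete, here is an added Monte-Carlo simulation (not code from the talk or from the IEEE S&P 2005 paper) of line-selected multicast on a grid: a captured node and its replica at two locators claim the same ID, each neighbor forwards the claim to g random witnesses with probability p, every grid cell on the line to the witness stores it, and a run counts as detection when one cell holds both locators. The grid topology, the straight-line rasterization, the neighbor count and the constructed positions are assumptions of this example.

```python
import random

def line_cells(a, b):
    """Grid cells along the segment a -> b; every node on the line stores the claim."""
    (x0, y0), (x1, y1) = a, b
    steps = max(abs(x1 - x0), abs(y1 - y0), 1)
    return {(round(x0 + (x1 - x0) * k / steps), round(y0 + (y1 - y0) * k / steps))
            for k in range(steps + 1)}

def detect_replica(side, locators, g, p, degree=4, rng=random):
    """One run of line-selected multicast on a side x side grid (assumed topology).
    `locators` are the distinct positions claiming the same node ID (captured node
    plus replicas). Each of the claimant's `degree` neighbors forwards the claim
    with probability p to g random witnesses, and every node on the line to a
    witness stores it. Returns (detected, stored_claims): detected becomes True as
    soon as one node holds two claims with the same ID but different locators."""
    stored = {}           # cell -> set of locators stored there for the ID under test
    cost = 0
    for loc in locators:
        for _ in range(degree):
            if rng.random() >= p:      # this neighbor chose not to forward
                continue
            for _ in range(g):
                witness = (rng.randrange(side), rng.randrange(side))
                cells = line_cells(loc, witness)
                cost += len(cells)
                for cell in cells:
                    seen = stored.setdefault(cell, set())
                    seen.add(loc)
                    if len(seen) > 1:  # conflicting claims meet at this node
                        return True, cost
    return False, cost

def estimate_detection(side, locators, g, p, runs, seed=1):
    """Monte-Carlo estimate over repeated protocol runs: (detection probability,
    mean stored claims per run), the latter for comparison with O(n^2) broadcast."""
    rng = random.Random(seed)
    results = [detect_replica(side, locators, g, p, rng=rng) for _ in range(runs)]
    hits = sum(1 for detected, _ in results if detected)
    return hits / runs, sum(c for _, c in results) / runs

if __name__ == "__main__":
    # Constructed scenario: 30x30 grid, captured node at (2, 2), replica at (27, 27).
    prob, cost = estimate_detection(30, [(2, 2), (27, 27)], g=2, p=0.5, runs=500)
    print(f"detection ~{prob:.2f}, ~{cost:.0f} stored claims/run vs n^2 = {900 ** 2}")
```

Raising `runs` is the "adding system traces" of slide 17: a single run may miss the replica, repeated runs drive the detection probability up.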
Slide 18
Conclusions
1. E2E countermeasures to Man-in-the-Middle Attacks are neither sufficient nor relevant in physical attacks
   - never claimed to handle physical attacks; always disclaimed
2. Good physical security is (will always be) expensive: a never-ending arms race
3. Basic Invariant: always augment (un)available physical security measures with attack detection and recovery protocols
4. How good should detection and recovery be? Perfect is the Enemy of the Good: must accept probabilistic security properties (with non-asymptotic 0/1 probabilities)
Slide 19
Other Attacks and Emergent Properties (Threats)
  • Loss of Secure Connectivity
    - Colluding Captured Nodes execute Correct Distributed Revocation Protocol

Slide 20
Example 2: Selective Revocation of Nodes
m=6, t=4 revoke votes in a session => revoke target
[Diagram: nodes 1-14; the revocation target sits inside its Keying Neighborhood, which lies inside a larger Communication Neighborhood; arrows labelled "propagate revocation decision" lead out of the neighborhood.]
Slide 21
Distributed Revocation: Protocol Properties
1. Complete Revocation: If a compromised node is detected by t or more uncompromised neighbors, then the node is revoked from the entire network permanently
2. Sound Revocation: If a node is revoked from the network, then at least t nodes must have agreed on its revocation
3. Bounded-Time Revocation Completion: Revocation decision and execution occur within a bounded time from the sending of the first revocation vote
4. Unitary Revocation: Revocations of nodes are unitary (all-or-nothing, everywhere-or-nowhere) in the network
Slide 22
Adversary Model and Protocol Assumptions
  • A. Adversary Model
    1. Universal Communication Presence
    2. Can Compromise any Node it Chooses
    3. Can Force Collaboration among Compromised Nodes
    4. Cannot block or significantly delay communication
  • B. Protocol Assumptions
    1. Network is quiescent during deployment of new nodes
    2. Locality of Compromised Nodes: global revocation events visible to all local nodes
    3. Minimum Node Degree > t
    4. Revocation Sessions are Relatively Rare and Cannot be Exhausted

Slide 23
Emergent Vulnerability Example
Initial State: Secure Connectivity
[Diagram: 14 nodes (1-14) joined by shared-key links; 7 legitimate nodes.]
Slide 24
Emergent Vulnerability Example
Intermediate State (m=6, t=4): compromised nodes execute revocation protocol
[Diagram: nodes 3, 4, 5, 8, 9, 10, 11, 12, 13, 14 remain; 3 legitimate nodes.]
Slide 25
Emergent Vulnerability Example
Emergent Property: Loss of Key (Secure) Connectivity
[Diagram: nodes 1-14, with one node marked "key-disconnected node".]
Slide 26
Emergent Vulnerability Example
1. Resistance to Revocation Attack: If c nodes are compromised, then they can only revoke at most a·c other nodes, where a << m/t is a constant and m is the maximum number of neighbors (at key distribution)
2. Revocation Attack Detection: Revocation attacks are detected centrally by a base station in bounded time
Slide 27
Emergent Property (Threat): Loss of Key Connectivity in Sensor Net
1. Loss of Key Connectivity is a Probabilistic Property
   - probability of key-connectivity determined by key pre-distribution scheme
2. Subsets of the system traces may not satisfy the Property
   - i.e., some system traces may not key-disconnect the sensor network
   - increase the probability of satisfying the property by adding system traces (i.e., repeated runs of the revocation protocol by adversary-captured nodes)
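An added example (not the talk's own code) that runs the revocation protocol of slide 21 exactly as specified on a small constructed shared-key graph, with colluding captured nodes (slide 19) voting against every legitimate node in their keying neighborhoods: it shows the threshold t deciding whether legitimate nodes get revoked, checks whether the survivors remain key-connected (the threat of slides 23-25), and checks the revoked-per-colluder ratio against the m/t vote-counting bound that slide 26's constant a refines. The graph, the thresholds and the bound derivation are assumptions of this example.

```python
from collections import deque

# Constructed shared-key graph (not from the talk): pairs of nodes holding a pairwise key.
SAMPLE_EDGES = [(1, 2), (1, 3), (1, 5), (1, 10), (2, 3), (2, 5), (2, 7), (3, 5),
                (3, 7), (4, 7), (5, 6), (6, 7), (7, 8), (8, 9), (9, 10)]

def build_graph(edges):
    """Keying neighborhoods: node -> set of nodes it shares a key with."""
    g = {}
    for u, v in edges:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g

def revocation_attack(keying_nbrs, compromised, t):
    """Colluders vote to revoke every legitimate node in their keying neighborhoods.
    The protocol itself runs correctly: a target is revoked exactly when t or more
    of its keying neighbors agree (complete and sound revocation)."""
    return {target for target, nbrs in keying_nbrs.items()
            if target not in compromised and len(nbrs & compromised) >= t}

def key_connected(keying_nbrs, alive):
    """True if every surviving node reaches every other over shared-key links
    that pass only through surviving nodes (revoked keys are gone network-wide)."""
    alive = set(alive)
    if not alive:
        return True
    start = next(iter(alive))
    seen, queue = {start}, deque([start])
    while queue:
        for v in keying_nbrs[queue.popleft()] & alive:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen == alive

def attack_outcome(keying_nbrs, compromised, t):
    """One revocation session by the colluders: (revoked legitimate nodes, whether
    the remaining legitimate nodes stay key-connected, revoked-per-colluder ratio).
    Vote counting gives the assumed bound ratio <= m/t: a colluder casts at most m
    votes (m = maximum keying-neighborhood size) and each revocation consumes t."""
    revoked = revocation_attack(keying_nbrs, compromised, t)
    legit = set(keying_nbrs) - set(compromised) - revoked
    m = max(len(nbrs) for nbrs in keying_nbrs.values())
    ratio = len(revoked) / len(compromised)
    assert ratio <= m / t
    return revoked, key_connected(keying_nbrs, legit), ratio
```

With colluders {1, 2, 3, 4} and t=3, nodes 5 and 7 are revoked and node 6 is left key-disconnected; with t=4 the same colluders revoke nobody, which is the kind of threshold/degree trade-off slide 22's "minimum node degree > t" assumption is about.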