EcoSec

Transcript

1. EcoSec: A thin security layer for interactive programming on WSN

   Chien-An “Zero” Cho Directed by Prof. Pai H. Chou

2. “Outline” • Introduction • System Overview • Technical Details •

   Evaluation • Conclusion

3. “Motivation”

4. None

5. sense> outdoor temp 30 °C query> room occupancy exec >

   A/C to 20 °C for occupied room HVAC Control

6. sense> room occupancy sense> room temperature for occupied room Fire

   Scene

7. • The world is dynamic • To adapt dynamic world,

   macroprogramming is gaining its popularity • How do you secure a dynamic sensor network?

8. “Challenges”

9. SMALL footprint for tough platform 16k code size + 1k

   RAM

10. fine-grained access control, down to sensor levels

11. U SECURE while running code at native speed

12. “Related Works”

13. Interactive Programming Virtualized Environment WSN Access Control

14. Interactive Programming EcoCast Marionette LiteShell

15. EcoCast/Marionette is a pure runtime environment. Both have no security

    features. This is where EcoSec can be integrated into.

16. LiteShell is a command console on node. It allows control

    and execute the hex files located on node. EcoSec can also integrated into it as a pre-flight HEX check mechanism.

17. Virtualized Environment SenShare Darjeeling

18. SenShare/Darjeeling can be seen as secured since the apps are

    sandboxed/virtualized. However, the footprint requirements are even higher and performance is bad.

19. WSN Access Control WirelessHART SpartanRPC

20. WirelessHART is de facto protocol for the industry- grade instrument

    comm. It uses AES-128 with various keys to protect end-to-end comm. It does not provide fine-grained ACL.

21. SpartanRPC is capable of define fine-grained policies. However, it is

    too abstract and high- level (built on nesC). The footprint is also big.

22. “Contributions”

23. Some Preface...

24. 1 2 3 Server Client Resources request?

25. EcoSec is a thin security layer for dynamic wireless sensor

    network composed by three layers.

26. the 3 layers cryptography handler resource locator policy enforcer

27. None

28. EcoSec

29. eco://epl.tw:9002/:RF/3F/PCRoom/temp.js?unit=c request (URI, CODE, AUTH)

30. check the credentials scan the code hook the sensitive instructions

    sign the sanitized code EcoSec Server

31. eco://epl.tw:9002/:RF/3F/PCRoom/temp.js?unit=c signed (URI, CODE’, CERT)

32. signed-request eco://epl.tw:9002/:RF/3F/PCRoom/temp.js?unit=c

33. verify-request eco://epl.tw:9002/:RF/3F/PCRoom/temp.js?unit=c

34. “System Components”

35. “Cryptography Handler”

36. Use for verifying certificates and code signing. We deployed an

    ARC4 cipher in current implementation.

37. “Resources Locator”

38. Resources are defined as sensors/memory on the nodes. We’ll use

    an independent server to resolve URI to actual resources, acting like DNS.

39. but before that...

40. How do we define URI for WSN? Note that current

    URI has no concept of transportation.

41. eco://epl.tw:9002/:RF/ 3F/PCRoom/temp.js? unit=c Last components is RESOURCE URI consists of

    ENDPOINTs and a RESOURCE. if no ENDPOINT specified, assume ANY.

42. “Policies Enforcer”

43. Policies is used to restrict access to resources. Gateway marks

    the sensitive codes and it’ll be verified upon execution on nodes.

44. “Technical Details”

45. “Object Space”

46. All objects/relationships are stored in a huge object space. Object

    can be referenced quickly by UUID.

47. #<WSNObject:: TemperatureSensor: Built-in temperature sensor([UUID])> Object Class

48. Relationships are retained in programming language and also object store.

    All metadata from ancestors will be available and overridable by children.

49. ecosd_node0 Class: WSNObject::Node UUID: 7e786020-7179-012f-ce09-549a20d0e1e2 Based On: 7e785510-7179-012f-ce08-549a20d0e1e2 Metadata: Tag:

    NTHUCS-3F-PCROOM-00 Path: /3f/pcroom/00 Connections: [0] WSNObject::Connection -SPI-> WSNObject::TemperatureSensor

50. ecosd_node0 Class: WSNObject::Platform UUID: 7e785510-7179-012f-ce08-549a20d0e1e2 Based On: 00000000-0000-0000-0000-000000000000 Metadata: Platform:

    EPL EcoSD Connections: [0] WSNObject::Connection -Built-In-> WSNObject::Accelerometer EcoSD Platform

51. “EcoSec Server”

52. EcoSec Server is a HTTP service on the gateway. It

    provides facilities for nodes registration, node lookup and user request signing.

53. Verb Path Description GET / Server Report GET [WSN Path]

    Object Lookup POST [WSN Path] Object Request / (de)registration POST /sign Sign a request

54. “Code Signing”

55. Code signing works by swap out sensitive instructions to a

    call for parameters check.

56. 0103: MOV 0x80, #0x2 trying to pull high to GPIO

    P0.1 0100: MOV R0, 0x2 0103: MOV 0x80, R0

57. MOV 0x80, R0 MOV 0x80, R0 MOV 0x18, 1 MOV

    0x19, 0x01 MOV 0x20, 0x03 LCALL ecosec_sentry MOV 0x80, 0x20 RET code stub

58. Sentry check if the access is allowed. If so, execute

    the original command, or abort execution and reboot.

59. “EcoSec Node”

60. EcoSD Hardware Platform Operating System / Runtime EcoSec Userspace Code

61. XDATA CODE SRAM BLK 1 0x0000 0x01FF Host OS EcoSec

    1. map 0x000 ~ 0x01FF to CODE (black region indicates area after memory remap) Mapped: Payload SRAM 2. jump to payload

62. Function Description void ecosec_init() Init cryptography system of EcoSec bool

    ecosec_verify() Verify if payload is properly signed and authorized bool ecosec_execute() Execute payload securely * To save code/mem size, arguments like PSK, payload are pre-configured at compile-time.

63. CODE EcoSec Sanitized Code SRAM EPC RSL 1. jump to

    EPC to preserve env. 5. continue execution 2. call sentry to verify access 3. jump back to EPC to run the instruction 4. return to sentry to cleanup

64. “Evaluations”

65. EPL EcoSD Platform 16Mhz 8051-compatible MCU Integrated nRF24L01 RF 16KB

    code + 1KB RAM

66. “Payload Overhead”

67. overhead = (α+β) * Ɣ α: size of sensitive instruction

    β: size of code stub = 12 Ɣ: num. of sensitive instructions

68. to find out α, Ɣ...

69. lots of real world apps* average numbers

70. α = 58, Ɣ = 2 for full app

71. 812 extra bytes for sanitizing a full app

72. RPC payload will usually have 5 ~ 10 sensitive instructions

    only. ≑140 bytes extra

73. “Latency”

74. latency = Δ + (ε * Ɣ) Δ: RF transmission

    delay ε : execution time latency Ɣ: num. of sensitive instructions

75. Δ overhead = 812 bytes RFrate = 1Mbit/s ≑ 0.0061

    seconds

76. codestub: 19 verification: 166 + 138 * 20 total: 2945

    cycles ≑ 0.0001 seconds

77. total delay

78. ≑ 0.0062 seconds

79. “Future Work”

80. “Toolchain Integration”

81. Our current work does not know anything about the payload.

    Integration with compiler allows more advanced optimization and relocation to be done.

82. “Security Algorithms”

83. 8051 platform is too resource- constrained. We would like to

    explore more algorithms such as One-Way Hashes to be used with EcoSec.

84. “Hybrid Static Analysis”

85. Current server does not do static analysis. We would like

    to distribute some load to server by allowing server to perform a quick scan to pick out those denied access using direct addressing/immd. value.

86. “Conclusion”

87. EcoSec is a novel security framework for the dynamic WSN.

    It’s small, high-performance while providing fine-grained control.

88. DEMO

89. None

90. Q&A