Scalable Attestation Resilient to Physical Attacks for Embedded Devices in Mesh Networks

Florian Kohnhäuser, Technische Universität Darmstadt, Germany, [email protected]
Niklas Büscher, Technische Universität Darmstadt, Germany, [email protected]
Sebastian Gabmeyer, Technische Universität Darmstadt, Germany, [email protected]
Stefan Katzenbeisser, Technische Universität Darmstadt, Germany, [email protected]

arXiv:1701.08034v1 [cs.CR] 27 Jan 2017

ABSTRACT

Interconnected embedded devices are increasingly used in various scenarios, including industrial control, building automation, or emergency communication. As these systems commonly process sensitive information or perform safety critical tasks, they become appealing targets for cyber attacks. A promising technique to remotely verify the safe and secure operation of networked embedded devices is remote attestation. However, existing attestation protocols only protect against software attacks or show very limited scalability. In this paper, we present the first scalable attestation protocol for interconnected embedded devices that is resilient to physical attacks. Based on the assumption that physical attacks require an adversary to capture and disable devices for some time, our protocol identifies devices with compromised hardware and software. Compared to existing solutions, our protocol reduces communication complexity and runtimes by orders of magnitude, precisely identifies compromised devices, supports highly dynamic and partitioned network topologies, and is robust against failures. We show the security of our protocol and evaluate it in static as well as dynamic network topologies. Our results demonstrate that our protocol is highly efficient in well-connected networks and robust to network disruptions.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
© 2017 ACM. ISBN 978-1-4503-2138-9. DOI: 10.1145/1235

1. INTRODUCTION

Nowadays, networked embedded devices are increasingly present in every aspect of our lives. This paradigm, often referred to as the Internet of Things (IoT), is expected to constantly evolve in scale and complexity, reaching 20.8 billion devices by 2020 [2]. Technologies like Bluetooth Smart, IEEE 802.15.4, Wi-Fi Direct, ZigBee, or Z-Wave enable embedded devices to form large wireless mobile ad hoc networks (MANETs). In MANETs, all devices cooperate in the distribution of data in the network, thus establishing a decentralized and self-organized network topology. Interconnected embedded devices are frequently used in industrial control, building automation, military communication, or sensor networks. As such systems often process privacy-sensitive information or perform safety-critical tasks, their malfunction or misuse can cause serious damage. Unfortunately, software for embedded systems is typically written in unsafe programming languages and often reluctantly maintained. Additionally, even though an adversary requires significant resources to physically tamper with a device [8], (secure) hardware on embedded systems is usually not hardened against physical tampering; thus, interconnected embedded devices are appealing targets for cyber attacks [27, 30, 34].

To detect and mitigate such attacks, it is important to monitor the correct operation of embedded devices and detect any malfunctioning or misuse as early as possible. For this purpose, attestation protocols have been introduced, which allow a third party, the verifier, to check the integrity of a remote device, the prover. Since traditional single device attestation protocols are impractical in large mesh networks due to their overhead of attesting each device individually, scalable attestation protocols have recently been proposed [5, 7]. These protocols perform an efficient attestation of large networks by distributing the attestation burden across all devices in the network. All scalable attestation protocols are based on the assumption that an adversary can only manipulate the software of provers. Thus, they cannot withstand an adversary who is able to perform physical attacks and tamper with the hardware of provers. Yet, an adversary can rather easily capture a device and tamper with its hardware as devices forming MANETs are often distributed over wide public areas and consist of a multitude of devices. Hence, a scalable attestation protocol that is resilient to physical attacks is much needed.

Ibrahim et al. [22] presented a first approach to solve this problem by combining existing scalable attestation approaches [5, 7] with absent detection [14] to detect both software and hardware attacks. The absent detection protocol is based on the assumption that a strong adversary, who physically tampers with a device, must temporarily take the device offline for a certain amount of time, e.g., to disassemble the device and extract secret keys [8]. To detect offline and thus physically compromised devices, each device periodically emits a heartbeat that needs to be received, verified, and logged by every other device in the network. Although a functional solution to the problem, the protocol suffers from several shortcomings. First, the amount of exchanged messages per heartbeat period scales quadratically with the number of devices in the network. This causes scalability issues in large networks with respect to network communication, energy consumption, and runtime performance. Furthermore, the protocol is very error-prone, since a single defective transmission of a heartbeat suffices to cause a false positive, where a healthy device is mistakenly regarded as compromised. Aggravating this, the protocol is only able to attest the state of the overall network and cannot identify particular compromised devices. Hence, a single false positive causes the entire network to be considered as compromised. Finally, the protocol relies on the assumption that during protocol execution the network topology is static and connected, which is a very strong limitation for wireless mesh networks.

In this paper, we present the first scalable attestation protocol (SCAP) for interconnected embedded devices that is resilient to physical attacks. To protect against strong adversaries, we build on the established assumption that an adversary needs to take a device offline to physically tamper with it [8, 14, 22]. In our protocol, a single leader device periodically emits a new heartbeat that is propagated in the network. To obtain the newest heartbeat from a neighboring device, a device must authenticate itself with the previous heartbeat. Since a device that is under physical attack has to be absent for at least one heartbeat period, it will miss this period's heartbeat and thus be unable to obtain any further heartbeats. To prevent a collusion between compromised devices, heartbeats are stored in lightweight secure hardware and transmitted encrypted via secure channels. During the actual attestation, devices that fail to authenticate with the newest heartbeat are regarded as physically compromised, whereas devices with compromised software are detected based on existing software attestation techniques. In case of an outage of the leader, a new leader device is determined through a leader election process. By optionally storing the attestation result in each device, our protocol is able to efficiently attest highly dynamic and partitioned network topologies.

We show that our protocol is secure against an adversary who compromises all but one device in the network. Finally, we demonstrate the practicability of our protocol in static and dynamic networks. In summary, SCAP provides the following improvements over existing work:

• SCAP can precisely identify devices whose hardware and/or software is compromised, if less than half of all devices in the network are compromised.

• SCAP is very efficient. Compared to the best previous work [22], we reduce the number of sent messages per time period from $O(n^2)$ to $O(n)$¹, thus achieving scalability to millions of devices (where $n$ denotes the total number of devices in the network).

• SCAP is robust against network and device failures by
(1) relying on a one-to-many delay-tolerant link in contrast to a many-to-many continuous link, as used in the best previous work [22], and
(2) offering a recovery mechanism, the leader election protocol, that minimizes the amount of false negatives.

• SCAP provides a novel efficient aggregation scheme, e.g., attests of 4,000 devices fit into 1 kB. This allows to attest highly dynamic and partitioned network topologies efficiently.

• SCAP is the first scalable attestation protocol that is evaluated in dynamic network topologies.

¹ In fact, when detecting physically compromised devices through their absence, $O(n)$ transmitted messages per time period is the best possible solution, since each device must at least send or receive one message to show that it is present.

Outline. The rest of the paper is organized as follows. In § 2 we summarize existing work. In § 3 the system model, device requirements, and adversary model are presented. In § 4, we describe our novel attestation approach to detect physically compromised devices. Then, in § 5 we extend the attestation protocol to execute a recovery protocol on failures, verify the software integrity of devices, and support dynamic topologies during attestation. The performance of SCAP is evaluated in § 6. Finally, we conclude in § 7.

2. RELATED WORK

Device Attestation. Remote attestation is a mechanism that allows a third party, the verifier, to check the integrity of a remote system, the prover. Protocols that target the attestation of a single embedded device are either software-based [25, 26] or hardware-based [11, 18, 28]. Software-based techniques require no secure hardware, but rely on assumptions that have been shown to be hard to achieve in practice [6]. Hardware-based attestation mechanisms provide much stronger security guarantees by relying on lightweight security architectures. Nevertheless, single-device approaches are impractical in mesh networks due to the large overhead of attesting each device individually.

Recently, protocols started to focus on an efficient attestation of multiple embedded devices. Park et al. [29] proposed to compare the integrity measurements of multiple devices. Yet, their approach requires identical devices and only enables a probabilistic attack detection rate. Asokan et al. [7] present a highly efficient attestation scheme for large-scale networks of embedded devices that requires only Read-Only Memory (ROM) and a simple Memory Protection Unit (MPU). In their scheme, each device attests its neighbors and reports the aggregated result back to its parent, eventually received by the verifier. Ambrosin et al. [5] enhance this work by introducing a novel signature scheme that enables anyone to publicly verify the attestation result and allows the network to contain untrustworthy aggregator devices, such as routers or cloud servers. Yet, besides the work by Ibrahim et al. [22], which has been discussed in § 1, existing works consider the adversary to compromise only the software on devices. In mesh networks, this assumption may not hold, since an adversary can comparatively easily capture a device and physically tamper with it.

Capture Detection. Several works have been proposed on the detection of node capture attacks, where an adversary physically approaches and manipulates a device. They all build on the assumption that an adversary needs to take a device offline in order to tamper with it [8]. Conti et al. suggested that a node is collaboratively flagged as captured if it fails to re-meet with any other node within a fixed time interval [14, 15]. In the approach by Ho [20], nodes use statistical methods to detect absent neighbor devices in static network topologies. Recently, Agrwal et al. proposed to deploy multiple TPM-equipped cluster heads in the network, which check the integrity of the software as well as the physical presence of all nodes in the cluster [4]. Nevertheless, existing approaches are unable to detect devices with compromised software [14, 15, 20], require the deployment of additional hardware [4], are only applicable in static network topologies [20], or lack scalability [22].

Secure Data Aggregation. Since ad hoc networks are often deployed to collect sensory data, many efficient and integrity-preserving aggregation schemes for mesh networks have been proposed. Unfortunately, these schemes rely on very costly asymmetric cryptographic operations [13, 31], require to maintain a specific network topology during aggregation [21, 31], or need multiple communication rounds [36], both of which are undesirable, as they lead to communication overhead in dynamic network topologies. Thus, a lightweight aggregation scheme suitable for remote attestation of embedded devices that supports dynamic topologies and allows the identification of compromised devices is missing.

3. PRELIMINARIES

System Model. In our model, we consider embedded devices that can be heterogeneous in terms of hardware capabilities and software resources, e.g., devices with different software, computational power, storage capacity, or security functionalities. All embedded devices are connected in a mesh network topology. This topology can be static, where devices remain stationary and the network is connected, or dynamic, where devices can move freely and the network can be temporarily partitioned. However, in dynamic network topologies, we assume that devices meet each other regularly due to their mobility. Devices that are unreachable for some time $\delta$ are regarded as compromised, since it is uncertain whether they will ever contribute to the network again. We further assume that each device $D_i$ gets initialized and deployed by a trusted network operator $O$, once (§ 4.1). After deployment, the goal of $O$ is to ensure the correct and safe operation of all devices $D_1, D_2, \ldots, D_n$ in the network. Therefore, $O$ regularly verifies the integrity of all devices by executing the proposed attestation protocol. The attestation protocol determines all devices whose software is in a trustworthy, i.e., unmanipulated and up-to-date, state and whose hardware has not been tampered with. We refer to these devices as healthy devices, in contrast to compromised devices. Executing the protocol, $O$ is able to learn the precise identity of all healthy and all compromised devices. This may serve as a first step towards physically locating and recovering compromised devices. In order to perform the attestation protocol, $O$ requires a connection to at least one device in the network.

Device Requirements. We assume that each device $D_i$ provides the minimal hardware properties for remote attestation, according to the work by Francillon et al. [19]. In practice, these properties can be implemented with ROM and a simple MPU. ROM stores the protocol code and cryptographic keys, and the MPU ensures an uninterruptible execution of the protocol code and allows only protocol code to access the cryptographic keys. Recently, it has been shown that these minimal hardware properties are available even on many low-cost commodity embedded devices [24]. Additionally, our attestation protocol relies on authentic time measurements. In order to prevent malware from tampering with the device clock, each device must provide a write-protected real-time clock. Protected real-time clocks are already built into many existing commodity embedded devices [35, 37]. We henceforth refer to the execution space, where all required hardware properties are fulfilled, as Trusted Execution Environment (TEE).

Adversary Model. In this work, we regard a powerful adversary $Adv$, who is able to mount attacks on the network as well as the software and hardware of devices. In detail, $Adv$ is granted full control over all messages in the network (Dolev-Yao model). Thus, $Adv$ can eavesdrop, modify, delete, or synthesize all messages between any two entities.² Moreover, $Adv$ is allowed to compromise the software of all devices in the network. This gives $Adv$ full control over the devices' execution state and storage, yet no access to the protected contents inside the TEE. We further allow $Adv$ to capture and physically tamper with up to all but one device in the network, when attesting the overall network state, and up to half of all devices in the network, when knowledge on the precise identity of compromised devices is required. For the physically compromised devices, $Adv$ is able to access device secrets and code inside the TEE and is allowed to manipulate the clock. We note that it is impossible to guarantee a secure device attestation if all devices in the network have physically been compromised [22]. Finally, as in [22] we assume that mounting a physical attack requires at least a time $t_{attack}$, in which the device is offline, e.g., to decapsulate the device and to launch a microprobing attack. Depending on the device's level of tamper resistance and the adversary's resources, such attacks typically require hours up to weeks in specialized laboratory environments [33].

² We note that the model allows Denial of Service (DoS) attacks, such as jamming or cutting wires. These attacks cannot be prevented against a physically present adversary. However, DoS attacks have no influence on the security of our scheme, as $Adv$ cannot use them to forge a healthy system state.

4. SCAP

In the following, we describe the SCAP protocol, which identifies devices in the network that have physically been tampered with. Note that the detection of hybrid attacks, i.e., attacks that target hardware and software, is discussed in the next section (§ 5.2). SCAP consists of three different phases. In the initialization phase (§ 4.1), the trusted network operator $O$ initializes each device once, before the deployment of the network. The heartbeat phase (§ 4.2) is periodically executed during the operation of the network. In this phase, all physically uncompromised devices maintain a valid state by sharing a common group key, namely the heartbeat. We will show how the heartbeat is periodically regenerated and propagated in the network and demonstrate that physically compromised devices are unable to obtain the heartbeat. Finally, in the attestation phase (§ 4.3), $O$ initiates an attestation of the network and obtains a report, which exhibits all physically compromised devices.

4.1 Initialization Phase

Preliminaries. Devices can either be in a healthy or compromised hardware state. We discretize the time into non-overlapping time periods $t \in \{1, 2, 3, \ldots\}$ of fixed length $\delta$. We reference the starting times of each time period with $T_1, T_2, T_3, \ldots$. The real time $T_{clock}$ can be read by any device from a reliable read only clock RROC(), which for simplicity is assumed to be synchronized between all devices. Each device keeps track of the current time period $t$, running from time $T_t$ until $T_{t+1}$. In the remainder of this section, we assume an implementation of a function Checktime($t$) that returns a constant HB iff the real time is within the time period indicated by parameter $t$, i.e., $T_t \le T_{clock} < T_{t+1}$, and otherwise false.

Enrollment. In the enrollment phase, the network operator $O$ initializes the TEE of all devices with the following secrets. First, devices store two initial heartbeats $hb_{cur}$ and $hb_{next}$, which function as a group secret between all healthy devices. Second, each device is equipped with a device-dependent symmetric key $dk_i$, used during attestation to generate a device unique attest, and an asymmetric key pair $(pk_i, sk_i)$, employed to establish secure channels between devices. Finally, devices record the current time period $t$, their own device identifier $D_i$, and the identifier of the leader device $D_{min}$, which is the first device $D_1$ in the network. Table 1 provides a summary of relevant definitions. For explanatory reasons, we assume an initial enrollment of all devices. However, SCAP also allows devices to be enrolled at any point in time by issuing the current heartbeat.

Acronym                       Usage
$\delta$                      length of heartbeat period
$t$                           current time period
$D_i$                         unique device identifier
$D_{min}$                     device identifier of the leader device
$hb_{cur}$                    current valid heartbeat
$hb_{next}$                   heartbeat valid in next time period
$pk_i, sk_i$                  key pair for channel establishment
$k_{ij}, k_{ik}, \ldots$      channel keys with neighbors $D_j, D_k, \ldots$
$dk_i$                        device key for attestation with operator

Table 1: Overview of all secrets stored in the $D_i$'s TEE.

4.2 Heartbeat Phase

Basic Idea. The heartbeat protocol is the core protocol of our approach. It excludes devices from the network that are offline for more than one time period and, hence, are assumed to be physically tampered with. During protocol execution, a so-called leader device emits a new secret group key, named heartbeat, that is propagated in the network. Obtaining this heartbeat requires a device to authenticate with the heartbeat of the previous time period. Therefore, devices that are offline in an arbitrary time period $T_a$ miss the heartbeat that is propagated in $T_a$ and thus are unable to obtain a heartbeat in any subsequent time period $T_{a+1}, T_{a+2}, \ldots$. Since any communication between devices in all protocols is secured using the newest heartbeat as a key, physically compromised devices are unable to participate any more. In the following, we describe the heartbeat transmission protocol, formalized in Figure 1, which is run between two neighboring devices to transfer the heartbeat from one device to the other.

    Sender device D_i:    broadcast(msg_new)
    D_i -> D_j:           msg_new
    Receiver device D_j:  Execute in TEE:
                            if Checktime(t) = HB:
                              hb_cur ← hb_next
                            msg_req ← AEnc(hb_cur ⊕ k_ij, 0)
    D_j -> D_i:           msg_req
    Sender device D_i:    Execute in TEE:
                            if Checktime(t−1) = HB:
                              z ← ADecOrAbort(hb_cur ⊕ k_ij, msg_req)
                              if z = 0:
                                msg_hb ← AEnc(hb_cur ⊕ k_ij, hb_next)
    D_i -> D_j:           msg_hb
    Receiver device D_j:  Execute in TEE:
                            if Checktime(t) = HB:
                              hb_next ← ADecOrAbort(hb_cur ⊕ k_ij, msg_hb)
                              t ← t+1
                              D_min ← D_i
                          broadcast(msg_new)

Figure 1: The heartbeat transmission protocol between a sender $D_i$ and receiver $D_j$ after secure channel establishment, i.e., both devices share a channel key $k_{ij}$ and know their identities.

Heartbeat Transmission Protocol. The emission of the new heartbeat in every time period is initialized by the leader device. As soon as the leader observes that the real time $T_{clock}$ has reached the start of a new time period (Checktime($t$) returns HB), the leader first updates the heartbeat of the current time period $hb_{cur}$ to the most recently exchanged heartbeat $hb_{next}$. We remark that heartbeats could also be indexed by the time period in which they are active, e.g., $hb_1, hb_2, hb_3, \ldots$. However, as only two heartbeats are relevant for any device, only these two, i.e., the current and next heartbeat, are stored and referenced. After updating the current heartbeat, the leader samples a new heartbeat $hb_{next}$ for the subsequent period $t+1$ and increments its time pointer $t$ by one. Consequently, the time period described by the pointer is now ahead of the real time, $T_t > T_{clock}$. A time pointer ahead of the real time indicates to a device that it is in possession of a heartbeat for the upcoming time period. The leader initialization code is illustrated below.

    Execute in TEE:
      if Checktime(t) = HB:
        hb_cur ← hb_next
        hb_next ←$ {0,1}^n
        t ← t+1
    broadcast(msg_new)

Next, the leader informs its neighbors about the new heartbeat with a message $msg_{new}$. For simplicity, we henceforth assume that two neighboring devices have already established a shared secret $k_{ij}$ by performing a key exchange using their public keys authenticated with the current heartbeat. On receiving $msg_{new}$ from any device $D_i$, a device $D_j$ will enter its TEE and check whether the next time period has been reached. If this is the case, $D_j$ will update its current heartbeat to the previously communicated one. Afterwards, $D_j$ encrypts a fixed string, e.g., '0', under the current heartbeat $hb_{cur}$ XOR-ed with the channel key $k_{ij}$ shared by both devices and sends the result to $D_i$. We refer to this XOR-ed key as the session key. A healthy $D_i$ can decrypt the message by also computing the session key. A successful decryption proves that $D_j$ is in possession of the current heartbeat (and the channel key) and is therefore eligible for the next heartbeat. Then, $D_i$ answers with a message $msg_{hb}$ containing the next heartbeat $hb_{next}$, also encrypted with the session key. On successful decryption, device $D_j$ stores the new heartbeat as $hb_{next}$. Afterwards $D_j$ increments its time period pointer and then announces this new heartbeat to its neighbors with $msg_{new}$. Figure 3a illustrates the heartbeat transmission phase in a network with 6 healthy devices and one adversarial device $D_A$ that was physically compromised in time period $t=2$.

We note that the heartbeat protocol relies on the availability of the leader device, which constitutes a single point of failure. In § 5.1 we present an extension that makes the heartbeat protocol more robust against device outages, network partitioning, or targeted denial of service attacks.

4.3 Attestation Phase

Basic idea. The attestation protocol allows the operator $O$ to check the state of all devices in the network. For this purpose, $O$ issues an attestation request that is answered by all devices with an attestation report. Propagating the attestation request through the network arranges a spanning tree whose root is $O$. This enables an efficient transmission and aggregation of attestation reports along the spanning tree to $O$. SCAP supports two variants of attestation. The first variant allows to attest the overall network state and is secure against an adversary who compromises all but one device. However, it only outputs a Boolean result, namely whether all devices are healthy or not. The second variant precisely identifies compromised devices by id and in this way increases the protocol's robustness and applicability in practice. Yet, it requires more than half of all devices in the network to be healthy.

    Network operator O:   ts ← time()
                          msg_V ← AEnc(dk_i, ts‖n)
    O -> D_i:             msg_V
    Device D_i:           Execute in TEE:
                            ts‖n ← ADecOrAbort(dk_i, msg_V)
                            if isValidReq(ts):
                              attest ← AEnc(dk_i, ts)
                              agg_i ← agg(attest, n)
                              msg_att ← AEnc(hb_cur ⊕ k_ij, ts‖n)
    D_i -> D_j:           msg_att
    Device D_j:           Execute in TEE:
                            ts‖n ← ADecOrAbort(hb_cur ⊕ k_ij, msg_att)
                            if isValidReq(ts):
                              attest ← AEnc(dk_j, tstamp)
                              agg_j ← agg(attest, n)
                              msg_agg ← AEnc(hb_cur ⊕ k_ij, ts)
    D_j -> D_i:           msg_agg
    Device D_i:           Execute in TEE:
                            agg_j ← ADec(hb_cur ⊕ k_ij, msg_agg)
                            agg_i ← merge(agg_i, agg_j)
    ... possibly more devices, e.g., D_k ...
    D_i -> D_k:           msg_att
    Device D_k:           ... same as above for D_k ...
    D_k -> D_i:           msg_agg
    Device D_i:           Execute in TEE:
                            agg_k ← ADec(hb_cur ⊕ k_ik, msg_agg)
                            agg_i ← merge(agg_i, agg_k)
                            msg_res ← AEnc(dk_i, agg_i)
    D_i -> O:             msg_res
    Network operator O:   res ← ADecOrAbort(dk_i, msg_res)
                          return verify(ts, res)

Figure 2: The attestation protocol after secure channel establishment, i.e., all devices share a channel key $k$ and know their identities.

Attestation protocol. The protocol is formalized in Figure 2. The operator $O$ initially connects to a device $D_i$ in the network and emits an attestation request. The request contains the concatenation of a current timestamp $ts$ and the number of devices $n$ in the network, encrypted under the device's key $dk_i$, which is only shared between $D_i$ and $O$. By verifying the authenticity and timeliness of the request (isValidReq($ts$)), denial of service attacks through replays can be prevented. Next, the attestation request, consisting of the concatenation of $ts$ and $n$, is propagated by $D_i$ to its neighboring devices. This and all following communication between two devices is secured with the pairwise session key, i.e., the current heartbeat XOR-ed with the channel key. Any device that receives an attestation request first verifies the request and then also propagates the request to its neighboring devices. These steps are repeated until the attestation request reaches devices whose neighbors already have received the request. In this way, a spanning tree is constructed. Leaf devices that cannot propagate the request any further return an attestation report to their parent device from which they initially obtained the attestation request. The attestation report contains their own attest, which consists of $ts$ encrypted under their own device key. Every non-leaf device merges its own attest (and identifier) with all received attestation reports and propagates the merged report to its parent device. Eventually, $D_i$ merges a final report that contains all healthy devices in the network. This final report is encrypted under $dk_i$ and transmitted to $O$, who verifies the report, as described in the next paragraph.

We note that the attestation must be completed in time $t_{attack}$ or $O$ has to periodically check the presence of $D_i$ during attestation. Otherwise, $Adv$ can physically tamper with $D_i$ to extract an aggregate and induce attests of physically compromised devices. Figure 3b illustrates the attestation phase in a network with 6 healthy devices and one adversary device $D_A$ that was physically compromised.

[Figure 3: network diagrams. (a) Heartbeat protocol. (b) Attestation protocol.]

Figure 3: In Fig. 3a the heartbeat protocol is illustrated for 7 devices in time period $t=2$. All devices store the initial heartbeat $hb_1$ that was used to secure the exchange of $hb_2$. Subsequently, $hb_2$ is used to exchange the next heartbeat $hb_3$ for the upcoming time period $t=3$. Such an exchange is illustrated between $D_4$ and $D_6$. We observe that $D_A$ was physically compromised in time period $t=2$ and thus did not receive $hb_2$. Hence, $D_A$ is also unable to obtain $hb_3$ or any following heartbeat. In Fig. 3b, the same network is illustrated in time period $t=3$, while answering an attestation request by $O$. This request was forwarded to all devices that were in possession of the current heartbeat $hb_3$. Consequently, $D_A$'s attest is not included in the attestation report, as it is excluded from all communication in the attestation protocol. Using a spanning tree topology, attestation reports are propagated back to $O$ and aggregated in each hop.

Report Aggregation and Merging. An aggregated attestation report consists of two parts. The first part contains a description of all device identifiers that are in the aggregate. The second part consists of the aggregated attests. For a small number of devices, the description is a list of device identifiers, else it is an $n$-bit vector, where a one at position $k$ indicates that $D_k$ is contained in the aggregate. The attests themselves are aggregated by XOR-ing all individual attests. Multiple attestation reports are aggregated by merging their device descriptions and XOR-ing their aggregated attests. When attesting the overall network state, the attestation report consists of only the aggregate, as a device identification is not required. This decreases the size of the report significantly (§ 6.2). Therefore, to increase efficiency, it is useful to run the attestation with precise device identification only if an attestation of the overall network state fails.

Report Verification. Given a device description, $O$ recomputes the attests for all devices whose id is contained in the description. Given no description, $O$ recomputes the attests for all devices. If the recomputed aggregate equals the reported aggregate and if at least $n/2$ attests are included in the report, then the report is assumed to be valid. Only then, all attested devices are assumed to be healthy and the verification returns a bit vector, where a zero/one at position $k$ indicates that $D_k$ is compromised/healthy.

4.4 Security Analysis

Intuitively, an attestation protocol is secure, when the network operator $O$ will testify a healthy system state, if not a single device has physically been compromised. We refer to such an attestation scheme as non-informative secure. Moreover, an informative secure attestation protocol allows $O$ to distinguish between healthy and compromised devices. We follow the idea of Asokan et al. [7] and prove the security of our protocol by an adversarial experiment $\mathrm{SECATT}^{n,c}_{Adv}(k)$. In this experiment, the adversary $Adv$ is given access to a network of $n$ initialized devices $Net$ that execute the heartbeat and attestation protocol. $Adv$ can interact with all devices according to the attacker model presented in § 3. Moreover, we assume any adversary $Adv$ to be computationally bound (PPT). Hence, $Adv$ is able to interact a polynomial number of times $k$ with devices in the network (and the authenticated encryption scheme). Furthermore, $Adv$ is allowed to trigger and observe attestations by $O$. After at most $k$ interactions, a final attestation is initiated by $O$. The output of $\mathrm{SECATT}^{n,c}_{Adv}(k)$ is then a bit vector returned by $O$ after verification of the final request. A bit vector with only zeros indicates a compromised network, whereas every bit set to one indicates a healthy device, cf. § 4.3. We capture the intuitive idea of secure attestation in the following definition.

Definition 1. Secure Attestation Scheme. A network attestation scheme for $n$ devices is secure if

$$\Pr[\mathrm{SECATT}^{n,c}_{Adv}(k) = 1^n] \le \mathrm{negl}(k)$$

for any PPT $Adv$ and $0 < c < n$, where $c$ is the number of compromised devices. An attestation scheme is informative and secure if

$$\Pr[\mathrm{SECATT}^{n,c}_{Adv}(k)[j] = 1] \le \mathrm{negl}(k)$$

for any PPT $Adv$ and every compromised device $D_j$, where $[j]$ is the $j$'th bit in the result vector and the total number of compromised devices $c$ is less than $n/2$.

Note that the definition of a non-informative secure attestation scheme is similar to the definition given in [7], which is defined without device identification in mind.

Security of SCAP. The security of SCAP is summarized in Theorem 1.

Theorem 1. SCAP is an informative and secure attestation protocol when the length of a heartbeat period $\delta$ is at most $t_{attack}/2$, assuming security of the PRNG and authenticated encryption scheme that guarantees confidentiality (IND-CPA) and authenticity (INT-CTXT).

In the following paragraphs, we sketch a proof to show that SCAP is an informative secure attestation scheme. The sketch is split in two parts. First, we sketch a proof for Theorem 2, which formalizes the security of the heartbeat protocol, before arguing the security of the full protocol.

Theorem 2. Any PPT $Adv$ is unable to gain access to any heartbeat $hb_t$, which is used to secure the communication in time period $t$, before time period $t+1$, assuming $\delta < t_{attack}/2$, security of the PRNG, secure channels between devices and an authenticated encryption scheme that guarantees IND-CPA and INT-CTXT.

Intuitively, the security of the heartbeat protocol is achieved by using an interactive protocol that requires the receiving device to prove its knowledge about the current heartbeat to the sending device. Only then, the next heartbeat is exchanged. This active participation makes it impossible for offline devices to follow the continuous 'stream' of heartbeats.

Proof Sketch - Heartbeat. We observe that no two heartbeats are linked. Hence, it is impossible to derive any $hb_t$ from $hb_1, hb_2, \ldots, hb_{t-1}$ without breaking the security of the PRNG.

[...] being able to break the IND-CPA security of the encryption scheme. Yet, to win $\mathrm{SECATT}^{n,c}_{Adv}$, $Adv$ has to report at least $n/2$ (informative) or $n$ (non-informative) valid attests, while being allowed to only compromise up to $c < n/2$ or $c < n$ devices. Consequently, since $Adv$ is unable to forge an attest for a healthy device with non-negligible probability, $Adv$ has to merge the attests of compromised devices with attests created by healthy devices.

During the actual attestation protocol, two cases can be distinguished. First, the device $D_i$ that $O$ approaches for the attestation is compromised. In this case, $Adv$ can create an attestation report for all compromised devices. However, without access to a valid heartbeat and thus session key, $Adv$ can only create a valid attestation request message $msg_{att}$ with non-negligible probability, when breaking the INT-CTXT security of the encryption scheme. Hence, no healthy device will contribute an attest. Similarly, in the second case, where $O$ first approaches a healthy device, $Adv$ is, for the same argument as described above, unable to decipher or induce any message in the attestation protocol between healthy devices. Furthermore, the security of a XOR aggregation scheme, as used here, is shown in [23] and consequently, SCAP is non-informative secure, when only accepting a complete aggregation report that includes the attests of all devices. Furthermore, it is informative secure, when accepting reports with at least $n/2$ attests, because attests can be attributed towards their device id. Finally,
Moreover, assuming synchronized clocks, every we remark that the ‘honest majority’ assumption c < n/2 healthydevicestoresatmosttwoheartbeatsinanytimepe- is required, as otherwise a dishonest majority could fake a riodt,namelyhb ,hb orhb ,hb . Whencompromising healthy systems state. t−1 t t t+1 asingledeviceintimeperiodtandassuminganattacktime of t ≥ 2·δ, the attack will be successful not earlier 5. PROTOCOLEXTENSIONS attack than in time period t+2. The TEE of the compromised In the following, we present three significant extensions device will then leak at most heartbeat hbt+1, but no later to SCAP. First, we make the heartbeat transmission phase heartbeats,asthesearenotpresentintheTEE. Weobserve morerobustagainstfailures(§5.1). Next,weextendSCAP that withanyattack time tattack <2·δ, Advwouldbe able to verify the integrity of the software on all devices in the to compromise a device without missing a single heartbeat network (§ 5.2). Finally, we propose an extension that al- period, and thus render the protocol insecure. lows efficient attestation in highly dynamic and disruptive We show that Adv is unable to gain access to the cur- network topologies (§ 5.3). rent heartbeat by interacting with healthy devices with- out breaking the security of the authenticated encryption 5.1 LeaderElectionProtocol scheme. During the heartbeat exchange, all messages sent The leader election phase extends the heartbeat trans- between two devices D and D are encrypted with a ses- i j mission phase, to make it more robust against failures. In sion key that is the XOR of the pairwise channel key k ij particular,devicesthatfailtoreceivethecurrentheartbeat and the current heartbeat hb at time t. Thus, the session t electanewleaderdevicethattakesoverthetasksofthepre- key is only known to D and D at time t. We observe that i j vious leader, i.e., the periodic emission of a new heartbeat. 
with access to only one (or none) of the two keys, Adv is In this way, the heartbeat protocol is able to recover from unabletocreateortodecryptamessagethatisacceptedby device outages, network partitioning, or targeted denial of D or D without breaking the INT-CTXT and IND-CPA i j service attacks. security of the encryption scheme. Hence, even when com- The leader election protocol is initiated by every device promising further devices and extracting (past) heartbeats, that fails to receive the heartbeat within a time δ that is hb Adv is unable to decrypt any past or future communication shorter than the heartbeat period δ (δ < δ). Devices ex- hb between D and D , as Adv is missing the pairwise channel i j ecute the leader election protocol inside their TEE and use key k . Similarly, after compromising a device and gaining ij the remaining leader election time δ = δ−δ to deter- le hb access to all channel keys, Adv is still missing the current mine the device with the smallest id, which then becomes heartbeat to construct the session key, required to interact the new leader device (bully algorithm). For this purpose, with neighboring devices. The same arguments hold for all devices initially generate their own heartbeat and then an- messages sent between devices in the aggregation protocol, nounce this heartbeat together with their device id to all since they are all encrypted using the pairwise session key. neighboring devices. Devices store the smallest device id ProofSketch-Attestation. Theattestofasingledevice that they received in the leader election phase, including D istheencryptionofthetimestampts,issuedbyO,under the corresponding heartbeat. Whenever a device updates i D ’s device key dk . Thus, Adv is only able to forge an itssmallestreceivedidandheartbeat,itbroadcastsbothto i i attestforahealthyD withnon-negligibleprobabilitywhen their neighboring devices. Thus, the new smallest id and i heartbeat are quickly propagated in the network. 
A device recognizes itself as the new leader device, if it only receives messages from devices with higher device ids. Note that the original leader has the smallest id in the entire network, hence, the protocol also tolerates a return of the original leader. In Appendix A.1, we formalize the leader election protocol, describe it in more detail, and demonstrate its security.

5.2 Attestation of Software Integrity

In order to attest the correct and safe operation of all devices in the network, it is crucial to ensure that devices are in a trustworthy software state, free from malicious or broken software. For this purpose, we propose that the network operator O defines a set of trustworthy software states tss in the attestation request, when initiating an attestation of the network. Tss specifies all software configurations that are permitted by O, e.g., because they represent the correct and most recent software states. When devices perform the attestation protocol, they invoke the execution of a software integrity measurement function in their TEE. This function measures the integrity of installed software and compares these measurements to the reference values specified in tss. In this way, each device determines whether it is in a trustworthy or untrustworthy software state. Devices being in an untrustworthy software state immediately abort the attestation phase and instead execute a recovery routine that allows the device to restore a trustworthy software state, e.g., via secure code updates [24]. Since untrustworthy devices do not participate in the execution of the attestation protocol, O receives a report which exclusively contains devices that are in a trustworthy software and uncompromised hardware state. In Appendix A.2, we extensively explain changes that need to be done to the enrollment phase and the attestation protocol to enable such a hybrid attestation. Furthermore, we discuss the security of the extension.

5.3 Attestation of Dynamic Networks

Approach. The attestation protocol in SCAP (§ 4.3) arranges a spanning tree, which allows for an efficient aggregation and transmission of the attestation report to the network operator O. This approach works efficiently as long as the network topology stays static during attestation, for instance, as devices in the network only move as a whole (herd mobility) or within local limits (micro-mobility). However, in dynamic network topologies with highly mobile devices and frequent link disruptions, it is impractical to maintain a spanning tree topology. In such networks, communication with a parent device could introduce a significant delay or become highly inefficient, as the parent device could move away. Even worse, the parent device may be temporarily out of range and thus be disconnected from the network.

Therefore, instead of routing the attestation along a virtual topology, we propose a distributed (greedy) aggregation, where attestation reports are collected and aggregated by all devices in the network. Thus, after O initiates the attestation protocol, each device first generates its own attestation report, stores this report, and broadcasts it to all neighboring devices. When a device receives an attestation report, it merges this report with its stored report. On observing new attests, the device broadcasts the updated report to all its neighboring devices. In this way, all devices in the network eventually store the same attestation report and O can obtain the attestation result from an arbitrary device in the network.

To reduce the communication complexity, an aggregation scheme for the above mentioned approach must allow to merge multiple reports with intersecting attests into one. This requirement renders the aggregation function described in § 4.3 inapplicable, because its XOR operation risks the removal of intersections of attests from the aggregate. Because of this and following the analysis of aggregation protocols in § 2, we present a novel aggregation scheme for dynamic networks that is particularly tailored to the application scenario.

Secure & Efficient Attestation Report Aggregation. The here proposed scheme achieves statistical security and is slightly less powerful than the spanning tree aggregation scheme, as it allows an adversary to compromise at most c < n/2 − s devices, with $2^{-s}$ being the statistical security level. In our scheme, an attestation report also consists of two parts, namely the device description and the secure aggregate itself. The device description is an n-bit vector where a bit is set for every device included in the aggregate. The aggregate consists of an $n_s = (n+s)$-bit vector, where a single bit indicates the attest of a device. A device $D_i$ that receives an attestation request with timestamp ts creates its own attest using a collision resistant cryptographic hash function H by computing $a = H(dk_i || ts)$ in its TEE. Subsequently, $D_i$ sets a bit at position i in the device identifier as well as a bit at offset compress(a) in the secure aggregate, where compress is a function that reduces the hash value to a value of length $n_s$ bits. Note that compress does not need to be cryptographically secure, but it should achieve a close to uniform output distribution for uniformly distributed input. All other bits in both vectors are set to 0. In order to merge multiple attestation reports, a device computes the bit-wise OR of all attestation reports. This can be done very efficiently and allows to aggregate reports with intersections of devices. Both the secure aggregate and the list of device identifiers could be compressed, for instance, by using a run-length encoding. Nevertheless, even without compression, a very short attestation report is achieved with a length of only 2n+s bits, e.g., 266 bytes for 1000 devices and a security level of s=128 bit, which is a significant improvement over a naïve concatenation of attests that requires more than 16k bytes. Even though Adv has a good chance to guess a small number of attests correctly, the security of the scheme is based on the hardness to guess (at least) s attests correctly. A detailed security analysis of this scheme is given in Appendix A.3.

6. EVALUATION

Next, we evaluate SCAP (§ 4) and its three protocol extensions (§ 5). In § 6.1, we describe our setup, give details of the implementation, and present our measurements. Then, we report on our network simulation results for both static (§ 6.2) and dynamic network topologies (§ 6.3).

6.1 Implementation & Measurements

Setup. We implemented our protocol on Stellaris EK-LM4F120XL microcontrollers. The Stellaris is a low-cost embedded system from Texas Instruments which features an 80 MHz ARM Cortex-M4F microprocessor and 256 kB of Flash memory. To enable wireless mesh connectivity based on the ZigBee standard, we equipped the Stellaris microcontrollers with Anaren's CC2530 BoosterPacks.

Cryptographic Runtime Measurements. We implemented the hash function using SHA-512 and employed AES in Galois/Counter Mode (AES-GCM) as an authenticated encryption scheme. For the key exchange, we used Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 [9]. Table 2 shows an excerpt of our cryptographic runtime measurements on the Stellaris microcontroller.

| Algorithm | Function | Runtime |
|---|---|---|
| ed25519 | genKey() | 18 ms |
| ed25519 | keyExchange() | 48 ms |
| AES-128-GCM | encrypt(16 bytes) | 0.1 ms |
| AES-128-GCM | encrypt(1024 bytes) | 1.8 ms |
| AES-128-GCM | decrypt(16 bytes) | 0.1 ms |
| AES-128-GCM | decrypt(1024 bytes) | 1.8 ms |
| SHA-512 | hash(16 bytes) | 0.4 ms |
| SHA-512 | hash(1024 bytes) | 3.1 ms |
| SHA-512 | hash(30720 bytes) | 81.9 ms |

Table 2: Crypto Runtime Performance on the Stellaris.

We would like to stress that our implementation is based on platform independent and unoptimized C code.³ Assembler optimized code for low-end embedded systems can improve the performance of cryptographic operations by orders of magnitudes [17, 38]. We presume that similar performance improvements are also possible on the Stellaris.

³ We used SUPERCOP's ed25519 implementation (https://ed25519.cr.yp.to/software.html) and SharedAES-GCM (https://github.com/mko-x/SharedAES-GCM).

Network Runtime Measurements. For unicast messages between two neighboring devices in the mesh network, we measured an average throughput of 35.0 kbps on the application layer. Although the theoretical maximum throughput in ZigBee networks is 250 kbps, other performance evaluations revealed similar performance losses in reality [12]. In addition, we measured an average end-to-end delay between two neighboring devices of 13.5 ms with the smallest message size and 18.5 ms with the biggest message size.

Memory Costs. In our implementation, devices store their own ECDH key pair (64 bytes), the current and the next heartbeat (each 16 bytes), the leader device id (4 bytes), k secure channel keys and device ids (each 20 bytes), and a timestamp (4 bytes). The number k of stored secure channel keys can be adjusted to the particular memory requirements, since devices can establish channel keys right away by performing an ECDH key exchange with a neighboring device (§ 4.2). Additionally, devices need to temporarily store data: the public key of a neighboring device (32 bytes) during key exchange, a session key (16 bytes) during heartbeat transmission, and the attestation report during attestation. The size of the attestation report is dependent on the number n of devices and the usage of the dynamic network extension. If it is used with a security level of 128 bit, the report amounts to n/4+16 bytes, if not, to n/8+16 bytes. However, as reports can be compressed using run-length encoding, their actual size is much lower for most devices in the network. In total, devices require 104+k·20 bytes of permanent storage and at most n/4+16 bytes of temporary storage.

6.2 Simulation Results for Static Networks

Setup. We first evaluated our protocol in static network topologies, where all devices are connected and stationary. Thus, there are no link breaks or abrupt delays in the network communication. We used ns 3.25 [1] to simulate a homogeneous network with ten to multiple million Stellaris devices. Following the typical evaluation methodology in scalable attestation protocols [5,7,22], we implemented our protocol on the application layer and used computational and network delays based on our measurements (see § 6.1).

Heartbeat Protocol Runtime. We simulated the runtime of the heartbeat protocol in various topologies. Figure 4 shows the runtime for a binary, 4-ary, and 8-ary tree topology with up to 550.000 devices, where the heartbeat leader device is located at the root of the tree. The figure demonstrates that in tree network topologies, protocol runtime increases logarithmically with the number of devices in the network. Under these conditions, the heartbeat protocol achieves an outstanding performance, requiring less than 2.3 seconds to reach 500.000 devices in an 8-ary-tree and less than 1.7 seconds in a binary tree topology. Even with multiple million devices, runtime remains below 2 seconds in a binary-ary tree topology. Only the first run of the heartbeat protocol in the network requires a little more time, since neighboring devices initially need to exchange public keys and perform key exchanges to establish shared secrets. Yet, even with the additional key exchanges runtime remains below 5.1 seconds for more than 500.000 devices.

Figure 4: Heartbeat protocol runtimes in various static topologies. The dotted line shows the runtime of the first heartbeat with the initially needed key exchanges. (Axes: runtime (s) over number of devices in network.)

Attestation Protocol Runtime. We configured the attestation protocol to use the software attestation extension (§ 5.2) and thus to attest the hardware and software state of all devices in the network. To verify the integrity of installed software, devices compute a SHA512 digest over a 30 kB software and compare the digest to an expected value that is specified in the attestation request. For attestation we used the spanning tree attestation approach (§ 4.3). Figure 5 shows the runtime for a binary and 8-ary tree topology with up to 550.000 devices, where the network operator is located at the root of the tree. Additionally, we varied the type of the attestation report, containing either the precise ids of healthy devices (solid lines) or the state of the overall network (dashed lines). The figure demonstrates that reporting precise device identifiers introduces a notable overhead. When reporting the overall network state, attestation runtime increases barely with the number of devices in the network, remaining below 2 seconds even for networks with multiple million devices in almost any tree topology. Yet, when reporting precise device ids, runtime increases to more than 152 seconds for 500.000 devices due to the large size of the attestation report, which increases proportionally with the network size. Nevertheless, we consider that 2.5 minutes is an acceptable timeframe to obtain a report that precisely lists which devices are in a compromised state.

Figure 5: Attestation protocol runtimes in two static topologies with and without sending device identifiers in the aggregate. (Axes: runtime (s) over number of devices in network.)

Communication Costs. During heartbeat transmission, all devices, except for the leader device, receive $msg_{new}$ (1 byte), send $msg_{req}$ (17 bytes), and receive $msg_{hb}$ (17 bytes) to obtain the newest heartbeat, using a one byte message identifier. If devices need to (re-)establish a secure channel key, they need to mutually exchange their public keys, which causes an additional message overhead of 32 bytes. For instance, in a binary tree topology, devices transmit in total 104 bytes, or 296 bytes with the initial key exchange, in each heartbeat transmission period.

During the execution of the attestation protocol, all devices receive one $msg_V$ (17 bytes) or $msg_{att}$ (17 bytes). Also, devices send a $msg_{att}$ to all neighbor devices that have not yet received $msg_{att}$ and afterwards receive a $msg_{agg}$ from them (≤ n/8+16 bytes). If the device's software integrity is attested (§ 5.2), $msg_V$ and $msg_{att}$ contain the set of trustworthy software states tss, in our evaluation a 64 bytes hash digest. In short, assuming a binary tree topology and n = 1000 devices, during a run of the attestation protocol, each non-leaf device transmits at most 666 bytes and each leaf device 222 bytes.

Summary. We demonstrated that our protocol is highly efficient in static network topologies. In comparison to the previously best attestation protocol that is secure against physical attacks [22], we reduce the number of transmitted messages per time period from $O(n^2)$ to $O(n)$. To illustrate this advantage, in binary-tree topologies our approach is 27 times faster with 2000 devices and 3800 times faster with 500,000 devices when interpolating their results. The comparison already considers the fastest variant presented in [22], which requires each device to store and manage n symmetric keys. In our protocol, devices must only store the keys of neighboring devices, e.g., 3 in a binary tree topology.

When attesting the state of the entire network, both protocols ([22] and SCAP) show a runtime that scales logarithmically with n. Nevertheless, in contrast to [22], SCAP also allows to determine the ids of compromised devices with low overhead even in larger networks.

6.3 Simulation Results for Dynamic Networks

Setup. We further evaluated our protocol in highly dynamic and disruptive networks to investigate its robustness in complex scenarios. To model device mobility, we randomly deployed devices in a 1000m x 1000m square area and applied a random waypoint mobility model, which is commonly used in literature on absence detection [14,16]. Consequently, each device repeatedly selects a random speed as well as a random destination within the area and then moves towards the destination at the selected speed. The random device movement causes the network to be constantly partitioned, especially for sparse networks. In order to investigate effects like link disruptions, varying network delays, and signal interference that emerge due to the movement of devices, we modeled an 802.15.4 physical and medium access control layer using the ns-3.25 lr-wpan module. Modeling both layers as well as device mobility requires a lot of computational power. This is a known issue in MANET simulations, which leads to huge simulation runtimes [10]. For these reasons, we were only able to run simulations with a few hundred devices. Nevertheless, as we will show in this section, the main hurdle of our protocol is to perform well in sparse networks. Scalability of our approach in dense networks, where all devices are permanently interconnected, is shown in the previous section. In addition to the above mentioned simulation parameters, we set the wireless communication range to 50m (50% of the distance specified in the ZigBee standard), the device speed to a random value between 5 and 15 m/s, and the heartbeat as well as the leader election period to 2.5 minutes (detecting physical attacks that require more than 10 minutes).

Figure 6: Heartbeat protocol average runtime in a dynamic topology until false positives occur. The boxplot shows the distribution of simulation results for the single false positive case. (Axes: time to false positives (days) over number of devices in network.)

Heartbeat Protocol Robustness. We investigated the robustness of the heartbeat protocol in worst cases, which are highly dynamic and disruptive network topologies. In particular, we examined the time until the protocol produces false positives, i.e., healthy devices that are regarded as physically compromised, because they did not receive the heartbeat on time. Figure 6 illustrates the average runtime of the heartbeat protocol until a certain amount of false positives occur. The figure shows that the number of devices in the network has a vital influence on the robustness of the
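
Added example (not code from the paper or its implementation): the XOR aggregation of § 4.3 next to the bitwise-OR aggregation of § 5.3, showing why overlapping reports break the former, followed by the greedy dissemination on a constructed 64-device ring. The device keys, the timestamp, the HMAC stand-in for the encrypted attest, the modulo-based compress and the OR-side check are assumptions.

```python
import hashlib
import hmac
from functools import reduce

S = 128  # statistical security parameter s from § 5.3

def device_key(i):
    """Constructed stand-in for the device key dk_i known to D_i and O."""
    return hashlib.sha256(b"constructed dk %d" % i).digest()

def xor_attest(i, ts):
    """§ 4.3 attest; the paper encrypts ts under dk_i, HMAC is an assumed stand-in."""
    tag = hmac.new(device_key(i), ts, hashlib.sha512).digest()
    return int.from_bytes(tag[:16], "big")

def or_offset(i, ts, n):
    """§ 5.3: a = H(dk_i || ts), then compress() to a bit offset in the
    (n + s)-bit aggregate; reducing modulo n + s is an assumption."""
    a = hashlib.sha512(device_key(i) + ts).digest()
    return int.from_bytes(a, "big") % (n + S)

# A report is (device description, aggregate), both bit vectors kept as ints.
def xor_report(ids, ts):
    desc = reduce(lambda d, i: d | 1 << i, ids, 0)
    return (desc, reduce(lambda x, i: x ^ xor_attest(i, ts), ids, 0))

def or_report(ids, ts, n):
    desc = reduce(lambda d, i: d | 1 << i, ids, 0)
    return (desc, reduce(lambda x, i: x | 1 << or_offset(i, ts, n), ids, 0))

def merge_xor(a, b):
    return (a[0] | b[0], a[1] ^ b[1])

def merge_or(a, b):
    return (a[0] | b[0], a[1] | b[1])

def listed(desc, n):
    return [i for i in range(n) if (desc >> i) & 1]

def verify_xor(report, ts, n):
    """§ 4.3 verification: recompute the aggregate for the listed devices and
    require at least n/2 attests. Returns the healthy-device bit vector or 0."""
    ids = listed(report[0], n)
    valid = xor_report(ids, ts) == report and len(ids) >= n / 2
    return report[0] if valid else 0

def check_or(report, ts, n):
    """Assumed consistency check for a § 5.3 report: every listed device must
    have its attest bit set. The acceptance threshold is omitted because the
    page defers that analysis to Appendix A.3."""
    desc, agg = report
    ok = all((agg >> or_offset(i, ts, n)) & 1 for i in listed(desc, n))
    return desc if ok else 0

def greedy_aggregate(n, neighbours, ts, absent=()):
    """§ 5.3 distributed (greedy) aggregation: each device stores its own
    report, merges every report it hears and rebroadcasts on change."""
    stored = {i: or_report([i], ts, n) for i in range(n) if i not in absent}
    changed = True
    while changed:
        changed = False
        for i in list(stored):
            for j in neighbours[i]:
                if j in stored and merge_or(stored[j], stored[i]) != stored[j]:
                    stored[j] = merge_or(stored[j], stored[i])
                    changed = True
    return stored

def demo():
    n, ts = 64, b"constructed-timestamp-0001"
    full = (1 << n) - 1
    # Two partial reports that both contain devices 24..39 are merged.
    xor_mix = merge_xor(xor_report(range(40), ts), xor_report(range(24, n), ts))
    or_mix = merge_or(or_report(range(40), ts, n), or_report(range(24, n), ts, n))
    # Constructed ring; device 7 stands for a device without the current
    # heartbeat, which takes no part in the attestation.
    ring = {i: [(i - 1) % n, (i + 1) % n] for i in range(n)}
    stored = greedy_aggregate(n, ring, ts, absent={7})
    return {
        "xor_disjoint_ok": verify_xor(xor_report(range(n), ts), ts, n) == full,
        "xor_overlap_result": verify_xor(xor_mix, ts, n),
        "or_overlap_ok": check_or(or_mix, ts, n) == full,
        "all_devices_agree": len(set(stored.values())) == 1,
        "gossip_lists_all_but_7": stored[0][0] == full ^ (1 << 7),
        "bytes_for_n_1000": (1000 + 1000 + S) // 8,
    }

if __name__ == "__main__":
    print(demo())
```

With XOR, the attests of devices 24..39 cancel and O rejects a report from an entirely healthy network; with OR, merging is idempotent, so every device on the ring converges to the same report.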
