ProgressinInformatics,No.5,pp.49–64,(2008) 49 Specialissue: Thefutureofsoftwareengineeringforsecurityandprivacy Survey Paper Security software engineering in wireless sensor networks Eric PLATON1and YuichiSEI2 1NationalInstituteofInformatics 2TheUniversityofTokyo ABSTRACT Theengineeringofsecurityisanessentialdisciplineinsoftwareengineering. Itrequiresone toembraceaholisticapproach,asanyweaknessalongtheengineeringprocessofthesystem mayleadtofuturesecuritybreaches. Itisingeneraldifficulttoachieveandbecomespartic- ularlyacuteinwirelesssensornetworks,owingtothestringentlimitationsincommunication andcomputationalpower. Wesurveythecurrentstateoftheartonthistopicandset forth issuesthatrequirefurtherstudy. Theanalysisofcurrentworkcoversgeneralsecurityissues ofwirelesssensor networkresearchanddiscusses the presentachievements forengineering securitywithregardstoearliersurveysinthisdomain. Wealsocoversecuritycapabilitiesof major implementation platforms, namely TinyOS and Sun SPOTTM, and present available andrequiredmechanismsthatwillbecomeessentialforsoftwareengineers. KEYWORDS Securityengineering,wirelesssensornetworks,softwareengineering,survey 1 Introduction Securityengineeringisanessentialdisciplineofsoft- Securityisbeyonddoubtoneofthegreatchallenges wareengineeringandtheincreasingawarenessofsecu- in software systems. Mostcompanies relyextensively rity issues is widely recognized[1],[2]. Embracing a on informationsystems to supporttheir dailybusiness holistic approachon securityis bothvery difficultand activities. Themultiplicationanddiversification ofat- ofcrucialimportance,asanyweaknessintheengineer- tacks against these vital systems call for appropriate ing process and in any component of the system may protections. Beyond business, the fact that our lives lead to a security breach. Security concerns become are becoming increasingly digitized with the rise of particularly acute in applications deployed over wire- internet-basedservicesfurtheremphasizestheneedfor lesssensornetworks,owingtothestringentlimitations security(e.g.,protectingindividuals’privacy). Thead- in communication and computational power[3],[4]. ventofubiquitouscomputingandotherpervasiveplans Perrigetal.[4]expressedin2004that‘wehavetheop- to integrate computers in any object stress security is- portunity to architect security solutions into [wireless sues even more; virtually all aspects of life can be sensor] systems from the outset, since they are still in monitored, inspected, mined, and dissected in an Or- theirearlydesignandresearchstages’. wellian manner. Advances in miniaturization of hard- The present paper reports on the situation in 2007, wareandenergytechnologypermitunthinkablescenar- covering three aspects as follows. As a first broadas- ios. Therefore,wirelesssensornetworksgrowintoboth pect, we briefly review the main security concerns in a greattechnologywithnotableapplicationsandapo- wireless sensor networks (WSN) in the next section. tential threat, if security concerns are not considered For the second aspect, sections 3 and 4 report on re- appropriately. search advances in security engineering. Section 3 presentsresearchonsecuritymechanismsandsection4 ReceivedSeptember28,2007;RevisedNovember16,2007;AcceptedNovem- emphasizes research issues that are addressed insuffi- ber29,2007. cientlytoguaranteehighlevelsofsecurityengineering, 1)[email protected],http://honiden-lab.ex.nii.ac.jp/˜eric/ compared with the security objectives in WSN. Sec- 2)[email protected],http://honiden-lab.ex.nii.ac.jp/˜sei/ DOI:10.2201/NiiPi.2008.5.6 (cid:1)c2008NationalInstiuteofInformatics 50 ProgressinInformatics,No.5,pp.49–64,(2008) tion5coversthethirdaspect,namelyconcretetechnol- ditional securitysolutionsinclude encryption andpro- ogyandtoolstoengineersecurityfeaturesofsystems. tocols,whichguaranteedatahidingandconsistentpro- Itbrieflyintroducestherepresentativetechnologiesthat cessingrespectively. Encryptionoftenreliesonkeyin- serveengineeringapplicationsonWSNandfocuseson frastructurestosecurethecommunications. Keysmust the latest available platform, Sun SPOTTM from Sun be deployed on network nodes to guarantee the confi- Microsystems, Inc.TM. We present the security facili- dentialityofdata. Thephysicalattackofnodescanre- ties provided by the platform and identify the current vealsomekeys,sothatconfidentialitycannotbeguar- shortcomingsofthistechnology. anteedlocallyto theattackednode[10],[11], with po- tential risk to epidemically break protections through 2 Security Challenges in Wireless Sen- the network. Encryption is also an expensive process, sor Networks e.g. asymmetric cryptography, and a number of re- Pastsurveysonsecurityinwirelesssensornetworks searchteamsworkoncontrollingandreducingitscost report research issues and solutions that remain chal- impact[12],[13]. lenging problems despite recent achievements[3]–[6]. Protocols enforce systematic processing in the net- In this section, we review the main concerns of secu- work, so that one can assume for example that access rityinwirelesssensornetworkstoprovideupdatedin- controlisconsistentlyappliedthroughoutthenetwork. formationandintroducethebackgroundofsecurityen- WSN applications communicate using unreliable net- gineering in WSN. There are three main elements for works, where unpredictable environmental conditions information security that need to be ensured:1) con- can prevent protocols from being completed success- fidentiality, integrity, and availability[2]. Traditional fully. Protocolsarethereforecarefullycraftedandpro- techniquesforthesethreeconcernscannotbeusedoff videdegreesofresiliencetonetworkissues,butallad- theshelf,becausewirelesssensornetworkshavestrin- ditional functionalities incur computational costs that gentanddistinctivecharacteristics. First,sensornodes require time for completion. In other words, proto- areusuallydeployedinenvironmentsthatattackerscan colscannotusuallyguaranteefullconsistency,notably easily access. Sensor nodes are not usually tamper- inenvironmentswithfast-paceddynamicsasinWSN. resistant, because of hardware limitation and cost is- State-of-the-art technologies such as Network Access sues[7],[8]. Hence,attackerscangetsensornodes,ex- Control (NAC)—currently in active development— tract stored keys, and then can insert malicious code. aretailoredfornetworkswithsignificantresourcesand This node compromising is one of the main issues in thecaseofWSNisnotyetconsideredasviableinvest- wireless sensor networks. Second, sensor nodes are ment,thusleavingroomforsignificantresearch. limited in their energy and computation abilities. We Multi-levelsecurityisanothermechanismrelatedto brieflyreviewconfidentiality,integrity,andavailability confidentiality butchallenging on WSN. It allowsdif- for wirelesssensor networks considering these two is- ferent users with different rights to use network data. sues. For example, super-users can have full access with maximumresolutiononthedatawhereassimpleusers 2.1 Confidentiality can only access limited data with a low sample rate. Thechallengeagainstemsfromphysicalissues: com- Theprotectionofdataassetsandprivacyaredifficult putationpowerandeavesdropping.Eavesdroppingmay requirements to fulfill on WSN but necessary to guar- break a multi-level security scheme by letting simple antee reasonable degrees of confidentiality. Network users access more data ‘by accident’. In addition, the nodesare easy to capture and compromise, thus, frac- schememustbeconsistentthroughoutthenetwork:for tions of assets can steadily be stolen from the system allnetworkpositions, a user musthave the same level withoutappropriateprotectionagainstattackingnodes. ofaccessrights. Atrustednetworkcanalsofailtoensureprivacyifau- Most research efforts address these challenges with thentication and access control are not enforced con- particularfocusoncryptographyandkeyestablishment sistently: queries to the network from different loca- strategies. tions or with different credentials could deliver differ- Cryptography. Traditional cryptography mecha- entaccesslevelswithoutadequatemanagement. WSN nisms have been difficult to apply to WSN, owing are therefore vulnerable to Sybil attacks[9], distance- to their limited computation and memory[14],[15]. bounding attacks (masquerading nodes in some loca- Recent improvements in cryptographic primitives and tions),andlocationleaks. power of network nodes allow their usage in practice Confidentialityrequiresdedicatedmechanisms. Tra- (see section 5), but they still require significant re- sources. 1)Pleaserefertothediscussionin2.4fortheirrelationtootherimportanttopics, Keyestablishment. Keyestablishmentreferstothe suchasauthenticationandfreshness. Securitysoftwareengineeringinwirelesssensornetworks 51 deployment of a key infrastructure (KI) on a WSN. promise remainsanissue, asthedestructionorlossof Much work focuses on the challenge to settle keys control of nodes unilaterally reduces availability met- on ‘free’ nodes at the system initialization phase[16], rics. but also at run-time when nodes must be added or re- Second, the broadcasting communication model of placed[17]–[19]. The difficulties in these challenges WSN is sensitive to denial-of-service attacks, includ- aretocopewithcompromisednodes,astheythwartKI inghigh-energyandjammingattacks[23]–[25]. Tradi- playingitsintendedprotectiverole. tionalattackslikemessagedroppingaremanagedwith standard approaches, such as multiple routing of the 2.2 Integrity same message, but the resource limitations clearly re- Integrity is a well-known issue in wiredandmobile stricttheirviability. phone networks. WSN can therefore rely on a sig- nificant amount of models and techniques. WSN in- 2.4 Discussion troduce additional challenges because of their limited ChallengesinWSNremainnumerous,especiallyrel- resources. Despite the increase in available resources ative to the background of existing awareness for se- with latest hardware, physical constraints clearly pre- curity in distributed and mobile systems. The impor- vent from comparing capacities on WSN with full- tance of the holistic approach is salient due to the di- fledged notebooks or even low-end mobile phones, as rectexposureofthesystemtoexternal,environmental, WSN nodes tend to be even smaller[20]. Cryptogra- andmaliciousthreats. Onedifficultyinthisissueisto phy is among the main techniques to ensure integrity, findabalancebetweenthesoftwarecontribution,which anditremainsachallengewithregardstoenergyman- consumesenergybutispotentiallyrobustagainstintru- agementanddecentralizedapproaches. sions,andhardwareorhumancontributions,whichcan Locating data sources poses acute integrity issues bettercontrolenergy,evenrenewit,butemphasizeex- in WSN. Forensics and network administrators will posure. Securityengineeringhastocopewiththisbal- need to track data back to their sources in some cir- ance. cumstances (when possible, owing to destructive in- Inadditiontomainsecurityproperties,theliterature networkaggregation). Thelocationofsourcesrequires referstoissueslikequalityofservice,freshness,orau- thatdataisnotalteredwhenitmigratestothesink,so thentication. Qualityofserviceextendsavailabilityand thatintegrityisanecessarycondition. ischallenging,too.Datafreshnessreferstoproblemsof The network infrastructures also differ significantly inappropriate message duplicates (intentional or acci- fromothersystems,sothatexistingworkmaynotadapt dental)andissourceofproblemsofintegrityandavail- to WSN modelsappropriately. In particular, the num- ability.Authenticationaimsatguaranteeingtheidentity berofsensornodesperbasestationisverylarge,com- of principals and is therefore a precondition to confi- pared to mobile phone or wireless broadband connec- dentiality. Thetwoissuesoffreshnessandauthentica- tions.Theseconditionsstressthelimitationsofexisting tionareaddressedinthissurveywithinthecorrespond- techniques,whicharefurthermoreexasperatedwiththe ingmainpropertiestheyrelateto. higher risk of node compromise. Routers are usually trustworthynetworkcomponents,butsensornodesplay 3 Existing security solutions the role of routers in WSN, so that we cannot reason- Inthissection, wereviewsomerepresentativework ably trust them because of compromise[21],[22]. In- toaddresstheaforementionedsecuritychallenges. We tegrity relies then on the ability to detect this kind of complement this review with the presentation of inte- attacks and their origins, which bothremain challeng- gratedprojectsthataddressseveralsecurityissuesinto ingissues. asingleapproach. Thesectionendswithamappingof this review on the standard waterfall-like software de- 2.3 Availability velopmentprocesstoshowthepresentstateofresearch Availability also becomes a critical matter in WSN. onsecurityengineering. Thereasonsaretwofoldandsignificantlyconstraining. First, limited energy supplies put an ultimate limit on 3.1 Confidentiality,integrity,availability networkavailability. Largesystemscanrelyonhuman Cryptography. Cryptography constitutes the main intervention and renewable energy solutionsare under theoreticalconcept,alongwithkeyinfrastructures,un- development,butitisnotablethatthesoftwarecontri- derlyingapproachesthatensureintegrityandconfiden- butiontoavailabilityisboundedandthatsecurityengi- tiality.Ellipticcurvecryptography(ECC[26])hasbeen neering cannot rely exclusively on software solutions. recognized as a viable approach for WSN, despite the Holisticmeasuresinvolvinghardwareandhumaninter- absence of a formal proof for this technology as of ventions are required in some conditions. Node com- 2007. Nevertheless,ECCisgainingmomentumwitha 52 ProgressinInformatics,No.5,pp.49–64,(2008) majorcompanyissuinganofficialtechnologyadoption come a primary issue. Some approaches allow nodes statementin2005,andtheAmericanNationalSecurity to deliver data, while protecting location information Agency adding the approach to its official Suite B for withpseudonyms,sincetrackingadatasourcewithout digitalsignatures[27],[28]. ECC is a promising alter- itsrealidentityismoredifficult[49]. Otherapproaches nativetoRSA-basedalgorithms[29],asthetypicalsize achievesimilargoalswithphysicalmeasurements[50]. ofECCkeysismuchshorterforthesamelevelofsecu- Fake location information causes security breaches, rity. Gaubatz etal. reportonpublic-key cryptography sinceanattackercanmasqueradeanodewherethereis in sensornetworksin moredetail[30], andUhsadelet none and become a data black-hole. Several research al. proposeanefficientimplementationofECC[31]. endeavors focus on the distance bounding attacks to The SPINS project shows that the security cost en- copewiththisissue,asreferredin[51]. tailed by cryptography (among other computations) Securedprotocols. SecuredprotocolsprotectWSN bearsmoreoncommunicationoverheadperpacketthan against attacksand misbehaviorsthatthwartthe avail- on computationaldemand[7]. Despite this result, sig- ability of nodes and services. In the representative nificantworkaimsatimprovingtheexecutionofECC work, Wood et al. conducted a survey on denial-of- algorithms with hardware support[32], or elaborate serviceattacks,andtheyproposedanapproachagainst newalgorithmsforefficientmultiplication[33],[34],as radio jamming attacks[52],[53]. Karlof and Wagner it is a very common and costly operation in public- expose a number of (successful) attacks against exist- key cryptography. Other approaches also exploit spe- ingroutingprotocolsforsensornetworksandsuggests cific hardware for improving confidentiality, for ex- countermeasures[54].Therapidresourceexhaustionof ample with tamper-resistant chips that prevent attacks networknodesmotivatestheresearchagainstsuchkind from revealing cryptographic keys[35], to the cost of of attacks, andseveralendeavorsintegrateappropriate increasingthepriceofhardwareunits. defenses[55],[56]. Keyinfrastructures. Keyinfrastructuresdrawpar- Misbehaviors result from compromised nodes and ticular attention from the research community for the insiders. TheworkofLeeandChoidealsforexample concernsofconfidentialityandintegrity[36]–[41]. The with malicious nodes dropping packets[57],[58]. On managementofkeysiscritical,attherootofthesecu- the other hand, Ye et al. propose statistical means to ritydefensesofthesystem. KeysinWSN havea life- recognizetheinsertionoffalsedata[21],[59],whileSei cycle thatemphasizes the deployment, protection, and andHonidenrelyonakeymanagementschemetode- revocationphases. Thesetupofkeyinfrastructuresof- tectfalseinformationwhenanumberofnodesarecom- tenreliesonpre-distributionschemes[40],[42]. Ghosh promised[22]. The area of intrusion detection is also demonstratesthatsuchapproachesarevalidifthenet- wellrepresentedinWSN,sincethecaptureofnodesis worktopologyverifiesstructuralpropertiesliketheab- potentiallyeasier.Kraußetal.showhowtodetectcom- sence ofbottlenecknodesundersomeconditions[43]. promised cluster heads (distinguished nodes equipped Protection of keys is achieved either by specific hard- withadditionalfunctionalities)usingattestationproto- ware,asintroducedabove,orbysecurityprotocolsthat cols[60]. Buttya´n et al. locate wormholes using two managethelife-cycleofkeys. Forexample,regularre- statistical values, namely the change of the number of vocationofkeysisrecommendedtorefreshtheinfras- neighbors of a node and the decrease of the length of tructureandprotectagainststolenkeys[44]. allshortestpaths[61]. Integrity and in-network processing. Integrity Recovery. Even though sensor nodes usually have concernsarealsothesubjectofadditionalresearchrel- a short life, it might be a turbulent one, not only in ative to secure in-network aggregation technique. In- terms of the data they sense but also in terms of the networkaggregationaimsatprocessingsensordataas- softwareinstalled. Theremightbeaninherentneedto setswhiletheymigratetowardthesinknode,typically patchthecodeofanodeforasecurityupdate—ideally for computing averages or sums. It is an important without removing the sensor node from its location technique to use node energy in more efficient ways but via wireless communication. Such a code update in WSN. Severalexistingaggregationapproacheslack hastomeetcertainrequirementsintermsofefficiency security guarantees, such that subsequent research en- and security. SCUBA is a challenge-response proto- deavorsproposesecureschemes[45]–[47]. col, which allows to repair compromised or damaged Location problems. Locating data sources is a code[62],andStrasserandVogtpresentalgorithmsfor dilemma between verifying that a data source is a distributednode recovery[63]. Itshouldbe notedthat trusted party and protecting privacy. Capkun et al. automaticupdateapproachesinWSN,suchasnetwork introduce a secure positioning scheme using standard reprogramming[64], are usually not secured schemes. Manchester encoding to address the first aspect of lo- Delugeisanexamplewhereasecuredversionhasbeen cating nodes[48]. On the other hand, privacy has be- implementedafterwards[65],[66]. Securitysoftwareengineeringinwirelesssensornetworks 53 3.2 IntegratedsecuritysolutionsinWSN theprotocol,withalowoverheadof8bytesperpacket Therichbodyofresearchachievementspresentedso (orderinkilobyteforotherapproaches). farcontributetothesecurityconcernsinarather‘local’ SPINS exemplifies how different security measures way, focusing on a very specific issue. In the follow- canbeintegratedinthecaseofWSN,andthistypically ing,wepresentfiveapproaches,namelyLEAP,SPINS, showsthatusualapproachescannotbetriviallyassem- TinySecandMiniSec,andTinyPEDS,toshowtheex- bledforsecurityengineering. tent of some representative approaches on security in WSN. 3.2.3 TinySec&MiniSec Karlofetal. introducedTinySec,alinklayersecurity 3.2.1 LEAP architecture,whichintroducesanoverheadcostofless The Localized Encryption and Authentication Pro- than10%[12]. TinySecisthusclaimedappropriatefor tocol (LEAP) is a key management protocol designed use in WSN, and it has been adopted as a standardli- to also support in-network processing[8]. Multiple brary in TinyOS. TinySec provides fully-implemented symmetric keying mechanisms are supported, namely protocolsandmakesreasonabletradeoffsbetweenper- individual keys (shared with the base station), group formance and security. TinySec exploits the idea that, keys (shared completely), cluster keys (shared with a even though sensor nodes are very restricted in com- selected group of nearby nodes), and pairwise shared putationalandcommunicationpower, evena powerful keys. It aims at “restricting the security impact of a adversary suffers from low bandwidth in WSN. Mes- nodecompromisetotheimmediatenetworkneighbor- sageauthenticityandintegrityareguaranteedbyusing hoodofthecompromisednode”[8]. Usingthisgranu- a MAC2) with each packet(included in the overhead), larapproach,storagerequirementpernodeiscompeti- andconfidentialityisensuredbyencryptionwithsym- tive. metriccryptographyprimitives. MiniSec is a recent improvement and extension of 3.2.2 SPINS TinySec’s functionalities for node-to-node security in SPINSstandsfor‘SecurityProtocolsforSensorNet- WSN[13]. ItismoreefficientthanTinyOSintermsof works’[7]. It is an economical security scheme with energy consumption (5.6% more efficient in the pub- low overhead. SPINS consists of two components lishedevaluation),anditprovidesanadditionalprotec- calledµTESLAandSNEP. tionagainstreplayattacks(maliciousmessageduplica- µTESLA is a specialization of the ‘Timed, Effi- tion).Replayattacksarealreadymanagedbyprotocols cient, Streaming, Loss-tolerant Authentication’ proto- suchasZigBee,butMiniSecisanalternativewithsig- col for WSN[67]. Its purpose is to provide authen- nificant performance improvements that maintain the ticated broadcast, since this communication mode is levelofsecuritywithoutsacrificingenergy(workingin thestandardinWSN.TheproblemsolvedbyµTESLA thedatalinklayer). is thatauthenticated broadcast requires a costly asym- The mechanismsexploited in TinySec and MiniSec metricmechanismthatsensornodescannotaffordusu- exemplify deployable security measures that address ally. Theprotocolemulatesasymmetrybysendingen- severalissuesinviablewaysforWSN.Itisnotablethat crypted messages and key information independently. thesetwoapproachesexplicitlyidentifydatalinklayer The sender first computes a key-chain with a random securityasfundamentalinWSN,becauseoftheobser- key Kn and public one-way function. It then encrypts vationthatin-networkcomputationsuchasaggregation message packets using the key-chain in reverse order. iscrucialinordertoprolongthenetwork’slifetime. If A single keyis usedforallpacketsthatcanbe sentin astandardend-to-endsecurityschemeisapplied,these a predefined time frame. The sender sends encrypted computationsbecomeveryintricateduetothepossible datapacketsaccordingtothetimeframeanddelaysthe aggregationschemes. sendingof keys. The receiver gets(securely)onlythe lastkeyK0 ofthekey-chain. Itgetsencryptedpackets 3.2.4 TinyPEDS and,oncethekeyarrives,itcanauthenticatesthepacket TinyPEDS (Tiny Persistent Encrypted Data Stor- iftheone-wayfunctionappliedtothekeyresultsinK0 age) is a secured data store for WSN[69]. It aims at (the function is applied as many times as the time in- protecting data assets collected by the sensors, both terval frame number). Luk et al. show subsequently for transient and long-term storages. TinyDB demon- howtoauthenticatebroadcastandaddressesthisprob- strated the use of in-network aggregation for pro- leminamoregeneralway[68].Thesecondcomponent cessing SQL queries, without security measures[70]. SNEP (Secure Network Encryption Protocol) ensures TinyPEDS elaborates on this approach by encrypting data confidentiality, data authentication between two- parties,datafreshness,andprotectionagainstreplayin 2)MessageAuthenticationCode 54 ProgressinInformatics,No.5,pp.49–64,(2008) transientstorageforaggregationprocessingwithsym- 4 Issues in engineering security solu- metrickeys,whichrequestreasonableresources. Long- tions lasting storage is protected with an asymmetric key Existing work addresses several aspects of security scheme however, owing to the need for stronger pro- concerns along the software engineering process, but tection. Sensornodesonlyreceivepublickeysandthe the previous review shows that engineers cannot rely compromise of node does not reveal signing keys. A onpresentachievementstoconductaholisticapproach high-endnode, typicallyasinkcomputerconnectedto onsecurity. Thespecific concernswith WSN, namely the WSN, owns the signing keys and performs costly node exposure and limited resources, remain indeed cryptographic computations. TinyPEDS combines se- critical throughout the different stages of building the curestoragewith areplicationprotocolto restoredata softwarelayerofWSNapplications. even with the loss of 40% of the nodes. TinyPEDS The aim of this section is to present issues in secu- showsanexampleapplicationthatintegratesadvanced rity engineering in a progressive manner according to security measures, although several aspects remain to thestandardwaterfallsoftwaredevelopmentlife-cycle. becoveredtoensurehighprotection,howeveroutofthe Theimplementation stage is postponed to section 5 to scope of the project (e.g. attacks that eliminate nodes focusonmoretechnicalmatters. byexhaustion). Some issues are not covered in the integrated ap- 4.1 Requirementsengineering proaches of this section, such as a number of attacks The engineering of security requirements relies on (e.g. resource exhaustion), node capture, and end-to- specific aspects of the target software. One usually endsecurity. Itisnotablehoweverthatcurrentachieve- expresses constraints such as the definition of access ments put together integrate complementary security rights, which usually leads to access control policies measures. intheimplementedsystem,orthesegmentationofthe systemintosecureandnon-securesub-parts. Although 3.3 Security engineeringin the software development technological choices occur relatively late in the re- process quirementengineeringstage,thechoiceforWSNtech- nologiesleadstoconsiderthesecuritylevelswithcare, Severalapproachesareavailabletosecurevariousas- notablyrelativetothesystemresiliencetonodecapture pects of sensor networks, often for a reasonable cost. andsoftware-basedattacks. Research contributes significantly to isolated issues in Requirementelicitationtechniquesareoftenneeded the engineering of security, and part of this research to better specify target security qualities, and general has focused on integrating some aspects together. A onesprovideanumberoftoolslikeextendedusecases securesystemrequireshoweverconsiderationofsecu- (which are also used in analysis and design phases). rityissuesasawhole,i.e. inallphasesofthesoftware The literature refers to abuse cases to specify system engineering development process. That is the reason usage patterns thatdesign should prevent[72],[73], to forsecurityengineering. Softwaredesignersandengi- misuse cases to relate correctand incorrect usage pat- neersareseeminglynotsupportedsufficientlyyetinthe terns[74],[75], andto securitycasestoorganizesecu- lightofthereview: Ifanefficientsolutionistobecre- rity requirements[76],[77]. WSN-based applications ated,requirementshavetobespecifiedverycarefully. requiretofocusoncasesthatshouldbecome‘standard’ The framework of Slijepcevic et al.[71], for example, issuesin a base setof requirementsforanysecurede- might assist the designers to adjust different security sign. A typical standard case is when an attacker ob- levelsdependingonthesensitivityofdata.Theunman- tainsencryptionordecryptionkeys,becausetheconse- ageablenumberofdifferentthreatsisneverthelesshard quencesofsuchascenarioaretheruptureofthesecu- todealwith. Muchresearchcoversdesignandimple- rity model. We have seen that tamper-resistant nodes mentationphasesanddescribeshowtoprotectspecific are not feasible and in many applications one cannot aspectsthough. Thereisfinallyaclearshortcomingof preventattackersfromcompromisingnodes,sothatthe studyinthetestingandverificationphases,whereen- designers must consider the loss of keys as long as gineerslacksystematictoolsorapproachestailoredfor the client does not explicitly state this being superflu- sensornetworkstocheckwhetherthespecifiedsecurity ous. Well-knowncasesinmobilephone networksand isachieved. otherwirelesstechnologiesarelikelytoinspirecasesin Theaim ofthefollowingsectionsisto elaborate on WSN,buttheinfrastructuraldifferencesjustifyfurther this result: Security engineering requires further re- work. search to counter security methodological and instru- Riskanalysismethodsprovideadditionaltoolsinen- mentalholesinthesoftwaredevelopmentprocess. gineeringsecurityrequirements. Theadvantageofrisk analysis is to establish metrics over risk criteria and Securitysoftwareengineeringinwirelesssensornetworks 55 vulnerability,thusallowingquantitativeandsystematic vice and data but by special codes, similar to GSM analysis. FTA (Fault Tree Analysis) is a risk analysis and some smartcards security schemes with PUK and methodthatidentifiesandclassifieseventsinatreeac- PUK2(PersonalUnblockingKey). Thisexampleillus- cordingtotheirlevelsofharmtothesystem[78],[79]. tratesa naiveapproach usingsecuritypatterns, butwe Therootofthetreethenreveals potentially dangerous expectthisresearchdirectiontoprovidesignificantre- events,whichthesystemmustbepreparedtodealwith. sults. Methods like FTA support the analysis of security re- quirementstothecostofbuildingandexploitingatree 4.3 Testing&verification data structure. Although this approach applieswell to Theformalorstatisticalproofthatasoftwareproduct arangeofsystems,thelargenumberofnodesinWSN complies with its requirements relies on a strong dis- (thousandsinsomescenarios)tendstopreventsuchap- cipline in the development process. Security require- proaches from scaling up, so they become less usable ments are challenging at these stages, because violat- inpractice.Theintroductionofnodecompromiserisks ingsituationsaredifficulttosimulate.WSNchallenges isalsoanotherissuethatcallsforfurtherworktocope arise for the major part from their distributed nature. withWSN. Test,validation,andverificationofdistributedsystems is intrinsically difficult due to size and complexity of 4.2 Analysis&designphase theglobalstateandthenumberofsituationsinvolving Theanalysisofsecurityrequirementsandtheirinte- unknown environmental factors (commonly called the grationinthedesignisasensitivetask,whichoftenre- ‘fallacies’ofdistributedsystems).Beyondtheseintrin- liesonspecializedprogrammingstaffinlargeprojects. sicdifficulties, WSNsufferfromtheirlargescalesand Assuch,specifictoolsthatfocusonsecurityissuessup- wirelesscommunicationinfrastructure,whichbothex- portengineersinthesephasesofthedevelopment. acerbatethestatespacestotestandverify. Securitypatternsextendthedesignpatternapproach Test methodologies based on unit tests and regres- with a set of patterns and association of patterns sions are the primary approaches to expect in WSN, to guide the developers in their engineering endeav- due to the large body of work and experience with ors[80]–[82]. Forexample,‘availablesystempatterns’ test suites. Test units are appropriate to check the (ASP) and ‘protected system patterns’ (PSP) capture compliance of the software with specifications; secu- engineering practices that have been validated in sev- rity use cases from requirement to design phases can eral implemented systems. ASP aim at facilitating be checked as well. Disciplined structure of the units the construction of systems that provide predictable intosuitesshouldprovidesignificantresultswithefforts anduninterruptedaccesstoservicesandresourcesthey concentrated on the application of existing techniques offer to users. PSP aim at protecting valuable re- tosecurityissues. Someadditionaltechniquesmaybe sources against unauthorized use, disclosure or modi- required to generate various ‘tiny test cases’ that arise fication[83]. Generalsecuritypatternsapplyto WSN, fromtherangeofsituationsfacedbynodesintheiren- butseveralissuesremaintobecataloguedandvalidated vironment.Thesoftwarelayerofthesenodesmustcon- byexperience. Forexample,patternstoguaranteethat sistentlyreacttoinputsdespitefastchanging,andpos- thecaptureofanodeandthelossofkeysdonotbreak sibly unexpected, environmentalconditions. Common the security level—or the breach can be confined—in techniques such as fuzz testing may provide grounds therestofthesystem. for such generation phase, but appropriate studies are Inthisrespect,experienceindevelopingWSNappli- necessary. cationsleadtodistinguishingseveralsituationsrelative Simulations are alternative means to check security tokeyloss, tobeaddressedbyappropriatepatterns,in properties. Attacks can be reproduced to observe the additiontospecificprotocols[10],[22],[84]: reactionsofthesystemsandprovidesomeinsightfulin- (1)theattackerhasnokey formationfromsimulationlogsforfurtheradjustment. (2)theattackerhaslessthanT keys Existingworkfromdistributedsystemresearchcanbe (3)theattackerhasmorethanT keys appliedtoWSN,butcurrentachievementsrequiresig- T is a threshold value that specifies the degree of ro- nificantinvestment in simulation design, and specifics bustnessofthesystemagainstkeyloss,i.e.,thenumber of WSN are usually nottakeninto account[85]. Such of key losses the system can tolerate without compro- investmentmaynotbepossible, andWSN particulari- mising the level of security. Taking inspiration from tiescaninvalidatesimulationattempts. Networksimu- goodpracticefordatabasesecurity,patternswoulden- latorslikens-2[86]ortheWSN-specificTOSSIM[87] surethatservicesandassetsprovidedinthesystemby showthatWSNrequirespecificcare,buttheresultsob- eachnodeareprotectedwheneverT keysarelost. The tainedfromsuchtoolsshouldserveonlyforcoarsetest- protection could be to, e.g., block any access to ser- ing,astheyusuallyassumestringentrestrictionsonthe 56 ProgressinInformatics,No.5,pp.49–64,(2008) environmentorcomputationmodelsandmayinvalidate Maintenance also refers to hardware management, theirownresults. including upgrade to new hardware, new firmware, or Verification of security properties can also be con- the necessary battery replacement which usually re- ductedformallywithappropriatemodelsandtools.Ex- quire turning off nodes temporarily. All these opera- isting work like SPIN[88], SMV[89], BLAST[90], tionsshouldbecompletedinsecurewaystoguarantee andSLAM[91]forCcodeconductmodel-checkingfor thatnoattackoccursatthesesensitivetimes. Software verifyinggeneralsafetyorlivenessproperties,butthere protectionsareusefulinsuchcases, asexemplifiedby is little work referring to such formal verification in securitysystems for, e.g., building accesscontrol, and WSNresearchandpracticetodate. Thesetoolscanbe specific protocolsforWSN applicationsshouldbede- appliedtochecksecurityproperties,providedadequate fined,withlikelystandarddefinitions. formulationofthetargetproperty. ThecaseofSLAM can be particularly interesting, as it verifies whether 4.5 Discussion programming interfaces are correctly used, which can ResearchissuesinsecurityengineeringforWSNare thenshowwhensecuritymeasures(usuallypartofthe numerous and impact each stage of the software de- API)areproperlyusedbythesoftwaredesigner. Other velopmentprocess. Existing work is often applicable, languageslikeJavawouldrelyonmodel-checkerslike but necessary adaptations or new approaches are also JPF[92],orBandera/Bogol[93](seesection5forJava necessary for the major part. The main issue on this onWSN).Language-independentverification(thusex- topicisindeedthedifficultytoreallyachieveaholistic ploitable early in the development process) are also approach on security, as it should be accomplished to available, with notable work for WSN with the real- avoid the ‘forward-propagation’ of security problems, timeMaudelanguage(notappliedtosecurityconcerns ascanbeobservedinothersoftwaresystems. Asare- todate)[94]. Shortcomingsoftheseformalmodeltools sult of the above analysis, we will present the conse- come from two main issues. First, model-checking quencesandneedsinthedevelopmentphaseforwhich does not scale when state spaces are large. The large we have postponed the study, i.e. the implementation numberofnodesandtheunpredictablenatureofWSN phase. execution environments imply very large state spaces, despitetherelativelysmallamountofcodetheyrun,so 5 Engineering technology review and thatmodel-checkingapproachesmustbeappliedtore- concrete needs of the security engi- strictedcasesandresultsmaynotprovidefullproperty neer verification(e.g. liveness). Thesecondissueoriginates Engineering the security aspect of an application inthelimitedachievementsforcheckingdistributedap- mainly relies on the availability and quality of tools. plications.Concurrencyentailsstate-spaceexplosionin Althoughalltoolsalongthesoftwaredevelopmentpro- additiontotheeffectsofenvironmentdynamics. Some cess contribute to supporting the engineer, program- approaches exist in general network applications[95], minglanguagesandrelatedAPI(ApplicationProgram- but they do not focus yet on WSN-like systems or on ming Interface) for the implementation are among the securityissues. mostcritical,becausetheyservetowritethefinalprod- uct and should represent all specifications expressed 4.4 Maintenance in other development stages. In fact, high-level lan- Maintenance of software in WSN is an active re- guages stemmed from the need to remove error-prone searchtopic,butthesecurityaspectislimitedinpresent programmingtasksfromthehandoftheprogrammers work. A notable example of maintenance mechanism (e.g., gotostatements, brittleassemblydesignpatterns issoftwareupdateoverthenetwork,withproposalsfor forcontrolstructures),sothattheycanfocusonthecore reprogramming(progressiveupdate)anduseofmobile tasksofthetargetbusinesslogic. agenttechnologies[96],[97].Delugeperformsnetwork The role of programming languages is essential in reprogramming and was not initially integrating secu- security engineering and the aim of this section is rity measures[65]. A later versiondid however revise twofold. The first aim is to provide a review of the the system to add security[66]. Deluge is one of the available technologies for the programmer, so as to few secured approaches for maintenance (see end of demonstratethecurrentcapabilitiesofexistingworkto section 3.1 on recovery). The security concerns are facilitateandguaranteesecurityrequirements.Thesec- howeversignificant.Attackerswhocontrolsomenodes ondaimistosetforthanumberofsupportsthatarenot canspreadmaliciouscodeandgraduallytakecontrolof available,butthatcouldleadto serioussecurityissues allthenetworkusingupdate-basedcontamination. Ap- withregardstotheresultsofoursurveyintheprevious propriatecounter-measuresinmostapproachesremain sections. openresearchissues. Tothisend,wereviewthemajorplatformsavailable, Securitysoftwareengineeringinwirelesssensornetworks 57 namely TinyOS on motes and Sun SPOTTM with re- 5.1.2 SunSPOT spectto securityengineeringcharacteristics. Thefinal Sun SPOT is a product of Sun Microsystems, Inc. part of this section presents aspects of security engi- encompassing both hardware and software[103]. The neering that should arguably be integrated in current project started in 2003 on the experience of the com- frameworksduetotheirimpactinthecontextofWSN. pany with the technologies related to Java ME, and the first release occurred in April 2007. The recent release of the platform entails that the hardware pro- 5.1 Majortechnologies videsamongthemostpowerfulsensornodes,withsim- Wireless sensor network are supported by a limited ilar size and scale factors to motes. The software part number of technologies. We briefly review the repre- is independent from the hardware and consists of the sentativeTinyOSandSunSPOT,withspecialfocuson Sun Squawk Java virtual machine[104]. Squawk is a theirsecurityengineeringfacilities. closed-source JVM that encompasses necessary oper- ating system functionalities, so that it can run directly 5.1.1 TinyOSonmotes onhardware[105]. TinyOSis anopensourceoperatingsystem tailored The technicalaspects of Squawk also aim at reduc- for low-power sensor network applications[98],[99]. ing the size and consumption of the system, similar ThesystemwasdevelopedalongWSNhardwarecalled to TinyOS, but it also seeks to bring a significant part ‘motes’,withvariouscommercialversions. Themotes of the Java modelover WSN. Squawkis hencea full- gathermicro-controller,anumberofsensorsandLEDs, fledged virtual machine that complies with the CLDC and batteries into a single package. The model of 1.1 specification. It can dynamically deploy code and TinyOS is independent from the developed hardware runseveralapplicationsconcurrently.Althoughthereis and can be adapted to various platforms. In the short no reference on real-timeissues yet, the platformpro- history of WSN technology, TinyOS has been the en- videssecurityfeaturesborrowedfromthestandardJava abling technology3), which fosters the deployment of model. WereviewthefacilitiesprovidedbySunSPOT applicationsandprototypesinvariousacademicandin- atthelowerandapplicationlevels.Thisreviewfocuses dustrialprojects. onthesoftwareandexcludeshardware-basedsecurity, ThetechnicalaspectsofTinyOSareconcentratedon as it was shown in section 3 that major issues lie in the optimization of the size and consumption of the packetmanagementandabovethedatalinklayerofthe system. The main features are a component-based ar- OSImodel. chitecture to foster code reuse and reduce the system Low-Level Security Facilities. Low-level security footprint(lessthan400bytesinitsearlierversions),an mechanismsaimatprotectingthesystemagainsterro- event-driven execution model, and integrated resource neousormaliciouscodethatexploitsweaknessesinthe and power management in the latest version 2.0. The softwarelayerstoharmorsubvertthesystem. Squawk systemanditsapplicationsarewritteninthenesClan- contains standardlow-levelsecuritymechanisms from guage[100], a variant of C providing a component- the Java model and specific extensions for WSN. The based framework and an appropriate subset of C con- use of Java first provides built-in protections against cepts sufficient for low-power hardware (e.g., there is code-based attacks that would exploit dangling point- nofunctionpointersinnesC).Thesystemdoesnotsup- ers, pointer arithmetics, pointer forging, unchecked port preemption requests (only hardware-based inter- cast,orarrayboundaries.Thevirtualmachinealsopro- ruptions), real-time scheduling, dynamic loading (ap- videsacodeverifier,whichchecksincomingcodeand plicationsarestaticallylinkedtotheTinyOScoremod- asserts compliance with the Java standards before ex- ules), butit doessupport data-link security with Tiny- ecution. These two mechanisms reflect the compati- Sec. Most notably, the system does not provide low- bilityofSquawkwiththeCLDCsecurityspecification levelprotectionsyet, such asmemoryprotection inits ofJavaME[106]. Theypreventanumberoflow-level mainstream version[102] or on-the-fly verification of security attacks, so that the system designers and pro- codedownloadedovertheairinterface. Severalexten- grammerscanfocusonothersecurityaspects. sionsofTinyOS,suchasSPINSpresentedinsection3, In addition, Sun SPOT contains implementations may however be integrated in the new releases of the of RSA and ECC (Elliptic Curve Cryptography) al- system[7],[12]. gorithms for security key management. The im- plementations have been optimized for sensor net- worknodes[107], providingprogrammers with essen- tialcryptographymechanisms. Inpractice,theaddition 3)TheReal-timeOsNucleus(TRON)washistoricallyavailablefrom1984,but ofthesealgorithmsisessentialonWSNasbasicblocks itsapplicationtowirelesssensornetworksandbroadavailabilityaredifficultto forecasttoday,despitethepotentialofthetechnology[101]. forend-to-endsecurity(seediscussioninthissection). 58 ProgressinInformatics,No.5,pp.49–64,(2008) Application-LevelSecurityFacilities. Application- work. A node can be added to the network in an ad- levelsecuritymechanismsaimatprovidingapplication hocfashion, without directhumansupport, e.g., when developers with appropriate abstractions for designing new nodes are jettisoned from an aircraft to an exist- the securityaspects ofthe target software. Java speci- inglandnetwork. Thesoftwarecontrollayermustthen fiesthesandboxmodeltocontrolhowapplicationscan providefacilitiesfordynamic authenticationwithpeer access resources and additional mechanisms to define nodes. Such introduction scenario is seemingly fre- custom security access control policies. The compati- quentenoughandcriticalinthecaseofWSNtojustify bilityofSquawkwith theCLDCspecificationguaran- theintegrationofready-to-usemechanismsfortheen- teestheavailabilityofthesemechanismstodevelopers. gineer, even though application-specific requirements The sandbox security model is complemented in may require refinement of the basic solution. This Squawk by the architecture of the virtual machine, wouldhelpincreasingtheengineerawarenessandcode whichhandlesapplicationsasJavaobjectsnamed‘iso- security. Cryptographicbricksexemplifyagaintheba- lates’[108]. Application isolation reinforces the low- sicelementforsuchasolution,butthisremainsanopen levelverificationprocessofthevirtualmachineandex- researchissuebeforeconsideringefficientimplementa- tendssecuritypolicieswithisolatemanagement. Each tionsinanAPI. isolate can then be engineered with different restric- Securecodemobility.Codemobilityplatformshave tionsonthecreation,control,andcommunicationwith permitted attractive demonstrations of sensor network otherisolates. technologies, with Agilla on top of TinyOS[97], and Sun SPOT. Squawk allows the migration of applica- 5.2 Discussion tions, which is a direct benefit of using the isolation AlthoughSunSPOTprovidesasecurityprofilecom- concept and additional mechanisms such as transitive parabletostandardJava,wearguethatthismodelwill closurestoform‘suites’ofclasses[104]. proveinsufficientwithregardstosecurityengineering. Thesecurityaspectisusuallynotdiscussedinthese WSN are inherently fragile systems dueto eavesdrop- approaches,asitisseenoutofscope.Infact,additional ping and physical threats. We believe that the appli- cryptographyfacilitiessuchasthealgorithmsprovided cation engineering facilities provided by the platform with Squawk on Sun SPOT provide the essential ele- shouldthereforegofurtherthanthecurrentmodels,de- mentstoenablesecurecodemobility. Forthesecurity spitethedifficultchallengesofstringentresourcesand engineer,itishoweversaferandmoreefficienttorelate large-scaledistribution. Extendedmodelsfostertheen- mobility and security directly in the programming in- gineeringofstrongsecuritymeasuresandavoidleaving terfaces. AsecureversionoftheSunSPOTAPIwould theprogrammerwitherror-pronetasks. thenprovideserializationmethodsovertheairinterface Ongoing work in the WSN and ubiquitous comput- thatexplicitlystatesthedesiredsecuritylevel.TheSun ingresearchcommunity,notablyovertheTinyOSplat- SPOTdevelopmentteamisindeedextendingtheradio form,hasprovedtheneedforfurtherendeavors[2],[4]. APIwithasecuredversionoftheradiostreamclassfa- In particular, end-to-end mechanisms are among the cilitytoservethisaim(informationfromtheirforumin most sensitive topics, and their absence from the core June2007[103]). CLDC specification may lack for a Java-based ap- Decentralizedsecuritypolicy.TheoriginalJavase- proach if specialized profiles are not integrated in the curity policy model was designed with applet-like de- specificationsforWSN[109]. TheadditionbytheSun ployment in mind. In this model, an applet is down- SPOTteamofthecryptographyalgorithmsprovidesthe loaded on-demand by a client and run in the sandbox basicbricksforend-to-endsecurity,butthereremainsa with appropriate access rights. This two-tier model is numberofengineeringissues. appropriate for certain applications, but it restricts the possibledeployments, notably if WSN evolveto more 5.2.1 Requiredengineeringfacilities ad-hocinfrastructures. Inaddition,changingthepolicy Secure key establishment facilities. Howdoesthe configurationofthousandsofdeployednodesisacom- engineer deploy a key infrastructure on a WSN? This pellingexampleoffunctionalitythatcallsforanevolu- question is challenging and advanced mechanisms are tionofthesecuritymodeltowardsdecentralizedpolicy available[110],[111], but it is possible to preset keys management. on nodes before deploying them. This ‘imprinting’ is Decentralization of the policy management implies necessaryinanycasetoclaimownershipofblankhard- the possibility forengineers to remotely log in to sen- ware[2], so one cannot expect simplifying or improv- sors with appropriate rights and modify their policies. ingthissecurity-criticaltasktotheengineer. We pointed out the requirements for multi-level secu- Thekeyestablishmentscenariobecomesmoreinter- rityrightsinsection2.Theremotepolicyconfiguration esting whenintroducingnew nodes in an existingnet- isatypicalexampleofsuchmechanisms. Thisworkis