Remote Software-based Attestation Remote Software-based Attestation for Wireless Sensorsfor Wireless Sensors

July 13, 2005July 13, 2005Mark Shaneck, Karthikeyan MahadevanMark Shaneck, Karthikeyan Mahadevan

Vishal Kher, Yongdae KimVishal Kher, Yongdae Kim

Department of Computer ScienceDepartment of Computer Science

University of MinnesotaUniversity of Minnesota

2

IntroductionIntroduction

• Securing sensors in critical applications is Securing sensors in critical applications is importantimportant• E.g. military applicationsE.g. military applications

• Compromise of a sensor can enable attacker to Compromise of a sensor can enable attacker to inject false sensing informationinject false sensing information

• Compromise of shared keys can enable attacker to Compromise of shared keys can enable attacker to compromise secure communicationscompromise secure communications

3

AttestationAttestation

• How to detect compromise? Attest!How to detect compromise? Attest!

• Ensure that the contents of the memory are Ensure that the contents of the memory are unchangedunchanged• Detects sensor compromise that involves a Detects sensor compromise that involves a

modification of the program memorymodification of the program memory• Compute a checksum of the memory contentsCompute a checksum of the memory contents

4

Naïve Attestation ModelNaïve Attestation Model

• Attestation routine reads memory and computes a Attestation routine reads memory and computes a checksumchecksum

• Attacker must offset memory reads to avoid detectionAttacker must offset memory reads to avoid detection• Offsets incur measurable delay in executionOffsets incur measurable delay in execution• Attester can measure execution time to detect compromiseAttester can measure execution time to detect compromise

MalcodeAttest

UnmodifiedCopyOf

Original

Program Memory of Sensor

5

LimitationsLimitations

• Suitable for directly connected devicesSuitable for directly connected devices• Slight execution delays can be accurately measuredSlight execution delays can be accurately measured

• What about remote attestation?What about remote attestation?• Code is located on device - attacker can use static Code is located on device - attacker can use static

analysis to analyze the code offline and insert analysis to analyze the code offline and insert conditional offsetsconditional offsets

• Slight execution delays cannot be accurately measured Slight execution delays cannot be accurately measured - overshadowed by unpredictable network latency- overshadowed by unpredictable network latency

6

Remote AttestationRemote Attestation

• How can we adapt the attestation model to work in How can we adapt the attestation model to work in a remote setting?a remote setting?

• Prevent attacker from analyzing attestation code Prevent attacker from analyzing attestation code offlineoffline• Send the attestation routine to the sensorSend the attestation routine to the sensor• Make it different each timeMake it different each time

• Prevent attacker from modifying attestation codePrevent attacker from modifying attestation code• Use techniques to make it difficult to statically analyze Use techniques to make it difficult to statically analyze

7

Why Remote Attestation?Why Remote Attestation?

• Is remote attestation really necessary?Is remote attestation really necessary?

• Physical access to the sensors is not always Physical access to the sensors is not always feasiblefeasible• Military setting - sensors are located in hostile, Military setting - sensors are located in hostile,

enemy territoryenemy territory• Building monitoring - sensors could be located Building monitoring - sensors could be located

in dangerous/inaccessible locationsin dangerous/inaccessible locations

8

OutlineOutline

• Problem ScopeProblem Scope

• Building BlocksBuilding Blocks

• Attestation Procedure ConstructionAttestation Procedure Construction

• Discussion/ConclusionDiscussion/Conclusion

9

AssumptionsAssumptions

• Base Station is secureBase Station is secure• Base Station to sensor communication is Base Station to sensor communication is

encrypted/authenticated using a pairwise shared keyencrypted/authenticated using a pairwise shared key• Base Station has an exact memory image of each Base Station has an exact memory image of each

sensorsensor

• Sensors do not have virtual memorySensors do not have virtual memory• Sensors can receive and execute binary codeSensors can receive and execute binary code

10

Threat ModelThreat Model

• Attacker can perform any software based Attacker can perform any software based attack on the attestation routineattack on the attestation routine

• Attacker cannot tamper with hardwareAttacker cannot tamper with hardware

• Impersonation and DoS attacks are out of Impersonation and DoS attacks are out of scopescope

11

RequirementsRequirements

• Resistance toResistance to• ReplayReplay• PredictionPrediction• Static AnalysisStatic Analysis

• Loose dependence on execution timeLoose dependence on execution time• Complete memory coverageComplete memory coverage• Efficient constructionEfficient construction

12

Building BlocksBuilding Blocks

• RandomizationRandomization• EncryptionEncryption• Self-Modifying CodeSelf-Modifying Code• ObfuscationObfuscation

• Opaque Predicates/Pointer AliasingOpaque Predicates/Pointer Aliasing• Junk InstructionsJunk Instructions

13

Self Modifying CodeSelf Modifying Code

nop1: 0xFFF6

2: 0xFFF7

3: 0xFFF8

4: 0xFFF9

5: 0xFFFA

6: 0xFFFB

7: 0xFFFC

8: 0xFFFD

9: 0xFFFE

10: 0xFFFF

nop

mov $0x05, %eax

inc %eax

xor %eax, %eax

test %eax, %eax

jnz 0xFFFF

mov 0x40, 0xFFFA

jmp 0xFFF9

nop

inc %eax

0x40 = “inc %eax”

14

Opaque PredicatesOpaque Predicates

• Conditions that always evaluate to true or Conditions that always evaluate to true or always evaluate to falsealways evaluate to false• Evaluation result is not obvious from static Evaluation result is not obvious from static

analysisanalysis

• Can be formed through pointer aliasing Can be formed through pointer aliasing • known to be an NP-hard problemknown to be an NP-hard problem

15

Opaque PredicatesOpaque PredicatesB

A

B

A Does A == B ?

16

Junk InstructionsJunk Instructions

• Full or partial machine code instructionsFull or partial machine code instructions

• Full - distract analysisFull - distract analysis

• Partial - confuse analysisPartial - confuse analysis

17

CompareResults

MeasureResponse Time

Generate AttestationRoutine

Precompute Result

Attestation ProtocolAttestation Protocol

Base

Attestation Routine

Checksum Result

Execute Attestation

RoutineSensor

18

Attestation Routine OverviewAttestation Routine Overview

• Randomly step through program memory, Randomly step through program memory, adding values to the checksum resultadding values to the checksum result

• Loop repeats Loop repeats O(n log n)O(n log n) times to ensure times to ensure complete coverage of the memorycomplete coverage of the memory

• Routine will incorporate the building blocks Routine will incorporate the building blocks to prevent attacks on the routine itselfto prevent attacks on the routine itself

19

Attestation RoutineAttestation Routine

EncryptedCode

DecryptionRoutine

Main Attestation

Loop

SeedCalculation

JunkInstructions

Jump

Memory Reads& Jump

HashCalculation

Random Number

Generator

Self ModifyingCode

JunkInstructions

JunkInstructions

JunkInstructions

Jump

Memory Reads& Jump

JunkInstructions

20

Security AnalysisSecurity Analysis

• What can the attacker do?What can the attacker do?

• Replay responseReplay response• Countered by randomization and random memory Countered by randomization and random memory

read pattern (seed)read pattern (seed)

• Attacker must attack each codeAttacker must attack each code• Goal: force attacker to do intensive computation for Goal: force attacker to do intensive computation for

each attestation procedureeach attestation procedure

21

What Attacker Must DoWhat Attacker Must Do

• Break EncryptionBreak Encryption• Find key, which is protected by opaque predicatesFind key, which is protected by opaque predicates

• Determine SeedDetermine Seed• Protected the same way as the encryption keyProtected the same way as the encryption key

• Examine self-modifying codeExamine self-modifying code• Rewrite this portion of the code to insert conditional Rewrite this portion of the code to insert conditional

offsetsoffsets

22

EmulationEmulation

• Attacker could install an emulatorAttacker could install an emulator

• Each read is directed to the appropriate offsetEach read is directed to the appropriate offset

• Computation is not I/O bound - significant Computation is not I/O bound - significant overheadoverhead• Attack will be foiled with an appropriate choice of the Attack will be foiled with an appropriate choice of the

timeout periodtimeout period

23

ExtensionExtension

• Fill sensor’s free memory space with random Fill sensor’s free memory space with random values (known to base station)values (known to base station)

• Attest entire memory contentsAttest entire memory contents

• Malicious code would be limited in size by data Malicious code would be limited in size by data memorymemory• Copy of original is forced to be located in data memoryCopy of original is forced to be located in data memory

24

Related WorkRelated Work

• SWATT (Seshadri et al.)SWATT (Seshadri et al.)• Genuinity (Kennell et al.)Genuinity (Kennell et al.)• Trusted Hardware - TPM, BIND, Copilot (Sailer Trusted Hardware - TPM, BIND, Copilot (Sailer

et al., Shi et al., N. L. P. Jr et al.)et al., Shi et al., N. L. P. Jr et al.)• Obfuscation (Collberg et al., Barak et al., etc)Obfuscation (Collberg et al., Barak et al., etc)• Program Evolution (F. Cohen)Program Evolution (F. Cohen)• Self-checksumming (Chang et al., Horne et al.)Self-checksumming (Chang et al., Horne et al.)• Integrity Verification Kernel (D. Aucsmith)Integrity Verification Kernel (D. Aucsmith)

25

Future WorkFuture Work

• ImplementationImplementation• Test and measure how lightweight/heavyweight the Test and measure how lightweight/heavyweight the

attestation procedure isattestation procedure is• Measure and test to determine appropriate timeout periodMeasure and test to determine appropriate timeout period

• Impersonation AttackImpersonation Attack• May require hardware supportMay require hardware support

• Enhance the attestation protocol to work in Enhance the attestation protocol to work in multihop settingsmultihop settings

26

Questions?Questions?