An On-Demand Secure Byzantine Routing Protocol
description
Transcript of An On-Demand Secure Byzantine Routing Protocol
An On-Demand Secure An On-Demand Secure Byzantine Routing Byzantine Routing
ProtocolProtocol
David HolmerDavid Holmer
Department of Computer ScienceDepartment of Computer Science
Presentation OutlinePresentation Outline
IntroductionIntroduction Attacks & Byzantine BehaviorAttacks & Byzantine Behavior ODSBRODSBR ResultsResults
Feel Free to Ask Questions Throughout the Presentation
Mobile Ad Hoc Wireless NetworksMobile Ad Hoc Wireless Networks
Non-centralized architecture - All nodes pass trafficNon-centralized architecture - All nodes pass traffic AdvantagesAdvantages
Increased Coverage (overall range & less gaps)Increased Coverage (overall range & less gaps) Reduced Deployment Cost (less wired connectivity)Reduced Deployment Cost (less wired connectivity) Rapid Deployment (self configuring & self healing)Rapid Deployment (self configuring & self healing)
Security ChallengesSecurity Challenges Collaborative natureCollaborative nature
All nodes participate in routing - can we trust them?All nodes participate in routing - can we trust them? Lack of physical securityLack of physical security
Wireless broadcast medium - anyone can eavesdropWireless broadcast medium - anyone can eavesdrop Mobile devices highly susceptible to theft and tamperingMobile devices highly susceptible to theft and tampering
Security is a Vital Component!Security is a Vital Component!
PublicationsPublications WiSE 2002 –WiSE 2002 – “An On-Demand Secure “An On-Demand Secure
Routing Protocol Resilient to Byzantine Routing Protocol Resilient to Byzantine Failures”Failures”
MILCOM 2004MILCOM 2004 – – “The Pulse Protocol: “The Pulse Protocol: Sensor Network Routing and Power Saving”Sensor Network Routing and Power Saving”
INFOCOM 2004INFOCOM 2004 – – “The Pulse Protocol: “The Pulse Protocol: Energy Efficient Infrastructure Access”Energy Efficient Infrastructure Access”
WONS 2004WONS 2004 – – “High Throughput Route “High Throughput Route Selection in Multi-rate Wireless Networks”Selection in Multi-rate Wireless Networks”
IZS 2004IZS 2004 – – “Swarm Intelligence Routing “Swarm Intelligence Routing Resilient to Byzantine Adversaries”Resilient to Byzantine Adversaries”
WONS 2005 –WONS 2005 – “The Pulse Protocol: “The Pulse Protocol: Mobile Ad hoc Network Performance Mobile Ad hoc Network Performance Evaluation”Evaluation”
SECURECOM 2005 –SECURECOM 2005 – “On the “On the Survivability of Routing Protocols in Ad Hoc Survivability of Routing Protocols in Ad Hoc Wireless Networks”Wireless Networks”
NDSS 2005 –NDSS 2005 – “Secure Multi-hop “Secure Multi-hop Infrastructure Access”Infrastructure Access”
INFOCOM 2005 –INFOCOM 2005 – “Provably Competitive “Provably Competitive Adaptive Routing”Adaptive Routing”
MONET Journal 2006 –MONET Journal 2006 – “The Medium “The Medium Time Metric: High Throughput Route Time Metric: High Throughput Route Selection in Multi-rate Wireless Networks” Selection in Multi-rate Wireless Networks”
ESAS 2006 –ESAS 2006 – “Dynamics of Learning “Dynamics of Learning Algorithms for the On-Demand Secure Algorithms for the On-Demand Secure Byzantine Routing Protocol”Byzantine Routing Protocol”
Most relevant to this talk Other work
Basic ProblemBasic Problem
Source Destination
Trusted Node Correct Node Adversarial Node
Shortest PathShortest Path Fault Free PathFault Free Path
Presentation OutlinePresentation Outline
IntroductionIntroduction Attacks & Byzantine BehaviorAttacks & Byzantine Behavior ODSBRODSBR ResultsResults
Feel Free to Ask Questions Throughout the Presentation
Strong AttacksStrong Attacks Adversarial PropertiesAdversarial Properties
Single ~ MajoritySingle ~ Majority External ~ Byzantine / InsiderExternal ~ Byzantine / Insider Individual ~ ColludingIndividual ~ Colluding
AttacksAttacks Insertion/ModificationInsertion/Modification Black holeBlack hole WormholeWormhole Flood RushingFlood Rushing Denial of serviceDenial of service
Black hole Wormhole
Byzantine BehaviorByzantine Behavior Significant research to protect against external Significant research to protect against external
adversaries (traditional secret based exclusion)adversaries (traditional secret based exclusion) However, authenticity and integrity do not provide However, authenticity and integrity do not provide
any guarantee about the legitimacy of actions any guarantee about the legitimacy of actions taken by authenticated / insider nodestaken by authenticated / insider nodes
Attacks where the adversary hasAttacks where the adversary has full control full control of anof an authenticated device authenticated device and can and can perform arbitrary perform arbitrary actions to disrupt the networkactions to disrupt the network
Byzantine Generals problem [Lamport – ’82]Byzantine Generals problem [Lamport – ’82]
Related WorkRelated Work Byzantine robustness for Wired Link State routingByzantine robustness for Wired Link State routing: [Perlman – ’88]: [Perlman – ’88] Authentication and integrityAuthentication and integrity:: [Zhou, Haas – ’99][Zhou, Haas – ’99]
[Hubaux, Buttyan, Capkun – ’01][Hubaux, Buttyan, Capkun – ’01][Dahill, Levine, Shields, Royer – ’02][Dahill, Levine, Shields, Royer – ’02][Hu, Perrig, Johnson – ‘02, ’01][Hu, Perrig, Johnson – ‘02, ’01]
BlackholeBlackhole:: [Marti, Giuli, Lai, Baker - ‘00][Marti, Giuli, Lai, Baker - ‘00][Papadimitratos, Haas - ’03][Papadimitratos, Haas - ’03]
WormholeWormhole:: [Hu, Perrig, Johnson – ’03][Hu, Perrig, Johnson – ’03][Hu, Evans – ’04][Hu, Evans – ’04]
Flood rushingFlood rushing: [Hu, Perrig, Johnson – ‘03]: [Hu, Perrig, Johnson – ‘03]
Majority do not address the Byzantine adversarial modelMajority do not address the Byzantine adversarial model Focus on individual attacks - Focus on individual attacks - no comprehensive solutions!no comprehensive solutions!
Presentation OutlinePresentation Outline
IntroductionIntroduction Attacks & Byzantine BehaviorAttacks & Byzantine Behavior ODSBRODSBR ResultsResults
Feel Free to Ask Questions Throughout the Presentation
OOn-n-DDemand emand SSecure ecure BByzantine yzantine RRoutingouting Provides Provides SurvivableSurvivable routing in a Byzantine environment routing in a Byzantine environment Original version published in WiSe 2002 (>25 cites)Original version published in WiSe 2002 (>25 cites) Trust modelTrust model
SourceSource and and DestinationDestination are are trustedtrusted IntermediateIntermediate nodes are authenticated (PKI & Symmetric keys) nodes are authenticated (PKI & Symmetric keys)
but but not fully trustednot fully trusted Adversarial modelAdversarial model
MajorityMajority of of colluding byzantinecolluding byzantine adversaries adversaries All routing attacksAll routing attacks except - eavesdropping, resource except - eavesdropping, resource
consumption, wormhole creation, other layersconsumption, wormhole creation, other layers Our solutionOur solution
An on-demand routing protocolAn on-demand routing protocol Link based reliability metricLink based reliability metric Bounded losses as long as there exists a Bounded losses as long as there exists a fault-free pathfault-free path Avoids the need for Byzantine Agreement (costly & less Avoids the need for Byzantine Agreement (costly & less
capable)capable)
ODSBR Protocol OverviewODSBR Protocol Overview
Route Discoverywith Fault Avoidance
Link WeightManagement
Byzantine FaultDetection
Discovered Path
Weight List Faulty Link
ODSBR Protocol OverviewODSBR Protocol Overview
Route Discoverywith Fault Avoidance
Link WeightManagement
Byzantine FaultDetection
Discovered Path
Weight List Faulty Link
Route DiscoveryRoute Discovery On-demand protocolOn-demand protocol
Finds a least weight pathFinds a least weight path Request floodRequest flood
Request includes weight list and signatureRequest includes weight list and signature Signature verified at every hopSignature verified at every hop Prevents un-authorized route requestsPrevents un-authorized route requests
Route Discovery (cont.)Route Discovery (cont.) Response floodResponse flood
Prevents response block attackPrevents response block attack Path and weight accumulated hop by hopPath and weight accumulated hop by hop
Appends signature to responseAppends signature to response Lower cost updates are re-broadcastLower cost updates are re-broadcast Every hops Every hops verifies the entire pathverifies the entire path Prevents flood rushing/blocking attackPrevents flood rushing/blocking attack
A min-weight path is always establishedA min-weight path is always established Path is not guaranteed to be fault freePath is not guaranteed to be fault free
Fault Detection PhaseFault Detection Phase
Route Discoverywith Fault Avoidance
Link WeightManagement
Byzantine FaultDetection
Discovered Path
Weight List Faulty Link
Probing technique using authenticated Probing technique using authenticated acknowledgementsacknowledgements
Naïve probing techniqueNaïve probing technique
Too much overheadToo much overhead per data packet! per data packet!
Fault Detection StrategyFault Detection Strategy
Trusted Node
Intermediate Node
Secure Adaptive ProbingSecure Adaptive ProbingSource Destination
Success
Successful Probe
Failed Probe
Successful Interval
Faulty Interval
Fault 3
Fault 2
Fault 1
Fault 4
Binary search = identified in Binary search = identified in log nlog n faults faults
Probe & Ack PropertiesProbe & Ack Properties ProbesProbes
Inseparable from data - listed on all packetsInseparable from data - listed on all packets Integrity checked at each probe - HMACIntegrity checked at each probe - HMAC Enforces path order - reverse ordered HMAC listEnforces path order - reverse ordered HMAC list
AcksAcks Authenticated - HMACAuthenticated - HMAC Single combined ack packet - individual HMAC Single combined ack packet - individual HMAC
of entire ack packet so far added at each probeof entire ack packet so far added at each probe Adversary can’t selectively drop some of the acksAdversary can’t selectively drop some of the acks
Staggered timeouts - restarts ack packetStaggered timeouts - restarts ack packet A node can’t incriminate any link but its ownA node can’t incriminate any link but its own
Fault IdentificationFault Identification Fault DefinitionFault Definition
Packet loss rate violates a fixed thresholdPacket loss rate violates a fixed threshold Excessive delay also causes packet lossExcessive delay also causes packet loss
Identifies faulty links Identifies faulty links regardless of reasonregardless of reason Malicious behaviorMalicious behavior Non-malicious malfunctionNon-malicious malfunction Adverse network behaviorAdverse network behavior
CongestionCongestion Intermittent connectivityIntermittent connectivity
Link Weight Management PhaseLink Weight Management Phase
Route Discoverywith Fault Avoidance
Link WeightManagement
Byzantine FaultDetection
Discovered Path
Weight List Faulty Link
Link Weight ManagementLink Weight Management Maintains a weight list of identified linksMaintains a weight list of identified links Faulty links have their weight doubledFaulty links have their weight doubled Resets link weightsResets link weights
Timed by successful transmissionsTimed by successful transmissions Bounds average loss rateBounds average loss rate
Weight scheme provides “soft” avoidanceWeight scheme provides “soft” avoidance Minimal penalty for false positivesMinimal penalty for false positives Network is never partitionedNetwork is never partitioned Allows use of aggressive fault thresholdsAllows use of aggressive fault thresholds
Presentation OutlinePresentation Outline
IntroductionIntroduction Attacks & Byzantine BehaviorAttacks & Byzantine Behavior ODSBRODSBR ResultsResults
Feel Free to Ask Questions Throughout the Presentation
ODSBR Attack MitigationODSBR Attack Mitigation InjectingInjecting, , modifyingmodifying packets – HMAC packets – HMAC ReplayReplay attack – use of nonces attack – use of nonces Flood rushingFlood rushing – protocol relies on the – protocol relies on the
metric, and not on timing informationmetric, and not on timing information Black holeBlack hole – unreliable links are avoided – unreliable links are avoided
using metricusing metric WormholeWormhole – creation is not prevented, but – creation is not prevented, but
it is avoided using metricit is avoided using metric
Loss Bound AnalysisLoss Bound Analysis Network of n nodes of which k are Network of n nodes of which k are
adversariesadversaries Assume a fault free path existsAssume a fault free path exists
Protocol Protocol bounds the number of packets bounds the number of packets lostlost communicating with the destination communicating with the destination
lknbqq 2log
Byzantine Attack SimulationByzantine Attack Simulation Simulated attacks:Simulated attacks:
Black HoleBlack Hole WormholeWormhole Super-WormholeSuper-Wormhole Flood RushingFlood Rushing
Random & StrategicRandom & StrategicAdversary PlacementsAdversary Placements
AODV Simulation SummeryAODV Simulation Summery
0
10
20
30
40
50
60
70
80
90
100
0 2 4 6 8 10
Number of Adversaries
Del
iver
y R
atio
(%)
Black Hole
Wormhole Random
Black Hole Rushing
Super-Wormhole Random
Wormhole Random Rushing
Super-Wormhole RandomRushingCentral Wormhole
Central Wormhole Rushing
Cross of Death Wormhole
Cross of Death WormholeRushingComplete Coverage
Complete Coverage Rushing
ODSBR Simulation SummeryODSBR Simulation Summery
0
10
20
30
40
50
60
70
80
90
100
0 2 4 6 8 10
Number of Adversaries
Del
iver
y R
atio
(%)
Black Hole
Black Hole Rushing
Wormhole Random
Wormhole Random Rushing
Super-Wormhole Random
Super-Wormhole RandomRushingCentral Wormhole
Central Wormhole Rushing
Cross of Death Wormhole
Cross of Death WormholeRushingComplete Coverage
Complete Coverage Rushing
ConclusionConclusion On-demand routing protocol On-demand routing protocol resilient to a resilient to a
wide range of colluding byzantine attackswide range of colluding byzantine attacks Adaptive probing scheme identifies faulty Adaptive probing scheme identifies faulty
link location without Byzantine Agreementlink location without Byzantine Agreement Bounded long term loss rate = Bounded long term loss rate =
guaranteed correctness in any networkguaranteed correctness in any network Excellent performance in a myriad of Excellent performance in a myriad of
practical scenariospractical scenarios
Experimental Lessons LearnedExperimental Lessons Learned
Most important factors:Most important factors: Flood rushingFlood rushing Strategic positioningStrategic positioning
Quantify the relative strength of different attacksQuantify the relative strength of different attacks ODSBRODSBR
able to mitigate wide range of Byzantine attacksable to mitigate wide range of Byzantine attacks not significantly affected by flood rushingnot significantly affected by flood rushing performance decreased when a large number of performance decreased when a large number of
adversarial links existsadversarial links exists
ODSBR - simulationODSBR - simulation
Implementation + simulation:Implementation + simulation:NS2 network simulatorNS2 network simulator
50 nodes randomly placed within a 1000 x 1000 50 nodes randomly placed within a 1000 x 1000 meter square areameter square area
In addition, 0 to 10 adversarial nodes were In addition, 0 to 10 adversarial nodes were addedadded
Random way-point mobility modelRandom way-point mobility model A traffic load of 10 CBR flowsA traffic load of 10 CBR flows ODSBR vs. AODVODSBR vs. AODV
[ACHR - SecureComm05]
Black HoleBlack HoleAttackAttack An attacker lies along the selected pathAn attacker lies along the selected path The attacker passes routing control traffic The attacker passes routing control traffic
correctly (route request, response, acks, etc.)correctly (route request, response, acks, etc.) However it drops or corrupts data trafficHowever it drops or corrupts data traffic Strong variants may do this adaptively to avoid Strong variants may do this adaptively to avoid
detectiondetection
Source Destination
Black HoleBlack HoleODSBR DefenseODSBR Defense Secured acks detect ANY damage of data flowSecured acks detect ANY damage of data flow Adaptive probing localizes the damage to one of Adaptive probing localizes the damage to one of
the adversaries linksthe adversaries links Weight of adversarial link is increased allowing Weight of adversarial link is increased allowing
correct path to be foundcorrect path to be found
Source Destination
Black hole attack + Flood RushingBlack hole attack + Flood Rushing
20
30
40
50
60
70
80
90
100
0 2 4 6 8 10
Number of Adversaries
Del
iver
y R
atio
(%)
AODV 0 m/s 1 m/s 5 m/s 10 m/sODSBR 0 m/s 1 m/s 5 m/s 10 m/s
Worm HoleWorm HoleAttackAttack Two attackers establish a path and tunnel Two attackers establish a path and tunnel
packets from one to the otherpackets from one to the other The worm hole turns many hops into one virtual The worm hole turns many hops into one virtual
hop creating shortcuts in the networkhop creating shortcuts in the network This allows a group of adversaries to easily draw This allows a group of adversaries to easily draw
in packets and drop themin packets and drop them
Source Destination
Worm HoleWorm HoleODSBR DefenseODSBR Defense Worm hole creation is not preventedWorm hole creation is not prevented
Impossible without assumptions about links and/or Impossible without assumptions about links and/or additional non-standard hardware/informationadditional non-standard hardware/information
Worm holes are “benign” unless they disrupt Worm holes are “benign” unless they disrupt data flowdata flow
Worm hole “link” can be identified and avoidedWorm hole “link” can be identified and avoided
Source Destination
Wormhole attack: random placementWormhole attack: random placement
20
30
40
50
60
70
80
90
100
0 2 4 6 8 10
Number of Adversaries
Del
iver
y R
atio
(%)
AODV 0 m/s 1 m/s 5 m/s 10 m/sODSBR 0 m/s 1 m/s 5 m/s 10 m/s
Central wormhole simulationCentral wormhole simulation
20
30
40
50
60
70
80
90
100
0 1 2 3 4 5 6 7 8 9 10
Speed (m/s)
Del
iver
y R
atio
(%)
AODV-normal AODV-worm AODV-worm-rushODSBR-normal ODSBR-worm ODSBR-worm-rush
Complete Coverage simulationComplete Coverage simulation
20
30
40
50
60
70
80
90
100
0 1 2 3 4 5 6 7 8 9 10
Speed (m/s)
Del
iver
y R
atio
(%)
AODV-normal AODV-worm AODV-worm-rushODSBR-normal ODSBR-worm ODSBR-worm-rush
Flood Rushing AttackFlood Rushing Attack
exploits flood duplicate suppressionexploits flood duplicate suppression authentication doesn’t helpauthentication doesn’t help can result in many adversarial controlled pathscan result in many adversarial controlled paths
ODSBR Defense:ODSBR Defense: hop-by-hop authenticationhop-by-hop authentication process all duplicate flood packets and rebroadcast process all duplicate flood packets and rebroadcast
lower metric valid flood packetslower metric valid flood packets
Byzantine Wormhole attackByzantine Wormhole attack
• ODSBR Defense:– wormhole formation is not prevented– wormhole will be detected and avoided
Source Destination
Adversary Adversary
wormhole
Super-WormholeSuper-Wormhole
a more general (and stronger) variant of the a more general (and stronger) variant of the wormhole attackwormhole attack
several adversaries collude and form an overlay several adversaries collude and form an overlay of Byzantine wormholesof Byzantine wormholes
for for nn adversaries, it is equivalent to adversaries, it is equivalent to nn22 wormholeswormholes
ODSBR - continuedODSBR - continued
Fault = any disruption that causes significant Fault = any disruption that causes significant loss or delay in the networkloss or delay in the network
End-to-end ACKsEnd-to-end ACKs Reliability metric based on past historyReliability metric based on past history Faulty links are identified using an adaptive Faulty links are identified using an adaptive
probing technique, and avoided during the probing technique, and avoided during the secure route discoverysecure route discovery
Maximum damage that can be caused by Maximum damage that can be caused by adversaries is bounded:adversaries is bounded:
qq-- - - q q++ b b kn kn log log22nn
Black Hole + Flood RushingBlack Hole + Flood Rushing Black Hole = Adversary selectively drops Black Hole = Adversary selectively drops
only only data packetsdata packets, but still participates in the , but still participates in the routing protocol correctlyrouting protocol correctly
Flood Rushing = takes advantage of the Flood Rushing = takes advantage of the flood suppressionflood suppression mechanism mechanism
Simulation:Simulation: Black hole: drop all data packetsBlack hole: drop all data packets Flood rushing: ignore broadcast delaysFlood rushing: ignore broadcast delays
Overhead – non-adversarial scenarioOverhead – non-adversarial scenario
0
10
20
30
40
50
60
0 1 2 3 4 5 6 7 8 9 10
Speed (m/s)
Ove
rhea
d (p
acke
ts /
seco
nd)AODV ODSBR
Overhead – attack scenarioOverhead – attack scenario
0
5
10
15
20
25
0 2 4 6 8 10
Number of Adversaries
Ove
rhea
d (p
acke
ts /
seco
nd)
AODV-BH AODV-SW ODSBR-BH ODSBR-SW
AnalysisAnalysis for a good pathfor a good path# Losses – (# Gains ) X LossRate < 0# Losses – (# Gains ) X LossRate < 0
We getWe get# Losses – (# Gains ) X LossRate < delta# Losses – (# Gains ) X LossRate < delta
Delta = #nodes X # adv X log ^2 #nodesDelta = #nodes X # adv X log ^2 #nodes
Link Weight ManagementLink Weight Management Maintains a weight list of identified linksMaintains a weight list of identified links Faulty links have their weight doubledFaulty links have their weight doubled Resets link weightsResets link weights
Timed by successful transmissionsTimed by successful transmissions Bounds average loss rateBounds average loss rate
Network is never partitionedNetwork is never partitioned1 1
1
1
1
1
On-Demand vs. Proactive Routing On-Demand vs. Proactive Routing Security ConcernsSecurity Concerns
On-DemandOn-Demand Source AuthenticationSource Authentication Caching presents adversarial opportunityCaching presents adversarial opportunity
Pro-activePro-active Harder to secure since pieces of information Harder to secure since pieces of information
can not be traced back to a single source.can not be traced back to a single source.
Black Hole AttackBlack Hole AttackProblem: Adversary may delete a packetProblem: Adversary may delete a packetHow do we detect and avoid black holes ?How do we detect and avoid black holes ? Reliable node may be blamedReliable node may be blamed Detecting failing node: Consensus costs ($)Detecting failing node: Consensus costs ($)
a b cXa b cX
Worm HolesWorm Holes Two attackers establish a path and tunnel Two attackers establish a path and tunnel
packets from one to the otherpackets from one to the other The worm hole turns many adversarial hops into The worm hole turns many adversarial hops into
one virtual hop creating shortcuts in the networkone virtual hop creating shortcuts in the network This allows a group of adversaries to easily draw This allows a group of adversaries to easily draw
packets into a black hole packets into a black hole
Source Destination
Flood BlockingFlood Blocking Flood Blocking AttackFlood Blocking Attack
Adversary propagates a false short pathAdversary propagates a false short path Intermediate nodes do not forward “inferior” Intermediate nodes do not forward “inferior”
valid path informationvalid path information Source ignores the false pathSource ignores the false path No path is establishedNo path is established
Path must be verified at intermediate Path must be verified at intermediate nodesnodes
Fault Detection StrategyFault Detection Strategy Probing technique using authenticated Probing technique using authenticated
acknowledgementsacknowledgements Naïve techniqueNaïve technique
Receiving an ack from every node overly Receiving an ack from every node overly costly!costly!
D
OLD Route DiscoveryOLD Route Discovery On-demand protocolOn-demand protocol Bi-directional floodBi-directional flood
Request floodRequest flood Source includes weight list and a signatureSource includes weight list and a signature Request verified at each hopRequest verified at each hop
Request Response
OLD Probe & Ack SpecificationOLD Probe & Ack Specification ProbesProbes
List of probes attached to every packetList of probes attached to every packet Each probe is specified by an HMACEach probe is specified by an HMAC Probes listed in path orderProbes listed in path order Remainder of probe list is onion encryptedRemainder of probe list is onion encrypted
AckAck Authentication via HMACAuthentication via HMAC Collected and onion encrypted at each probe Collected and onion encrypted at each probe
pointpoint
Thank You!
Questions??
AuthorsAuthorsBaruch Awerbuch, Reza Curtmola,
David Holmer,Herbert Rubens
Johns Hopkins UniversityDepartment of Computer Science
{baruch, crix, dholmer, herb}@cs.jhu.edu
Cristina Nita-Rotaru
Purdue UniversityDepartment of Computer Science
http://www.cnds.jhu.edu/archipelago