Reliable Telemetry in White Spaces using Remote Attestation
Omid Fatemieh, Michael D. LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign
Annual Computer Security Applications Conference (ACSAC), Dec 9, 2011
• Spectrum crunch
  – Increased demand
  – Limited supply
  – Inefficiencies of fixed and long term spectrum assignment (licenses)
• Emerging solution: opportunistic access to unused portions of licensed bands
Opportunistic Spectrum Access
2
• Emerging solution: opportunistic access to WHITE SPACES
• Cognitive Radio: A radio that interacts with the environment and changes its transmitter parameters accordingly
Opportunistic Spectrum Access
3
[Figure: Primary Transmitter, Primary Receiver, Secondary Transmitter/Receiver (Cognitive Radio)]
• Allowed by FCC in Nov 2008 (and Sep 2010)
  – TV White Spaces: unused TV channels 2-51 (54 MHz-698 MHz)
  – Much spectrum freed up in transition to Digital Television (DTV) in 2009
  – Excellent penetration and range properties
• Applications
  – Super Wi-Fi
  – Campus-wide Internet
  – Rural broadband (e.g. Claudville, VA)
  – Advanced Meter Infrastructure (AMI) [FatemiehCG – ISRCS ‘10]
White Space Networks
4
• Spectrum Sensing
  – Energy Detection
  – Requires sensing-capable devices -> cognitive radios
  – Signal is variable due to terrain, shadowing and fading
  – Sensing is challenging at low thresholds
• Central aggregation of spectrum measurement data
  – Base station (e.g. IEEE 802.22)
  – Spectrum availability database (required by the FCC)
How to Identify Unused Spectrum?
No-talk Region for Primary Transmitter
5
Collaborative Sensing
• Malicious misreporting attacks
  – Exploitation: falsely declare a frequency occupied
  – Vandalism: falsely declare a frequency free
• Why challenging to detect?
  – Spatial variations of primary signal due to signal attenuation
  – Natural differences due to shadow-fading, etc.
  – Temporal variations of primary
  – Compromised nodes may collude and employ smart strategies to hide under legitimate variations
• How to defend against such coordinated/omniscient attackers?
Malicious Misreporting Attacks
6
[Figure panels: Compromised Secondary – Vandalism; Compromised Secondary – Exploitation]
Limitations of Previous Work
7
• Initially assume all sensors are equal
• Rely only on comparing measurements
• Shadow-fading correlation filters for abnormality detection [MinSH – ICNP ‘09]
• Model-based (statistical) outlier detection [FatemiehCG – DySPAN ‘10]
• Data-based (classification) attacker detection [FatemiehFCG – NDSS ‘11]
• Resulting drawback: attacker penetration has to be significantly limited for solutions to work
• What if we can have a subset of “super-nodes”?
A Subset of Trusted Nodes
8
• Remote attestation: A technique to provide certified information about software, firmware, or configuration to a remote party
  – Detect compromise
  – Establish trust
• Root of trust for remote attestation
  – Trusted hardware: TPM on PCs or MTM on mobile devices
  – Software on chip [LeMayG - ESORICS ‘09]
• Why a subset?
  – Low penetration among volunteer nodes
  – Cost: manufacturing, energy, time, bandwidth (see paper for numbers)
[Figure: Remote Server sends a Nonce to the Attestation-Capable System, which returns Signed[Nonce || System State]]
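The nonce exchange from the slide's diagram, sketched as an added example (not code from the paper or the talk). HMAC-SHA256 with a shared key stands in for the TPM/MTM signature, and the key, the state digests and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values: a real deployment would sign with a key held in the
# TPM/MTM; HMAC-SHA256 with a shared key stands in for that signature here.
DEVICE_KEY = b"constructed-demo-key"
KNOWN_GOOD_STATES = {hashlib.sha256(b"sensor-firmware-v1").digest()}


class Verifier:
    """Remote server side: issues nonces, checks Signed[Nonce || System State]."""

    def __init__(self, key, known_good):
        self.key = key
        self.known_good = known_good
        self.outstanding = set()   # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)   # fixed length keeps Nonce || State unambiguous
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, state, signature):
        # Each nonce is accepted once, so a recorded response cannot be replayed.
        if nonce not in self.outstanding:
            return "rejected: unknown or reused nonce"
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce + state, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        # A valid signature over an unexpected state still means "do not trust".
        if state not in self.known_good:
            return "rejected: unexpected system state"
        return "attested"


def device_respond(key, nonce, state):
    """Attestation-capable system side: sign the nonce concatenated with its state."""
    return hmac.new(key, nonce + state, hashlib.sha256).digest()
```
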
• Goal: obtain an estimate of signal power in any cell to compare to threshold
• Cell A: Safety or precision?
• Cells B and C: How many regular nodes to include? Which ones?
• Steps
  1. A systematic strategy to determine when there is enough data
  2. If we need additional data, which ones to add to aggregation pool?
  3. Ensure pool not attacker-dominated
Key Observations
9
[Figure: cells A, B and C; legend: Attested Node, Regular Node]
• Sequential intra-cell node selection
  – Include all attested nodes
  – Include regular nodes until a precision goal is met
• Precision goal: Ensure margin of error for aggregate smaller than requirements (e.g. 3dB) with high confidence (e.g. 95%) (unknown distribution)
  – Mean: Asymptotically efficient Chow-Robbins sequential procedure:
  – Median: Find a and b (order statistics):
Intra-cell Node Selection
10
• Last step: Classification-based inter-cell attacker detection
  – If detected: only use attested data in E
• Median as aggregate:
  – (+) Less vulnerable to legitimate variations or minority attackers
  – (-) Achieving the required precision requires more data
  – (-) Majority attackers can move median while being less ‘abnormal’
• Aggregate: median when attested majority, and mean otherwise
Classification-based inter-cell detection
11
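The intra-cell selection and aggregate rule from the two slides above, as an added example (not the authors' code). The slides' own formulas did not survive extraction, so this uses the textbook Chow-Robbins stopping test for the mean and a distribution-free order-statistic interval for the median; the half-width criterion, the rule for switching between the two tests and all names are assumptions.

```python
import math
import statistics

Z_95 = 1.96        # normal quantile for 95% confidence
MARGIN_DB = 3.0    # margin-of-error requirement, the slide's example value
CONF = 0.95


def mean_goal_met(x, d=MARGIN_DB, z=Z_95):
    """Textbook Chow-Robbins test: stop once n >= z^2 (s_n^2 + 1/n) / d^2."""
    n = len(x)
    return n >= 2 and n >= z * z * (statistics.pvariance(x) + 1 / n) / (d * d)


def median_goal_met(x, d=MARGIN_DB, conf=CONF):
    """Distribution-free interval [X_(a), X_(b)], b = n-a+1, via Binomial(n, 1/2)."""
    n, s = len(x), sorted(x)
    tail, a = 0.0, 0
    for k in range(n // 2):
        tail += math.comb(n, k) / 2 ** n      # P(B <= k)
        if 1 - 2 * tail < conf:               # coverage of ranks (k+1, n-k)
            break
        a = k + 1
    # Assumption: the goal is met when the interval half-width is within d.
    return a > 0 and (s[n - a] - s[a - 1]) / 2 <= d


def select_and_aggregate(attested, regular):
    """All attested readings first, then regular ones until the goal is met."""
    pool, used = list(attested), 0
    while True:
        use_median = len(attested) > used     # attested majority in the pool
        met = (median_goal_met if use_median else mean_goal_met)(pool)
        if met or used == len(regular):
            break
        pool.append(regular[used])
        used += 1
    agg = statistics.median(pool) if use_median else statistics.mean(pool)
    return round(agg, 2), "median" if use_median else "mean", used, met
```

The function returns the aggregate in the readings' unit, which aggregate was used, how many regular readings were admitted, and whether the precision goal was reached before the regular readings ran out.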
Evaluation
12
• Hilly Southwest Pennsylvania
• TV transmitter data from FCC
• Terrain data from NASA
• Ground truth: predicted signal propagation using empirical Longley-Rice model
• Takes into account:
  – Transmitter power, location, height, frequency
  – Terrain and distance
• Added aggressive log-normal shadow-fading variations
• Used data to build classifier and evaluate protection against attacks
Results
13
[Figures: False Outcome Rate; Attack Deterrence Rate (Attested fraction ≈ .25)]
• Showed how to use a small subset of attestation-capable nodes to improve trustworthiness of distributed sensing results.
• Proposed methods:
  – Provide quantifiably precise results.
  – Provide effective protection against attacks with a small fraction of attested nodes.
  – Can lower attestation costs for real deployment.
• Future direction: Developing a framework for formulating costs associated with including regular and attested nodes, and systematically striking a balance between the costs (from spectrum data aggregation and remote attestation) and obtaining precise aggregation results.
Conclusions and Future Work
14