Cyber Defense Laboratory

 

 

Seluge: Secure and DoS-Resistant Code Dissemination in Wireless Sensor Networks (Version 0.1)

Released on 9/10/08.

Introduction

Seluge [1] is an efficient, secure, robust, and DoS-resistant code dissemination system. It is an extension to Deluge [3], an open source code dissemination system included in TinyOS distributions. Seluge provides security protection for code dissemination, including integrity protection of code images and resistance to the following three classes of DoS attacks: (1) DoS attacks against signature packets; (2) DoS attacks against code dissemination packets; and (3) DoS attacks against maintenance packets. To the best of our knowledge, these cover all the DoS attacks that manipulate code dissemination protocols.

The key contribution of Seluge is a novel way to organize the packets used to distribute new code images. By carefully arranging code dissemination data items and their hash images in packets, Seluge provides immediate authentication of each packet upon receipt, without disrupting the efficient propagation mechanisms used by Deluge. Thus, it can defeat the DoS attacks exploiting authentication delays.
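The following is an added illustration of the packet organization described above, written for this page; it is not Seluge or Deluge code. It models the layout in simplified form: the image is split into pages of fixed-size packets, packet j of page i carries the hash of packet j of page i+1, and the hashes of page 0 arrive in a separate hash packet that the signed bootstrap must cover. Each packet can therefore be checked against a hash the node already trusts the moment it arrives, in whatever order Deluge's propagation delivers the packets of a page. The page/packet sizes and the truncated digest length are assumed values, not Seluge's parameters.

```python
import hashlib
import random

HASH_LEN = 8          # assumed: bytes of truncated digest carried per packet
PAGE_PACKETS = 4      # assumed: packets per page
PACKET_DATA = 16      # assumed: code bytes per packet
PAGE_BYTES = PAGE_PACKETS * PACKET_DATA


def h(b: bytes) -> bytes:
    """Truncated SHA-256; stands in for whatever hash a real deployment uses."""
    return hashlib.sha256(b).digest()[:HASH_LEN]


def build_image(code: bytes):
    """Split code into pages of packets and chain them back to front.

    Packet j of page i = data || h(packet j of page i+1); the last page
    carries zero padding instead of a hash. The returned hash_packet holds
    h() of every packet of page 0 and is what the authenticated bootstrap
    (the signed packet in Seluge) must cover.
    """
    if not code:
        raise ValueError("empty image")
    padded = code + b"\x00" * (-len(code) % PAGE_BYTES)
    chunks = [padded[i:i + PACKET_DATA] for i in range(0, len(padded), PACKET_DATA)]
    raw_pages = [chunks[i:i + PAGE_PACKETS] for i in range(0, len(chunks), PAGE_PACKETS)]
    pages = [None] * len(raw_pages)
    pages[-1] = [d + b"\x00" * HASH_LEN for d in raw_pages[-1]]
    for i in range(len(raw_pages) - 2, -1, -1):
        pages[i] = [raw_pages[i][j] + h(pages[i + 1][j]) for j in range(PAGE_PACKETS)]
    hash_packet = b"".join(h(p) for p in pages[0])
    return hash_packet, pages


class Receiver:
    """A node that takes pages in order and verifies every packet on arrival."""

    def __init__(self, hash_packet: bytes, num_pages: int):
        # Expected hashes for page 0 come from the (already authenticated) hash packet.
        self.expected = [hash_packet[k * HASH_LEN:(k + 1) * HASH_LEN]
                         for k in range(PAGE_PACKETS)]
        self.num_pages = num_pages
        self.page = 0
        self.current = {}   # idx -> (data, hash of packet idx in the next page)
        self.data = []      # accepted code, page by page

    def accept(self, page: int, idx: int, pkt: bytes) -> bool:
        """True if pkt is genuine; a forged packet is dropped here, never buffered."""
        if page != self.page or not 0 <= idx < PAGE_PACKETS:
            return False
        if len(pkt) != PACKET_DATA + HASH_LEN or h(pkt) != self.expected[idx]:
            return False
        self.current[idx] = (pkt[:PACKET_DATA], pkt[PACKET_DATA:])
        if len(self.current) == PAGE_PACKETS:
            # Page complete: its embedded hashes become the expectations for the next page.
            self.data.extend(self.current[j][0] for j in range(PAGE_PACKETS))
            self.expected = [self.current[j][1] for j in range(PAGE_PACKETS)]
            self.current = {}
            self.page += 1
        return True

    def complete(self) -> bool:
        return self.page == self.num_pages

    def image(self) -> bytes:
        return b"".join(self.data)


def run_demo(code: bytes, seed: int = 1):
    """Deliver every page in random packet order, each genuine packet preceded
    by a tampered copy (constructed attacker traffic).
    Returns (complete, accepted, rejected, reassembled image)."""
    hash_packet, pages = build_image(code)
    rx = Receiver(hash_packet, len(pages))
    rng = random.Random(seed)
    accepted = rejected = 0
    for i, page in enumerate(pages):
        order = list(range(PAGE_PACKETS))
        rng.shuffle(order)
        for j in order:
            forged = bytearray(page[j])
            forged[0] ^= 0xFF                 # one flipped byte of code data
            for candidate in (bytes(forged), page[j]):
                if rx.accept(i, j, candidate):
                    accepted += 1
                else:
                    rejected += 1
    return rx.complete(), accepted, rejected, rx.image()
```

The point to notice is that `Receiver.accept` rejects the tampered copy with a single hash computation and without storing anything, so an attacker cannot fill the node's buffers or force it to wait for a later authentication step; only the hash packet itself needs to be protected by the signature.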

Seluge properly authenticates advertisement and SNACK packets. As a result, it can prevent DoS attacks exploiting the Deluge epidemic propagation and suppression mechanisms.

Seluge uses a signature to bootstrap the authentication of a new code image. However, unlike previous approaches, Seluge pairs the signature with a weak authentication mechanism. This weak authentication has two useful properties: it can be efficiently verified by a regular sensor node, yet it takes even a computationally powerful attacker a substantial amount of time to forge a weak authenticator. Moreover, it cannot be pre-computed. The weak authenticator therefore acts as a cheap filter for forged signature packets, so Seluge is not subject to the DoS attacks against signature verification that affect the previous approaches.
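An added example of the filtering idea in the paragraph above, written for this page and not taken from Seluge: the sender discloses a key from a one-way hash chain together with each signed version and attaches a hash puzzle solution that binds that key, the version, the image hash and the signature. A node checks the chain key (one hash) and the puzzle (one hash) before it spends anything on signature verification. The solution cannot be pre-computed because the chain key is unknown until the sender discloses it, and solving the puzzle costs the attacker roughly 2^PUZZLE_BITS hash operations per forged packet. The puzzle size, the chain length and the field layout are assumptions, and the HMAC "signature" is only a dependency-free stand-in for the public-key signature the real scheme uses (with a public-key scheme, nodes hold only the verification key).

```python
import hashlib
import hmac

PUZZLE_BITS = 12     # assumed puzzle strength for the demo; a deployment tunes this
SOLUTION_LEN = 4


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leading_zero_bits(d: bytes) -> int:
    return len(d) * 8 - int.from_bytes(d, "big").bit_length()


def puzzle_digest(key, version, image_hash, sig, solution):
    """The weak authenticator binds the chain key, version, image hash and
    signature, so a solution found for one message is useless for any other."""
    return H(key + version.to_bytes(2, "big") + image_hash + sig
             + solution.to_bytes(SOLUTION_LEN, "big"))


class BaseStation:
    def __init__(self, chain_len: int, sign_key: bytes, chain_seed: bytes):
        self.sign_key = sign_key
        # One-way key chain: K_{i-1} = H(K_i). K_0 is pre-installed on nodes;
        # K_i is disclosed only together with version i.
        chain = [H(b"chain-root" + chain_seed)]
        for _ in range(chain_len):
            chain.append(H(chain[-1]))
        chain.reverse()
        self.keys = chain            # keys[i] == K_i
        self.version = 0

    def sign(self, msg: bytes) -> bytes:
        # Stand-in for a public-key signature (assumption for the demo): HMAC
        # with a shared key keeps the example dependency-free. The real scheme
        # uses a public key and the verification is the costly operation.
        return hmac.new(self.sign_key, msg, "sha256").digest()

    def release(self, image_hash: bytes) -> dict:
        self.version += 1
        v = self.version
        key = self.keys[v]
        sig = self.sign(v.to_bytes(2, "big") + image_hash)
        s = 0                        # brute-force the puzzle; cheap for the sender, once
        while leading_zero_bits(puzzle_digest(key, v, image_hash, sig, s)) < PUZZLE_BITS:
            s += 1
        return {"version": v, "image_hash": image_hash, "sig": sig, "key": key, "solution": s}


class Node:
    def __init__(self, k0: bytes, verify_key: bytes):
        self.last_key = k0
        self.verify_key = verify_key
        self.version = 0
        self.costly_verifications = 0

    def handle(self, p: dict) -> str:
        v = p["version"]
        if v != self.version + 1:
            return "stale"
        # Step 1, one hash: the disclosed key must hash back to the last accepted key.
        if H(p["key"]) != self.last_key:
            return "bad-key"
        # Step 2, one hash: the puzzle solution must be valid for exactly this packet.
        d = puzzle_digest(p["key"], v, p["image_hash"], p["sig"], p["solution"])
        if leading_zero_bits(d) < PUZZLE_BITS:
            return "bad-puzzle"
        # Step 3: only packets that passed both cheap filters pay for signature verification.
        self.costly_verifications += 1
        expected = hmac.new(self.verify_key, v.to_bytes(2, "big") + p["image_hash"],
                            "sha256").digest()
        if not hmac.compare_digest(expected, p["sig"]):
            return "bad-signature"
        self.last_key, self.version = p["key"], v
        return "accepted"


def demo():
    """Constructed scenario: one genuine release, then attacker traffic against
    the next version, then the genuine next release."""
    sign_key = b"demo-signing-key"                      # constructed, deterministic
    base = BaseStation(4, sign_key, b"demo-chain-seed")
    node = Node(base.keys[0], sign_key)
    r1 = node.handle(base.release(H(b"image v1")))
    pkt2 = base.release(H(b"image v2"))
    # Attacker guesses a key before K_2 is disclosed: nothing can be pre-solved,
    # and the chain check drops the packet after a single hash.
    guessed = dict(pkt2, key=H(b"attacker guess"), sig=bytes(32), solution=0)
    r_guess = node.handle(guessed)
    # After overhearing K_2 the attacker replays it with a forged signature but
    # without doing the puzzle work: dropped after two hashes, no signature check.
    replays = [node.handle(dict(pkt2, sig=bytes(32), solution=s)) for s in range(50)]
    r2 = node.handle(pkt2)
    return r1, r_guess, replays, r2, node.costly_verifications
```

Running `demo()` shows the two genuine releases costing exactly two signature verifications, while fifty forged packets against version 2 cost the node only hash operations. A forged packet that happened to satisfy the puzzle by luck (probability 2^-12 per attempt here) would still fall to the signature check; raising PUZZLE_BITS trades sender-side work for a stronger filter.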

For questions please contact An Liu at aliu3 (at) ncsu.edu.

Scheduled Next Release

  • We have developed software for secure remote management of the distributed code images (e.g., reboot and erase). This new extension is named Seluge-ImageMan; it will be included in the next release of Seluge later this fall.

Download

  • Seluge Version 0.1 source distribution.

How to Use

  • See the README in the distribution for build and usage details.

Performance

We evaluated Seluge in the WiSeNeT testbed deployed on the second floor of Engineering Building II at NC State University. The testbed contained 65 MicaZ motes, as Figure 1 shows; the blue star marks the source node holding the new code image. Two performance metrics are used in our evaluation: propagation delay and communication overhead. The propagation delay is the time required to finish disseminating a code image to all the nodes in the network. The communication overhead is measured as the total number of packets transmitted by all the nodes during one code dissemination. We ran the same experiment, injecting code images of 10K, 20K, 30K, and 40K bytes, for Deluge, Seluge, the Colorado approach [4], and the Berkeley scheme [5], and compared their results.

Figure 1: The testbed (65 MicaZ motes; 152.5 feet × 97 feet).

Both Figure 2 and Figure 3 show that Seluge outperforms the other secure extensions to Deluge: for the same packet payload size, Seluge has the smallest propagation delay and communication overhead among all the secure schemes. Unmodified Deluge has the smallest propagation delay and communication overhead overall, but only because it has no security mechanism at all. For more details about the evaluation, please refer to [1].

Figure 2: Propagation delay.

Figure 3: Communication overhead.

Copyright and Disclaimer

All new code in this distribution is Copyright 2008 by North Carolina State University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this entire copyright notice is duplicated in all such copies, and that any documentation, announcements, and other materials related to such distribution and use acknowledge that the software was developed at North Carolina State University, Raleigh, NC. No charge may be made for copies, derivations, or distributions of this material without the express written consent of the copyright holder. Neither the name of the University nor the name of the author may be used to endorse or promote products derived from this material without specific prior written permission.

IN NO EVENT SHALL THE NORTH CAROLINA STATE UNIVERSITY BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE NORTH CAROLINA STATE UNIVERSITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE NORTH CAROLINA STATE UNIVERSITY HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

References

[1] Sangwon Hyun, Peng Ning, An Liu, and Wenliang Du, "Seluge: Secure and DoS-Resistant Code Dissemination in Wireless Sensor Networks," in Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN 2008), IP Track, pages 445--456, April 2008.

[2] An Liu, Young-Hyun Oh, and Peng Ning, "Secure and DoS-Resistant Code Dissemination in Wireless Sensor Networks Using Seluge (Demo Abstract)," in Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN 2008), pages 561--562, April 2008.

[3] J. W. Hui and D. Culler, "The dynamic behavior of a data dissemination protocol for network programming at scale," in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys 2004), November 2004.

[4] J. Deng, R. Han, and S. Mishra, "Secure code distribution in dynamically programmable wireless sensor networks," in Proceedings of the 5th International Conference on Information Processing in Sensor Networks (IPSN 2006), April 2006.

[5] P. K. Dutta, J. W. Hui, D. C. Chu, and D. E. Culler, "Securing the Deluge network programming system," in Proceedings of the 5th International Conference on Information Processing in Sensor Networks (IPSN 2006), April 2006.

Sponsors

This project has been generously supported by

NSF
ARO

This material is based upon work supported by the National Science Foundation (NSF) under grants CNS-0721424 and CAREER-0447761, and by the US Army Research Office (ARO) under grant W911NF-05-1-0247. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF or the ARO.

 
 
©2008 Peng Ning. Last updated September 10, 2008.