Section: New Results
Security in infrastructure-less and constrained networks
Authenticated Message Aggregation in Wireless Sensor Networks
Wireless sensor networks (WSNs) are ad-hoc networks composed of tiny devices with limited computation and energy capacities. For such devices, data transmission is a very energy-consuming operation. It thus becomes essential to the lifetime of a WSN to minimize the number of bits sent by each device. One well-known approach is to aggregate sensor data (e.g., by adding) along the path from sensors to the sink. Aggregation becomes especially challenging if end-to-end privacy between sensors and the sink is required.
In previous years we developed a simple additively homomorphic stream cipher that allows efficient aggregation of encrypted data: ciphertexts can be added en route, and the sink recovers the sum of the plaintexts. The cipher only uses modular additions (with very small moduli) and is therefore very well suited to CPU-constrained devices. As with any stream cipher, a keystream value must never be reused, so each report's pad has to be derived from a nonce or counter that the sink also knows.
In data aggregation, multiple source nodes send their data to a sink along a concast tree, with aggregation done en route so that the sink obtains the aggregate (sum, average, etc.) of all these data. End-to-end privacy and aggregate integrity are the two main goals of secure data aggregation. While the privacy goal has been studied and some solutions proposed, providing end-to-end aggregate integrity in the presence of possibly compromised aggregating nodes remains largely an open problem. Message Authentication Codes (MACs) are commonly used to provide end-to-end data integrity in two-party settings. We considered natural extensions of MACs to the data aggregation scenario and showed that a straightforward and intuitive refinement of the MAC security model for this setting is not achievable; we therefore proposed a weaker security notion. This analysis and model are described in  .
During this past year, we also designed a novel secure data aggregation protocol that provides privacy and integrity for sensor networks using inexpensive cryptographic tools. Our scheme protects against both internal and external attackers and balances message size and energy consumption among network nodes. It provides the sink with a large amount of information: with a single query, the sink can compute the mean, standard deviation, frequency distribution, etc. of the sensed values. This scheme is described in  .
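The following Python program is an added illustration and not code from the project. It implements an additively homomorphic stream cipher of the kind described above, with HMAC-SHA256 assumed as the pseudorandom function that derives each sensor's keystream from a key shared with the sink and a per-round nonce, and a modulus M chosen large enough to hold any aggregate. Each sensor reports the vector [x, x², one-hot histogram bin], so that a single aggregate lets the sink compute mean, standard deviation and a frequency distribution; this encoding is our own generalisation for the example and is not the protocol of the preceding paragraph. The `tamper` function shows why such a cipher alone gives no aggregate integrity: an aggregator that adds a constant to a ciphertext shifts the decrypted sum and the sink cannot tell. Sensor keys, readings and the nonce are constructed sample data.

```python
import hashlib
import hmac
import math

M = 2 ** 32          # modulus; must exceed the largest aggregate the sink can receive
BINS, WIDTH = 8, 5   # histogram bins of width 5: [0,5), [5,10), ..., [35,40)


def pad(key, nonce, slot):
    """Keystream value for one slot of one report: PRF(key, nonce || slot) mod M.
    HMAC-SHA256 is an assumed PRF here; any PRF shared with the sink would do."""
    mac = hmac.new(key, nonce + bytes([slot]), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % M


def encode(x):
    """Plaintext vector a sensor reports for reading x: [x, x^2, one-hot bin]."""
    hist = [0] * BINS
    hist[min(x // WIDTH, BINS - 1)] = 1
    return [x, x * x] + hist


def encrypt(key, nonce, plain):
    """Sensor step: c_t = (m_t + k_t) mod M, slot by slot."""
    return [(m + pad(key, nonce, t)) % M for t, m in enumerate(plain)]


def aggregate(ciphertexts):
    """Aggregator step: slot-wise modular sum; needs no key at all."""
    agg = [0] * len(ciphertexts[0])
    for c in ciphertexts:
        agg = [(a + b) % M for a, b in zip(agg, c)]
    return agg


def decrypt(keys, nonce, agg):
    """Sink step: subtract the pads of every sensor expected in the aggregate."""
    out = []
    for t, c in enumerate(agg):
        k = sum(pad(key, nonce, t) for key in keys) % M
        out.append((c - k) % M)
    return out


def sink_statistics(keys, nonce, agg):
    """Mean, population standard deviation and histogram from one aggregate."""
    plain = decrypt(keys, nonce, agg)
    n = len(keys)
    s1, s2, hist = plain[0], plain[1], plain[2:]
    mean = s1 / n
    var = s2 / n - mean ** 2
    return mean, math.sqrt(max(var, 0.0)), hist


# Constructed sample: five sensors, each sharing a key with the sink, one round nonce.
SENSOR_KEYS = [hashlib.sha256(f"sensor-{i}".encode()).digest() for i in range(5)]
READINGS = [20, 22, 21, 25, 19]
NONCE = b"round-0001"


def run_round(readings=READINGS, keys=SENSOR_KEYS, nonce=NONCE):
    """Whole concast: sensors encrypt, an aggregator sums, the sink decrypts."""
    cts = [encrypt(k, nonce, encode(x)) for k, x in zip(keys, readings)]
    return sink_statistics(keys, nonce, aggregate(cts))


def tamper(keys, nonce, readings, delta):
    """A compromised aggregator adds `delta` to the sum slot.  The scheme is
    malleable, so the sink decrypts a wrong sum and has no way to notice."""
    cts = [encrypt(k, nonce, encode(x)) for k, x in zip(keys, readings)]
    agg = aggregate(cts)
    agg[0] = (agg[0] + delta) % M
    return decrypt(keys, nonce, agg)[0]


if __name__ == "__main__":
    print(run_round())
    print(tamper(SENSOR_KEYS, NONCE, READINGS, 100))
```

Because the cipher is a one-time pad modulo M, the nonce must change on every round, and the sink must know exactly which sensors contributed, since it subtracts their pads; a missing or replayed report silently corrupts the result, which is the same integrity gap that `tamper` exposes.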
Key Pre-distribution Protocol for Multi-Phase Wireless Sensor Networks
Wireless sensor networks are usually deployed to operate for a long period of time. Because nodes are battery-operated, they eventually run out of power, and new nodes need to be deployed periodically to maintain network connectivity. This type of network is referred to as a multi-phase WSN. Existing key pre-distribution schemes are not adapted to multi-phase WSNs: with these schemes, the security of the WSN degrades with time, since the proportion of corrupted links gradually increases. We proposed a new pre-distribution scheme, called RoK, adapted to multi-phase WSNs. In RoK, the pre-distributed keys have limited lifetimes and are refreshed periodically. As a result, a network that is temporarily attacked (i.e., the attacker is active only for a limited amount of time) automatically self-heals, i.e., recovers its initial state once the attack stops. In contrast, with existing schemes an attacker that corrupts a certain number of nodes compromises a given fraction of the total number of secure channels, and this ratio remains constant until the end of the network's life even if the attacker stops. Furthermore, with our scheme a network that is constantly attacked (i.e., the attacker keeps corrupting nodes without stopping) is much less impacted than with existing key pre-distribution protocols: with those, the number of compromised links keeps growing until all links are compromised, whereas with RoK the proportion of compromised links is bounded and constant. This work was presented at SecureComm07 last year  .
During this year, RoK was implemented under TinyOS. Research on RoK is still in progress, as several improvements are under investigation. The first is to replace the hash chain RoK relies on with a hash tree, to reduce the storage overhead. The second is to enable a self-healing mechanism between newly deployed sensors and old nodes. Preliminary results encourage us to keep working in this direction.
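The following simulation is an added illustration of the self-healing property described above; it is our own simplified model, not the RoK protocol. It assumes a pool of key slots, each node receiving a random ring of slots, and per-slot keys that change every generation: the key of slot s at generation g is a hash of a forward hash-chain value F[s][g] and a backward hash-chain value B[s][g], and a node deployed at generation j with lifetime L is given only F[s][j] and B[s][j+L-1], so it (or whoever captures it) can derive the keys of its own lifetime window and nothing else. The same ring structure with one fixed key per slot stands in for a conventional static scheme. All parameters (pool size, ring size, lifetimes, attack window) are constructed values.

```python
import hashlib
import random
from itertools import combinations


def H(*parts):
    """SHA-256 of the concatenated parts (bytes, or str/int encoded as text)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return h.digest()


def build_chains(seed, slots, gens):
    """Per slot s: forward chain F[s][g] = H(F[s][g-1]) and backward chain
    B[s][g] = H(B[s][g+1]).  Only the sink holds both chains in full."""
    F, B = [], []
    for s in range(slots):
        f, b = [H(seed, "F", s)], [H(seed, "B", s)]
        for _ in range(1, gens):
            f.append(H(f[-1]))
            b.append(H(b[-1]))
        b.reverse()                      # so that b[g] == H(b[g + 1])
        F.append(f)
        B.append(b)
    return F, B


def slot_key(F, B, s, g):
    """Key of slot s during generation g, as the sink computes it."""
    return H(F[s][g], B[s][g])


def window_keys(f_j, b_end, j, L):
    """What a node deployed at generation j with lifetime L can derive for one
    slot from the two values it was given, F[s][j] and B[s][j+L-1]: the keys of
    generations j .. j+L-1 and nothing else, because H cannot be inverted.
    An adversary capturing the node learns exactly this set."""
    b = [b_end]
    for _ in range(L - 1):
        b.append(H(b[-1]))
    b.reverse()                          # b[i] == B[s][j + i]
    keys, f = {}, f_j
    for i in range(L):
        keys[j + i] = H(f, b[i])
        f = H(f)
    return keys


def simulate(gens=14, per_gen=8, L=4, slots=40, ring=6,
             attack=(3, 4), captured=2, seed=7):
    """Deploy per_gen nodes each generation, each alive for L generations with a
    random ring of `ring` slots.  From generation attack[0] to attack[1] the
    adversary captures `captured` live nodes per generation.  Returns, per
    generation, the fraction of live links whose key the adversary knows under
    the static scheme and under the time-limited scheme."""
    rng = random.Random(seed)
    F, B = build_chains(b"sink seed", slots, gens + L)
    static_key = [H("static", s) for s in range(slots)]
    nodes, known_static, known_evolving = [], set(), set()
    static_frac, evolving_frac = [], []
    for g in range(gens):
        nodes = [n for n in nodes if n[0] + L > g]          # retire dead nodes
        nodes += [(g, frozenset(rng.sample(range(slots), ring)))
                  for _ in range(per_gen)]
        if attack[0] <= g <= attack[1]:
            for j, r in rng.sample(nodes, captured):        # node capture
                for s in r:
                    known_static.add(static_key[s])
                    known_evolving.update(
                        window_keys(F[s][j], B[s][j + L - 1], j, L).values())
        links = [(a, b) for a, b in combinations(nodes, 2) if a[1] & b[1]]
        bad_static = bad_evolving = 0
        for a, b in links:
            s = min(a[1] & b[1])         # link key comes from the lowest shared slot
            bad_static += static_key[s] in known_static
            bad_evolving += slot_key(F, B, s, g) in known_evolving
        n = len(links) or 1
        static_frac.append(bad_static / n)
        evolving_frac.append(bad_evolving / n)
    return static_frac, evolving_frac


if __name__ == "__main__":
    for g, (st, ev) in enumerate(zip(*simulate())):
        print(f"gen {g:2d}  static {st:.2f}  time-limited {ev:.2f}")
```

In the static model the compromised fraction stays positive for the rest of the run; in the time-limited model it drops to zero once every node captured during the attack window has reached the end of its lifetime (here generation attack[1] + L), which is the self-healing behaviour described above. Capturing a node reveals F[s][j] and B[s][j+L-1], but neither B[s][j-1] nor F[s][j+L], so keys of earlier and later generations stay out of reach even for slots the attacker knows.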
Unattended Wireless Sensor Networks
We studied the security problems of Unattended Wireless Sensor Networks (UWSNs), in which a collector sink is available to collect sensed data only at unpredictable and irregular time intervals. During its absence, sensors must store locally the data collected from the environment until the next sink visit. We addressed several problems related to UWSNs. In a first paper  ,  , we envisaged and addressed the survivability of sensitive data in UWSNs operating in hostile settings, where the adversary's goals and abilities are tailored to the unattended nature of the network. While that work focused on countermeasures that do not use any kind of cryptography, in a subsequent paper  we propose cryptographic defenses for coping with a focused mobile adversary in UWSNs. Another problem we addressed is data authentication in UWSNs  : giving the sink an effective and efficient way to establish that data gathered from the UWSN were not forged or modified by an adversary. Despite the simple network model, the issues raised in our work can pave the way for further research. In future work, we plan to introduce new assumptions and variables, such as communication and storage overhead, as well as new adversarial models. Moreover, the search for efficient ways to detect and isolate compromised nodes seems an interesting and promising challenge.
Code Injection in Sensor Networks
Harvard architecture CPU designs are common in the embedded world; the Mica family of wireless sensors is one example. We show, with a practical example on the Micaz, the feasibility of remote code injection on Harvard architecture devices, where the separation of code and data memory prevents injected data from being executed directly. This is achieved by using techniques such as return-oriented programming and fake stack injection on a Micaz node. We evaluate both the threat this poses to networked embedded systems (worms, botnets, etc.) and possible countermeasures. A preliminary version of this work was presented at SSTIC  . The full version was presented at the ACM CCS conference  .
Software-based program code attestation in wireless sensor networks
Code attestation in wireless sensor networks is a challenging issue, due to the lack of trusted hardware and the impossibility of physical access to the devices. Nevertheless, without the assurance that sensors are running authentic code, reported measurements cannot be trusted. Previous software-based solutions are based on a challenge-response paradigm: the verifier challenges the sensor to compute a checksum of its code. Since the verifier knows the code that should be running on the sensor, it compares the received checksum with a locally computed one in order to verify the authenticity of the sensor's code. However, if a sensor running malicious code keeps a copy of the original code in its memory, it can still compute a valid checksum whenever verification is required. Techniques proposed to guarantee that a compromised sensor is not storing a copy of the original code either rely on unrealistic assumptions or fail to take into account the broad range of malicious behaviours a compromised node could adopt in order to deceive the verifier. Our basic idea is to verify the contents of all memories available to the sensor and to make sure that the latter has no space left in which to store any code. The goal of this project is to formalize and analyze this approach and later demonstrate its feasibility through implementation. Results are expected to be presented in a conference paper.
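The following Python model is an added illustration of the argument above, not the project's implementation. It represents the sensor's program memory as one fixed-size byte array and compares two protocols: a naive one, where the verifier asks for a nonce-bound checksum of the code region, and a memory-filling one (an assumed realisation of "no space left to store any code"), where the verifier first sends random data that must overwrite all free memory and only then sends the nonce for a checksum over the entire memory. A compromised device that keeps a copy of the genuine code passes the naive check, but under the second protocol it must either refuse the fill or overwrite its copy, and fails either way. Memory sizes and images are constructed; SHA-256 stands in for the lightweight checksum a sensor would compute, and timing-based defences or memories other than program memory are outside this toy.

```python
import hashlib
import os

MEM_SIZE = 256                                              # program memory of the toy sensor
GENUINE = hashlib.sha256(b"genuine firmware").digest() * 3  # constructed 96-byte code image
MALWARE = b"\xee" * len(GENUINE)                            # constructed malicious image, same size
FREE = MEM_SIZE - len(GENUINE)                              # memory the genuine image leaves unused


def checksum(nonce, region):
    """Nonce-bound checksum over a memory region."""
    return hashlib.sha256(nonce + bytes(region)).digest()


class Device:
    """A sensor: flat memory plus the attestation routine it runs.  An honest
    device runs GENUINE; a compromised one runs MALWARE and stashes a copy of
    GENUINE in free memory so it can still answer code checksums."""

    def __init__(self, image, stash=None, keep_stash=False):
        self.mem = bytearray(MEM_SIZE)
        self.mem[:len(image)] = image
        self.stash_at = None
        if stash is not None:
            self.stash_at = len(image)
            self.mem[self.stash_at:self.stash_at + len(stash)] = stash
        self.keep_stash = keep_stash

    def code_checksum(self, nonce):
        """Naive protocol: checksum over the code region.  A compromised device
        simply hashes its stashed copy instead of what it actually runs."""
        start = 0 if self.stash_at is None else self.stash_at
        return checksum(nonce, self.mem[start:start + len(GENUINE)])

    def write_fill(self, fill):
        """Memory-filling protocol, step 1: overwrite all free memory with the
        verifier's random bytes.  A compromised device can refuse (keeping its
        stash) or comply (destroying it); there is no third place for the data."""
        if self.keep_stash:
            return
        self.mem[len(GENUINE):] = fill

    def memory_checksum(self, nonce):
        """Memory-filling protocol, step 2: checksum over the whole memory."""
        return checksum(nonce, self.mem)


def naive_verify(device, rng=os.urandom):
    """Verifier for the naive protocol: does the code region hash correctly?"""
    nonce = rng(16)
    return device.code_checksum(nonce) == checksum(nonce, GENUINE)


def filling_verify(device, rng=os.urandom):
    """Verifier for the memory-filling protocol: fill first, nonce afterwards,
    so the device must hold code and fill together when it answers."""
    fill = rng(FREE)
    device.write_fill(fill)
    nonce = rng(16)
    return device.memory_checksum(nonce) == checksum(nonce, GENUINE + fill)


def run_all():
    """Outcome (naive, filling) for an honest device and for a compromised
    device under each of its two possible reactions to the fill."""
    honest = Device(GENUINE)
    refuses = Device(MALWARE, stash=GENUINE, keep_stash=True)
    complies = Device(MALWARE, stash=GENUINE, keep_stash=False)
    return {
        "honest": (naive_verify(honest), filling_verify(honest)),
        "compromised, keeps copy": (naive_verify(refuses), filling_verify(refuses)),
        "compromised, overwrites copy": (naive_verify(complies), filling_verify(complies)),
    }


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:30s} naive={outcome[0]} filling={outcome[1]}")
```

The order of the two verifier messages matters: if the nonce were sent together with the fill, a compromised device could hash the fill as it streams in without ever storing it, and the memory constraint would not bite. Sending the fill first and the nonce later forces the device to keep the fill resident at the moment it has to answer.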
RFID Private Identification
We have been participating in the ANR RFID-AP project, working on contactless card security and the security of embedded, low-cost cryptographic algorithms. We have been working with the community-driven OpenPCD contactless reader, for which we have submitted some patches.
We collaborated with Karsten Nohl (University of Virginia) to break the embedded cryptographic primitive of the Mifare contactless card using SAT solvers; a paper on this attack is under review. We also broke a proposed RFID private authentication protocol by Molva and Di Pietro and published a paper about this break at RFIDSec 2008  . We are developing a tool to analyse, and possibly break, shift-register-based cryptographic algorithms.
Analysis and study of botnets
We have started an activity on cybercrime, beginning with the study of several peer-to-peer botnets. A botnet is a network of compromised hosts on the Internet under the control of an attacker. Botnets are considered one of the biggest threats to the proper functioning of the Internet and account for more than 90% of all spam sent every day. We studied a particular botnet, so-called Storm, which uses a peer-to-peer protocol to coordinate the bots (the infected hosts). Our study led to a good understanding of the inner workings of this botnet: how it is controlled, what kind of illegal activities are conducted with it, etc. This activity is still active and should expand during the coming years.