Reliable Telemetry in White Spaces using Remote Attestation • Omid Fatemieh, Michael D. LeMay, Carl A. Gunter • University of Illinois at Urbana-Champaign • Annual Computer Security Applications Conference (ACSAC) • Dec 9, 2011
Opportunistic Spectrum Access • Spectrum crunch • Increased demand • Limited supply • Inefficiencies of fixed and long term spectrum assignment (licenses) • Emerging solution: opportunistic access to unused portions of licensed bands
Opportunistic Spectrum Access • Spectrum crunch • Increased demand • Limited supply • Inefficiencies of fixed and long term spectrum assignment (licenses) • Emerging solution: opportunistic access to WHITE SPACES • Cognitive Radio: A radio that interacts with the environment and changes its transmitter parameters accordingly • [Figure labels: Primary Transmitter; Primary Receiver; Secondary Transmitter/Receiver (Cognitive Radio)]
White Space Networks • Allowed by FCC in Nov 2008 (and Sep 2010) • TV White Spaces: unused TV channels 2-51 (54 MHz-698 MHz) • Much spectrum freed up in transition to Digital Television (DTV) in 2009 • Excellent penetration and range properties • Applications • Super Wi-Fi • Campus-wide Internet • Rural broadband (e.g. Claudville, VA) • Advanced Meter Infrastructure (AMI) [FatemiehCG – ISRCS ‘10]
How to Identify Unused Spectrum? • Spectrum Sensing – Energy Detection • Requires sensing-capable devices -> cognitive radios • Signal is variable due to terrain, shadowing and fading • Sensing is challenging at low thresholds • Central aggregation of spectrum measurement data • Base station (e.g. IEEE 802.22) • Spectrum availability database (required by the FCC) • [Figure labels: No-talk Region for Primary Transmitter; Collaborative Sensing]
Malicious Misreporting Attacks • Malicious misreporting attacks • Exploitation: falsely declare a frequency occupied • Vandalism: falsely declare a frequency free • Why challenging to detect? • Spatial variations of primary signal due to signal attenuation • Natural differences due to shadow-fading, etc. • Temporal variations of primary • Compromised nodes may collude and employ smart strategies to hide under legitimate variations • How to defend against such coordinated/omniscient attackers? • [Figure labels: Compromised Secondary – Vandalism; Compromised Secondary – Exploitation]
Limitations of Previous Work • Initially assume all sensors are equal • Rely only on comparing measurements • Shadow-fading correlation filters for abnormality detection [MinSH – ICNP ‘09] • Model-based (statistical) outlier detection [FatemiehCG – DySPAN ‘10] • Data-based (classification) attacker detection [FatemiehFCG – NDSS ‘11] • Resulting drawback: attacker penetration has to be significantly limited for solutions to work • What if we can have a subset of "super-nodes"?
A Subset of Trusted Nodes • Remote attestation: A technique to provide certified information about software, firmware, or configuration to a remote party • Detect compromise • Establish trust • Root of trust for remote attestation • Trusted hardware: TPM on PCs or MTM on mobile devices • Software on chip [LeMayG - ESORICS ‘09] • Why a subset? • Low penetration among volunteer nodes • Cost: manufacturing, energy, time, bandwidth (see paper for numbers) • [Figure labels: Nonce; Attestation-Capable System; Remote Server; Signed[Nonce || System State]]
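The nonce challenge and Signed[Nonce || System State] response on this slide, sketched as an added example (not code from the talk or the paper). An HMAC over a shared demo key stands in for the TPM/MTM signature, and `Verifier`, `attest`, `DEVICE_KEY` and `KNOWN_GOOD` are hypothetical names with constructed values.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = b"constructed-demo-key"  # stand-in for a key held by the TPM/MTM
GOOD_STATE = hashlib.sha256(b"sensing-firmware-v1").hexdigest()  # constructed
KNOWN_GOOD = {GOOD_STATE}  # system states the server is willing to trust

def attest(nonce: bytes, state: str, key: bytes = DEVICE_KEY) -> bytes:
    """Device side: produce Signed[Nonce || System State] (HMAC as stand-in)."""
    return hmac.new(key, nonce + state.encode(), hashlib.sha256).digest()

class Verifier:
    """Server side: issues single-use nonces and checks the signed response."""

    def __init__(self):
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length keeps Nonce || State unambiguous
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, state: str, sig: bytes) -> str:
        if nonce not in self.pending:
            return "rejected: unknown or replayed nonce"
        self.pending.discard(nonce)  # a nonce is accepted once only
        if not hmac.compare_digest(attest(nonce, state), sig):
            return "rejected: bad signature"
        if state not in KNOWN_GOOD:
            return "rejected: unexpected system state"
        return "attested"

if __name__ == "__main__":
    server = Verifier()
    n = server.challenge()
    sig = attest(n, GOOD_STATE)
    print(server.verify(n, GOOD_STATE, sig))  # fresh nonce, known-good state
    print(server.verify(n, GOOD_STATE, sig))  # same response replayed
```

Only nodes whose response verifies as attested would be treated as trusted in the aggregation steps on the following slides.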
Key Observations • Goal: obtain an estimate of signal power in any cell to compare to threshold • Cell A: Safety or precision? • Cells B and C: How many regular nodes to include? Which ones? • Steps • A systematic strategy to determine when there is enough data • If we need additional data, which ones to add to aggregation pool? • Ensure pool not attacker-dominated • [Figure: cells A, B and C; legend: Regular Node, Attested Node]
Intra-cell Node Selection • Sequential intra-cell node selection • Include all attested nodes • Include regular nodes until a precision goal is met • Precision goal: Ensure margin of error for aggregate smaller than requirements (e.g. 3dB) with high confidence (e.g. 95%) (unknown distribution) • Mean: Asymptotically efficient Chow-Robbins sequential procedure: • Median: Find a and b (order statistics):
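The sequential selection for the mean, as an added example (not the authors' code): start from all attested readings and add regular readings one at a time until the margin of error meets the goal. The slide's own formula is not on this page, so the stopping rule below is the textbook Chow-Robbins form with a constant 95% normal quantile in place of the sequence a_n; the readings (dBm) and function names are constructed for illustration.

```python
import math
import random
import statistics

Z_95 = 1.96  # normal quantile for 95% confidence (assumed constant for a_n)

def margin_of_error(pool, z=Z_95):
    """Half-width z*sqrt(V_n/n), where V_n = biased sample variance + 1/n."""
    n = len(pool)
    if n < 2:
        return math.inf
    v_n = statistics.pvariance(pool) + 1.0 / n  # the 1/n term guards tiny samples
    return z * math.sqrt(v_n / n)

def select_pool(attested, regular, goal_db=3.0):
    """Include every attested reading, then regular ones until the goal is met."""
    pool = list(attested)
    used = 0
    for reading in regular:
        if margin_of_error(pool) <= goal_db:
            break  # enough data: stop pulling in untrusted readings
        pool.append(reading)
        used += 1
    return pool, used, margin_of_error(pool) <= goal_db

# Constructed sample data: 3 attested nodes, 60 regular nodes with 6 dB spread
_rng = random.Random(7)
ATTESTED = [-92.0, -88.0, -95.0]
REGULAR = [_rng.gauss(-91.0, 6.0) for _ in range(60)]

if __name__ == "__main__":
    for goal in (3.0, 0.5):
        pool, used, met = select_pool(ATTESTED, REGULAR, goal)
        print(f"goal={goal} dB: regular nodes used={used}, "
              f"mean={statistics.mean(pool):.1f} dBm, "
              f"margin={margin_of_error(pool):.2f} dB, goal met={met}")
```

When the goal is not met even after every regular reading is used, the third return value is False and the caller has to decide whether the cell's estimate is usable.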
Classification-based inter-cell detection • Last step: Classification-based inter-cell attacker detection • If detected: only use attested data in E • Median as aggregate: • (+) Less vulnerable to legitimate variations or minority attackers • (-) Achieving the required precision requires more data • (-) Majority attackers can move median while being less ‘abnormal’ • Aggregate: median when attested majority, and mean otherwise
Evaluation • Hilly Southwest Pennsylvania • TV transmitter data from FCC • Terrain data from NASA • Ground truth: predicted signal propagation using empirical Longley-Rice model • Takes into account: • Transmitter power, location, height, frequency • Terrain and distance • Added aggressive log-normal shadow-fading variations • Used data to build classifier and evaluate protection against attacks
Results • [Plots: Attack Deterrence Rate (Attested fraction ≈ .25); False Outcome Rate]
Conclusions and Future Work • Showed how to use a small subset of attestation-capable nodes to improve trustworthiness of distributed sensing results. • Proposed methods: • Provide quantifiably precise results. • Provide effective protection against attacks with small fraction of attested nodes. • Can lower attestation costs for real deployment. • Future direction: Developing a framework for formulating costs associated with including regular and attested nodes, and systematically striking a balance between the costs (from spectrum data aggregation and remote attestation) and obtaining precise aggregation results.