David Kendall

Formal modelling of a robust Wireless Sensor Network routing protocol

Because of their low cost, small size, low resources and self-organizing nature a Wireless Sensor Network (WSN) is a potential solution in hostile environments including military applications. However, the broadcasting nature of radio transmission; their limited computing, power and communication resources; unattended and potentially hostile nature of the environment they operate in make WSNs prone to Denial of Service (DoS) attacks. Although many schemes have been proposed to address DoS attacks their effectiveness is yet to be proven. The traditional methods used (i.e. visual inspection, computer simulations and hardware implementations) can only detect errors but cannot verify that the whole system is error free. Therefore, new techniques to automatically determine the worst cases and hidden errors in WSNs are much desired. After an initial investigation using a formal verification which clearly shows that Arrive routing protocol is vulnerable to different DoS attacks, this paper proposes a method for its security. The finding contradicts the claim of the developers of Arrive that it is immune to black hole attacks. Several other DoS attacks were also found to be successful in Arrive routing protocol. The formal model generates the trace to confirm how an attack is possible in the protocol. However, it was found that INA attacks are addressed by Arrive protocol. To our best knowledge the results discussed in this paper have not been presented, proved or published before.

Using Timed Automata for Response Time Analysis of Distributed Real-Time Systems

Abstract Rate Monotonic Analysis (RMA) is a well-established technique for assessing schedulability of periodic and sporadic tasks which share a processor resource using fixed priority scheduling. Adaptations of this technique have been made to perform Response Time Analysis (RTA), accounting for jitter, blocking, distributed systems and end-to end timing constraints. However, the nature of the analysis means that, while good bounds can be given for uni-processor systems with relatively little interdependency, the response times calculated for more complex systems can be very conservative. An alternative approach to analysing such systems is to build a model which represents the behaviour of the system more dynamically, taking into account the dependency between the tasks. To do this, we introduce a simple language for describing the tasks which comprise a system and the precedence relationships between them. From this a timed hybrid automaton is generated which can be analysed automatically to predict end-to-end response times. Applying this technique in practice yields promising results, with response times lower than those calculated with RTA. However, there is a trade-off to be made between thecomplexity of the hybrid automaton analysis (which suffers from the state explosion problem) and the conservatism of the more standard RTA approach.

Improving the Accuracy of Scheduling Analysis Applied toDistributed Systems Computing Minimal ResponseTimes and Reducing Jitter

A well-established approachto the verification of end-to-end response times for distributed,hard real-time systems is an integrated scheduling analysis ofboth task processing and message communication. Hitherto, publishedanalyses have been confined to the computation of worst-casebounds only and best-case response times have been ignored, assumedto be zero or treated approximately. However, there are compellingreasons for computing both upper and lower bounds on responsetimes, not only to allow the verification of best-case performancebut also to improve the accuracy of the overall analysis. Thispaper describes a precise best-case execution time analysis whichreduces jitter and extends distributed scheduling analysis toyield more accurate upper and lower bounds on system responsetimes. The analysis is combined with existing results for worst-caseresponses in a single scheduling algorithm to compute both upperand lower bounds on end-to-end response in distributed systems.A design tool has been developed to automatethe analysis and support the performance verification of diversereal-time systems composed of tasks executing on multiple processorswhich communicate using the Controller Area Network (CAN) fieldbus.

Vulnerability of insens to denial of service attacks

Wireless Sensor Networks (WSNs) may be deployed in hostile or inaccessible environments and are often unattended. In these conditions securing a WSN against malicious attacks is a particular challenge. This paper proposes to use formal methods to investigate the security of the INSENS protocol, in respect of its capability to withstand several denial of service attacks. The paper is an extension to our previous work where we proposed a formal framework to verify some wireless routing protocols. We have confirmed that the bidirectional verification employed by INSENS prevents attacks such as hello flood. However, INSENS is shown to be vulnerable to invisible node, wormhole and black hole attacks, even in a network of only a few nodes communicating over ideal channels. Packet loss in the presence of these attacks has been demonstrated and quantified using the TOSSIM wireless simulator.

Validation, verification and implementation of timed protocols using AORTA

AORTA is an implementable timed process algebra which has been proposed as a design language for hard real-time systems. In this paper we show how AORTA can be used to design and model timed protocols, illustrated by the alternating bit protocol. We also describe tools which have been developed for simulation, verification and automatic implementation of AORTA systems, and outline a relationship between the formal models which are verified and the code which is generated.

A formally based hard real-time kernel

In order to demonstrably satisfy hard real-time deadlines, a system must be predictable, and in particular the kernel must be predictable. In this paper we present and analyse a predictable kernel related to AORTA, a formal design language for hard real-time systems. The features of the kernel allow AORTA designs to be verifiably and semi-automatically implemented, and enable verified guarantees to be given about the real-time behaviour of the system.

Designing and Implementing Correct Real-Time Systems

Existing formal methods for real-time largely deal with abstract models of real-time systems, and seldom address implementation issues; they are mainly used for modelling and specification. In this paper we propose an alternative approach, in which a new timed process algebra, AORTA, is used as a design language, which can be verifiably implemented. As well as introducing and formally defining the language, methods for implementation and verification are discussed.

RAEED: A solution for hello flood attack

Hello flood attack has long been a problem in ad-hoc and wireless networks during data routing. Although numerous solutions have been proposed, they all have drawbacks. The main reason is that formal modeling techniques have not been employed to confirm whether the solutions are immune from DoS attacks. We have earlier shown how formal modeling can be utilized efficiently to detect the vulnerabilities of existing routing protocols against DoS attacks. In this paper we propose a new protocol, RAEED (Robust formally Analysed protocol for wirEless sEnsor networks Deployment), which is able to address the problem of Hello flood attacks. Using formal modeling we prove that RAEED avoids these types of attack. Finally computer simulations were carried out to support our findings. RAEED employs an improved bidirectional verification and the key exchange characteristics of the INSENS and the LEAP. RAEED preserves the security and reduces traffic. The improvements in RAEED were the less number of messages exchanged, less percentage of messages lost and reduction in time to complete key setup phase.

Practical formal development of real-time systems

The complexities of real-time systems are such that it is often thought necessary to give a formal justification of their correctness especially if they are to be used in a safety-critical environment. We describe our work on a formally based design method for real-time systems which allows the timing aspects of a concurrent system to be mathematically described and verified, as well as semi-automatically implemented. Our design language, AORTA, is a timed process algebra, with features to ensure that all designs can be implemented. A predictable real-time kernel is also described, which is used in the construction of a system from an AORTA design, and which allows the timing of the implementation to be verified.<<ETX>>

Please slow down!: the impact on tor performance from mobility

The number of mobile devices, connecting to the Internet, is predicted to surpass desktop connections by 2014. The likely growth in their mobile client base will offer an additional challenge for anonymity networks, such as Tor, in maintaining an efficient privacy service. We have conducted a simple experiment that illustrates this challenge. We have simulated the performance achieved by a mobile Tor node as it roams at varying speeds between wireless networks. The results show that the impact on performance for the mobile user, and potentially the wider Tor network, is significant when roaming, and as expected, increases with higher mobility speeds and longer recovery times. We review a range of solutions and suggest that, although the use of a lighter transport protocol and/or adaptive client throttling may reduce the performance impact of mobility, a better strategy is to provide a persistent connection to the Tor network for roaming mobile users.