Publication


Featured research published by Ermanno Battista.


information reuse and integration | 2014

Advancing WSN physical security adopting TPM-based architectures

Mario Barbareschi; Ermanno Battista; Antonino Mazzeo; Sridhar Venkatesan

Cyber Physical Systems typically operate unattended in hostile outdoor environments. A lot of effort has been made to protect the communication between sensing nodes and the processing infrastructure. However, with regards to physical protection of a node, assessing the integrity of its hardware/software is a challenging issue. In this paper, we propose and evaluate a node architecture which makes use of Trusted Platform Module (TPM) to perform cryptographic operations in a trustworthy manner. TPM builds a chain of trust which enforces a trustability relationship among the node's components. In such context, the node will function only if all the hardware and software configurations have been verified by means of cryptographic operations. Moreover, using tamper resistant hardware we will ensure that the cryptographic keys do not leave a secure perimeter.


information reuse and integration | 2014

A hardware accelerator for data classification within the sensing infrastructure

Mario Barbareschi; Ermanno Battista; Nicola Mazzocca; Sridhar Venkatesan

Cyber Physical Systems are typically deployed using simple sensing nodes and communicate with a complex elaboration and management infrastructure through the internet. The new trend in the design of such systems is to implement a significant part of the data elaboration within the sensing infrastructure. Due to the scarce computing capabilities of the nodes and tight performance constraints, it is necessary to equip the nodes with special purpose hardware accelerators. In particular, we discuss a Decision Support System implementation in which special nodes are able to autonomously perform the data classification task. In this paper, we present a node architecture equipped with a special purpose co-processor to perform data classification through a decision tree visiting algorithm, and we discuss its suitability for the WSN domain.


international conference on design and technology of integrated systems in nanoscale era | 2015

Testing 90 nm microcontroller SRAM PUF quality

Mario Barbareschi; Ermanno Battista; Antonino Mazzeo; Nicola Mazzocca

In digital systems, Static Random Access Memories (SRAMs) play an important role since they are available in almost every digital device and are able to realize Physically Unclonable Functions (PUFs), which can enable security primitives over a wide range of devices without needing additional hardware resources. Indeed, each SRAM presents an unpredictable and unique pattern, established when they are powered-up, which can be useful as key generator and for authentication mechanisms. Before exploiting SRAMs as PUFs, they have to be qualified in terms of stability since the pattern behavior of SRAMs might be heavily influenced by a wide variety of working conditions, such as temperature and applied voltage. In this paper we present the result of an experimental campaign, conducted over real 90nm SRAMs, whose aim is to deeply investigate the power-up pattern behavior under different power supply strategies through the PUF quality analysis. In particular we show the reliability, uniqueness and uniformity for SRAMs embedded in STM32F3 and STM32F4 microcontrollers for more than 50 devices.


communications and networking symposium | 2015

A deception based approach for defeating OS and service fingerprinting

Massimiliano Albanese; Ermanno Battista; Sushil Jajodia

Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting critical information about the target system, including information about network topology, services, operating systems, and unpatched vulnerabilities. Specifically, operating system fingerprinting aims at determining the operating system of a remote host in either a passive way, through sniffing and traffic analysis, or an active way, through probing. Similarly, service fingerprinting aims at determining what services are running on a remote host. In this paper, we propose an approach to defeat an attacker's fingerprinting effort through deception. To defeat OS fingerprinting, we manipulate outgoing traffic so that it resembles traffic generated by a host with a different operating system. Similarly, to defeat service fingerprinting, we modify the service banner by intercepting and manipulating certain packets before they leave the host or network. Experimental results show that our approach can efficiently and effectively deceive an attacker.


information reuse and integration | 2014

Next-generation technologies for preventing accidental death of children trapped in parked vehicles

Vittoria Aiello; Parnian Najafi Borazjani; Ermanno Battista; Massimiliano Albanese

Integration of computational and physical elements into cyber-physical systems is increasingly finding application in a number of different domains, including smart power grids, medical technologies, and building automation. In this paper, we study how the notion of cyber-physical integration can be applied to the design of the next generation of safety devices for saving the life of children inadvertently left in parked vehicles. In the United States alone, an average of 38 children die from heatstroke after being left in parked vehicles by their caregivers. To be effective, next-generation safety devices will need to have the capability of sensing the environment in and around the vehicle, integrating and processing data from an array of different sensors, assessing the risk in real time, and triggering appropriate corrective actions aimed at removing or mitigating the risk factors for the child.


communications and networking symposium | 2014

Manipulating the attacker's view of a system's attack surface

Massimiliano Albanese; Ermanno Battista; Sushil Jajodia; Valentina Casola

Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, and unpatched vulnerabilities. Unfortunately, when system configurations are static, attackers will always be able, given enough time, to acquire accurate knowledge about the target system and engineer effective exploits. To address this important problem, many adaptive techniques have been devised to dynamically change some aspects of a system's configuration in order to introduce uncertainty for the attacker. In this paper, we advance the state of the art in adaptive defense by looking at the problem from a control perspective and proposing a graph-based approach to manipulate the attacker's view of a system's attack surface. To achieve this objective, we formalize the notion of system view and distance between views. We then define a principled approach to manipulate responses to attacker's probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to different classes of problems, namely (i) inducing an external view that is at a minimum distance from the internal view while minimizing the cost for the defender; (ii) inducing an external view that maximizes the distance from the internal view, given an upper bound on the admissible cost for the defender. Experiments conducted on a prototypal implementation of the proposed algorithms confirm that our approach is efficient and effective in steering the attackers away from critical resources.


IIMSS | 2016

How to Manage Keys and Reconfiguration in WSNs Exploiting SRAM Based PUFs

Domenico Amelino; Mario Barbareschi; Ermanno Battista; Antonino Mazzeo

A wide spectrum of security challenges has been raised by Wireless Sensor Network (WSN) architectures, and common security techniques used in traditional networks are impractical. In particular, since sensor nodes are often deployed in unattended areas, physical attacks are possible and have to be taken into account during the architecture design. Whenever an attacker comes into possession of a node, he/she can jeopardize the network by extracting cryptographic keys used for secure communication. Moreover, an attacker can also try to brute force the keys, hence they should be fully random and hard to guess. In this paper, we propose a novel solution based on generating keys from unique physical characteristics of a node's integrated circuit without requiring additional hardware compared to common WSN node architectures. To this aim, we exploit the Static Random Access Memory based Physically Unclonable Functions and we show their applicability to the WSN by implementing a working prototype based on the STM32F4 microcontroller.


Cyber Deception | 2016

Deceiving Attackers by Creating a Virtual Attack Surface

Massimiliano Albanese; Ermanno Battista; Sushil Jajodia

Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, operating systems, and unpatched vulnerabilities. Unfortunately, when system configurations are static, attackers will always be able, given enough time, to acquire accurate knowledge about the target system through a variety of tools—including operating system and service fingerprinting—and engineer effective exploits. To address this important problem, many techniques have been devised to dynamically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. In this chapter, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which addresses several limitations of existing techniques. To achieve this objective, we formalize the notions of system view and distance between views. We then define a principled approach to manipulating responses to attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely (1) inducing an external view that is at a minimum distance from the internal view, while minimizing the cost for the defender; (2) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint operating systems and services on the target system. These techniques consist in manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.


International Journal of Critical Computer-based Systems | 2013

SIREN: a feasible moving target defence framework for securing resource-constrained embedded nodes

Ermanno Battista; Valentina Casola; Antonino Mazzeo; Nicola Mazzocca

Embedded nodes are widely used in several application domains thanks to low costs and their data acquisition and processing capabilities. In recent years, particular emphasis was given to pervasive wireless sensor nodes that enabled innovative applications for infrastructure monitoring, crowd-source sensing and mobile cyber-physical infrastructure. Indeed, security is one of the main open challenges to face; available security solutions are not able to cope with new attack scenarios and proactive measures to protect nodes are needed. Techniques aimed at continuously changing a system configuration, recently referred to as moving target defence (MTD), are emerging to improve the security level provided by the system but their feasibility in resource-constrained environments should be evaluated. Starting from these considerations, in this paper, we propose a reconfiguration framework for embedded nodes that is able to enhance the performance of available reconfiguration tools and also to enable the MTD approach in battery-supplied wireless sensor nodes. We will illustrate the details of the proposed architecture, named SIREN, and we will evaluate the feasibility of the proposed solution. First experimental results will show the great advantages of this proposal against available solutions.


2013 IEEE International Workshop on Measurements & Networking (M&N) | 2013

An integrated lifetime and network quality model of large WSNs

Ermanno Battista; Valentina Casola; Stefano Marrone; Nicola Mazzocca; Roberto Nardone; Valeria Vittorini

This paper introduces a modeling approach to the design and evaluation of large wireless sensor networks against the topology of the network and the monitoring application and taking into account the performance degradation due to the power consumption. The model is built by composing Stochastic Activity Network (SAN) models of the nodes and a Markovian Agent Model (MAM) of the whole network. The SAN models are used to conduct a performance analysis of the nodes (i.e. to measure their sampling time) and evaluate their mean time to discharge. The MAM is used to compose the results of the SAN model analysis into a complex topology-aware model able to evaluate the Packet Delivery Ratio (PDR) and the power consumption of the network. The possibility to model spatially distributed interdependencies featured by the MAM makes the integrated model a concrete, scalable means to evaluate different design choices and perform meaningful what-if analyses. The model has been validated by comparing the analysis results with real node values: specifically we present the experimental results obtained by using TelosB nodes equipped with TinyOS.

Collaboration

Top Co-Authors

Nicola Mazzocca, University of Naples Federico II

Valentina Casola, University of Naples Federico II

Antonino Mazzeo, University of Naples Federico II

Mario Barbareschi, University of Naples Federico II

Massimiliano Rak, Seconda Università degli Studi di Napoli

Massimo Ficco, Seconda Università degli Studi di Napoli

Roberto Nardone, University of Naples Federico II

Stefano Marrone, University of Naples Federico II