Mark Luk
Carnegie Mellon University
Publication
Featured research published by Mark Luk.
symposium on operating systems principles | 2007
Arvind Seshadri; Mark Luk; Ning Qu; Adrian Perrig
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits. Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers small code size and small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.
information processing in sensor networks | 2007
Mark Luk; Ghita Mezzour; Adrian Perrig; Virgil D. Gligor
Secure sensor network communication protocols need to provide three basic properties: data secrecy, authentication, and replay protection. Secure sensor network link layer protocols such as TinySec (C. Karlof et al., 2004) and ZigBee (2005) enjoy significant attention in the community. However, TinySec achieves low energy consumption by reducing the level of security provided. In contrast, ZigBee enjoys high security, but suffers from high energy consumption. MiniSec is a secure network layer that obtains the best of both worlds: low energy consumption and high security. MiniSec has two operating modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication. The latter does not require per-sender state for replay protection and thus scales to large networks. We present a publicly available implementation of MiniSec for the Telos platform, and experimental results demonstrate our low energy utilization.
symposium on operating systems principles | 2005
Arvind Seshadri; Mark Luk; Elaine Shi; Adrian Perrig; Leendert van Doorn; Pradeep K. Khosla
We propose a primitive, called Pioneer, as a first step towards verifiable code execution on untrusted legacy hosts. Pioneer does not require any hardware support such as secure co-processors or CPU-architecture extensions. We implement Pioneer on an Intel Pentium IV Xeon processor. Pioneer can be used as a basic building block to build security systems. We demonstrate this by building a kernel rootkit detector.
workshop on wireless security | 2006
Arvind Seshadri; Mark Luk; Adrian Perrig; Leendert van Doorn; Pradeep K. Khosla
This paper presents SCUBA (Secure Code Update By Attestation), for detecting and recovering compromised nodes in sensor networks. The SCUBA protocol enables the design of a sensor network that can detect compromised nodes without false negatives, and either repair them through code updates, or revoke the compromised nodes. The SCUBA protocol represents a promising approach for designing secure sensor networks by proposing a first approach for automatic recovery of compromised sensor nodes. The SCUBA protocol is based on ICE (Indisputable Code Execution), a primitive we introduce to dynamically establish a trusted code base on a remote, untrusted sensor node.
security of ad hoc and sensor networks | 2006
Mark Luk; Adrian Perrig; Bram Whillock
We investigate the design space of sensor network broadcast authentication. We show that prior approaches can be organized based on a taxonomy of seven fundamental properties, such that each approach can satisfy at most six of the seven properties. An empirical study of the design space reveals possibilities of new approaches, which we present in the following two new authentication protocols: RPT and LEA. Based on this taxonomy, we offer guidance in selecting the most appropriate protocol based on an application's desired properties. Finally, we pose the open challenge for the research community to devise a protocol simultaneously providing all seven properties.
distributed computing in sensor systems | 2005
Haowen Chan; Mark Luk; Adrian Perrig
Sensor network localization continues to be an important research challenge. The goal of localization is to assign geographic coordinates to each node in the sensor network. Localization schemes for sensor network systems should work with inexpensive off-the-shelf hardware, scale to large networks, and also achieve good accuracy in the presence of irregularities and obstacles in the deployment area. We present a novel approach for localization that can satisfy all of these desired properties. Recent developments in sensor network clustering algorithms have resulted in distributed algorithms that produce highly regular clusters. We propose to make use of this regularity to inform our localization algorithm. The main advantages of our approach are that our protocol requires only three randomly-placed nodes that know their geographic coordinates, and does not require any ranging or positioning equipment (i.e., no signal strength measurement, ultrasound ranging, or directional antennas are needed). So far, only the DV-Hop localization mechanism worked with the same assumptions [1]. We show that our proposed approach may outperform DV-Hop in certain scenarios, in particular when there exist large obstacles in the deployment field, or when the deployment area is free of obstacles but the number of anchors is limited.
distributed computing in sensor systems | 2008
Arvind Seshadri; Mark Luk; Adrian Perrig
This paper presents a protocol called SAKE (Software Attestation for Key Establishment), for establishing a shared key between any two neighboring nodes of a sensor network. SAKE guarantees the secrecy and authenticity of the key that is established, without requiring any prior authentic or secret information in either node. In other words, the attacker can read and modify the entire memory contents of both nodes before SAKE executes. Further, to the best of our knowledge, SAKE is the only protocol that can perform key re-establishment after sensor nodes are compromised, because the presence of the attacker's code in the memory of either protocol participant does not compromise the security of SAKE. Also, the attacker can perform any active or passive attack using an arbitrary number of malicious, colluding nodes. SAKE does not require any hardware modification to the sensor nodes, human mediation, or secure side channels. However, we do assume the setting of a computationally-limited attacker that does not introduce its own computationally powerful nodes into the sensor network. SAKE is based on ICE (Indisputable Code Execution), a primitive we introduce in previous work to dynamically establish a trusted execution environment on a remote, untrusted sensor node.
international conference on embedded networked sensor systems | 2007
Cynthia Kuo; Mark Luk; Rohit Negi; Adrian Perrig
Existing protocols for secure key establishment all rely on an unspecified mechanism for initially deploying secrets to sensor nodes. However, no commercially viable and secure mechanism exists for initial setup. Without a guarantee of secure key deployment, the traffic over a sensor network cannot be presumed secure. To address this problem, we present a user-friendly protocol for the secure deployment of cryptographic keys in sensor networks. We propose a collection of five techniques to prevent an attacker from eavesdropping on key deployment. To demonstrate feasibility for real-world use, we implement our protocol on Telos motes and conduct a user study.
conference on emerging network experiment and technology | 2006
Bryan Parno; Mark Luk; Evan Gaustad; Adrian Perrig
The deployment of sensor networks in security- and safety-critical environments requires secure communication primitives. In this paper, we design, implement, and evaluate a new secure routing protocol for sensor networks. Our protocol requires no special hardware and provides message delivery even in an environment with active adversaries. We adopt a clean-slate approach and design a new sensor network routing protocol with security and efficiency as central design parameters. Our protocol is efficient yet highly resilient to active attacks. We demonstrate the performance of our algorithms with simulation results as well as an implementation on Telos sensor nodes.
international workshop on security | 2007
Ahren Studer; Mark Luk; Adrian Perrig
Vehicular Ad hoc Networks (VANETs) are on the verge of deployment. In the near future, wireless vehicle-to-vehicle and vehicle-to-infrastructure communication will enable numerous safety, convenience, and business applications. Security is a necessary pre-requisite for adoption of these technologies. As we demonstrate in this paper, VANETs require two new security properties: Convoy Member Authentication (CMA) and Vehicle Sequence Authentication (VSA). These security properties detect a range of VANET attacks. We propose novel protocols that provide CMA and VSA. We analyze and evaluate our protocols and conclude that they represent an important step towards enhancing VANET security.