De Benedictis, Alessandra (2013) Change to survive: a Moving Target Defense approach to secure resource-constrained distributed devices. [Tesi di dottorato]

Anteprima

Testo De Benedictis_ PhD Thesis.pdf Download (2MB) | Anteprima

Abstract

This doctoral thesis has been developed with the aim of defining a design methodology for monitoring architectures composed of resource-constrained devices (sensor nodes, FPGAs, smartphones...), able to take into account both functional and non-functional requirements. Even if our primary focus was on security, our activity was aimed at identifying a holistic approach able to meet even other quality requirements, such as performance and energy consumption, as they are fundamental in real world applications. Security, performance and energy consumption requirements are closely related to one another and are often conflicting, and typically in complex real-world scenarios they change over time, thus requiring the ability to adapt dynamically. These features make the definition of a comprehensive approach very challenging in constrained networks, and require the introduction of a more flexible strategy to achieve security while preserving the overall quality of the system. In order to cope with these issues, we proposed a reconfiguration approach based on the Moving Target Defense paradigm, an emergent technique aimed at continuously changing a system's attack surface for thwarting attacks. Such mechanisms increase the uncertainty, complexity, and cost for attackers, limit the exposure of vulnerabilities, and ultimately increase overall resiliency, with the result of decreasing the attack probability. We defined a reconfiguration model for a generic embedded node, identifying some of the possible reconfigurable parameters -- namely the firmware, the APIs and the cryptosystem adopted to secure exchanged data -- and characterized a reconfiguration strategy, aimed at choosing the new configuration to activate based on given requirements. In order to do that, we introduced a coverage-based security metric to quantitatively measure the level of security provided by each system configuration; such metric, along with the commonly adopted performance metrics, is used by the reconfiguration strategy to identify the configuration to activate in the system that best meets the current requirements. In order to show the feasibility of our approach in real applications, we considered a Wireless Sensor Networks (WSNs) case study. We defined a reconfiguration model characterized by two different cryptosystems, based on Elliptic Curve Cryptography (ECC), at the security layer, and two different firmware versions at the physical layer. We developed and implemented two ad-hoc reconfiguration mechanisms to perform security-level and physical-level reconfiguration, and conducted specific analyses on the security layer to show how reconfiguration can help increase, or at least control, the security level provided by a system. At this aim, we first analyzed the performance, consumption and intrinsic security level provided by the two considered cryptosystems, and then conducted theoretical and experimental evaluations to show that reconfiguration is effective in increasing the complexity for the attacker. Current MTD designs lack quantitative metrics to measure the effectiveness of the proposed mechanisms in terms of enhanced security. We adopted the attack probability to indirectly measure the level of security provided by each configuration and show that our approach is capable of reducing the probability of successful attacks, compared to a baseline scenario where configurations are static.

Downloads

Actions (login required)

Modifica documento