Reliable Telemetry in White Spaces using Remote Attestation Omid Fatemieh, Michael D. LeMay, Carl A. Gunter University of Illinois at Urbana-Champaign.


1 Reliable Telemetry in White Spaces using Remote Attestation
Omid Fatemieh, Michael D. LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign
Annual Computer Security Applications Conference (ACSAC), Dec 9, 2011

2 Opportunistic Spectrum Access
Spectrum crunch
– Increased demand
– Limited supply
– Inefficiencies of fixed and long term spectrum assignment (licenses)
Emerging solution: opportunistic access to unused portions of licensed bands

3 Opportunistic Spectrum Access
Spectrum crunch
– Increased demand
– Limited supply
– Inefficiencies of fixed and long term spectrum assignment (licenses)
Emerging solution: opportunistic access to WHITE SPACES
Cognitive Radio: A radio that interacts with the environment and changes its transmitter parameters accordingly
[Figure labels: Primary Transmitter, Primary Receiver, Secondary Transmitter/Receiver (Cognitive Radio)]

4 White Space Networks
Allowed by FCC in Nov 2008 (and Sep 2010)
– TV White Spaces: unused TV channels 2-51 (54 MHz-698 MHz)
– Much spectrum freed up in transition to Digital Television (DTV) in 2009
– Excellent penetration and range properties
Applications
– Super Wi-Fi
– Campus-wide Internet
– Rural broadband (e.g. Claudville, VA)
– Advanced Meter Infrastructure (AMI) [FatemiehCG – ISRCS ‘10]

5 How to Identify Unused Spectrum?
Spectrum Sensing
– Energy Detection
– Requires sensing-capable devices -> cognitive radios
– Signal is variable due to terrain, shadowing and fading
– Sensing is challenging at low thresholds
Central aggregation of spectrum measurement data
– Base station (e.g. IEEE 802.22)
– Spectrum availability database (required by the FCC)
[Figure labels: No-talk Region for Primary Transmitter, Collaborative Sensing]

6 Malicious Misreporting Attacks
Malicious misreporting attacks
– Exploitation: falsely declare a frequency occupied
– Vandalism: falsely declare a frequency free
Why challenging to detect?
– Spatial variations of primary signal due to signal attenuation
– Natural differences due to shadow-fading, etc.
– Temporal variations of primary
– Compromised nodes may collude and employ smart strategies to hide under legitimate variations
How to defend against such coordinated/omniscient attackers?
[Figure labels: Compromised Secondary – Vandalism, Compromised Secondary – Exploitation]

7 Limitations of Previous Work
Initially assume all sensors are equal
Rely only on comparing measurements
Shadow-fading correlation filters for abnormality detection [MinSH – ICNP ‘09]
Model-based (statistical) outlier detection [FatemiehCG – DySPAN ‘10]
Data-based (classification) attacker detection [FatemiehFCG – NDSS ‘11]
Resulting drawback: attacker penetration has to be significantly limited for solutions to work
What if we can have a subset of “super-nodes”?

8 A Subset of Trusted Nodes
Remote attestation: A technique to provide certified information about software, firmware, or configuration to a remote party
– Detect compromise
– Establish trust
Root of trust for remote attestation
– Trusted hardware: TPM on PCs or MTM on mobile devices
– Software on chip [LeMayG – ESORICS ‘09]
Why a subset?
– Low penetration among volunteer nodes
– Cost: manufacturing, energy, time, bandwidth (see paper for numbers)
[Figure labels: Attestation-Capable System, Remote Server, Nonce, Signed[Nonce || System State]]
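Added example (not from the slides or the paper): the nonce challenge and Signed[Nonce || System State] reply from slide 8, seen from the remote server's side. HMAC-SHA256 with a shared key stands in for the TPM/MTM signature, and the key, state digests and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; a real device would sign with a TPM/MTM-held key.
DEVICE_KEY = b"constructed-demo-key"
GOOD_STATE = hashlib.sha256(b"sensing-firmware v1 (constructed)").digest()


def sign(key: bytes, nonce: bytes, state: bytes) -> bytes:
    """Stand-in for Signed[Nonce || System State]; HMAC replaces the TPM signature."""
    return hmac.new(key, nonce + state, hashlib.sha256).digest()


class RemoteServer:
    def __init__(self, key: bytes, known_good: set):
        self.key = key
        self.known_good = known_good  # state digests the server accepts
        self.pending = set()          # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce || state unambiguous
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, state: bytes, sig: bytes) -> str:
        # A nonce is single-use: consume it before any other check.
        if nonce not in self.pending:
            return "reject: unknown or replayed nonce"
        self.pending.discard(nonce)
        if not hmac.compare_digest(sig, sign(self.key, nonce, state)):
            return "reject: bad signature"
        if state not in self.known_good:
            return "reject: unexpected system state"
        return "attested"


def demo() -> list:
    server = RemoteServer(DEVICE_KEY, {GOOD_STATE})
    bad = hashlib.sha256(b"modified firmware (constructed)").digest()
    n1 = server.challenge()
    quote = sign(DEVICE_KEY, n1, GOOD_STATE)
    out = [server.verify(n1, GOOD_STATE, quote)]   # fresh nonce, expected state
    out.append(server.verify(n1, GOOD_STATE, quote))  # same reply sent again
    n2 = server.challenge()
    out.append(server.verify(n2, bad, sign(DEVICE_KEY, n2, bad)))  # signed, wrong state
    n3 = server.challenge()
    # State claimed as good, but the signature covers something else.
    out.append(server.verify(n3, GOOD_STATE, sign(DEVICE_KEY, n3, bad)))
    return out
```

Only the first reply is accepted; the server treats a node as attested per challenge, so a node that stops answering correctly falls back to being a regular node.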

9 Key Observations
Goal: obtain an estimate of signal power in any cell to compare to threshold
Cell A: Safety or precision?
Cells B and C: How many regular nodes to include? Which ones?
Steps
1. A systematic strategy to determine when there is enough data
2. If we need additional data, which ones to add to aggregation pool?
3. Ensure pool not attacker-dominated
[Figure labels: cells A, B, C; Attested Node, Regular Node]

10 Intra-cell Node Selection
Sequential intra-cell node selection
– Include all attested nodes
– Include regular nodes until a precision goal is met
Precision goal: Ensure margin of error for aggregate smaller than requirements (e.g. 3dB) with high confidence (e.g. 95%) (unknown distribution)
– Mean: Asymptotically efficient Chow-Robbins sequential procedure:
– Median: Find a and b (order statistics):

11 Classification-based inter-cell detection
Last step: Classification-based inter-cell attacker detection
– If detected: only use attested data in E
Median as aggregate:
– (+) Less vulnerable to legitimate variations or minority attackers
– (-) Achieving the required precision requires more data
– (-) Majority attackers can move median while being less ‘abnormal’
Aggregate: median when attested majority, and mean otherwise
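Added example (not from the slides or the paper): a sketch of the intra-cell selection on slide 10 combined with the aggregate rule on slide 11. The stopping test is the standard Chow-Robbins rule, assumed here because the slide's formula is not in the transcript; it is reused as the stopping test when the median is chosen (a simplification of the order-statistics test), "attested majority" is read as a majority of the pool, and the inter-cell classifier is omitted. All readings and function names are constructed.

```python
import statistics

Z_95 = 1.96  # normal quantile for 95% confidence


def precise_enough(readings, d_db, z=Z_95):
    """Chow-Robbins test: stop once n >= (z/d)^2 * (variance_n + 1/n)."""
    n = len(readings)
    if n < 2:
        return False
    v_n = statistics.pvariance(readings) + 1.0 / n
    return n >= (z / d_db) ** 2 * v_n


def aggregate_cell(attested, regular, d_db=3.0):
    """Return (estimate_dBm, regular_nodes_used, aggregate_kind, goal_met)."""
    pool = list(attested)      # all attested nodes are always included
    used = 0
    for reading in regular:    # regular nodes are added one at a time
        if precise_enough(pool, d_db):
            break
        pool.append(reading)
        used += 1
    met = precise_enough(pool, d_db)
    # Median when attested nodes are the majority of the pool, mean otherwise.
    if len(attested) > used:
        return statistics.median(pool), used, "median", met
    return statistics.fmean(pool), used, "mean", met


# Constructed readings in dBm. Cell A has enough attested nodes on its own,
# so its two regular reports are never pulled into the pool.
CELL_A_ATTESTED = [-92.1, -93.0, -91.5, -92.7, -92.4]
CELL_A_REGULAR = [-80.0, -79.5]
# Cell C has one attested node and must draw on regular nodes.
CELL_C_ATTESTED = [-90.0]
CELL_C_REGULAR = [-96.0, -85.0, -93.0, -88.0, -91.0, -90.0, -89.0]

if __name__ == "__main__":
    print("A:", aggregate_cell(CELL_A_ATTESTED, CELL_A_REGULAR))
    print("C:", aggregate_cell(CELL_C_ATTESTED, CELL_C_REGULAR))
```

The last element of the result reports whether the 3 dB goal was reached; a cell that runs out of regular nodes first returns an estimate with that flag set to False.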

12 Evaluation
Hilly Southwest Pennsylvania
TV transmitter data from FCC
Terrain data from NASA
Ground truth: predicted signal propagation using empirical Longley-Rice model
Takes into account:
– Transmitter power, location, height, frequency
– Terrain and distance
Added aggressive log-normal shadow-fading variations
Used data to build classifier and evaluate protection against attacks

13 Results
[Plots: False Outcome Rate; Attack Deterrence Rate (Attested fraction ≈ .25)]

14 Conclusions and Future Work
Showed how to use a small subset of attestation-capable nodes to improve trustworthiness of distributed sensing results.
Proposed methods:
– Provide quantifiably precise results.
– Provide effective protection against attacks with small fraction of attested nodes.
– Can lower attestation costs for real deployment.
Future direction: Developing a framework for formulating costs associated with including regular and attested nodes, and systematically striking a balance between the costs (from spectrum data aggregation and remote attestation) and obtaining precise aggregation results.

