CISP Massachusetts Institute of Technology
Computer Science and Artificial Intelligence Laboratory

ISENet: Infrastructure for Secure Embedded Networks

As computing devices become ubiquitous, two contradictory trends are appearing. On the one hand, embedded computing elements and sensors are becoming widely disseminated and unsupervised. Critical elements of our national infrastructure for power distribution, traffic management and catastrophe detection are becoming dependent on computing devices that are largely unsupervised and unprotected.

On the other hand, the cost and repercussions of security breaches are increasing as we place more responsibility on the devices that surround us. Worse, these devices, unlike Internet hosts, are exposed to more challenging kinds of attacks, such as physical and environmental attacks. In the event of such attacks, our society has no strong guarantee that the infrastructure will keep functioning, even at a reduced capacity.

Fortunately, these computing environments are still in their infancy and thus there is an opportunity to design embedded networks with security treated as a first-class citizen. It would be a shame if, years from now, NSF had to fund work to attempt the repair of security holes in pervasive computing platforms or sensor networks as NSF is doing for the Internet today. Worse, these security holes may wreak damage at a scale hitherto unforeseen by society.

We propose to build an infrastructure for securing embedded networks that we call ISENet (pronounced ice-net). ISENet secures devices deployed in untrustworthy or hostile environments so that they can withstand these more challenging attacks. To design, build and evaluate this infrastructure we will conduct research in six different areas: tamper-resistant hardware, OS security, network security, cryptography, privacy and policy, and application deployment. The results of ISENet will include fundamental contributions to each of the six areas as well as a prototype that leverages the advances in each area.

The ISENet prototype consists of a new hardware platform that reliably detects physical tampering, an operating system that makes it easy to secure untrusted applications, ad-hoc wireless networks that will deliver messages as long as there is a single physical path that is not controlled by the attacker, and redundant inexpensive sensors to handle environmental attacks. We will deploy the ISENet prototype in the application domains of automobile traffic networks and roof-top sensor networks. Because applications in these domains must operate continuously, the prototype will be designed to be highly reliable, upgradeable in the field, and easy to use.
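The network liveness property stated above (a message is delivered as long as one physical path avoids every attacker-controlled node) can be made concrete with a small model. The following is an added illustration, not ISENet project code: the topology, the set of compromised relays and the flooding behaviour are all constructed here. It checks the property two ways, first by searching for a path that avoids compromised nodes, then by simulating flooding in which compromised nodes silently drop traffic, and shows that delivery succeeds exactly when such a path exists.

```python
"""Liveness of message delivery in an ad-hoc network under node compromise.

Added example (not ISENet project code). Models the property that a message
reaches its destination whenever at least one path exists whose relays are
all honest. Topology and compromised sets below are constructed for
illustration; endpoints are assumed honest.
"""
from collections import deque

# Constructed topology: node -> set of radio neighbours (undirected links).
# Two relay chains (r3-r1 and r4-r2) connect the sensor to the sink.
TOPOLOGY = {
    "sink":   {"r1", "r2"},
    "r1":     {"sink", "r3"},
    "r2":     {"sink", "r4"},
    "r3":     {"r1", "sensor"},
    "r4":     {"r2", "sensor"},
    "sensor": {"r3", "r4"},
}


def honest_path(topology, src, dst, compromised):
    """Return one src..dst path that uses no compromised relay, or None.

    A compromised node may drop or alter traffic, so it is simply excluded
    from the breadth-first search. Neighbours are visited in sorted order so
    the returned path is deterministic.
    """
    if src in compromised or dst in compromised:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(topology.get(node, ())):
            if nxt in compromised or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


def delivered(topology, src, dst, compromised):
    """Simulate flooding: every honest node re-broadcasts a message the first
    time it hears it; a compromised node hears it but never forwards it.
    Returns True iff the (honest) destination hears the message.
    """
    if dst in compromised:
        return False
    heard = {src}
    frontier = [src]
    while frontier:
        next_frontier = []
        for node in frontier:
            if node in compromised:
                continue  # attacker-controlled relay drops the message
            for neighbour in topology.get(node, ()):
                if neighbour not in heard:
                    heard.add(neighbour)
                    next_frontier.append(neighbour)
        frontier = next_frontier
    return dst in heard


def liveness_report(topology, src, dst, compromised):
    """Return (path_or_None, delivered_flag) for a given compromised set."""
    return honest_path(topology, src, dst, compromised), delivered(
        topology, src, dst, compromised)


if __name__ == "__main__":
    for attacker in (set(), {"r1"}, {"r1", "r4"}):
        path, ok = liveness_report(TOPOLOGY, "sensor", "sink", attacker)
        print(f"compromised={sorted(attacker) or '-'}: "
              f"honest path={path}, delivered={ok}")
```

Running the block shows delivery surviving the loss of one relay chain (`r1` compromised, traffic takes `r4`, `r2`) and failing only when the attacker holds a node on every chain (`r1` and `r4`), which is the condition the proposal's liveness guarantee is stated against. In a real deployment the honest-path search is not available to the nodes themselves, since they do not know which relays are compromised; the flooding simulation is the behaviour that actually has to provide the guarantee.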

The advances in the six areas are important in their own right, but they will also support the prototype as follows. Tamper-resistant hardware will protect against physical attacks in addition to software attacks. ISENet's operating system will allow users to control and isolate applications using encapsulation without having to understand the applications' security properties. ISENet's network architecture will leverage the safety properties provided by the hardware and OS to guarantee liveness under a wide range of attacks. We will develop a theory of physical security and physical obfuscation to prove security properties for ISENet. Finally, privacy policies will be articulated and mechanisms developed based on the transparency of our deployed systems -- the systems will expose privacy concerns and technologies to users, allowing them to modify their behavior.