Skip to main content

Sluice: Secure Software Upgrades in Sensor Networks

Researchers: Priya Narasimhan, Michael Chuang

Research Area: Next Generation Secure and Available Networks | Mobility


Existing network reprogramming (or code-update) protocols target the efficient, reliable, multi-hop dissemination of new program images in sensor networks, but assume correct or fail-stop behavior from participating sensors. Compromised nodes can subvert such protocols to result in the propagation and remote installation of malicious code. Sluice aims for the progressive, resource-sensitive verification of updates in sensor networks to ensure that malicious/unauthenticated updates are not disseminated or installed, while trusted updates continue to be efficiently disseminated. Our verification mechanism aims to provide authenticity and integrity through a hash-chain construction that amortizes the cost of a single digital signature over an entire program image, rather than using multiple digital signatures per image or sacrificing existing efficiency mechanisms. We propose to integrate Sluice with an existing network programming protocol and to empirically evaluate its effectiveness both in a real sensor test bed and through simulation.

There is an increasing need to be able to debug/upgrade the software for wireless sensor networks. A number of protocols have been developed to facilitate over-the-air software updates. For the most part, these protocols tends to assume well-behaved or correct sensors, and are primarily tolerant to fail-stop-nodes and packet losses. A malicious sensor node can cause serious disruptions to the code update process. Efficient network reprogramming mechanisms such as pipelining (i.e. a piece-wise dissemination where sensors need not wait to receive the entire program image but can start to forward image fragments to other sensors) are clearly susceptible to abuse since both correct and malicious nodes can exploit them. While a correct node can quickly propagate its updates through the system so can the malicious node. An adversary who is able to inject packets into the network can hijack the update mechanism for the widespread, rapid installation of corrupt code, but also drain energy and bandwidth - highly valuable in resource-constrained sensor networks.

The primary focus of Sluice is to address the following research question: How do we enable the progressive, resource-sensitive verification of code updates in sensor networks so that malicious/corrupt updates are not propagated or installed, while correct updates can continue to exploit the efficiency mechanisms?