Diversify sensor nodes to improve resilience against node compromise

Abstract

A great challenge in securing sensor networks is that sensor nodes can be physically compromised. Once a node is compromised, attackers can retrieve secret information (e.g. keys) from the node. In most of the key pre-distribution schemes, the compromise of secret information on one node can have substantial impact on other nodes because secrets are shared by more than one node in those schemes. Although tamper-resistant hardware can help protect those secrets, it is still impractical for sensor networks.Having observed that most sensor network applications and key pre-distribution schemes can tolerate the compromise of a small number of sensors, we propose to use diversity to protect the secret keys in sensor networks. Our scheme consists of two steps. First, we obfuscate the data and the code for each sensor, such that, when attackers have compromised a sensor node, they need to spend a substantial amount of time to find the secrets from the obfuscated code (e.g., by reverse engineering or code analysis). This first line of defense raises the bar of difficulty for a successful attack on one single node. Second, for different nodes, we make sure that the data and code obfuscation methods are different. This way, even if the attacks have successfully derived the location of the secrets, they cannot use the same location for another node, because for different nodes, their secrets are stored in different ways and in different places. Such diversity makes it a daunting job to derive the secret information from a large number of compromised nodes. We have implemented our scheme for Mica2 motes, and we present the results in this paper.