1 Introduction
2 Background
2.1 UPPAAL
-
a set of nodes (named locations);
-
one initial location;
-
a set of invariant conditions, labeling locations;
-
a set of edges between locations;
-
a set of actions, labeling edges;
-
a set of clocks;
-
a set of constraints, labeling edges (guards).
state
must be executed (for example an edge that changes the variable involved in the invariant or an edge that changes the current location); if such an edge is not executable the timed automaton ends up in a deadlock meaning that the system is not well defined.(?)
for input synchronizations, and exclamation marks (!)
for output synchronizations, respectively. A timed automaton executing an output action, synchronizes with one or more timed automata executing input actions, and vice versa. Synchronizations can be blocking or not blocking, depending on the type of channel connecting the automata. For example, broadcast channels are not blocking and the output action can synchronize with many input ones.on
and off
, a local clock variable clk
, used to specify the invariant of the on
location and the guard clk<= 12
in the upper edge. Finally the two automata synchronize on two different channels channel1
and channel2
( for example channel1
is the output channel for the automaton 1 and the input channel for the automaton 2) . The initial locations of the two automata are complementary, i.e. automaton 1 is initially in the on
location and automaton 2 is initially in the off
, and they simultaneously switch from one location to the other every 12 time units, resetting the local clock clk
every time the automaton moves from off
to on
.2.2 Attack simulation framework
2.2.1 Attack Description Language
-
destroy(nodeID, t)
, removes nodenodeID
from the network at timet
. -
disable(nodeID, moduleID, t)
, disables the modulemoduleID
of the nodenodeID
at timet
. -
deceive(nodeID, sensorID, t, val)
, imposes valueval
to all the readings of sensorsensorID
of nodenodeID
, starting from timet
. -
move(nodeID, t, pos)
, moves the nodenodeID
to positionpos
at timet
.
-
retrive(dst, pkt, pktFld)
, copies the content of fieldpktFld
of packetpkt
into the variabledst
. -
change(pktFld, pkt, src)
, copies the content of variablesrc
into fieldpktFld
of packetpkt
. -
drop(pkt)
, discards the packetpkt
. -
create(pkt, type, fld, val, ...)
, creates a new packetpkt
of typetype
, and fills the fieldfld
with valueval
. The type is in the formatlayer.protocol
, e.g.LINK.TMAC
, that specifies a link-layer TMAC packet. The user can specify the content of multiple fields of the packet. -
clone(dstPkt, srcPkt)
, creates the packetdstPkt
as exact copy of the packetsrcPkt
. -
put(pkt, dstNode, TX|RX)
, puts packetpkt
either in the transmission (TX) or reception (RX) buffer of nodesdstNodes
.
P
, starting from time T
.
T
, each target node in the list applies the filter
condition on all the packets flowing through its communication stack. If the packet satisfies the filter
condition, the list of events takes place.
packet.layer.field
is used to access the field field
, on layer layer
, of packet packet
. As a consequence, the user has to be aware of both i) the network protocols running on each communication layer; and ii) the structures of such protocols’ packets.
2.2.2 Attack Simulator
3 Proposed approach and related framework
3.1 UPPAAL/ASF integration workflow
system
tag, using annotations, i.e. comments having the format: //@<Annotation>
. UPPAAL does not take into account such annotations at all, since they are written as comments in system description source code. As an example, the following code shows the annotation of the position of Node 1.
3.2 Implementation of the integration framework
3.2.1 UPPAAL model annotations
-
the position is the only parameter that cannot be automatically inferred from the UPPAAL abstract model;
-
the UPPAAL model involves the application-layer only, bottom layers are omitted;
-
Castalia provides a set of ready-to-use modules for implementing the whole communication stack;
-
modules’ physical parameters of bottom layers can be tuned after integration.
system
of the enriched XML file related to the system topology depicted in Fig. 8. Nodes are positioned accordingly to Castalia’s coordinate reference system.
3.2.2 Parser and Interpreter
omnetpp.ini
, which is extracted from the XML tag system
. Such a file defines the number of nodes, the positioning of them, and the applications running on each layer of their communication stacks. Moreover, it contains all the network’s physical parameters, like the latency of the channel, the transmission power of nodes’ antennas, the nodes’ internal clock, and many others. By tuning such parameters, it is possible to generate several different configurations of the same network, without re-building the Simulator.declaration
. Such data and types are stored in the file UppaalGlobal.h
, which will be imported by all the classes using global data or types.declaration
. In detail, the Interpreter stores the NED description of the packet structure in the file UppaalPacket.msg
. Such a file will be used during the build of the simulator, for producing the files UppaalPacket_m.h
and UppaalPacket_m.cc
, which contains the C++ model of the packet itself. The header UppaalPacket_m.h
will be imported by all the classes sending and receiving application-layer packets.template
. Each node of the network runs a certain application, namely template, in its application-layer simple module. From a general point of view, an application is made by:-
one NED description of the simple module executing the application;
-
a set of C/C++ files implementing the application itself.
template
:-
each
location
accounts for one FSM’ state; -
each
transition
accounts for one FSM’s transition.
checkGuard
, doSynchronization
, and doAssignments
implement the UPPAAL transition’s guard, synchronization and assignments, respectively.message[0]!
, results in the broadcast of a UppaalApplication packet, as shown in the following code: After the packet is broadcasted, it is received by all nodes positioned inside the sender’s transmission range.
message[0]?
, it results in the scanning of the reception buffer, looking for the first UppaalPacket received from Node 0. If the target UppaalPacket is found, then the transition is executed. Otherwise, the FSM does not evolve in the current clock frame.4 Case study
4.1 Application model in UPPAAL
id
. In general, leaving out initialization and final states, network nodes have only one main state from which a set of outgoing transitions starts. Such transitions account for the reception/transmission of packets from/to other network nodes.chnl
indexed by the type node_t
, which defines the size of the array itself. Similarly, we model the messages exchanged between network nodes through the global array bmessages
indexed by node_t
. Moreover, we assume that the timestamp uniquely identifies every message. Therefore, we use the global declarations that follow, where the variable NODES
represents the number of network nodes: In the following, we refer to a WSN made up of five nodes i) one source node; and ii) four relay nodes. The detailed model of such nodes is described in Sect. 4.1.1.
NODES
edges for receiving a message from every other node. In the specific topology considered in this case study there are:-
five edges execute the input actions
chnl[0]?
\(\cdots \)chnl[4]?
; -
one edge executes the output action
chnl[id]!
.
chnl[i]?
is the action executed by a node for receiving a message from the node i
. Similarly, the output action chnl[i]!bmessages[i]
represents the action executed by node i
to broadcast the message bmessages[i]
.chnl[id]!
is enabled only if the global variable bmessages[id]
contains at least one message to send, i.e. if n> 0
. It is relevant to point out that n
represents the number of messages to be forwarded, whereas buffer[0]
represents the messages stored in the head of the local buffer of the node id
, which is the FIFO buffer that contains all the messages to be forwarded. When a message is sent, it is stored into the global array bmessages
, i.e. bmessages[id] = buffer[0]
, then the function update()
is executed for updating node’s local data structures, as described in Sect. 4.1.1.chnl[i]?
is always enabled. However, messages broadcasted by node i
are received by node id
only if nodes i
and id
are neighbors. The function receive(id, i)
implements the receiving of messages from neighbors, as described in Sect. 4.1.1.4.1.1 Flooding protocol
MSGS
represents the number of messages sent by the base station; TS
stores the most recent timestamp of received messages; buffer
is a FIFO buffer that stores messages waiting to be forwarded; and, finally, the buffer logger
stores the already broadcasted messages. The latter buffer will be used to check the Property P.
receive
and update
of the timed automaton depicted in Fig. 7 can be specialized as follows.
n
and m
represent the current number of elements stored in buffer
and logger
, respectively. In detail, the test bmessages[j]> TS
in the function receive
evaluates false
when the node id
receives either an old or an already received message. In such cases, the received message is not stored into buffer
and is dropped. Moreover, after broadcasting a message, the function update()
executes a backward one-position shift of buffer
.receive(id, i)
of relay nodes is tailored on such network parameters, and returns true
if the nodes id
and i
are one-hop neighbors, false
otherwise. As an example, receive(4, 2)
returns true
, since Node 2 is a one-hop neighbor of Node 4. Conversely, receive(4, 3)
returns false
, since Node 3 is two-hops far away from Node 4.
clk
units. Messages sent by Source node are incrementally timestamped, from 1
to MSGS
, which is the last message sent. After sending MSGS
messages, the Source node stops transmitting.
source
and relay(id)
represent the templates for the Source node and the Relay nodes, respectively. The Property P of the flooding protocol, which was previously described, can be checked via UPPAAL by exploiting the formulas that follow.
logger
of all relay nodes. For each node, the buffer logger
stores all the messages forwarded by it. Referring to the formulas above, logger[i]
represents the (i+1)
-th message that was forwarded by a certain node.i
such as i
\(\in \) [0, MSGS)
, logger[i]
stores the timestamp i+1
. In this case, all nodes forwarded only once all the messages they received.4.1.2 Modeling attacks
-
when the adversary compromises Node 1, the Property P described in 4.1.1 is still satisfied, since Node 3 receives a copy of the dropped packet from Node 2, thanks to link redundancy;
-
when the adversary compromises Node 2, the Property P is not satisfied anymore because Node 4 does not receive a copy of the dropped packet since there is no redundancy on links connecting Node 4 with other network nodes.
-
When the adversary compromises Node 1, the Property P is not satisfied if Node 3 receives the fake packet from Node 1 before the genuine packets carrying timestamps older than the fake one from Node 2. Conversely, the Property P is satisfied if Node 3 receives from Node 2 all the genuine packets carrying timestamps older than the fake one before the fake packet from Node 1.
-
When the adversary compromises Node 2, the Property P is not satisfied anymore because Node 4, after receiving the fake packet, discards all the subsequent genuine packets received from Node 4 that carry timestamps older than the fake one.
messages
, using a newly introduced broadcast channel chnlv
. All the genuine nodes of the network synchronize on chnlv
but only the designated victim actually receives the message. Simulations done via UPPAAL show that the Property P is never affected by the packet injection attack.
4.1.3 Flooding protocol network simulation
FLOODING
carrying the value target
. The attack triggers when the packet filter intercepts a packet carrying a certain target value. The target value is chosen as a random integer value in [0, 10)
, to enforce the random occurrence time of the attack. The monotonic growing integer value contained in the application packet payload ensures that only one packet is dropped, i.e. the packet intercepted by the packet filter that carries the random target value.
fakeValue
, which is ahead in time with respect to the value target
.
target = 7
and fakeValue = 12
is:
pkt
of type Flooding
, which is intended to be processed by the application that runs on the application-layer of network nodes. The fake packet appears to be sent by Source Node, and carries zero as value
, which should not interfere with the system operations, accordingly to UPPAAL. Then, the packet, which is meant to be received by Node 2, is injected in the network by an external device. In detail, the packet does not flow through the entire communication stack of Node2, but it is directly stored in the RX
buffer of its application-layer module. However, for simulating the effects of the reception of such a packet, the Resource Manager module of Node 2 is triggered as if a genuine packet had been received by the Radio module, then decreasing the remaining battery charge, accordingly.
Energy consumption(mJ) | |
---|---|
No Attack | 40.79 |
Drop | 40.68 |
Tamper | 40.71 |
Injection 500 ms | 43.22 |
Injection 250 ms | 45.61 |
Injection 200 ms | 49.24 |
4.2 Abstract model refinement
dutyfreq
time units (see Figure 14 for the resulting model of the node with id
4). The template of the node is extended with a variable named ready
which represents the state of the node: ready == 1
implies that the node is on while ready == 0
implies that the node is off. The node can receive and send messages only if it is on (condition ready == 1
on all the guards of the transitions with a synchronization on chnl
) and the functions wakeup()
and goidle()
change the value of ready
accordingly. The invariant t<=dutyfreq
together with the guards on the wakeup()
and goidle()
transitions forces the periodic transition of the ready
variable.dutyfreq
is not a constant value: the functions wakeup()
and goidle()
can modify its value in order to obtain different balancing between radio on and radio off. For example if wakeup()
sets the value of dutyfreq
to be three times greater than the value set by the goidle()
than it is possible to achieve a 75% duty cycle.4.2.1 Attacks on refined model
receivedmessages
, which is a counter of the messages received, and a variable named links
which represents the number of reachable genuine nodes; these new variables can be used to write the following formula, where
4.2.2 Refined model network simulation
Energy consumption (mJ) | |||
---|---|---|---|
No DC | DC 75% | DC 50% | |
No attack | 40.79 | 32.49 | 24.31 |
Drop | 40.68 | 32.43 | 24.30 |
Tamper | 40.71 | 32.45 | 24.33 |
Injection 500 ms | 43.22 | 34.52 | 25.31 |
Injection 250 ms | 45.61 | 36.55 | 26.90 |
Injection 200 ms | 49.24 | 38.89 | 29.42 |