A Policy Enforcing Mechanism for Trusted Ad Hoc Networks

Gang Xu, C Borcea, L Iftode
2011 IEEE Transactions on Dependable and Secure Computing  
To ensure fair and secure communication in Mobile Ad hoc Networks (MANETs), the applications running in these networks must be regulated by proper communication policies. However, enforcing policies in MANETs is challenging because they lack the infrastructure and trusted entities encountered in traditional distributed systems. This paper presents the design and implementation of a policy enforcing mechanism based on Satem, a kernel-level trusted execution monitor built on top of the Trusted Platform Module. Under this mechanism, each application or protocol has an associated policy. Two instances of an application running on different nodes may engage in communication only if these nodes enforce the same set of policies for both the application and the underlying protocols used by the application. In this way, nodes can form trusted application-centric networks. Before allowing a node to join such a network, Satem verifies that the node can be trusted to enforce the required set of policies. Furthermore, Satem protects the policies and the software enforcing these policies from being tampered with. If any of them is compromised, Satem disconnects the node from the network. We demonstrate the correctness of our solution through security analysis, and its low overhead through performance evaluation of two MANET applications.

Index Terms: Trusted computing, ad hoc networks, mobile computing

I. INTRODUCTION

With the maturity of short-range wireless technologies and the proliferation of mobile computing devices, building real-life applications over mobile ad hoc networks (MANETs) becomes feasible. For instance, two potential applications are traffic monitoring in vehicular networks and peer-to-peer file sharing in ad hoc networks of smart phones. A key to the success of such applications is a mechanism assuring secure communication and proper collaboration among all participant entities. To achieve this goal, communication policies that govern the interactions between entities must be defined and enforced. For instance, in a traffic monitoring application, the policy can guarantee that a car always forwards accident alerts to cars coming behind it. Similarly, in a peer-to-peer application, the policy can guarantee that a smart phone can post a query only if it has made several contributions such as publishing files or forwarding other queries.
Mechanisms to define and evaluate security policies have been well studied in traditional distributed systems [1], [2]. While these methods provide sufficient expressive power to represent policies for MANET applications, the challenge is how to enforce such policies in MANETs. Most of the existing policy enforcement solutions have focused on Internet-based systems [3], [4], [5], [6]. Unfortunately, these solutions are not fit for MANETs for two reasons. First, they enforce policies on trusted "choke points" (e.g., a firewall or proxy), which do not exist in MANETs due to the lack of infrastructure. Furthermore, determining where to place a choke point in a MANET is almost impossible because the paths between nodes change frequently due to mobility [7]. Second, existing methods aim to protect servers from unauthorized client accesses. In MANETs, this distinction does not exist: every node can be a server and a client at the same time, and no entity can be trusted more than another. A potential solution for such a peer-to-peer environment is Law-Governed Interaction (LGI) [8], [9]. LGI governs the communication between all nodes in the network by enforcing a unified group policy on a set of middleware controllers. However, LGI requires the controllers to be trusted, but does not provide means of establishing that trust. Consequently, in practice, it is applicable only in controlled environments where the enforcers can be deployed or elected, such as corporate intranets [10], [6] and Internet P2P [11]. McCune et al. [12] advanced another step by developing a shared trusted reference monitor (Shamon) across a coalition of nodes using remote attestation. Shamon enforces communication policies at the virtual machine level and requires that each node run multiple virtual machines (one for each application), which may not be practical for mobile devices. Additionally, Shamon does not provide enough flexibility to compose applications and policies.
If an application depends on others, then all of them together with their policies must be isolated in one virtual machine. Rather than enforcing policies in the network, another approach is to allow only nodes owned by trusted principals to participate in the network [13]. This method does not address the case of anonymous nodes spontaneously establishing MANETs. Furthermore, such methods provide an insufficient level of security because a known-to-be-trusted node is more likely to be compromised and taken over by an attacker in MANETs than in infrastructure-based networks, due to the lack of physical protection.

This paper presents the design and implementation of a policy enforcing mechanism based on a kernel-level trusted execution monitor. Under this mechanism, each MANET application or protocol has its own policy (in the rest of the paper, we will use the terms application and protocol interchangeably to denote a piece of software regulated by its own policy). All nodes supporting a certain application and enforcing its policy form a trusted application-centric network. Since an application may depend on other applications, our policy enforcing mechanism creates a trusted multi-tier network. The member nodes in such a network must enforce the policies associated with these applications as well. For instance, a peer-to-peer file sharing application may depend on an on-demand routing protocol. In this case, the mechanism creates a two-tier trusted file sharing network. It first establishes a trusted routing tier, and hence a trusted network for routing, comprising all the nodes that enforce the routing policy. On top of this tier, it then creates a file sharing tier, enforcing the file sharing policy. In our policy enforcing mechanism, nodes can be members of multiple multi-tier networks simultaneously. For example, let us consider that a vehicular traffic monitoring application uses the same routing algorithm as the file sharing application.
Nodes in the aforementioned file sharing network can also establish a traffic monitoring network by creating, on top of the routing tier, a separate trusted tier enforcing the traffic monitoring policy. Two nodes may communicate through an application if and only if they enforce the same application tier policy and all the underlying tier policies. Our policy enforcing mechanism allows each node to uniformly enforce the policies without assuming any prior trust with other nodes. This is similar to the method of building trusted ad hoc networks we developed previously [14]. To ensure trusted policy enforcement, we augment each node with a trusted agent, which protects the policy enforcement components from being compromised. When a node joins a trusted tier, its trusted agent helps establish trust by proving the execution of a correct trusted agent, a trustworthy policy enforcing software component (referred to as the policy enforcer hereafter), and the right policy. Furthermore, it ensures that the integrity of the agent, the enforcer, and the policy will not be compromised. This is possible because the trusted agent is part of the operating system kernel and guarantees the integrity of the kernel and all programs involved in policy enforcement. Therefore, it can foil attacks, including those launched by local users, that tamper with the enforcer or the policy being enforced. If any of these components is compromised, the trusted agent disconnects the node from the trusted network. The trusted agent is built on top of Satem [15], our trusted execution monitor based on low-end trusted hardware, the Trusted Platform Module (TPM) specified by the Trusted Computing Group (TCG) [16]. Due to its low cost and broad support by computer makers, the TCG TPM has already been integrated in many laptops. In the near future, it will also be installed on smaller mobile devices such as PDAs and mobile phones [17], which makes our TPM-based approach feasible for MANETs.
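To make the tier rule concrete, here is an added Python model of the membership check (example code, not the paper's Satem implementation): a policy is identified by a digest standing in for the attested measurement, the dependency graph and sample policies are constructed, and a tier whose enforcer or policy failed its integrity check yields no attestation, so every tier built on it fails as well.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed dependency graph: each application lists the tiers it relies on.
# Both upper-tier applications share the routing tier, as in the paper's example.
DEPENDENCIES = {
    "routing": [],
    "file_sharing": ["routing"],
    "traffic_monitoring": ["routing"],
}

def policy_digest(policy_text):
    """Stand-in for the attested measurement of a policy: two nodes match iff digests match."""
    return hashlib.sha256(policy_text.encode()).hexdigest()

def required_tiers(app):
    """Tiers whose policies must match for `app`, bottom-up, ending with `app` itself."""
    order = []
    def visit(tier):
        for dep in DEPENDENCIES[tier]:
            visit(dep)
        if tier not in order:
            order.append(tier)
    visit(app)
    return order

@dataclass
class Node:
    name: str
    enforced: dict = field(default_factory=dict)   # tier -> digest the trusted agent attests to
    compromised: set = field(default_factory=set)  # tiers whose enforcer/policy integrity failed

    def attested_policy(self, tier):
        """None means the node offers no valid attestation for this tier."""
        return None if tier in self.compromised else self.enforced.get(tier)

def may_communicate(a, b, app):
    """Two nodes may talk through `app` only if every required tier's policy matches."""
    for tier in required_tiers(app):
        pa, pb = a.attested_policy(tier), b.attested_policy(tier)
        if pa is None or pb is None or pa != pb:
            return False
    return True

if __name__ == "__main__":
    r, fs = policy_digest("forward alerts to cars behind"), policy_digest("query only after contributing")
    car1 = Node("car1", {"routing": r, "file_sharing": fs})
    car2 = Node("car2", {"routing": r, "file_sharing": fs})
    print(may_communicate(car1, car2, "file_sharing"))  # True
    car2.compromised.add("routing")  # routing tier tampered with: upper tiers are cut off too
    print(may_communicate(car1, car2, "file_sharing"))  # False
```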
This mechanism provides a number of benefits, which make it suitable for MANETs. First, policy enforcement in the multi-tier networks is entirely distributed without relying on any central trusted choke points. Second, the trusted networks are self-organized. They can be established and managed spontaneously without requiring pre-deployed trusted entities or centralized management. Third, the multi-tier trust enables flexible enforcement of complex policies, which can be defined across various interdependent protocols and enforced independently, tier by tier. Furthermore, nodes running multiple applications can join multiple trusted networks, each enforcing policies for different applications without interfering with each other. We implemented a prototype of the policy enforcing mechanism in Linux and tested it over an IEEE 802.11-based wireless ad hoc network that is composed of TPM-enabled laptops. We also ran NS-2 [18] simulations to evaluate the performance in large scale
doi:10.1109/tdsc.2010.11