Visible to the public SecuPAN: A Security Scheme to Mitigate Fragmentation-Based Network Attacks in 6LoWPAN

TitleSecuPAN: A Security Scheme to Mitigate Fragmentation-Based Network Attacks in 6LoWPAN
Publication TypeConference Paper
Year of Publication2018
AuthorsHossain, Mahmud, Karim, Yasser, Hasan, Ragib
Conference NameProceedings of the Eighth ACM Conference on Data and Application Security and Privacy
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5632-9
Keywords6LoWPAN, adversary, Attack, composability, Fragmentation, Internet of Things, pubcrawl, Resiliency, security service, Threat
Abstract6LoWPAN is a widely used protocol for communication over IPV6 Low-power Wireless Personal Area Networks. Unfortunately, the 6LoWPAN packet fragmentation mechanism possesses vulnerabilities that adversaries can exploit to perform network attacks. Lack of fragment authentication, payload integrity verification, and sender IP address validation lead to fabrication, duplication, and impersonation attacks. Moreover, adversaries can abuse the poor reassembly buffer management technique of the 6LoWPAN layer to perform buffer exhaustion and selective forwarding attacks. In this paper, we propose SecuPAN - a security scheme for mitigating fragmentation-based network attacks in 6LoWPAN networks and devices. We propose a Message Authentication Code based per-fragment integrity and authenticity verification scheme to defend against fabrication and duplication attacks. We also present a mechanism for computing datagram-tag and IPv6 address cryptographically to mitigate impersonation attacks. Additionally, our reputation-based buffer management scheme protects 6LoWPAN devices from buffer reservation attacks. We provide an extensive security analysis of SecuPAN to demonstrate that SecuPAN is secure against strong adversarial scenarios. We also implemented a prototype of SecuPAN on Contiki enabled IoT devices and provided a performance analysis of our proposed scheme.
Citation Keyhossain_secupan:_2018