Integrity Monitoring for IoT Device Based on MQTT Protocol Extension (original title: 基于MQTT协议扩展的IoT设备完整性监控)

Cited by: 3
Abstract: With the rapid development of the Internet of Things (IoT), the number of IoT devices has grown exponentially, accompanied by increasing attention to IoT security. Generally, IoT devices adopt software attestation to verify the integrity of the software environment, so that system integrity tampering caused by the execution of malicious software can be detected in a timely manner. However, existing software attestation suffers from poor performance in the synchronous attestation of massive numbers of IoT devices and from the difficulty of extending general IoT communication protocols. To address these problems, this study proposes a lightweight asynchronous integrity monitoring scheme. The scheme extends the general Message Queuing Telemetry Transport (MQTT) protocol with software attestation security authentication messages and asynchronously pushes device integrity information. It improves not only the security of IoT systems but also the efficiency of integrity attestation and verification. The following three security functions are realized: device integrity measurement implemented as a kernel module; a lightweight MQTT-based authentication extension for device identity and integrity; and asynchronous integrity monitoring based on the MQTT protocol extension. The scheme can resist common software attestation attacks and MQTT protocol attacks, and it is characterized by lightweight asynchronous software attestation and a general MQTT security extension. Experimental results from the MQTT-based IoT authentication prototype system show high performance for integrity measurement of IoT nodes, MQTT connection authentication, and PUBLISH message authentication, which can meet the application requirements of integrity monitoring for massive numbers of IoT devices.
Authors: QI Bing, QIN Yu, LI Min-Hong, XIE Hong, SHANG Ke-Tong, FENG Wei, LI Wei (University of Chinese Academy of Sciences, Beijing 100049, China; Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; Shenzhen Power Supply Co. Ltd., Shenzhen 518028, China)
Source: Computer Systems & Applications (《计算机系统应用》), 2022, No. 11, pp. 68-78 (11 pages)
Funding: National Key R&D Program of China (2020YFE0200600); National Natural Science Foundation of China (61872343); Youth Innovation Promotion Association, Chinese Academy of Sciences
Keywords: IoT security; integrity measurement; Message Queuing Telemetry Transport (MQTT) protocol security extension; software attestation; trusted computing