IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 11, NO. 5, MAY 2012

DiCode: DoS-Resistant and Distributed Code Dissemination in Wireless Sensor Networks

Daojing He, Student Member, IEEE, Chun Chen, Member, IEEE, Sammy Chan, Member, IEEE, and Jiajun Bu, Member, IEEE

Abstract—Code dissemination in a wireless sensor network (WSN) is the process of propagating a new program image or relevant commands to sensor nodes. As a WSN is usually deployed in hostile environments, secure code dissemination is and will continue to be a major concern. Most code dissemination protocols are based on the centralized approach in which only the base station has the authority to initiate code dissemination. However, it is desirable and sometimes necessary to disseminate code images in a distributed manner which allows multiple authorized network users to simultaneously and directly update code images on different nodes without involving the base station. Motivated by this consideration, we develop a secure and distributed code dissemination protocol named DiCode. A salient feature of DiCode is its ability to resist denial-of-service attacks which have severe consequences on network availability. Further, the security properties of our protocol are demonstrated by theoretical analysis. To verify the efficiency of the proposed approach in practice, we also implement the proposed mechanism in a network of resource-constrained sensor nodes.

Index Terms—Sensor networks, code dissemination, security, denial-of-service, user privilege.

I. INTRODUCTION

Code dissemination is the process of propagating a new program image¹ or relevant commands to sensor nodes through wireless links after a wireless sensor network (WSN) is deployed. Due to the need of removing bugs and adding new functionalities, code dissemination is an important operation function of WSNs.
As a WSN is usually deployed in hostile environments such as the battlefield, an adversary may exploit the code dissemination mechanism to launch various attacks. For example, the adversary may inject bogus code images to take over the control of the whole WSN. Thus, secure code dissemination is and will continue to be a major concern. Several code dissemination protocols have been proposed to propagate new code images in WSNs (e.g., [1]–[4]). Among these protocols, Deluge [2] is included in the TinyOS distributions [5]. However, since the design of Deluge did not take security into consideration, there have been several extensions to Deluge to provide security protection for code dissemination [6]–[12]. Among them, Seluge [12] enjoys both strong security and high efficiency.

Manuscript received October 15, 2011; revised December 31, 2011; accepted February 5, 2012. The associate editor coordinating the review of this paper and approving it for publication was Z. Han. This work was supported by Scholarship Award for Excellent Doctoral Student granted by Ministry of Education, National Science Foundation of China (Grant No. 61070155), the Program for New Century Excellent Talents in University (NCET-09-0685), and a grant from the Research Grants Council of the Hong Kong SAR, China [Project No. City U 111208].

D. He, C. Chen, and J. Bu are with the National Engineering Research Center for Intelligent Train, College of Computer Science, Zhejiang University, P.R. China (e-mail: hedaojinghit@gmail.com).

S. Chan is with the Department of Electronic Engineering, City University of Hong Kong, Hong Kong SAR, P.R. China (e-mail: eeschan@cityu.edu.hk).

Digital Object Identifier 10.1109/TWC.2012.030812.111857

¹ Note that “program image” and “code image” will be used interchangeably throughout this paper.
However, all these code dissemination protocols ([2]–[4], [6]–[12]) are based on the centralized approach, which assumes the existence of a base station and that only the base station has the authority to reprogram sensor nodes. As shown in Fig. 1(a), when the base station wants to disseminate a new code image, it broadcasts the signed code image, and each sensor node only accepts code images signed by it. Unfortunately, some WSNs have no base station at all. Examples of such networks include a military WSN in a battlefield to monitor enemy activity (e.g., troop movements), a WSN deployed along an international border to monitor weapons smuggling or human trafficking, and a WSN situated in a remote area of a national park monitoring illegal activities (e.g., firearm discharge, illicit crop cultivation). Having a base station in these WSNs introduces a single point of failure and a very attractive attack target. Obviously, the centralized approach is not applicable to such WSNs. Also, the centralized approach is inefficient, weakly scalable (i.e., inefficient for supporting a large number of sensor nodes and users), and vulnerable to some potential attacks along the long communication path.

Alternatively, a distributed approach can be employed for code dissemination in WSNs. It allows multiple authorized network users to simultaneously and directly update code images on different nodes without involving the base station. Another advantage of distributed code dissemination is that different authorized users may be assigned different privileges of reprogramming sensor nodes. This is especially important in large-scale WSNs owned by an owner and used by different users from both public and private sectors [13], [14]. Distributed service protocols in WSNs (e.g., decentralized sensing [15]) are a research field that is receiving increasing attention.
Very recently, an identity-based signature scheme to achieve secure and distributed code dissemination was proposed [16]. In this paper, we further extend this scheme in three important aspects. Firstly, we consider denial-of-service (DoS) attacks on code dissemination, which have severe consequences on network availability, and we propose and implement two approaches to defeat DoS attacks. Secondly, the proposed code dissemination protocol is based on a secure and efficient proxy signature by warrant (PSW) technique,