From Wireless Sensor Networks to Wireless Body Area Networks: Formal Modeling and Verification on Security Using

Model checking has been applied successfully to the verification of security protocols, but the modeling process is always tedious and requires proficient knowledge of formal methods, even though the final verification can be automatic depending on the specific tools. At the same time, with the appearance of novel kinds of networks, such as wireless sensor networks (WSN) and wireless body area networks (WBAN), formal modeling and verification for these domain-specific systems are quite challenging. In this paper, a specific and novel formal modeling and verification method is proposed and implemented using an expandable tool called PAT to do WSN-specific security verification. First, an abstract modeling data structure for CSP#, which is built into PAT, is developed to support the node mobility related specification for modeling location-based node activity. Then, the traditional Dolev-Yao model is redefined to facilitate modeling of location-specific attack behaviors on security mechanisms. A thorough formal verification application on a location-based security protocol in WSN is described in detail to show the usability and effectiveness of the proposed methodology. Furthermore, a novel location-based authentication security protocol in WBAN can also be successfully modeled and verified directly using our method, which is, to the best of our knowledge, the first effort on employing model checking for automatic analysis of authentication protocols for WBAN.


Introduction
Formal modeling and analysis of security protocols have gained worldwide attention in recent years, particularly with the proliferation of formal methods based on model checking [1], since Lowe successfully found a bug in the NSPK protocol through modeling and verification using the CSP model checking tool FDR [2]. Recently, model checking has also achieved great success in security protocol analysis and verification for wireless sensor networks (WSN) using the Dolev-Yao attack assumption model and some specific tools [3]. For example, Ballarini modeled the S-MAC protocol using the probabilistic model checking tool PRISM [4], and Saxena found a flaw on TinySec protocol using AVISPA model checking tool LEAP [5].
As a new kind of wireless network security protocol, some novel wireless body area network (WBAN) authentication protocols have also appeared recently, especially in pervasive healthcare applications. The sensors on the human body are more limited than those of WSNs; therefore, authentication schemes based on symmetric key cryptography for WSNs, such as Tinysec [6], MiniSec [7], and uTESLA [8], are not suitable because of the limitations of computation, energy, and memory in WBAN nodes. Noncryptographic security schemes are then explored as workable for authentication purposes in WBAN. For example, Cherukuri et al. are among the first to discover biometric-based authentication in wireless networks of biosensors implanted in the human body [9].
The same question comes with the popularization of WBAN, that is, how to guarantee the security property of the claimed authentication protocol. Formal methods such as the model checking mentioned above are the first candidates for implementing automatic verification of noncryptographic authentication protocols. However, many different model checking tools exist with different modeling languages, and the protocol modeling process for security verification is always rigorous and tedious, requiring extensive professional knowledge and experience even if the final verification process can be automated using the corresponding tools. Therefore, developing a specific modeling language, as well as a specific verification tool, for different application domains has become a useful research topic and a trend in model checking technology. To the best of our knowledge, there is no research effort on formal specification and an automatic verification tool specialized for security modeling and verification for both WSN and WBAN. This paper explores the latest model checking framework tool PAT [10], which supports building its own specific model checker, to develop a formal modeling and verification method for location-based security protocols in WSN and WBAN. The rest of the sections are organized as follows. Section 2 first introduces PAT and its modeling language CSP#. In the next section, a new data structure especially for modeling node mobility is proposed, as well as the location-supporting specification language, which is developed by extending CSP#. A detailed application showing how to model and find a bug in one location-based authentication protocol for WSNs, using the proposed method, is illustrated in Section 4, and a novel and successful application example on WBAN is finally discussed in Section 5.

Model Checking Using PAT
2.1. Basic Architecture of PAT. PAT (Process Analysis Toolkit) is a self-contained framework to support composing, simulating, and reasoning about concurrent, real-time systems and other possible domains. The architecture design of PAT is shown in Figure 1 [11], which has four layers separating the model checking process into three steps: compilation, abstraction, and verification. The four layers are introduced in the following:
(1) Modeling Layer: this layer identifies the domain-specific language syntax and well-formedness rules as well as formal operational semantics. For example, the CSP# language can be used to model systems in this layer.
(2) Abstraction Layer: abstraction techniques can be applied to systems in this layer. For instance, partial order reduction, which reduces all possible interleaved execution orders of parallel processes to a particular execution order, is an effective abstraction technique.
(3) Intermediate Representation Layer: this layer converts the input model to some form of internal representation, which is the basis of the model checking algorithms.
(4) Analysis Layer: this layer contains reusable model checking algorithms. For each intermediate representation in IRL, a set of algorithms is developed. For example, deadlock checking, reachability checking, LTL verification, and refinement checking have been developed for LTS. If the verification result is false, a counterexample can be produced, which is visualized via the simulator.
Because of PAT's high scalability, we can abstract a modeling language that PAT recognizes directly. The language we abstract can be converted to the model language automatically. Therefore, in this paper, a modeling language specific to location-based wireless sensor network security protocols can be proposed. As we can see, the processes described by CSP# are simple and easy to understand. The protocol employs public key system, where pk and pk are the public key of  and  and Na and Nb are the nonce produced by  and .

Extending CSP# to Model Location Behavior
3.1. Node Mobility Specification. Considering the mobility of nodes, we should add the location information to the model of WSN. Therefore, a method to abstract node mobility is proposed which is based on CSP# extension. To represent the location information, a two-dimensional coordinate is the natural choice (see Algorithm 3).
Class location contains a two-dimensional coordinate of node; CalculateDistance() function is used to compute the Euclidean distance. We assume the location information of nodes ,  is (  ,   ) and (  ,   ). The node transmission distance is represented by Trans  . If inequality is satisfied, the distance between  and  is just within an acceptable range.
In order to represent all the possible mobility, the following statement is required: The values of both  and  are between 0 and Trans  , and the total range is within a square whose length and width are Trans  . [ ] denotes value arbitrary choice, and ||| denotes processes Init and Res running interleaved.

Data Structure-Based CSP# Extension.
Using the location class, the key of node can be presented as shown in Algorithm 4.
Class key contains key information based on ID and location, where "type" denotes key type with public or private (see Algorithm 5).
Class KnowledgeSet can store message knowledge in the process of protocol execution such as the random nonce and key information. MessageUnit denotes knowledge identification and object denotes what MessageUnit contains. For example, SortedList ⟨⟨Location, ⟩, loc⟩ denotes node 's location information.
Employing location, key, and knowledge, new data structure WSNNode can be further defined which is shown in Table 1.
WSNNode denotes an abstract WSN sensor, which contains information for the protocol such as node ID, Trans  , location, knowledge, and random nonce.

On Location-Based Security Protocol for Wireless Sensor Networks
The keys used for generating the message codes actually satisfy the following equality: Therefore, we can derive the following two results:  named  and , where  acts as protocol initiator and  acts as protocol responder. We use two processes to describe them: : Initiator(senderNode, loc), information of node  as input.
To model Zhang's scheme, the finite-state machine is required to describe the state transition of the protocol. The state transition of initiator is shown in Figure 3, where the initial state -Idle is supposed to skip to state -Init automatically, then broadcasts an authentication request to all nodes in range Trans  , and then reaches state -Wait awaiting a response message from . Upon receipt of such a response,  reaches state -Check to verify whether  is in its transmission range. If it holds,  sends a confirmation message msg3 to  and reaches state -Commit. After finishing aforementioned authentication process,  reaches state Idle again.
The same process as protocol responder is shown in Figure 4. Once receiving an authentication request,  skips to state -Check1 to verify whether  is in its transmission range. If it does not hold,  returns to initial state -Idle; otherwise,  responds by a message msg2 and reaches state -Wait awaiting the response message code. If time is out,  returns back to state -Idle. Upon the receipt of ,  reaches state -Check2 to verify the message code received from . If the code is confirmed, the authentication process is finished.
According to Figures 3 and 4, the main snippet codes of model are illustrated in Algorithm 6.
Processes  and  communicate to each other through channels , , and . The statement !Node x.everyone sends a message with the values of two expressions listed to channel.

Moving-Free Adversary Modeling.
Adversary model should be the most complex part because of the node moving-free scheme. Combining Dolev-Yao model [13] and node moving-free scheme, this protocol is easy to break by an intruder  in the following way:
(1)  intercepts the message sent between  and .
(2)  sends to  or  messages by pretending to be a legitimate sensor node.
Using the variables mentioned above, the protocol property can be described as follows:
(1) Security: it requires that messages cannot be intercepted and decoded. We define formulas to ensure this property. If 1 does not hold, it implies that an adversary intercepted the message from  to . If 2 does not hold, it implies that the adversary intercepted the message from  to .
(2) Internal authentication property: the underlying assumption here is that adversaries do not move out of the transmission range of legitimate sensor nodes. We define formula 3: [](nodeMoved -> <>(iniRunning -> resCommit)) to ensure this property.
(3) External authentication property: the adversaries, however, might move out of the transmission range of legitimate sensor nodes and they can communicate over a high bandwidth to legitimate sensor nodes. We define formula 4: [](MoveOutRadius -> <>(iniRunning -> resCommit)) to ensure this property. It can judge adversary's legality by verifying the security key based on location.

Verification Results and Analysis.
We have performed this verification in model checking tool PAT using two legitimate processes, adversary process and LTL formulae as input. The results of 1 and 2 are true, but results of 3 and 4 are false. The counterexample of 3 and 4 is generated in Figure 5.
The counterexample illustrated in Figure 5 shows that the process stops when  sends the first message with location (3,3). By comparing the initial location of  calls (0, 0), it is clear that node  cannot authenticate  because of the location change of . Therefore, there is a bug in this location-based compromise-tolerant security mechanism so that it does not support the authentication when the node moves off.
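The failure that the counterexample points to can be reproduced with a small exhaustive search over node positions. This is an added Python illustration, not the paper's CSP# model: the scheme's shared key is replaced by an idealized HMAC stand-in (an assumption), and the range R, the responder's position, and the nonces are constructed values; only the initiator's start at (0, 0) and its move to (3, 3) come from the text.

```python
import hashlib
import hmac
import math
from itertools import product

MASTER = b"constructed-master-secret"  # stand-in for the network master secret
R = 5                                   # constructed transmission range
A_DEPLOY, B_LOC = (0, 0), (1, 1)        # constructed deployment locations

def ident(node_id, loc):
    """Location-bound identity ID || l that a node's key pair is derived from."""
    return f"{node_id}|{loc[0]},{loc[1]}".encode()

def pair_key(own_bound, peer_claimed):
    """Idealized stand-in for the scheme's shared key (assumption, not the real
    key agreement): symmetric in the two identities, so both ends agree only
    when each uses the identity the other end's private key is bound to."""
    lo, hi = sorted([own_bound, peer_claimed])
    return hmac.new(MASTER, lo + b"#" + hi, hashlib.sha256).digest()

def code(key, n_a, n_b, tag):
    """Message code h_K(n_A || n_B || tag)."""
    return hmac.new(key, n_a + n_b + bytes([tag]), hashlib.sha256).digest()

def handshake(a_deploy, a_now, b_loc):
    """Three-message neighborhood authentication between A and B.
    A's private key is bound to a_deploy; A announces its current a_now."""
    n_a, n_b = b"nonce-A", b"nonce-B"   # fixed so the model is deterministic
    # msg1  A -> *: ID_A, l_A, n_A. B checks the claimed location is in range.
    if math.dist(a_now, b_loc) > R:
        return "B-discard"
    k_b = pair_key(ident("B", b_loc), ident("A", a_now))
    msg2 = code(k_b, n_a, n_b, 1)
    # msg2  B -> A. A's range check is symmetric, so only the code can fail.
    k_a = pair_key(ident("A", a_deploy), ident("B", b_loc))
    if not hmac.compare_digest(msg2, code(k_a, n_a, n_b, 1)):
        return "A-reject-msg2"
    # msg3  A -> B: h_K(n_A || n_B || 2), verified by B.
    if not hmac.compare_digest(code(k_a, n_a, n_b, 2), code(k_b, n_a, n_b, 2)):
        return "B-reject-msg3"
    return "commit"

def find_counterexamples(a_deploy=A_DEPLOY, b_loc=B_LOC):
    """Explore every grid position A may move to in the R x R square and
    collect the moves after which the handshake no longer commits."""
    bad = []
    for a_now in product(range(R + 1), repeat=2):
        outcome = handshake(a_deploy, a_now, b_loc)
        if a_now != a_deploy and outcome != "commit":
            bad.append((a_now, outcome))
    return bad

if __name__ == "__main__":
    print("no move:", handshake(A_DEPLOY, A_DEPLOY, B_LOC))
    for move, outcome in find_counterexamples():
        print("A moved to", move, "->", outcome)
```

In this model every move away from the deployment position breaks the handshake, including moves that stay inside the transmission range, which is the liveness failure that formulas 3 and 4 express.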

Towards Authentication Protocol for Wireless Body Area Networks
5.1. Novel Authentication Scheme for WBAN. As we know, security in WBAN is the most important requirement to guarantee and protect the personal body parameters. Existing authentication schemes in WBAN typically use a single antenna, which makes them susceptible to the environment. Recently, Chitra proposed SeAK, a light-weight secure device pairing protocol based on RSS obtained by dual-antenna transceivers [14]. The mechanism assumes there is one CU and one or more sensor devices to be authenticated. The CU, equipped with two antennas 1 and 2, is the only device to authenticate other devices by its two spatially separated antennas.
The formalizing description of this protocol is as follows: (1) CU → : The analysis steps of the protocol are introduced as below.
(1) The CU sends a probe packet Probe[] to the device E to be authenticated from antenna 1, including sending power  CU , the location of CU  CU , and a random number  CU .
(2) After receiving the packet sent by CU, device  measures the RSS indicator (RSSI) of the packet and sends a response packet Resp[0] to CU. The computational formula of RSSI is Here,   denotes the distance between CU and device  and  denotes an index of energy.
(4) The average RSSI difference RD avg is calculated as follows: = {1, 2, . . .} ,  denotes the minimum of  and .
(5) The CU compares RD avg with threshold RD th . If RD avg is greater than RD th , the device is confirmed as legitimate. Then, CU sends AssocResp[ACCEPT] message to the device.
Figure 6 shows the layout of CU and sensor devices. Node  denotes the attack node while node  denotes legitimate node. The distances between  and CU's two antennas are  1 and  2 . As we can see, the difference between  1 and  2 is far smaller than  1 and  2 , because legitimate node  is closer to CU than node .

Protocol Specification.
As we can see from Figure 6, the two antennas 1 and 2 of CU are separated by  cm. The two antennas are responsible for capturing the radio signals and then calculating the received power ratio   which makes up the RSS value. As for devices  and , the RSS values measured by 1 and 2 will result in a large difference as device  is placed at a distance of  1 which is much closer than device .
In the protocol, the RSS value is dependent only on the two distances between device and CU's two antennas. The RSS value difference is large when the device is near the CU, whereas the two RSS values are similar when the device is far away from the CU. This allows legitimate nearby devices to be distinguished from faraway attacker devices.

Attack Model.
In the attack model, we assume an attacker can easily vary its transmission power to get authenticated as a legitimate device. In addition, the location of an attacker can change. This makes the attack model the most complex part. By extending Dolev-Yao model [9], this protocol is easy to break by an intruder  using the following way:
(1)  increases the transmission power, so CU will consider it as an in-range node.
(2)  moves into the transmission range of CU; the RSS value difference will be smaller than that out of the range.
(3)  intercepts the message sent between CU and device .
(4)  sends to CU messages by pretending to be a legitimate sensor node.
The attack model can be divided into two parts; one is to intercept the message from the channel, and the other is to send messages to the channel which may be generated with intercepted knowledge. Here, we use the abstract modeling data structure WSNNode too (see Algorithm 8). lCU 1 and lCU 2 are two spatially separated antennas 1 and 2. The distance between 1 and 2 is 1 cm. lE denotes the initial location information of attacker. Function enum() is used to enumerate all the ID information  knows. RadiusCU denotes the legitimate transmission range of CU. Radius denotes the available transmission range of intruder.
The behavior of intruder is uncertain, so the intrusion process may be actually an infinite loop.The key code of adversary model is as in Algorithm 9.
Here, RandLoc() is a function to enumerate all the Location information  knows. ID is the ID who sends the message. Loc  and Loc  are the location information of sender node. CU 1 and CU 2 denote the ID of two spatially separated antennas 1 and 2. If formula  results in True, it denotes that the intruder moves into the legitimate range of CU and has been authenticated with CU.

Security Property and Verification
We have performed this verification in model checking tool PAT using two legitimate processes, adversary process and LTL formulae as input. The results of  are true. The process of authentication is in Figure 7.
As we assumed before, the initial location of intruder is (0, 6) which is out-range of CU's legitimate range.However, the intruder moved to location (0, 4) which is in-range of CU.Then, the intruder is authenticated with CU by faking itself as a legitimate device.Therefore, the authentication protocol based on dual antennas for WBAN cannot support the authentication when the intruder moves off.
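Why the verdict depends only on position can be seen from the threshold test itself. The following Python sketch is an added illustration, not code from the paper or from SeAK: the log-distance path-loss formula, the exponent, the antenna coordinates, and the threshold value are assumptions chosen for the example, while the 1-unit antenna separation and the positions (0, 6) and (0, 4) follow the text.

```python
import math

PATH_LOSS_EXP = 2.0                    # assumed path-loss exponent
ANT1, ANT2 = (0.0, 0.0), (0.0, -1.0)   # constructed antenna positions, 1 unit apart
RD_TH = 1.5                            # constructed threshold RD_th, in dB

def rssi(tx_dbm, dist):
    """Assumed log-distance path loss: RSS = P_tx - 10 * n * log10(d)."""
    return tx_dbm - 10 * PATH_LOSS_EXP * math.log10(dist)

def rss_difference(tx_dbm, loc):
    """RSS difference between the CU's two antennas for a device at loc."""
    d1, d2 = math.dist(loc, ANT1), math.dist(loc, ANT2)
    return abs(rssi(tx_dbm, d1) - rssi(tx_dbm, d2))

def cu_accepts(tx_dbm, loc):
    """The CU's decision: accept when the difference exceeds RD_th."""
    return rss_difference(tx_dbm, loc) > RD_TH

def decisions(locations, tx_levels):
    """For each location, the set of decisions seen across all power levels."""
    return {loc: {cu_accepts(tx, loc) for tx in tx_levels} for loc in locations}

def acceptance_radius():
    """Distance from antenna 1, on the axis pointing away from antenna 2,
    below which a device is accepted: solves 10*n*log10((d + s)/d) = RD_th."""
    sep = math.dist(ANT1, ANT2)
    return sep / (10 ** (RD_TH / (10 * PATH_LOSS_EXP)) - 1)

if __name__ == "__main__":
    for loc, seen in decisions([(0, 6), (0, 4)], [0, 10, 20]).items():
        print(loc, "accepted" if seen == {True} else "rejected", "at every power")
    print("acceptance radius:", round(acceptance_radius(), 2))
```

Under this assumed model the transmit power cancels out of the difference, so the threshold is equivalent to a fixed radius around the CU: the test establishes proximity, not which device is transmitting.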

Conclusions
In this paper, we have proposed an abstract modeling language based on CSP# to support node moving-free behavior modeling especially for wireless sensor networks, where both abstract data structure and attack model beyond Dolev-Yao are designed and developed in PAT. Using the proposed modeling method specifically for WSNs and WBAN, the automatic verification for different kinds of location-based

Figure 1: The architecture of PAT.

Figure 3: The state transition chart of initial .

4.4. Protocol Goal Property Specification. Linear Temporal Logic is applied in this paper to describe various properties that WSN security protocol should hold. The following variables are defined to facilitate the property specification:
#define iniRunning (req  == true), set to 1 when initial  broadcasts the authentication request.
#define iniCommit (ack 2  == true), set to 1 when responder  receives msg3.
#define resRunning (req  == true), set to 1 when  receives the authentication request.
#define resCommit (ack 2  == true), set to 1 when  receives and verifies msg3 successfully.
#define nodeMoved (moved  == true || moved  == true), set to 1 when  or  is moved.
#define MoveOutRadius (outRadius  == true || outRadius  == true), set to 1 when  or  is out of the transmission range of each other.
Results. As with WSN, we use LTL to describe the property which the WBAN authentication protocol should hold. The following variables are again defined to facilitate the property specification:
#define iniRunningEU (req  == true), set to true when the intruder sends an authentication request to CU.
#define resCommitEU (ack 2  == true), set to true when the intruder completed all the  communication with CU.
#define MoveinRadius (outRadius == true), set to true when the intruder moves into the transmission range of CU.
After defining these variables above, protocol property can be described as follows:
#assert Protocol |= [](MoveinRadius -> <> !(iniRunningEU -> resCommitEU)).
sends to : {, } pk // is the nonce produced by  and pk is the public key of .
Message 2:  gets from : {, } pk // is the nonce produced by  and pk is the public key of .
Message 3:  sends to : {} pk
's view:
Message 1:  gets from : {, } pk
Message 2:  sends to : {, } pk
Message 3:  gets from : {} pk

Table 1: WSNNode class framework specific for WSN sensor modeling.

Pick a random  ∈ Z *  as the network master secret and set  pub = .
(3) Choose two cryptographic Hash functions:  1 and  1 and private key   =   ∈  * 1 .
Each node  possesses its public key   =  1 (ID  ||   ) and private key   =   =  1 (ID  ||   ) denoted by ID  and   . After the initial process, any two neighboring nodes should validate each other's network membership. Figure 2 shows an instance of location-based neighborhood authentication, where node  is the neighbor of both  and , while  and  are nonneighbors of each other. Nodes  and  are taken, for example, to explain the neighborhood authentication process:
(1)  → * : ID  ,   ,   ,
(2)  → : ID  ,   ,   , ℎ   (  ||   || 1),
(3)  → : ℎ   (  ||   || 2).
start, node  locally broadcasts an authentication request including its ID  , location   = ⟨  ,   ⟩, and a random nonce   . Upon receipt of such a request, node  first needs to ascertain that the claimed location   is in its transmission range by verifying if the Euclidean distance |  −   | ≤   . If the inequality does not hold, node  simply discards the authentication request; otherwise,  unicasts a reply to node  including ID  , location   , a random nonce   , and an authenticated message computed as ℎ   (  ||   || 1). Upon receiving the reply, node  also first checks if |  −   | ≤   . If the inequality is satisfied,  finally returns to  a message code computed as ℎ   (  ||   || 2).

Table 2: The symbol list for the abstract code.