Research ArticleUAV-Undertaker Securely Verifiable RemoteErasure Scheme with a Countdown-Concept for UAV viaRandomized Data Synchronization
Sieun Kim 1 Taek-Young Youn 2 Daeseon Choi 3 and Ki-Woong Park 4
1 SysCore Lab Sejong University Seoul Republic of Korea2Electronics and Telecommunications Research Institute Deajeon Republic of Korea3Dept of Medical Information Kongju National University Kongju Republic of Korea4Dept of Computer and Information Security Sejong University Seoul Republic of Korea
Correspondence should be addressed to Ki-Woong Park woongbaksejongackr
Received 31 January 2019 Revised 28 March 2019 Accepted 22 April 2019 Published 16 May 2019
Academic Editor Ilsun You
Copyright copy 2019 Sieun Kim et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Unmanned aerial vehicles (UAVs) play an increasingly core role in modern warfare with powerful but tiny embedded computingsystems actively applied in the military field Confidential data such as military secrets may be stored inside military devices suchas UAVs and the capture or loss of such data could cause significant damage to national security Therefore the developmentof securely verifiable remote erasure techniques for military devices is considered a core technology In this study we devised averifiable remote erasure scheme with a countdown-concept using randomized data synchronization to satisfy securely verifiableremote erasure technology The scheme allows the GCS (Ground Control Station) to remotely erase data stored in the UAV evenon loss of communication and returns proof of erasure to GCS after erasure Our approach classifies the accumulated data storedin the UAV as a new data type and applies the characteristics of that data type to generate the proof of erasure We select a small-volume data sample (rather than all of the data) and perform prior learning only on that sample in this way we can obtain theprobative power of the evidence of erasure with a relatively small amount of traffic When we want to erase data of 100 Mbytes ofremote device 100 Mbytes of data transfer is required for related work whereas our system has data transfer according to the ratioof amount of randomly selected data By doing this communication stability can be acquired even in unstable communicationsituations where the maximum traffic can change or not be predicted Furthermore when the UAV sends the proof of erasure tothe GCS the UAV does its best to perform the erasure operation given its situation
1 Introduction
In 2011 the USmilitary lost control of an American LockheedMartin RQ-170 Sentinel unmanned aerial vehicle (UAV)during amission over AfghanistanTheUAVwas captured byIranian forces [1] which successfully extracted informationreleased a video obtained from the captured UAV andsubsequently constructed a copy of the RQ-170 the Saegheh[2] As demonstrated by this episode the theft of militaryUAVs causes significant damage including the loss of secretdata such as collected information [3] Consequently it isindispensable to assure the security of the UAV [4ndash6]
Erasing data as needed can safeguard confidential infor-mation stored on remote devices Generally if a user sendsan erasure request the remote device receives it and performsthe erasure However UAVs remotely performing a missioncannot always receive the signal [7ndash9] As such techniquesare needed to completely erase the data stored in remoteUAVs following a loss
Recognition that sensitive information has been leaked(ie the erasure process has not been performed) is criticaland so confirmation of erasure must be performed in averifiable manner (verifiable erasure) Verifying the result ofthe erasure operation as 1-bit response has low reliability [10]
HindawiWireless Communications and Mobile ComputingVolume 2019 Article ID 8913910 11 pageshttpsdoiorg10115520198913910
2 Wireless Communications and Mobile Computing
Blocking Erasure Request
GCSUAV Attacker
Unverifiable Erasure
GCSAttacker
UAV
Performing Erasure Despite Loss of Control and Sending Proof of Erasure
Proof of
Erasure GCSUAV Attacker
GCS
Attack
Attacker
eraseresponse
GCS
Erasure Request
Erasure Request
False Result
(a) (b)
(e)
(d)
(c)
response
erase
receive
Figure 1Three situations faced by unmanned aerial vehicles (UAVs) after attack or capture (a)UAVon a flightmission (b)UAVs performinga flight mission is captured by an attacker (c) receiving unverifiable result of erasure (d) blocked erasure requests by attackers and (e)performing erasure operation and transmitting proof of erasure following capture
Obvious proof of erasure must be presented and there mustbe nomechanism by whichmalicious users can generate falseevidence
Figure 1 indicates three situations that UAVsmay be facedwith after attack or capture In conventional remote erasuresystems [11 12] a Ground Control Station (GCS that isthe control center that provides human control of UAVs)can erase data by sending an erasure signal to a lost UAVHowever when communication is cut conventional remoteerasure is not available We devised counter-based erasurewhich can erase data in an uncontrollable environment Thisstudy is an extension of our previous work [13 14] in whichwe focused on the system design of trustworthy remoteerasure for UAVs However our objective here was to devisea mechanism to select random seed data using accumulateddata and develop a method for trustworthy remote erasureThe devised scheme has a count value which decrementsvalue one by one and erases data when the counter valuereaches zero The GCS can retain stored data only throughperiodically sending the specific value to the UAV If the GCSdoes not send the specific value to the remote UAV and thecounter reaches zero the UAV erases the data In terms ofverification most existing mechanisms provide nothing oronly a simple response (erase or not erase) Our remote era-sure system provides relatively complex but verifiable proofof erasure through randomized data synchronization Upona process of erasure of data the remote UAV continuously
generates a proof of erasure until the UAV is completelystopped this proof is repeatedly sent to the GCS The GCSchecks that the proof has been received and verifies thatremote data are erased
The remainder of this paper is organized as followsSection 2 reviews the related works of verifiable remote dataerasure Section 3 describes the materials and gives detailsof our mechanism UAV-Undertaker Section 4 describes twoexperiment results about overhead in terms of communi-cation and computation This paper ends in Section 5 withconclusion on our work
2 Related Works
To resolve problem of erasure of remotely stored data withverifiability the researchers have devised approaches whichgenerate a provable value of erasure operation We analyzedseveral of them and identified the limiting factors in applyinga verifiable erasure for UAVs
Perito and Tsudik [15] use a PoSE (Proof of SecureErasure) for secure code updates on embedded devices byverifying the erasure of memory A verifier sends verifier-selected randomness of the size of memory to a prover andthe proverrsquos memory is filled with the received value Theprover returns the very same randomness written on thememory to the verifier As both the verifier and the proversend a random value of memory size to each other this
Wireless Communications and Mobile Computing 3
UpdateIdle
If receive msg
Performed per interval
Aer sending
msg Send Msg
Authenti-cation
FailSuccess
Verify Proof
ReceiveProof
If receive proof
Aer receiving
proof
Aer update
GCS
Communication Protocol Erasure Protocol
Aer di
(a) (b)
Figure 2 Overall process of the proposed remote erasure system (a) Unmanned aerial vehicle (UAV)-Undertaker from the Ground ControlStation (GCS) viewpoint (b) UAV-Undertaker from the UAV viewpoint If the count value becomes zero the UAV erases data and repeatedlysends the proof of erasure to the user (ie the GCS)
protocol has a huge overhead concerning communicationIn our system as shown in Figure 9 of Section 4 when asmall amount of data (ie 120572 =2) is selected as a seed andtransmitted the instantaneous amount of transferred data issignificantly lower than when live tracking all data (ie 120572=100) In other words our system shares the burden of therequired data transfer amount to verify the erasure operationTherefore our system can significantly reduce instantaneousamount of transferred data which is a limitation of theabove study Dziembowski et al [16] proposed a scheme thatreduces the communication complexity of PoSE A verifiersends a seed to a proverThe prover performs a hash functionusing the seed and retains the sizable result value using allof the proverrsquos memory The calculated hash value can onlybe generated once because it uses a secret key stored inthe memory and so it can be proof of erasure Howeverwhile this scheme reduces the communication overhead ofPoSE a huge calculative overhead arises Ammar et al [17]introduced SPEED which guarantees erasure on embeddedsystem The protocol is implemented in isolated memoryusing the Trusted Software Module A verifierrsquos distance ismeasured by the Distance Bounding (DB) protocol whichestablishes an upper bound on the physical distance betweena verifier and a prover The prover authenticates the verifierthrough the DB protocol and erases data if verification ispassed successfully To verify erasure the prover sends theproof as the message authentication code value of the entirememory However the scheme is limited in terms of distanceand so is not applicable for UAVs
Our approach solves verifiable erasure through proof oferasure [15ndash18] that only the user can identify as in theabove studies However our approach creates a proof oferasure in such a way that the memory blocks each havea dependency on the block which guarantees more robustevidence Furthermore in contrast to past studies which didnot consider losses in the communication environment weaimed to achieve remote erasure of UAVs after hijack loss
andor disconnection Also the sensor system in cloud is sim-ilar to our system in that it collects data from remote devicesand processes them to achieve specific goals However in thecase of the cloud sensor system the collected information islimited to the sensor data and ismerely used for providing themonitoring to the user In the case of our system the collectedinformation is the memory information of the remote deviceIt can be seen that there is a difference from the cloud sensorsystem in that it verifies whether or not the erasure operationis performed by utilizing this
3 Proposed System Architecture
Our UAV-Undertaker consists of two parts the communi-cation protocol and verifiable erasure protocol We confirmwhether or not control of the UAV is lost by communicatingwith the UAV Therefore it is important to verify that amessage originates from the stated sender (ie authenticcommunication) and has not been changed This authenti-cation role is implemented as the communication protocolusing a hash chain mechanism [19] We also implement theverifiable erasure protocol which generates proof of erasureto verify that the erasure operation was really performed Weclassify the data region according to the number of timesthe data will be written in order to increase the probativepower of proof of erasure with just a small amount of data(thus improving efficiency) The operation result value iscreated by accurately performing the implemented erasureoperation Therefore a cryptographic accelerator such as theTPM (Trusted Platform Module) must be used in order tomake the results of the computation trustworthy
Figure 2 shows the overall process of our approach fromboth the GCS andUAVviewpoints From the GCS viewpointthe GCS sends an authentication request message to the UAVat intervals and then waits for a message from the UAV Ifthe GCS receives a message from the UAV it verifies thatthe message is authentic if so it updates the value to be
4 Wireless Communications and Mobile Computing
Table 1 Notations of the entity and messages
Definition of the Entity SymbolsGCS Ground Control StationUAV Unmanned Aerial VehicleDenotationmsg = 120572 120573 Message contains two contexts (120572 and 120573)msg = 120572 (120573) Message always contains 120572 context but 120573 context is optionally containedDefinition of the Message Symbols119870119909119910 A symmetric key shared between 119909 and 119910119864119870 119861 Encrypt 119861 with key119870119909 Value to compute with hash function119899 Number of hash function calculations119903 Retransmission bit119894 Authentication countℎ(119909) Result of 119909 in the hash function119873119900119899119888119890 Generated random data against replay attacksℎ119897 Address of hot data modified after previous authentication119886119897 Address of accumulated data modified after previous authenticationℎV Set containing the addresses of hot data randomly selected and the values of those data119886V Set containing the addresses of accumulated data randomly selected and the values of those data119875119900119864 Proof of ErasureDefinition of the Greek Symbols120572 Ratio of amount of randomly selected data in accumulated data region120573 Ratio of amount of randomly selected data in hot data region120574 Number of re-authentication permits120575 Initial value of the counter
sent next If communication with the UAV is cut off and theUAV performs the erasure operation and the GCS repeatedlyreceives the proof of erasure from the UAV and verifies itFrom the UAV viewpoint after decrementing the counter byone the UAV waits for a message from the GCS (idle state)A UAV that has successfully authenticated a GCS updateof the hash value for the next authentication initializes thedecreasing count value to 120575 (ie the initial value of thecounter) and waits for the message to be received again(idle state) If the UAV does not receive a message from theGCS before the count value reaches a certain value the UAVrepeatedly erases stored data and repetitively sends proof oferasure through a low frequency
31 Communication Protocol To allow the sender of eachmessage to be authenticated hash chains and messageencryption are used in the communication protocol Toencrypt a message the UAV must share the symmetric keysecurely offline with the GCS before departure Our approachis designed to execute the erasure protocol after 120574 times ofrequests for reauthentication because the UAV may be con-fronted with a mere transient communication failure where120574 can be set freely according to the circumstances of missionTable 1 defines the entity symbols and the message symbols
Figure 3 shows the message flow when communicationbetween the UAV and the GCS is performed without prob-lems First the GCS encrypts the number of hash function
calculations (119899) and the value to compute with hash function(119909) using a symmetric key already shared between the GCSand the UAV it then sends an initialization request message(Message 1-1) containing that encrypted value to the UAVWhen the value is received from the GCS the UAV computesℎ119899(119909) encrypts it and sends an initialization response mes-sage (Message 1-2) to the GCS The GCS confirms that theUAV received the correct 119909 and 119899 The GCS and the UAVwho have verified each other start exchanging authenticationmessages using a hash chain The GCS sends messages tothe UAV at regular intervals When the maximum countvalue is 120575 (seconds) and the number of reauthenticationtimes is 120574 the interval is calculated using (1) The constantldquo1rdquo in (1) is added because GCS waits for the interval andthen sends the next message The constant ldquo2rdquo in (1) ismultiplied to prevent the timer from being initialized duringthe maximum authentication latency that can occur on oursystem
119894119899119905119890119903V119886119897 =120575
2 (1 + 120574)(119904119890119888119900119899119889119904) (1)
After the UAV receives a message (Message 1-3) contain-ing the hash value from the GCS the UAV calculates thehash value of the received value and compares the valuewith the previously stored value If two values are equalthe UAV initializes the count value to 120575 and updates thestored value with the hash value received from the GCS
Wireless Communications and Mobile Computing 5
UAVGCS
Initiate Timer4 Verify Msg 1-2
6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV
8 Verify Msg 1-4
hellip
n ndash i + 1
0 0
Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E
Hash Value Stored in UAV
n
n ndash i
hellip
hellip
GCS
hellip
Number of Hash Function Calculations
Stored in UAV
intervali
intervali
1 Initialization Request Msg(1-1)
3 Initialization Response Msg(1-2)2 Calculate ℎ
n(x)
ℎn(x)
ℎnminusi+1
(x)
ℎnminusi
(x)
KGCSUAV x n NonceGCSKGCSUAV ℎ
n(x) NonceGCS
KGCSUAV ℎnminusi
(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)
5 ith Authentication Response Msg(1-3)
7 ith Authentication Request Msg(1-4)
Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems
After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2
Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit
recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
2 Wireless Communications and Mobile Computing
Blocking Erasure Request
GCSUAV Attacker
Unverifiable Erasure
GCSAttacker
UAV
Performing Erasure Despite Loss of Control and Sending Proof of Erasure
Proof of
Erasure GCSUAV Attacker
GCS
Attack
Attacker
eraseresponse
GCS
Erasure Request
Erasure Request
False Result
(a) (b)
(e)
(d)
(c)
response
erase
receive
Figure 1Three situations faced by unmanned aerial vehicles (UAVs) after attack or capture (a)UAVon a flightmission (b)UAVs performinga flight mission is captured by an attacker (c) receiving unverifiable result of erasure (d) blocked erasure requests by attackers and (e)performing erasure operation and transmitting proof of erasure following capture
Obvious proof of erasure must be presented and there mustbe nomechanism by whichmalicious users can generate falseevidence
Figure 1 indicates three situations that UAVsmay be facedwith after attack or capture In conventional remote erasuresystems [11 12] a Ground Control Station (GCS that isthe control center that provides human control of UAVs)can erase data by sending an erasure signal to a lost UAVHowever when communication is cut conventional remoteerasure is not available We devised counter-based erasurewhich can erase data in an uncontrollable environment Thisstudy is an extension of our previous work [13 14] in whichwe focused on the system design of trustworthy remoteerasure for UAVs However our objective here was to devisea mechanism to select random seed data using accumulateddata and develop a method for trustworthy remote erasureThe devised scheme has a count value which decrementsvalue one by one and erases data when the counter valuereaches zero The GCS can retain stored data only throughperiodically sending the specific value to the UAV If the GCSdoes not send the specific value to the remote UAV and thecounter reaches zero the UAV erases the data In terms ofverification most existing mechanisms provide nothing oronly a simple response (erase or not erase) Our remote era-sure system provides relatively complex but verifiable proofof erasure through randomized data synchronization Upona process of erasure of data the remote UAV continuously
generates a proof of erasure until the UAV is completelystopped this proof is repeatedly sent to the GCS The GCSchecks that the proof has been received and verifies thatremote data are erased
The remainder of this paper is organized as followsSection 2 reviews the related works of verifiable remote dataerasure Section 3 describes the materials and gives detailsof our mechanism UAV-Undertaker Section 4 describes twoexperiment results about overhead in terms of communi-cation and computation This paper ends in Section 5 withconclusion on our work
2 Related Works
To resolve problem of erasure of remotely stored data withverifiability the researchers have devised approaches whichgenerate a provable value of erasure operation We analyzedseveral of them and identified the limiting factors in applyinga verifiable erasure for UAVs
Perito and Tsudik [15] use a PoSE (Proof of SecureErasure) for secure code updates on embedded devices byverifying the erasure of memory A verifier sends verifier-selected randomness of the size of memory to a prover andthe proverrsquos memory is filled with the received value Theprover returns the very same randomness written on thememory to the verifier As both the verifier and the proversend a random value of memory size to each other this
Wireless Communications and Mobile Computing 3
UpdateIdle
If receive msg
Performed per interval
Aer sending
msg Send Msg
Authenti-cation
FailSuccess
Verify Proof
ReceiveProof
If receive proof
Aer receiving
proof
Aer update
GCS
Communication Protocol Erasure Protocol
Aer di
(a) (b)
Figure 2 Overall process of the proposed remote erasure system (a) Unmanned aerial vehicle (UAV)-Undertaker from the Ground ControlStation (GCS) viewpoint (b) UAV-Undertaker from the UAV viewpoint If the count value becomes zero the UAV erases data and repeatedlysends the proof of erasure to the user (ie the GCS)
protocol has a huge overhead concerning communicationIn our system as shown in Figure 9 of Section 4 when asmall amount of data (ie 120572 =2) is selected as a seed andtransmitted the instantaneous amount of transferred data issignificantly lower than when live tracking all data (ie 120572=100) In other words our system shares the burden of therequired data transfer amount to verify the erasure operationTherefore our system can significantly reduce instantaneousamount of transferred data which is a limitation of theabove study Dziembowski et al [16] proposed a scheme thatreduces the communication complexity of PoSE A verifiersends a seed to a proverThe prover performs a hash functionusing the seed and retains the sizable result value using allof the proverrsquos memory The calculated hash value can onlybe generated once because it uses a secret key stored inthe memory and so it can be proof of erasure Howeverwhile this scheme reduces the communication overhead ofPoSE a huge calculative overhead arises Ammar et al [17]introduced SPEED which guarantees erasure on embeddedsystem The protocol is implemented in isolated memoryusing the Trusted Software Module A verifierrsquos distance ismeasured by the Distance Bounding (DB) protocol whichestablishes an upper bound on the physical distance betweena verifier and a prover The prover authenticates the verifierthrough the DB protocol and erases data if verification ispassed successfully To verify erasure the prover sends theproof as the message authentication code value of the entirememory However the scheme is limited in terms of distanceand so is not applicable for UAVs
Our approach solves verifiable erasure through proof oferasure [15ndash18] that only the user can identify as in theabove studies However our approach creates a proof oferasure in such a way that the memory blocks each havea dependency on the block which guarantees more robustevidence Furthermore in contrast to past studies which didnot consider losses in the communication environment weaimed to achieve remote erasure of UAVs after hijack loss
andor disconnection Also the sensor system in cloud is sim-ilar to our system in that it collects data from remote devicesand processes them to achieve specific goals However in thecase of the cloud sensor system the collected information islimited to the sensor data and ismerely used for providing themonitoring to the user In the case of our system the collectedinformation is the memory information of the remote deviceIt can be seen that there is a difference from the cloud sensorsystem in that it verifies whether or not the erasure operationis performed by utilizing this
3 Proposed System Architecture
Our UAV-Undertaker consists of two parts the communi-cation protocol and verifiable erasure protocol We confirmwhether or not control of the UAV is lost by communicatingwith the UAV Therefore it is important to verify that amessage originates from the stated sender (ie authenticcommunication) and has not been changed This authenti-cation role is implemented as the communication protocolusing a hash chain mechanism [19] We also implement theverifiable erasure protocol which generates proof of erasureto verify that the erasure operation was really performed Weclassify the data region according to the number of timesthe data will be written in order to increase the probativepower of proof of erasure with just a small amount of data(thus improving efficiency) The operation result value iscreated by accurately performing the implemented erasureoperation Therefore a cryptographic accelerator such as theTPM (Trusted Platform Module) must be used in order tomake the results of the computation trustworthy
Figure 2 shows the overall process of our approach fromboth the GCS andUAVviewpoints From the GCS viewpointthe GCS sends an authentication request message to the UAVat intervals and then waits for a message from the UAV Ifthe GCS receives a message from the UAV it verifies thatthe message is authentic if so it updates the value to be
4 Wireless Communications and Mobile Computing
Table 1 Notations of the entity and messages
Definition of the Entity SymbolsGCS Ground Control StationUAV Unmanned Aerial VehicleDenotationmsg = 120572 120573 Message contains two contexts (120572 and 120573)msg = 120572 (120573) Message always contains 120572 context but 120573 context is optionally containedDefinition of the Message Symbols119870119909119910 A symmetric key shared between 119909 and 119910119864119870 119861 Encrypt 119861 with key119870119909 Value to compute with hash function119899 Number of hash function calculations119903 Retransmission bit119894 Authentication countℎ(119909) Result of 119909 in the hash function119873119900119899119888119890 Generated random data against replay attacksℎ119897 Address of hot data modified after previous authentication119886119897 Address of accumulated data modified after previous authenticationℎV Set containing the addresses of hot data randomly selected and the values of those data119886V Set containing the addresses of accumulated data randomly selected and the values of those data119875119900119864 Proof of ErasureDefinition of the Greek Symbols120572 Ratio of amount of randomly selected data in accumulated data region120573 Ratio of amount of randomly selected data in hot data region120574 Number of re-authentication permits120575 Initial value of the counter
sent next If communication with the UAV is cut off and theUAV performs the erasure operation and the GCS repeatedlyreceives the proof of erasure from the UAV and verifies itFrom the UAV viewpoint after decrementing the counter byone the UAV waits for a message from the GCS (idle state)A UAV that has successfully authenticated a GCS updateof the hash value for the next authentication initializes thedecreasing count value to 120575 (ie the initial value of thecounter) and waits for the message to be received again(idle state) If the UAV does not receive a message from theGCS before the count value reaches a certain value the UAVrepeatedly erases stored data and repetitively sends proof oferasure through a low frequency
31 Communication Protocol To allow the sender of eachmessage to be authenticated hash chains and messageencryption are used in the communication protocol Toencrypt a message the UAV must share the symmetric keysecurely offline with the GCS before departure Our approachis designed to execute the erasure protocol after 120574 times ofrequests for reauthentication because the UAV may be con-fronted with a mere transient communication failure where120574 can be set freely according to the circumstances of missionTable 1 defines the entity symbols and the message symbols
Figure 3 shows the message flow when communicationbetween the UAV and the GCS is performed without prob-lems First the GCS encrypts the number of hash function
calculations (119899) and the value to compute with hash function(119909) using a symmetric key already shared between the GCSand the UAV it then sends an initialization request message(Message 1-1) containing that encrypted value to the UAVWhen the value is received from the GCS the UAV computesℎ119899(119909) encrypts it and sends an initialization response mes-sage (Message 1-2) to the GCS The GCS confirms that theUAV received the correct 119909 and 119899 The GCS and the UAVwho have verified each other start exchanging authenticationmessages using a hash chain The GCS sends messages tothe UAV at regular intervals When the maximum countvalue is 120575 (seconds) and the number of reauthenticationtimes is 120574 the interval is calculated using (1) The constantldquo1rdquo in (1) is added because GCS waits for the interval andthen sends the next message The constant ldquo2rdquo in (1) ismultiplied to prevent the timer from being initialized duringthe maximum authentication latency that can occur on oursystem
119894119899119905119890119903V119886119897 =120575
2 (1 + 120574)(119904119890119888119900119899119889119904) (1)
After the UAV receives a message (Message 1-3) contain-ing the hash value from the GCS the UAV calculates thehash value of the received value and compares the valuewith the previously stored value If two values are equalthe UAV initializes the count value to 120575 and updates thestored value with the hash value received from the GCS
Wireless Communications and Mobile Computing 5
UAVGCS
Initiate Timer4 Verify Msg 1-2
6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV
8 Verify Msg 1-4
hellip
n ndash i + 1
0 0
Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E
Hash Value Stored in UAV
n
n ndash i
hellip
hellip
GCS
hellip
Number of Hash Function Calculations
Stored in UAV
intervali
intervali
1 Initialization Request Msg(1-1)
3 Initialization Response Msg(1-2)2 Calculate ℎ
n(x)
ℎn(x)
ℎnminusi+1
(x)
ℎnminusi
(x)
KGCSUAV x n NonceGCSKGCSUAV ℎ
n(x) NonceGCS
KGCSUAV ℎnminusi
(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)
5 ith Authentication Response Msg(1-3)
7 ith Authentication Request Msg(1-4)
Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems
After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2
Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit
recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 3
UpdateIdle
If receive msg
Performed per interval
Aer sending
msg Send Msg
Authenti-cation
FailSuccess
Verify Proof
ReceiveProof
If receive proof
Aer receiving
proof
Aer update
GCS
Communication Protocol Erasure Protocol
Aer di
(a) (b)
Figure 2 Overall process of the proposed remote erasure system (a) Unmanned aerial vehicle (UAV)-Undertaker from the Ground ControlStation (GCS) viewpoint (b) UAV-Undertaker from the UAV viewpoint If the count value becomes zero the UAV erases data and repeatedlysends the proof of erasure to the user (ie the GCS)
protocol has a huge overhead concerning communicationIn our system as shown in Figure 9 of Section 4 when asmall amount of data (ie 120572 =2) is selected as a seed andtransmitted the instantaneous amount of transferred data issignificantly lower than when live tracking all data (ie 120572=100) In other words our system shares the burden of therequired data transfer amount to verify the erasure operationTherefore our system can significantly reduce instantaneousamount of transferred data which is a limitation of theabove study Dziembowski et al [16] proposed a scheme thatreduces the communication complexity of PoSE A verifiersends a seed to a proverThe prover performs a hash functionusing the seed and retains the sizable result value using allof the proverrsquos memory The calculated hash value can onlybe generated once because it uses a secret key stored inthe memory and so it can be proof of erasure Howeverwhile this scheme reduces the communication overhead ofPoSE a huge calculative overhead arises Ammar et al [17]introduced SPEED which guarantees erasure on embeddedsystem The protocol is implemented in isolated memoryusing the Trusted Software Module A verifierrsquos distance ismeasured by the Distance Bounding (DB) protocol whichestablishes an upper bound on the physical distance betweena verifier and a prover The prover authenticates the verifierthrough the DB protocol and erases data if verification ispassed successfully To verify erasure the prover sends theproof as the message authentication code value of the entirememory However the scheme is limited in terms of distanceand so is not applicable for UAVs
Our approach solves verifiable erasure through proof oferasure [15ndash18] that only the user can identify as in theabove studies However our approach creates a proof oferasure in such a way that the memory blocks each havea dependency on the block which guarantees more robustevidence Furthermore in contrast to past studies which didnot consider losses in the communication environment weaimed to achieve remote erasure of UAVs after hijack loss
andor disconnection Also the sensor system in cloud is sim-ilar to our system in that it collects data from remote devicesand processes them to achieve specific goals However in thecase of the cloud sensor system the collected information islimited to the sensor data and ismerely used for providing themonitoring to the user In the case of our system the collectedinformation is the memory information of the remote deviceIt can be seen that there is a difference from the cloud sensorsystem in that it verifies whether or not the erasure operationis performed by utilizing this
3 Proposed System Architecture
Our UAV-Undertaker consists of two parts the communi-cation protocol and verifiable erasure protocol We confirmwhether or not control of the UAV is lost by communicatingwith the UAV Therefore it is important to verify that amessage originates from the stated sender (ie authenticcommunication) and has not been changed This authenti-cation role is implemented as the communication protocolusing a hash chain mechanism [19] We also implement theverifiable erasure protocol which generates proof of erasureto verify that the erasure operation was really performed Weclassify the data region according to the number of timesthe data will be written in order to increase the probativepower of proof of erasure with just a small amount of data(thus improving efficiency) The operation result value iscreated by accurately performing the implemented erasureoperation Therefore a cryptographic accelerator such as theTPM (Trusted Platform Module) must be used in order tomake the results of the computation trustworthy
Figure 2 shows the overall process of our approach fromboth the GCS andUAVviewpoints From the GCS viewpointthe GCS sends an authentication request message to the UAVat intervals and then waits for a message from the UAV Ifthe GCS receives a message from the UAV it verifies thatthe message is authentic if so it updates the value to be
4 Wireless Communications and Mobile Computing
Table 1 Notations of the entity and messages
Definition of the Entity SymbolsGCS Ground Control StationUAV Unmanned Aerial VehicleDenotationmsg = 120572 120573 Message contains two contexts (120572 and 120573)msg = 120572 (120573) Message always contains 120572 context but 120573 context is optionally containedDefinition of the Message Symbols119870119909119910 A symmetric key shared between 119909 and 119910119864119870 119861 Encrypt 119861 with key119870119909 Value to compute with hash function119899 Number of hash function calculations119903 Retransmission bit119894 Authentication countℎ(119909) Result of 119909 in the hash function119873119900119899119888119890 Generated random data against replay attacksℎ119897 Address of hot data modified after previous authentication119886119897 Address of accumulated data modified after previous authenticationℎV Set containing the addresses of hot data randomly selected and the values of those data119886V Set containing the addresses of accumulated data randomly selected and the values of those data119875119900119864 Proof of ErasureDefinition of the Greek Symbols120572 Ratio of amount of randomly selected data in accumulated data region120573 Ratio of amount of randomly selected data in hot data region120574 Number of re-authentication permits120575 Initial value of the counter
sent next If communication with the UAV is cut off and theUAV performs the erasure operation and the GCS repeatedlyreceives the proof of erasure from the UAV and verifies itFrom the UAV viewpoint after decrementing the counter byone the UAV waits for a message from the GCS (idle state)A UAV that has successfully authenticated a GCS updateof the hash value for the next authentication initializes thedecreasing count value to 120575 (ie the initial value of thecounter) and waits for the message to be received again(idle state) If the UAV does not receive a message from theGCS before the count value reaches a certain value the UAVrepeatedly erases stored data and repetitively sends proof oferasure through a low frequency
31 Communication Protocol To allow the sender of eachmessage to be authenticated hash chains and messageencryption are used in the communication protocol Toencrypt a message the UAV must share the symmetric keysecurely offline with the GCS before departure Our approachis designed to execute the erasure protocol after 120574 times ofrequests for reauthentication because the UAV may be con-fronted with a mere transient communication failure where120574 can be set freely according to the circumstances of missionTable 1 defines the entity symbols and the message symbols
Figure 3 shows the message flow when communicationbetween the UAV and the GCS is performed without prob-lems First the GCS encrypts the number of hash function
calculations (119899) and the value to compute with hash function(119909) using a symmetric key already shared between the GCSand the UAV it then sends an initialization request message(Message 1-1) containing that encrypted value to the UAVWhen the value is received from the GCS the UAV computesℎ119899(119909) encrypts it and sends an initialization response mes-sage (Message 1-2) to the GCS The GCS confirms that theUAV received the correct 119909 and 119899 The GCS and the UAVwho have verified each other start exchanging authenticationmessages using a hash chain The GCS sends messages tothe UAV at regular intervals When the maximum countvalue is 120575 (seconds) and the number of reauthenticationtimes is 120574 the interval is calculated using (1) The constantldquo1rdquo in (1) is added because GCS waits for the interval andthen sends the next message The constant ldquo2rdquo in (1) ismultiplied to prevent the timer from being initialized duringthe maximum authentication latency that can occur on oursystem
119894119899119905119890119903V119886119897 =120575
2 (1 + 120574)(119904119890119888119900119899119889119904) (1)
After the UAV receives a message (Message 1-3) contain-ing the hash value from the GCS the UAV calculates thehash value of the received value and compares the valuewith the previously stored value If two values are equalthe UAV initializes the count value to 120575 and updates thestored value with the hash value received from the GCS
Wireless Communications and Mobile Computing 5
UAVGCS
Initiate Timer4 Verify Msg 1-2
6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV
8 Verify Msg 1-4
hellip
n ndash i + 1
0 0
Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E
Hash Value Stored in UAV
n
n ndash i
hellip
hellip
GCS
hellip
Number of Hash Function Calculations
Stored in UAV
intervali
intervali
1 Initialization Request Msg(1-1)
3 Initialization Response Msg(1-2)2 Calculate ℎ
n(x)
ℎn(x)
ℎnminusi+1
(x)
ℎnminusi
(x)
KGCSUAV x n NonceGCSKGCSUAV ℎ
n(x) NonceGCS
KGCSUAV ℎnminusi
(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)
5 ith Authentication Response Msg(1-3)
7 ith Authentication Request Msg(1-4)
Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems
After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2
Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit
recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
4 Wireless Communications and Mobile Computing
Table 1 Notations of the entity and messages
Definition of the Entity SymbolsGCS Ground Control StationUAV Unmanned Aerial VehicleDenotationmsg = 120572 120573 Message contains two contexts (120572 and 120573)msg = 120572 (120573) Message always contains 120572 context but 120573 context is optionally containedDefinition of the Message Symbols119870119909119910 A symmetric key shared between 119909 and 119910119864119870 119861 Encrypt 119861 with key119870119909 Value to compute with hash function119899 Number of hash function calculations119903 Retransmission bit119894 Authentication countℎ(119909) Result of 119909 in the hash function119873119900119899119888119890 Generated random data against replay attacksℎ119897 Address of hot data modified after previous authentication119886119897 Address of accumulated data modified after previous authenticationℎV Set containing the addresses of hot data randomly selected and the values of those data119886V Set containing the addresses of accumulated data randomly selected and the values of those data119875119900119864 Proof of ErasureDefinition of the Greek Symbols120572 Ratio of amount of randomly selected data in accumulated data region120573 Ratio of amount of randomly selected data in hot data region120574 Number of re-authentication permits120575 Initial value of the counter
sent next If communication with the UAV is cut off and theUAV performs the erasure operation and the GCS repeatedlyreceives the proof of erasure from the UAV and verifies itFrom the UAV viewpoint after decrementing the counter byone the UAV waits for a message from the GCS (idle state)A UAV that has successfully authenticated a GCS updateof the hash value for the next authentication initializes thedecreasing count value to 120575 (ie the initial value of thecounter) and waits for the message to be received again(idle state) If the UAV does not receive a message from theGCS before the count value reaches a certain value the UAVrepeatedly erases stored data and repetitively sends proof oferasure through a low frequency
31 Communication Protocol To allow the sender of eachmessage to be authenticated hash chains and messageencryption are used in the communication protocol Toencrypt a message the UAV must share the symmetric keysecurely offline with the GCS before departure Our approachis designed to execute the erasure protocol after 120574 times ofrequests for reauthentication because the UAV may be con-fronted with a mere transient communication failure where120574 can be set freely according to the circumstances of missionTable 1 defines the entity symbols and the message symbols
Figure 3 shows the message flow when communicationbetween the UAV and the GCS is performed without prob-lems First the GCS encrypts the number of hash function
calculations (119899) and the value to compute with hash function(119909) using a symmetric key already shared between the GCSand the UAV it then sends an initialization request message(Message 1-1) containing that encrypted value to the UAVWhen the value is received from the GCS the UAV computesℎ119899(119909) encrypts it and sends an initialization response mes-sage (Message 1-2) to the GCS The GCS confirms that theUAV received the correct 119909 and 119899 The GCS and the UAVwho have verified each other start exchanging authenticationmessages using a hash chain The GCS sends messages tothe UAV at regular intervals When the maximum countvalue is 120575 (seconds) and the number of reauthenticationtimes is 120574 the interval is calculated using (1) The constantldquo1rdquo in (1) is added because GCS waits for the interval andthen sends the next message The constant ldquo2rdquo in (1) ismultiplied to prevent the timer from being initialized duringthe maximum authentication latency that can occur on oursystem
119894119899119905119890119903V119886119897 =120575
2 (1 + 120574)(119904119890119888119900119899119889119904) (1)
After the UAV receives a message (Message 1-3) contain-ing the hash value from the GCS the UAV calculates thehash value of the received value and compares the valuewith the previously stored value If two values are equalthe UAV initializes the count value to 120575 and updates thestored value with the hash value received from the GCS
Wireless Communications and Mobile Computing 5
UAVGCS
Initiate Timer4 Verify Msg 1-2
6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV
8 Verify Msg 1-4
hellip
n ndash i + 1
0 0
Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E
Hash Value Stored in UAV
n
n ndash i
hellip
hellip
GCS
hellip
Number of Hash Function Calculations
Stored in UAV
intervali
intervali
1 Initialization Request Msg(1-1)
3 Initialization Response Msg(1-2)2 Calculate ℎ
n(x)
ℎn(x)
ℎnminusi+1
(x)
ℎnminusi
(x)
KGCSUAV x n NonceGCSKGCSUAV ℎ
n(x) NonceGCS
KGCSUAV ℎnminusi
(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)
5 ith Authentication Response Msg(1-3)
7 ith Authentication Request Msg(1-4)
Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems
After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2
Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit
recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 5
UAVGCS
Initiate Timer4 Verify Msg 1-2
6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV
8 Verify Msg 1-4
hellip
n ndash i + 1
0 0
Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E
Hash Value Stored in UAV
n
n ndash i
hellip
hellip
GCS
hellip
Number of Hash Function Calculations
Stored in UAV
intervali
intervali
1 Initialization Request Msg(1-1)
3 Initialization Response Msg(1-2)2 Calculate ℎ
n(x)
ℎn(x)
ℎnminusi+1
(x)
ℎnminusi
(x)
KGCSUAV x n NonceGCSKGCSUAV ℎ
n(x) NonceGCS
KGCSUAV ℎnminusi
(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)
5 ith Authentication Response Msg(1-3)
7 ith Authentication Request Msg(1-4)
Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems
After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2
Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit
recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
6 Wireless Communications and Mobile Computing
UAVGCS
Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS
n ndash i + 1
4 Erasure Operation
hellip
interval
interval
6 Erasure Operation
hellip
Best Effort
GCS Hash Value Stored in UAV
Number of Hash Function Calculations
Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)
3 Re-authentication Request Msg(2-2)
5 Erasure Proof Msg(2-3)
7 Erasure Proof Msg(2-4)
ℎnminusi+1
(x)
KGCSUAV ℎnminusi
(x) r NonceGCSKGCSUAV ℎ
nminusi(x) r = 1 NonceUAV
PoE ℎl al
PoE
Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS
C2
Cold Data Region Accumulated Data Region Hot Data Region
Storage of UAV
C1 C3
hellip hellip Cn
A1 A2 A3 A4 A5 A6
hellip hellip hellip
hellip hellip hellip hellip hellip An
hellip hellip hellip
H2H1 H3
Hn
Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region
32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions
Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)
The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 7
C2
Cold Data Accumulated Data Hot Data
0 Addrof A3
1
Seed Block Table
Storage of UAV
helliphelliphelliphelliphellip
Addr of H41 Addr of Hn-1
tntn-1tn-2
Data generated between tn-2 and tn-1
Time
Data generated between tn-1 and tn
hellip hellip
C1 C3
hellip hellip Cn
A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6
hellip hellip hellip hellip hellip hellip
H4 hellip hellip
A k-1 A k A k+1
Hn-2 Hn-1 Hn
A 1 A 2 A 3 A 4 A 5 A 6
hellip hellip hellip A k-1 A k A k+1
hellip hellip hellip hellip hellip A n
hellip hellip hellip
H2H1 H3
H4
Hn-1Hn-2 Hn
Hn-2 Hn-1 Hn
Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs
UAVGCS
hellip
A3
tn-1
tn
Accumulated Data Hot Data
A5 H4
Verify Msg 1-4
Ak Hn-1
Random Selection of Data
Random Selection of Data
Verify Msg 1-4
in Message 1-4
hellip
in Message 1-4
GCS
Address of A3(Several Times of Authentications)
hellip
Authentication Request Msg(1-3)
Authentication Request Msg(1-3)
Authentication Response Msg(1-4)
Authentication Response Msg(1-4)
ℎ a
ℎ a
Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
8 Wireless Communications and Mobile Computing
Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899
1015840 which is the result ofthe erasure operation of the cold data region
large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system
If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621
1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory
proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)
1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)
For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899
1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602
1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data
region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)
1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)
1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)
The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621
1015840 with the result of the XOR operation of the11986211015840 block and 119867119899
1015840 block After that the UAV wipes 11986221015840
with the result of the XOR operation of 119862110158401015840 block and 1198622
1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899
10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message
In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated
4 Experimental Results
To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 9
50000
40000
30000
20000
10000
0
Writ
e ro
ughp
ut (k
byte
s)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
tn-1 tn
(a)
00~30
30~60
60~90
90~120
120~150
150~180
180~210
Time Interval
W
(b)
50000
40000
70000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(c)
50000
40000
70000
80000
60000
30000
20000
10000
0Am
ount
of T
rans
ferr
ed D
ata (
kbyt
es)
3rd
Auth
4th
Auth
1st A
uth
5th
Auth
2nd
Auth
Order of Authentication Message
= 50
= 100
= 2
= 10
(d)
Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV
memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession
41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate
at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
10 Wireless Communications and Mobile Computing
of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds
In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations
42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation
As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data
1G 2G 4GMemory Size (bytes)
Eras
ure L
aten
cy (s
econ
ds)
16G
400
300
200
100
0
Erasure operationTransferring proof
Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)
since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure
5 Conclusions
We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed
Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 11
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]
References
[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone
[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml
[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002
[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017
[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018
[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017
[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018
[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014
[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps
[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016
[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016
[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014
[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018
[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018
[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010
[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011
[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018
[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015
[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981
[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing
[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf
[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom