PURE: Using Verified Remote Attestation to Obtain Proofs of Update, Reset and Erasure in low-End Embedded Systems

2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD) Pub Date : 2019-11-01 DOI:10.1109/iccad45719.2019.8942118

I. O. Nunes, Karim M. El Defrawy, Norrathep Rattanavipanon, G. Tsudik

{"title":"PURE: Using Verified Remote Attestation to Obtain Proofs of Update, Reset and Erasure in low-End Embedded Systems","authors":"I. O. Nunes, Karim M. El Defrawy, Norrathep Rattanavipanon, G. Tsudik","doi":"10.1109/iccad45719.2019.8942118","DOIUrl":null,"url":null,"abstract":"Remote Attestation ($\\mathcal{R}\\mathrm{A}$) is a security service that enables a trusted verifier ($\\mathcal{V}{\\text{rf}}$) to measure current memory state of an untrusted remote prover ($\\mathcal{P}{\\text{rv}}$). If correctly implemented, $\\mathcal{R}\\mathrm{A}$ allows $\\mathcal{V}{\\text{rf}}$ to remotely detect if $\\mathcal{P}{\\text{rv}}$'s memory reflects a compromised state. However, $\\mathcal{R}{\\mathrm{A}}$ by itself offers no means of remedying the situation once $\\mathcal{P}$ rv is determined to be compromised. In this work we show how a secure $\\mathcal{R}\\mathrm{A}$ architecture can be extended to enable important and useful security services for low-end embedded devices. In particular, we extend the formally verified $\\mathcal{R}\\mathrm{A}$ architecture, VRASED, to implement provably secure software update, erasure, and system-wide resets. When (serially) composed, these features guarantee to $\\mathcal{V}{\\text{rf}}$ that a remote $\\mathcal{P}{\\text{rv}}$ has been updated to a functional and malware-free state, and was properly initialized after such process. These services are provably secure against an adversary (represented by malware) that compromises $\\mathcal{P}{\\text{rv}}$ and exerts full control of its software state. Our results demonstrate that such services incur minimal additional overhead (0.4% extra hardware footprint, and 100-s milliseconds to generate combined proofs of update, erasure, and reset), making them practical even for the lowest-end embedded devices, e.g., those based on MSP430 or AVR ATMega micro-controller units (MCUs). All changes introduced by our new services to VRASED trusted components are also formally verified.","PeriodicalId":363364,"journal":{"name":"2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)","volume":"7 2","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/iccad45719.2019.8942118","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

Abstract

Remote Attestation ($\mathcal{R}\mathrm{A}$) is a security service that enables a trusted verifier ($\mathcal{V}{\text{rf}}$) to measure current memory state of an untrusted remote prover ($\mathcal{P}{\text{rv}}$). If correctly implemented, $\mathcal{R}\mathrm{A}$ allows $\mathcal{V}{\text{rf}}$ to remotely detect if $\mathcal{P}{\text{rv}}$'s memory reflects a compromised state. However, $\mathcal{R}{\mathrm{A}}$ by itself offers no means of remedying the situation once $\mathcal{P}$ rv is determined to be compromised. In this work we show how a secure $\mathcal{R}\mathrm{A}$ architecture can be extended to enable important and useful security services for low-end embedded devices. In particular, we extend the formally verified $\mathcal{R}\mathrm{A}$ architecture, VRASED, to implement provably secure software update, erasure, and system-wide resets. When (serially) composed, these features guarantee to $\mathcal{V}{\text{rf}}$ that a remote $\mathcal{P}{\text{rv}}$ has been updated to a functional and malware-free state, and was properly initialized after such process. These services are provably secure against an adversary (represented by malware) that compromises $\mathcal{P}{\text{rv}}$ and exerts full control of its software state. Our results demonstrate that such services incur minimal additional overhead (0.4% extra hardware footprint, and 100-s milliseconds to generate combined proofs of update, erasure, and reset), making them practical even for the lowest-end embedded devices, e.g., those based on MSP430 or AVR ATMega micro-controller units (MCUs). All changes introduced by our new services to VRASED trusted components are also formally verified.

查看原文本刊更多论文

PURE:在低端嵌入式系统中使用经过验证的远程认证来获取更新、重置和擦除的证明

远程证明($\mathcal{R}\ mathm {A}$)是一种安全服务，它使可信的验证者($\mathcal{V}{\text{rf}}$)能够测量不可信的远程证明者($\mathcal{P}{\text{rv}}$)的当前内存状态。如果正确实现，$\mathcal{R}\ mathm {A}$允许$\mathcal{V}{\text{rf}}$远程检测$\mathcal{P}{\text{rv}}$的内存是否反映泄露状态。然而，一旦确定$\mathcal{P}$ rv被泄露，$\mathcal{R}{\ mathm {A}}$本身并不能提供任何补救方法。在这项工作中，我们展示了如何扩展安全的$\mathcal{R}\ mathm {a}$架构，从而为低端嵌入式设备提供重要而有用的安全服务。特别地，我们扩展了正式验证的$\mathcal{R}\ mathm {A}$架构vase，以实现可证明的安全软件更新，擦除和系统范围的重置。当(串行)组合时，这些特性保证$\mathcal{V}{\text{rf}}$的远程$\mathcal{P}{\text{rv}}$已被更新为功能和无恶意软件的状态，并在此过程之后被正确初始化。这些服务对于攻击者(以恶意软件为代表)是安全的，这些攻击者会破坏$\mathcal{P}{\text{rv}}$并完全控制其软件状态。我们的结果表明，这样的服务产生最小的额外开销(0.4%的额外硬件占用，100-s毫秒生成更新，擦除和重置的组合证明)，使它们甚至适用于最低端的嵌入式设备，例如基于MSP430或AVR ATMega微控制器单元(mcu)的设备。我们的新服务对vashed可信组件引入的所有更改也都经过正式验证。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)

自引率

0.00%

发文量