Software attestation has become a popular and challenging research topic at many established security conferences with an expected strong impact in practice. It aims at verifying the software integrity of (typically) resource-constrained embedded devices. However, for practical reasons, software attestation cannot rely on stored cryptographic secrets or dedicated trusted hardware. Instead, it exploits side-channel information, such as the time that the underlying device needs for a specific computation. As traditional cryptographic solutions and arguments are not applicable, novel approaches for the design and analysis are necessary. This is certainly one of the main reasons why the security goals, properties and underlying assumptions of existing software attestation schemes have been only vaguely discussed so far, limiting the confidence in their security claims. Thus, putting software attestation on a solid ground and having a founded approach for designing secure software attestation schemes is still an important open problem.
INTRODUCTION
Embedded systems are increasingly permeating our information society, being more and more used also in securityand safety-critical applications. This generates an increasing need for enabling technologies that can validate and verify the integrity of a system's software state against malicious code. In this context, software attestation has become a popular research topic at many established security conferences with a large body of literature [15, 24, 26, 11, 23, 25, 22, 9, 21, 20, 3, 10, 14, 17, 19, 16, 29] .
Software attestation is a trust establishment mechanism that allows a system, the verifier, to check the integrity of the program memory content of another system, the prover, against modification, e.g., by malicious code. As it mainly targets resource-constrained embedded systems (such as Atmel tinyAVR [2] microcontrollers), software attestation aims to work without any security hardware at the prover. Software attestation deploys the common approach of challengeresponse protocols, where the verifier challenges the prover with respect to the expected memory content. However, cryptographic challenge-response protocols typically rely on secret values that should be unknown to malicious provers. This cannot be assumed for software attestation, where the provers are resource-constrained embedded systems that typically cannot afford secure hardware (such as a TPM) [28, 18, 27, 5, 16] . Hence, the adversary may get full control of the prover and its cryptographic secrets, rendering classical cryptographic primitives and protocols useless, a fact that demands for keyless security solutions.
Therefore software attestation follows a radically different approach than most conventional security mechanisms: It exploits the intrinsic physical constraints of the underlying hardware and side-channel information, typically the computation time required by the prover to complete the attestation protocol. More detailed, software attestation schemes are typically designed to temporarily utilize all the computing and memory resources of the prover, aiming at ensuring that the prover can only give the correct responses in time if the memory state is genuine. Of course this requires that the verifier can authenticate the device characteristics of the prover using an out-of-band channel, such as visual authentication, which clearly distinguishes software attestation from other approaches like remote attestation.
Without question, this requires completely different forms of security reasoning and likewise demands for other security assumptions on the underlying core functionalities and system properties, representing a highly challenging task. This may be the main reason that, despite its popularity and practical relevance, software attestation has not received any formal treatment yet but is still subject to ambiguities. To start with, there exist no common adversary model and no precise formalization of the security goals so far, hindering a founded security analysis and making it difficult or even impossible to compare existing schemes.
Likewise the underlying security properties and assumptions have been only vaguely discussed, limiting the confidence in the security claims. In fact, current proposals often combine weak PRNGs and ad-hoc checksum function designs with unclear and possibly insufficient security properties. As a result, checksum collisions have been exploited directly to hide code modifications [24] and indirectly to manipulate the location of the measured code in the memory (memory copy attack [3] ). Some works even propose to simply XOR consecutive memory blocks [32] , leading to obvious collision attacks that were only indirectly considered in subsequent work [1] . Likewise, although several works consider the problem of free memory, i.e., unused sections of the memory, code compression attacks [3] have been ignored in recent works [17, 31] and considered as impractical [16] without giving any arguments.
Contribution.
In this paper, we make a first step towards putting software attestation on a solid ground. Our contributions are:
Security framework: We describe the first formal security framework for software attestation. This includes an adversary model that, interestingly, fundamentally deviates from classical cryptographic adversary models. Typically, the adversary is modelled by a polynomially bounded algorithm that aims to achieve a certain goal without having certain knowledge (e.g., cryptographic keys). In contrast, an adversary against a software attestation scheme can be unbounded in principle and has complete knowledge of the prover device configuration and state. However, during the attack it has to specify (or program) a malicious prover device with tight resource constraints. The goal is that this malicious prover can cheat in the attestation protocol within the strict time bound with reasonable success probability but without any interaction with the adversary. In other words, the adversary has unbound resources for preparing the attack but only a tight time-bound and limited computational and memory resources for executing the attack. Moreover we provide precise definitions for the security and the correctness of software attestation schemes and propose a formal system model that aims to balance between expressiveness and applicability. This allows a founded and comparable treatment of current and coming schemes and should help to avoid ambiguities in the future.
Generic software attestation scheme: We present a generic software attestation scheme that covers most existing software attestation protocols in the literature. Moreover, we identify and formalize several system parameters of software attestation and provide an upper bound of the success probability of a malicious prover against the generic scheme as a function of these parameters. The derived upper bound of the success probability implies sufficient conditions on the system parameters. Although some of these aspects have been implicitly assumed and informally discussed in the literature, we present their first formal treatment. Moreover, our approach provides new insights on how these parameters impact the security of the underlying software attestation scheme, which has never been analyzed before. This result allows to argue on the security of software attestation schemes by mapping the generic scheme and properties to the concrete scheme and by examining whether the properties are fulfilled. Moreover the generic scheme may serve as a blueprint for future schemes.
Argumentation techniques: The security treatment of the generic scheme required to use novel types of arguments. Since the common cryptographic proof technique of reducing the security of the scheme to a hard problem is not possible anymore, we had to argue directly that any attack strategy that is possible within the given time-bound fails with a certain probability. We conjecture that our approach may be of independent interest. For example, we expect that the security of concrete schemes that are not directly covered by the generic scheme may be argued using similar techniques.
New insights: Furthermore, our investigations yield new insights with respect to the cryptographic properties of the underlying primitives. Our work shows that cryptographic primitives can be used that are similar to established primitives, such as pseudo-random number generators or hash functions, but that differ in subtleties: Some cryptographic assumptions can be relaxed while others need to be strengthened. Such observations are relevant with respect to concrete realizations of secure software attestation schemes. We see our work as a first step paving the way for a founded treatment of secure software attestation schemes. We expect that such a consolidating work allows for a meaningful security analysis of existing schemes and supports the design of arguably secure software attestation schemes and will inspire new research in this area.
Outline.
We give an overview of the related work in Section 2 and introduce our system model in Section 3. We present the formal framework for software attestation in Section 4, describe the generic software attestation scheme and its requirements in Section 5 and formally analyze its security in Section 6. Finally, we discuss our results and conclude in Section 7.
RELATED WORK
The existing literature on software attestation focuses on the design of checksum functions for different platform architectures and countering platform-specific attacks [24, 23, 9, 22, 17] . Several works consider the strengthening of checksum algorithms and their implementations against unintended modifications by either limiting the memory available to the prover during attestation [10, 29] or by using self-modifying and/or obfuscated attestation algorithms [25, 11] . Many works investigate the suitability and extension of software attestation to a variety of computing platforms, including sensors, peripherals and voting machines [21, 17, 9, 23, 16] . Furthermore, software attestation has been proposed as a key establishment mechanism [21] .
Software attestation is different from remote attestation which has the goal to verify the integrity of remote provers, e.g., over a network. Specifically, remote attestation usually relies on secrets shared between the verifier and the honest prover, which is fundamentally different from software attestation that cannot rely on cryptographic secrets and instead typically assumes that the verifier can authenticate the prover using an out-of-band channel, such as visual authentication. Several works consider how to combine software attestation with hardware trust anchors such as TPMs and SIM-cards [20, 16, 14] or intrinsic hardware characteristics such as code execution side-effects [15, 24, 26] and Physically Unclonable Functions [19] . Interestingly, most proposed implementations employ hash functions and PRNGs that are not cryptographically secure. Further, works that use cryptographically secure algorithms do not consider whether these algorithms maintain their security properties in the "keyless" software attestation scenario where the underlying secrets, such as the PRNG states, are known to the adversary. This is the reason why existing analysis papers on remote attestation, such as [4, 8] , cannot be applied to software-based attestation, as they assume trusted hardware or software components. In this respect, our formal analysis provides a fundamental first step towards a deeper and more comprehensive understanding of software attestation.
An approach [13, 12] related to software attestation uses Quines. The basic idea is that the device outputs the whole content of its memory such that the verifier can compare it to the expected memory content. In contrast, software attestation aims to use short outputs only for practical reasons. In that sense, both approaches can be seen as special instantiations of proof-of-knowledge schemes where the proof either includes the knowledge itself (Quines) or responses depending on the knowledge (software attestation). A further difference is that, to reduce the impact of network jitter, software attestation typically minimizes the interaction between the prover and the verifier. In contrast the Quine-schemes in [13, 12] require significant interaction between the verifier and the device.
Similar to software attestation protocols, proofs of work schemes challenge the prover with computationally expensive or memory-bound tasks [6, 7] . However, while the goal of these schemes is to mitigate denial-of-service attacks and Spam by imposing artificial load on the service requester, the goal of software attestation schemes is using all of the prover's resources to prevent it from executing malicious code within a certain time frame. Hence, proofs of work are in general not suitable for software attestation since they are usually less efficient and not designed to achieve the optimality requirements of software attestation algorithms.
PRELIMINARIES
Notation. Let X, Y be two sets and x ∈ X and y ∈ Y be an element of each set. We denote with f : X → Y a function f that maps the set X to set Y . Further f : x → y means that function f maps an element x to an element y. Let A and B be arbitrary algorithms. Then y ← A(x) means that on input x, A assigns its output to y. The expression A B means that A has black-box access to B. We denote with A B an algorithm A that does not access an algorithm B. Let D be a probability distribution over the set X, then the term x D ← X means the event of assigning an element of X to variable x that has been chosen according to D. Further, we define D(x) := Pr x|x D ← X for each x ∈ X and denote with U the uniform distribution.
System Model. Software attestation is a protocol between a verifier V and a (potentially malicious) prover P where the latter belongs to a class of devices with clearly specified characteristics. That is, whenever we speak about a prover P, we refer to a device that belongs to this class. Typically a prover P is a low-end embedded system that consists of memory and a computing engine (CE). The memory is composed of primary memory (PM), such as CPU registers and cache, and secondary memory (SM), such as RAM and Flash memory. We assume that the memory is divided into memory words and denote by Σ := {0, 1} ls the set of all possible memory words (e.g., ls = 8 if words are bytes). Let s and p be the number of memory words that can be stored in SM and PM, respectively. An important notion is the state of a prover:
Definition 1 (State). Let P be a prover, i.e., a device that belongs to the specified class of devices. The state State(P) = S of P are the memory words stored in the secondary memory (SM) of P.
Note that S includes the program code of P and hence specifies the algorithms executed by P.
The computing engine (CE) comprises an arithmetics and logic unit that can perform computations on the data in primary memory (PM) and alter the program flow. For performance reasons, PM is typically fast but also expensive. Hence, the size of PM is usually much smaller than the size of SM. To make use of SM, CE includes the Read instruction to transfer data from SM to PM and the Write instruction to write data from PM to SM. More precisely, Read(S, a, b) takes as input a memory address a of SM and a memory address b of PM and copies the data word x stored at address a in SM to the data word at address b in PM. For convenience, we write Read(S, a) instead of Read(S, a, b) whenever the address b of PM is not relevant. Note that Read(S, a, b) overwrites the content y of PM at address b. Hence, in case y should not be lost, it must be first copied to SM using Write or copied to another location in PM before Read is performed. It is important to stress that, whenever CE should perform some computation on some value x stored in SM, it is mandatory that x is copied to PM before CE can perform the computation. Further, since SM is typically much slower than PM, Read and Write incur a certain time overhead and delay computations on x. We denote the time required by CE to perform some instruction or algorithm Ins with Time(Ins). Note that we only consider provers as described above while the verifier V can be an arbitrary computing platform that may interact with P.
Remark 1: Platform Architecture. Note that we focus on embedded microcontrollers since these are commonly targeted by software attestation. We explicitly exclude provers that are high-end computing platforms with multiple CPUs and/or Direct Memory Access (DMA) since these are typically equipped with secure hardware (such as TPMs) and hence could support common cryptographic solutions based on secrets. Further, their memory architectures are usually more complex than in our system model. In particular, such platforms usually feature additional hardware to predict and fetch memory blocks in advance, making the time-bounded approach much more difficult and its realization highly dependent on the concrete system.
SECURE SOFTWARE ATTESTATION
Secure software attestation enables the verifier V to gain assurance that the state of a prover P is equal to a particular state S. If this is the case, we say that P is in state S, i.e., formally State(P) = S. Consequently, a prover P is called honest (with respect to some state S) if State(P) = S, otherwise it is considered to be malicious.
Remark 2: Distance between Honest and Malicious Prover State. Observe that a prover P is already considered to be malicious even if its state differs by only one state entry (memory word) from S. This is a necessary consequence of the goal of having a definition of honest and malicious provers that is as generic as possible.
The common approach of software attestation is to validate the prover's state by requesting N random samples of the prover memory content. Hence, the Hamming distance λ between the state S of an honest prover and the state S of a malicious prover P directly affects a malicious prover's success probability. As far as we know, we are the first to formally take into account the impact of λ on the security of software attestation schemes (cf. λ in Theorem 1).
Ideal Approach. Ideally, V could disable the computing engine (CE) of P and directly read and verify the state S stored in the secondary memory (SM) of P. However, exposing CE and SM of P to V in such a way requires hardware extensions 1 on P, which contradicts the goal of software attestation to work with no hardware modifications.
Practical Approach. As the ideal approach is not feasible in practice, the common approach in the literature is that V and P engage in a challenge-response protocol Attest where P must answer to a challenge of V with a response that depends on S. In the following, whenever we refer to a software attestation scheme we actually mean the corresponding challenge-response protocol Attest. Observe that Attest needs to include a description of the algorithm that processes the verifier's challenge and computes the prover's response.
In general, software attestation aims to figure out whether the original state S of a device has been replaced by the adversary with a malicious state S = S. Observe that although S is different from S, we cannot exclude that S may depend on S. This implies an important difference to common cryptographic scenarios: Software attestation cannot rely on any secrets since the adversary has access to the same information as the honest prover P. Therefore software attestation follows a fundamentally different approach 1 Note that existing testing interfaces such as JTAG cannot be used since they are typically disabled on consumer devices to prevent damage to the device and unintended reverseengineering.
and leverages side-channel information, typically the time δ the prover takes to compute the response. A basic requirement of this approach is that S specifies a practically optimal implementation of the algorithm that processes the challenge according to Attest. This means that it should be hard to find any other implementation of this algorithm that can be executed by a prover P in significantly less time than δ. Otherwise, a malicious prover could use a faster implementation and exploit the time difference to perform additional computations, e.g., to lie about its state.
Furthermore, the communication time jitter between V and P is typically much higher than the time needed by the computing engine of P to perform a few instructions. Hence, to ensure that V can measure also slight changes to the prover's code (that could be exploited by a malicious prover to lie about its state), V needs to amplify the effect of such changes. The most promising approach to realize this in practice is designing the attestation protocol as an iterative algorithm with a large number of rounds.
Further, since showing the optimality of complex implementations is a hard problem and since P must compute the response in a reasonable amount of time, it is paramount that the individual rounds are simple and efficient. As a result, cryptographically secure hash functions and complex Pseudo-Random Number Generators (PRNGs) are not a viable option. Hence, several previous works deployed lightweight ad-hoc designs of compression functions and PRNGs, however, without analyzing the underlying requirements on these components and their interaction. In contrast, we identify concrete sufficient requirements.
Adversary Model and Security Definition.
In the following, we provide the first formal specification of the adversary model and the security of a software attestation scheme Attest based on a security experiment Exp A Attest that involves an adversary A. The experiment is divided into two phases and works as follows:
Preparation Phase: At the beginning, the adversary A receives as input a state S and a time-bound δ. It outputs a (possibly) malicious prover P by specifying its state S, i.e., State( P) = S.
Execution Phase: The prover P specified in the previous phase receives a challenge c and returns a "guess" r for the correct response r .
The result of the experiment is accept if P responded within time δ and r = r , and reject otherwise. Based on this experiment we define correctness and soundness. Correctness is defined analogously to the common meaning of correctness of challenge-response protocols: In case State( P) = S, that is P is in the state expected by V, the prover P should always succeed, i.e., the result of the experiment should always be accept. Soundness means that in case State( P) = S, the probability that the result of the experiment is accept should be below a certain threshold.
Definition 2 (Correctness and Soundness). Consider a software attestation scheme Attest and a state S. For a given adversary A we denote by EqualState the event that the output of A during the experiment is a prover P with State( P) = S.
The software attestation scheme Attest is correct if for all adversaries A it holds that
Attest is ε-secure if for all adversaries A it holds that
Remark 3: Power of A. The security of software attention significantly differs from common cryptographic models, where the time effort of the adversary is typically bounded (often polynomially bounded in some security parameter). More detailed, in the preparation phase, A can be any unrestricted probabilistic algorithm. However, A has no influence anymore once Attest is executed between P and V in the execution phase. As P is a device with the same characteristics as an honest prover, P has to comply to the same restrictions as P. In other words, the adversary has unbounded resources for preparing the attack but only a tight time-bound and limited resources for executing the attack.
Observe that this reflects the strongest possible adversary model, which in principle could be relaxed by imposing bounds during the preparation phase.
Remark 4: Difference to Remote Attestation. The goal of remote attestation is to verify the integrity of remote provers, e.g., over a network. In particular, in practice a verifier V usually cannot exclude that a malicous prover may have more computational power than the honest prover. Therefore, remote attestation schemes usually rely on secrets shared between the verifier and the honest prover. This is fundamentally different from software attestation which cannot rely on cryptographic secrets to authenticate the prover device to V. Hence, as already elaborated, existing works on software attestation typically assume that V can authenticate the prover hardware using an out-of-band channel, such as visual authentication.
GENERIC SOFTWARE ATTESTATION
In this section, we formalize a generic software attestation scheme that captures most existing schemes in the literature. In particular, we formally define several aspects and assumptions, most of them being only informally discussed or implicitly defined so far.
Protocol Specification
The main components of our generic attestation scheme (cf. Figure 1) are two deterministic algorithms:
• Memory address generator:
• Compression function:
Here lg, la and lr are the bit length of the state g of Gen, the memory addresses a and the attestation response r , respectively, and Σ is the set of possible state entries (memory words). Both algorithms are iteratively applied within the scheme over N ∈ N rounds. For the sake of readability, we provide an iterative definition of Chk N : For some r0 ∈ {0, 1} lr and s := (s1, . . . , sN ), we define rN ← Chk N (c, s) as ri := Chk(ri−1, si) for i = 1, . . . , N .
Figure 1: The Generic Attestation Scheme Attest
The protocol works as follows: The verifier V sends a random attestation challenge (g0, r0) to the prover P, which is used as seed for Gen and Chk. Specifically, P iteratively generates a sequence of memory addresses (a1, . . . , aN ) based on g0 using Gen. For each i ∈ {1, . . . , N }, P reads the state entry si = Read(S, ai) at address ai and iteratively computes r i = Chk(r i−1 , si) using r 0 = r0. Finally, P sends r N to V, which executes exactly the same computations 2 as P using the state S and compares the final result with the response r N from P. Eventually, V accepts iff r N = rN and P responded in time ≤ δ := N (δ Gen + δ Read + δ Chk ), where δ Gen , δ Read and δ Chk are upper time-bounds for running Gen, Read and Chk, respectively, on a genuine and honest prover.
In practice the delay for submitting and receiving messages needs to be considered. The common approach is to choose N , the number of rounds, big enough such that this delay is small compared to the runtime of the protocol. For simplicity, we assume that this is the case in the following and hence ignore the time for sending messages.
Remark 5: Correctness. Observe that an honest prover P always makes an honest verifier V accept since both perform exactly the same computations on the same inputs and the honest prover by assumption requires at most time δ.
Remark 6: Generality of the Protocol. Note that the basic concept of our generic scheme and several instantiations of this concept for specific platforms can be found in the literature on software attestation (cf. Section 2). However, we aim at abstracting from the particularities of individual platforms and instead design and analyze a construction that is as generic as possible. Further, some existing software attestation schemes also use the memory addresses ai and/or the index i as input to the checksum function Chk. However, since there is a clear dependence between the index i, the memory address ai and the memory block si = Read(S, ai) and since the use of simple components is a primary goal of software attestation, we restrict to the case where only the memory blocks are used as input to the checksum function.
Design Criteria and Properties
Next, we discuss the design criteria of the underlying algorithms and formally define their properties required later in the security analysis. Note that, although some of these properties have been informally discussed or implicitly made in prior work, they have never been formally specified and analyzed before.
Implementation of the Core Functionalities
The generic protocol deploys three core functionalities: Read, Gen and Chk, which of the execution time is of paramount importance for the security of software attestation. Hence, we make the following assumptions that are strongly dependent on the concrete implementation and prover hardware and are hard to cover in a generic formal framework:
1. Optimality: There is no implementation of Read, Gen and Chk (or their combination) that is more efficient (with respect to time and/or memory) than the implementation used by the honest prover in state S.
2. Atomicity: It is not possible to execute Read, Gen and Chk only partially, e.g., by omitting some of the underlying instructions.
We formally cover these assumptions by modelling Read, Gen and Chk as oracles. That is, whenever P wants, e.g., to execute Read(State(P), a), P sends a to the Read-oracle and receives the corresponding result s. While sending and receiving messages between P and the oracles are modelled to take no time, the determination of the response does. More precisely when P invokes one of these oracles, it takes a certain amount of time before P gets the result. Within this time period P is inactive and cannot perform any computations. We denote the response time of the Read, Gen and Chk-oracle by δ Read , δ Gen and δ Chk , respectively. Moreover the inputs to and the outputs of the oracles need to be stored in the primary memory of P.
Remark 7: Order of Computations. A consequence of this modelling approach is that a malicious prover P can compute the outputs of Gen and Chk only in the correct order. For instance, before P can determine si it must first determine si−1. Given that concrete instantiations of the generic scheme are iteratively executed, the limited size of the primary memory (PM) (see below) and the fact that accessing the secondary memory requires significantly more time than accessing PM, we consider this assumption to be reasonable for most practical instantiations.
System-Level Properties
The size and utilization of the primary memory (PM) plays a fundamental role for assessing the optimality of a software attestation scheme with regard to the resources used by a prover P. Therefore, a common assumption is that PM is just big enough to honestly execute Attest, i.e., there is no free PM that could be used otherwise.
3
Another crucial assumption of any software attestation scheme not explicitly made in most previous works is that the state S should not be compressible into PM. For instance, consider the extreme case where all entries of S contain the same value s. In this case a malicious prover P could easily determine the correct attestation response by simply storing s in PM while having a different state State( P) = S. Hence, we require that P should not be able to determine a randomly selected state entry si of S without accessing the secondary memory with better probability than guessing: Definition 3 (State Incompressibility). For a state S, let DS denote the probability distribution of S in the following sense: For any state entry x ∈ Σ it holds that
S is called incompressible if for any algorithm Alg Read that can be executed by the prover P and that does not invoke Read, it holds that
Cryptographic Properties
Although it is quite obvious that the security of the software attestation scheme depends on the cryptographic properties of Gen and Chk, these requirements have not been systematically analyzed and formally specified before. While it would be straightforward to model these functions as pseudorandom number generators (PRNGs) and hash functions (or even random oracles), respectively, there are some subtle differences to the common cryptographic scenario which must be carefully considered. As we elaborate below, Gen needs to meet a property which is stronger than the common security definition of cryptographic PRNGs while for Chk a significantly weaker condition than the classical security properties of hash functions is sufficient.
Pseudo-Randomness of the Outputs of Gen. To prevent a malicious prover P from using pre-computed attestation responses, the memory addresses ai generated by Gen should be "sufficiently random". Ideally, all combinations should be possible for (a1, . . . , aN ). While this is impossible from an information-theoretic point of view, the best one may ask for is that the memory addresses ai generated by Gen should be computationally indistinguishable from uniformly random values within a certain time-bound t:
Definition 4 (Time-Bounded Pseudo-Randomness of Gen). Gen : {0, 1} lg → {0, 1} lg +la is called (t, )-pseudo-random if for any algorithm Alg that can be executed by P in Time(Alg) ≤ t it holds that
Observe that this definition requires that Alg does not know the seed g0 of Gen, which is not given in the generic software attestation scheme. In principle nothing prevents a malicious prover P from using g0 to compute the addresses (a1, . . . , aN ) on its own, making them easily distinguishable from random values. The best we can do is to require that P cannot derive any meaningful information about ai+1 from gi without investing a certain minimum amount of time. Specifically, we assume that an algorithm with input g that does not execute Gen cannot distinguish (g , a ) = Gen(g) from uniformly random values. Formally:
Definition 5 (Time-Bounded Unpredictability of Gen). Gen : {0, 1} lg → {0, 1} lg × {0, 1} la is ν Gen -unpredictable if for any algorithm Alg Gen that can be executed by P and that does not execute Gen, it holds that
Weakened Pre-image Resistance of Chk. The purpose of the compression function Chk N is to map the state S of the prover P to a smaller attestation response rN , which reduces the amount of data to be sent from P to the verifier V. Observe that the output of Chk N depends also on the challenge sent by the verifier to avoid simple replay attacks and the pre-computation of attestation responses. A necessary security requirement on Chk is that it should be hard for a malicious prover P to replace the correct input s = (s1, . . . , sN ) to Chk with some other value s = s that yields the same attestation response rN as s. This is similar to the common notion of second pre-image resistance of cryptographic hash functions. However, due to the time-bound of the software attestation scheme it is sufficient that Chk N fulfills only a much weaker form of second pre-image resistance since we need to consider only "blind" adversaries who (in contrast to the classical definition of second pre-image resistance) do not know the correct response rN to the verifier's challenge (g0, r0). The reason is that, as soon as P knows the correct response rN , he could send it to V and would not bother to determine a second pre-image. Hence, we introduce the definition of blind second pre-image resistance which concerns algorithms that are given only part of the input s of Chk N and that have to determine the correct output of Chk N (r0, s):
lr is ω-blind second pre-image resistant with respect to the distribution DS (cf. Definition 3) if for any N ∈ N, any subset of indices J {1, . . . , N } and for any algorithm Alg that can be executed by P, it holds that
In addition we require (similar to Definition 5) that P cannot determine any information on rN = Chk N (r0, s1, . . . , sN ) without executing Chk N :
lr is ν Chk -unpredictable with respect to the distribution DS (cf. Definition 3) if for any algorithm Alg
Chk N that can be executed by P and that does not execute Chk N , it holds that N (r0, s1, . . . , sN , r ) ≤ ν Chk .
SECURITY OF THE SCHEME
In this section we derive an upper bound for the success probability of a malicious prover P to make the verifier V accept. This bound depends on the parameters defined in Section 5.2 which provide a sufficient condition to prove the generic attestation scheme secure. The bound is as follows:
Theorem 1 (Generic Upper Bound). Let S be an incompressible state (Definition 3). Consider the generic attestation scheme in Figure 1 with the components Read, Gen and Chk such that
and ν Gen -unpredictable (Definition 5), 2. Chk is ω-blind second pre-image resistant (Definition 6) and ν Chk -unpredictable (Definition 7).
Consider an arbitrary prover P as in Section 3 with state State( P) = S that can store p memory words in its primary memory and s memory words in its secondary memory (cf. Section 3). Let λ := a ∈ {0, 1} la |Read( S, a) = Read(S, a) · 2 −la , denote the fraction of state entries that are different in S and S. Then the probability of P to win the security experiment Exp A Attest (Definition 2) is upper bounded by
where
and ops denotes the number of instructions P can execute in time δ Read + δ Gen .
This result implies that a software attestation scheme is ε-secure if the expression in Equation 1 is ≤ ε, yielding a sufficient condition for security. For example if a user aims for ε-security for a prover device with fixed system parameters, he may choose the number of rounds N in dependence of an expected value of λ accordingly (cf. Appendix B).
Note that the bound given in Equation 1 gives new insights on the impact of the distribution of the state entries in S (expressed by γ) and the similarity between the expected prover state S and the actual state S of the prover (expressed by λ) on the security of the scheme. Both aspects have been either neglected or have been considered only informally in previous work (cf. Section 7). To provide a better intuition and to show the general applicability of Theorem 1, we compute and discuss the bound for several concrete parameters that are typical for the systems considered in the literature on software attestation in Appendix B.
Proof of Theorem 1. Let Win denote the event that a malicious prover P wins the security experiment Exp A Attest , i.e., Win means that Exp A Attest (S, l) = accept. We are interested in an upper bound for Pr [Win] . To this end we consider several sub-cases. Let Precomp denote the event that the verifier V sends a challenge (g0, r0) to P for which P has precomputed and stored the correct response rN in its memory (primary and/or secondary). 4 Then we have 
where π(N, x) and ops are as in Theorem 1.
Taking these bounds together concludes the proof.
Proof of Claim 1
We now prove Claim 1 used in the proof of Theorem 1. That is we show the claimed upper bound of Pr [Correct] , which is the probability that a malicious prover P with state S := State( P) = S correctly determines all state entries (s1, . . . , sN ) in the security experiment Exp A Attest (Definition 2) under the assumption that the response for the requested challenge has not been precomputed. 4 More precisely, A has precomputed this value during the preparation phase and stored the response as part of S.
Observe that P may decide to deviate from the protocol specification, e.g., skipping some instructions with respect to one round i (probably accepting a lower success probability for determining si) to save some time that could be spent on the determination of another state entry sj with i = j (probably aiming for a higher probability to determine sj). Hence the challenge is to show that for any of these approaches the success probability does not exceed a certain (non-trivial) bound, which cannot be done by a reduction to a single assumption.
We base our proof on a sequence of games played by P and an oracle O that has access to S. All these games are divided into two phases: A setup phase and a challenge phase. In the setup phase O generates all addresses (a1, . . . , aN ) and determines the corresponding state entries si = Read(S, ai). Afterwards, in the challenge phase, P and O exchange several messages. In particular P must submit its guesses xi for the state entries si to O. P wins the game only if all guesses are correct, i.e., xi = si for all i = 1, . . . , N .
The differences between the games lie in the possibilities of P to deviate from the protocol specification. While these possibilities are quite limited in the first game (Game 0), P gets more and more control with each subsequent game and thus can to perform more powerful attacks. For each transformation between two consecutive games, we show how the success probability of P changes. In most cases it turns out that the previous game represents a subset of the possible attack strategies of the current game. Note that O formally represents the honest execution of certain parts of the protocol and should not be confused with a real party. Consequently, we assume that transferring messages between P and O takes no time.
Observe that the intention of O is to have an elegant method for ignoring all computations of P which are honestly executed by assumption. Hence to exclude artificial attacks where P uses the time and/or memory gained by outsourcing the computation to O, we restrict the time-bound and the size of the primary memory of P to what is necessary for honestly executing those computations that are outsourced to O.
Game 0: Randomly Sampling Addresses in Regular Time Intervals.
Game Description. The purpose of this game is to investigate provers P which (1) do not exploit any aspects related to the execution of Gen and (2) that are forced to use exactly time δ Read for the determination of each state entry si. This is captured by modelling the game as follows: Within the setup phase, O samples pairwise independent and uniform addresses (a1, . . . , aN ) and sets si := Read(S, ai) for all i ∈ {1, . . . , N }. In the challenge phase, O iteratively queries P with ai and P returns some response xi.
Hereby, P can access the Read oracle, which on input a returns s = Read( S, a) after time δ Read . Since this is the only operation expected from an honest prover, the size of the primary memory only allows to store an address a and a state entry s. Moreover the total time-bound is limited to N · δ Read , meaning that P automatically fails if it needs more time in total than this bound.
Observe that O ensures that P cannot change the order of the memory addresses, i.e., O only sends ai to P after ai−1 has been sent. 5 We denote with round i the time-frame between the point in time where P receives ai and the point in time where P receives ai+1 for i ∈ {1, . . . , N − 1}. With round N we denote the time-frame between the point in time where P receives aN and the point in time where P sends the last response xN to O. P wins the game if (1) xi = si for all i ∈ {1, . . . , N } and (2) each round took at most time δ Read . Otherwise P looses the game. Success Probability. We are interested in an upper bound for the probability Pr [Win0] that P wins Game 0. Since P looses for sure when he uses more time than δ Read to respond to ai in at least one round i, it is sufficient to restrict to provers that take at most time δ Read in each round. To this end, we derive an upper bound which allows to treat the individual rounds separately. We start with the final round N and distinguish between two cases.
In Case 1 the response xN is the direct result of a query to the Read oracle, i.e., xN = Read( S, a) for some address a. If a = aN the probability of xN := Read( S, aN ) = sN := Read(S, aN ) is λ (cf. Theorem 1) since aN is sampled uniformly and independently from the previous addresses. Now consider that a = aN . Since xN = Read( S, a) and due to the fact that P must respond with xN in time δ Read after receiving aN , P has no time left to perform any other instructions than Read during round N . In particular a could not be chosen in dependence of aN , hence being independent of aN . Then xN = sN happens with probability of at most γ (cf. Definition 3). It follows that in Case 1 the probability Pr [Win0] is upper bounded by max {λ, γ}
Next we consider Case 2, where xN is not the result of a query to the Read oracle. It follows from the incompressibility of S (Definition 3) and the fact that aN has been sampled uniformly and independent of all previous addresses ai with i < N , that the probability of xN = Read(S, aN ) is upper bounded by γ. Hence, Game 1: Prover Controls the Address Generation Time.
Game Description. In this game we increase the power of the malicious prover P and allow him to freely choose how much time he devotes to determine each value si, as long as the total time for determining (s1, . . . , sN ) does not exceed N · δ Read . This reflects the fact that in the attestation protocol, a malicious prover P may generate the memory addresses (a1, . . . , aN ) on its own whenever it wants to. Formally, this is captured by introducing a req protocol message which P needs to send to O for receiving the next address ai during the challenge phase. More precisely, O sends ai to P only when P sent the i-th request req to O.
Since each round may take a different time period, the winning conditions are relaxed by replacing the time restriction on the individual rounds by an overall time-bound for the entire challenge phase. This means that P wins Game 1 if (1) xi = si for all i ∈ {1, . . . , N } and (2) the duration of the challenge phase does not exceed the time N · δ Read . The size of the primary memory remains as in Game 0. Success Probability. We now upper bound the probability Pr [Win1] that P wins Game 1. To this end, we divide the number of rounds into four distinct sets. Let N coll denote the number of rounds where the address sampled by O is equal to an address of some previous round by coincidence, i.e., N coll := |{i ∈ {2, . . . , N }|∃j ∈ {1, . . . , i − 1} : ai = aj}| .
With respect to the remaining N −N coll rounds, let N equal (resp. Nmore, resp. N less ) be the number of rounds where P responds in time equal (resp. more, resp. less) than δ Read . Thus we have N = N coll + N equal + N less + Nmore.
Let Coll(N coll ) denote the event that exactly N coll of the N addresses are equal to some previous addresses. This implies that in N − N coll rounds pairwise different addresses are sampled. Moreover, since there are only 2 la different addresses, N − N coll is upper bound by 2 la . It follows that
We now derive upper bounds for Pr . This gives an upper bound
for Pr [Coll(N coll )] if max{0, N − 2 la } ≤ N coll ≤ N − 1. We now fix a value for N coll and aim for an upper bound for the probability Pr [Win1|Coll(N coll )]. We do so by giving separate upper bounds on the success probability for the four different types of rounds. Let ops = ops(δ Read ) be the number of instructions that can be executed by the computing engine of P in time δ Read . Since we are interested in an upper bound of P's success probability, we make several assumptions in favor of P: (1) For rounds where P invested more time than δ Read , we use the trivial upper bound of 1 even if the time period exceeded δ Read only by the time required to execute one single instruction. (2) For rounds where the requested address coincides with an address previously asked, we likewise use the bound of 1. Moreover we assume that these rounds take no time at all and the ops instructions saved can be used in ops other rounds. (3) In rounds that take less time than δ Read , it follows from the incompressibility of S (Definition 3) and the fact that all addresses are pairwise distinct that xi = si with probability ≤ γ. Again, we assume that these rounds take no time at all and that the ops instructions saved can be used in ops other rounds. (4) In a round that takes exactly time δ Read P succeeds at most with probability max{λ, γ} (cf. Game 0).
While these assumptions strongly exaggerate the possibilities of P, they allow to identify optimum strategies. More precisely for each round where P uses less time than δ Read or where a previously asked address is requested again, the best approach is to spend the ops saved instructions in ops other rounds such that for each of these rounds the probability of correctly determining si is equal to 1. It follows that Nmore = ops · (N coll + N less ) and hence N = N coll + N equal + N less + Nmore = N equal + (ops + 1) · (N coll + N less ). Hence, we have
where the last equation is shown in Appendix A. This shows that π (N, ops(δ Read )) is an upper bound for the probability Pr [Win1], where π(n, x) is defined as in Equation 2. Observe that for any fixed value of N coll , the probability of having N coll collisions (Equation 3) increases with N (as long as N coll ≥ max{0, N − 2 la }) while the probability to determine the values (s1, . . . , sN ) (Equation 4) decreases for N .
Game 2: Skipping Address Generation.
Game Description. So far we covered only provers P that honestly generate all addresses (a1, . . . , aN ). Now we change the game such that P may decide in each round i to skip the generation of address ai. This allows P to "buy" more time for determining the values si but at the "cost" of not knowing ai. Formally this is captured by defining a second message skip besides req. Specifically, in each round i of the challenge phase, P either sends req or skip. In case of req, O behaves as in Game 1 and sends the next ai to P. However, when P sends skip then O does not send ai to P and extends the time-bound by δ Gen . That is, at the beginning of the challenge phase, the winning conditions are that (1) all responses ( x1, . . . , xN ) of P are correct, i.e., xi = si ∀i ∈ {1, . . . , N } and (2) the challenge phase does not take more time than N · δ Read . However each time P sends a skip message to O, the time-bound is extended by δ Gen . Success Probability. We now determine the probability Pr [Win2] that P wins Game 2. To this end we follow the same line of arguments as in Game 1. The only difference is that rounds where collisions in the addresses took place or where either Read or Gen have been skipped take no time at all and free ops(δ Read + δ Gen ) instructions for other rounds. That is we get a bound with the same structure as in Game 1 but where ops(δ Read ) is replaced by ops(δ Read + δ Gen ), i.e., Pr [Win2] ≤ π (N, ops(δ Read + δ Gen )).
Game 3: Replacing the Random Sampling with Gen .
Game Description. Now we consider a variant of Game 2 with the only difference being that the addresses (a1, . . . , aN ) are generated by Gen instead of being randomly sampled by O. That is, during the setup phase O randomly samples g0 and generates (a1, . . . , aN ) using Gen. Game 4: Giving Access to Gen.
Game Description. In the final game O no longer generates (a1, . . . , aN ) for P. Instead P now queries the Gen oracle, which on input gi returns (gi, ai) = Gen(gi−1) after time δ Gen . To this end, O samples g0 in the setup phase and gives this value to P.
Observe that the size of the primary memory of P is increased to additionally store a value g. Further, the timebound of the challenge phase is increased to N · (δ Gen + δ Read ).
Success Probability. The only difference between Game 4 and Game 3 is that P now knows g0 and can query the Gen oracle. Recall that g0 is used by Gen for computing (a1, . . . , aN ). Hence P may decide to skip the generation of one or more addresses and save the time and memory for other computations. However, since Gen is assumed to be ν Gen -unpredictable (Definition 5), P cannot derive any information on ai+1 or gi+1 from gi without querying Gen. Thus if P never queries Gen with some value gi it cannot distinguish the subsequent values (gi+1, . . . , gN ) with a probability better than (N − i) · ν Gen . Therefore we can restrict to provers that compute (a1, g1), . . . , (aM , gM ) and that skip (aM+1, gM+1), . . . , (aN , gN ) 
With respect to Pr [Win4(M )], observe that for the first M rounds the situation is as in Game 3. Hence the success probability for the first M rounds is upper bounded by π (M, ops(δ Read + δ Gen )) + . For the remaining N − M rounds, O uses uniformly sampled values (aM+1, . . . , aN ) that are unknown to P. Hence the probability of P deriving (sM+1, . . . , sN ) correctly is upper bounded by γ
DISCUSSION AND CONCLUSION
We presented the first formal security framework for software attestation and precisely defined various of the underlying system and design parameters. Moreover we presented a generic software attestation protocol that encompasses most existing schemes in the literature. For this generic scheme we derived an upper bound on the success probability of a malicious prover that depends on the formalized parameters. We see the generic scheme and its proof as blueprints that can be adapted to concrete instantiations.
One lesson learned is the impact of these parameters on the security of the generic scheme. For example, it has been observed before that free memory should be filled with pseudo-random data [24] and a later code-compression attack [3] indicated that code redundancy also impacts security. However, the attack was dismissed as impractical [16] and ignored in later works [17, 29] . In contrast, we consider the general probability distribution of the state (code and data) in Definition 3 and directly connect it to the adversary advantage. As a result, one can directly evaluate the honest prover state and determine whether additional measures to achieve state incompressibility, such as filling free memory with pseudo-random data, are required to prevent memory copy and code compression attacks.
Our results also show that traditional cryptographic assumptions are partially too strong (second pre-image resistance) and partially too weak (pseudo-randomness). Further, we identified new (sufficient) conditions on the core functionalities of software attestation. Most previous works require the software attestation algorithm to iterate over all memory words of the secondary memory without giving any formal justification. Our bound allows to identify lower values for N (if the other parameters are known), enabling more efficient solutions that provide a tradeoff between the number of iterations N and the success probability of a malicious prover. Thus our work represents the first step towards efficient and provably secure software attestation schemes.
Still, several open questions remain for future work. One being to relax the presented conditions or to derive necessary conditions. A further task is to determine concrete instantiations. While Gen and Chk could be easily realized on devices that provide hardware-assisted cryptographic functions, such as block cipher implementations in hardware similar to the AES instructions in modern CPUs [30] , this becomes more challenging on other platforms.
We are currently working on the following aspects: (1) a practical instantiation of the generic software attestation scheme and its evaluation and (2) the evaluation of existing software attestation schemes in our framework. 
B. EXAMPLE FOR UPPER BOUND
To get a better intuition of the upper bound (Equation 1) given in Theorem 1, especially on the impact of the similarity of the malicious prover's state to the honest prover's state expressed by λ and the number of rounds N , we provide some concrete examples in this section.
At first we have to fix various parameters. To this end, we consider typical parameters for lg and lr that can be found in the literature on software attestation. Moreover, we assume that all cryptographic primitives are perfectly secure and that the values in S are uniformly distributed: Recall that the value ops has been defined as the number of operations a prover can perform in time δ Read + δ Gen . It was used in the proof to tackle the following question: If an attacker decides to skip one round, for how many other rounds can he increase his probability of success? While ops certainly expresses an upper bound on this number (the adversary has to spend at least one instruction per round), it certainly is an overestimation of the adversary's capabilities. Hence, we set ops = 2 to get more meaningful results. This represents an adversary who can win two rounds if he skips another round.
Recall that λ expresses the fraction of state entries where the state of the malicious prover matches with the state S of the honest prover. We exemplarily use λ ∈ {0.2, . . . , 0.8}. As shown in Figure 2 , for small values of λ (i.e., for malicious provers with a state that is quite different from the honest prover's state), a relatively low number of rounds is sufficient to achieve a reasonably low adversary advantage. However, for large values of λ more rounds are required. Further, for the chosen system parameters, the advantage seems to converge to a minimal adversary advantage of 10 −48 . Observe that in the literature, it is often suggested to use N = log(s)·s rounds. Interestingly, our experiments indicate that significantly less rounds can be sufficient.
