Remote Attestation (RA) is a distinct security service that allows a trusted verifier (Vrf) to measure the software state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv's memory reflects an illegal or compromised state. Although several RA approaches have been explored (including hardware-based, software-based, and hybrid) and many concrete methods have been proposed, comparatively little attention has been devoted to automated formal verification in the context of RA. In particular, thus far, there are no RA designs nor implementations that have been formally verified with respect to the necessary security properties.
Abstract-Remote Attestation (RA) is a distinct security service that allows a trusted verifier (Vrf) to measure the software state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv's memory reflects an illegal or compromised state. Although several RA approaches have been explored (including hardware-based, software-based, and hybrid) and many concrete methods have been proposed, comparatively little attention has been devoted to automated formal verification in the context of RA. In particular, thus far, there are no RA designs nor implementations that have been formally verified with respect to the necessary security properties.
In this work, we take the first step towards formal verification of RA by designing and verifying an architecture called VRASED: Verifiable Remote Attestation for Simple Embedded Devices. VRASED instantiates a hybrid (hardware/software -HW/SW) RA co-design aimed at low-end embedded systems, e.g., simple IoT devices. VRASED provides a level of security comparable to that in HW-based approaches, while relying on SW to minimize additional HW costs. Since security properties must be jointly guaranteed by HW and SW, verification of an architecture such as VRASED is a challenging task, which has never been attempted before in the context of RA. We believe that VRASED, as described in this paper, is the first formally verified RA scheme. To the best of our knowledge, our efforts also yield the first formal verification of a HW/SW implementation of any security service. To demonstrate VRASED's practicality, we instantiate and evaluate it on a commodity platform (Texas Instrument's MSP430) and make the implementation publicly available. We believe that this work represents an important advance in security of embedded systems and IoT devices by demonstrating maturity of hybrid RA and its near-readiness for practical adoption.
I. INTRODUCTION
Ever since the Morris worm [47] , preferred targets of malware were servers, general-purpose desktops and laptop computers and, later, smartphones. However, in recent years, the number and variety of special-purpose computing devices has increased dramatically. This includes all kinds of embedded devices, cyber-physical systems (CPS) and Internet-of-Things (IoT) gadgets, that are increasingly utilized in various "smart" settings, such as homes, offices, factories, automotive systems and public venues. Despite their many benefits, such devices unfortunately also represent natural and attractive attack targets for malware. This is mainly because they are numerous, connected to the Internet, and their security is either poor or non-existent.
As society becomes increasingly accustomed to being surrounded by, and dependent on, such devices, their security becomes extremely important. In the context of actuationcapable devices, malware can impact not only security but also safety, e.g., as demonstrated by Stuxnet [50] . Whereas, for sensing devices, malware can undermine privacy by obtaining ambient information. Furthermore, clever malware can turn vulnerable IoT devices into zombies that can become sources for DDoS attacks. For example, in 2016, a multitude of compromised "smart" cameras and DVRs formed the Mirai Botnet [2] which was used to mount a massive-scale DDoS attack (the largest in history).
Security is typically not the most pressing priority for lowend and medium-end device manufacturers, due to cost, size or power constraints, as well as the rush-to-market syndrome. It is thus unrealistic to expect such devices to have the means to prevent current and future malware attacks. The next best thing is detection of malware presence. This typically requires some form of Remote Attestation (RA) -a distinct security service for detecting malware on CPS, embedded and IoT devices. RA is especially applicable to low-end embedded devices that are incapable of defending themselves against malware infection. This is in contrast to more powerful devices (both embedded and general-purpose) that can avail themselves of sophisticated anti-malware protection. RA involves verification of current internal state (i.e., RAM and/or flash) of an untrusted remote hardware platform (prover or Prv) by a trusted entity (verifier or Vrf). If Vrf detects malware presence, Prv's software can be re-set or rolled back and out-of-band measures can be taken to prevent similar infections. In general, RA can help Vrf establish a static or dynamic root of trust in Prv and can also be used to construct other security services, such as software updates [44] and secure deletion [40] .
In recent years, numerous RA techniques [44] , [40] , [36] , [20] , [31] , [9] , [19] , [10] , [15] , [16] , [26] , [39] , [14] with different assumptions, security guarantees, and designs, have been proposed, first for the single-prover scenario, and, more recently, for group settings [4] , [13] , [25] , [43] . The research community's understanding of RA requirements, limitations, and challenges has matured significantly through development of, and attacks on, RA techniques. Despite this progress, a major missing aspect of RA is the high-assurance and rigor derivable from utilizing (automated) formal verification to guarantee security of the design and implementations of RA techniques. This becomes especially relevant in Hybrid RA architectures that are based on hardware/software co-designs. Hybrid RA is a promising approach for low-and mediumend embedded devices. It aims to provide the same security guarantees as (more expensive) hardware-based approaches, while minimizing modifications to the underlying hardware.
In this paper, we develop an architecture for Verifiable Remote Attestation for Simple Embedded Devices (VRASED). VRASED is the first formally verified hybrid RA architecture accompanied by a formally verified implementation. The latter -along with its security and correctness proofs -is publicly available [1] . We believe that this work represents an important advance in security of embedded systems and IoT devices, and demonstrates maturity of hybrid RA.
A. Scope
This work focuses on low-end and medium-end devices based on low-power single core microprocessors/microcontrollers with a few KBytes of program and data memory. A representative of this class of devices is the Texas Instrument's MSP430 microcontroller (MCU) family [27] . It has a 16-bit word size, resulting in ≈ 64 KBytes of addressable memory. SRAM is used as data memory and typically ranges between 4 and 16KBytes (depending on the specific MSP430 model), while the rest of the address space is used for program memory, e.g., ROM and Flash. MSP430 is a Von Neumann architecture processor with common data and code address spaces. It can perform multiple memory accesses within a single instruction; its instruction execution time can range from 1 to 6 clock cycles, and instruction length varies from 16 to 48 bits. MSP430 was designed for low-power and lowcost. MSP430 is widely used in many application domains, e.g., automotive industry, utility meters, as well as consumer devices and computer peripherals. In this paper, we use the open-source MSP430 hardware design from Open Cores [22] .
B. Goals & Contributions
The main objective of this paper is to design the first formally verified (hybrid) RA architecture suitable for lowend and medium-end devices. We believe that this represents a major advance in the area of embedded systems security, especially considering that all prior RA methods were designed in a more-or-less ad hoc manner. In fact, working on the verification of VRASED revealed that earlier work extending MSP430 [20] wrongly relied on interrupt disablement being atomic and hence opened the door to key theft in the window between initiating interrupts and the disablement actually taking effect. Automated formal verification significantly increases our confidence that no such subtle issues were overlooked. Specifically, anticipated contributions of this work are three-fold:
• We specify fundamental RA security properties expected from hardware and software and formalize them using Linear Temporal Logic (LTL). We then prove that the conjunction of such properties implies soundness and security of RA. • We design VRASED, a hybrid (HW/SW) RA architecture composed of minimal hardware and software modules. These modules jointly guarantee RA soundness and security properties and both are formally verified. We then instantiate VRASED on the commodity MSP430 microcontroller architecture. • We make VRASED publicly available as a reference implementation of formally verified RA [1] . We are not aware of any other open-source systematically designed and mechanically verified RA architecture.
Organization: Section II provides relevant background on RA and automated verification. Section III contains the details of the VRASED architecture and an overview of the verification approach. Section IV contains the formalized properties for secure RA, and then the implementation of verified components to realize such properties. Section V presents VRASED's API. Section VI discusses alternative designs to guarantee the same required properties and their trade-offs with the standard design. Section VII presents experimental results demonstrating the minimal overhead of the formally verified and synthesized components. Section VIII discusses related work. Section IX concludes with a summary of our results.
II. BACKGROUND This section overviews RA and provides some background on automated verification.
A. RA for Low-end Devices
As mentioned earlier, RA is a security service that facilitates detection of malware presence on a remote device. Specifically, it allows a trusted verifier (Vrf) to remotely measure the software state of an untrusted remote device (Prv). As shown in Figure 1 , RA is typically obtained via a simple challenge-response protocol: 1) Vrf sends an attestation request containing a challenge (Chal) to Prv. This request might also contain a token derived from a secret that allows Prv to authenticate Vrf. 2) Prv receives the attestation request and computes an authenticated integrity check over its memory and Chal. The memory region might be either pre-defined, or explicitly specified in the request. In the latter case, authentication of Vrf in step (1) The authenticated integrity check can be realized as a Message Authentication Code (MAC) over Prv's memory. However, computing a MAC requires Prv to have a unique secret key (denote by K) shared with Vrf. This K must reside in secure storage, where it is not accessible to any software running on Prv, except for attestation code. Since most RA threat models assume a fully compromised software state on Prv, secure storage implies some level of hardware support.
Prior RA approaches can be divided into three groups: software-based, hardware-based, and hybrid. Software-based (or timing-based) RA is the only viable approach for legacy devices with no hardware security features. Without hardware support, it is (currently) impossible to guarantee that K is not accessible by malware. Therefore, security of softwarebased approaches [45] , [36] is loosely attained by setting threshold communication delays between Vrf and Prv. Thus, software-based RA is unsuitable for multi-hop and jitterprone communication, or settings where a compromised Prv is aided (during attestation) by a more powerful accomplice device. It also requires strong constraints and assumptions on the hardware platform and attestation usage [32] , [35] . On the other hand, hardware-based approaches require Prv's attestation functionality to be housed entirely within dedicated hardware, e.g., SGX [28] or TrustZone [3] . Such hardware features are too expensive (in terms of physical area, energy consumption, and actual cost) for low-end devices.
While both hardware-and software-based approaches are not well-suited for settings where low-end devices communicate over the Internet (which is often the case in the IoT), hybrid RA (based on HW/SW co-design) is a more promising approach. Hybrid RA aims at providing the same security guarantees as hardware-based techniques with minimal hardware support. SMART [20] is the first hybrid RA architecture targeting low-end MCUs. In SMART , the attestation code is implemented in software. SMART 's small hardware footprint guarantees that: (1) attestation code can not be modified, (2) attestation code has exclusive access to the secret K, (3) no part of K remains in memory after attestation code terminates, and (4) RA runs atomically, i.e., from the first instruction until the last, without being interrupted. Property (4) is essential to prevent malware from relocating itself (during attestation) to evade detection. It also helps preventing Return-Oriented Programming (ROP) and similar attacks. We re-visit these properties and their corresponding requirements in Section III.
Despite much progress, a major missing aspect in RA research is high-assurance and rigor obtained by using (automated) formal methods to guarantee security of a concrete RA design and its implementation 1 . We believe that verifiability and formal security guarantees are particularly important for hybrid RA designs aimed at low-and medium-end embedded and IoT devices, as their proliferation keeps growing. This serves as the main motivation for our efforts to develop the first formally verified RA architecture.
B. Formal Verification, Model Checking & Linear Temporal Logic
Automated formal verification typically involves three basic steps. First, the system of interest (e.g., hardware, software, communication protocol) must be described using a formal model, e.g., a Finite State Machine (FSM). Second, properties that the model should satisfy are formally specified. Third, the system model is checked against formally specified properties to guarantee that the system retains such properties. This checking can be achieved via either Theorem Proving or Model Checking. In this work, we use the latter. The motivation for picking Model Checking is clarified below.
In Model Checking, properties are specified as formulae using Temporal Logic and system models are represented as FSMs. Hence, a system is represented by a triple (S, S 0 , T ), where S is a finite set of states, S 0 ⊆ S is the set of possible initial states, and T ⊆ S × S is the transition relation set, i.e., it describes the set of states that can be reached in a single step from each state. The use of Temporal Logic to specify properties allows representation of expected system behavior over time.
We apply the model checker NuSMV [17] , which can be used to verify generic HW or SW models. For digital hardware described at Register Transfer Level (RTL) -which is the case in this work -conversion from Hardware Description Language (HDL) to NuSMV model specification is simple. Furthermore, it can be automated and verified [29] . This is because the standard RTL design already relies on describing hardware as an FSM. In NuSMV, properties are specified in Linear Temporal Logic (LTL), which is particularly useful for verifying sequential systems. This is because it extends common logic statements with temporal clauses. In addition to propositional connectives, such as conjunction (∧), disjunction (∨), negation (¬), and implication (→), LTL includes temporal connectives, thus enabling sequential reasoning. In this paper, we are interested in the following temporal connectives:
• Xφ -neXt φ: holds if φ is true at the next system state.
• Fφ -Future φ: holds if there exists a future state where φ is true. • Gφ -Globally φ: holds if for all future states φ is true.
holds if there is a future state where ψ holds and φ holds for all states prior to that. This set of temporal connectives combined with propositional connectives (with their usual meanings) allows us to specify powerful rules. NuSMV works by checking LTL specifications against the system FSM for all reachable states in such FSM. In particular, all VRASED's desired security properties are specified using LTL and verified by NuSMV.
III. OVERVIEW OF VRASED
VRASED is composed of a HW module (HW-Mod) and a SW implementation (SW-Att) of Prv's behavior according to the RA protocol. HW-Mod enforces access control to K in addition to secure and atomic execution of SW-Att (these properties are discussed in detail below). HW-Mod is designed with minimality in mind. The verified FSMs contain a minimal state space, which keeps hardware cost low. SW-Att itself is responsible for computing an attestation report. As VRASED's security properties are jointly enforced by HW-Mod and SW-Att, both must be verified to ensure that the overall design conforms to the system specification.
A. Adversarial Capabilities & Verification Axioms
We consider an adversary, Adv, that can control the entire software state, code, and data of Prv. Adv can modify any writable memory and read any memory that is not explicitly protected by access control rules. For example, Adv can read anything (including secrets) stored in memory that is not explicitly protected by HW-Mod. It can also re-locate malware from one memory segment to another, in order to hide malware from being detected by attestation. Adv may also have full control over all Direct Memory Access (DMA) controllers on Prv. DMA allows a hardware controller to directly access main memory (e.g., RAM, flash or ROM) without going through the CPU.
We focus on attestation functionality of Prv; verification of the entire MCU architecture is beyond the scope of this paper. Therefore, we assume the actual MCU architecture correctly implements, and adheres to, the MCU (e.g., MSP430) specification. In particular, our verification approach relies on the following simple axioms:
• A1 -Program Counter: The program counter (P C) always contains the address of the instruction being executed in a given cycle. • A2 -Memory Address: Whenever memory is read or written, a data-address signal (D addr ) contains the address of the corresponding memory location. For a read access, a data read-enable bit (R en ) must be set, and for a write access, a data write-enable bit (W en ) must be set. • A3 -DMA: Whenever a DMA controller attempts to access main system memory, a DMA-address signal (DM A addr ) reflects the address of the memory location being accessed and a DMA-enable bit (DM A en ) must be set. DMA can not access memory when DM A en is off (logical zero). • A4 -MCU reset: At the end of a successful reset routine, all registers (including P C) are set to zero before resuming normal software execution flow. Resets are handled by the MCU in hardware; thus, reset handling routine can not be modified. • A5 -Interrupts: Interrupts modify P C to point to the corresponding interrupt handler which is at a fixed memory location. Remark: Note that Axioms A1 to A5 are satisfied by the OpenMSP430 design.
SW-Att uses the HACL* [53] HMAC-SHA256 function which is implemented and verified in F* 2 . F* can be automatically translated to C and the proof of correctness for the translation is provided in [41] . However, even though efforts have been made to build formally verified C compilers (CompCert [34] is the most prominent example), there are currently no verified compilers targeting lower-end MCUs, such as MSP430. Hence, we assume that the standard MSP430 compiler can be trusted to semantically preserve its expected behavior, especially with respect to the following:
• A6 -Callee-Saves-Register: Any register touched in a function is cleaned by default when the function returns. • A7 -Semantic Preservation: Functional correctness of the verified HMAC implementation in C, when converted to MSP430 assembly, is semantically preserved. Remark: Axioms A6 and A7 reflect the corresponding compiler specification (msp430-gcc).
Physical hardware attacks are out of scope in this paper. Specifically, Adv can not modify code stored in ROM, induce hardware faults, or retrieve Prv secrets via physical presence side-channels. Protection against physical attacks is considered orthogonal and could be supported via standard tamperresistance techniques [42] .
B. High-Level Properties of Secure Attestation
We now describe the properties required for secure RA. Most of them were originally introduced in SMART [20] and subsequently consolidated in [21] , where the completeness of this set of properties for guaranteeing secure RA is also taken into account. In section IV, we formalize these properties and provide single end-to-end definitions for RA soundness and security. Then we prove that VRASED's design satisfies the aforementioned properties and the end-to-end definitions for soundness and security. The properties, shown in Figure 2 , fall into two groups: key protection and safe execution. Secure RA requires Vrf to confirm authenticity and integrity of the result received from Prv. To this end, the secret K is used to compute an HMAC of Prv's memory. As mentioned earlier, K must not be accessible by regular software running on Prv. To guarantee that K is not leaked or modified by regular software the following features must be correctly implemented:
• P1-Access Control: K can only be accessed by SW-Att.
• P2-No Leakage: Neither K (nor any function of K other than the correctly computed HMAC) can remain in unprotected memory or registers after execution of SW-Att.
• P3-Secure Reset: Any memory tainted by K and all registers (including PC) must be erased (or be inaccessible to regular software) after MCU reset. Since a reset might be triggered during SW-Att execution, lack of this property could result in leakage of privileged information about the system state or K. Erasure of registers as part of the reset ensures that no state from a previous execution persists. Therefore, the system must return to the default initialization state.
Safe Execution:
From the key protection property, it follows that K can only be accessed by SW-Att. Safe execution refers to what is required to ensure that K is properly and securely used by SW-Att to fulfill its role in the RA protocol. Safe execution can be divided into four sub-properties:
• P4-Functional Correctness: SW-Att must implement expected behavior of Prv's role in the RA protocol. For instance, if Vrf expects a response containing an HMAC of memory in address range [A, B], SW-Att implementation should always reply accordingly. Moreover, SW-Att must always finish in finite time, regardless of the input size and other parameters. • P5-Immutability: Since SW-Att executable must be stored in Prv's memory, it must be immutable. Otherwise, malware residing in Prv could modify SW-Att, e.g., to always generate valid RA measurements or to leak K. • P6-Atomicity: SW-Att execution can not be interrupted.
The first reason for atomicity is to prevent leakage of intermediate values in registers and SW-Att's data memory (including locations that could leak functions of K) during SW-Att execution. This relates to P2 above. The second reason is to prevent roving malware from relocating itself to escape being measured by SW-Att. • P7-Controlled Invocation: SW-Att must always start from the first instruction and execute until the last instruction. Even though correct implementation of SW-Att is guaranteed by P3, isolated execution of chunks of a correctly implemented code could lead to catastrophic results. Potential ROP attacks could be constructed using gadgets of SW-Att (which, based on P1, have access to K) to compute valid attestation results. Beyond aforementioned core security properties, in some settings, Prv might need to authenticate Vrf's attestation requests in order to mitigate potential DoS attacks on Prv. This functionality is also provided (and verified) as an optional feature in the design of VRASED. The differences between the standard design and the one with support for Vrf authentication are discussed in Appendix B.
C. System Architecture
VRASED architecture is depicted in Figure 3 . VRASED is implemented by adding HW-Mod to the MCU architecture, e.g., MSP430. The MCU memory layout is extended to include Read-Only Memory (ROM) that houses SW-Att code and K used in the HMAC computation. Because K and SW-Att code are stored in ROM, we have guaranteed immutability, i.e., property P5. VRASED also reserves a fixed part the memory address space for SW-Att stack. This amounts to ≈ 3% of the address space, as discussed in Section VII 3 . Access control to dedicated memory regions, as well as SW-Att atomic execution are enforced by HW-Mod. The memory backbone is extended to support memory multiplexing of the new memory regions. HW-Mod takes 6 input signals from the MCU core: P C, D addr , R en , W en , DM A addr and DM A en . These inputs are used to determine a one-bit reset signal output, that, when set to 1, resets the MCU core immediately, i.e., before execution of the next instruction. The reset output is triggered when HW-Mod detects any violation of security properties.
D. Verification Approach
An overview of HW-Mod verification is shown in Figures 4 and 5. We start by formalizing RA properties discussed in this section using Linear Temporal Logic (LTL) to define invariants that must hold throughout the entire system execution. HW-Mod 3 A separate region in RAM is not strictly required. Alternatives and tradeoffs are discussed in Section VI is implemented as a composition of sub-modules written in the Verilog hardware description language (HDL). Each submodule implements the hardware responsible for ensuring a given subset of the LTL specifications. Each sub-module is described as an FSM in: (1) Verilog at Register Transfer Level (RTL); and (2) the Model-Checking language SMV [17] . We then use the NuSMV model checker to verify that the FSM complies with the LTL specifications. If verification fails, the sub-module is re-designed.
After individually verifying all the sub-modules, they are combined into a single Verilog design. The composition is converted to SMV using the automatic translation tool Verilog2SMV [29] . The resulting SMV is simultaneously verified against all LTL specifications to prove that the final Verilog design for HW-Mod complies with all secure RA properties.
Remark: Automatic conversion of the composition of HW-Mod from Verilog to SMV rules out the possibility of human mistakes in representing Verilog FSMs as SMV.
For the SW-Att part of VRASED, we use the formally verified SHA-256 HMAC function from the HACL* library [53] to compute an HMAC over the attested memory and Chal received from Vrf. This function is formally verified with respect to memory safety, functional correctness, and cryptographic security. However, key secrecy properties (such as clean-up of memory tainted by the key) are not formally verified in HACL*. Therefore, key secrecy must be ensured by VRASED.
As the last step in our verification effort, we prove that the conjunction of the LTL properties guaranteed by HW-Mod and SW-Att implies soundness and security of the RA architecture. RA soundness and security are formally specified in Section IV-B IV. VERIFYING VRASED In this section we formalize secure RA properties. For each property, we formalize it as a set of LTL specifications and construct an FSM that is verified to conform to such specifications. Finally, the conjunction of these FSMs is implemented in Verilog HDL and translated to NuSMV using Verilog2SMV. The generated NuSMV description for the conjunction is proved to simultaneously hold for all specifications.
A. Notation
To facilitate generic LTL specifications that represent VRASED's architecture (see Figure 3 ) we use the following:
• AR min and AR max : first and last physical addresses of the memory region to be attested; • CR min and CR max : physical addresses of first and last instructions of SW-Att in ROM; • K min and K max : first and last physical addresses of the ROM region in which K is stored; • XS min and XS max : first and last physical addresses of the RAM region reserved for SW-Att computation; • M AC addr : fixed address that stores the result of SW-Att computation (HMAC); • M AC size : size of SW-Att's HMAC result; Table I uses the above definitions and summarizes the notation used in our LTL specifications throughout the rest of this paper.
To simplify specification of defined security properties, without loss of generality, [A, B] denotes a contiguous memory region between A and B, inclusive (A ≤ B). Therefore, the following equivalence holds:
For example, expression P C ∈ CR holds when the current value of P C signal is within CR min and CR max , meaning that the MCU is currently executing an instruction in CR, i.e, a SW-Att instruction. This is because in the notation introduced above:
In this section, we introduce LTL specifications and FSMs that are formally verified to hold for such specifications. As discussed in Section III, these FSMs correspond to the Verilog hardware design of HW-Mod submodules. The FSMs are implemented as Mealy machines, where the output changes at any time as a function of both the current state and current input values 4 . Each FSM has as inputs Each FSM has only one output, reset, that indicates whether any security property was violated. For the sake of presentation we do not explicitly represent the value of the reset output for each state. Instead, we define the following implicit representation: 1) reset output is 1 whenever an FSM transitions to the Reset state; 2) reset output remains 1 until a transition leaving the Reset state is triggered; 3) reset output is 0 in all other states.
B. Formal Specifications of RA Soundness and Security
In this section we precisely define the notions of soundness and security that are provably achieved by VRASED. Intuitively RA soundness translates to computing an integrity ensuring function over memory at a given time t. In VRASED the integrity ensuring function is an HMAC computed on memory AR with a one-time key derived from K and Chal (received from Vrf to prevent replays). Since SW-Att computation is not instantaneous, RA soundness must ensure that attested memory does not change during the computation of the HMAC. This is the notion of temporal consistency in remote attestation [14] . In other words, the result of SW-Att call must reflect the entire state of the attested memory at the moment when SW-Att is called. This notion is captured in LTL by Definition 1.
where M is any arbitrary value for AR and KDF is a secure key derivation function. and Chal are the values of AR and M R. From this precondition, Definition 1 asserts that there is a time in the future when SW-Att computation finishes and, at that time, M R stores the result of HM AC(KDF (K, Chal), M ). Note that, to satisfy Definition 1, Chal and M in the resulting HMAC must be the same as the values of AR and M R when SW-Att was called.
RA security is defined using the security game presented in Figure 7 . The game models an adversary A (that is a probabilistic polynomial time, ppt, machine) that has full control of the software state of Prv (as the one described in Section III-A), being able to modify AR at will and call SW-Att a polynomial number of times in the security parameter (K and Chal bit-lengths). However, A can not modify SW-Att code, which is stored in immutable memory. The game assumes that A does not have access to K, and only learns Chal when it is provided by Vrf during an attestation request.
Assumptions: -SW-Att is immutable, and K is not known to A l is the security parameter and |K| = |Chal| = |M R| = l -AR(t) denotes the content in AR at time t -A can modify AR and M R at will; however, it loses its ability to modify them while SW-Att is running
RA-game:
1) Setup: A can make poly(l) oracle calls to SW-Att, for arbitrary values of AR and M R = Chal. 
RA Security Definition:
An RA protocol is considered secure if there is no ppt A capable of winning the game defined in 2.1 with Pr[A, RA-game] > negl(l) Fig. 7 . RA security definition for VRASED In the following sections, we define SW-Att functional correctness, LTL specifications in Equations 2-9 and formally verify that VRASED's design guarantees such LTL specifications. We define LTL specifications from the intuitive properties discussed in Section III-B and depicted in Figure 2 . In Appendix A we formally prove that the conjunction of such properties achieves soundness (Definition 1) and security (Definition 2). In the proof of security we first show that VRASED guarantees that A can never learn K, thus satisfying the assumption in the security game. We then complete the proof security via reduction, i.e., we show that the existence of an adversary that wins the game in Definition 2 implies the existence of an adversary that breaks the conjectured existential unforgeability of HMAC.
C. VRASED SW-Att
To minimize required hardware support, hybrid RA approaches implement integrity ensuring functions (e.g., HMAC) in software. VRASED's SW-Att implementation is built on top of HACL*'s HMAC implementation [53] . HACL* code is verified to be functionally correct, memory safe and secret independent. In addition, all memory is statically allocated on the stack making it predictable and deterministic.
SW-Att is simple, as depicted in Figure 8 . It first derives a new unique context-specific key (key) from the master key h a c l _ h m a c ( ( u i n t 8 _ t * ) key , ( u i n t 8 _ t * ) key , ( u i n t 3 2 _ t ) 6 4 , ( u i n t 8 _ t * ) CHALL_ADDR, ( u i n t 3 2 _ t ) 3 2 ) ; 5 h a c l _ h m a c ( ( u i n t 8 _ t * ) MAC_ADDR, ( u i n t 8 _ t * ) key , ( u i n t 3 2 _ t ) 3 2 , ( u i n t 8 _ t * ) ATTEST_DATA_ADDR, ( u i n t 3 2 _ t ) ATTEST_SIZE ) ; 6 return ( ) ; 7 } Fig. 8 . SW-Att C Implementation (K) by computing an HMAC-based key derivation function, HKDF [33] , on Chal. This key derivation can be extended to incorporate the attested memory boundaries, in the case where Vrf specifies the range to be attested (see Appendix B). Finally, it calls HACL*'s verified HMAC, using key as the HMAC key. AT T EST _DAT A_ADDR and AT T EST _SIZE specify the memory range to be attested (AR in our notation). We emphasize that SW-Att resides in ROM, which guarantees P5 under the assumption of no hardware attacks. Moreover, as discussed later in this section, HW-Mod enforces that no other software running on Prv can access memory allocated by SW-Att code, e.g., key[64] buffer allocated in line 2. HACL*'s verified HMAC is the core for guaranteeing P4 (Functional Correctness) in VRASED's design. SW-Att functional correctness means that, as long as the memory regions storing values used in SW-Att computation (CR, AR, and KR) do not change during its computation, the result of such computation is the appropriate HMAC on such values. This guarantee can be formally expressed in LTL as in Definition 3. We note that, by this definition, region M R does not need to remain the same, as it will eventually be overwritten with the result of SW-Att computation. In addition, some of HACL* properties, such as static/deterministic memory allocation are used in alternative designs of VRASED to ensure P2 -see Section VI.
Functional correctness implies that the HMAC implementation conforms to its published standard specification on all possible inputs, retaining the specification's cryptographic security. It also implies that HMAC executes in finite time. Secret independence ensures that there are no branches taken as a function of secrets, i.e., K and key in Figure 8 . This mitigates K leakage via timing side-channel attacks. Memory safety guarantees that implemented code is type safe, meaning that it never reads from, or writes to: invalid memory locations, outof-bounds memory, or unallocated memory. This is particularly important for preventing ROP attacks, as long as P7 (controlled invocation) is also preserved 5 .
Having all memory allocated statically allows us to either: (1) confine SW-Att execution to a fixed size protected memory region inaccessible to regular software (e.g., malware) running on Prv; or (2) ensure that SW-Att stack is erased before the end of execution. Note that HACL* (as well as other cryptographic libraries, such as OpenSSL and NaCl) does not provide stack erasure by default to improve performance. Therefore, P2 does not follow from HACL* implementation. This practice is common because inter-process memory isolation is usually provided by the Operating System (OS). However, erasure before SW-Att return must be guaranteed by VRASED, which targets low-end MCUs that might run applications on baremetal and thus can not rely on any OS trust assumptions. As discussed above, even though HACL* implementation guarantees P4 and storage in ROM guarantees P5, these must be combined with P6 and P7 to provide safe execution. P6 and P7 -along with the key protection properties (P1, P2, and P3) -are ensured by HW-Mod, which are described next.
D. Key Access Control (HW-Mod)
Since VRASED stores K in ROM, it can not be overwritten. However, if malware manages to read K from ROM, it can reply to Vrf with forged, yet valid, results. HW-Mod access control (AC) sub-module enforces that K can only be accessed by SW-Att (property P1).
Remark. We consider DMA implications for key access control (as well as for other properties) in Section IV-G.
1) LTL Specification:
The invariant for key access control (AC) is defined in LTL Specification (2) . It stipulates that system must transition to the Reset state whenever code from outside CR (SW-Att instructions memory region) tries to read from an address (D addr ) within the key space.
2) Verified Model: Figure 10 shows the FSM implemented by the AC sub-module which is verified to hold for LTL Specification 2. This FSM has two states: Run and Reset. It outputs reset = T RU E when the AC sub-module transitions to state Reset. This implies a hard-reset on the MCU. Once the reset process completes, the system leaves the Reset state.
E. Atomicity and Controlled Invocation (HW-Mod)
In addition to functional correctness, safe execution of attestation code requires immutability (P5), atomicity (P6), and controlled invocation (P7). P5 is achieved directly by placing SW-Att in ROM. Therefore, we only need to formalize invariants for the other two properties: atomicity and controlled execution.
1) LTL Specification: To guarantee atomic execution and controlled invocation, LTL Specifications (3) and (4) must both hold: Fig. 11 . Verified FSM for atomicity and controlled invocation.
LTL Specification (3) enforces that the only way for SW-Att execution to terminate is through its last instruction: P C = CR max . This is specified by checking current and next P C values using LTL neXt operator. In particular, if current P C value is within SW-Att region, and next P C value is out of SW-Att region, it must hold that: either current P C value is the address of the last instruction in SW-Att (CR max ), or reset is triggered in the next cycle. Also, LTL Specification (4) enforces that the only way for P C to enter SW-Att region is through the very first instruction: CR min . Together, these two invariants imply atomicity captured by P7: it is impossible to jump into the middle of SW-Att, or to leave SW-Att before reaching the last instruction.
P6 is also satisfied through LTL Specifications (3) and (4). Atomicity could be violated by interrupts. However interrupt implies changing P C to point to the interrupt handling routine. The interrupt handling routine address in OpenMSP430 is in a fixed location (Axiom A5) and, more importantly, outside CR. Therefore, if interrupts are not disabled by software running on Prv before calling SW-Att, any potential interrupt that might violate SW-Att atomicity will cause an MCU reset.
2) Verified Model: Figure 11 presents a verified model for atomicity and controlled invocation enforcement. The FSM is composed of five states. Two basic states notCR and midCR represent conditions when P C points to an address: (1) outside CR, and (2) within CR, respectively, not including the first and last instructions of SW-Att. Another two: f stCR and lstCR represent states when P C points to the first and last instructions of SW-Att, respectively. Note that the only possible path from notCR to midCR is through f stCR. Similarly, the only path from midCR to notCR is through lstCR . Any sequence of values for P C not obeying these conditions will trigger a transition to the Reset state, causing the MCU to reset.
F. Key Confidentiality (HW-Mod)
A fundamental architectural RA component is secrecy of K, captured by P2. To guarantee it, VRASED must enforce the following:
1) No leaks after attestation: any registers and memory accessible to applications must be wiped at the end of each attestation instance, i.e., before application execution resumes. 2) No leaks on reset: since a reset can be triggered during attestation execution, any registers and memory accessible to regular applications must be wiped out upon reset. In MSP430, all registers are zeroed out upon reset and at boot time: Axiom A4. Therefore, the only time when register cleanup is necessary is at the end of SW-Att. This is also guaranteed by the Callee-Saves-Register convention: Axiom A6.
Nonetheless, the leakage problem remains because of RAM allocated by SW-Att. Thus, we must guarantee that K is not leaked through "dead" memory, which could be accessed by application (possibly, malware) after SW-Att terminates. A simple and effective way of addressing this issue is by reserving a separate secure stack in RAM that is only accessible (i.e., readable and writable) by attestation code. All memory allocations by SW-Att must be done on this stack, and access control to the stack must be enforced by HW-Mod. As discussed in Section VII, the size of this stack is constant -2.3KBytes. This corresponds to ≈ 3% of MSP430 16-bit address space. We also consider several VRASED variants (that do not require a reserved stack) and trade-offs between them in Section VI.
1) LTL Specification: Recall that XS denote a contiguous secure memory region reserved for exclusive access by SW-Att. LTL Specification for the secure stack sub-module is as follows:
We also want to prevent attestation code from writing into application memory. Therefore, it is only allowed to write to the designated fixed region for the HMAC result (M R).
In summary, invariants (5) and (6) enforce that only attestation code can read from/write to the secure reserved stack and that attestation code can only write to regular memory within the space reserved for the HMAC result. If any of these conditions is violated, the system resets.
2) Verified Model: Figure 12 shows the FSM verified to comply with invariants (5) and (6) .
G. DMA Support
So far, we presented a formalization of HW-Mod submodules under the assumption that DMA is either not present or disabled on Prv. However, when present, a DMA controller can request reads and writes to arbitrary memory regions. Such memory accesses are performed concurrently in the memory backbone and without MCU intervention, while the MCU executes regular instructions.
DMA data transfer in MSP430 is performed using dedicated memory buses, e.g., DM A en and DM A addr . Hence, regular memory access control (based on monitoring D addr ) does not capture memory accesses by DMA controller. Thus, if DMA controller is compromised, it may lead to violation of properties P1 and P2 by directly reading K and values in the attestation stack, respectively. In addition, it can assist Prvresident malware to escape detection by either copying it out of the measurement range or entirely deleting it, which results in a violation of P6.
1) LTL Specification: We introduce three additional LTL Specifications to protect against aforementioned attacks. First, we enforce that DMA cannot request an access to K. This results in the following LTL Specification:
Similarly, LTL Specification for preventing DMA to access the attestation stack is defined as:
Finally, invariant (9) specifies that DMA must be always disabled while P C is in SW-Att region. This prevents DMA controller from helping malware escape during attestation.
2) Verified Model: Figure 13 shows the FSM verified to comply with invariants (7) to (9) . It is similar to those of key access control and key confidentiality. 
H. HW-Mod Composition
Thus far, we designed and verified individual HW-Mod sub-modules according to the methodology presented in Section III-D and illustrated in Figure 4 . We now follow the workflow of Figure 5 to combine the sub-modules into a single Verilog module. Since each sub-module individually guarantees a subset of properties P1-P7, the composition is simple: the system must reset whenever any sub-module reset is triggered. This is implemented by a logical OR of submodules reset signals. The composition is shown in Figure 14 .
To verify that all aforementioned LTL specifications still hold for the composition, we use Verilog2SMV [29] to translate HW-Mod to SMV and verify SMV for all of these specifications simultaneously.
I. Secure Reset (HW-Mod)
Finally, we define LTL Specification for secure reset (P3), which is a necessary property for the composition of all submodules. It guarantees that the MCU reset hardware-routine completes before the MCU reset signal turns off. At the end of reset, all registers (including P C) are set to 0, per Axiom A4. Ensuring that reset remains triggered until this point is Fig. 14. HW-Mod composition from sub-modules important because it guarantees that K does not remain in any register after a reset. While P1 guarantees that K is not leaked from ROM, exclusive stack guarantees that K cannot be accessed from RAM, and Axiom A6 guarantees that registers are erased after SW-Att terminates. LTL Specification (10) is needed to prevent K leakage when a reset signal arrives during SW-Att execution, since parts of K might still be in some registers.
1) LTL Specification: To guarantee that the reset signal is active for long enough so that the MCU reset finishes and all registers are cleaned-up, it must hold that:
Invariant (10) states: when reset signal is triggered, it can only be released after P C = 0. We note that transition from Reset state in all sub-modules presented in this section already takes this invariant into account. Thus, HW-Mod composition also verifies LTL Specification (10) .
V. VRASED API The design of VRASED ensures that any violation of secure RA properties is detected and causes the system to reset. However, besides malware, benign applications running on the MCU must comply with VRASED rules to execute successfully.
For example, suppose that a benign application receives an attestation request from Vrf. It then needs to set up MCU software state before SW-Att can start running. This includes: disabling interrupts, setting the stack pointer to the reserved secure stack, and storing the previous stack pointer, in order to restore software state after SW-Att execution completes. If the application fails to do this, even though RA security still holds, the system behavior might reach an unexpected state due to incorrect set-up before or after SW-Att execution. For example, suppose that interrupts were (erroneously) not disabled before calling SW-Att, and an interrupt occurs during SW-Att execution, thus aborting the application. Though not a violation of secure RA properties, this can clearly harm the benign application.
Furthermore, setting up execution environment for SW-Att requires knowledge of low-level architecture and assembly instructions in order to deal directly with register state. Assuming such knowledge might be unrealistic or unnecessary for a typical application developer, who codes applications using a high 1 void VRASED ( u i n t 8 _ t * c h a l l e n g e , u i n t 8 _ t * r e s p o n s e ) { 2 //Copy input challenge to MAC _ ADDR: 3 memcpy ( ( u i n t 8 _ t * )MAC_ADDR, c h a l l e n g e , 3 2 ) ; 4 5
//Disable interrupts: 6 _ _ d i n t ( ) ; 7 8
//Save current value of r5 and r6: 9 __asm__ volatile ( "push r5" "\n\t" ) ; 10 __asm__ volatile ( "push r6" "\n\t" ) ; 11 12 //Write return address of Hacl _ HMAC _ SHA2 _ 256 _ hmac _ entry 13 //to RAM: 14 __asm__ volatile ( "mov #0x000e, r6" "\n\t" ) ; 15 __asm__ volatile ( "mov #0x0300, r5" "\n\t" ) ; 16 __asm__ volatile ( "mov r0, @(r5)" "\n\t" ) ; 17 __asm__ volatile ( "add r6, @(r5)" "\n\t" ) ; 18 19 //Save the original value of the Stack Pointer (R1): 20 __asm__ volatile ( "mov r1, r5" "\n\t" ) ; 21 22 //Set the stack pointer to the base of the exclusive stack: 23 __asm__ volatile ( "mov #0x1000, r1" "\n\t" ) ; 24 25 //Call SW-Att: 26
Hacl_HMAC_SHA2_256_hmac_entry ( ) ; 27 28 //Copy retrieve the original stack pointer value: 29 __asm__ volatile ( "mov r5, r1" "\n\t" ) ; 30 31 //Restore original r5,r6 values: 32 __asm__ volatile ( "pop r6" "\n\t" ) ; 33 __asm__ volatile ( "pop r5" "\n\t" ) ; 34 35 //Enable interrupts: 36
_ _ e i n t ( ) ; 37 38 //Return the HMAC value to the application: level programming language, e.g., C. To this end, we provide an API to SW-Att that takes care of necessary configuration on the application's behalf. VRASED API implements appropriate configurations, saves the application state, calls SW-Att, and resumes the software state after SW-Att execution. This makes all VRASED specifics transparent to the application developer, making RA an easy-to-use service: a simple function call. VRASED API implementation is shown in Figure 15 . It starts by copying Vrf's Chal to the designated physical memory location that will be read by SW-Att. Next, to comply with atomicity, it disables interrupts. Before calling SW-Att, the current value of the stack pointer 6 is saved and set to point to the base of the secure stack. This is necessary to comply with the Key Confidentiality property which ensures that SW-Att can only execute on the reserved stack. With that last step, the software state is ready for SW-Att execution. After SW-Att execution, the original stack pointer value and values of the registers used to store the original stack pointer are restored and interrupts are enabled. At this point, execution of the application can continue normally and the application can reply to Vrf's request with the attestation result. Remark. VRASED API makes it easy for programmers to comply with HW-Mod requirements before calling SW-Att. The API itself does not (and should not) provide any security properties, since it is executed before and after SW-Att invocation to save and resume application execution state. Such code is not part of SW-Att and resides in regular program memory, where it is treated accordingly by HW-Mod's access control rules. In summary, it does not belong to the verified design.
VI. ALTERNATIVE DESIGNS
In this section we discuss alternative designs for VRASED that guarantee verified properties without requiring reserving a separate secure stack region for SW-Att operations. Recall that HW-Mod enforces that only SW-Att can access this stack. Since memory usage in HACL* HMAC is deterministic, the size of the separate stack can be pre-determined -it requires 2, 332bytes. Even though resulting in overall (HW and SW) design simplicity, giving up 3% of addressable memory to secure RA might not be desirable. Therefore, this section considers several alternatives. In Section VII the costs involved with these alternatives are quantified and compared to the standard design of VRASED.
A. Erasure on SW-Att
The most intuitive alternative to a reserved secure stack (which prevents accidental key leakage by SW-Att) is to encode corresponding properties into the HACL* implementation and proof. Specifically, it would require extending the HACL* implementation to zero out all allocated memory before every function return. In addition, to retain verification of P2 (in Section III-B) and ensure no leakage, HACL*verified properties must be extended to incorporate memory erasure. This is not yet supported in HACL* and doing so would incur a slight performance overhead. However, the trade-off between performance and RAM savings might be worthwhile. Furthermore, the HACL* team confirmed to us 7 that this functionality is currently under development and is expected to be available sometime in mid-2018.
At the same time, we note that, even with verified erasure as a part of SW-Att, P2 is still not guaranteed if the MCU does not guarantee erasure of the entire RAM upon boot. This is necessary because we must consider the case when Prv reboots in the middle of SW-Att execution. Without a reserved stack, K might persist in RAM, thus resulting in a possible leak. Since the memory range for SW-Att execution is not fixed, hardware support is required to bootstrap secure RAM erasure before starting any software execution on the MCU. In fact, such support is necessary for all approaches that do not have a separate secure stack. The implication is that verification of secure RAM erasure routine itself is also necessary to ensure P2.
B. Compiler-Based Clean-Up
While stack erasure in HACL* would integrate nicely with the overall proof of SW-Att, the assurance would be at the language abstraction level, and not necessarily at the machine level. The latter would require additional assumptions about the compilation tool chain. We could also consider performing stack erasure directly in the compiler. In fact, a recent proposal to do exactly that was made in zerostack [46] , an extension to Clang/LLVM. In case of VRASED, this feature could be used on unmodified HACL* (at compilation time), to add instructions to erase the stack before the return of each function enabling P2, assuming the existence of a verified RAM erasure routine upon boot. We emphasize that this approach may increase the compiler's trusted code base. Ideally, it should be implemented and formally verified as part of a verified compiler suite, such as CompCert [34] .
C. Double-HMAC Call
Finally, complete stack erasure could also be achieved directly using currently verified HACL* properties, without any further modifications. This approach involves invoking HACL* HMAC function a second time, after the computation of the actual HMAC. The second "dummy" call would use the same input data, however, instead of using K, an independent constant, such as {0} 512 , would be used as the HMAC key.
Recall that HACL* is verified to only allocate memory in a static and deterministic manner. Also, due to HACL*'s verified properties that mitigate side-channels, software flow does not change based on the specific HMAC key. Therefore, this deterministic and static allocation implies that, for inputs of the same size, any variable allocated by the first "real" HMAC call (tainted by K), would be overwritten by the corresponding variable in the second "dummy" call. Note that the same guarantee discussed in Section VI-A is provided here and secure RAM erasure at boot would still be needed for the same reasons. Admittedly, this double-HMAC approach would consume twice as many CPU cycles. Still, it might be a worthwhile trade-off, especially, if there is memory shortage and lack of previously discussed HACL* or compiler extension.
VII. EVALUATION
We now discuss implementation details and evaluate VRASED's overhead and performance. Section VII-B reports on the system's verification complexity. Section VII-C presents VRASED's performance in terms of time and space complexity as well as its hardware overhead.
A. Implementation
As mentioned earlier, we use OpenMSP430 [22] as an open core implementation of the MSP430 architecture. Open-MSP430 is written in the Verilog hardware description language (HDL) and can execute software generated by any MSP430 toolchain with near cycle accuracy. We modified the standard OpenMSP430 to implement the hardware architecture presented in Section III-C, as shown in Figure 3 . This includes adding ROM to store K and SW-Att, adding HW-Mod, and adapting the memory backbone accordingly. We use Xilinx Vivado [51] -a popular open-source logic synthesis tool -to synthesize an RTL description of HW-Mod into hardware in a Field Programmable Gate Array (FPGA). FPGA synthesized hardware consists of a number of logic cells. Each logic cell consists of Look-Up Tables (LUTs) and registers; LUTs are used to implement combinatorial boolean logic while registers are used for sequential logic elements, i.e., FSM states and data storage. We compiled SW-Att using the native msp430gcc [48] and used Linker scripts to generate software images compatible with the memory layout of Figure 3 . Finally, we evaluated VRASED on the FPGA platform targeting Artix-7 [52] class of devices.
B. Verification Results
As discussed in Section III-B, VRASED's verification consists of secure RA properties P1-P7. P5 is achieved directly by executing SW-Att from ROM. Meanwhile, HACL* HMAC verification implies P4. All other high-level properties are automatically verified using NuSMV model checker. Table III reports the verification results of VRASED's HW-Mod composition as well as results for individual sub-modules. It shows that VRASED successfully achieves all the required security properties. These results also demonstrate feasibility of our verification approach, since the verification processrunning on a commodity desktop computer -consumes only small amount of memory and time: < 14MB and 0.3sec, respectively, for all properties.
C. Performance and Hardware Cost
In this section we report on VRASED's performance considering the standard design (described in Section IV) and alternatives discussed in Section VI. We evaluate the hardware footprint, memory (ROM and secure RAM), and run-time for attestation execution. Table II summarizes the results. Hardware Footprint. The secure stack approach adds around 434 lines of code in Verilog HDL. This corresponds to around 20% of the code in the original OpenMSP430 core. In terms of synthesized hardware, it requires 64 (3.3%) and 19 (2.3%) additional LUTs and registers respectively. Overall, VRASED contains 51 logic cells more than the unmodified OpenMSP430 core, corresponding to a 2.5% increase. Memory. VRASED requires ∼4.5KB of ROM; most of which (96%) is for storing HACL* HMAC-SHA256 code. The secure stack approach has the smallest ROM size, as it does not need to perform a memory clean-up in software. However, this advantage is attained at the price of requiring 2.3KBytes of reserved RAM. This overhead corresponds to 3.5% of MSP430 16-bit address space. Attestation Run-time. Attestation run-time is dominated by the time it takes to compute the HMAC of Prv's memory. The secure stack, erasure on SW-Att and compiler-based clean-up approaches take roughly .45s to attest 4KB of RAM on an MSP430 device with a clock frequency at 8MHz. Whereas, the double MAC approach requires invoking the HMAC function twice, leading its run-time to be roughly two times slower.
Discussion.
We consider VRASED's overhead to be affordable. The introduced hardware, considering registers, logic gates and exclusive memory, resulted in only a 2-4% increase. The number of cycles required by SW-Att exhibits a linear increase with the size of attested memory. As MSP430 typically runs at 8-25MHz, attestation of the entire RAM on a typical MSP430 can be computed in less than a second. VRASED's RA is relatively cheap to the Prv. As a point of comparison we can consider a common cryptographic primitive such as the Curve25519 Elliptic-Curve Diffie-Hellman (ECDH) key exchange. A single execution of an optimized version of such protocol on MSP430 has been reported to take ≈ 9 million cycles [24] . As Table II shows, attestation of 4KBytes (typical size of RAM in some MSP430 models) can be computed three times faster.
VIII. RELATED WORK
We are unaware of any previous work that yielded a formally verified RA design. To the best of our knowledge, VRASED is the first verification of a security service implemented as HW/SW co-design. Nevertheless, formal verification has been widely used as the de facto means to guarantee that a system is free of implementation errors and bugs. In recent years, several efforts focused on verifying securitycritical systems.
In terms of cryptographic primitives, Hawblitzel et al. [23] verified new implementations of SHA, HMAC, and RSA. Beringer et al. [5] verified the Open-SSL SHA-256 implementation. Bond et al. [8] verified an assembly implementation of SHA-256, Poly1305, AES and ECDSA. More recently, Zinzindohoué, et al. [53] developed HACL*, a verified cryptographic library containing the entire cryptographic API of NaCl [6] . As discussed earlier, HACL*'s verified HMAC forms the core of VRASED's software component.
Larger security-critical systems have also been successfully verified. For example, Bhargavan [7] implemented the TLS protocol with verified cryptographic security. CompCert [34] is a C compiler that is formally verified to preserve C code semantics in generated assembly code. Klein et al. [30] designed and proved functional correctness of seL4 -the first fully verified general-purpose microkernel. More recently, Tuncay et al. verified a design for Android OS App permissions model [49] .
The importance of verifying RA has been recently acknowledged by Lugou et al. [37] , which discussed methodologies for specifically verifying HW/SW RA co-designs. A follow-on result proposed the SMASH-UP tool [38] . By modeling a hardware abstraction, SMASH-UP allows automatic conversion of assembly instructions to the effects on hardware representation. Similarly, Cabodi et al. [12] , [11] discussed the first steps towards formalizing hybrid RA properties. However, none of these results yielded a fully verified (and publicly available) RA architecture, such as VRASED.
IX. CONCLUSION
This paper presents VRASED -the first formally verified RA method that uses a verified cryptographic software implementation and combines it with a verified hardware design to guarantee correct implementation of RA security properties. VRASED is also the first verified security service implemented as a HW/SW co-design. VRASED was designed with simplicity and minimality in mind. It results in efficient computation and low hardware cost, realistic even for low-end embedded systems. VRASED's practicality is demonstrated via publicly available implementation using the low-end MSP430 platform. The design and verification methodology presented in this paper can be extended to other MCU architectures. We believe that this work represents an important and timely advance in embedded systems security, especially, with the rise of heterogeneous ecosystems of (inter-)connected IoT devices. Since most IoT devices can not afford expensive computation (typically required in traditional security services designed for higher-end computers), we claim that a formally verified reference RA design is very important.
APPENDIX A: VRASED END-TO-END SOUNDNESS AND SECURITY PROOFS A. Proof Strategy
In this section we discuss the proofs for RA soundness (as in Definition 1) and RA security (as in Definition 2). Soundness is proved entirely via LTL equivalences. In the proof of security we first show, via LTL equivalences, that VRASED guarantees that adversary A can never learn K. We then prove security of VRASED by showing a reduction from HMAC existential unforgeability to VRASED security. In other words, we show that the existence of an adversary A that breaks VRASED implies the existence of adversary HMAC-A able to break the conjectured existential unforgeability of HMAC. The full machine-checked proofs for the LTL equivalences (using Spot 2.0 [18] proof assistant) discussed in the remainder of this section are available in [1] .
B. Machine Model
To prove that VRASED's design satisfies the end-to-end definitions of soundness and security for RA, we start by formally defining (in LTL) memory and execution models corresponding to the architecture introduced in Section III. Hence, the values stored in such regions always correspond to K and the instructions of SW-Att, respectively. Finally, the memory model states that M R, CR, AR, KR, and XS are disjoint regions in the memory layout, corresponding to the architecture presented in Figure 3 .
Our execution model, in Definition 5, translates MSP430 behavior by capturing the effects on the processor signals when reading and writing from/to memory. We do not model the effects of instructions that only modify register values (e.g., ALU operations such as add and mul) because those are not necessary in our proofs.
The execution model defines that a given memory address can be modified in two cases: by a CPU instruction or by DMA. In the first case (CPU), the W en signal must be on and D addr must contain the memory address being accessed. In the 3) Interrupt → X(P C) / ∈ CR Fig. 17 . Execution model second case, DM A en signal must be on and DM A addr must contain the address being modified by DMA. The requirements for reading from a given memory address are similar, with the difference that instead of W en , R en must be on. Finally, the execution model also captures the fact that an interrupt implies transitioning P C value to point to a memory address that is necessarily outside CR.
C. RA Soundness Proof
The proof for RA soundness follows from SW-Att functional correctness (expressed by Definition 3) and LTL specifications 3, 6, and 9: Theorem 1. VRASED is sound according to Definition 1.
Proof:
The formal computer proof for Theorem 1 can be found in [1] . We here try to convey the intuition behind such proof by splitting it into two parts. First, it is easy to see that SW-Att functional correctness (Definition 3) would imply Theorem 1 if the memory regions AR, CR, KR never change during SW-Att computation. However, memory model Definitions 4.1 and 4.2 already guarantee that CR and KR can never change. Therefore, what remains to be proved is that AR does not change during SW-Att computation. This is stated in Lemma 1. In turn, Lemma 1 can be proved by:
The reasoning behind Equation 11 is as follows:
• LT L 3 prevents the CPU from stopping execution of SW-Att before its last instruction. • LT L 6 guarantees that the only memory regions written by the CPU during SW-Att execution are XS and M R, which do not overlap with AR. • LT L 9 prevents DMA from writing to memory during SW-Att execution. Therefore, there are no means for modifying AR during SW-Att execution, implying Lemma 1. As discussed above, it is easy to see that:
D. RA Security Proof Recall the definition of RA security in the game in Figure 7 . The game makes two key assumptions: 1) SW-Att call results in a temporally consistent HMAC of AR using a key derived from K and Chal. This is already proved by VRASED's soundness. 2) A never has knowledge of K. Fig. 19 . Key confidentiality -K can not be accessed directly by untrusted software (¬(P C ∈ CR)) and memory ever written by SW-Att can never be read by untrusted software By proving that VRASED's design satisfies assumptions 1 and 2, we show that the capabilities of untrusted software (any DMA or CPU software other than SW-Att) on Prv are equivalent to the capabilities of adversary A in RA-game. Therefore, we still need to prove item 2 before we can use such game to prove VRASED's security. The proof of A's inability to learn K is facilitated by A6 -Callee-Saves-Register convention stated in Section III. A6 directly implies no leakage of information through registers on the return of SW-Att. This is because, before the return of a function, registers must be restored to the same state as before the function call. Thus, untrusted software can only learn K (or any function of K) through memory. However, if untrusted software can never read memory written by SW-Att, untrusted software never learns anything about K (not even through timing side channels since SW-Att is secret independent). From this observation, it suffices to prove that VRASED untrusted software can not access K directly and that it can never read memory written by SW-Att. These conditions are stated in LTL in Lemma 2. We prove that VRASED satisfies Lemma 2 by writing a computer proof (available in [1] ) for Equation 13 . The reasoning for such proof is similar to that of RA soundness and omitted due to space constraints.
LT L2 ∧ LT L5 ∧ LT L6 ∧ LT L7 ∧ LT L8 ∧ LT L9 → Lemma 2 (13) It is worth to emphasize that Lemma 2 does not restrict reads and writes to M R, since this memory is used for inputting Chal and receiving SW-Att result. Nonetheless, the already proved RA soundness and LTL 4 (which makes it impossible to execute fractions of SW-Att) guarantee that M R will not leak anything, because at the end of SW-Att computation it will always contain an HMAC result, which does not leak information about the key used in the HMAC (K in our case). After proving Lemma 2, the capabilities of untrusted software on Prv are equivalent to the capabilities of adversary A in RAgame of Definition 2. Therefore, the last remaining piece to prove VRASED's security is to show a reduction from HMAC security according to the game in Definition 2. VRASED's security is stated and proved in Theorem 2.
Theorem 2. VRASED is secure according to Definition 2 as long as HMAC is a secure MAC.
Proof: A MAC is defined as tuple of algorithms {Gen, Mac, Vrf}. For the reduction we construct a slightly modified HMAC , which has the same Mac and Vrf algorithms as standard HMAC but Gen ← KDF (K, Chal) where Chal ← ${0, 1} l .
Since KDF function itself is implemented as a Mac call, it is easy to see that the outputs of Gen are indistinguishable from random. In other words, the security of this slightly modified construction follows from the security of HMAC itself. Assuming that there exists A such that Pr[A, RAgame] > negl(l), we show that such adversary can be used to construct HMAC-A that breaks existential unforgeability of HMAC' with probability Pr[HMAC-A,MAC-game] > negl(l). To that purpose HMAC-A behaves as follows:
1) HMAC-A selects msg to be the same M = AR as in RA-game and asks A to produce the same output used to win RA-game. 2) HMAC-A outputs the pair (msg,σ) as a response for the challenge in the standard existential unforgeability game, where σ is the output produced by A in step 1.
By construction, (msg,σ) is a valid response to a challenge in the existential unforgeability MAC game considering HMAC as defined above. Therefore, HMAC-A is able to win the existential unforgeability game with the same > negl(l) probability that A has of winning RA-game in Definition 2. ( u i n t 3 2 _ t ) 6 4 , * ( ( u i n t 8 _ t * )CHALL_ADDR) , 10
( u i n t 3 2 _ t ) 3 2 ) ; 11 12 if ( ! memcmp (VRF_AUTH, v e r i f i c a t i o n , 3 2 ) 13 { 14
h a c l _ h m a c ( ( u i n t 8 _ t * ) key , ( u i n t 8 _ t * ) key , 15 ( u i n t 3 2 _ t ) 6 4 , ( u i n t 8 _ t * ) v e r i f i c a t i o n , 16 ( u i n t 3 2 _ t ) 3 2 ) ; 17 h a c l _ h m a c ( ( u i n t 8 _ t * ) MAC_ADDR, ( u i n t 8 _ t * ) key , 18 ( u i n t 3 2 _ t ) 3 2 , ( u i n t 8 _ t * ) ATTEST_DATA_ADDR, 19 ( u i n t 3 2 _ t ) ATTEST_SIZE ) ; 20 memcpy (CTR_ADDR, CHALL_ADDR, 3 2 ) ; 21 } 22 } 23 24
return ( ) ; 25 } Fig. 20 . SW-Att Implementation with Vrf authentication Depending on the setting where Prv is deployed, authenticating the attestation request before executing SW-Att may be required. For example, if Prv is in a public network, malicious devices may exist and may try to communicate with it. These devices can impersonate Vrf and send fake attestation requests to Prv, attempting to cause denial-of-service. This is particularly relevant if Prv is a safety-critical device. If Prv receives too many attestation requests, regular (and likely honest) software running on Prv would not execute because SW-Att would run all the time. Thus, we now discuss an optional part of VRASED's design that targets such settings. It supports and formally verifies authentication of Vrf as part of SW-Att execution. Our implementation is based on the protocol discussed in [10] . Figure 20 presents an implementation of SW-Att that includes Vrf authentication. It also builds upon HACL* verified HMAC to authenticate Vrf, in addition to computing the authenticated integrity check. In this case, Vrf's request additionally contains an HMAC of the challenge computed using K. Before calling SW-Att, software running on Prv is expected to store the received challenge on a fixed address CHALL_ADDR and the corresponding received HMAC on V RF _AU T H. SW-Att discards the attestation request if (1) the received challenge is less than or equal to the latest challenge, or (2) the HMAC of the received challenge is mismatched. After that, it derives a new unique key using HKDF [33] from K and the received HMAC and uses it as the attestation key.
HW-Mod must also be slightly modified to ensure the security of Vrf's authentication. In particular, regular software must not be able modify the memory region that stores Prv's counter. Notably, the counter requires persistent and writable storage, because SW-Att needs to modify the counter at the end of each attestation execution. Therefore CT R region resides on FLASH. We denote this region as:
• CT R = [CT R min , CT R max ]; Therefore, LTL Specifications 14 and 15 must hold (in addition to the ones discussed in Section IV).
G : {DM Aen ∧ (DM A addr ∈ CT R) → reset} (15) Specification 14 ensures that regular software does not modify Prv's counter, while Specification 15 ensures that the same modification is not possible to the DMA controller. The FSMs in Figures 10 and 13 , corresponding to HW-Mod access control and DMA sub-modules, must be modified to transition into Reset state according to these new conditions. In addition, LTL Specification 6 must be relaxed to also allow SW-Att to write to CT R. The implementation and verification of the modified version of these sub-modules are also publicly available at VRASED's repository [1] as an optional part of the design.
