C-FLAT: Control-FLow ATtestation for Embedded Systems Software
Remote attestation is a crucial security service particularly relevant to
increasingly popular IoT (and other embedded) devices. It allows a trusted
party (verifier) to learn the state of a remote, and potentially
malware-infected, device (prover). Most existing approaches are static in
nature and only check whether benign software is initially loaded on the
prover. However, they are vulnerable to run-time attacks that hijack the
application's control or data flow, e.g., via return-oriented programming or
data-oriented exploits. As a concrete step towards more comprehensive run-time
remote attestation, we present the design and implementation of Control-FLow
ATtestation (C-FLAT) that enables remote attestation of an application's
control-flow path, without requiring the source code. We describe a full
prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone
hardware security extensions. We evaluate C-FLAT's performance using a
real-world embedded (cyber-physical) application, and demonstrate its efficacy
against control-flow hijacking attacks.
Comment: Extended version of article to appear in CCS '16 Proceedings of the
23rd ACM Conference on Computer and Communications Securit
On Making Emerging Trusted Execution Environments Accessible to Developers
New types of Trusted Execution Environment (TEE) architectures like TrustLite
and Intel Software Guard Extensions (SGX) are emerging. They bring new features
that can lead to innovative security and privacy solutions. But each new TEE
environment comes with its own set of interfaces and programming paradigms,
thus raising the barrier for entry for developers who want to make use of these
TEEs. In this paper, we motivate the need for realizing standard TEE interfaces
on such emerging TEE architectures and show that this exercise is not
straightforward. We report on our on-going work in mapping GlobalPlatform
standard interfaces to TrustLite and SGX.
Comment: Author's version of article to appear in 8th International Conference
on Trust & Trustworthy Computing, TRUST 2015, Heraklion, Crete, Greece,
August 24-26, 201
The Lazarus Effect: Healing Compromised Devices in the Internet of Small Things
We live in a time when billions of IoT devices are being deployed and
increasingly relied upon. This makes ensuring their availability and
recoverability in case of a compromise a paramount goal. The large and rapidly
growing number of deployed IoT devices make manual recovery impractical,
especially if the devices are dispersed over a large area. Thus, there is a
need for a reliable and scalable remote recovery mechanism that works even
after attackers have taken full control over devices, possibly misusing them or
trying to render them useless.
To tackle this problem, we present Lazarus, a system that enables the remote
recovery of compromised IoT devices. With Lazarus, an IoT administrator can
remotely control the code running on IoT devices unconditionally and within a
guaranteed time bound. This makes recovery possible even in case of severe
corruption of the devices' software stack. We impose only minimal hardware
requirements, making Lazarus applicable even for low-end constrained
off-the-shelf IoT devices. We isolate Lazarus's minimal recovery trusted
computing base from untrusted software both in time and by using a trusted
execution environment. The temporal isolation prevents secrets from being
leaked through side-channels to untrusted software. Inside the trusted
execution environment, we place minimal functionality that constrains untrusted
software at runtime.
We implement Lazarus on an ARM Cortex-M33-based microcontroller in a full
setup with an IoT hub, device provisioning and secure update functionality. Our
prototype can recover compromised embedded OSs and bare-metal applications and
prevents attackers from bricking devices, for example, through flash wear out.
We show this at the example of FreeRTOS, which requires no modifications but
only a single additional task. Our evaluation shows negligible runtime
performance impact and moderate memory requirements.
Comment: In Proceedings of the 15th ACM Asia Conference on Computer and
Communications Security (ASIA CCS 20
Trusted Hart for Mobile RISC-V Security
The majority of mobile devices today are based on Arm architecture that
supports the hosting of trusted applications in Trusted Execution Environment
(TEE). RISC-V is a relatively new open-source instruction set architecture that
was engineered to fit many uses. In one potential RISC-V usage scenario, mobile
devices could be based on RISC-V hardware.
We consider the implications of porting the mobile security stack on top of a
RISC-V system on a chip, identify the gaps in the open-source Keystone
framework for building custom TEEs, and propose a security architecture that,
among other things, supports the GlobalPlatform TEE API specification for
trusted applications. In addition to Keystone enclaves the architecture
includes a Trusted Hart -- a normal core that runs a trusted operating system
and is dedicated for security functions, like control of the device's keystore
and the management of secure peripherals.
The proposed security architecture for RISC-V platform is verified
experimentally using the HiFive Unleashed RISC-V development board.
Comment: This is an extended version of a paper that has been published in
Proceedings of TrustCom 202