ACFA: Secure Runtime Auditing & Guaranteed Device Healing via Active Control Flow Attestation

Low-end embedded devices are increasingly used in various smart applications and spaces. They are implemented under strict cost and energy budgets, using microcontroller units (MCUs) that lack security features available in general-purpose processors. In this context, Remote Attestation (RA) was proposed as an inexpensive security service to enable a verifier (Vrf) to remotely detect illegal modifications to a software binary installed on a low-end prover MCU (Prv). Since attacks that hijack the software's control flow can evade RA, Control Flow Attestation (CFA) augments RA with information about the exact order in which instructions in the binary are executed, enabling detection of control flow attacks. We observe that current CFA architectures can not guarantee that Vrf ever receives control flow reports in case of attacks. In turn, while they support exploit detection, they provide no means to pinpoint the exploit origin. Furthermore, existing CFA requires either binary instrumentation, incurring significant runtime overhead and code size increase, or relatively expensive hardware support, such as hash engines. In addition, current techniques are neither continuous (only meant to attest self-contained operations) nor active (offer no secure means to remotely remediate detected compromises). To jointly address these challenges, we propose ACFA: a hybrid (hardware/software) architecture for Active CFA. ACFA enables continuous monitoring of all control flow transfers in the MCU and does not require binary instrumentation. It also leverages the recently proposed concept of Active Roots-of-Trust to enable secure auditing of vulnerability sources and guaranteed remediation when a compromise is detected. We provide an open-source reference implementation of ACFA on top of a commodity low-end MCU (TI MSP430) and evaluate it to demonstrate its security and cost-effectiveness

Sanctorum: A lightweight security monitor for secure enclaves

Enclaves have emerged as a particularly compelling primitive to implement trusted execution environments: strongly isolated sensitive user-mode processes in a largely untrusted software environment. While the threat models employed by various enclave systems differ, the high-level guarantees they offer are essentially the same: attestation of an enclave's initial state, as well as a guarantee of enclave integrity and privacy in the presence of an adversary. This work describes Sanctorum, a small trusted code base (TCB), consisting of a generic enclave-capable system, which is sufficient to implement secure enclaves akin to the primitive offered by Intel's SGX. While enclaves may be implemented via unconditionally trusted hardware and microcode, as it is the case in SGX, we employ a smaller TCB principally consisting of authenticated, privileged software, which may be replaced or patched as needed. Sanctorum implements a formally verified specification for generic enclaves on an in-order multiprocessor system meeting baseline security requirements, e.g., the MIT Sanctum processor and the Keystone enclave framework. Sanctorum requires trustworthy hardware including a random number generator, a private cryptographic key pair derived via a secure bootstrapping protocol, and a robust isolation primitive to safeguard sensitive information. Sanctorum's threat model is informed by the threat model of the isolation primitive, and is suitable for adding enclaves to a variety of processor systems.Comment: 6 page

Malware tolerance: Distributing trust over multiple devices

Current security solutions try to keep the adversary out of the computer infrastructure. However, with zero-day exploits and certain rootkit attacks, the assumption that attacks can be blocked does not hold any more. This work presents the concept of malware tolerance accepting that every device might be compromised at some point in time. The concept aims to distribute trust over several devices so that no single device is able to compromise security features by itself. I create three malware-tolerant techniques to demonstrate the feasibility of the concept. This thesis introduces a trusted input system which delivers keystrokes securely from the keyboard to a recipient even if one of its components is compromised. The second approach is the design of a self-healing Industrial Control System, a sensor-actuator network to securely control a physical system. If an adversary manages to compromise one of the components, it remains secure and can even recover from attacks. Lastly, this thesis proposes a mesh network architecture aimed at smart-home networks without assuming any device in the network invulnerable to attacks applying isolation mechanisms to otherwise flat mesh networks. This thesis gives formal security proofs with protocol verifier ProVerif. The proof scripts are open-source