7 research outputs found

    Secure Code Update for Embedded Devices via Proofs of Secure Erasure

    Abstract. Remote attestation is the process of verifying internal state of a remote embedded device. It is an important component of many security protocols and applications. Although previously proposed remote attestation techniques assisted by specialized secure hardware are effective, they are not yet viable for low-cost embedded devices. One notable alternative is software-based attestation, that is both less costly and more efficient. However, recent results identified weaknesses in some proposed software-based methods, thus showing that security of remote software attestation remains a challenge. Inspired by these developments, this paper explores an approach that relies neither on secure hardware nor on tight timing constraints typical of software-based techniques. By taking advantage of the bounded memory/storage model of low-cost embedded devices and assuming a small amount of read-only memory (ROM), our approach involves a new primitive – Proofs of Secure Erasure (PoSE-s). We also show that, even though it is effective and provably secure, PoSE-based attestation is not cheap. However, it is particularly well-suited and practical for two other related tasks: secure code update and secure memory/storage erasure. We consider several flavors of PoSE-based protocols and demonstrate their feasibility in the context of existing commodity embedded devices.

    Secure Remote Attestation

    More than ten years ago, a devastating data substitution attack was shown to successfully compromise all previously proposed remote attestation techniques. In fact, the authors went further than simply attacking previously proposed methods: they called into question whether it is theoretically possible for remote attestation methods to exist in the face of their attack. Subsequently, it has been shown that it is possible, by relying on self-modifying code. We show that it is possible to create remote attestation that is secure against all data substitution attacks, without relying on self-modifying code. Our proposed method relies on a construction of the checksum process that forces frequent L2 cache overflows if any data substitution attack takes place.

    VoteBox Nano: A smaller, stronger FPGA-based voting machine

    This thesis describes a minimal implementation of a cryptographically secure direct recording electronic (DRE) voting system, built with a low-cost Xilinx FPGA board. Our system, called VoteBox Nano, follows the same design principles as the VoteBox, a full-featured electronic voting system. The votes are encrypted using ElGamal homomorphic encryption and the correctness of the system can be challenged by real voters during an ongoing election. In order to fit within the limits of a minimal FPGA, VoteBox Nano eliminates VoteBox's sophisticated network replication mechanism and full-color bitmap graphics system. In return, VoteBox Nano runs without any operating or language runtime system and interacts with the voter using simple character graphics, radically shrinking the implementation complexity. VoteBox Nano also integrates a true random number generator (TRNG), providing improved security. In order to deter hardware tampering, we used the FPGA's native JTAG interface coupled with the TRNG. At boot-time, the proper FPGA configuration displays a random number on the built-in display. Any interaction with the JTAG interface will change this random number, allowing the poll workers to detect election-day tampering, simply by observing whether the number has changed.

    Proof of Concept of a Trusting-Trust Attack (Prova de conceito de ataque trusting-trust)

    Monograph (undergraduate), Universidade de Brasília, Institute of Exact Sciences, Department of Computer Science, 2013.

    Abstract. In 1984, Kenneth Thompson described a method of code corruption proceeded by means of a compiler, surreptitiously subverting programs during compilation process. Given the importance and broad usage of compilers, corruptions of this kind are capable of affecting virtually any class of computer system. Code modifications of this nature are today commonly referred to as trusting trust attacks, and they explore the fact that a compiler is usually seen as a software artifact disproved of any ill intent. Considering how widespread informational systems are and also given the current context of espionage/cyberwar, trusting trust attacks show up as important cyber weaponry, loaded with a broad range of effect, complex detection and considerable simplicity in its creation. Respecting a responsible disclosure approach, this work tries to explore the process of construction of a trusting trust attack aimed at the GCC compiler and based on a real vulnerability, more precisely the Debian/OpenSSL case occurred in 2006. During the exposition, emphasis is given to the importance of adopting a careful approach towards software artifacts obtained from third parties, and, mainly, the importance of being cautious with the very third parties that provide them.

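    Proceedings of the Fifth National Days of the CNRS Research Group on Programming and Software Engineering (Actes des Cinquièmes journées nationales du Groupement De Recherche CNRS du Génie de la Programmation et du Logiciel)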

    National audience. This document contains the proceedings of the Fifth National Days of the CNRS Research Group on Programming and Software Engineering (Groupement De Recherche CNRS du Génie de la Programmation et du Logiciel, GDR GPL), held in Nancy from 3 to 5 April 2013. The contributions presented in this document were selected by the GDR's various working groups. They are abstracts, new versions, posters and demonstrations corresponding to work that has already been validated by the programme committees of other conferences and journals, and whose rights belong exclusively to their authors.

    Alien vs. Quine, the Vanishing Circuit and Other Tales from the Industry’s Crypt

    No full text