PADS: Practical Attestation for Highly Dynamic Swarm Topologies

Remote attestation protocols are widely used to detect device configuration (e.g., software and/or data) compromise in Internet of Things (IoT) scenarios. Unfortunately, the performances of such protocols are unsatisfactory when dealing with thousands of smart devices. Recently, researchers are focusing on addressing this limitation. The approach is to run attestation in a collective way, with the goal of reducing computation and communication. Despite these advances, current solutions for attestation are still unsatisfactory because of their complex management and strict assumptions concerning the topology (e.g., being time invariant or maintaining a fixed topology). In this paper, we propose PADS, a secure, efficient, and practical protocol for attesting potentially large networks of smart devices with unstructured or dynamic topologies. PADS builds upon the recent concept of non-interactive attestation, by reducing the collective attestation problem into a minimum consensus one. We compare PADS with a state-of-the art collective attestation protocol and validate it by using realistic simulations that show practicality and efficiency. The results confirm the suitability of PADS for low-end devices, and highly unstructured networks.Comment: Submitted to ESORICS 201

Remote Attestation for Secure Internet of Things

The Internet of things (IoT) are increasingly exposed to a wide range of security threats. Despite the enormous opportunities that IoT world offers, IoT devices are prone to many cyberattacks. One effective security mechanism to identify malicious entities in an IoT system is Remote Attestation. Remote Attestation is an interactive protocol that allows a remote trusted Verifier to assess the integrity of an untrusted device by typically checking whether the received measurement conforms to an expected legitimate configuration. In this thesis, we provide a four-fold contribution, (1) we review working mechanisms of state-of-the-art Collective Remote Attestation (CRA) techniques 2) we address the problem of device mobility during attestation and asynchronous attestation of IoT services, (3) we propose a novel configurable-hardware enabled remote attestation techniques for low-end embedded devices, and, (4) we show how remote attestation can be employed to provide security and safe operation to other traditional applications

Remote Attestation for Secure Internet of Things

The Internet of things (IoT) are increasingly exposed to a wide range of security threats. Despite the enormous opportunities that IoT world offers, IoT devices are prone to many cyberattacks. One effective security mechanism to identify malicious entities in an IoT system is Remote Attestation. Remote Attestation is an interactive protocol that allows a remote trusted Verifier to assess the integrity of an untrusted device by typically checking whether the received measurement conforms to an expected legitimate configuration. In this thesis, we provide a four-fold contribution, (1) we review working mechanisms of state-of-the-art Collective Remote Attestation (CRA) techniques 2) we address the problem of device mobility during attestation and asynchronous attestation of IoT services, (3) we propose a novel configurable-hardware enabled remote attestation techniques for low-end embedded devices, and, (4) we show how remote attestation can be employed to provide security and safe operation to other traditional applications

A Novel FPGA Architecture and Protocol for the Self-attestation of Configurable Hardware

Field-Programmable Gate Arrays or FPGAs are popular platforms for hardware-based attestation. They offer protection against physical and remote attacks by verifying if an embedded processor is running the intended application code. However, since FPGAs are configurable after deployment (thus not tamper-resistant), they are susceptible to attacks, just like microprocessors. Therefore, attesting an electronic system that uses an FPGA should be done by verifying the status of both the software and the hardware, without the availability of a dedicated tamper-resistant hardware module. Inspired by the work of Perito and Tsudik, this paper proposes a partially reconfigurable FPGA architecture and attestation protocol that enable the self-attestation of the FPGA. Through the use of our solution, the FPGA can be used as a trusted hardware module to perform hardware-based attestation of a processor. This way, an entire hardware/software system can be protected against malicious code updates

SPLIT: A Secure and Scalable RPL routing protocol for Internet of Things

Due to recent notorious security threats, like Mirai-botnet, it is challenging to perform efficient data communication and routing in low power and lossy networks (LLNs) such as Internet of Things (IoT), in which huge data collection and processing are predictable. The Routing Protocol for low power and Lossy networks (RPL) is recently standardized as a routing protocol for LLNs. However, the lack of scalability and the vulnerabilities towards various security threats still pose a significant challenge in the broader adoption of RPL in LLNs.To address these challenges, we propose SPLIT, a secure and scalable RPL routing protocol for IoT networks. SPLIT effectively uses a lightweight remote attestation technique to ensure software integrity of network nodes. To avoid additional overhead caused by attestation messages, SPLIT piggybacks attestation process on the RPL's control messages. Thus, SPLIT enjoys the low energy consumption and scalability features of RPL protocol, which are essential in resource-constrained large scale networks such as IoT. The simulation results for different IoT scenarios show the effectiveness of SPLIT compared to the state-of-the-art in presence of different types of attacks, concerning metrics such as packet delivery ratio and energy consumption

Attestation-enabled Secure and Scalable Routing protocol for IoT Networks

none4siCybercrime in the past decade has experienced an all-time high due to the inclusion of so-called smart devices in our daily lives. These tiny devices with brittle security features are often dubbed as the Internet of Things (IoT). Their inclusion is not only limited to our daily lives but also in different fields, for example, healthcare, smart-industries, aviation, and smart-cities. Although IoT devices make our lives easy and perform our jobs in a smart way, but their fragile security mechanisms pose a severe challenge regarding safety and privacy of its users. Attacks like Stuxnet, and Mirai-botnet are the key examples of the damages that can be caused by maliciously controlling these devices. One effective tool to identify a malicious entity at a network device is to perform Remote Attestation (RA). However, performing RA over a large, heterogeneous IoT network is difficult tasks due to resource constrain nature of these networks. To this end, we propose a novel scheme called SARP, which is an attestation-assisted secure and scalable routing protocol for IoT networks. SARP performs attestation in large scale IoT networks by using Routing Protocol for Low Power and Lossy Networks (RPL) framework and exploiting the inbuilt features of RPL. In particular, SARP uses attestation technique that not only secures the network from internal attacks, but it also provides security to RPL’s data communication process, which helps to improve the overall network performance. Moreover, SARP supports network mobility, device heterogeneity, and network scalability, while it does not sacrifice the key requirements of IoT networks such as low energy and memory consumption, and low network overhead. The simulation results obtained in different IoT scenarios in presence of various types of attacks show the effectiveness of SARP, concerning energy consumption, packet delivery ratio, network overhead, data integrity, and communication security.noneMauro Conti, Pallavi Kaliyar, Md Masoom Rabbani, Silvio RaniseConti, Mauro; Kaliyar, Pallavi; Masoom Rabbani, Md; Ranise, Silvi

SHeLA: Scalable Heterogeneous Layered Attestation

status: publishe

PROVE:Provable remote attestation for public verifiability

The expanding attack surface of Internet of Things (IoT) systems calls for innovative security approaches to verify the reliability of IoT devices. To this end, Remote Attestation (RA) serves as a key mechanism that remotely detects the presence of malware in IoT devices. Typically, RA allows a centralized trusted Verifier to retrieve reliable evidence about the software integrity of an untrusted Prover. Existing RA schemes generally rely on the assumption that the Verifier and the Prover know each other and have pre-shared cryptographic keys during the bootstrap phase. However, these assumptions are not realistic to employ over commonly used event-driven IoT networks, in which the interacting parties do not know each other and do not communicate directly. This paper proposes PROVE, a novel protocol that allows many Verifiers to attest one or more Provers without pre-shared key material and without using public-key cryptography which is often not suitable for resource-constraint IoT devices. In particular, PROVE considers a realistic IoT system where devices adopt the publish/subscribe communication paradigm. In PROVE, the subscribers act as untrusted Verifiers and attest not only the firmware integrity of the publishers that act as untrusted Provers but also the authenticity of the received data originated from these publishers. We simulate PROVE on the Contiki emulator and demonstrate the scalability of the solution. We also validate PROVE through two hardware proof-of-concept implementations: PROVE and PROVE+, which rely on different cryptographic cores. The results show that a complete execution of the protocol takes 4605 ns and 324 ns for PROVE and PROVE+, respectively.</p