ABSTRACT
Unlike traditional processors, embedded Internet of Things (IoT) devices lack the resources to incorporate protection against modern, sophisticated attacks, which can have critical consequences. Remote attestation (RA) is a security service that establishes trust in the integrity of a remote device. Conventional RA is static and limited to detecting malicious modification of software binaries at load time; recent research has made progress towards runtime attestation, such as attesting the control flow of an executing program. However, existing control-flow attestation schemes are inefficient and remain vulnerable to sophisticated data-oriented programming (DOP) attacks, which subvert these schemes while keeping the control flow of the code intact. In this paper, we present LiteHAX, an efficient hardware-assisted remote attestation scheme for RISC-based embedded devices that detects both control-flow attacks and DOP attacks. LiteHAX continuously tracks both the control-flow and data-flow events of a program executing on a remote device and reports them to a trusted verifying party. We implemented and evaluated LiteHAX on a RISC-V System-on-Chip (SoC) and show that it has minimal performance and area overhead.
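The following toy model, added here as an illustration and not LiteHAX's own design or code, makes the abstract's argument concrete: a verifier that attests only the control-flow path accepts a run whose data accesses were manipulated, while a verifier that also covers data-flow events rejects it. The event format, the digest construction and the two traces are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Which event kinds each verifier variant folds into its digest.
CONTROL = frozenset({"branch"})                     # control-flow attestation only
BOTH = frozenset({"branch", "load", "store"})       # control flow plus data flow

@dataclass(frozen=True)
class Event:
    """One execution event reported by the (hypothetical) prover."""
    kind: str  # "branch": control flow; "load"/"store": data flow
    pc: int    # address of the instruction that produced the event
    addr: int  # branch target, or memory address accessed

def digest(trace, kinds):
    """Fold the selected event kinds, in order, into one attestation digest."""
    h = hashlib.sha256()
    for e in trace:
        if e.kind in kinds:
            h.update(f"{e.kind}:{e.pc:08x}:{e.addr:08x}\n".encode())
    return h.hexdigest()

def verify(trace, reference, kinds):
    """Verifier side: accept iff the prover's digest matches the reference run."""
    return digest(trace, kinds) == digest(reference, kinds)

# Constructed benign trace: read a flag at 0x2000, take a branch on it, then
# store a result to the authorised location 0x2004.
BENIGN = [
    Event("branch", 0x1000, 0x1010),
    Event("load",   0x1010, 0x2000),
    Event("branch", 0x1014, 0x1020),
    Event("store",  0x1020, 0x2004),
]
# Constructed DOP-style trace: the branch sequence is identical, but the store
# now lands on the flag at 0x2000, i.e. non-control data is corrupted without
# any change to the control flow.
DOP = [
    Event("branch", 0x1000, 0x1010),
    Event("load",   0x1010, 0x2000),
    Event("branch", 0x1014, 0x1020),
    Event("store",  0x1020, 0x2000),
]

def control_flow_only_detects_dop():
    return not verify(DOP, BENIGN, CONTROL)   # False: DOP run is accepted

def combined_detects_dop():
    return not verify(DOP, BENIGN, BOTH)      # True: data-flow mismatch is caught
```

Comparing against a single reference run only works when the benign data addresses are fixed for the attested input; how a verifier handles input-dependent data flow is beyond what the abstract states.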
LiteHAX: Lightweight Hardware-Assisted Attestation of Program Execution