SEDAT: Security Enhanced Device Attestation with TPM2.0

Remote attestation is one of the ways to verify the state of an untrusted device. Earlier research has attempted remote verification of a device's state using hardware, software, or hybrid approaches. The majority of them have used an Attestation Key as the hardware root of trust, which does not detect hardware modification or counterfeit issues. In addition, they do not have a secure communication channel between verifier and prover, which makes them susceptible to modern security attacks. This paper presents SEDAT, a novel methodology for remote attestation of the device via a security enhanced communication channel. SEDAT performs hardware, firmware, and software attestation. SEDAT enhances the communication protocol security between verifier and prover by using the Single Packet Authorization (SPA) technique, which provides replay and Denial of Service (DoS) protection. SEDAT provides a way for the verifier to get on-demand device integrity and authenticity status via a secure channel. It also enables the verifier to detect counterfeit hardware and changes in firmware and software code on the device. SEDAT validates the manufacturer's root CA certificate, platform certificate, endorsement certificate (EK), and attribute certificates to perform platform hardware attestation. SEDAT is the first known tool that represents firmware and Integrity Measurement Authority (IMA) event logs in the Canonical Event Log (CEL) format (recommended by the Trusted Computing Group). SEDAT is the first implementation, to the best of our knowledge, that showcases end-to-end hardware, firmware, and software remote attestation using a Trusted Platform Module (TPM2.0) that is resilient to DoS and replay attacks. SEDAT is the first remote verifier capable of retrieving a TPM2.0 quote from the prover and validating it after regeneration, using a software TPM2.0 quote check. All source code, tools, and kernel patches are open-sourced under the BSD 2-Clause License.
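The abstract describes the verifier regenerating the expected platform state from the event log and checking it against the TPM2.0 quote, with a freshness value guarding against replay. The following Python is an added illustration of that verifier-side logic and is not SEDAT's code; it assumes a constructed SHA-256 event log, a simplified `Quote` structure standing in for the relevant TPMS_ATTEST fields (`extraData` nonce, PCR selection, `pcrDigest`), and omits the Attestation Key signature check over the attest blob, which a real verifier performs first.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs start as all-zero bytes

# Constructed sample event log, not taken from the paper:
# each entry is (PCR index, SHA-256 digest of the measured object).
SAMPLE_EVENTS: List[Tuple[int, bytes]] = [
    (0, hashlib.sha256(b"firmware-volume-A").digest()),
    (0, hashlib.sha256(b"firmware-volume-B").digest()),
    (10, hashlib.sha256(b"/usr/bin/example-binary").digest()),
]


def replay_pcrs(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute PCR values from an event log using the TPM extend rule
    PCR_new = H(PCR_old || event_digest), starting from all-zero PCRs."""
    pcrs: Dict[int, bytes] = {}
    for idx, digest in events:
        old = pcrs.get(idx, bytes(PCR_SIZE))
        pcrs[idx] = hashlib.sha256(old + digest).digest()
    return pcrs


def pcr_composite_digest(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """TPM2_Quote reports pcrDigest = H(selected PCR values concatenated in
    ascending index order); an unextended PCR contributes its zero value."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(pcrs.get(idx, bytes(PCR_SIZE)))
    return h.digest()


@dataclass(frozen=True)
class Quote:
    """Simplified stand-in (assumption) for the TPMS_ATTEST fields a verifier checks."""
    nonce: bytes                 # extraData: verifier-chosen freshness value
    selection: Tuple[int, ...]   # which PCRs the quote covers
    pcr_digest: bytes            # pcrDigest as attested by the TPM


def make_quote(nonce: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> Quote:
    """Prover side (simulated): build the quote the TPM would produce for these PCRs."""
    return Quote(nonce, selection, pcr_composite_digest(pcrs, selection))


def verify_quote(quote: Quote, expected_nonce: bytes,
                 event_log: List[Tuple[int, bytes]]) -> Tuple[bool, str]:
    """Verifier side: reject stale/replayed quotes via the nonce, then confirm the
    event log fully explains the attested PCR digest. The AK signature over the
    attest blob must be verified before trusting any of these fields (omitted here)."""
    if not hmac.compare_digest(quote.nonce, expected_nonce):
        return False, "nonce mismatch: stale or replayed quote"
    expected = pcr_composite_digest(replay_pcrs(event_log), quote.selection)
    if not hmac.compare_digest(quote.pcr_digest, expected):
        return False, "pcrDigest mismatch: event log does not explain PCR state"
    return True, "ok"


if __name__ == "__main__":
    nonce = b"verifier-chosen-nonce"
    quote = make_quote(nonce, replay_pcrs(SAMPLE_EVENTS), (0, 10))
    print(verify_quote(quote, nonce, SAMPLE_EVENTS))
    # A log with an extra, unattested measurement no longer matches the quote:
    tampered = SAMPLE_EVENTS + [(10, hashlib.sha256(b"unexpected-module").digest())]
    print(verify_quote(quote, nonce, tampered))
```

The two checks are independent: a correct digest with a reused nonce is a replay, and a fresh nonce with a digest the log cannot reproduce means the log or the platform state was altered. Either outcome should be treated as a failed attestation.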
