Strategic Remote Attestation: Testbed for Internet-of-Things Devices and Stackelberg Security Game for Optimal Strategies

Internet of Things (IoT) devices and applications can have significant vulnerabilities, which may be exploited by adversaries to cause considerable harm. An important approach for mitigating this threat is remote attestation, which enables the defender to remotely verify the integrity of devices and their software. There are a number of approaches for remote attestation, and each has its unique advantages and disadvantages in terms of detection accuracy and computational cost. Further, an attestation method may be applied in multiple ways, such as various levels of software coverage. Therefore, to minimize both security risks and computational overhead, defenders need to decide strategically which attestation methods to apply and how to apply them, depending on the characteristic of the devices and the potential losses. To answer these questions, we first develop a testbed for remote attestation of IoT devices, which enables us to measure the detection accuracy and performance overhead of various attestation methods. Our testbed integrates two example IoT applications, memory-checksum based attestation, and a variety of software vulnerabilities that allow adversaries to inject arbitrary code into running applications. Second, we model the problem of finding an optimal strategy for applying remote attestation as a Stackelberg security game between a defender and an adversary. We characterize the defender’s optimal attestation strategy in a variety of special cases. Finally, building on experimental results from our testbed, we evaluate our model and show that optimal strategic attestation can lead to significantly lower losses than naïve baseline strategies.

[1]  Munir Geden,et al.  Hardware-assisted Remote Runtime Attestation for Critical Embedded Systems , 2019, 2019 17th International Conference on Privacy, Security and Trust (PST).

[2]  Prabhaker Mateti,et al.  ASLR and ROP Attack Mitigations for ARM-Based Android Devices , 2017, SSCC.

[3]  Alexandru Vulpe,et al.  Pass-IoT: A platform for studying security, privacy and trust in IoT , 2016, 2016 International Conference on Communications (COMM).

[4]  Jamal Bentahar,et al.  Resource-Aware Detection and Defense System against Multi-Type Attacks in the Cloud: Repeated Bayesian Stackelberg Game , 2019, IEEE Transactions on Dependable and Secure Computing.

[5]  Fernando Ordóñez,et al.  Building Real Stackelberg Security Games for Border Patrols , 2017, GameSec.

[6]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[7]  Ali Saman Tosun,et al.  A Testbed for Security and Privacy Analysis of IoT Devices , 2016, 2016 IEEE 13th International Conference on Mobile Ad Hoc and Sensor Systems (MASS).

[8]  Yuval Elovici,et al.  Security Testbed for Internet-of-Things Devices , 2019, IEEE Transactions on Reliability.

[9]  Bo An,et al.  Stackelberg Security Games: Looking Beyond a Decade of Success , 2018, IJCAI.

[10]  Gianluigi Ferrari,et al.  Design and Deployment of an IoT Application-Oriented Testbed , 2015, Computer.

[11]  Michael Wooldridge,et al.  Stackelberg Security Games with Multiple Uncoordinated Defenders , 2018, AAMAS.

[12]  Bin Xu,et al.  A Security Design for the Detecting of Buffer Overflow Attacks in IoT Device , 2018, IEEE Access.

[13]  Sencun Zhu,et al.  Distributed Software-based Attestation for Node Compromise Detection in Sensor Networks , 2007, 2007 26th IEEE International Symposium on Reliable Distributed Systems (SRDS 2007).

[14]  Emil C. Lupu,et al.  Attestation in Wireless Sensor Networks , 2016, ACM Comput. Surv..

[15]  Ahmad-Reza Sadeghi,et al.  Invited: Things, trouble, trust: On building trust in IoT systems , 2016, 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[16]  Vincent Conitzer,et al.  Stackelberg vs. Nash in security games: interchangeability, equivalence, and uniqueness , 2010, AAMAS.

[17]  Alexander S. Poznyak,et al.  Adapting strategies to dynamic environments in controllable stackelberg security games , 2016, 2016 IEEE 55th Conference on Decision and Control (CDC).

[18]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[19]  Fenghua Li,et al.  A Stackelberg Security Game for Adversarial Outbreak Detection in the Internet of Things , 2020, Sensors.

[20]  Shinsaku Kiyomoto,et al.  Lightweight Attestation Scheme for Wireless Sensor Network , 2014 .

[21]  Eric Fleury,et al.  FIT IoT-LAB: A large scale open experimental IoT testbed , 2015, 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT).

[22]  Rui Li,et al.  Towards a Low-Cost Remote Memory Attestation for the Smart Grid , 2015, Sensors.

[23]  Gene Tsudik,et al.  VRASED: A Verified Hardware/Software Co-Design for Remote Attestation , 2019, USENIX Security Symposium.