On the difficulty of software-based attestation of embedded devices

Device attestation is an essential feature in many security protocols and applications. The lack of dedicated hardware and the impossibility of physically accessing the devices to be attested make attestation of embedded devices, in applications such as Wireless Sensor Networks, a prominent challenge. Several software-based attestation techniques have been proposed that rely either on tight time constraints or on the lack of free space to store malicious code. This paper investigates the shortcomings of existing software-based attestation techniques. We first present two generic attacks, one based on a return-oriented rootkit and the other on code compression. We further describe specific attacks on two existing proposals, namely SWATT and ICE-based schemes, and argue about the difficulty of fixing them. All attacks presented in this paper were implemented and validated on commodity sensors.
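To make the "tight time constraints" class of schemes concrete, the following Python sketch is an added illustration (not the paper's code, and not SWATT's exact algorithm) of a SWATT-style challenge: the verifier sends a nonce, the prover checksums its memory in a nonce-determined pseudo-random order, and the verifier accepts only if the checksum matches its own copy of the genuine image and the reply arrives within a time bound. The firmware image, the traversal function and the time bound are constructed assumptions.

```python
import hashlib
import os
import time

# Constructed sample standing in for a sensor node's 1 KiB program memory.
FIRMWARE = bytes(range(256)) * 4


def prng_indices(nonce: bytes, mem_len: int, rounds: int):
    """Nonce-seeded pseudo-random address sequence (simplified stand-in for
    SWATT's RC4-driven walk); the prover cannot know the order in advance."""
    state = hashlib.sha256(nonce).digest()
    for i in range(rounds):
        state = hashlib.sha256(state + i.to_bytes(4, "big")).digest()
        yield int.from_bytes(state[:4], "big") % mem_len


def attest_checksum(memory: bytes, nonce: bytes, rounds: int = 4096) -> int:
    """Checksum over memory visited in nonce-determined order. Each step mixes
    address, content and the running value, so a read that is skipped or
    redirected to a relocated copy changes the result (or costs extra cycles)."""
    acc = 0xA5A5A5A5
    for addr in prng_indices(nonce, len(memory), rounds):
        acc = ((acc ^ (memory[addr] << (addr & 7))) * 0x01000193 + addr) & 0xFFFFFFFF
        acc = ((acc << 5) | (acc >> 27)) & 0xFFFFFFFF  # rotate to spread bits
    return acc


def verify(expected_image: bytes, nonce: bytes, response: int,
           elapsed: float, time_bound: float):
    """Verifier side: the timing check comes first because a prover that has
    to emulate the genuine image (the attack surface the abstract discusses)
    is expected to exceed the bound even if it produces the right value."""
    if elapsed > time_bound:
        return False, "timeout"
    if response != attest_checksum(expected_image, nonce):
        return False, "checksum mismatch"
    return True, "ok"


def run_attestation(device_memory: bytes, time_bound: float = 1.0):
    """One full challenge/response round against an in-process 'device'."""
    nonce = os.urandom(16)
    t0 = time.perf_counter()
    response = attest_checksum(device_memory, nonce)  # prover's computation
    elapsed = time.perf_counter() - t0
    return verify(FIRMWARE, nonce, response, elapsed, time_bound)
```

The free-space assumption the abstract mentions is what makes the checksum meaningful at all: the verifier's copy must describe the entire memory, including regions that are supposed to be empty.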
