TRACES: TEE-based Runtime Auditing for Commodity Embedded Systems
Learn about TRACES, a TEE-based runtime auditing system for commodity embedded devices that enhances security by providing control flow attestation. Explore the concepts of Remote Attestation, Control Flow Attestation, and the challenges in ensuring the integrity of embedded devices.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
TRACES: TEE-based Runtime Auditing for Commodity Embedded Systems Adam I. Caulfield+ , Antonio Joia Neto+ , Norrathep Rattanavipanon*, Ivan De OIiveira Nunes+ +Rochester Institute of Technology; *Prince of Songkla University, Phuket Campus 1
1. Introduction 2. Background Remote Attestation Control Flow Attestation Runtime Auditing 3. TRACES 4. Evaluation 5. Conclusion 2
Embedded devices Low-cost, energy efficient MCUs Limited processing power, memory size , memory protection, etc .. Resource constrained impact security features Execute safety-critical tasks in modern systems 3
Remote Attestation (RA) A security mechanism designed to verify the integrity of embedded devices. Verifier Prover (1) Challenge Ensures that the device's software state is untampered and operating as expected. How it works : (2) Perform authenticated measurement A trusted verifier (e.g., server or monitoring system) requests evidence of the device's integrity. (3) Response (4) Verify response The device (prover) generates a cryptographic response based on its current software state. The verifier checks the response to confirm the device is secure. 4
2. Bacground Control Flow Attestation (CFA) CFA extends RA to provide proof of runtime behavior of the application Verifier Prover (1) Challenge Prover records a trace of the control flow transfers (branches) during execution (2) Execute & trace; Then, perform authenticated measurement (3) Response (4) Verify response The trace and memory are measured to obtain proof about both static and runtime states 5
Control Flow Attestation (CFA) auth = 0 A Secure Memory Region A B C D if (auth) do else function2() end def function1(){ } def function2(){ } function1(); B C Proof of Control Flow Execution (Evidence) CFA E A C F D F E F D 6
A challenge with attestation Attestation is a passive technique Verifier Prover Challenge Compromised Prover may not participate in the protool X No response detect compromise No Response Ignores challenge but Cannot obtain proof of the exact malicious behavior 8
After detection How to resolve compromises? Usually: Shut down! Reboot X Not guaranteed since adversary Detected compromise Now what? Physical intervention I can t hear you! 9
Runtime auditing Guarantees runtime evidence is accurate/authentic Guarantee eventual delivery of runtime evidence to Vrf Assuming eventual communication Remotely intervene after compromise detection 10
Current Models: Achieve Runtime Audition with hardware modifications Our Contribution: First design realizing secure runtime auditing on off-the-shelf MCUs o Can be deployed in devices that are currently In the market 11
System Model Prover Device Secure World Non-Secure World Application TRACES MCU Adversary has total control over the Non-Secure World (including access to privilege mode, interrupt triggers, peripheral configurations) 12
TrustZone in ARM Cortex-M Security extension for ARM Cortex-M and -A profiles Splits memory into two security states Secure and Non-Secure Peripherals and Memory can be assigned as Secure or Non-Secure by code executing in Secure state Non-Secure state cannot access or execute resources assigned to Secure state. Secure World always initialize before Non Secure World 13
TRACES: Key Idea 1. Have a Secure World framework to achieve runtime auditing of the Non-Secure World application. a. Manage the execution and attestation of applications in the Non-Secure world b. Enforce Trigger generation/transmission of evidence from the Secure World. c. Implement heal function in Secure World, and execute after Vrf responds. 14
TRACES Workflow: Verifier Offline phase Control Flow Attestation Instrumentation : App source Binary analysis on the Application during compilation time Instrument Application with additional instructions to track its execution control flow Static Analysis Instrumented Application is deployed in the Non-Secure World Instrumented App 15
TRACES Workflow: Online phase Three modules: Non-Secure Secure 1. Supervisor: Boot Core NVIC Configurations & communication TRACES Supervisor SYSCFG 2. CFA Engine: Instrumented App CFV Resolver SAU Logging and report generation CFA Engine 3. CFV Resolver: MPU Configurable healing action Runtime Report 16
TRACES Workflow: Online phase Upon startup, Supervisor configures the system Non-Secure Secure Boot Core NVIC TRACES Configures secure timer through NVIC as watchdog timer Supervisor SYSCFG Instrumented App CFV Resolver SAU CFA Engine MPU RUntime Report 17
TRACES Workflow: Online phase Upon startup, Supervisor configures the system Non-Secure Secure Boot Configures MPU so that: App data is non-executable App code is immutable Core NVIC TRACES Supervisor SYSCFG Revokes access to MPU through SYSCFG and SAU Instrumented App CFV Resolver SAU Deactivate interrrupts in the Non Secure World CFA Engine MPU Measures state of App (hash) Hap p CFLog ? ? Waits for an attestation request 18
TRACES Workflow: Online phase With these configurations, compromised Non-Secure World cannot tamper with: Non-Secure Secure Boot Core NVIC 1. The secure watchdog TRACES 2. Binary of the Instrumented App Supervisor SYSCFG Instrumented App CFV Resolver SAU 3. Non Secure Interrupts CFA Engine MPU Hap p CFLog ? ? 19
TRACES Workflow: Online phase Upon receiving an authentic challenge, the Supervisor starts running App Non-Secure Secure Boot Core NVIC TRACES Supervisor SYSCFG Instrumented App CFV Resolver SAU CFA Engine MPU Hap p CFLog ? ? 20
TRACES Workflow: Online phase Upon receiving an authentic challenge, the Supervisor starts running App Non-Secure Secure Boot Core NVIC TRACES Instrumented instructions in App call CFA Engine at branches Supervisor SYSCFG Instrumented App CFV Resolver SAU CFA Engine writes the destination address of the branch to the CFLog CFA Engine MPU Hap p CFLog ? ? 21
TRACES Workflow: Online phase During App execution, a new report is generated when Non-Secure Secure Boot Core NVIC THIS ARE THE THINGS TO ACHIEVE AUDITING active root of trust TRACES Supervisor SYSCFG Instrumented App Timeout has been reached CFV Resolver SAU CFLog reaches maximum size CFA Engine App has concluded MPU Runtime Report 22
TRACES Workflow: Online phase CFA Engine generates report by computing a MAC (? ?) over: Non-Secure Secure Boot CFLog, Happ, and challenge Core NVIC TRACES Supervisor SYSCFG Instrumented App CFV Resolver SAU CFA Engine MPU Hap p CFLog ? ? 23
TRACES Workflow: Online phase CFA Engine generates report by computing a MAC (? ?) over: Non-Secure Secure Boot CFLog, Happ, and challenge Core NVIC TRACES Supervisor SYSCFG Once ? ? is generated, CFA Engine invokes Supervisor to transmit report Instrumented App CFV Resolver SAU CFA Engine MPU Hap p CFLog ? ? 24
TRACES Workflow: Online phase CFA Engine generates report by computing a MAC (? ?) over: Non-Secure Secure Boot CFLog, Happ, and challenge Core NVIC TRACES Supervisor SYSCFG Once ? ? is generated, CFA Engine invokes Supervisor to transmit report Instrumented App CFV Resolver SAU CFA Engine MPU Supervisor waits in an idle state until receiving an authentic message back from Vrf Hap p CFLog ? ? 25
TRACES Workflow: Online phase After receiving an authentic message back from Vrf, the Supervisor: Non-Secure Secure Boot Invokes CFV Resolver to execute the configured remediation action Core NVIC TRACES Supervisor Resumes App SYSCFG Instrumented App CFV Resolver SAU Ends App and waits for next request CFA Engine MPU Hap p CFLog ? ? 26
TRACES Workflow: Online phase If Adversary causes a reboot during the attestation: Non-Secure Secure Boot Core NVIC Supervisor generates a new report And send to verifier before executing anything else TRACES Supervisor SYSCFG Instrumented App CFV Resolver SAU CFA Engine MPU Hap p CFLog ? ? 27
TRACES: End-to-end timing results End-to-end runtime of TRACES compared to (best-effort) CFA for one report ~2.2 ms additional runtime 28
TRACES: End-to-end timing results End-to-end runtime as maximum storage for CFLogdecreases 29
Conclusion Contribution: TRACES achieves runtime auditing for off-the-shelf MCUs Limitations: Trade-offs in overheads Requires App instrumentation Small CFLogstorage less memory, but more latency Large CFLogstorage more memory, but less latency 30
Thank you https://github.com/RIT-CHAOS-SEC/TRACES 31
2. Background Remote Attestation (RA) How it works: Verifier: device operator/owner Prover: remotely deployed MCU Verifier Prover (1) Challenge Root of trust measures Prover s internal state Computes authenticated integrity- ensuring function (2) Perform authenticated measurement (3) Response (4) Verify response 32
