SeED: Secure Non-Interactive Attestation for
Embedded Devices
Ahmad Ibrahim Ahmad-Reza Sadeghi
TU Darmstadt TU Darmstadt
[email protected]. [email protected].
de de
ABSTRACT
Remote attestation is a security service that is typically realized
by an interactive challenge-response protocol that allows a trusted
verifier to capture the state of a potentially untrusted remote device.
However, existing attestation schemes are vulnerable to Denial of
Service (DoS) attacks, which can be carried out by swamping the
targeted device with fake attestation requests.
In this paper, we propose SeED, the first non-interactive attesta-
tion protocol that mitigates DoS attacks and is highly efficient.
Designing such a protocol is not straightforward, since it relies on
a potentially malicious prover to trigger the attestation process. We
investigate the related challenges and subtleties and describe how
to address them with minimal assumptions. As evaluation results
show, our non-interactive attestation protocol is particularly suit-
able for resource-constrained embedded devices, since it is highly
efficient in terms of power consumption and communication.
ACM Reference format:
Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni. 2017. SeED:
Secure Non-Interactive Attestation for Embedded Devices. In Proceedings
of WiSec ’17 , Boston, MA, USA, July 18-20, 2017, 11 pages.
https://doi.org/10.1145/3098243.3098260
1 INTRODUCTION
Embedded devices are proliferating into numerous and diverse
aspects of everyday life. These devices are utilized in different
domains ranging from tiny personal gadgets to large industrial in-
stallations. Unlike traditional computing devices, embedded devices
are (1) limited in cost, size, energy consumption, and computing
power; (2) have limited and intermittent connectivity; and (3) lack
the resources necessary to defend themselves against attacks. As
a consequence, despite obvious benefits, enabling remote access
to such unprotected devices with limited resources poses a great
security challenge. Indeed, these devices present an attractive tar-
get for remote attackers, and a successful attack would have major
consequences compromising both privacy and safety.
Malware infestation involves modifying a device’s firmware and/or
software, and replacing benign code with a malicious one. This can
cause the destruction of physical equipment (e.g., see Stuxnet [34]),
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from [email protected].
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
© 2017 Association for Computing Machinery.
ACM ISBN 978-1-4503-5084-6/17/07. . . $15.00
https://doi.org/10.1145/3098243.3098260
Shaza Zeitouni
TU Darmstadt
[email protected].
de
or enables a more sophisticated attack threatening safety of the
users (e.g., see Jeep hack [1]).
One important defense mechanism against malware infestation,
is remote attestation. Remote attestation is a security service that
enables the detection of malware attacks on embedded devices. It is
usually realized as an interactive protocol between a trusted entity
(denoted by the verifier), and one (or multiple) untrusted remote
prover(s). The successful execution of this protocol provides assur-
ance to the verifier about the trustworthiness of (every) prover’s
software (i.e., absence of malware).
Existing attestation schemes targeting one prover can be clus-
tered into three main classes: (1) Software-based attestation relies
on time-based checksums and requires no hardware modifications
while providing weak (or no) security guarantees [14, 17, 20, 28–31];
(2) Hardware-based attestation provides stronger security guaran-
tees but requires complex and expensive hardware [4, 19, 24]; (3) Hy-
brid attestation schemes involve software/hardware co-design and
are based on identifying minimal hardware trust anchor while pro-
viding strong security guaranties. The trust anchor can be as small
as a Read-Only Memory (ROM), and a simple Memory Protection
Unit (MPU) [8, 12, 13, 18]. It is worth mentioning that such hy-
brid schemes have enabled scaling attestation protocols to large
networks of embedded devices resulting in a collective (or swarm)
attestation protocol as shown in [3, 6, 16].
All existing attestation schemes involve an interactive protocol
(i.e., initiated with a random challenge sent by the verifier), and are
vulnerable to Denial of Service (DoS) attacks. DoS attacks originate
from the use of un-authenticated challenges, and can be carried out
by sending (a large number of) fake attestation requests to a targeted
prover. DoS attacks on provers caused by maliciously invoking
attestation procedures represent a real security threat, since it may
drain the battery of a device, or preclude it from performing its
original tasks. We are aware of only two existing schemes, which
take DoS attacks against attestation protocols into consideration.
SANA [3] requires a security token (acquired from a trusted third
party) for attesting an embedded network, in order to prevent
the scaling of attestation-based DoS attacks to large embedded
networks. Howerver, SANA requires a trusted third party, and is
based on expensive public key cryptography which increases the
attestation overhead considerably. The work in [9], proposes a
DoS Mitigation technique for attestation based on authenticating
attestation requests (challenges) such that a prover has to verify
that the request is sent by a ‘trusted verifier’ before proceeding
with attestation computations. However, it also imposes additional
overhead on a resource-constrained prover without completely
preventing DoS attacks, which would still be possible, as an attacker
64
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
can simply flood the prover with bogus requests and force it to verify
them.
Goals and contributions:
In this paper, we present SeED, the first non-interactive attesta-
tion protocol that completely mitigates DoS attacks on the prover
side. Designing such a protocol is challenging, since it relies on
a potentially malicious prover to trigger the attestation process.
Therefore, we analyze the requirements for designing secure and
non-interactive attestation protocol and depict how to address them
with minimal features and assumptions. Further, we identify possi-
ble use-cases, where a non-interactive attestation protocol can be
applied. Our work brings the following three contributions:
• Non-Interactive Attestation: We present SeED– the first
Secure Non-Interactive attestation scheme that is inherently
resilient to DoS attacks. Since it is not initiated by the verifier,
SeED imposes low communication overhead and reduces
power consumption.
• Requirement Analysis: We analyze the security of non-
interactive attestation under different adverserial capabilities
and extract the minimal requirements for securing such a
protocol.
• Implementation and Evaluation: We implement SeED on
top of different security architectures for low-end embedded
devices (e.g., SMART [12] and TrustLite [18]). Evaluation re-
sults show an improvement of up to 50% in energy consump-
tion and 35% over runtime of existing attestation schemes.
We further discuss its inherent benefits and influence on
attestation of embedded networks.
Outline. We review in Section 2 existing attestation protocols,
relevant adversary models and DoS attacks on attestation. In Sec-
tion 3, we provide required preliminaries and notations, identify
the minimal requirements for secure non-interactive attestation
and describe SeED. Two prototype implementation of SeED are
then described in Section 4, its application to collective attestation
is explained in Section 5, and performance results are shown in Sec-
tion 6. Next, security of SeED is evaluated in Section 7. Related work
is summarized in Section 8 and the paper concludes in Section 9.
2 PROBLEM DESCRIPTION: INTERACTIVE
ATTESTATION & DOS ATTACKS
Remote attestation is an interactive protocol between a trusted
verifier (denoted by Vrf) and a potentially untrusted remote prover
(Prv). It provides assurance to Vrf that Prv is in a trustworthy soft-
ware state (i.e., not infested by malware). The protocol is initiated
by Vrf sending a random challenge N to Prv. N indicates Vrf’s
interest in attesting Prv, and is necessary for mitigating replay
attacks. Upon receipt of the challenge, the trust anchor on Prv cre-
ates a measurement h of its software (e.g., a hash of its binary). h is
attached to N and is usually authenticated via a symmetric shared
key (katt ), then sent back to Vrf. As shown in Figure 1, two different
strategies can be followed by Vrf to determine the attestation time,
i.e., the time at which it initiates the attestation protocol:
• Strategy #1 (Suspicion): Vrf initiates attestation of a cer-
tain Prv based on some event, e.g., when Prv is suspected of
65
Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni
being compromised. This approach is usually adopted when
attestation is triggered by some detection mechanism, e.g.,
intrusion detection techniques, which are known to generate
false positives.
• Strategy #2 (Maintenance): In other scenarios, attestation
is used as a standalone method for monitoring untrusted
devices and detecting malware infestation. In these scenarios,
Vrf decides when to attest Prv(s) to determine whether they
are infested by malware.
In both strategies, Vrf is required to initiate the attestation proto-
col. However, we claim that strategy #2 corresponds to the most
vibrant use of attestation, especially in the case of standalone de-
vices, where detection techniques (such as intrusion detection) do
not apply. Therefore, providing the necessary hardware features
(see Section 3), the trust anchor on Prv that is entitled of the gener-
ation and authentication of software measurements, can be trusted
to initiate the attestation protocol and generate timely responses.
2.1 Adversary Models
We cluster attackers on attestation into three classes based on their
capabilities and/or attack strategies. Our classification is inspired
by the taxonomy in [2]. Note that, these three classes fall under the
software-only advesary model assumed in all existing attestation
schemes [8, 9, 12, 13, 18]. However, the distinction between different
capabilities/strategies is only required to extract and motivate our
protocol construction and its underlying hardware features.
Communication Adversary. ADVcom has full control over all
communication channels; it is capable of injecting its own packets
and eavesdropping on, modifying, delaying, and dropping packets
exchanged between Vrf and Prv.
Software Adversary. ADVsoft exploits software vulnerabilities
to infect Prv, read its unprotected memory regions, and manipulate
its software state (e.g., by injecting malware in Prv).
Mobile Adversary. In addition to ADVsoft capabilities, ADVmob
is also capable of erasing all traces of its previous presence on Prv
(e.g., removing malware from Prv). ADVmob follows a sophisti-
cated attack strategy in order to evade detection by the attestation
protocol. The attack is executed in two phases:
• Phase #1: ADVmob compromises Prv by installing mal-
ware (i.e., introducing malicious code)
• Phase #2: Right before the execution of attestation protocol,
ADVmob leaves Prv, i.e., it erases its traces by removing
the introduced malware, and restoring Prv to its original
benign state
Note that, executing such a sophisticated attack requires the knowl-
edge of the exact execution time of attestation.
2.2 DoS Attack on Attestation Protocols
Denial of Service attacks on attestation protocols impose a seri-
ous security threat, especially when targeting low-end embedded
devices, as such attacks can dissipate their limited resources and
cause them to shut down. DoS attack can be carried out through
the repeated un-authorized invocation of attestation functionality
on Prv, i.e., by replaying or fabricating bogus attestation requests.
SeED: Secure Non-Interactive Attestation for
Embedded Devices
Figure 1: Non-Interactive protocol and Vrf’s strategies
As a countermeasure, authors of [9] propose using MACs to au-
thenticate attestation requests such that Prv has to verify that the
request is coming from the trusted verifier before proceeding with
the attestation. The freshness of the request is guarnteed using
timestamps (assuming that both, Vrf and Prv, have synchronized
clocks). However, even when such countermeasure is applied, an
attacker, who can eavesdrop on communications between Vrf and
Prv could still replay authenticated requests, causing Prv to repeat-
edly invoke the verification process before dropping the incoming
request (due to timestamps’ staleness). Based on public key cryptog-
raphy, SANA [3] adopts the same solution to prevent DoS attacks
on collective attestation. Since verifying a digital signature is more
expensive than verifying a MAC, SANA is considered more prune
to the DoS attack described above.
3 SECURE NON-INTERACTIVE
ATTESTATION
As shown in Figure 1, a non-interactive attestation protocol between
a verifier Vrf and a prover Prv is composed of a single response
message sent from Prv to Vrf. This brings a number of benefits to
Prv that we list below:
Resiliency to DoS Attacks. Non-interactive attestation is inher-
ently secure against DoS attacks on Prv. In fact, it completely solves
the DoS problem on the prover of an attestation protocol, without
imposing the additional overhead of authenticating attestation re-
quests [9]. The reason for this is that Prv has no incoming traffic
for the attestation protocol.
Low Communication Overhead. It is self-evident that a non-
interactive attestation protocol has lower communication overhead
than interactive attestation. In fact, by dropping the challenge, the
communication overhead can be reduced by up to 50% (depending
on the hash function used). This reduction is particularly significant
for battery-operated low-end embedded devices, since, on such
devices, the energy consumption required for communicating 1-bit
of data, can be as high as for executing 800 − 1000 instructions [15].
Low Network Congestion. Non-interactive attestation induces
lower latency and energy consumption when combined with ex-
isting collective attestation schemes (e.g., SEDA [6]). On the other
66
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
hand, due to its low communication overhead and random attesta-
tion times (see Section 3), Non-interactive attestation also causes
lower network congestion and end-to-end delay when multiple
provers are attested individually.
3.1 Preliminaries and Notation
Let |M | denotes the number of elements in a finite set M. Further-
more, let {0, 1} ℓ be the set of all bit-strings of length ℓ. If E is some
event (e.g., the result of a security experiment), then Pr[E] denotes
the probability that E occurs. Probability ϵ(ℓ) is called negligible if,
for all polynomials f , ϵ(ℓ) ≤ 1/f (ℓ) for all sufficiently large ℓ ∈ N.
Message Authentication Code. Message authentication code (MAC)
is defined as a tuple of (probabilistic polynomial time) algorithms
(genkeymac, mac, vermac). k ← genkeymac(1ℓmac ) outputs a se-
cret key k with security parameter ℓmac ∈ N. µ ← mac(k; m) out-
puts a MAC digest µ on input of m and k. vermac(k; m, µ) ∈ {0, 1}
verifies µ on input of m and k.
Pseudorandom Number Generator. A pseudorandom number
generator (PRNG) is a (probabilistic polynomial time) algorithm
gen. {σi , θ i } ← gen(σi−1 ) outputs internal state σi ∈ {0, 1} ℓσ and
random output θ i ∈ {0, 1} ℓθ on input of previous internal state
σi−1 .
A summary of all variables, parameters and procedures used
in the description and evaluation of our proposed protocol, in the
following sections, is available in Table 1.
3.2 Requirements Identification
For the sake of simplicity, we gradually identify the requirments for
designing a secure non-interactive attestation protocol. We start
with the following assumption: Prv performs attestation periodi-
const . We assess this assumption under
cally at fixed time interval tatt
different attackers from different adverserial classes to extract the
minimal requirments in order to assure security of non-interactive
attestation.
At Prv side, attestation procedure starts at Tatt by generating re-
sponse message; a MAC digest µ based on the attestation key katt
(pre-shared with Vrf) over: a measurement h of the current soft-
ware state of Prv, and a monotonic counter C (to prevent replay
WiSec ’17 , July 18-20, 2017, Boston, MA, USA Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni

Table 1: Variables, parameters and procedures that, the common assumption in such attacks is that Vrf is unaware
when to expect an attestation response.
Entities
• Delay Attacks: The simplest way to avoid detection of
Vrf Verifier ADVcom , during the execution of an attack, is to delay
Prv Prover the attestation response sent by Prv until ADVcom is done
EN Embedded Network executing the attack and has achieved its goal
Prvi Prv i in EN • Dropping Attacks: Since Vrf detects compromised Prv
ADV Adversary only when receiving an attestation response showing a mea-
ADVcom Communication Adversary surement of a malicious software. ADVcom may drop every
ADVsoft Software Adversary attestation response which doesn’t indicate a benign soft-
ADVmob Mobile Adversary ware state
Protocol parameters • Record and Play Attacks: The ultimate attack would in-
volve recording and dropping benign attestation responses
katt Secret Attestation Key and later replaying them during an attack to convince the
satt Secret Random Seed Vrf that Prv is in a benign state
n Number of Devices in EN
N Random Nonce Mitigation. To mitigate such attacks, Vrf and Prv should have
h Software Measurement of Prv synchronized clocks that indicate attestation times for both entities.
b Benign Software Measurement of Prv When Vrf does not receive an attestation response within the
µ A MAC based on katt expected time limits, it assumes that Prv has been compromised.
r Attestation Result (1 indicates success and 0 Note that, since synchronized clocks are identified as a requirement
indicates failure) for non-interactive attestation, timestamps can replace monotonic
σ Internal State of PRNG counters.
Security under ADVsoft . Based on purely remote software
Time parameters
techniques, ADVsoft may perform the following attacks:
Trec Time of receiving an attestation response
Tatt Attestation time • Fake Measurements: ADVsoft can intercept and modify
tatt Random time interval before the next attesta- the process responsible for measuring the software state.
tion Thus, enabling the generation of a benign attestation re-
Max
tatt Maximum time period between two consecu- sponse which is independent of the actual software state on
tive attestations Prv
const
tatt Fixed time interval between two consecutive • Forged Measurements: Relying on software techniques,
attestations ADVsoft can extract the key katt used for authenticating
ttr Maximum time required to communicate a re- attestation results. Having katt , ADVsoft would be capable
sponse between Vrf and Prv of forging any attestation response at anytime regardless of
δt Maximum clock skew between Vrf and Prv Prv’s state
tmal Time period during which Prv is compromised • Pre-Generated Measurements: By manipulating Prv’s clock,
C Monotonic Counter ADVsoft can trick Prv to generate future measurements of
current benign software. These measurements can be stored
Procedures for later use as attestation responses sent to Vrf during the
time( ) Returns current time execution of an attack
timeout(tatt ) Sets timer to expire after tatt period of time
Mitigation. To tackle these attacks, the integrity of the measure-
getSoftMeas( ) Returns a measurement of the current software
ment process, the confidentiality of katt , and the integrity of Prv’s
of Prv
clock must all be protected by leveraging hardware assistance.
Security under ADVmob . Knowing the exact time interval
between attestation measurments tatt const , ADV
attacks). After receiving a message from Prv, Vrf determines the mob can evade de-
trustworthiness of Prv by: (1) checking the message’s authenticity, tection, by following the strategy described in Section 2.1. More
i.e., verifying µ; (2) checking its freshness, i.e., checking whether particularly, ADVmob observes Prv for some period of time to
const . Then, ADV
figure out tatt
the value of received counter C is higher than its locally-stored mob infects Prv (i.e., by installing
value; and (3) checking whether the contained measurement h malware) at the end of a successful attestation. Directly before
corresponds to a benign software state. Vrf outputs its decision the consequent execution of the attestation protocol, ADVmob
r indicating whether Prv is in a benign or malicious state (0 for restores the original benign software. By executing this process re-
malicious and 1 for benign). peatedly, ADVmob can evade detection while keeping Prv infected
Security under ADVcom . Having full control over commu- for the longest time possible.
nication channels between Vrf and Prv, ADVcom can perform Mitigation. A key aspect of the attack described above is the previ-
several attacks. In the following, we outline some of them. Note ous knowledge of the exact attestation time. Consequently, securing
67
SeED: Secure Non-Interactive Attestation for
Embedded Devices
non-interactive attestation, requires hiding the exact attestation
times from ADV. This is achieved in two steps:
(1) Randomization: Attestation should be executed at random
times, that are not predictable by ADV. However, as men-
tioned above, these times should be known to both Vrf and
Prv. For this reason, we propose using pseudorandom num-
bers. Consequently, Vrf and Prv are required to at least share
the seed for a Pseudorandom Number Generator (PRNG)
(2) Confidential Trigger Time: The attestation time should not
be readable by the code responsible for triggering the at-
testation process (e.g., scheduler). This can be either done
(1) in software, using polling; or (2) in hardware, based on
non-maskable interrupt (NMI)
3.3 SeED: Protocol Description
Taking into consideration all previously mentioned requirements,
and assuming that Vrf and Prv share two secrets: (1) the attestation
key katt used for authenticating the attestation response, and (2) the
random seed satt used by the Pseudorandom Number Generator
(PRNG) to generate a random attestation time (timer) that triggers
the next attestation process at Tatt . We now describe a secure non-
interactive attestation protocol – SeED. As shown in Figure 2, at
attestation time Tatt , Prv generates a measurement h of its software,
attaches it to the current time attestation time Tatt , authenticates it
with a MAC based on katt , and send it to Vrf. Vrf, in turn, expects
to receive an attestation response at any time between Tatt − δ t and
Tatt +δ t + ttr (i.e., Tatt −δ t < Trec < Tatt +δ t + ttr ), where Tatt is the
expected attestation time, δ t is the maximum clock skew between
Vrf and Prv, and ttr is the maximum time required to transmit
the response between Vrf and Prv. If a response is received at
Trec , Vrf checks (1) its authenticity, by verifying the MAC µ; (2) its
freshness, by checking whether the attached time corresponds to
the present Tatt ; and (3) Prv’s trustworthiness, by checking whether
the measurement h corresponds to a benign software state b. If all
checks succeed, Vrf concludes that Prv is in a trustworthy state,
setting r to 1. On the other hand, if no attestation response was
received when expected, or any if the three checks failed, Vrf
concludes that Prv is malicious (i.e., infested by malware) and sets
r to 0.
3.4 Requirements Implementation
Securing non-interactive attestation, as discussed above, requires
leveraging hardware assistance to: (1) have synchronized clocks
between Prv and Vrf; (2) assure integrity of both, the clock and
the measurement process on Prv side; and (3) securely provision
Prv with katt and satt . This can be achieved by having the following
features:
• Read-Only Memory (ROM): The integrity of the code used
to perform measurement should be protected. This can be
done by storing the code itself in ROM (e.g., SMART [12]),
or verifying its integrity through a secure boot procedure,
whose code is stored in ROM (e.g., TrustLite [18])
• Memory Protection Unit (MPU): In order to preserve the
confidentiality of the attestation key katt and attestation
times (generated from the seed satt ), a simple MPU is re-
quired. MPU provides read-only access to these secrets to
68
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
the protocol code only. MPU has been identified as a minimal
requirement for secure remote attestation in [8, 12, 13, 18]
• Real-Time Clock (RTC): A measurement of Prv’s soft-
ware should be tied to its generation time. Therefore, a real-
time write-protected clock, which is not modifiable by a
software-only adversary, is required. RTC enforces the gen-
eration of attestation responses on-time and prohibts the
generation of responses over old software measurements.
RTC has already been used to detect physical attacks in [16]
and to mitigate DoS attacks on attestation in [9]
• Attestation Trigger: In a secure non-interactive attestation
scheme, the attestation time should not even be known to
the entity triggering the attestation process (i.e., operating
system). For this reason, a dedicated timeout circuit is re-
quired. This timeout circuit, simply updates and monitors
the value of a timer stored in a secure register. It also triggers
a non-maskable interrupt (NMI) upon the expiry of the timer
Note that, all of the aforementioned hardware features, except
for the attestation trigger, have already been either required for
enabling secure remote attestation (i.e., ROM and MPU), or for
mitigating DoS attacks on Prv (i.e., RTC).
4 PROTOTYPE AND IMPLEMENTATION
We implemented SeED on top of two recent security architectures
for attestation on low-end embedded devices: SMART [12] and
TrustLite [18]. In the following we describe these implementations.
4.1 SMART and TrustLite
SMART. SMART [12] provides secure remote attestation for low-
end embedded devices based on minimal hardware assumptions.
The two main components of SMART are: (1) a read-only mem-
ory (ROM) storing the attestation code (denoted by ROM code)
and the attestation key katt ; and (2) a simple Memory Protection
Unit (MPU), that restricts access to ROM, where katt is stored, to
the software entitled to access it. Both ROM and MPU represent
minimal hardware requirement for secure remote attestation and
they are simple and inexpensive to realize. The basic idea is that
ADVsoft is unable to modify any code stored in ROM. Thus en-
suring the integrity of attestation code. On the other hand, MPU
grants exclusive access to katt to ROM code. This is done by check-
ing whether the program counter is within the ROM address space
whenever katt is to be accessed. As a result, only genuine attestation
code has access to katt .
We implement our protocol on a slightly modified version of
SMART, as shown in Figure 3. We extend MPU rules to control
access to a small portion of the re-writable memory. This preserved
memory, with restricted access, is required to store protocol’s inter-
mediate data. Mainly, it is used to store the internal state of PRNG
σ , and the timer tatt .
TrustLite. TrustLite [18] is a security architecture for embedded
systems, that enables isolated execution of software components
(e.g., SeED’s code). Similar to SMART, a simple MPU ensures that
data can be accessed only by the code of the component that owns
that data. Access rules are enforced based on the value of the pro-
gram counter (PC). and is hereby called execution-aware memory
protection unit (EA-MPU). Finally, authenticity and confidentiality
WiSec ’17 , July 18-20, 2017, Boston, MA, USA Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni

Verifier Vrf Prover Prv

katt , satt , b, δt , ttr katt , satt

{σi , θi } ← gen(σi−1 )
Max
tatt ← θi mod tatt

timeout(tatt )

Tatt ← Tatt + tatt

h ← getSoftMeas( )

µ ← mac(katt ; hkTatt )
µ

{σi , θi } ← gen(σi−1 )
Max
tatt ← θi mod tatt

Tatt ← Tatt + tatt

if vermac(katt ; bkTatt , µ) then

Trec ← time( )

if Tatt − δt < Trec < Tatt + δt + ttr then

r ←1

end if

end if

Figure 2: Protocol SeED

Memory Memory
CPU Clock System CPU Clock System
ROM ROM
OS OS
Program Memory Program Memory
RTC Timeout 𝑅0 Counter (PC) Address
RTC Timeout
𝑅0
Counter (PC) Address σx Secure Boot 𝑅2 SeED
SeED
MPU 𝑅2 Tatt satt
𝐌𝐚𝐱
𝐓𝐚𝐭𝐭 MPU katt
satt 𝑅1 kplatform
𝑅1
Code Region Memory Region Permissions
tatt
Code Region Memory Region Permissions 𝑅3 σx
katt
R0 R1 r R0 R1 r Tatt
Max
R0 R2 r&w SW 1 R0 R2 r Tatt
R2 R3 r&w tatt

SeEDadditional HW Features SMART HW Features Microcontroller HW Components

SW 2 SW
SeEDadditional HW Features TrustLite HW Features µC HW Components

Figure 3: Implementation of SeED based on SMART [12] Figure 4: Implementation of SeED based on TrustLite [18]

of both code and data of isolated components are ensured via means
of secure boot. On the other hand, the integrity of secure boot code
is protected by storing it in ROM.
Keys and Variables. Our implementation of SeED is illustrated
in Figure 3 and Figure 4. The secret attestation key katt and the
secret random seed satt , are both read- and write-protected by ROM
and/or by an MPU rule. This rule ensures that SeED’s code has
exclusive read access to these two secrets. On the other hand, SeED’s
intermediate data (i.e., timer, and internal state of PRNG) are stored
in writable memory, and are both read- and write-protected through
an MPU rule. This rule provides exclusive read and write access to
69
this data to SeED’s code only. Finally, the integrity of SeED’s code is
protected via ROM (on SMART) or secure boot (on TrustLite). Also,
run-time threats on the protocol code are reduced by limiting code
entry points [12], and leveraging control flow integrity (CFI) [5].
Real-Time Clock. As discussed in Section 3, enabling secure non-
interactive attestation requires a Real-Time Clock (RTC), that is not
modifiable by software. In addition to being write-protected, RTC
should have a very large counter, that does not wrap around during
Prv’s lifetime. Indeed, using a 64-bit register solves this problem, as
it would need 73, 117 years to wrap around on an 8 MHz SMART,
even when incremented at every clock cycle. However, since SeED
SeED: Secure Non-Interactive Attestation for
Embedded Devices
does not require such a granular time input, a 32-bit register would
suffice, if it is incremented every 100, 000 cycle (i.e., providing a
resolution of 13 ms), as it would wrap around in about 2 years. On a
24 MHz TrustLite, on the other hand, a 64-bit register would wrap
around in 24, 372 years, and a 32-bit register would wrap around
in 3 years, if incremented every 500, 000 cycle (i.e., providing a
resolution of 21 ms).
5 APPLICATION TO COLLECTIVE
ATTESTATION
Securing embedded networks is a challenging problem. A number
of research work has been conducted that aims at scaling existing
remote attestation protocol to large networks [3, 6, 16] (denoted
by swarm/collective attestation). Existing collective attestation pro-
tocols can also be realized as non-interactive protocols.1 This is
done by sharing the same random seed between all n provers (Prv1
through Prvn ) in a network EN, making them all report within a
very short time interval from each other, and then aggregating the
reports based on the protocol in [6].
On the other hand, SeED can also be extended to support a more
efficient individual attestation of Prv’s in EN. In this extension, Prv’s
are made to report at different times, by giving them different secret
random seeds. Consequently, bursty network traffic is avoided by
spreading reporting over a large time window. In the following we
describe this extension.
Initialization. Each prover Prvi in EN is initialized by Vrf with the
cryptographic secrets required for non-interactive attestation, i.e.,
i used for authenticating attestation responses,
an attestation key katt
i , used for generating random attestation
and a random seed satt
times.
i , and
Attestation. Each prover Prvi waits until attestation time Tatt
then generates an attestation response formed of a MAC µ i over
its current software measurement hi and the attestation time Tatt i ,
i
based on katt shared with Vrf. On the other hand, for each prover
Prvi , Vrf awaits an attestation response to be received within the
i − δ , T i + δ + t ]. When a response is received, Vrf
interval [Tatt
t att t tr
verifies its authenticity, freshness, and trustworthiness. If all checks
succeed, Vrf concludes that Prvi is benign. Otherwise, if one check
fails or no response was received within the expected interval, Vrf
concludes that Prvi is malicious. If all provers in EN are benign, Vrf
outputs r = 1. Otherwise, it outputs r = 0.
In addition to lower communication overhead, non-interactive
collective attestation offers lower network congestion compared
to naively attesting individual devices at the same time. It also
normalizes Vrf’s overhead and stretches it over a longer period of
time. Leading to a shorter end-to-end delay (i.e., time between the
initiation of the protocol and identification of a prover’s infection).
6 PERFORMANCE EVALUATION
6.1 SeED: Single-Device Attestation
Software Complexity. In our implementation on SMART [12] and
TrustLite [18], we use HMAC-DRBG [7] based on SHA-1 as a Pseu-
dorandom Number Generator (PRNG). Consequently, no additional
1 We assume that the spanning tree is already constructed following the protocol in
[6].
70
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
cryptographic primitives are required to be implemented. We only
need to add the code required for: (1) generating random attesta-
tion time, and writing it to I/O mapped memory; and (2) requesting
and including a timestamp in the attestation response. These mod-
ification incurs only few additional Lines-of-Code (LoCs), which
corresponds to less than 200 bytes increase in code size.
Hardware Costs. The implemented hardware components include
a real-time clock, a timeout circuit and MPU rules required to con-
trol access to sensitive data in the memory. We compare the hard-
ware cost of our implementation of SeED to that of TrustLite [18]
and DoS-Resilient attestation from [9], in terms of required registers
and Look-up Tables (LUT).
Table 2: Hardware cost of SeED
Register Look-up Table
TrustLite [18] 6038 15142
DoS-Resilient [9] 6186 15356
SeED 6335 15580
As shown in Table 2, the DoS-Resilient attestation described in
[9] imposes an increase of 2.45% and 1.41% over the original cost
of TrustLite (in terms of the required registers and LUTs). This is
due to the cost of the clock, and the additional MPU rule required
to protect the clock. SeED has only an additional cost of 4.92% and
2.9% compared to TrustLite.
Overhead. In the following we quantify the memory, computa-
tional, and communication costs of SeED:
• Memory: Prv in SeED needs to store a 20-byte secret key
and a 20-byte secret random seed in ROM which should be
read-protected. Also, Prv stores a 4-byte protocol constant
Max , a 4-byte timer t , and a 20-byte internal state σ of
tatt
att
PRNG on write-protected memory. Overall, SeED requires
additional 20 bytes of ROM, and 28 bytes of Random Access
Memory (RAM) or flash on SMART and 48 bytes of Random
Access Memory (RAM) or flash on TrustLite.
• Computation: Most of the computational cost in SeED is due
to cryptographic operations. For every generated attestation
response, SeED needs to generate 32 random bits, and one
MAC, and calculate a hash over the amount of memory
to be attested. The additional computation cost imposed
over traditional attestation is only due to random number
generation.
• Communication: In SeED, each Prv is only required to send
a 20 bytes MAC to Vrf for each run of the protocol. In tradi-
tional attestation protocols, Prv is also required to receive a
random challenge of at least 20 bytes. As mentioned earlier,
on low-end devices the energy consumption of communicat-
ing 1-bit of data is equivalnet to that of executing 800 − 1000
instructions [15].
Energy costs. Based on previous studies, that reported energy
consumption for cryptographic operations and communication in
sensor networks [11], we estimate energy consumption of SeED,
WiSec ’17 , July 18-20, 2017, Boston, MA, USA Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni

0.7 0.9
0.6 0.8
Traditional
DoS-protected 0.7
0.5
SeED 0.6
Runtime (s)

Runtime (s)
0.4 0.5
0.3 0.4
Traditional
0.3 DoS-protected
0.2 SeED
0.2
0.1 0.1
0 0
2 4 6 8 10 12 14 16 18 20 50 100 150 200 250 300
Number of hops Software size (KB)

Figure 5: Attestation runtime as function of number of hops Figure 6: Attestation runtime as function of attested soft-
ware size
and compare it to traditional and DoS-Resilient attestation schemes.
Our estimation excludes the energy required to generate the soft- 12

ware measurement which is the same in all cases. The results are 10
SEDA(MICAz)
shown in Table 3. As shown in the table, the additional energy SEDA(telosB)

Energy (mJ)
8 SeED(MICAz)
consumption required by DoS-protected attestation is almost 70% SeED(telosB)
of that of traditional attestation (for both TelosB and MICAz sensor 6

nodes). On the other hand, SeED, which is inherently secure against 4

DoS attacks, saves about 50% of Prv’s energy when compared to
2
traditional attestation.
2 4 6 8 10 12
Number of neighbors
Table 3: Energy consumption of SeED (mJ)
Figure 7: Energy consumption of SeED vs. SEDA
TelosB MICAz

Traditional 0.253 0.241 number hops of between Vrf and Prv, and (4) the size of the mea-
DoS-Resilient [9] 0.418 0.408 sured software. Figure 5 and Figure 6 show the runtime of SeED
on TrustLite as function of the number of hops and the size of the
SeED 0.129 0.152 attested software respectively. Figures for SMART are omitted due
to space constraints.
Runtime. We also measure the runtime of SeED and compare it
to both traditional and DoS-Resilient attestation schemes. We base
6.2 SeED: Collective Attestation
our measurements on the 20-kbps minimum communication rate We evaluated the energy consumption and runtime of a collective
of ZigBee2 . non-interactive attestation protocol based on SEDA [6] in compari-
son to the original implementation of the protocol.
Table 4: Runtime of SeED (ms) Energy costs. Figure 7 shows estimations of the energy consump-
tion on each individual device after one execution of the protocol.
These estimations are also based on previously reported energy
SMART [12] TrustLite [18]
consumption for cryptographic operations and communication in
Traditional 948 288 sensor networks [11]. As can be seen in Figure 7, the energy con-
sumption of both protocols is linear in the number of neighbors
DoS-Resilient [9] 1, 150 394 per device. However, SeED shows a considerably lower energy con-
SeED 692 187 sumption on both MICAz and TelosB sensor nodes, when applied to
a collective attestation protocol like SEDA. The reduction in energy
consumption comes mainly from a lower communication overhead
As shown in Table 4, SeED leads to an improvement of 27% (and induced by SeED. This reduction increases linearly with the number
35%) over the runtime of traditional attestation, and that of 40% of neighbors per device. It can be as low as 0.6 mJ (40% of the over-
(and 53%) over runtime of DoS-Resilient attestation on SMART all energy consumption) in networks with 1 neighboring MICAz
(and TrustLite respectively). These measurements assume that Vrf devices, and up to 5 mJ (45% of the overall energy consumption) in
and Prv are 10 hops away, and that the size of the software to be networks with 12 neighboring telosB device.
measured is 50-kilobytes. Note that, the improvement percentage Runtime. We used OMNeT++ [23] event simulator to evaluate the
depends on different factors including: (1) the bandwidth of the performance of the non-interactive collective attestation protocol
communication channel, (2) devices’ computational power, (3) the based on SEDA [6]. Similar to previous work [3, 6, 16], we simulate
2 ZigBee is a common communication protocol for IoT devices. cryptographic operations as delays based on real measurements
71
SeED: Secure Non-Interactive Attestation for
Embedded Devices
1.2
1
Runtime (s)
0.8
0.6
SEDA
0.4
SeED
0.2
0
0 200000 400000 600000 800000 1e+06
Network size
Figure 8: Attestation runtime of SeED vs. SEDA
from SMART [12] and TrustLite [18]. We considered networks with
up to 1, 000, 000 devices, having different topologies, and variable
number of neighbors. However, due to limited space, we only show
the results for binary trees. We assume that each device has 50 KB
of software to be attested. As shown in Figure 8, the runtime of both
SeED and SEDA is logarithmic in the size of the network. However,
SeED shows a considerably better performance than SEDA. The
significance of the performance improvement increases with the
size of the network. It can be as low as 5% (27-milliseconds) in
networks of only 3 devices, and as high as 28% (346-milliseconds)
in networks of 1, 000, 000 devices. Note that, SeED shows more
improvement over SEDA in linear topologies, as communication
in such topolgies plays a more significant role. However, we only
show performance results for tree topology, since it presents the
most interesting use case for collective attestation in general.
7 SECURITY ANALYSIS
The goal of a non-interactive attestation protocol is to enable Vrf
to detect modifications to Prv’s software (e.g., malware infesta-
tion). We formalize this based on a security experiment Exp A D V ,
where an adversary ADV interacts with Prv and Vrf. Recall that,
ADV can eavesdrop on, delete, and modify any message between
Prv and Vrf. It can also send arbitrary messages to Prv and Vrf
(ADVcom ). Furthermore, ADV can modify Prv’s software by
injecting malware (ADVsoft ). It can also erase all traces of its pres-
ence, i.e., erasing malware and restoring Prv to its original benign
state (ADVmob ). During the experiment, ADV attacks Prv and
modifies its software. In order to achieve its goal, the attack should
last for a non-negligible amount of time tmal > tattMax , during which
ADV can restore Prv to its original state within a negligible pe-
riod of time. After a polynomial number (in terms of the security
parameters ℓmac , ℓhash , ℓclock , and ℓgen ) of steps by ADV, Vrf
outputs its decision bit b = 1 indicating that it considers Prv to be
benign, or b = 0 if otherwise. The result is defined as the output
of Vrf, i.e., Exp A D V = b. A secure non-interactive attestation
scheme is defined as:
Definition 1 (Secure non-interactive  attestation). A non- 
interactive attestation scheme is secure if Pr b = 1|Exp A D V (1ℓ ) = b
is negligible in value of ℓ = f (ℓmac , ℓhash , ℓclock , ℓgen ), where func-
tion f is polynomial in ℓmac , ℓhash , ℓclock , and ℓgen .
Theorem 1 (Security of SeED). SeED is a secure non-interactive
attestation scheme (Definition 1) if the underlying MAC scheme is
72
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
selective forgery resistant, the hash function is collision resistant, and
the pseudorandom number generator is cryptographically secure.
Proof sketch of Theorem 1. Vrf returns b = 1, only if (1) no
attestation responses were expected during the time of the attack;
or (2) attestation response(s) was received in the expected time, and
it passed Vrf’s checks (i.e., the response is fresh, authentic, and
corresponds to a benign software). We distinguish among three
cases:
• Communication Attacks: Given full control over commu-
nication channels between Vrf and Prv, ADVcom either
completely drops, or delays the attestation response till the
end of the experiment (i.e., after Vrf outputs its decision).
However, since: (1) the attack time tmal is greater than the
maximum time between two consecutive attestations (tatt Max ),
Vrf would be expecting an attestation response before the
end of the experiment. Therefore, dropping or delaying re-
sponses will be detected by Vrf, which will output b = 0. On
the other hand, ADVcom replays previously recorded re-
sponses which correspond to benign software measurements.
However, since Vrf checks the freshness of the received re-
sponses, the probability of Vrf accepting replayed responses
and outputting b = 1 is negligible in ℓclock
• Software Attacks: Based on purely remote software tech-
niques, ADVsoft may enable the generation of fresh, au-
thentic, and benign response by: (1) modifying the process
responsible for measuring software state, (2) extracting the
authentication key katt used for authenticating attestation
responses, or (3) manipulating Prv’s clock. However, this
is not possible since: (1) the integrity of the measurement
code is protected through Read-only Memory (ROM) on
SMART [12] (and secure boot on TrustLite [18]), (2) secrecy
of katt is protected by appropriate rules in Memory Protec-
tions Unit (MPU), and (3) Prv has a Real-Time Clock (RTC),
which is not accessible by any software. Finally, ADVcom
may try to modify the software in a way that is not de-
tectable by the measurement process, or forge a MAC on
the benign measurement and a fresh timestamp, in order to
convince Vrf into outputting b = 1. However, these attacks
are negligible in ℓhash and ℓmac respectively
• Hide and Seek: A more sophisticated adversary ADVmob
may try to evade detection and convince Vrf to output b = 1,
by restoring Prv to its original benign state directly before
the execution of the attestation protocol. Since ADVmob
can restore Prv within a negligible amount of time, ADVmob
should know the exact attestation time in order for this at-
tack to succeed. However, ADVmob has no access to the
next attestation time tatt , which is protected by appropriate
rule of MPU, and the probability of predicting it is negligible
in ℓgen
This means that the probability of ADV convincing Vrf that a
compromised Prv is benign is negligible in ℓmac , ℓhash , ℓclock , and
ℓgen . 
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
8 RELATED WORK
Single-Device Attestation. Existing approaches to attestation fall
into three main categories: Software-based attestation schemes [14,
17, 20, 28–31] requires no secure hardware and does not rely on
cryptographic secrets. It enables attesting legacy and low-end em-
bedded devices under some strict assumptions. These assumptions
include: optimality of the attestation code and its implementation,
adverserial silence during the execution of the attestation protocol,
and existence of an out-of-band authentication channel. For this
reason, security of software-based attestation schemes has been
challenged [10, 32, 35], and their applicability was limited to local
attestation of legacy devices, e.g., peripherals. Co-Processor-based
attestation schemes [19, 21, 22, 25–27, 33] provide better security
guarantees. However, they are based on complex and/or expen-
sive security hardware (e.g., TPM), that are not present on low-
end embedded devices. Software/Hardware Co-design or Hybrid
schemes [8, 12, 13, 18] identify minimal hardware-based features
required for enabling secure remote attestation. Such security fea-
tures are as simple as a Read Only Memory (ROM), and a simple
Memory Protection Unit (MPU).
All existing attestation schemes are vulnerable to Denial of Ser-
vice (DoS) attacks. As a countermeasure, the work in [9] proposes
authenticating attestation challenges by the verifier. The prover has
to verify that the request is fresh and is coming from the trusted ver-
ifier before proceeding with the software measurements. However,
the mitigation proposed in [9] imposes additional overhead, and is
prone to DoS attacks based on the MAC verification procedure.
Collective Attestation. Traditional attestation schemes consider
only a single prover and verifier. Swarm/collective attestation aims
at scaling existing attestation schemes to networks of embedded
devices, by leveraging in-network verification [6], and novel cryp-
tographic primitives [3].
SEDA [6] investigates the security of swarms of embedded de-
vices. It presents the first attestation protocol for large swarm,
allowing a central verifier to assess the trustworthiness of a million-
device swarms in order of seconds. It achieves this by distributing
the attestation burden across the swarm, allowing neighbors to
attest each other, and aggregating the attestation results in a hop-
by-hop manner. SANA [3] enables low verification overhead due to
the integration of a novel Optimistic Aggregate Signatures (OAS),
which is a generalization of aggregate and multi-signatures. Finally,
DARPA [16] aims at detecting software compromise and device
capture in embedded networks. Since DoS attacks on collective
attestation are more significant, as it allows to adversary to disturb
a large network by targeting one device, SANA [3] proposes using
secure tokens obtained from a trusted third party to prohibt scaling
DoS attacks to large networks. However, SANA uses expensive
public key cryptography which imposes additional overhead on the
Prv, and is vulnerable to DoS attacks based on the digital signature
verification procedure.
SeED is the first attestation scheme, which is completely secure
against Denial of Service (DoS) attacks on the prover. It also pro-
vides better efficiency in terms of runtime and energy consumption
while bringing minimal hardware modifications to existing hybrid
schemes.
73
Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Shaza Zeitouni
9 CONCLUSIONS
In the era of Internet-of-Things (IoT), the increasing ability to con-
nect, communicate with, and remotely control networks of embed-
ded devices via the legacy internet has raised considerable security
and privacy concerns, since these devices generate/collect and pro-
cess massive volumes of valuable private data, which makes them
an attractive target for different types of cyber attacks.
In this paper, we present SeED– the first non-interactive attes-
tation scheme for embedded devices, that is inherently resilient
to Denial of Service (DoS) attacks. SeED is more efficient than
traditional attestation schemes in terms of runtime and energy con-
sumptions. We investigate the applicability of SeED, identify its
minimal requirement, and test its security under different attacks.
We evaluated SeED in different settings including standalone (and
networks of) low-end embedded device(s). Our evaluation results
show an improvement of up to 50% in energy consumption and 35%
over runtime of existing attestation schemes. As future work, we
aim to generalize proposed techniques to other interactive security
protocols (beyond attestation), in order to improve efficiency and
mitigate DoS attacks on those security services.
ACKNOWLEDGEMENTS
We thank anonymous reviewers for their useful comments and con-
structive feedback. This work was supported by the German Science
Foundation, as part of project S2 within CRC 1119 CROSSING, the
German Federal Ministry of Education and Research (BMBF) within
CRISP, the EU’s Horizon 2020 research and innovation program
under grant number 643964 (SUPERCLOUD), and the Intel Collabo-
rative Research Institute for Secure Computing (ICRI-SC).
REFERENCES
[1] Jeep Hacking 101. http://spectrum.ieee.org/cars-that-think/transportation/
systems/jeep-hacking-101, 2015.
[2] Abera, T., Asokan, N., Davi, L., Koushanfar, F., Praverd, A., Tsudik, G., and
Sadeghi, A.-R. Things, trouble, trust: On building trust in iot systems. In 53rd
Design Automation Conference (DAC) (June 2016).
[3] Ambrosin, M., Conti, M., Ibrahim, A., Neven, G., Sadeghi, A.-R., and
Schunter, M. SANA: Secure and Scalable Aggregate Network Attestation. In
Proceedings of the 23rd ACM Conference on Computer & Communications Security
(2016), CCS ’16.
[4] Arbaugh, W., Farber, D., and Smith, J. A secure and reliable bootstrap archi-
tecture. In IEEE Symposium on Security and Privacy (1997).
[5] Arias, O., Davi, L., Hanreich, M., Jin, Y., Koeberl, P., Paul, D., Sadeghi, A.-R.,
and Sullivan, D. Hafix: Hardware-assisted flow integrity extension. In 52nd
Design Automation Conference (DAC) (June 2015).
[6] Asokan, N., Brasser, F., Ibrahim, A., Sadeghi, A.-R., Schunter, M., Tsudik,
G., and Wachsmann, C. SEDA: Scalable Embedded Device Attestation. In
Proceedings of the 22nd ACM Conference on Computer & Communications Security
(2015), CCS ’15, pp. 964–975.
[7] Barker, E. B., and Kelsey, J. M. Sp 800-90a. recommendation for random number
generation using deterministic random bit generators. Tech. rep., Gaithersburg,
MD, United States, 2012.
[8] Brasser, F., El Mahjoub, B., Sadeghi, A.-R., Wachsmann, C., and Koeberl,
P. Tytan: Tiny trust anchor for tiny devices. In Proceedings of the 52Nd Annual
Design Automation Conference (2015).
[9] Brasser, F., Rasmussen, K. B., Sadeghi, A.-R., and Tsudik, G. Remote attestation
for low-end embedded devices: the prover’s perspective. In Proceedings of the
53nd Annual Design Automation Conference (Austin, Texas, 2016), DAC ’16, ACM.
[10] Castelluccia, C., Francillon, A., Perito, D., and Soriente, C. On the difficulty
of software-based attestation of embedded devices. In Proceedings of the 16th ACM
Conference on Computer & Communications Security (2009), CCS ’09, pp. 400–409.
[11] de Meulenaer, G., Gosset, F., Standaert, O.-X., and Pereira, O. On the energy
cost of communication and cryptography in wireless sensor networks. In IEEE
International Conference on Wireless and Mobile Computing (2008).
[12] Eldefrawy, K., Tsudik, G., Francillon, A., and Perito, D. SMART: Secure and
SeED: Secure Non-Interactive Attestation for
Embedded Devices
minimal architecture for (establishing a dynamic) root of trust. In Network and
Distributed System Security Symposium (2012).
[13] Francillon, A., Nguyen, Q., Rasmussen, K. B., and Tsudik, G. A minimalist
approach to remote attestation. In Design, Automation & Test in Europe (2014).
[14] Gardner, R., Garera, S., and Rubin, A. Detecting code alteration by creating a
temporary memory bottleneck. IEEE Transactions on Information Forensics and
Security (2009).
[15] Hill, J., Szewczyk, R., Woo, A., Hollar, S., Culler, D., and Pister, K. System
architecture directions for networked sensors. In Proceedings of the Ninth In-
ternational Conference on Architectural Support for Programming Languages and
Operating Systems (New York, NY, USA, 2000), ASPLOS IX, ACM, pp. 93–104.
[16] Ibrahim, A., Sadeghi, A.-R., and Tsudik, G. DARPA: Device Attestation Resilient
against Physical Attacks. In Proceedings of the 9th ACM Conference on Security
and Privacy in Wireless and Mobile Networks (2016), WiSec ’16.
[17] Kennell, R., and Jamieson, L. H. Establishing the genuinity of remote computer
systems. In USENIX Security Symposium (2003).
[18] Koeberl, P., Schulz, S., Sadeghi, A.-R., and Varadharajan, V. TrustLite: A
security architecture for tiny embedded devices. In European Conference on
Computer Systems (2014).
[19] Kovah, X., Kallenberg, C., Weathers, C., Herzog, A., Albin, M., and But-
terworth, J. New results for timing-based attestation. In IEEE Symposium on
Security and Privacy (2012), pp. 239–253.
[20] Li, Y., McCune, J. M., and Perrig, A. VIPER: Verifying the integrity of peripherals’
firmware. In ACM Conference on Computer and Communications Security (2011).
[21] McCune, J. M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., and Perrig, A.
TrustVisor: Efficient TCB reduction and attestation. In Proceedings of the 2010
IEEE Symposium on Security & Privacy (2010), S&P ’10, pp. 143–158.
[22] McCune, J. M., Parno, B. J., Perrig, A., Reiter, M. K., and Isozaki, H. Flicker:
An execution infrastructure for TCB minimization. SIGOPS Operating Systems
Review 42, 4 (Apr. 2008), 315–328.
[23] OpenSim Ltd. OMNeT++ discrete event simulator. http://omnetpp.org/, 2015.
[24] Parno, B., McCune, J., and Perrig, A. Bootstrapping trust in commodity com-
puters. In IEEE Symposium on Security and Privacy (2010), pp. 414–429.
74
WiSec ’17 , July 18-20, 2017, Boston, MA, USA
[25] Petroni, Jr., N. L., Fraser, T., Molina, J., and Arbaugh, W. A. Copilot —
A coprocessor-based kernel runtime integrity monitor. In USENIX Security
Symposium (2004), USENIX Association, pp. 13–13.
[26] Sailer, R., Zhang, X., Jaeger, T., and Van Doorn, L. Design and implementation
of a TCG-based integrity measurement architecture. In Proceedings of the 13th
USENIX Security Symposium (2004), pp. 223–238.
[27] Schellekens, D., Wyseur, B., and Preneel, B. Remote attestation on legacy op-
erating systems with trusted platform modules. Science of Computer Programming
74, 1 (2008), 13–22.
[28] Seshadri, A., Luk, M., and Perrig, A. SAKE: Software attestation for key
establishment in sensor networks. In Distributed Computing in Sensor Systems.
2008.
[29] Seshadri, A., Luk, M., Perrig, A., van Doorn, L., and Khosla, P. SCUBA:
Secure code update by attestation in sensor networks. In ACM Workshop on
Wireless Security (2006).
[30] Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., and Khosla, P. Pioneer:
Verifying code integrity and enforcing untampered code execution on legacy
systems. In ACM Symposium on Operating Systems Principles (2005).
[31] Seshadri, A., Perrig, A., van Doorn, L., and Khosla, P. SWATT: Software-
based attestation for embedded devices. In IEEE Symposium on Security and
Privacy (2004).
[32] Shankar, U., Chew, M., and Tygar, J. D. Side Effects Are Not Sufficient to
Authenticate Software. In Proceedings of the 13th USENIX Security Symposium
(2004).
[33] Trusted Computing Group (TCG). Website.
http://www.trustedcomputinggroup.org, 2015.
[34] Vijayan, J. Stuxnet renews power grid security concerns, june 2010.
[35] Wurster, G., Van Oorschot, P. C., and Somayaji, A. A generic attack on
checksumming-based software tamper resistance. In Proceedings of the 2005 IEEE
Symposium on Security and Privacy (2005), S&P ’05, pp. 127–138.