Cumulative Attestation Kernels for Embedded Systems
Michael LeMay and Carl A. Gunter
Slide 2: Cumulative Attestation

Instantaneous Attestation
• Multiple Platform Configuration Registers (PCRs) measure various parts of the current system state:
  (Figure: firmware timeline FW 1 → FW 2 → FW 3 → FW 4; after the last upgrade PCR 0 = H(FW 4.0), …, PCR n = H(FW 4.n), i.e. the PCRs cover only the parts of the currently active FW 4.)

Cumulative Attestation
• A comprehensive chronological log of the firmware images is maintained:
  (Figure: same timeline; the log records H(FW 1), H(FW 2), H(FW 3), H(FW 4), … in order.)
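As an added illustration of the contrast on this slide (not code from the talk or its prototype), a simulation of both attestation styles: PCR-style registers recomputed at every boot versus a kernel-kept append-only log, checked against the comprehensiveness and accuracy requirements a remote verifier would apply. The firmware images, the approved set and the choice of SHA-256 are constructed here; the real kernel would also sign the quote, which is omitted.

```python
import hashlib

def H(data: bytes) -> bytes:
    """Measurement function; SHA-256 stands in for whatever hash the kernel uses."""
    return hashlib.sha256(data).digest()

class InstantaneousAttestation:
    """PCR-style: registers are recomputed from the image loaded at this boot,
    so the n PCRs describe only the parts of the current firmware."""
    def __init__(self):
        self.pcrs = []
    def boot(self, fw_parts):
        self.pcrs = [H(part) for part in fw_parts]   # PCR k = H(FW current.k)
    def quote(self):
        return tuple(self.pcrs)

class CumulativeAttestation:
    """Kernel-protected, append-only chronological log of every image that ran."""
    def __init__(self):
        self.log = []
    def boot(self, fw_parts):
        self.log.append(H(b"".join(fw_parts)))       # ..., H(FW 3), H(FW 4)
    def quote(self):
        return tuple(self.log)

def verify(quote, claimed_active, approved):
    """Remote verifier's check of a cumulative quote (slide 4 requirements):
    comprehensiveness: every logged image is an approved release;
    accuracy: the latest entry matches the firmware the device claims to run."""
    return (len(quote) > 0
            and all(entry in approved for entry in quote)
            and quote[-1] == H(b"".join(claimed_active)))

# Constructed sample images: two approved releases and one unauthorised image.
FW1 = [b"boot-v1", b"app-v1"]
FW2 = [b"boot-v2", b"app-v2"]
ROGUE = [b"boot-v1", b"app-tampered"]
APPROVED = {H(b"".join(FW1)), H(b"".join(FW2))}
CLEAN = [FW1, FW2]           # device upgraded normally
DIRTY = [FW1, ROGUE, FW2]    # device ran ROGUE in between and was then re-flashed

def run_history(history, scheme):
    """Boot a fresh device through each image in turn and return its quote."""
    dev = scheme()
    for fw in history:
        dev.boot(fw)
    return dev.quote()
```

The two devices produce identical PCR quotes once both run FW2, while their cumulative logs differ and the rogue entry fails the verifier's check.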
Slide 3: Contributions
• Design & prototype of Cumulative Attestation Kernel for Flash MCUs with MPUs
• Experimental performance evaluation of prototype
• Formal verification that prototype satisfies important correctness and fault-tolerance properties
Slide 4: Security Requirements
• Comprehensiveness: Audit log must represent all firmware ever active on system
• Accuracy: Active firmware must be recorded as latest entry in audit log
• Must be possible to verify devices remotely over high-latency network
  – Offloading attacks must be considered
Slide 5: Threat Model
• Prevents remote attacks over network from scaling
• Sample demand response attack:
  – Millions of meters slowly compromised
  – At some point in future, all cut off power at the same time
  – Bad effects on grid!
Slide 6: Other Potential Target Systems
Intelligent Electronic Device:
  - Monitors and controls state of electric power grid
  - Physically protected, but potentially network accessible
Pay-As-You-Drive (PAYD) Auto Insurance:
  - Records data used as input to critical financial processes
  - Located in unprotected, hostile environment
  - Occasional network connectivity
Slide 7: Platform-Imposed Requirements
• Cost-effectiveness
• Energy-efficiency
• Suitability for hardware protections
• Fault-Tolerance/Robustness
Slide 8: Target Platform: 32-bit Flash MCUs
• 8-bit Flash MCUs:
  – Atmel AVR MEGA 1280:
    • 128KiB Flash
    • 8KiB RAM
    • 4KiB EEPROM
    • 16 MIPS
• 32-bit Flash MCUs:
  – Atmel AVR32 UC3A0512 (April 2007):
    • 512KiB Flash
    • 64KiB RAM
    • 91 MIPS
    • Memory Protection Unit
Slide 9: Design/Prototype Characteristics
(Figure: layout of the 512KiB flash; regions labelled 88KiB, 40KiB (107 events/upgrades) and 191.5KiB.)
Kernel RAM: 12KiB out of 64KiB
Slide 10: Lack of FW Upgrade Fault-Tolerance
(Figure: Firmware Buffer (Segments #0–#3) written into Application Firmware (Segments #0–#3); no staging area or progress record, unlike slide 11.)
Slide 11: Fault-Tolerant FW Upgrades
(Figure: Firmware Buffer (Segments #0–#3) and Application Firmware (Segments #0, #1, #3, with Segment #2 in flight); a Staging Area holding Segment #2; and a System State record with an UpgradeProgressPointer whose phases are Staging, Backup and Finishing.)
Slide 12: Fault-Tolerant Flash FS
(Figure: three copies of the file set, each holding File #1, File #2, …, File #n: the Persistent Copy, the Working Copy and the Persisted Working Copy.)
Slide 13: Verification Challenges
• Ideal goal: Verify important properties using specification derived directly from implementation code
• Challenges in achieving goal:
  – C has ill-defined semantics and code tends to be more verbose and less-organized than that of higher-level languages
  – Attempted to use subset of C# compiled to native code to implement system
• Finally implemented system in C++ and manually derived model
Slide 14: Experimental Results - Time
Slide 15: TPM Power Measurements
Slide 16: Prototype Results – Energy Efficiency
TPM idle power consumption: 10.6 mW
Slide 17: Power Efficiency Implications
• SCE deploying 5.3 million meters
• Annual TPM idle energy consumption: ~500MWh (~45 average US households)*
* http://tonto.eia.doe.gov/ask/electricity_faqs.asp
Slide 18: Verification Overview
• Object-oriented Maude with continuations
• Model checker, using Linear Temporal Logic to express theorems
Slide 19: Model Assumptions
• Flash write and program upgrade operations can be interrupted at any time by a reset operation
• Recovery operations subsequent to such an interruption can also be repeatedly interrupted (but not forever!)
• Memory write operations result in unpredictable (“garbage”) data in the destination location when interrupted
Slide 20: Verification Strategy
• Phase 1: Verify complex system interactions, assuming that storage primitives are fault tolerant
  – Firmware upgrades and rollbacks
  – Corresponding audit log operations
• Phase 2: Verify storage primitive fault tolerance
  – Static flash filesystem fault tolerance
  – Firmware upgrade fault tolerance
• Attempting to merge the two phases overloads the Maude model checker (segfault)
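The segment-wise upgrade of slides 10/11 and the reset model of slides 19/20, simulated in Python as an added example (not the paper's C++ prototype or its Maude model): a reset may interrupt any flash write, leaving garbage behind, and recovery may itself be interrupted again. The per-segment order Staging → Backup → Finishing (new segment to the staging area, old segment into the buffer so rollback stays possible, staged segment into application flash) and the atomic progress-pointer commit are my assumptions; slide 10's direct copy, with no pointer, would be left torn by the same reset.

```python
from itertools import combinations

GARBAGE = "??"  # an interrupted flash write leaves unpredictable data (slide 19)
class Reset(Exception): pass  # a reset interrupting the flash write in progress

class Device:
    def __init__(self, old_fw, new_fw, reset_at=frozenset()):
        self.app = list(old_fw)       # Application Firmware, n segments
        self.buffer = list(new_fw)    # Firmware Buffer: new image, already received
        self.staging = [None]         # Staging Area: room for one segment
        self.state = ("Staging", 0)   # System State: phase + UpgradeProgressPointer
        self.reset_at = reset_at      # ordinals of the writes a reset will interrupt
        self.writes = 0
    def write(self, region, idx, value):
        self.writes += 1
        if self.writes - 1 in self.reset_at:
            region[idx] = GARBAGE     # torn write: the destination holds garbage
            raise Reset()
        region[idx] = value
    def upgrade(self):
        """Resume from the committed phase/pointer; each step re-reads an intact source."""
        phase, i = self.state
        while i < len(self.app):
            if phase == "Staging":      # new segment -> staging (buffer[i] still intact)
                self.write(self.staging, 0, self.buffer[i]); phase = "Backup"
            elif phase == "Backup":     # old segment -> buffer, kept for rollback
                self.write(self.buffer, i, self.app[i]); phase = "Finishing"
            else:                       # Finishing: staged segment -> application flash
                self.write(self.app, i, self.staging[0]); phase, i = "Staging", i + 1
            self.state = (phase, i)     # commit; assumed atomic (the slide 12 FS's job)

def run_upgrade(old_fw, new_fw, reset_at=frozenset()):
    dev = Device(old_fw, new_fw, reset_at)
    while True:
        try:
            dev.upgrade()
            return dev
        except Reset:
            pass                        # reboot: the kernel resumes from the progress pointer

def survives_every_reset_schedule(old_fw, new_fw, max_resets=2):
    """Slides 19-21 in miniature: try every schedule of up to max_resets resets."""
    n_writes = 3 * len(old_fw) + max_resets
    for r in range(max_resets + 1):
        for sched in combinations(range(n_writes), r):
            dev = run_upgrade(old_fw, new_fw, frozenset(sched))
            if dev.app != list(new_fw) or dev.buffer != list(old_fw):
                return False
    return True
```

A finite reset schedule stands for the "interrupted repeatedly, but not forever" assumption; the exhaustive check is the same shape as the model-checking runs, only far smaller.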
Slide 21: Proof Generation Methodology
• Expressed theorems in Linear-Temporal-Logic
• Automatically checked theorems using Maude model checker
Slide 22: Conclusion
• Cumulative Attestation Kernels address the need for strong remote firmware integrity monitoring of flash MCUs with memory protection hardware
• Developed efficient prototype CAK
• Verified correctness and fault-tolerance properties using model checker