On the TOCTOU Problem in Remote Attestation

by Ivan De Oliveira Nunes, et al.

We propose Remote Attestation with TOCTOU Avoidance (RATA): a provably secure approach to address the RA TOCTOU problem. With RATA, even malware that erases itself before the next RA execution cannot hide its ephemeral presence. RATA targets hybrid RA architectures (implemented as Hardware/Software co-designs), which are aimed at low-end embedded devices. We present two alternative techniques, RATAa and RATAb, suitable for devices with and without real-time clocks, respectively. Each is shown to be secure and is accompanied by a publicly available and formally verified implementation. Our evaluation demonstrates low hardware overhead for both techniques. Compared with current RA architectures, which offer no TOCTOU protection, RATA incurs no extra runtime overhead. In fact, RATA substantially reduces the computational costs of RA execution.


