PADS: Practical Attestation for Highly Dynamic Swarm Topologies

06/14/2018 ∙ by Moreno Ambrosin, et al. ∙ Università di Padova Fondazione Bruno Kessler Intel Sapienza University of Rome 0

Remote attestation protocols are widely used to detect device configuration (e.g., software and/or data) compromise in Internet of Things (IoT) scenarios. Unfortunately, the performances of such protocols are unsatisfactory when dealing with thousands of smart devices. Recently, researchers are focusing on addressing this limitation. The approach is to run attestation in a collective way, with the goal of reducing computation and communication. Despite these advances, current solutions for attestation are still unsatisfactory because of their complex management and strict assumptions concerning the topology (e.g., being time invariant or maintaining a fixed topology). In this paper, we propose PADS, a secure, efficient, and practical protocol for attesting potentially large networks of smart devices with unstructured or dynamic topologies. PADS builds upon the recent concept of non-interactive attestation, by reducing the collective attestation problem into a minimum consensus one. We compare PADS with a state-of-the art collective attestation protocol and validate it by using realistic simulations that show practicality and efficiency. The results confirm the suitability of PADS for low-end devices, and highly unstructured networks.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Smart Internet of Things (IoT) devices are used in many different fields, ranging from simple small scale systems, such as home automation, to large scale safety-critical environments, e.g., in military systems, drone-based surveillance systems, factory automation, or smart metering. Unfortunately, their role in critical systems, their low cost nature, and their wide usage, make IoT devices an attractive target for attackers [28]. Security in IoT is thus a major concern, to guarantee both the correct operational capabilities of devices, and prevent data thefts and/or privacy violations.

Malwares represent a major threat to IoT systems, through which attackers replace the original firmware from the devices with malicious code, to perform larger attacks [2, 3]. One effective way to detect these types of attacks is remote attestation, an interactive protocol between a prover () and a remote verifier () that allows to assess the integrity of ’s configuration (e.g., firmware and/or data). In a remote attestation protocol, sends a challenge to ; computes a measurement (typically a hash) of its configuration, and returns such measurement to , integrity and authenticity-protected with a Message Authentication Code (MAC), or digitally signed. then checks whether: (i) the received data is authentic; and (ii) if the received measurement conforms to an expected “good configuration” (e.g., taken from a database of known “good configurations”) [18, 19]. As reported in recent alternative solutions, the device itself can check whether the configuration is correct, and simply report a (signed or MAC-ed) binary value indicating whether attestation was successful or not [5]. Furthermore, to better match autonomous systems requirements, attestation can be started by rather than , at predefined points in time [22]. The security of remote attestation protocols, in practical settings, is guaranteed by a hybrid combination of software and hardware [16, 10], which acts as a root of trust for measurement in the device.

Unfortunately, remote attestation is hard to scale in its basic form. Indeed, its overhead is linear in the number of provers in a system, making it potentially unpractical for very large deployments, e.g., networks of autonomous and/or collaborating low-end devices. For this reason, in the past years researchers tried to design novel protocols, called collective attestation protocols, to allow attestation to scale, while retaining useful security properties [7, 5, 11, 24]. Previous work, however, focused on networks with mostly static topologies, scaling attestation over spanning trees, which are difficult and expensive to maintain in networks with faulty links, and/or dynamic topologies. Examples of this type of settings are decentralized coordination of Unmanned Aerial Vehicles (drones) [30, 13] or adaptive driverless cars traffic flow management [31, 17, 20].

Idea and Contribution. In this paper, we propose a novel protocol for efficiently and effectively collect attestation proofs from provers in highly dynamic networks of autonomous devices. Inspired by the sensor fusion literature [9], we take a different approach with respect to previous works. We start from the concept of non-interactive attestation [22], and turn the problem of efficiently collecting attestation proofs from provers, into a distributed consensus problem: A network of agents (i.e., provers) attest themselves (as in [22]), and then corroborate their individual results into a “fused” attestation result via minimum consensus. The final collective result will carry sufficient information to tell which devices in the network are in an healthy state, i.e., run a correct version of the firmware, and which are compromised. Our solution perfectly fits with networks of autonomous devices that operate without a central unit coordinating the operation.

We achieve this goal through PADS, the first protocol that supports attestation on highly dynamic and unstructured networks. PADS presents several key advantages w.r.t. existing literature:

  • It does not require the establishment of an overlay spanning tree to efficiently carry out the collective attestation process, and as such, it is suitable for unstructured networks;

  • It does not require provers to be always online and/or reachable during the whole attestation process;

  • It is computationally efficient and suitable for resource-constrained devices, and protocols;

  • As in [22], PADS starts at (and produces an attestation result related to) given points in time, and the verifier can at any time obtain the status of the network by querying any prover in the network;

  • It opens for intelligent uses of attestation results, e.g., healthy nodes can know the status of other nodes and exclude compromised nodes from computation.

We show the performance of PADS through simulations, and compare it against SANA [5]. Our experimental results confirm the suitability of PADS for low-end devices, and highly unstructured networks.

2 Related Work

Asokan et al. [7] first highlighted the challenges in remote attestation for large swarms of low-end devices, and proposed SEDA, a scalable protocol for collective attestation. SEDA allows to perform attestation over an (overlay) spanning tree, rooted at ; each device attests its neighbors, and reports back to its parent (in the spanning tree). Each device in SEDA is equipped with the minimal hardware requirements necessary for attestation on embedded devices, i.e., a Read-Only Memory (ROM), and a Memory Protection Unit (MPU) [18]. SEDA provides an efficient mechanism to perform attestation, but requires full connectivity among nodes during the whole attestation process. DARPA [21] improves the resiliency of SEDA against strong attackers, by allowing nodes to collaboratively detect hardware-compromised devices. Unfortunately, DARPA inherits most of the main limitations of SEDA when it comes to dynamic networks. Ambrosin et al. [5] proposed SANA, an end-to-end secure protocol for collective attestation that, compared to SEDA, limits the strength of hardware attacks, is publicly verifiable, and does not require all the nodes in the system to be equipped with a Trusted Execution Environment (TEE), making it usable in heterogeneous deployments. SANA allows untrusted nodes to aggregate attestation proofs collected from provers, using a generalized aggregate multi-signature scheme. While resolving most of the major shortcomings of SEDA, SANA still requires full connectivity among devices; moreover, it introduces severe overhead on low-end provers. More recently, [11] propose two remote attestation protocols that improve SEDA with respect to scalability and resiliency to hardware attacks. However, [11] requires full connectivity among devices for the whole attestation process. Remarkably, the recent work in [24] improves SEDA by supporting more dynamic networks, at the price, however of additional complexity in the system (election of clustered nodes, etc.). More recently, Ibrahim et al. proposed SeED [22], a protocol that allows to perform a prover-initiated series of attestation step at different random points in time. This represents a good fit for several applications, and in dynamic networks. Unfortunately, SeED leverages SEDA to scale to collective attestation, and thus inherits its limitations. More recently, Carpent et al.[12] proposed ERASMUS, a remote attestation protocol for unattended devices which unlike other RA schemes promises to identify mobile adversaries between two successive attestation periods. Although it substantially minimizes prover’s computation but [12] leverages SEDA or LISA [7, 11] for collective attestation of swarms. Thus inherits their shortcomings.

3 System Model and Assumptions

3.1 System Model

We consider a network modeled as a graph with vertices and edges of interconnected (possibly low-power) devices. The number of edges in is static, with ; however, the topology of the network is highly dynamic, i.e., may vary over time. To make this explicit, we denote with the set of edges in at time instant . In a similar way, we use subscripts from a set of time instants with all other variables that range over time. We further indicate with the set of all the vertex neighbors of a vertex , at time , i.e., . From a communication standpoint, a device (i.e., a vertex) could be either unresponsive, or inactive. An unresponsive device is a device with which communications have been interrupted for some reason, for example, intentionally or for physical causes, e.g., the connection experienced interference. An inactive device is a device which does not participate in any communication with other devices, e.g., an isolated device in the network. A device is active or responsive if it is not inactive and we denote with the set of devices that are responsive at time instant .

Similarly to previous works in this area [7, 5], we define a collective attestation protocol as a protocol between the following entities: prover (), and verifier (). Each vertex in is a prover , and thus, in the remaining of the paper, we will use to refer to vertex in . We assume the existence of at least one verifier , which is not part of . As shown in Fig. 1, can communicate only with the provers that are in its communication range, as well as responsive, at a certain point in time .

Figure 1: Target system model for PADS. Provers communicate wirelessly with entities withing their wireless coverage, and are mobile; as such, at different points in time, the topology may change ( and in the picture). Similarly, the verifier can communicate with any prover in its wireless coverage.

3.2 Security Model

Prover Capability Requirements and Assumptions. In line with all the previous works in swarm attestation [7, 21, 5, 11], and in particular according to very recent works on non-interactive attestation [22], we assume each device presents the following minimal features: (i) A Read-Only Memory (ROM), where integrity-protected attestation code should reside; (ii) A Memory Protection Unit (MPU), that allows to enforce access control on areas of the memory, e.g., read-only access to certain memory areas exclusively to attestation protocol code [18]; (iii) A secure Real-Time Clock (RTC) [21], to tie the generation of the attestation proof to the current time; and (iv) A secure attestation trigger (AT) [22], i.e., a dedicated circuit that should be non-interruptible by the operating system running on the device.

Existing popular designs for embedded devices, such as SMART [16], TrustLite [23], or TyTAN [10], natively provide ROM and MPU capabilities, and have been used in most (if not all) previous works as reference architectures. The latter two features, RTC and AT, are provided by additional (yet minimal) dedicated hardware components, as shown in [22].

Device Classification.

From a security standpoint, in line with previous works, we classify a device with a provably correct (i.e., attestable) configuration as

healthy; in case the configuration is not correct, we classify the device as compromised.

However, as we deal with very dynamic networks, i.e., where over time may be a disconnected graph, could not be able to always determine the status of a device as healthy or compromised. On one hand, while healthy nodes usually are assumed to correctly follow the attestation protocol, it may happen that they do not reply to communication requests from other devices because inactive, e.g., they are busy, or decide to turn into an idle state to save battery during inactivity, or unresponsive for physical causes (e.g., a prover device moving out of range during a communication). On the other hand, a compromised prover may refuse to respond to try to evade detection. As a consequence, considering an unresponsive or inactive prover as compromised is, in principle, a wrong conclusion. From a communication perspective, we refer to provers that cannot be reached over the whole duration of the attestation protocol as unreachable, while we refer to provers that at least at one point in time take part in the protocol as reachable.

Given the above, from a security perspective we consider three possible outcomes of the attestation process, for a prover: Healthy, which means that the device is reachable, and has a correct configuration; Compromised, which means that device is reachable, but the running software configuration is incorrect; Unknown, which means that the device was unreachable, and thus not “covered” by the attestation protocol.

Adversary Model. We consider the following types of adversary:

  • Communication Adversary (): Conforms to the Dolev-Yao model [15]. is assumed to be fully in control of the communication channel between provers, and between provers and . This adversary can perform several types of attacks: (i) drop attestation reports from provers; (ii) replay attestation reports from provers, e.g., replay correct attestation reports even after a device is compromised; (iii) forge attestation reports from provers to change their value.

  • Software Adversary (): A purely software adversary can exploit vulnerabilities in provers’ software, e.g., to remotely inject malware (i.e., modify existing code, introduce new malicious code, or read unprotected memory locations). may adopt several strategies to remain undetected, such as: (i) Modify the code responsible for attestation inside the prover; (ii) Extract ’s security parameters; and (iii) Manipulate ’s clock to trigger future correct measurements of current software [22].

  • Mobile Software Adversary (): It is a software adversary that tries to evade detection by “physically moving”. As an example, compromised provers can keep sufficient distance from other provers to remain “undetected” by other approaching devices.

Finally, similarly to previous work in the area, we consider both physical adversaries and DoS attacks on provers out of the scope of this work.

Key Management. Key management has been studied extensively over the past years in several fields, e.g., in the context of Wireless Sensor Networks and Internet of Things (the reader may refer to [33] for a comprehensive survey of main approaches). While several previously proposed schemes may be adopted in our design, for the sake of simplicity we consider two main options: (1) enable the use of a naïve master key shared by all the devices in , and kept in a hardware-protected key storage, similar to [11]; or (2) adopt individual public/private key pair (and certificate) for each device, in order to allow message authentication or to exchange pair-wise symmetric keys. The choice here, as suggested in [11], depends on the type of adversary from which the scheme wants to protect against: indeed, it is clear that a shared master key would not mitigate an hardware attacker, while the use of (2) would limit the impact of an hardware compromise, at the price, however, of an higher cost in terms of performance.222ECDSA signature generation can take a thousand time more compared to a SHA-1 based MAC, to be computed on a resource-constrained platform [7]. Both options are valid, and the decision should be made depending on the trade-off between performance and security. In what follows, we target software-only attackers and, for ease of exposition, similarly to [11], we consider the symmetric case (1) to describe and evaluate PADS. Appendix 0.A briefly discusses potential consequences of having a stronger adversary in the system.

Requirements. We consider the following requirements for a secure non-interactive collective attestation in a highly dynamic environment:

  • Resiliency. The protocol must be resilient to cases where nodes mobility causes failures in (and consequent modifications to) the communication links between devices.

  • Efficiency. The lack of a topology makes collective attestation harder; nevertheless, the protocol should be efficient for large scale network of resource-constrained devices.

  • Heterogeneity. The collective attestation protocol shall support an heterogeneous population of devices, with different configurations.

  • Unforgeability. The collective attestation protocol shall guarantee that no software compromised device can forge an attestation result.

  • Low complexity. The collective attestation protocol should not require complex network and/or routing management.

4 Preliminaries and Notation

4.1 Minimum consensus

In this paper we rely on the minimum consensus protocol [26] to share attestation results among provers, and iteratively converge to a “snapshot” of the status of the network. can obtain the collective status of the network by query any prover in . Consensus algorithms have been proposed to overcome the necessity of distributed and fault-tolerant computation and information exchange algorithms. These protocols perfectly fit the constrains of networks characterized by: (i) no centralized entity coordinating computation, communication and time-synchronization, (ii) topology not completely known to the nodes of the network, and (iii) limited computational power and energy resources [9]. Consensus algorithms have wide application in wireless sensor networks [25, 26], unmanned air vehicles (UAVs) coordination [27], swarm flocking [8], and many other application scenarios attributable to IoT.

Of particular interest for our work are asynchronous consensus protocols [25, 26], where nodes periodically broadcast their status to neighbors within their connectivity radius. In practice, any node receives information by the neighborhood, updates his status333There is no need for a real update synchronization among the nodes. and shares the new state to his neighbors. By having each node iterating such step multiple times, the state of all the network nodes converges to the same consensus. The minimum consensus protocol [26] we are using in PADS distributively computes the minimum of the observations (attestation) provided by the nodes of the network. The input sequence of the minimum consensus protocol is represented by the sequence = (, …,  ), representing the inputs of the nodes in the network. According to [25], given , the protocol generates a sequence of observation states and in the step any node of the network updates its status by computing , where is the set of neighbors of the node (more details are provided in Section 5).

Finally, previous research works [32, 14] showed that distributed consensus protocols converge in a finite amount of time (i.e., steps), whose upper bound depends on the structure of the graph.

4.2 Notation

Table 1 introduces the notation we will use in this paper. Let represent the set of all bit strings of length . We use to represent a uniformly random sampling from a set , and with the cardinality of a set . PADS security relies on message authentication code (MAC), and pseudo-random number generator (PRNG).

A MAC is a tuple of probabilistic polynomial time algorithms (, , ). takes as input a security parameter , and outputs a symmetric key ; and are, respectively, the computation of a MAC on a message using a key , and the verification of the MAC computed on a message using key (1 = valid MAC, 0 otherwise).

A PRNG is a probabilistic polynomial time algorithm . takes as input the previous state (at time ), and outputs a (pseudo-)random value , as well as its current state .

= (, ) Network of provers at time , with edges and vertices .
, Prover and verifier, respectively.
Neighbors of prover at time , in .
Set of active and responsive provers at time .
Size of the network, i.e., number of provers in .
Symmetric attestation key shared among provers in .
Time at which an attestation is performed.
Maximum time interval between two consecutive attestation runs.
PRNG secret seed, shared among provers.
Attestation result of at time .
Observation of network’s (attestation) status from at time , in the form of a bitmask of bits.
-th bits couple in representing the status of -th prover in .
Table 1: Notation.

5 PADS: Efficient Attestation

5.1 Protocol Rationale and Overview

The goal of PADS is to cope with settings with a high mobility degree. To this end, PADS achieves network attestation by corroborating individual attestation reports from devices, via consensus.

At a high-level, PADS works as follows. At the same point in time , each prover performs a local self-attestation step, checking whether its software configuration (i.e., its measurement ) corresponds to a known “good configuration”; this is achieved by matching it against a list of pre-installed, and thus static, configurations  (similar to [5]). If the configuration is “good”, i.e., , ’s local attestation procedure outputs , and otherwise.

Minimum consensus is used to spread the knowledge about each node state through the network. In order to let to obtain a “snapshot” of the status of the network from any prover, we let each prover maintain the status of the whole network, and update it iteratively. To ease an hardware implementation (see Section 5.2 for the details), we represent the three attestation outcomes introduced in Section 3.2 using the following 2 bits values:

  • Compromised (): responsive compromised prover.

  • Healthy (): responsive healthy prover.

  • Unknown (): healthy or compromised prover that is unreachable.

It follows that, from a consensus perspective, an observation for a prover is a bitmask of bits, reporting attestation information for the whole network . We indicate with , the attestation information relative to prover in , i.e., the -th pair of bits in .

When the consensus protocol starts after attestation, a prover has only knowledge about its attestation outcome , and thus sets ; having no knowledge on the state of other devices yet, the remaining pairs of bits in are set to , i.e., to represent the “unknown” state. In subsequent steps, provers exchange and combine their observations through the consensus algorithm, this way iteratively building a unique “view” of the status of the network. During a generic step any node broadcasts its (MAC-ed) observation about the network and receives (MAC-ed) observations from active devices 444Synchronization among devices is not really needed in the protocol and has been introduced for simplicity.. Note that, a compromised device transmitting a fake message can be identified from a wrong MAC (recall that, as stated in Section 3.2, the MPU in the device can prevent access to the memory area where resided); combines the observations of and the received observations from as:


Similarly other nodes update their status. Note that, if we restrict the set of possible values for every to , Eq. 1 can be efficiently computed using the operator.

In order to guarantee the correctness of the consensus results, the value of is stored in a access-restricted area of , protected by MPU inside the device; furthermore, messages are integrity protected by a MAC computed using a common key shared by all devices, and secured in an read/write protected area of the memory. Repeating updates using the consensus algorithm through all the network spreads this information to all nodes in .

Finally, in order to obtain the status of the network, queries any device in ; if the latter is not compromised ( verifies this by asking from ), it will return the consensus state representing its knowledge about each node. This allows to obtain an immediate approximation of the status of the network, limited by some uncertainty; such uncertainty derives from provers not replying, and/or information that has not yet reached the node. We underline that can query a anytime during the protocol. However closer is the query to , highest is the uncertainty.

5.2 Protocol Details

PADS comprises four phases: initialization, self-attestation, consensus, and verification (the latter two shown in Fig. 2).

Figure 2: PADS’s and procedures shown for a single reachable prover .

Initialization. Similar to [11], we assume for simplicity that nodes in the network are pre-provisioned with a shared symmetric key . As discussed in [11], this is sufficient in a software-only adversarial setting. Furthermore, we assume each prover is provisioned with the set of known good configurations (i.e., hash values); this list is either assumed to be static, or infrequently securely updated. Finally, as in [22], provers are provisioned with a shared secret seed that they will use to autonomously calculate a pseudo-random sequence of attestation times. Alternatively, the whole sequence of attestation times may be securely stored inside the device, at the price however, of a larger memory occupation.

Self-attestation. The next attestation procedure is performed at a certain point in time , which is computed by device’s secure clock using the function , and triggered by secure clock’s function . Each prover executes a self-attestation procedure. This procedure is similar to the one in [22], but with a major difference: measures its configuration producing a measurement value , but instead of sending to , it performs a “self-assessment”. More precisely, at time each computes the hash of a predefined area of the memory – 555The part of the memory measured during attestation can vary, and depends from the specific applicative scenario.. As in [5], this result is then checked against the (set of) good configuration(s) , pre-stored inside the device, using the function. The result of this operation is , i.e., 1 if the configuration is a good one, and 0 otherwise. further sets if , and otherwise.

Consensus. In this phase, provers corroborate their “observations” of the status of the network, using the distributed minimum consensus introduced in Section 4.1. The goal is to jointly converge to the same “view” of the network, represented as a bitmask. To do that, periodically each prover broadcasts its observation, i.e., at time ; this is the bitmask representing a snapshot of the status of the network, together with a timestamp , and a MAC taken over , , and . Every other prover receiving a (broadcast) message, verifies the MAC , checks whether resides within a valid time interval (to prevent reply attacks), and finally performs the minimum consensus calculus according to Eq. 1.

Verification. collects the final network status , i.e., the result of the collective attestation protocol, from a prover , randomly chosen from .

executes this final step in any moment after a “reasonable” amount of time

, which can be estimated by

, or simply fixed. Furthermore, the choice of may be dictated by physical conditions, e.g., is in proximity of . The final verification step is as simple as listening the message broadcasted by , verifying the MAC on it (using ), and check whether resides within a valid time interval (i.e., within the range ). If any of the above checks fail, outputs , i.e., the result of the collective attestation process is ; otherwise, will output , and the representativity value , and records all the goods and compromised devices.

5.3 Security of PADS

We now discuss the security of PADS against the adversary model introduced in Section 3.2. In a collective attestation protocol, the goal of a local and/or remote adversary is to modify the configuration (e.g., firmware and/or data) of one or more provers , and evade detection from the verifier . This can be formalized as a security experiment , where interacts with and during the execution of the protocol. After a polynomial number of steps in , outputs (,), where is the attestation result ( if it accepts attestation result, otherwise ) and is a measure of the quality of the fetched attestation result. We define the result of the experiment as the output of , i.e., .

We consider a collective attestation protocol for dynamic networks to be secure, if is negligible in , with polynomial in . In other words, a collective attestation protocol for dynamic networks is considered secure if it is computationally infeasible for a (polynomial) attacker to induce to accept a fake attestation result. It follows that PADS is a secure collective attestation protocol for dynamic networks, if: (1) the MAC, e.g., a Hash-based MAC (HMAC), in use is selective forgery resistant, and (2) the adopted pseudo-random number generator is cryptographically secure. PADS adopts SeED [22] to perform self-attestation at pseudo-random points in time; as such, we refer the reader to [22] for a proof of the security of self-attestation scheme, and we use it as a building block in our security discussion.

In what follows, we will focus on the consensus part of the protocol, and discuss the security of PADS w.r.t. a communication adversary , a software adversary , and a mobile adversary .

  • Communication Adversary (). can try to either forge a message exchanged among provers, or the ones exchanged among a prover and

    , or try to “reuse” an old good attestation message. Both attacks will fail, since: (i) the probability for

    , or a prover to accept a message with a forged MAC is negligible in ; and (ii) each attestation message contains both the time of attestation , and a timestamp , which guarantee the freshness of the received message.

  • Software Adversary (). A purely software (remote) adversary may attempt the following attack strategies to remain undetected: (i) Modify the code responsible for attestation inside the prover; (ii) Extract ’s security parameters; and (iii) Manipulate ’s clock to trigger future correct measurements of current software [22]. These attacks have been proven infeasible for a polynomial attacker in [22]. Furthermore, similarly to self-attestation, consensus operations are performed by a piece of code protected by secure boot.

  • Mobile Software Adversary () Assume at time a mobile (software-only) adversary compromises a prover before the next attestation time , and tries to avoid detection by simply not taking part to the protocol, e.g., physically move out of the communication range of other provers in . As a result, no prover in will modify the part of the bitmask related to the compromised prover, , whose value will remain ; this information will not affect the decision of , who may decide, adopting a conservative approach, to consider as compromised.

6 Implementation and Evaluation

We base our evaluation of PADS on SeED [22], a recently proposed protocol for devices self-attestation. Fig. 3 shows the implementation design of PADS on top of the enhanced version of TrustLite [23] used in [22]. SeED [22] extends TrustLite with a Real-Time Clock (RTC) that is not modifiable via software (i.e., that is write protected), and an Attestation Trigger (AT) that updates and monitors the value of a timer stored in a secure register.

Figure 3: Implementation of PADS based on SeED [22] and TrustLite [23].

We quantify PADS performance based on runtime, energy consumption, and memory overhead. Furthermore, we evaluate the ability for PADS to “cover” a sufficiently wide area of the “reachable” provers population, within a certain time , using the following notion of coverage:

Definition 1 (Coverage)

We say that at time PADS has coverage , if at least a portion of the provers in hold information of at least a portion of the reachable provers population.

As an example, in a network of 100 provers, where 10% of them are unreachable, = 90% means that 80% of the 90 reachable provers in hold information about the 90% of them. Intuitively, the higher the level of coverage, the higher the number of update steps that are required. This has clearly an impact in the performance of the protocol, that we estimate and present in the following. As in [7], in our evaluation we consider a SHA-1 based HMAC.

Memory Overhead. In a shared key setting, i.e., all the provers share the same symmetric key for attestation, the required memory overhead for PADS depends on , the number of allowed configurations in , and the size of the bitmask, which grows linearly with the number of provers . Overall, let , and considering each element of  of 20 B, regardless from the coverage, we can quantify the memory overhead of PADS as bits.

Communication Overhead. During PADS’s consensus phase, each prover transmits (and/or receives), at every time : its bitmask ( bits), the attestation time (32 bits) , the timestamp (32 bits), and one HMAC (160 bits). In total: . Clearly, depending on the underlying layer 2 protocol and the size of the network, we may have more or less fragmentation of the transmitted data. In low-power settings, it is desirable to limit the number of transmitted frames, and thus, the “maximum” size of the network that PADS can serve depends on the payload size offered by the underlying layer 2 protocol.

Energy Consumption. We base our estimation of the overall energy consumption on the required energy for sending and receiving a single PADS message, and to compute the main cryptographic operations. Let , , , and denote, respectively, the energy required to send a byte, receive a byte, calculate one HMAC, calculate the minimum consensus over the received bitmask, and perform self-attestation. Recall that, at each round each prover sends: the bitmask , the attestation time , a timestamp , and one HMAC. Thus, we can estimate the energy consumption for sending and receiving a single PADS message for as:

Let be the number of rounds of consensus required by the protocol. To provide an overall estimate of the energy required by PADS, without loss of generality we assume each prover shares its bitmask at fixed time intervals . Recall that is the set of neighbors of prover at time . At each time , a prover computes an HMAC, broadcasts a packet, receives a number of broadcast messages from its neighbors , and verifies the HMAC associated with them. We estimate the energy required by PADS for a prover as:

Runtime. Similar to previous works, we evaluated PADS’s runtime using Omnet++ [4], and the MiXiM [1] framework (for realistic communication protocol simulation and mobility). We considered networks of medium-large sizes, from 128 to 16,384. In our simulation we consider provers to have specifications comparable to the one in [22], and thus used their reported micro-benchmarks as parameters of our simulation. All the communications are carried out over the IEEE 802.15.4 MAC layer protocol, the de-facto standard protocol for IoT [7, 5, 6]. The IEEE 802.15.4 protocol provides a maximum data rate of 250 Kbps, a maximum coverage of 75 m, and a frame size of 127 B. We investigated the performance of PADS in two scenarios: (1) A scenario where provers move following a random path. To model provers mobility, we randomly deployed provers over a simulated area of size proportional to the number of devices (e.g., simulating an area covered by a swarm of drones), starting from  m for 128 provers. The random movement of provers makes the network dynamic and loosely connected. (2) A static scenario, as considered in previous work, where provers are organized in three topologies of various branching factor; in this setting, we compare the runtime of PADS w.r.t. SANA [5].

Before presenting our results, in order to measure the runtime of PADS we define the notion of Minimum Coverage Time (MCT):

Definition 2 (Min Coverage Time)

The Minimum Coverage Time (MCT) for PADS, given a desired coverage level , is the minimum amount of time necessary to reach . Formally:

We measured the runtime of PADS as the average MCT. We used delays to simulate provers’ internal operations, according to [7] and [22]. We considered 48 ms as the time it takes to compute both a hash, and an HMAC [7]. Furthermore, for every generated attestation response, the overhead introduced by the self attestation part of PADS is 187 ms [22]. This is approximated by the generation of 32 random bits, and the calculation of a hash over the amount of memory to be attested. Note that, different from [22], we do not compute an HMAC on the measurement, as the measurement is not sent to the verifier, but checked locally; thus, our evaluation is conservative.

For different levels of coverage, we measured the average time for that coverage to be reached (average of 50 runs), considering network of small-large sizes, from 128 to 8,196 devices; we adopted a static rate for broadcasting the bitmask, i.e., 500 ms. Furthermore, we considered all the provers, either good or compromised, to participate to the attestation process. Results are presented in Fig. 4. As we can see from Fig. a, PADS can reach, on average, 95% of coverage for the 95% of the population (i.e., ) with a MCT lower than 70 seconds, for populations of 8,196 devices. Furthermore, as indicated in Fig. b, the coverage grows more than linearly over time (shown for and in Fig. b).

In a completely dynamic setting, PADS runtime shows a non-negligible growth. This is mainly due not only to the increase of the population, but also on the amount of data to be transmitted (which grows linearly in the number of provers). Despite this growth, PADS presents a remarkably manageable overhead for large networks, which makes it a good match for practical applications. Furthermore, we stress that, while previous work would have failed completing the attestation process due to the high degree of mobility of this scenario, PADS allows to complete the attestation process.

(a) PADS runtime
(b) Variation of and avg. steps number for
Figure 4: Evaluation of PADS in mobile wireless setting, varying number of provers and size of the area (proportionally to the number of provers); broadcast frequency is 500 ms. Fig. a shows the runtime of PADS considering different values of ; Fig. b shows the relation between and average number of steps.

We further compare PADS with SANA [5], a recently proposed collective attestation scheme, which outperformed previous work in the literature. We run both protocols on static tree topologies of branching factor () 2 and 3, using for PADS a broadcast frequency of 100 ms. Results are shown in Fig. 5. As we can see, PADS has a lower runtime (i.e., MTC) compared to SANA, mainly due to the more lightweight cryptography involved. Furthermore, we can see how the runtime of PADS diminishes with the branching factor of the tree topology. This confirms the low overhead of our protocol, even for large networks of more than 16,000 devices. We finally remind that the time necessary for verifier to obtain the final attestation results in PADS is the time necessary for querying a single device; that is, the collection of the final result is separate from the collection and agregation of the single attestation proofs. In SANA, instead, the attestation protocol starts after the verifier queries the first node; in this case, has to wait until the protocol is concluded.

Figure 5: Runtime of PADS vs SANA [5], varying number of nodes and , with . We considered up to 50 different configurations, and 60% compromised provers.

7 Conclusions

This paper presented PADS, an efficient, practical, and secure protocol for attesting potentially large and highly dynamic networks of resource-constrained autonomous devices. PADS overcomes the limitations of previous works in the literature on collective attestation; it uses the recently proposed concept of self attestation, and turns the collective attestation problem into a minimum consensus one. We showed the performance of PADS via realistic simulations, in terms of devices capabilities and communication protocol, confirming both the practicality and efficiency of PADS.

As a future work, we will investigate ways to reduce the complexity of the protocol in terms of both communication and required processing for devices; we will explore the use of Bloom Filters as a way to reduce the size of the payload, as well as adopting more intelligent techniques to selectively pick messages to use for consensus; we will modify the protocol to manage nodes joining (or leaving) the network after the initial setup.


  • [1] MiXiM framework for Omnet++., 2011.
  • [2] Target attack shows danger of remotely accessible hvac systems., 2014.
  • [3] Jeep hacking 101., 2015.
  • [4] Omnet++ Discrete Event Simulator., 2017.
  • [5] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi, and M. Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In CCS ’16, pages 731–742, 2016.
  • [6] M. Ambrosin, H. Hosseini, K. Mandal, M. Conti, and R. Poovendran. Despicable Me(ter): Anonymous and Fine-grained Metering Data Reporting with Dishonest Meters. In CNS ’16, pages 163–171, 2016.
  • [7] N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi, M. Schunter, G. Tsudik, and C. Wachsmann. SEDA: Scalable Embedded Device Attestation. In CCS ’15, pages 964–975, 2015.
  • [8] V. D. Blondel, J. M. Hendrickx, A. Olshevsky, and J. N. Tsitsiklis. Convergence in Multiagent Coordination, Consensus, and Flocking. In CDC-ECC ’05, pages 2996–3000, 2005.
  • [9] S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah. Randomized Gossip Algorithms. IEEE/ACM Trans. Netw., 14(SI):2508–2530, 2006.
  • [10] F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, and P. Koeberl. TyTAN: Tiny Trust Anchor for Tiny Devices. In DAC ’15, pages 1–6, 2015.
  • [11] X. Carpent, K. ElDefrawy, N. Rattanavipanon, and G. Tsudik. LIghtweight Swarm Attestation: a Tale of Two LISA-s. In ASIACCS ’17, page in press, 2017.
  • [12] X. Carpent, N. Rattanavipanon, and G. Tsudik. ERASMUS: efficient remote attestation via self- measurement for unattended settings. CoRR, abs/1707.09043.
  • [13] P. Dasgupta. A Multiagent Swarming System for Distributed Automatic Target Recognition Using Unmanned Aerial Vehicles. IEEE Trans. Syst., Man, Cybern., 38(3):549–563, 2008.
  • [14] A. G. Dimakis, S. Kar, J. M. Moura, M. G. Rabbat, and A. Scaglione. Gossip Algorithms for Distributed Signal Processing. Proc. IEEE, 98(11):1847–1864, 2010.
  • [15] D. Dolev and A. Yao. On the security of public key protocols. IEEE Trans. Inf. Theory, 29(2):198–208, 1983.
  • [16] K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito. SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust. In NDSS ’12, pages 1–15, 2012.
  • [17] D. J. Fagnant and K. Kockelman. Preparing a nation for autonomous vehicles: opportunities, barriers and policy recommendations. Transportation Research Part A: Policy and Practice, 77:167–181, 2015.
  • [18] A. Francillon, Q. Nguyen, K. B. Rasmussen, and G. Tsudik. Systematic Treatment of Remote Attestation. IACR Cryptology ePrint Archive, 2012:713, 2012.
  • [19] A. Francillon, Q. Nguyen, K. B. Rasmussen, and G. Tsudik. A Minimalist Approach to Remote Attestation. In DATE ’14, page 244, 2014.
  • [20] P. Gora and I. Rüb. Traffic models for self-driving connected cars. Transportation Research Procedia, 14:2207–2216, 2016.
  • [21] A. Ibrahim, A.-R. Sadeghi, G. Tsudik, and S. Zeitouni. DARPA: Device attestation resilient to physical attacks. In WiSec ’16, pages 171–182, 2016.
  • [22] A. Ibrahim, A.-R. Sadeghi, and S. Zeitouni. SeED: Secure Non-Interactive Attestation for Embedded Devices. In WiSec ’17, pages 64–74, 2017.
  • [23] P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan. TrustLite: A security architecture for tiny embedded devices. In EuroSys ’14, page 10, 2014.
  • [24] F. Kohnhäuser, N. Büscher, S. Gabmeyer, and S. Katzenbeisser. SCAPI: a Scalable Attestation Protocol to Detect Software and Physical Attacks. In WiSec ’17, pages 75–86, 2017.
  • [25] R. Olfati-Saber and R. M. Murray. Consensus Problems in Networks of Agents with Switching Topology and Time-Delays. IEEE Trans. Autom. Control, 49(9):1520–1533, 2004.
  • [26] R. Olfati-Saber and J. S. Shamma. Consensus Filters for Sensor Networks and Distributed Sensor Fusion. In CDC-ECC ’05, pages 6698–6703, 2005.
  • [27] W. Ren, R. W. Beard, and E. M. Atkins. A Survey of Consensus Problems in Multi-agent Coordination. In ACC ’05, pages 1859–1864, 2005.
  • [28] S. Security. IoT devices being increasingly used for DDoS attacks, 2017.
  • [29] R. V. Steiner and E. Lupu. Attestation in wireless sensor networks: A survey. ACM Comp. Surveys, 49(3):51, 2016.
  • [30] K. P. Valavanis and G. J. Vachtsevanos. Handbook of unmanned aerial vehicles. Springer Publishing Company, Incorporated, 2014.
  • [31] M. M. Waldrop et al. No drivers required. Nature, 518(7537):20–20, 2015.
  • [32] V. Yadav and M. V. Salapaka. Distributed protocol for determining when averaging consensus is reached. pages 715–720, 2007.
  • [33] Y. Zhou, Y. Fang, and Y. Zhang. Securing Wireless Sensor Networks: a Survey. IEEE Commun. Surveys Tuts., 10(3), 2008.

Appendix 0.A Discussion

Advantages. The first and probably most important advantage that PADS has w.r.t. previous works, is that is suitable for highly dynamic, mobile unstructured topologies, as confirmed by our evaluation. The use of consensus makes the whole proliferation of the attestation results resilient to both temporary device disconnections, and topology changes. Most of the previous works in the area were designed for static topologies, over which a spanning tree should be maintained, with non-negligible overhead; as such, they would most certainly fail in this scenario [7, 5, 21, 11, 22]; one exception is the work in [24], which provides adaptability to changes in the topology, at the price, however, of a complex topology maintenance.

The second main advantage of PADS, is the capability of the verifier to obtain the status of the population by simply contacting a random prover. This, again, makes PADS very resilient against node failures or sudden changes in the topology. This is due to the fact that the whole status of the network is shared among every prover; furthermore, a verifier has the ability to query a device for the status of the network at any point in time, being assured that this would return a valid attestation result, with a utility (i.e., a coverage) dependent on the status of the protocol.

Finally, while growing more than linearly in the number of devices (mostly because the amount of information that each prover must exchange grows linearly in the number of nodes in the system), the overhead introduced by PADS is manageable in resource-constrained environments, as showed by our simulations in Section 6; furthermore, in the same (static) setting as previous work, PADS shows comparable if not superior performance w.r.t. the state of the art. This makes PADS a good candidate for attestation in scenarios where other exact methods would fail, e.g., swarms of drones for surveillance. We stress that PADS for the first time enables swarm attestation in dynamic topologies of autonomous devices, while previous protocols works only on static networks. Therefore, by design, PADS trades scalability for adaptability and resiliency in dynamic scenarios.

Limitations. While PADS brings numerous advantages w.r.t. the state of the art, we are conscious that network dynamics is not network security’s friend, and we acknowledge that PADS is not perfect.

First, the final consensus is a representation of the status of the devices composing the network at the time the last attestation has been triggered by the device’s secure clock. Therefore, a device compromised after such timestamp can remain undetected666Note that, [22] uses pseudo-random generation of attestation times to tackle mobile attackers compromising a device and then re-establish a correct configuration between consecutive attestation runs.. Unfortunately, this is a well known limitation of most attestation protocols, commonly defined as “time of check to time of use” [29].

Finally PADS aligns with previous works that considered a software-only attacker [7, 22, 11], and thus a single physically compromised device is sufficient to reveal the secret shared among all other devices, enabling the attacker to inject completely fake attestation reports in the network. However, even in the simplest case, we argue that PADS shows some degree of resiliency with respect to previous works that made the same assumptions. Intuitively, this is provided by the combination of the following two properties of PADS: (a) in a generic setting, information is not processed along a tree; (b) data combination uses a minimum consensus approach. Property (a) suggests that there will be a certain degree of redundancy in the propagated information, which every (honest) device will receive from a non-constant neighborhood of (honest and malicious) devices; furthermore, will collect the final result from one or more random provers. In this case, the dynamic nature of the network topology is a friend of security. Consider for example the protocol in [7]: here, a single physically compromised device at a specific position in the spanning tree could “fake” the attestation report of a whole subtree of devices, even if the devices in the tree are only software compromised. In PADS, instead, in order to make sure a whole group of devices can evade detection, the attacker will have to physically compromise all of them (to be able to have access to the shared key, and craft a bitmask for each). Indeed, due to Property (b), it is unfeasible even for a powerful attacker with access to the shared secret, to change the value of a software-compromised device from to , if previously “propagated” in the network by honest provers as . This requires a much higher effort for the attacker compared to [7]. Physically compromised devices have been considered in [5] and [21]. However, as previously stated, both works are unsuitable for dynamic topologies; furthermore, [5] is quite costly in terms of required computation (see Section 6).