1 Introduction
Malicious code is a wellknown threat to computational devices that support a programmable memory. The threat can be mitigated by proactive mechanisms that detect and prevent the installation of malware, viruses, or other sort of malicious code. Independently of the success of such defenses, a number of devices cannot afford the implementation of antimalware software due to computational and operational constraints, e.g. Internet of Things (IoT) devices. Hence, lowcost pervasive devices rarely come with buildin proactive defenses against malicious code.
Memory attestation is a digital forensics technique used to detect whether a device has been compromised by verifying the integrity of its memory [30, 28]. Devices unable to successfully pass the memory attestation procedure are regarded as corrupt, and are immediately isolated from other devices. A less ambitious, yet often equally effective, technique is known as secure memory erasure, which eliminates malicious code that resides in memory by fully erasing the device’s memory. This is considered an important preliminary step prior the download and installation of legitimate software.
Memory erasure in itself can be a functional requirement in IoT applications where the ownership of devices may change. Erasing the device’s memory helps the previous owner to protect confidentiality of the information stored in the device, while it gives the current owner a proof of absence of malicious software. The latter feature is exploited by Perito and Tsudik [25], who argue that memory erasure is a form of memory attestation; both can guarantee the absence of malware.
The memory erasure problem can be easily accomplished by accessing the hardware directly, but such access is cost ineffective and not scalable [18]. This has opened the door to a number of communication protocols aiming at guaranteeing that a given device has actually erased its memory, without resorting on hardware manipulation. Memory erasure protocols, also known as Proofs of Secure Erasure (PoSE) protocols [25], allow a remote verifier to be convinced that a prover has purged all of its memory. This is typically achieved by first depleting the prover’s memory with random data, and after asking the prover to compute a function on the received data as a proof of erasure [18, 1].
We observe that both memory attestation and memory erasure protocols have been historically designed to operate under nonstandard adversarial models, such as the model by Francillon et al. [13], where compromised devices do not reveal their secrets, or the models used in [25, 12, 16], where verifier and prover communicate in isolation. Implementing those adversarial models is not costfree, though, as they typically rely on especial hardware to make cryptographic keys inaccessible to attackers [13] or jamming techniques that selectively block malicious communication [25].
Recent work [1] starts to advocate for memory erasure protocols capable of functioning in the presence of maninthemiddle attackers, arguing that selective jamming is ineffective [26]. We address such problem in this article, and make the following contributions.

We introduce the notion of distant attacker: a DolevYao adversary [11] restricted to a given distance threshold on their communication with honest protocol participants.

We restrict the security protocol semantics introduced by Basin et al. [5] and provide a formal definition for secure memory erasure within a symbolic security model. We prove that such restriction is necessary.

We provide a high level specification of a memory erasure protocol and prove it secure in the presence of distant attackers. To the best of our knowledge, our protocol is the first memory erasure protocol that can operate in an environment controlled by a DolevYao attacker.

Lastly, we perform a probabilistic analysis of the security and communication complexity tradeoff of the proposed protocol via an instantiation of the high level specification to a class of protocols known as lookupbased distancebounding protocols [22]. Protocols of this type have been neglected in literature as they suffer from a securitymemory tradeoff, i.e. security is proportional to memory demand. However, we obtain the rather surprising result that such a drawback becomes a positive feature in memory erasure protocols.
The remainder of this article is organized as follows. Section 2 briefly covers the literature on memory erasure and memory attestation protocols. Section 3 provides an informal introduction to the adversarial model and the definition of secure memory erasure used throughout the paper. Section 4 and Section 5 formalize those intuitions within a symbolic security model. Section 6 presents a highlevel specification of a memory erasure protocol that resists maninthemiddle attacks. Finally, Section 7 is devoted to the analysis of the security and communication complexity tradeoff commonly found in this type of protocols.
2 Background
There exists two categories of memory attestation and memory erasure techniques [13]. The first one relies on special and trusted hardware installed on a device. This technique has been regarded as expensive and unsuitable for lowcost IoT devices [31]. The other one is softwarebased, where few assumptions on the hardware capabilities of devices are made.
In a memory attestation procedure, a verifier is capable of reading part or the entire prover’s memory. If the reading is correct, the verifier can determine whether malicious code resides in the prover and take security measures accordingly. Obtaining a proof of correct reading is challenging, though. The device can be already infected, making it easy for malicious code to delude simple reading requests.
Various memory attestation techniques have been introduced in recent years. SWATT [30]
, for example, challenges the prover to traverse and compute a checksum of its memory based on a random total order of memory indexes. For that, the verifier uses a pseudorandom sequence with a secret seed revealed to the prover prior commence of the attestation procedure. SWATT assumes that, with high probability, a number of indexes will hit memory occupied by the malicious code. This forces the malicious code to make onthefly checksum computations, which is detected by measuring the delay in the prover’s responses. A similar technique is used by Pioneer
[29].Shaneck et al. argue that tight timingbased techniques can hardly be used for remote attestation [31]
. The reason is that the network and communication channel may introduce unforeseen delays, and that accurately estimating computational time in software execution is a challenge in itself. Hence, Shaneck et al. propose a scheme where the verifier sends an obfuscated and selfmodifying attestation code to the prover. The security of their scheme is based on the observation that performing static analysis on a
freshly generated code is notoriously difficult for an attacker.Secure memory erasure is less ambitious than memory attestation in terms of reading capabilities. Yet it can be equally effective when it comes to ensuring that a device contains no malicious code in memory. A common assumption in the literature on memory erasure is that the prover does not receive external help during the execution of the protocol. This is enforced in [25] by selective jamming of all, but the prover, nearby devices during the run of the protocol. Communication jamming has the sideeffect of preventing maninthemiddle attackers from interfering with the execution of the protocol, hence making security analysis simpler.
Improvements upon the protocol in [25] have mainly focused on computational complexity, e.g. [12, 16], keeping selective jamming as a key security measure. However, communication jamming has the drawback of not been fully effective [26], i.e. it can be bypassed. Moreover, it may be illegal in some standard wireless bands. It follows the question of whether secure memory erasure protocols that resists maninthemiddle attacks can be implemented.
To the best of our knowledge, SPEED [1] is the first memory erasure protocol that aims to resist maninthemiddle attacks. It implements a memory isolation technique, as in [34], to store securityrelevant functions and cryptographic keys. In this trusted portion of the device’s memory, SPEED implements a distance bounding protocol [8] with the goal of enforcing proximity between prover and verifier. The authors argue that proximity makes it difficult for an attacker to tamper with the protocol’s messages. However, the security of their protocol still rely on assumptions that are not considered in the distance bounding literature, such as the use of visual inspection to prevent impersonation.
No memory erasure protocol in literature has been proven secure within standard symbolic security models, such as the DolevYao model [11]. In contrast, security standards (e.g. ISO/IEC 9798 [6]) and major security protocols (e.g. TLS 1.3 [10]) have been analyzed, fixed and improved, by expressing their goals within symbolic security models and verifying their correctness with automated proving tools, such as ProVerif [7] and Tamarin [23]. This work addresses such gap.
3 Secure memory erasure in the presence of distant attackers
In this section, we introduce an informal security framework to analyze memory erasure protocols in the presence of maninthemiddle attackers. A formalization within a symbolic security model of the concepts introduced in this section will follow immediately after.
3.1 Secure memory erasure
Most proofs of secure erasure (PoSE) are based on the notion of memory filling, whereby a verifier requests a prover to full its memory with meaningless data, such as a random sequence. In this setting, Karvelas and Kiayias [18] consider a memory erasure protocol secure if the prover cannot maintain a portion of its memory intact. Perito and Tsudik’s definition is more finegrained, stating that secure erasure is achieved when prover and verifier agree on a memory variable [25]. We adopt in this article the latter.
Definition 1 (Secure memory erasure).
Let and be a verifier and prover, respectively. Let be a variable stored in ’s memory, and a variable stored in ’s memory. A protocol satisfies secure memory erasure if, for every successful execution of the protocol, there exists an execution step where and the size of is equal to ’s writable memory.
In the absence of a maninthemiddle attacker, most memory erasure protocols satisfy Definition 1. As discussed by Perito and Tsudik’s [25], even a simple protocol where the verifier sends a random nonce and expects to receive the same nonce back as a proof of erasure satisfies Definition 1 for a sufficiently large nonce. Therefore, it remains to introduce the adversarial model against which the security of this type of protocols can be assessed.
3.2 The adversarial model
In security models, adversaries are characterized in terms of their ability to compromise agents and manipulate network traffic. While various notions of agent compromise exist [9, 4], the adversary’s capabilities to interact with the network are, with few exceptions, still those introduced by Dolev and Yao in 1982 [11]. That is, an adversary with the ability to block, modify, and inject arbitrary messages in the network.
In memory erasure protocols, the prover may have malicious code running in memory. This allows a DolevYao attacker, also known as maninthemiddle attacker, to easily impersonate the prover, making any intention of interaction with the prover meaningless. That is the reason why memory erasure protocols have been traditionally designed to operate within a clean environment, where no attacker is able to manipulate the network. Such a clean environment has been traditionally enforced by radio jamming [25]. As illustrated in Figure 1, a maninthemiddle attacker can be frustrated by allowing the prover to complete the protocol while selectively jamming the attacker’s signal. Even if the adversary is within the jamming radius, he can neither interact with the prover nor with the verifier.
The idea of creating an area where a maninthemiddle attacker looses his capabilities was taken a step further by Ammar et al. [1]. They proposed the use of a distance bounding protocol [8] to ensure proximity between prover and verifier. Intuitively, if the interaction between prover and verifier is limited to a sufficiently small area, as in Figure 2, the attacker is thwarted from participating in the protocol execution. In a sense, Ammar et al. suggest that distance bounding protocols can be used as a primitive to weaken maninthemiddle adversaries and simplify the design and analysis of security protocols. We make this notion more precise next.
Definition 2 (Distant attacker).
Given a distance threshold , a distant attacker is a DolevYao attacker whose distance to the verifier is larger than or equal to .
Clearly, the larger the weaker a distant attacker is with respect to the standard DolevYao adversary. Nonetheless, we point out that assuming a distant attacker is reasonable in various applications where the protocol is executed in a controlled environment, such as a private room. The challenge is to design a memory erasure protocol that resists attacks from a distant attacker with .
Our goal next is to formalize the intuitions exhibited in this section and prove the following two propositions. First, under standard assumptions in symbolic security protocol verifications, no protocol can resist a distant attacker with . Second, for every , there exists a security protocol that can be proven secure in the presence of a distant attacker with distance threshold .
4 The Security Model
To formalize the notion of distant attacker, we need a model that supports reasoning about distance between protocol participants. A security model of this type has been introduced by Basin et al. [5], provided with a tracebased semantics for distributed systems describing all possible interleaved events that protocol principles can execute.
4.1 Messages, events and inference rules
Messages. A security protocol defines the way various protocol participants, called agents, exchange cryptographic messages. To model cryptographic messages, we use a term algebra where is a signature, a set of variables, and a set of constants. We consider agents’ names, denoted , and nonces, denoted , to be constants in our term algebra as well, i.e. . The set of nonces is assumed to be partitioned into . This is to ensure that two different agents cannot produce the same nonce. The set itself is also partitioned into (honest agents) and (dishonest agents). Finally, we assume that the signature contains the following function symbols:

denoting the pairing of two terms and . We will usually use as shorthand notation.

denoting the encryption of with the key . We will usually use as shorthand notation.

denoting the longterm shared symmetric secret key of two agents .
We use to denote the set of all terms obtained from the above term algebra.
It is worth remarking that we have intentionally omitted asymmetric encryption in our term algebra. The reason is that the protocols we analyze in this article make no use of public keys. That said, our results can be easily extended to a model that supports publickey encryption.
Events and traces. Agents can execute three types of events: i) send a message, ii) receive a message and iii) claim that a given security property holds. Hence we define the set of all possible events by the following grammar.
where is an agent’s name, a message, and a constant identifying a security property. We consider the auxiliary function , which provides the actor executing an event.
When constructing traces, each event is given a timestamp , representing the time at which the event has been executed. Therefore, a trace is a finite sequence of timestamped events . In this case, we say that has cardinality , denoted , and we use to denote the th element of , i.e. . The auxiliary function gives the largest timestamp in , while the function is extended to timestamped events in the straightforward way.
Inference. We formalize the way agents obtain and create knowledge by an inference relation . And, we use the shorthand notation to denote , indicating that agent can infer message from trace . We define the relation to be the least set that is closed under the inference rules in Figure 3. Each of these rules states that:

Rule I1: except other agent’s nonces, an agent can infer any constant, including its own set of nonces .

Rule I2: agents can infer their shared secret keys with other agents.

Rule I3: all function symbols in , but , can be used to infer arbitrary terms constructed over already inferable terms. The function symbol is reserved to be used only in rule I2.

Rule I4: a receive event allows agent to infer .

Rule I5: agents have the ability to unpair messages.

Rule I6: an encrypted message can be decrypted with the decryption key .
4.2 A security protocol semantics
Protocol specification. The following protocol specification assumes that agents remain in a static location during the protocol execution. This is a standard assumption in security models dealing with physical properties, such as [5, 27, 22]. An uninterpreted distance function is used to denote the distance between agents and .
A protocol is defined by a set of derivation rules, similar to the inference rules used above, specifying how execution traces make progress. Its semantics, denoted , is the least set closed under those rules. We now describe the type of rules we use to inductively define the set of traces of a protocol. The base case is modeled by the start rule (), which indicates that the empty trace is in for every protocol .
The other two rules, and , are used to model the network behavior and corruption capability of the adversary. The rule states that a message previously sent by can be received by any agent whose distance to is consistent with the physical relation between constant speed, distance, and time. That is to say, given the propagation speed of the communication channel, it must hold that a message sent by at time and received by at time satisfies .
Lastly, the rule allows the adversary to impersonate dishonest agents and send events on their behalf. Note that, unless otherwise specified, variables in derivation rules are universally quantified.
The rules , and , are part of every protocol specification, which are used to model trace initialization, network operation, and the behavior of dishonest agents. It remains to define the behavior of honest agents. Such behavior is defined by protocoldependent rules with the following constraints.

References to dishonest agents in either the premises or the conclusion of a protocol rule are not allowed. The reason is that the behavior of dishonest agents is fully specified by the rule.

All events in a rule ought to be executed by the same agent. That is, the logic of an agent’s behavior is independent from the specification of other agents. Hence agents interact exclusively through the rule.

Terms used in the conclusion of a protocol rule ought to be derivable from the premises by using the inference rules in Figure 3.
Example 1.
We use a simplified version of the memory erasure protocol introduced by Perito and Tsudik [25]. In the protocol, the verifier sends a challenge and the prover reflects it back to the verifier^{1}^{1}1This is a simplification of the original protocol [25] used for illustration purposes only. . Its specification is given in Figure 4, where rule V1 states that can choose any of its own nonces and send it through. For the sake of simplicity, we are assuming in protocol rules that nonces are fresh. Hence, when we use the premise we are also requiring that has not been used in the trace . Rule P1 indicates that, upon reception of a nonce , sends back. Finally, V2 is used by to claim that a given erasure property should hold after reception of the nonce . Further below we explain claim events in more detail.
Execution traces and security properties. An execution trace of a protocol is any trace inductively defined by the set of rules . For example, the protocol specification in Figure 4 gives the following trace via application of the , V1, , P1, and V2 rules, where and .
Finally, a security property is a firstorder logic statement on execution traces, which is said to be satisfied by a protocol if the property holds for all traces in . To account for the fact that a security property needs not be satisfied over the entire execution of a protocol, we are using claim events as placeholders to indicate those execution steps where a security property needs to be verified. This is, for example, the role of the claim event in the protocol specification in Figure 4. In this case, the verifier expects that, upon reception of the nonce , the prover has received the nonce .
5 An underapproximation of secure memory erasure
We consider traces where a verifier interacts with a prover to obtain a proof of secure erasure, with the restriction that any external help the prover can receive comes from attackers that are located at a distance from the verifier no lower than a given threshold . The following predicate is used to determine whether a trace satisfies such condition, with respect to a verifier and a prover .
where .
Secure memory erasure is defined below as a statement on traces satisfying the attacker separation property, rather than on the full protocol semantics. Intuitively, if at some step of an execution trace an agent believes that another agent has erased its memory by storing a (sufficiently large) message , then it must be the case that previously received or sent a message .
Definition 3 (Secure memory erasure).
Let be a protocol. The claim event is said to be correct in with respect to a distant attacker with distance threshold if,
Observe that the action of receiving or sending a message is considered a guarantee that an agent has or had in memory. This indeed resembles the standard notion of agreement [20] in security protocols. Moreover, the prover is allowed to be dishonest. This is less common in security properties expressed within a symbolic model, but a key assumption in the memory erasure scenario.
It is worth remarking that Definition 3 underapproximates the intuition given in Definition 1, as it neglects the size of the term . We make the assumption that the size of the term prover and verifier agree upon is known by the analyst, e.g. is a 1024bit nonce, and that such size is large enough to deplete the prover’s memory. This means that optimizations on the size of the memory required to store ought to be analyzed out of the introduced model, as we do further below in Section 7.
5.1 Analyzing a variant of SPEED
To illustrate how the proposed definition can be used, we analyze a variant of SPEED [1]. This choice is based on the fact that SPEED is, to the best of our knowledge, the first memory erasure protocol that measures the distance between prover and verifier, which is a property that can be exploited to prevent maninthemiddle attacks. We remark, nonetheless, that SPEED was thought to resist a definition of security weaker than that in Definition 3. Our analysis below serves for illustration purposes only and does not diminish the merits of the protocol.
The SPEED protocol, depicted in Figure 5, starts when the verifier sends the hash of a random bitsequence to the prover . Upon reception of the hash value, executes rounds of rapid bit exchanges, known as the fast phase [8], where the prover measures the roundtriptime of several bit exchange rounds with the verifier. At the th round of the fast phase, chooses a random bit and sends it to . Then immediately responds with . The roundtriptime of the bit exchange is calculated by upon receiving , allowing to verify that is below a given threshold. also computes the bitsequence where , and checks that . If both verification steps are passed successfully, erases its memory with a default value and sends a MAC computation on the protocol transcript and the internal memory of the prover.
We note that, because the original design of SPEED does not use cryptographic keys, it ought to rely on offline methods, such as visual inspection, to fight against impersonation attacks. Given that neither visual inspection nor any other type of offline method is considered by the security model introduced herein, we strength the protocol by assuming a MAC function that uses a shared secret key between prover and verifier.
The security analysis of SPEED given in [1] is based on the following four main assumptions. First, the prover does not execute sessions in parallel with verifiers. Second, the adversary cannot tamper with the securityrelevant functions of the prover. Third, the cryptographic primitives and sources of randomness used in the protocol are secure. And fourth, the roundtriptime calculations can be used by the prover to enforce proximity with the verifier [8]. We, nevertheless, can construct an attack trace that satisfies those assumptions and invalidates Definition 3.
The attack trace (depicted in Figure 6) consists of an adversary impersonating a prover, with the peculiarity that the prover is willingly contributing to the attack by revealing its cryptographic keys, i.e. the prover is dishonest. It starts when the verifier aims at erasing the memory of a prover , for which a random sequence of size is generated. sends the hash of to , which should be used later by to check proximity with . At this point, an adversary takes over the communication with and replies to by executing rounds of the fast phase, as established by the protocol. We assume the adversaryverifier communication occurs at an arbitrary distance , and that is voluntarily not taking part in the protocol execution. The adversary chooses to challenge the verifier with a sequence of zeros. At the end of the fast phase, replies with where is the default value the prover is expected to use to erase its memory. Such MAC value is correct, making incorrectly believe that has erased its memory by storing the value .
The presented attack is based on the simple observation that a dishonest prover can provide the adversary (i.e. another dishonest device) with the cryptographic material necessary to pass the memory erasure protocol. This means that a single rogue device can be used to bypass the memory erasure procedure of many compromised devices, that is, the attack scales easily. Moreover, this type of external help is not ruled out by the security model, because the adversary complies with the restriction of being far enough from the verifier.
5.2 Impossibility result towards secure memory erasure
Before presenting an alternative to SPEED, we deem important providing an impossibility result on the problem of finding a protocol that satisfies secure memory erasure when , as this proves the necessity of the restriction on the distance between the adversary and the verifier.
Theorem 1.
Let . Then for every protocol and trace ,
Proof.
Consider a trace such that it contains a claim event . We observe that can be constructed based on a partition of the set with . Hence we consider another dishonest agent such that and . That is, both and are in the same location and has not been active in . Then we construct the trace as follows, for every and every ,
Now, let be the minimum timestamp of an event in . We create the following trace,
The trace consists of revealing its secret key with , followed by learning the keys and . The remaining events in are those in respecting the original order. We will prove that . For that, we use to denote the subtrace with and to denote the empty trace . Then we prove via induction that for every and every ,
(1)  
(2) 
Base case . Notice that if , then either is a constant or , according to the derivation rules in Figure 3. The second event in allows to infer (Rule I4). And, if is a constant and not a nonce, then all agents can infer (Rule I1). Therefore, . Now, given that , it follows that is in .
Case 1: for some timestamp and term . In this case, by construction of the trace . As a result, it holds that , which proves (1) for by contrapositive. To prove that (2) holds for , we just need to notice that is appended to via application of the rule . Because all events, but those of , in are preserved in , and ’s events are now mimic by , rule can also be applied to append to , which gives .
Case 2: for every timestamp and term . In this case, it follows that . By hypothesis of induction we thus obtain that , which proves the induction step for (1). It remains to prove that (2) holds for , for which we analyze two more cases.

for some timestamp and term . The rule is used to append to , meaning that . By (1) we obtain that . Hence via application of the rule we obtain that .

The last case is , which occurs when . Because all events in , except those from , are preserved in , then .
We conclude that . Now, by construction, also satisfies that and that no and exist such that or . Given that , also holds. This yields the expected result. ∎
The main corollary of the theorem above is that no protocol can satisfy secure memory erasure with . This corresponds to the case where no restriction to a distant attacker is imposed. We thus conclude that restricting traces to a given separation between honest and dishonest agents is necessary towards the goal of finding a secure memory erasure protocol. We prove in the next section that such restriction is also sufficient.
6 A secure memory erasure protocol
In this section we introduce a memory erasure protocol that can be proven secure within the security model introduced in earlier sections. This is, to the best of our knowledge, the first memory erasure protocol that resists maninthemiddle attacks.
6.1 The protocol
We propose a protocol that aims at mutual authentication between prover and verifier. The need of authenticating the verifier is to prevent illegitimate erasure requests, while prover authentication is a necessary step towards obtaining a proof of erasure. In addition, the verifier measures the roundtriptime of a message exchange to obtain a bound on its distance to the prover. This is a distance bounding technique [8] that will prove useful to counteract distant attackers.
The protocol, depicted in Figure 7, starts when the prover sends a nonce . A verifier replies with a Message Authentication Code (MAC) on the nonce and a freshly generated nonce , which is used by to authenticate . As usual, the MAC function is computed using and ’s shared key . Right after, a timemeasurement phase commences, where starts a clock and sends a challenge to . Immediately after receiving the challenge, replies with , where is a hash function. Upon reception of the prover’s response, stops the clock and calculates the roundtriptime . Then checks that is correct and that , where is a protocol parameter denoting a maximum timedelay tolerance. If both verification steps succeed, claims that has erased its memory.
The reader may have noticed that the introduced memory erasure protocol does not use standard notation from the literature in distance bounding, where the timemeasurement phase is composed of various rounds of singlebit exchanges [8, 2]
. For the moment we require this high level of abstraction to come up with formal security proofs. Nonetheless, in Section
7 below we unfold the proposed protocol and describe it using standard cryptographic notation for distance bounding protocols.6.2 Security analysis
Figure 8 provides a formal specification of the protocol in the modeling language introduced earlier. That specification is used to enunciate the various results that come next. In the remainder of this section, we use to refer to the protocol defined by the protocol rules in Figure 8.
Lemma 2.
Let be a projection function on timestamped traces defined by , for every . Let . satisfies that
(3)  
Proof.
We use the security protocol verification tool Tamarin [23] to prove this lemma. The Tamarin specification of the protocol and lemma can be found at https://github.com/memoryerasuretamarin/code. Therefore, the correctness of this proof relies on the claim that the provided Tamarin implementation faithfully corresponds to the formalization provided herein. ∎
Lemma 2 states that either the prover (if the prover is honest) or a dishonest agent on behalf of the prover (if the prover is dishonest) will respond to the challenge sent by the verifier to calculate the roundtriptime.
Our main observation at this point is that the condition satisfied by the memory erasure claim event in Lemma 2 is stronger than the condition required to satisfy causalitybased secure distance bounding, as introduced in [21]. This allows us to prove the main theorem of this section.
Theorem 3.
Let be the time upper bound used in , a distance threshold of a distant attacker, and the transmission speed of the communication channel. If , then satisfies secure memory erasure.
Proof.
According to Definition 3, it is sufficient to prove that
Consider two agents, and with , and a trace such that . Consider now the projection of the trace . It follows that satisfies that with . This allows us to use Lemma 2 and conclude that there must exist such that , , and for some agent , which is either itself or dishonest. Mapping back those events onto the trace , we obtain that there exists timestamps such that , and .
By looking at the protocol rules (concretely V3) and the fact that is honest, it follows that and that . This means that , i.e. . On the one hand, because satisfies , we obtain that either or is honest. On the other hand, Lemma 2 gives that either or is dishonest. Given that cannot be honest and dishonest at the same time, we conclude that . As a result, , which concludes the proof. ∎
Theorem 3 proves that the proposed memory erasure protocol (depicted in Figure 8) resists maninthemiddle attacks from a distant attacker with distance threshold . That is, the protocol does not contain logical flaws with respect to the mathematical model and properties introduced in this article.
The next and last section of this article is dedicated to analysing attacks that are not regarded as maninthemiddling in the traditional sense; hence not captured by the security model. We refer to probabilistic attacks that aim to bypass the protocol without fully storing the term in memory. Of course, this requires switching from symbolic analysis to probabilistic analysis.
7 A protocol based on cyclic tree automata
The goal of this section is to instantiate the high level specification of the introduced protocol into a concrete class of protocols that can be used to analyze the security and communication complexity tradeoff commonly present in memory attestation and memory erasure protocols [31, 18, 25, 12, 16].
7.1 Lookupbased memory erasure protocols
The instantiation we propose is largely inspired by the design of lookupbased distance bounding protocols [15, 3, 14, 17, 19, 22, 24, 32], and we will use the automatabased representation introduced by Mauw et al. [22] to describe them. The main feature of this type of protocols is that, in order to obtain tight values on the roundtriptime calculation, they use simple lookup operations during the timemeasurement phase.
An automaton, i.e. a statelabeled Deterministic Finite Automaton (DFA), is of the form , where is a set of input symbols, is a set of output symbols, is a set of states, is the initial state, is a transition function, and is a labeling function.
Example 2 (Cyclic tree automata.).
As a running example, we consider a concrete type of automaton , called cyclic tree automaton, that resembles the tree structure used in [3]. Cyclic tree automata (see Figure 9) are characterized by a depth , which determines the number of states in to be equal to . The input and output symbol sets are binary, i.e. , and the transition function is defined in two steps. First, given the set of states , and , for every . The remaining states connect back to and as follows, and , for every .
In a lookupbased protocol, prover and verifier move through a given automaton in a synchronous way by feeding the transition function with a sequence of challenges sent by the verifier; starting from the initial state. For example, in Figure 9, if the verifier sends challenges , and , then both prover and verifier are meant to follow the path . Each of those transitions are regarded as a lookup operation, because the prover’s responses are determined by the labels of the states in the path. Taking back our running example, the prover’s response to challenge is , to a second challenge is , and to a third challenge is .
The formalization of the provertoverifier interaction described above is as follows. Given an automaton and a current state , a lookup operation is regarded as a transition to a new state where is a verifier’s challenge. The corresponding response for such challenge is the output symbol attached to the new state , i.e., . We use to denote the state reached by the sequence of input symbols . Formally, if , otherwise . Similarly, is used to denote the output symbol assigned to the state reached by the sequence . Finally, the sequence of output symbols resulting from the input sequence in an automaton is denoted .
Figure 10 depicts our class of lookupbased memory erasure protocols. It consists of three phases. An initial phase where verifier and prover agree on an automaton , such as a cyclic tree automaton. In this phase, the prover authenticates the verifier to prevent unauthorized readers from erasing its memory. After the initial phase, the fast phase starts, consisting of a series of rapid bit exchanges where the prover is challenged to traverse the automaton generated during the initialization phase. In the final phase the verifier takes a decision based on the roundtriptimes values and the prover’s responses obtained during the fast phase. Details on each phase is given next.
Initial phase. As in the highlevel specification depicted in Figure 7, the first two messages of the protocol are used by the prover to authenticate the verifier before executing the remainder of the protocol, i.e. before erasing its memory. If this authentication step is successful, both prover and verifier build an automaton based on the output of a pseudo random function seeded with the triple . Detail on how such automaton can be built based on the output of a pseudorandom function can be found in [3] and [22]. Here we abstract away from those details and consider the output of the initial phase to be a randomly chosen automaton from a set of automata. Formally, let be the universe of automata with input and output symbol set and , respectively. Given a lookupbased memory erasure protocol , we use to denote all possible automata that can result from the initial phase in .
Fast phase. The fast phase of the protocol starts right after agreeing on a random automaton from . It consists of the following rounds. For to , the verifier picks a random bit and sends it to the prover. Upon reception of , the prover applies the transition function and returns the label of the state , with being the initial state of the automaton. The verifier stops the timer immediately after receiving the prover’s response and calculates the roundtriptime .
Final phase. At the end of the fast phase the verifier checks that all roundtriptimes are below the predefined time threshold . The verifier also checks that all responses are correct by traversing the automaton with its own challenges . If either of those verification steps fails, the verifier considers the protocol unsuccessful.
Our main claim here is that the protocol in Figure 7 is an accurate abstraction of the lookupbased memory erasure protocol in Figure 10, provided that guessing the automaton used during an honest provertoverifier execution is unfeasible for an attacker. Although this does not necessarily prevent probabilistic attacks, as we show next, it asserts that lookupbased memory erasure protocols contain no logical flaws. That is to say, the introduced lookupbased memory erasure protocol resists maninthemiddle attackers as defined in Sections 4 and 5.
7.2 Security and communication complexity tradeoff
The security and communication complexity tradeoff stems from the fact that the portion of the prover’s memory that can be attested is proportional to the communication complexity of the protocol [31, 18, 25, 12, 16]. In lookupbased memory erasure protocols, we define communication complexity as the number of rounds used during the fast phase, and memory to be attested as the size of the automaton agreed upon during the initial phase.
We consider an implementationindependent notion of size for automata, which corresponds to the number of states of an automaton. Formally, given we consider the function defined by .
In an honest session between prover and verifier, the outcome of the initial phase is an automaton randomly chosen from the set . In this case, the memory required on the prover’s side to execute the protocol is at least the size of the automaton agreed upon with the verifier. However, a fraudulent prover may use a smaller automaton with the intention of successfully passing the memory erasure protocol without fully erasing its memory.
Definition 4 (Fraudulent prover).
Given a protocol , a fraudulent prover is defined by a function such that for every , .
The probability of success of a fraudulent prover is calculated by, given a random automaton and random sequence ,
The space saving of a fraudulent prover is given by the formula,
Maximizing both probability of success and space saving is unattainable. The smallest automaton a fraudulent prover can use consists of a single state with two selftransitions, one with and another with . But, in this case its probability of success becomes , where is the number of rounds during the fast phase. Thus fraudulent provers will aim at striking a good tradeoff between probability of success and space savings.
In general, we are interested on an optimal fraudulent prover that achieves the maximum probability of success restricted to a given size for the automata. This might be achieved by using automata minimization techniques, such as [33], where subautomata that repeats often are assigned a single state. Although this is a promising research direction, we focus in this article on a simpler fraudulent strategy that consists of ignoring portions of the automaton in order to meet a given memory requirement. The problem of determining and analyzing optimal fraudulent provers is thus left for future work.
7.3 Analysis of a protocol based on cyclic tree automata
We deliver a concrete tradeoff analysis by considering a lookupbased memory erasure protocol that only utilizes cyclic tree automata of a given depth, called treebased memory erasure protocol. That is, given the universe of cyclic tree automata with depth , denoted , we define the treebased memory erasure protocol to be a lookupbased protocol with . We also consider that a fraudulent prover can remove a subtree from a cyclic tree automaton, with the idea of leaving room to the malicious software to persist in memory. Formally, given a cyclic tree automaton of depth , denoted , the fraudulent prover chooses a state and disconnects it from the tree as follows. For every such that with , is set to be equal to . The resulting set of disconnected states is inductively defined by and . States in are consequently removed from . We use to denote the resulting automaton.
Theorem 4.
Let be a depth value and the universe of cyclic tree automata with state set . Given a state with , let be a fraudulent prover defined by for every . If for some positive integer , then for a random automaton and random sequence ,
Proof.
Let . We use to denote the distance of a shortest path between states and in the automaton . Let and be the sequence of input symbols such that .
Assume . If , then given that no state in that has been removed in is used. Otherwise, If , with probability , given that and are randomly chosen. Because the probability of is equal to , we obtain an overall probability of
For the general case where , we notice that, by construction of the cyclic tree automaton, the following property holds,
The same property holds for the modified automaton . Therefore,
Comments
There are no comments yet.