Secure Memory Erasure in the Presence of Man-in-the-Middle Attackers

05/31/2019
by   Rolando Trujillo-Rasua, et al.
Deakin University
0

Memory erasure protocols serve to clean up a device's memory before the installation of new software. Although this task can be accomplished by direct hardware manipulation, remote software-based memory erasure protocols have emerged as a more efficient and cost-effective alternative. Existing remote memory erasure protocols, however, still rely on non-standard adversarial models to operate correctly, thereby requiring additional hardware to restrict the adversary's capabilities. In this work, we provide a formal definition of secure memory erasure within a symbolic security model that utilizes the standard Dolev-Yao adversary. Our main result consists of a restriction on the Dolev-Yao adversary that we prove necessary and sufficient to solve the problem of finding a protocol that satisfies secure memory erasure. We also provide a description of the resulting protocol using standard cryptographic notation, which we use to analyze the security and communication complexity trade-off commonly present in this type of protocols.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

06/08/2020

Client-Server Identification Protocols with Quantum PUF

Recently, major progress has been made towards the realisation of the qu...
06/09/2020

Improving the Security of "Measurement-Device-Independent Quantum Communication without Encryption"

Recently in 2018, Niu et al. proposed a measurement-device-independent q...
05/06/2021

Remote Attestation: A Literature Review

With the rising number of IoT devices, the security of such devices beco...
08/30/2018

On the Composability of Statistically Secure Random Oblivious Transfer

We show that stand-alone statistically secure random oblivious transfer ...
07/01/2020

Dispelling Myths on Superposition Attacks: Formal Security Model and Attack Analyses

It is of folkloric belief that the security of classical cryptographic p...
11/29/2017

UC Secure Issuer-Free Adaptive Oblivious Transfer with Hidden Access Policy

Privacy is a major concern in designing any cryptographic primitive when...
03/08/2021

Multiparty Protocol that Usually Shuffles

Multiparty computation is raising importance because it's primary object...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Malicious code is a well-known threat to computational devices that support a programmable memory. The threat can be mitigated by pro-active mechanisms that detect and prevent the installation of malware, viruses, or other sort of malicious code. Independently of the success of such defenses, a number of devices cannot afford the implementation of anti-malware software due to computational and operational constraints, e.g. Internet of Things (IoT) devices. Hence, low-cost pervasive devices rarely come with build-in pro-active defenses against malicious code.

Memory attestation is a digital forensics technique used to detect whether a device has been compromised by verifying the integrity of its memory [30, 28]. Devices unable to successfully pass the memory attestation procedure are regarded as corrupt, and are immediately isolated from other devices. A less ambitious, yet often equally effective, technique is known as secure memory erasure, which eliminates malicious code that resides in memory by fully erasing the device’s memory. This is considered an important preliminary step prior the download and installation of legitimate software.

Memory erasure in itself can be a functional requirement in IoT applications where the ownership of devices may change. Erasing the device’s memory helps the previous owner to protect confidentiality of the information stored in the device, while it gives the current owner a proof of absence of malicious software. The latter feature is exploited by Perito and Tsudik [25], who argue that memory erasure is a form of memory attestation; both can guarantee the absence of malware.

The memory erasure problem can be easily accomplished by accessing the hardware directly, but such access is cost ineffective and not scalable [18]. This has opened the door to a number of communication protocols aiming at guaranteeing that a given device has actually erased its memory, without resorting on hardware manipulation. Memory erasure protocols, also known as Proofs of Secure Erasure (PoSE) protocols [25], allow a remote verifier to be convinced that a prover has purged all of its memory. This is typically achieved by first depleting the prover’s memory with random data, and after asking the prover to compute a function on the received data as a proof of erasure [18, 1].

We observe that both memory attestation and memory erasure protocols have been historically designed to operate under non-standard adversarial models, such as the model by Francillon et al. [13], where compromised devices do not reveal their secrets, or the models used in [25, 12, 16], where verifier and prover communicate in isolation. Implementing those adversarial models is not cost-free, though, as they typically rely on especial hardware to make cryptographic keys inaccessible to attackers [13] or jamming techniques that selectively block malicious communication [25].

Recent work [1] starts to advocate for memory erasure protocols capable of functioning in the presence of man-in-the-middle attackers, arguing that selective jamming is ineffective [26]. We address such problem in this article, and make the following contributions.

  • We introduce the notion of distant attacker: a Dolev-Yao adversary [11] restricted to a given distance threshold on their communication with honest protocol participants.

  • We restrict the security protocol semantics introduced by Basin et al. [5] and provide a formal definition for secure memory erasure within a symbolic security model. We prove that such restriction is necessary.

  • We provide a high level specification of a memory erasure protocol and prove it secure in the presence of distant attackers. To the best of our knowledge, our protocol is the first memory erasure protocol that can operate in an environment controlled by a Dolev-Yao attacker.

  • Lastly, we perform a probabilistic analysis of the security and communication complexity trade-off of the proposed protocol via an instantiation of the high level specification to a class of protocols known as lookup-based distance-bounding protocols [22]. Protocols of this type have been neglected in literature as they suffer from a security-memory trade-off, i.e. security is proportional to memory demand. However, we obtain the rather surprising result that such a drawback becomes a positive feature in memory erasure protocols.

The remainder of this article is organized as follows. Section 2 briefly covers the literature on memory erasure and memory attestation protocols. Section 3 provides an informal introduction to the adversarial model and the definition of secure memory erasure used throughout the paper. Section 4 and Section 5 formalize those intuitions within a symbolic security model. Section 6 presents a high-level specification of a memory erasure protocol that resists man-in-the-middle attacks. Finally, Section 7 is devoted to the analysis of the security and communication complexity trade-off commonly found in this type of protocols.

2 Background

There exists two categories of memory attestation and memory erasure techniques [13]. The first one relies on special and trusted hardware installed on a device. This technique has been regarded as expensive and unsuitable for low-cost IoT devices [31]. The other one is software-based, where few assumptions on the hardware capabilities of devices are made.

In a memory attestation procedure, a verifier is capable of reading part or the entire prover’s memory. If the reading is correct, the verifier can determine whether malicious code resides in the prover and take security measures accordingly. Obtaining a proof of correct reading is challenging, though. The device can be already infected, making it easy for malicious code to delude simple reading requests.

Various memory attestation techniques have been introduced in recent years. SWATT [30]

, for example, challenges the prover to traverse and compute a checksum of its memory based on a random total order of memory indexes. For that, the verifier uses a pseudo-random sequence with a secret seed revealed to the prover prior commence of the attestation procedure. SWATT assumes that, with high probability, a number of indexes will hit memory occupied by the malicious code. This forces the malicious code to make on-the-fly checksum computations, which is detected by measuring the delay in the prover’s responses. A similar technique is used by Pioneer 

[29].

Shaneck et al. argue that tight timing-based techniques can hardly be used for remote attestation [31]

. The reason is that the network and communication channel may introduce unforeseen delays, and that accurately estimating computational time in software execution is a challenge in itself. Hence, Shaneck et al. propose a scheme where the verifier sends an obfuscated and self-modifying attestation code to the prover. The security of their scheme is based on the observation that performing static analysis on a

freshly generated code is notoriously difficult for an attacker.

Secure memory erasure is less ambitious than memory attestation in terms of reading capabilities. Yet it can be equally effective when it comes to ensuring that a device contains no malicious code in memory. A common assumption in the literature on memory erasure is that the prover does not receive external help during the execution of the protocol. This is enforced in [25] by selective jamming of all, but the prover, nearby devices during the run of the protocol. Communication jamming has the side-effect of preventing man-in-the-middle attackers from interfering with the execution of the protocol, hence making security analysis simpler.

Improvements upon the protocol in [25] have mainly focused on computational complexity, e.g. [12, 16], keeping selective jamming as a key security measure. However, communication jamming has the drawback of not been fully effective [26], i.e. it can be bypassed. Moreover, it may be illegal in some standard wireless bands. It follows the question of whether secure memory erasure protocols that resists man-in-the-middle attacks can be implemented.

To the best of our knowledge, SPEED [1] is the first memory erasure protocol that aims to resist man-in-the-middle attacks. It implements a memory isolation technique, as in [34], to store security-relevant functions and cryptographic keys. In this trusted portion of the device’s memory, SPEED implements a distance bounding protocol [8] with the goal of enforcing proximity between prover and verifier. The authors argue that proximity makes it difficult for an attacker to tamper with the protocol’s messages. However, the security of their protocol still rely on assumptions that are not considered in the distance bounding literature, such as the use of visual inspection to prevent impersonation.

No memory erasure protocol in literature has been proven secure within standard symbolic security models, such as the Dolev-Yao model [11]. In contrast, security standards (e.g. ISO/IEC 9798 [6]) and major security protocols (e.g. TLS 1.3 [10]) have been analyzed, fixed and improved, by expressing their goals within symbolic security models and verifying their correctness with automated proving tools, such as ProVerif [7] and Tamarin [23]. This work addresses such gap.

3 Secure memory erasure in the presence of distant attackers

In this section, we introduce an informal security framework to analyze memory erasure protocols in the presence of man-in-the-middle attackers. A formalization within a symbolic security model of the concepts introduced in this section will follow immediately after.

3.1 Secure memory erasure

Most proofs of secure erasure (PoSE) are based on the notion of memory filling, whereby a verifier requests a prover to full its memory with meaningless data, such as a random sequence. In this setting, Karvelas and Kiayias [18] consider a memory erasure protocol secure if the prover cannot maintain a portion of its memory intact. Perito and Tsudik’s definition is more fine-grained, stating that secure erasure is achieved when prover and verifier agree on a memory variable [25]. We adopt in this article the latter.

Definition 1 (Secure memory erasure).

Let and be a verifier and prover, respectively. Let be a variable stored in ’s memory, and a variable stored in ’s memory. A protocol satisfies secure memory erasure if, for every successful execution of the protocol, there exists an execution step where and the size of is equal to ’s writable memory.

In the absence of a man-in-the-middle attacker, most memory erasure protocols satisfy Definition 1. As discussed by Perito and Tsudik’s [25], even a simple protocol where the verifier sends a random nonce and expects to receive the same nonce back as a proof of erasure satisfies Definition 1 for a sufficiently large nonce. Therefore, it remains to introduce the adversarial model against which the security of this type of protocols can be assessed.

3.2 The adversarial model

In security models, adversaries are characterized in terms of their ability to compromise agents and manipulate network traffic. While various notions of agent compromise exist [9, 4], the adversary’s capabilities to interact with the network are, with few exceptions, still those introduced by Dolev and Yao in 1982 [11]. That is, an adversary with the ability to block, modify, and inject arbitrary messages in the network.

In memory erasure protocols, the prover may have malicious code running in memory. This allows a Dolev-Yao attacker, also known as man-in-the-middle attacker, to easily impersonate the prover, making any intention of interaction with the prover meaningless. That is the reason why memory erasure protocols have been traditionally designed to operate within a clean environment, where no attacker is able to manipulate the network. Such a clean environment has been traditionally enforced by radio jamming [25]. As illustrated in Figure 1, a man-in-the-middle attacker can be frustrated by allowing the prover to complete the protocol while selectively jamming the attacker’s signal. Even if the adversary is within the jamming radius, he can neither interact with the prover nor with the verifier.

Figure 1: Preventing man-in-the-middle attacks via jamming.

The idea of creating an area where a man-in-the-middle attacker looses his capabilities was taken a step further by Ammar et al. [1]. They proposed the use of a distance bounding protocol [8] to ensure proximity between prover and verifier. Intuitively, if the interaction between prover and verifier is limited to a sufficiently small area, as in Figure 2, the attacker is thwarted from participating in the protocol execution. In a sense, Ammar et al. suggest that distance bounding protocols can be used as a primitive to weaken man-in-the-middle adversaries and simplify the design and analysis of security protocols. We make this notion more precise next.

Figure 2: Preventing attacks from distant attackers.
Definition 2 (Distant attacker).

Given a distance threshold , a distant attacker is a Dolev-Yao attacker whose distance to the verifier is larger than or equal to .

Clearly, the larger the weaker a distant attacker is with respect to the standard Dolev-Yao adversary. Nonetheless, we point out that assuming a distant attacker is reasonable in various applications where the protocol is executed in a controlled environment, such as a private room. The challenge is to design a memory erasure protocol that resists attacks from a distant attacker with .

Our goal next is to formalize the intuitions exhibited in this section and prove the following two propositions. First, under standard assumptions in symbolic security protocol verifications, no protocol can resist a distant attacker with . Second, for every , there exists a security protocol that can be proven secure in the presence of a distant attacker with distance threshold .

4 The Security Model

To formalize the notion of distant attacker, we need a model that supports reasoning about distance between protocol participants. A security model of this type has been introduced by Basin et al. [5], provided with a trace-based semantics for distributed systems describing all possible interleaved events that protocol principles can execute.

4.1 Messages, events and inference rules

Messages. A security protocol defines the way various protocol participants, called agents, exchange cryptographic messages. To model cryptographic messages, we use a term algebra where is a signature, a set of variables, and a set of constants. We consider agents’ names, denoted , and nonces, denoted , to be constants in our term algebra as well, i.e. . The set of nonces is assumed to be partitioned into . This is to ensure that two different agents cannot produce the same nonce. The set itself is also partitioned into (honest agents) and (dishonest agents). Finally, we assume that the signature contains the following function symbols:

  • denoting the pairing of two terms and . We will usually use as shorthand notation.

  • denoting the encryption of with the key . We will usually use as shorthand notation.

  • denoting the long-term shared symmetric secret key of two agents .

We use to denote the set of all terms obtained from the above term algebra.

It is worth remarking that we have intentionally omitted asymmetric encryption in our term algebra. The reason is that the protocols we analyze in this article make no use of public keys. That said, our results can be easily extended to a model that supports public-key encryption.

Events and traces. Agents can execute three types of events: i) send a message, ii) receive a message and iii) claim that a given security property holds. Hence we define the set of all possible events by the following grammar.

where is an agent’s name, a message, and a constant identifying a security property. We consider the auxiliary function , which provides the actor executing an event.

When constructing traces, each event is given a time-stamp , representing the time at which the event has been executed. Therefore, a trace is a finite sequence of time-stamped events . In this case, we say that has cardinality , denoted , and we use to denote the th element of , i.e. . The auxiliary function gives the largest time-stamp in , while the function is extended to time-stamped events in the straightforward way.

Inference. We formalize the way agents obtain and create knowledge by an inference relation . And, we use the shorthand notation to denote , indicating that agent can infer message from trace . We define the relation to be the least set that is closed under the inference rules in Figure 3. Each of these rules states that:

  • Rule I1: except other agent’s nonces, an agent can infer any constant, including its own set of nonces .

  • Rule I2: agents can infer their shared secret keys with other agents.

  • Rule I3: all function symbols in , but , can be used to infer arbitrary terms constructed over already inferable terms. The function symbol is reserved to be used only in rule I2.

  • Rule I4: a receive event allows agent to infer .

  • Rule I5: agents have the ability to unpair messages.

  • Rule I6: an encrypted message can be decrypted with the decryption key .

Figure 3: Inference rules

4.2 A security protocol semantics

Protocol specification. The following protocol specification assumes that agents remain in a static location during the protocol execution. This is a standard assumption in security models dealing with physical properties, such as [5, 27, 22]. An uninterpreted distance function is used to denote the distance between agents and .

A protocol is defined by a set of derivation rules, similar to the inference rules used above, specifying how execution traces make progress. Its semantics, denoted , is the least set closed under those rules. We now describe the type of rules we use to inductively define the set of traces of a protocol. The base case is modeled by the start rule (), which indicates that the empty trace is in for every protocol .

The other two rules, and , are used to model the network behavior and corruption capability of the adversary. The rule states that a message previously sent by can be received by any agent whose distance to is consistent with the physical relation between constant speed, distance, and time. That is to say, given the propagation speed of the communication channel, it must hold that a message sent by at time and received by at time satisfies .

Lastly, the rule allows the adversary to impersonate dishonest agents and send events on their behalf. Note that, unless otherwise specified, variables in derivation rules are universally quantified.

The rules , and , are part of every protocol specification, which are used to model trace initialization, network operation, and the behavior of dishonest agents. It remains to define the behavior of honest agents. Such behavior is defined by protocol-dependent rules with the following constraints.

  • References to dishonest agents in either the premises or the conclusion of a protocol rule are not allowed. The reason is that the behavior of dishonest agents is fully specified by the rule.

  • All events in a rule ought to be executed by the same agent. That is, the logic of an agent’s behavior is independent from the specification of other agents. Hence agents interact exclusively through the rule.

  • Terms used in the conclusion of a protocol rule ought to be derivable from the premises by using the inference rules in Figure 3.

Example 1.

We use a simplified version of the memory erasure protocol introduced by Perito and Tsudik [25]. In the protocol, the verifier sends a challenge and the prover reflects it back to the verifier111This is a simplification of the original protocol [25] used for illustration purposes only. . Its specification is given in Figure 4, where rule V1 states that can choose any of its own nonces and send it through. For the sake of simplicity, we are assuming in protocol rules that nonces are fresh. Hence, when we use the premise we are also requiring that has not been used in the trace . Rule P1 indicates that, upon reception of a nonce , sends back. Finally, V2 is used by to claim that a given erasure property should hold after reception of the nonce . Further below we explain claim events in more detail.

Figure 4: Specification of Perito and Tsudik’s protocol.

Execution traces and security properties. An execution trace of a protocol is any trace inductively defined by the set of rules . For example, the protocol specification in Figure 4 gives the following trace via application of the , V1, , P1, and V2 rules, where and .

Finally, a security property is a first-order logic statement on execution traces, which is said to be satisfied by a protocol if the property holds for all traces in . To account for the fact that a security property needs not be satisfied over the entire execution of a protocol, we are using claim events as placeholders to indicate those execution steps where a security property needs to be verified. This is, for example, the role of the claim event in the protocol specification in Figure 4. In this case, the verifier expects that, upon reception of the nonce , the prover has received the nonce .

5 An underapproximation of secure memory erasure

We consider traces where a verifier interacts with a prover to obtain a proof of secure erasure, with the restriction that any external help the prover can receive comes from attackers that are located at a distance from the verifier no lower than a given threshold . The following predicate is used to determine whether a trace satisfies such condition, with respect to a verifier and a prover .

where .

Secure memory erasure is defined below as a statement on traces satisfying the attacker separation property, rather than on the full protocol semantics. Intuitively, if at some step of an execution trace an agent believes that another agent has erased its memory by storing a (sufficiently large) message , then it must be the case that previously received or sent a message .

Definition 3 (Secure memory erasure).

Let be a protocol. The claim event is said to be correct in with respect to a distant attacker with distance threshold if,

Observe that the action of receiving or sending a message is considered a guarantee that an agent has or had in memory. This indeed resembles the standard notion of agreement  [20] in security protocols. Moreover, the prover is allowed to be dishonest. This is less common in security properties expressed within a symbolic model, but a key assumption in the memory erasure scenario.

It is worth remarking that Definition 3 underapproximates the intuition given in Definition 1, as it neglects the size of the term . We make the assumption that the size of the term prover and verifier agree upon is known by the analyst, e.g. is a 1024-bit nonce, and that such size is large enough to deplete the prover’s memory. This means that optimizations on the size of the memory required to store ought to be analyzed out of the introduced model, as we do further below in Section 7.

5.1 Analyzing a variant of SPEED

To illustrate how the proposed definition can be used, we analyze a variant of SPEED [1]. This choice is based on the fact that SPEED is, to the best of our knowledge, the first memory erasure protocol that measures the distance between prover and verifier, which is a property that can be exploited to prevent man-in-the-middle attacks. We remark, nonetheless, that SPEED was thought to resist a definition of security weaker than that in Definition 3. Our analysis below serves for illustration purposes only and does not diminish the merits of the protocol.

The SPEED protocol, depicted in Figure 5, starts when the verifier sends the hash of a random bit-sequence to the prover . Upon reception of the hash value, executes rounds of rapid bit exchanges, known as the fast phase [8], where the prover measures the round-trip-time of several bit exchange rounds with the verifier. At the th round of the fast phase, chooses a random bit and sends it to . Then immediately responds with . The round-trip-time of the bit exchange is calculated by upon receiving , allowing to verify that is below a given threshold. also computes the bit-sequence where , and checks that . If both verification steps are passed successfully, erases its memory with a default value and sends a MAC computation on the protocol transcript and the internal memory of the prover.

Figure 5: The SPEED protocol with shared keys.

We note that, because the original design of SPEED does not use cryptographic keys, it ought to rely on offline methods, such as visual inspection, to fight against impersonation attacks. Given that neither visual inspection nor any other type of offline method is considered by the security model introduced herein, we strength the protocol by assuming a MAC function that uses a shared secret key between prover and verifier.

The security analysis of SPEED given in [1] is based on the following four main assumptions. First, the prover does not execute sessions in parallel with verifiers. Second, the adversary cannot tamper with the security-relevant functions of the prover. Third, the cryptographic primitives and sources of randomness used in the protocol are secure. And fourth, the round-trip-time calculations can be used by the prover to enforce proximity with the verifier [8]. We, nevertheless, can construct an attack trace that satisfies those assumptions and invalidates Definition 3.

The attack trace (depicted in Figure 6) consists of an adversary impersonating a prover, with the peculiarity that the prover is willingly contributing to the attack by revealing its cryptographic keys, i.e. the prover is dishonest. It starts when the verifier aims at erasing the memory of a prover , for which a random sequence of size is generated. sends the hash of to , which should be used later by to check proximity with . At this point, an adversary takes over the communication with and replies to by executing rounds of the fast phase, as established by the protocol. We assume the adversary-verifier communication occurs at an arbitrary distance , and that is voluntarily not taking part in the protocol execution. The adversary chooses to challenge the verifier with a sequence of zeros. At the end of the fast phase, replies with where is the default value the prover is expected to use to erase its memory. Such MAC value is correct, making incorrectly believe that has erased its memory by storing the value .

The presented attack is based on the simple observation that a dishonest prover can provide the adversary (i.e. another dishonest device) with the cryptographic material necessary to pass the memory erasure protocol. This means that a single rogue device can be used to bypass the memory erasure procedure of many compromised devices, that is, the attack scales easily. Moreover, this type of external help is not ruled out by the security model, because the adversary complies with the restriction of being far enough from the verifier.

Figure 6: Attack on SPEED with shared keys.

5.2 Impossibility result towards secure memory erasure

Before presenting an alternative to SPEED, we deem important providing an impossibility result on the problem of finding a protocol that satisfies secure memory erasure when , as this proves the necessity of the restriction on the distance between the adversary and the verifier.

Theorem 1.

Let . Then for every protocol and trace ,

Proof.

Consider a trace such that it contains a claim event . We observe that can be constructed based on a partition of the set with . Hence we consider another dishonest agent such that and . That is, both and are in the same location and has not been active in . Then we construct the trace as follows, for every and every ,

Now, let be the minimum time-stamp of an event in . We create the following trace,

The trace consists of revealing its secret key with , followed by learning the keys and . The remaining events in are those in respecting the original order. We will prove that . For that, we use to denote the sub-trace with and to denote the empty trace . Then we prove via induction that for every and every ,

(1)
(2)

Base case . Notice that if , then either is a constant or , according to the derivation rules in Figure 3. The second event in allows to infer (Rule I4). And, if is a constant and not a nonce, then all agents can infer (Rule I1). Therefore, . Now, given that , it follows that is in .

Inductive step. We now assume that (1) and (2) hold for every with . We analyze two cases.

Case 1: for some time-stamp and term . In this case, by construction of the trace . As a result, it holds that , which proves (1) for by contrapositive. To prove that (2) holds for , we just need to notice that is appended to via application of the rule . Because all events, but those of , in are preserved in , and ’s events are now mimic by , rule can also be applied to append to , which gives .

Case 2: for every time-stamp and term . In this case, it follows that . By hypothesis of induction we thus obtain that , which proves the induction step for (1). It remains to prove that (2) holds for , for which we analyze two more cases.

  • for some time-stamp and term . The rule is used to append to , meaning that . By (1) we obtain that . Hence via application of the rule we obtain that .

  • The last case is , which occurs when . Because all events in , except those from , are preserved in , then .

We conclude that . Now, by construction, also satisfies that and that no and exist such that or . Given that , also holds. This yields the expected result. ∎

The main corollary of the theorem above is that no protocol can satisfy secure memory erasure with . This corresponds to the case where no restriction to a distant attacker is imposed. We thus conclude that restricting traces to a given separation between honest and dishonest agents is necessary towards the goal of finding a secure memory erasure protocol. We prove in the next section that such restriction is also sufficient.

6 A secure memory erasure protocol

In this section we introduce a memory erasure protocol that can be proven secure within the security model introduced in earlier sections. This is, to the best of our knowledge, the first memory erasure protocol that resists man-in-the-middle attacks.

6.1 The protocol

We propose a protocol that aims at mutual authentication between prover and verifier. The need of authenticating the verifier is to prevent illegitimate erasure requests, while prover authentication is a necessary step towards obtaining a proof of erasure. In addition, the verifier measures the round-trip-time of a message exchange to obtain a bound on its distance to the prover. This is a distance bounding technique [8] that will prove useful to counteract distant attackers.

The protocol, depicted in Figure 7, starts when the prover sends a nonce . A verifier replies with a Message Authentication Code (MAC) on the nonce and a freshly generated nonce , which is used by to authenticate . As usual, the MAC function is computed using and ’s shared key . Right after, a time-measurement phase commences, where starts a clock and sends a challenge to . Immediately after receiving the challenge, replies with , where is a hash function. Upon reception of the prover’s response, stops the clock and calculates the round-trip-time . Then checks that is correct and that , where is a protocol parameter denoting a maximum time-delay tolerance. If both verification steps succeed, claims that has erased its memory.

Figure 7: A secure memory erasure protocol.

The reader may have noticed that the introduced memory erasure protocol does not use standard notation from the literature in distance bounding, where the time-measurement phase is composed of various rounds of single-bit exchanges [8, 2]

. For the moment we require this high level of abstraction to come up with formal security proofs. Nonetheless, in Section 

7 below we unfold the proposed protocol and describe it using standard cryptographic notation for distance bounding protocols.

6.2 Security analysis

Figure 8 provides a formal specification of the protocol in the modeling language introduced earlier. That specification is used to enunciate the various results that come next. In the remainder of this section, we use to refer to the protocol defined by the protocol rules in Figure 8.

Figure 8: Specification of the introduced memory erasure protocol.
Lemma 2.

Let be a projection function on time-stamped traces defined by , for every . Let . satisfies that

(3)
Proof.

We use the security protocol verification tool Tamarin [23] to prove this lemma. The Tamarin specification of the protocol and lemma can be found at https://github.com/memory-erasure-tamarin/code. Therefore, the correctness of this proof relies on the claim that the provided Tamarin implementation faithfully corresponds to the formalization provided herein. ∎

Lemma 2 states that either the prover (if the prover is honest) or a dishonest agent on behalf of the prover (if the prover is dishonest) will respond to the challenge sent by the verifier to calculate the round-trip-time.

Our main observation at this point is that the condition satisfied by the memory erasure claim event in Lemma 2 is stronger than the condition required to satisfy causality-based secure distance bounding, as introduced in [21]. This allows us to prove the main theorem of this section.

Theorem 3.

Let be the time upper bound used in , a distance threshold of a distant attacker, and the transmission speed of the communication channel. If , then satisfies secure memory erasure.

Proof.

According to Definition 3, it is sufficient to prove that

Consider two agents, and with , and a trace such that . Consider now the projection of the trace . It follows that satisfies that with . This allows us to use Lemma 2 and conclude that there must exist such that , , and for some agent , which is either itself or dishonest. Mapping back those events onto the trace , we obtain that there exists timestamps such that , and .

By looking at the protocol rules (concretely V3) and the fact that is honest, it follows that and that . This means that , i.e. . On the one hand, because satisfies , we obtain that either or is honest. On the other hand, Lemma 2 gives that either or is dishonest. Given that cannot be honest and dishonest at the same time, we conclude that . As a result, , which concludes the proof. ∎

Theorem 3 proves that the proposed memory erasure protocol (depicted in Figure 8) resists man-in-the-middle attacks from a distant attacker with distance threshold . That is, the protocol does not contain logical flaws with respect to the mathematical model and properties introduced in this article.

The next and last section of this article is dedicated to analysing attacks that are not regarded as man-in-the-middling in the traditional sense; hence not captured by the security model. We refer to probabilistic attacks that aim to bypass the protocol without fully storing the term in memory. Of course, this requires switching from symbolic analysis to probabilistic analysis.

7 A protocol based on cyclic tree automata

The goal of this section is to instantiate the high level specification of the introduced protocol into a concrete class of protocols that can be used to analyze the security and communication complexity trade-off commonly present in memory attestation and memory erasure protocols [31, 18, 25, 12, 16].

7.1 Lookup-based memory erasure protocols

The instantiation we propose is largely inspired by the design of lookup-based distance bounding protocols [15, 3, 14, 17, 19, 22, 24, 32], and we will use the automata-based representation introduced by Mauw et al. [22] to describe them. The main feature of this type of protocols is that, in order to obtain tight values on the round-trip-time calculation, they use simple lookup operations during the time-measurement phase.

An automaton, i.e. a state-labeled Deterministic Finite Automaton (DFA), is of the form , where is a set of input symbols, is a set of output symbols, is a set of states, is the initial state, is a transition function, and is a labeling function.

Example 2 (Cyclic tree automata.).

As a running example, we consider a concrete type of automaton , called cyclic tree automaton, that resembles the tree structure used in [3]. Cyclic tree automata (see Figure 9) are characterized by a depth , which determines the number of states in to be equal to . The input and output symbol sets are binary, i.e. , and the transition function is defined in two steps. First, given the set of states , and , for every . The remaining states connect back to and as follows, and , for every .

Figure 9: A cyclic tree automaton with depth . Dashed and solid edges represent transitions with input symbol and , respectively.

In a lookup-based protocol, prover and verifier move through a given automaton in a synchronous way by feeding the transition function with a sequence of challenges sent by the verifier; starting from the initial state. For example, in Figure 9, if the verifier sends challenges , and , then both prover and verifier are meant to follow the path . Each of those transitions are regarded as a lookup operation, because the prover’s responses are determined by the labels of the states in the path. Taking back our running example, the prover’s response to challenge is , to a second challenge is , and to a third challenge is .

The formalization of the prover-to-verifier interaction described above is as follows. Given an automaton and a current state , a lookup operation is regarded as a transition to a new state where is a verifier’s challenge. The corresponding response for such challenge is the output symbol attached to the new state , i.e., . We use to denote the state reached by the sequence of input symbols . Formally, if , otherwise . Similarly, is used to denote the output symbol assigned to the state reached by the sequence . Finally, the sequence of output symbols resulting from the input sequence in an automaton is denoted .

Figure 10 depicts our class of lookup-based memory erasure protocols. It consists of three phases. An initial phase where verifier and prover agree on an automaton , such as a cyclic tree automaton. In this phase, the prover authenticates the verifier to prevent unauthorized readers from erasing its memory. After the initial phase, the fast phase starts, consisting of a series of rapid bit exchanges where the prover is challenged to traverse the automaton generated during the initialization phase. In the final phase the verifier takes a decision based on the round-trip-times values and the prover’s responses obtained during the fast phase. Details on each phase is given next.

Figure 10: The class of lookup-based memory erasure protocol.

Initial phase. As in the high-level specification depicted in Figure 7, the first two messages of the protocol are used by the prover to authenticate the verifier before executing the remainder of the protocol, i.e. before erasing its memory. If this authentication step is successful, both prover and verifier build an automaton based on the output of a pseudo random function seeded with the triple . Detail on how such automaton can be built based on the output of a pseudo-random function can be found in [3] and [22]. Here we abstract away from those details and consider the output of the initial phase to be a randomly chosen automaton from a set of automata. Formally, let be the universe of automata with input and output symbol set and , respectively. Given a lookup-based memory erasure protocol , we use to denote all possible automata that can result from the initial phase in .

Fast phase. The fast phase of the protocol starts right after agreeing on a random automaton from . It consists of the following rounds. For to , the verifier picks a random bit and sends it to the prover. Upon reception of , the prover applies the transition function and returns the label of the state , with being the initial state of the automaton. The verifier stops the timer immediately after receiving the prover’s response and calculates the round-trip-time .

Final phase. At the end of the fast phase the verifier checks that all round-trip-times are below the pre-defined time threshold . The verifier also checks that all responses are correct by traversing the automaton with its own challenges . If either of those verification steps fails, the verifier considers the protocol unsuccessful.

Our main claim here is that the protocol in Figure 7 is an accurate abstraction of the lookup-based memory erasure protocol in Figure 10, provided that guessing the automaton used during an honest prover-to-verifier execution is unfeasible for an attacker. Although this does not necessarily prevent probabilistic attacks, as we show next, it asserts that lookup-based memory erasure protocols contain no logical flaws. That is to say, the introduced lookup-based memory erasure protocol resists man-in-the-middle attackers as defined in Sections 4 and 5.

7.2 Security and communication complexity trade-off

The security and communication complexity trade-off stems from the fact that the portion of the prover’s memory that can be attested is proportional to the communication complexity of the protocol [31, 18, 25, 12, 16]. In lookup-based memory erasure protocols, we define communication complexity as the number of rounds used during the fast phase, and memory to be attested as the size of the automaton agreed upon during the initial phase.

We consider an implementation-independent notion of size for automata, which corresponds to the number of states of an automaton. Formally, given we consider the function defined by .

In an honest session between prover and verifier, the outcome of the initial phase is an automaton randomly chosen from the set . In this case, the memory required on the prover’s side to execute the protocol is at least the size of the automaton agreed upon with the verifier. However, a fraudulent prover may use a smaller automaton with the intention of successfully passing the memory erasure protocol without fully erasing its memory.

Definition 4 (Fraudulent prover).

Given a protocol , a fraudulent prover is defined by a function such that for every , .

The probability of success of a fraudulent prover is calculated by, given a random automaton and random sequence ,

The space saving of a fraudulent prover is given by the formula,

Maximizing both probability of success and space saving is unattainable. The smallest automaton a fraudulent prover can use consists of a single state with two self-transitions, one with and another with . But, in this case its probability of success becomes , where is the number of rounds during the fast phase. Thus fraudulent provers will aim at striking a good trade-off between probability of success and space savings.

In general, we are interested on an optimal fraudulent prover that achieves the maximum probability of success restricted to a given size for the automata. This might be achieved by using automata minimization techniques, such as [33], where sub-automata that repeats often are assigned a single state. Although this is a promising research direction, we focus in this article on a simpler fraudulent strategy that consists of ignoring portions of the automaton in order to meet a given memory requirement. The problem of determining and analyzing optimal fraudulent provers is thus left for future work.

7.3 Analysis of a protocol based on cyclic tree automata

We deliver a concrete trade-off analysis by considering a lookup-based memory erasure protocol that only utilizes cyclic tree automata of a given depth, called tree-based memory erasure protocol. That is, given the universe of cyclic tree automata with depth , denoted , we define the tree-based memory erasure protocol to be a lookup-based protocol with . We also consider that a fraudulent prover can remove a subtree from a cyclic tree automaton, with the idea of leaving room to the malicious software to persist in memory. Formally, given a cyclic tree automaton of depth , denoted , the fraudulent prover chooses a state and disconnects it from the tree as follows. For every such that with , is set to be equal to . The resulting set of disconnected states is inductively defined by and . States in are consequently removed from . We use to denote the resulting automaton.

Theorem 4.

Let be a depth value and the universe of cyclic tree automata with state set . Given a state with , let be a fraudulent prover defined by for every . If for some positive integer , then for a random automaton and random sequence ,

Proof.

Let . We use to denote the distance of a shortest path between states and in the automaton . Let and be the sequence of input symbols such that .

Assume . If , then given that no state in that has been removed in is used. Otherwise, If , with probability , given that and are randomly chosen. Because the probability of is equal to , we obtain an overall probability of

For the general case where , we notice that, by construction of the cyclic tree automaton, the following property holds,

The same property holds for the modified automaton . Therefore,