fusing hybrid remote attestation with a formally verified
play

Fusing Hybrid Remote Attestation with a Formally Verified - PowerPoint PPT Presentation

Aug 02, 2023 •119 likes •451 views

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim Eldefrawy, Norrathep Rattanavipanon , Gene Tsudik June 28, 2017 nrattana@uci.edu http://sprout.ics.uci.edu IoT/CPS/ES IoT/CPS/ES IoT/CPS/ES Remote

  1. Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim Eldefrawy, Norrathep Rattanavipanon , Gene Tsudik June 28, 2017 nrattana@uci.edu http://sprout.ics.uci.edu

  2. IoT/CPS/ES

  3. IoT/CPS/ES

  4. IoT/CPS/ES

  5. Remote Attestation (RA) ★ Remote verification of internal state of a prover by a verifier ○ Secure updates, deletion/reasure and resetting ★ Challenge-response protocol between ○ Untrusted prover : embedded device Trusted verifier : powerful entity ○ 1) chal 2) checksum Verifier Prover (e.g. MAC) 3) resp 4) verify

  6. Design of RA ★ Hardware-only Attestation ○ Secure hardware (e.g. TPM) ○ Overkill for medium/low-end IoT/embedded devices ★ Software-only Attestation ○ A.k.a. timing-based attestation ○ Does not support multi-hop communication ○ Underlying assumptions (seriously) challenged ★ Hybrid Attestation ○ Minimal hardware support for secure RA

  7. SMART (NDSS’12) First Hybrid Design in Remote Attestation for low-end microcontrollers (MCUs)

  8. SMART Properties 1) Exclusive Access to Key 2) No Leaks 3) Immutability 4) Uninterruptability 5) Controlled Invocation Secure & Minimal Architecture for Remote Trust (NDSS '12) A Minimalist Approach to Remote Attestation (DATE '14)

  9. SMART Properties 1) Exclusive Access to Key 2) No Leaks 3) Immutability 4) Uninterruptability 5) Controlled Invocation Hardware Requirement ★ ROM ★ MCU (bus) access controls Secure & Minimal Architecture for Remote Trust (NDSS '12) A Minimalist Approach to Remote Attestation (DATE '14)

  10. SMART Properties 1) Exclusive Access to Key 2) No Leaks 3) Immutability 4) Uninterruptability 5) Controlled Invocation Hardware Requirement ★ ROM ★ MCU (bus) access controls Secure & Minimal Architecture for Remote Trust (NDSS '12) A Minimalist Approach to Remote Attestation (DATE '14) Can be emulated using a formally verified software component

  11. Fusing Hybrid RA Design with seL4

  12. seL4 What is it? ● Formal verification of the kernel ○ Spec Impl Binary Capability-based access control ● ● Formally proven access control enforcement

  13. seL4 What is it? Why? ● Formal verification of the kernel ● Emulate hardware-enforced ○ Spec Impl Binary access controls in SMART Capability-based access control ● ● Provide isolation of Attestation ● Formally proven access control Process enforcement

  14. seL4 What is it? Why? ● Formal verification of the kernel ● Emulate hardware-enforced ○ Spec Impl Binary access controls in SMART Capability-based access control ● ● Provide isolation of Attestation ● Formally proven access control Process enforcement How? Map SMART properties into seL4 configuration

  15. Deriving Configuration SMART Properties Att Process Config. ★ E/A to key ★ Exclusive Access (E/A) to key ★ No leaks ★ E/A to virtual space ★ E/WA to executable ★ Immutability ★ Secure boot of seL4 and ★ Uninterruptability att. process ★ Controlled invocation ★ Highest priority ★ E/A to Thread Control Block (TCB)

  16. Our Approach - HYDRA ★ Run Attestation Process ( PR Att ) as initial user-space process ○ Contains capabilities to all objects, e.g. IPC, page and thread ○ Runs with highest scheduling priority ○ Manages the rest of user-space

  17. Our Approach - HYDRA ★ Run Attestation Process ( PR Att ) as initial user-space process ○ Contains capabilities to all objects, e.g. IPC, page and thread ○ Runs with highest scheduling priority ○ Manages the rest of user-space ★ Only spawn new process that does not contain capabilities to PR Att ’s: Executable/Key ○ Working virtual memory ○ TCB ○

  19. Implementation ➢ Prototype on I.MX6-SabreLite and Odroid-XU4 https://boundarydevices.com/product/sabre-lite-imx6-sbc/ http://www.hardkernel.com/main/products/prdt_info.php ➢ Existing secure boot mechanism in Sabre Lite

  20. Benchmarking

  21. Challenges / Lessons Learned

  22. Challenges when using seL4 Formal verification of seL4 assumes: ★ Proper initialization of the kernel ○ Motivate using hardware-enforced secure boot ★ Correct behavior of the underlying hardware Sol: Run seL4 on top of a formally verified processor ○ ○ But does such hardware exist? ○ Not yet … but possible in the future, e.g. CHERI ISA [1] based on Bluespec SystemVerilog [2] [1] R. N. Watson, et al. Capability hardware enhanced risc instructions: Cheri instruction-set architecture, 2016. [2] R. Nikhil and K. Czeck, BSV by Example. CreateSpace Independent Publishing Platform, 2010

  23. Platform Specific Secure Boot ★ Requires configurable/programmable secure boot ○ Not easy to find in commercial development boards ★ SabreLite’s High Assurance Boot (HAB) ○ Based on a digital signature scheme ○ Configurable through HAB ROM APIs

  24. seL4 seL4 + seL4 + Signature Signature Rod Ziolkowski, i.MX Applications Processor Trust Architecture, 2013

  25. Ensuring Freshness of Attestation Requests ★ Computational Denial-of-Service from: ○ Bogus requests ○ Delay, replay or reordering attacks ★ Solution: Verify requests! Requires timestamp generated by a reliable read-only clock. ○ ○ Read-only property can be enforced using seL4’s capability. ○ Reliable property requires a (semi-synchronous) real-time clock. Remote Attestation for Low-End Embedded Devices: the Prover’s Perspective (DAC’16)

  26. Ensuring Freshness of Attestation Requests ★ No real-time clock driver implementation in Sabre Lite. ★ Workaround by generating pseudo-timestamp using a counter + a secondary storage ○ Upon starting, PR Att loads T 0 that was saved before the last reboot. When the first request arrives, check its timestamp ( T 1 ) with T 0 ○ ○ Verify request. If success, keep track of T 1 and start counter. ○ TS = T 1 + counter value ○ Periodically store TS

  27. Conclusion ❖ First hybrid design for Remote Attestation using a formally verified microkernel (seL4) ➢ Emulate certain properties that were previously only realizable using hardware features ❖ Prototype on two commercially available platforms ❖ Challenges ➢ seL4 assumptions ➢ Secure boot ➢ Timestamp generation

  28. Questions?

  29. References

  30. Extras - # partitions experiments (for Wisec?)

  31. Extras - ODROID experiments (for Wisec?)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim Eldefrawy , Norrathep Rattanavipanon, Gene Tsudik HRL Labs UC Irvine UC Irvine (Currently at SRI) July 18, 2017 karim.eldefrawy@sri.com IoT/CPS/ES 2

1.07k views • 41 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault Model Patrick Lincoln and John Rushby Computer Science Laboratory SRI International Menlo Park CA USA FTCS 93 1 Summary What we have

494 views • 25 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B. Rasmussen, Gene Tsudik UC Irvine Overview Motivation Definition of Remote Attestation From Definition to Properties From Properties

452 views • 17 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

836 views • 81 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
Measuring Semantic Integrity for Remote Attestation Fabrizio Baiardi 1 Diego Cilea 2 Daniele

Measuring Semantic Integrity for Remote Attestation Fabrizio Baiardi 1 Diego Cilea 2 Daniele

Introduction Proposed Solution: VIMS Conclusion Measuring Semantic Integrity for Remote Attestation Fabrizio Baiardi 1 Diego Cilea 2 Daniele Sgandurra 2 Francesco Ceccarelli 3 1 Polo G. Marconi - La Spezia, Universit di Pisa, Italy 2

378 views • 33 slides
Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier Carpent, Norrathep (Oak) Rattanavipanon , Gene Tsudik nrattana@uci.edu SPROUT Lab: sprout.ics.uci.edu University of California, Irvine 1

644 views • 42 slides
The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk and Dr. Ray Muzyka Joint CEOs and Co-Executive Producers, BioWare Corp. This talk examines some of the different options available in forming a

73 views • 6 slides
GLCAC Inc. Jennifer C. Carter MPP Results at the Community Level P3: Safe at Home Prepare

GLCAC Inc. Jennifer C. Carter MPP Results at the Community Level P3: Safe at Home Prepare

GLCAC Inc. Jennifer C. Carter MPP Results at the Community Level P3: Safe at Home Prepare your home Prevent fire incidents Preserve family, home, economic security Lawrence Garage Fire Spreads Crews Battle Large Fire In

1.05k views • 67 slides
Evaluating Theories of Coreference Resolution Coreference Resolution: The Task Bayer AG has

Evaluating Theories of Coreference Resolution Coreference Resolution: The Task Bayer AG has

Ethan Roday LING 575 SP16 2016/05/19 Evaluating Theories of Coreference Resolution Coreference Resolution: The Task Bayer AG has approached Monsanto Co. about a takeover that would fuse two of the worlds largest suppliers of crop seeds and

1.35k views • 85 slides
Climate Finance Readiness Seminar for NIEs #4 Dennis Bours Adaptation and Resilience M&E

Climate Finance Readiness Seminar for NIEs #4 Dennis Bours Adaptation and Resilience M&E

Climate Finance Readiness Seminar for NIEs #4 Dennis Bours Adaptation and Resilience M&E Officer, GEF IEO Experiences and lessons learned in the application of tools and approaches to monitoring and evaluation for adaptation projects

316 views • 15 slides
Theory of Computer Games Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu 1 Goal Course name: Theory of Computer Games Prerequisite: A.I. Goal: This course introduces techniques for computers to play various

515 views • 27 slides
HydraFS: a High-Throughput File System for the HYDRAstor Content-Addressable Storage System

HydraFS: a High-Throughput File System for the HYDRAstor Content-Addressable Storage System

HydraFS: a High-Throughput File System for the HYDRAstor Content-Addressable Storage System Cristian Ungureanu, Benjamin Atkin, Akshat Aranya, Salil Gokhale, Steve Rago, Grzegorz Calkowski, Cezary Dubnicki, Aniruddha Bohra Feb 26, 2010

1.36k views • 80 slides
Enter the Hydra: T oward Principled Bug Bounties and Exploit-Resistant Smart Contracts EPFL

Enter the Hydra: T oward Principled Bug Bounties and Exploit-Resistant Smart Contracts EPFL

Ari Juels Phil Daian, Florian Tramer Cornell Tech, Jacobs, IC3 Stanford Lorenz Breidenbach Cornell Tech, ETH, IC3 Enter the Hydra: T oward Principled Bug Bounties and Exploit-Resistant Smart Contracts EPFL SuRI 18 June 2018 Whats

1.07k views • 71 slides
5G, mmW and Beyond Ali M. Niknejad Berkeley Wireless Research Center 1 BWRC xG Vision (x >=

5G, mmW and Beyond Ali M. Niknejad Berkeley Wireless Research Center 1 BWRC xG Vision (x >=

IMS 2017 5G Summit: RFIC/CMOS Technologies for 5G, mmW and Beyond Ali M. Niknejad Berkeley Wireless Research Center 1 BWRC xG Vision (x >= 5) 2 Stay Wireless In Europe, ~50% of LTE base stations are wireless. Why not use the same

755 views • 24 slides

More recommend