Embedded Security Architectures

Question 1

Time of Check Time of Use Problem

Answer 1

• Software manipulated after attestation (and before execution)
• Verifier not aware of the change in the state

Question 2

SMART

Answer 2

• Secure Minimal Architecture for (Establishing a Dynamic) Root of Trust
• A hardware architecture, which enables the deployment of the security objectives
• Goal: Remote code attestation
  -> TOCTOU problem
  -> Provide prove of execution

Question 3

SMART adversary model

Answer 3

• Full control over software
• No invasive hardware attacks
• No side-channel attacks

Question 4

SMART System assumptions

Answer 4

• Immutable memory (ROM)
• Memory (RAM) erased at reset

Question 5

SMART attestation

Answer 5

• Shared key between prover and verifier
• Key only accessible from attestation code
• Attestation code:
  -> no bugs/no information leakage (static analysis)
  -> Atomic execution (attestation code then attested code)
  -> Entrance only at first address, exit only at last address (code reuse attacks)

Question 6

SMART protocol parameters passed to prover

Answer 6

• Is: Start of code region to attest
• Ie: End of code region to attest
• entry: Entry of the code (first instruction) to execute
• flagx: Whether or not to execute the code (specified by entry) after the attestation process
• Nonce

Question 7

SMART protocol

Answer 7

1) Attestation is issued by verifier
2) Determine output address, start SMART attestation
3) HMAC of code section and parameters authenticated with key
4) Verify valid key access
5) Result is written to RAM
6) Remove all intermediate values
7) Start execution of the attested code
8) Send HASH value to verifier

Question 8

SMART Advantages

Answer 8

• Prove of Execution: Execution of attested code is triggered after SMART (uninterrupted in absence of hardware attacks)
• Minimal changes to CPU/MPU

Question 9

SMART Disadvantages

Answer 9

• Limited flexibility
  -> Attestation code not changeable/updateable
• Non-interruptible execution/reset on violation
  -> Limits scope of measured code
  -> Limited runtime for measured code in real-time-systems

Question 10

TrustLite

Answer 10

• A Security Architecture for Tiny Embedded Devices
• Goal: Generalization of Execution-Aware Memory Protection Unit
  -> Free configurable protection memory-regions (Trustlets)
  -> No new/special CPU instructions

Question 11

TrustLite Adversary Model

Answer 11

• Full control over software (except loader)
• No hardware and side-channel attacks

Question 12

TrustLite System assumptions

Answer 12

• Device Key shared with device owner
• memory-mapped I/O for all peripheral access
• TrustLite aware Exception Engine

Question 13

TrustLite Features

Answer 13

• Generalization of Execution Aware Memory Protection Unit
  -> Not based on privilege level, directly associates data & code regions
  -> Free configurable protection regions (Trustlets)
  -> No additional CPU instructions required
• Secure Exception Handling
  -> Interruptible Trustlets with secure context saving
• Secure Loading
  -> Secure loading of Trustlets and setup of MPU
• Inter Process Communication (IPC)
  -> Secure IPC between mutually authenticated Trustlets with one-round handshake

Question 14

TrustLite: Trustlet Loading

Answer 14

1) Load Trustlets into the main memory
2) Protect MPU configuration itself, MPU marked as read-only. From this point it is immutable until system reboot
3) Load operating system

Question 15

TrustLite: Exception Handling

Answer 15

1) Interrupt while Trustlet is executed
2) State saved on Trustlet stack
3) Update Trustlet table
4) Load OS Stack
5) Load Interrupt Service Routine
-> Each Trustlet has its own stack stored in its own memory region
-> CPU state (context) is not maintained (is erased) when switching between Trustlets (specific Trustlet is restored for execution)

Question 16

TrustLite: Attestation Trustlet

Answer 16

1) Verifier sends nonce to the device
2) Attestation Trustlet calculates HASH over code region, the nonce and the device key
3) Result is sent to the verifier

Question 17

TrustLite Advantages

Answer 17

• Flexible
  -> Trustlets execution is interruptible
  -> Protection regions freely configurable
• Update is possible
• Peripheral devices access
  -> Access to hardware components can be limited to certain Trustlets
• Isolation of arbitrary code

Question 18

TrustLite Disadvantages

Answer 18

• Trustlets loader is trusted (part of the Trusted Computing Base TCB)
• Static Trustlet code region-allocation required for inter process communication
• Number of allowed rules in the MPU is fixed at manufacturing time

Question 19

Attestation Solutions Comparison: Authentication of Prover

Answer 19

• SMART
  -> Key access exclusive to ROM-code
  -> One specific execution aware MPU rule
• TrustLite
  -> Key access exclusive to Attest Trustlet and Key access restricted via EA-MPU
  -> General EA-MPU rule

Question 20

Attestation Solutions Comparison: Freshness of Attestation

Answer 20

• SMART and TrustLite: Verifier challenges Prover with nonce

Question 21

Attestation Solutions Comparison: Integrity of Attestation

Answer 21

• SMART
  -> On ROM-code entry interrupts are disabled
  -> Platform reset on (non-maskable) interrupt
• TrustLite
  -> Option 1: Interrupts disabled while Attest Trustlet executes
  -> Option 2: Attest Trustlet is interruptible
  –> Attest Trustlet state does not leak confidential information due to exception handling of TrustLite
  –> Attestation target must be immutable until attestation is complete, e.g., set MPU rules for attested code to read-only

Question 22

Jeep Hack

Answer 22

1. Inject IPC messages over the network
   -> e.g. override SSH key and start SSH service
2. Reflash proxy Controller with modified firmware
3. Send CAN messages to control the car

Question 23

Software-based Attestation

Answer 23

• Exploits computational constraints of prover
• Only memory checksum can produce desired result in time
• No security hardware or root of trust