Verify&Revive: Secure Detection and Recovery of Compromised Low-end Embedded Devices
Tiny and specialized computing platforms, so-called embedded or Internet of Things (IoT) devices, are increasingly used in safety- and privacy-critical application scenarios. A significant number of such devices offer limited or no security features, making them attractive targets for a wide variety of cyber attacks, exemplified by malware infestations. One key component in securing these devices is establishing a root of trust, which is typically attained via remote attestation (RA), a security service that aims to ascertain the current state of a remote device and detect any malicious tampering. Although several (software-based, hardware-based, and hybrid) RA approaches have been proposed to address this problem, two main issues remain, regardless of the type of RA. First, all but one of the existing RA approaches are vulnerable to Time-Of-Check Time-Of-Use (TOCTOU) attacks, where a transient malware may infect the corresponding embedded device between two consecutive RA routines without being detected. Second, little attention has been devoted to efficiently and securely rescuing devices that are determined to be compromised, increasing the maintenance cost of IoT deployments, especially in industrial control systems, where (re-)deploying a new device is often a cost-sensitive operation. Motivated by the fact that many low-end devices neither support hardware-based RA nor can afford the hardware modifications required by hybrid approaches, we tackle the aforementioned issues by proposing Verify&Revive, the first reliable pure-software approach to remote attestation with recovery techniques, targeting the low-end range of IoT devices. It consists of two components: Verify and Revive. Verify is a TOCTOU-secure RA scheme with a built-in secure erasure module that is automatically executed as a countermeasure when a malware infection is detected on the IoT device. Revive is a secure code update scheme that is executed upon request to install regular updates, or as a recovery technique to restore the last benign settings of the cleaned, yet non-functioning, IoT device. A proof of attestation, erasure, and update/recovery is obtained relying on trustworthy software, leveraging and extending a formally-verified software-based memory isolation technique, called the Security MicroVisor (SμV). We implement and evaluate Verify&Revive on industrial resource-constrained IoT devices, showing very low overhead in terms of memory footprint, performance, and battery lifetime.
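The following simulation is an added illustration of the attest/erase/recover loop the abstract describes; it is not code from the Verify&Revive paper or from the Security MicroVisor. The abstract does not say how Verify achieves TOCTOU-security, so the mechanism below is an assumption: a write latch on the attested memory region, set by any write and cleared only by trusted attestation or update code (which the software isolation is assumed to protect). The keys, the firmware image, and the `Device`/`Verifier` classes are all constructed for the example. It contrasts a classic hash-only report, which cannot see a modification that is undone before the next check, with a report that also authenticates the latch, and then runs the countermeasure path: erase, reject an unauthenticated image, and restore the last benign image.

```python
import hashlib
import hmac
import os

# Constructed keys for the simulation; on a real device they would live in the
# region the software isolation layer keeps away from untrusted code.
ATTEST_KEY = b"constructed-attestation-key"
UPDATE_KEY = b"constructed-update-key"

GOOD_IMAGE = bytes(range(64))  # constructed stand-in for the benign firmware


class Device:
    """Simulated low-end device with a write latch on the attested region."""

    def __init__(self, image):
        self.program = bytearray(image)
        # Assumption: set on every write to the attested region and cleared only
        # by trusted attestation/update code (protected by memory isolation).
        self.modified_since_attest = False

    def untrusted_write(self, offset, data):
        self.program[offset:offset + len(data)] = data
        self.modified_since_attest = True

    # --- Verify: attestation ---------------------------------------------
    def attest_naive(self, nonce):
        # Hash-only RA: the report reflects memory at check time and nothing else.
        return hmac.new(ATTEST_KEY, nonce + bytes(self.program), hashlib.sha256).digest()

    def attest_toctou_secure(self, nonce):
        # The latch is part of the authenticated report, so a write between two
        # checks cannot be hidden by restoring the original bytes afterwards.
        flag = b"\x01" if self.modified_since_attest else b"\x00"
        report = hmac.new(ATTEST_KEY, nonce + flag + bytes(self.program), hashlib.sha256).digest()
        self.modified_since_attest = False  # trusted code resets the latch
        return flag, report

    # --- Verify: secure erasure; Revive: authenticated recovery -----------
    def secure_erase(self):
        self.program[:] = b"\x00" * len(self.program)

    def revive(self, image, tag):
        expected = hmac.new(UPDATE_KEY, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # unauthenticated image: refuse to install
        self.program[:] = image
        self.modified_since_attest = False  # trusted install, latch reset
        return True


class Verifier:
    def __init__(self, expected_image):
        self.expected = bytes(expected_image)

    def check_naive(self, dev):
        nonce = os.urandom(16)
        expected = hmac.new(ATTEST_KEY, nonce + self.expected, hashlib.sha256).digest()
        return hmac.compare_digest(expected, dev.attest_naive(nonce))

    def check_secure(self, dev):
        nonce = os.urandom(16)
        flag, report = dev.attest_toctou_secure(nonce)
        expected = hmac.new(ATTEST_KEY, nonce + flag + self.expected, hashlib.sha256).digest()
        # Healthy only if memory matches AND nothing wrote to it since the last check.
        return hmac.compare_digest(expected, report) and flag == b"\x00"

    def signed_update(self, image):
        return image, hmac.new(UPDATE_KEY, image, hashlib.sha256).digest()


def run_scenario():
    verifier = Verifier(GOOD_IMAGE)
    dev = Device(GOOD_IMAGE)
    results = {"baseline_ok": verifier.check_secure(dev)}

    # Transient modification: bytes are changed, then restored before the next check.
    original = bytes(dev.program[0:4])
    dev.untrusted_write(0, b"\xff\xff\xff\xff")
    dev.untrusted_write(0, original)

    results["naive_missed"] = verifier.check_naive(dev)          # hash-only check passes
    results["secure_detected"] = not verifier.check_secure(dev)  # latch exposes the gap

    # Countermeasure path: erase, then recover the last benign image via Revive.
    if results["secure_detected"]:
        dev.secure_erase()
        results["erased"] = bytes(dev.program) == b"\x00" * len(GOOD_IMAGE)
        results["bogus_update_rejected"] = not dev.revive(b"\xee" * 64, b"\x00" * 32)
        results["recovered"] = dev.revive(*verifier.signed_update(GOOD_IMAGE))
    results["post_recovery_ok"] = verifier.check_secure(dev)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the scenario makes is that the hash-only report is correct at the moment it is computed and still says nothing about the interval before it; the verifier only gains TOCTOU coverage when the report carries state that the untrusted code cannot reset, which is exactly what the isolation layer has to guarantee. The recovery branch also shows why Revive must authenticate images: an erase followed by an unauthenticated install would simply hand the attacker the update path.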