PACCOR4ESP: Embedded Device Security Attestation using Platform Attribute Certificates
- URL: http://arxiv.org/abs/2407.14286v1
- Date: Fri, 19 Jul 2024 13:17:00 GMT
- Title: PACCOR4ESP: Embedded Device Security Attestation using Platform Attribute Certificates
- Authors: Thomas GrĂ¼bl, Jan von der Assen, Markus Knecht, Burkhard Stiller,
- Abstract summary: This paper proposes an extension of the NSA Cybersecurity Directorate's Platform Attribute Certificate Creator for the ESP32.
The toolkit extracts security-relevant information from an ESP32-S3, such as the firmware hash, and automatically embeds it into a Platform Attribute Certificate.
- Score: 0.3474871319204387
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Verifying the integrity of embedded device characteristics is required to ensure secure operation of a device. One central challenge is to securely extract and store device-specific configurations for future verification. Existing device attestation schemes suffer from notable limitations, including a lack of standardization and a failure to encompass all hardware and software aspects inherent to a platform. This paper proposes an extension of the NSA Cybersecurity Directorate's Platform Attribute Certificate Creator (PACCOR) for the ESP32, a widely-used microcontroller series. Platform Attribute Certificates store device characteristics as per the Trusted Computing Group's Platform Certificate Profile. As of today, there is little research on hybrid attestation schemes utilizing Platform Attribute Certificates on embedded devices, which this work addresses. This paper presents a collection of attacks that can be detected using PACCOR4ESP. The toolkit extracts security-relevant information from an ESP32-S3, such as the firmware hash, bootloader hash, GPIO pin configuration, and a reference to the endorsement key of the secure element, and automatically embeds it into a Platform Attribute Certificate. Lastly, this work shows how PACCOR4ESP can be integrated with existing embedded device attestation frameworks, such as RAS, CRAFT, and SEDA.
Related papers
- Peacock: UEFI Firmware Runtime Observability Layer for Detection and Response [21.022582425069675]
Peacock is a framework that introduces integrity monitoring and remote verification for the boot process.<n>Our evaluation shows that Peacock reliably detects multiple real-world UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor.
arXiv Detail & Related papers (2026-01-12T10:38:43Z) - Application of Machine Learning Techniques for Secure Traffic in NoC-based Manycores [44.99833362998488]
This document explores an IDS technique using machine learning and temporal series for detecting DoS attacks in NoC-based manycore systems.<n>It is necessary to extract traffic data from a manycore NoC and execute the learning techniques in the extracted data.<n>The developed platform will have its data validated with a low-level platform.
arXiv Detail & Related papers (2025-01-21T10:58:09Z) - Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC)
ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic.
We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
arXiv Detail & Related papers (2024-11-21T18:26:05Z) - Secure Software/Hardware Hybrid In-Field Testing for System-on-Chip [0.0]
Modern Systems-on-Chips (SoCs) incorporate built-in self-test (BIST) modules deeply integrated into the device's intellectual property (IP) blocks.
BIST results potentially reveal the internal structure and state of the device under test (DUT) and hence open attack vectors.
So-called result compaction can overcome this vulnerability by hiding the BIST chain structure but introduces the issues of aliasing and invalid signatures.
We introduce a low-overhead software/ hardware hybrid approach that overcomes the mentioned limitations.
arXiv Detail & Related papers (2024-10-07T15:04:37Z) - Towards Credential-based Device Registration in DApps for DePINs with ZKPs [46.08150780379237]
We propose a credential-based device registration (CDR) mechanism that verifies device credentials on the blockchain.
We present a general system model, and technically evaluate CDR using zkSNARKs with Groth16 and Marlin.
arXiv Detail & Related papers (2024-06-27T09:50:10Z) - HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs)
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z) - Tamper-Evident Pairing [55.2480439325792]
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard.
TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent.
This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
arXiv Detail & Related papers (2023-11-24T18:54:00Z) - A Lightweight and Secure PUF-Based Authentication and Key-exchange Protocol for IoT Devices [0.0]
Device Authentication and Key exchange are major challenges for the Internet of Things.
PUF appears to offer a practical and economical security mechanism in place of typically sophisticated cryptosystems like PKI and IBE.
We present a system in which the IoT device does not require a continuous active internet connection to communicate with the server in order to Authenticate itself.
arXiv Detail & Related papers (2023-11-07T15:42:14Z) - RIPencapsulation: Defeating IP Encapsulation on TI MSP Devices [6.4241197750493475]
This paper uncovers two fundamental weaknesses in IP Encapsulation (IPE), the TEE deployed by Texas Instruments for MSP430 and MSP432 devices.
We implement an attack called RIPencapsulation, which executes portions of code within the IPE and uses the partial state revealed through the register file to exfiltrate secret data.
arXiv Detail & Related papers (2023-10-25T08:00:59Z) - SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z) - Secure access system using signature verification over tablet PC [62.21072852729544]
We describe a highly versatile and scalable prototype for Web-based secure access using signature verification.
The proposed architecture can be easily extended to work with different kinds of sensors and large-scale databases.
arXiv Detail & Related papers (2023-01-11T11:05:47Z) - PASS: Protected Attribute Suppression System for Mitigating Bias in Face
Recognition [55.858374644761525]
Face recognition networks encode information about sensitive attributes while being trained for identity classification.
Existing bias mitigation approaches require end-to-end training and are unable to achieve high verification accuracy.
We present a descriptors-based adversarial de-biasing approach called Protected Attribute Suppression System ( PASS)'
Pass can be trained on top of descriptors obtained from any previously trained high-performing network to classify identities and simultaneously reduce encoding of sensitive attributes.
arXiv Detail & Related papers (2021-08-09T00:39:22Z) - SEDAT:Security Enhanced Device Attestation with TPM2.0 [0.3007949058551534]
This paper presents SE DAT, a novel methodology for remote attestation of the device via a security enhanced communication channel.
SE DAT provides a way for verifier to get on-demand device integrity and authenticity status via a secure channel.
It also enables the verifier to detect counterfeit hardware, change in firmware, and software code on the device.
arXiv Detail & Related papers (2021-01-16T03:41:01Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.