Practical Runtime Attestation for Tiny IoT Devices

One of the main challenges in IoT security is to assure the integrity of the firmware running on a constrained low-cost device. A solution to this challenge could be provided by a security service called “remote attestation”, in which the device generates evidence about its deployed firmware that a remote verifier in the backend then appraises. This makes it possible to discover malware on enrolled devices, to protect the ecosystem from compromised devices and to take appropriate countermeasures to restore the infected devices.

How attestation evidence can be generated at boot time on a tiny microcontroller was investigated in earlier work and is also specified by the TCG’s DICE specification. It is, however, challenging to generate such evidence at runtime, when the device is typically exposed to powerful attacks.

Previous approaches have attempted to solve this challenge with custom hardware extensions of the CPU architecture. We developed a method based on DICE that securely generates attestation evidence at runtime using only standard CPU features, namely the MPU and the privileged/unprivileged execution levels, in combination with the boot ROM and the lock mechanism required by DICE. In particular, we use the MPU and the privilege levels to isolate the attestation logic and its secrets from the possibly compromised firmware.

As a result, our method can immediately be applied to a broad range of popular microcontrollers.

At Fraunhofer AISEC, we developed a prototype for the frequently used Cortex-M4-based STM32L476 microcontroller.
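As an added illustration (not code from the Fraunhofer AISEC prototype or from the DICE specification), the following Python model sketches the DICE-style chain the method relies on: the boot ROM derives a CDI from the UDS and the firmware measurement, an isolated attestation layer holds the derived key and answers nonce challenges with evidence over the firmware currently in memory, and a backend verifier appraises that evidence. The derivation label, the symmetric verifier that knows the UDS, and the sample UDS and firmware images are assumptions or constructed values; the Python closure stands in for the MPU and privilege-level isolation of the real design.

```python
import hashlib
import hmac
import os

# Constructed sample values: a device-unique secret (UDS) provisioned into the
# boot ROM and recorded at the backend, plus a reference firmware image.
UDS = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
GOOD_FIRMWARE = b"vendor firmware v1.0 (constructed sample image)"
ATTEST_LABEL = b"attestation-key"  # assumed derivation label, not from the page

def measure(image: bytes) -> bytes:
    """Firmware measurement: SHA-256 over the image."""
    return hashlib.sha256(image).digest()

def derive_cdi(uds: bytes, image: bytes) -> bytes:
    """DICE-style Compound Device Identifier: HMAC over the measurement, keyed with the UDS."""
    return hmac.new(uds, measure(image), hashlib.sha256).digest()

class Device:
    """`firmware` is the mutable memory a runtime attacker can reach; the CDI and
    attestation key live only inside the `attest` closure, which stands in for the
    MPU/privilege-level isolated attestation layer described in the text."""

    def __init__(self, image: bytes):
        self.firmware = bytearray(image)
        cdi = derive_cdi(UDS, image)  # boot ROM: derived once, then the UDS is locked
        key = hmac.new(cdi, ATTEST_LABEL, hashlib.sha256).digest()

        def attest(nonce: bytes) -> bytes:
            # Runtime evidence: a fresh measurement of what is in memory *now*,
            # bound to the verifier's nonce and to the boot-time identity via `key`.
            return hmac.new(key, nonce + measure(bytes(self.firmware)), hashlib.sha256).digest()

        self.attest = attest

def verify(evidence: bytes, nonce: bytes, reference: bytes) -> bool:
    """Backend verifier: recompute the evidence expected from a device that booted
    and still runs the reference image; compare in constant time."""
    key = hmac.new(derive_cdi(UDS, reference), ATTEST_LABEL, hashlib.sha256).digest()
    expected = hmac.new(key, nonce + measure(reference), hashlib.sha256).digest()
    return hmac.compare_digest(evidence, expected)

def scenario(boot_image: bytes, runtime_patch: bytes = b"") -> bool:
    """Boot `boot_image`, optionally overwrite the start of firmware at runtime,
    then run one nonce-based attestation round against the reference image."""
    dev = Device(boot_image)
    dev.firmware[:len(runtime_patch)] = runtime_patch
    nonce = os.urandom(16)
    return verify(dev.attest(nonce), nonce, GOOD_FIRMWARE)
```

A clean boot with untouched firmware verifies; a runtime modification changes the fresh measurement while the boot-time key stays the same, and a modified image at boot changes the CDI itself, so both are rejected by the verifier.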

Further information

Fraunhofer AISEC

Fraunhofer Institute for Applied and Integrated Security AISEC under the responsibility of Prof. Dr. Claudia Eckert is one of the leading research institutions in Europe. Fraunhofer AISEC is focused on development of application-oriented security solutions and their precise and tailored integration into existing systems. Core competences of over 90 scientific and technical members of staff lie in the areas of hardware security and the security of embedded systems, product and intellectual property protection, network security, and security in cloud- and service-oriented computing. Fraunhofer AISEC’s clients operate in a variety of industrial sectors, such as the chip card industry, telecommunications, the automotive industry, and mechanical engineering, as well as the software and healthcare industries. The main goal is to support and improve the competitiveness of our clients and partners in the manufacturing and service sectors as well as those in the public sector.
