C-FLAT: Control-FLow ATtestation for Embedded Systems Software
This addresses security vulnerabilities in IoT and embedded devices, offering a more comprehensive run-time attestation solution, though it is an incremental step building on existing hardware security extensions.
The paper tackles the problem of run-time attacks on embedded systems by introducing C-FLAT, a remote attestation method that verifies an application's control-flow path without requiring source code, and demonstrates its efficacy against control-flow hijacking attacks with a prototype on Raspberry Pi.
Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to run-time attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive run-time remote attestation, we present the design and implementation of Control- FLow ATtestation (C-FLAT) that enables remote attestation of an application's control-flow path, without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.