UC Irvine

In recent years, embedded and cyber-physical systems (CPS), under the guise of Internet-of-

Things (IoT), have entered many aspects of daily life. Despite many benefits, this develop-

ment also greatly expands the so-called attack surface and turns these newly computerized

gadgets into attractive attack targets. One key component in securing IoT devices is malware

detection, which is typically attained with (secure) remote attestation. Remote attestation

is a distinct security service that allows a trusted verifier to verify the internal state of a

remote untrusted device. Remote attestation is especially relevant for low/medium-end em-

bedded devices that are incapable of protecting themselves against malware infection. As

safety-critical IoT devices become commonplace, it is crucial for remote attestation not to

interfere with the device’s normal operations. In this dissertation, we identify major issues in

reconciling remote attestation and safety-critical application needs. We show that existing

attestation techniques require devices to perform uninterruptible (atomic) operations during

attestation. Such operations can be time-consuming and thus may be harmful to the device’s

safety-critical functionality. On the other hand, simply relaxing security requirements of re-

mote attestation can lead to other vulnerabilities. To resolve this conflict, this dissertation

presents the design, implementation, and evaluation of several mitigation techniques. In par-

ticular, we propose two light-weight techniques capable of providing interruptible attestation

modality. In contrast to traditional techniques, our proposed techniques allow interrupts to

occur during attestation while ensuring malware detection via shuffled memory traversals or

memory locking mechanisms. Another type of techniques pursued in this dissertation aims

to minimize the real-time computation overhead during attestation. We propose using peri-

odic self-measurements to measure and record the device’s state, resulting in more flexible

scheduling of the attestation process and also in no real-time burden as part of its interaction

with verifier. This technique is particularly suitable for swarm settings with a potentially

large number of safety-critical devices. Finally, we develop a remote attestation HYDRA

architecture, based on a formally verified component, and use it as a building block in our

proposed mitigation techniques. We believe that this architecture may be of independent

interest.