Secure Code Updates for Mesh Networked Commodity Low-End Embedded Devices

Kohnhäuser, Florian; Katzenbeisser, Stefan

doi:10.1007/978-3-319-45741-3_17

Cited by 17 publications

(16 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Perito and Tsudik [40] used PoSE to propose a practical approach to secure erasure and code update in embedded devices and evaluated the scheme's feasibility in commodity sensors. Kohnhauser and Katzenbeisser [58] presented a code update scheme which verifier can enforce the correct distribution and installation of code updates on all devices in the network. Especially the scheme allowed the administrator to provide secure code updates for a group of devices.…”

Section: Control Flow Integritymentioning

confidence: 99%

RIPTE: Runtime Integrity Protection Based on Trusted Execution for IoT Device

Qin

Liu

Zhao

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

Software attacks like worm, botnet, and DDoS are the increasingly serious problems in IoT, which had caused large-scale cyber attack and even breakdown of important information infrastructure. Software measurement and attestation are general methods to detect software integrity and their executing states in IoT. However, they cannot resist TOCTOU attack due to their static features and seldom verify correctness of control flow integrity. In this paper, we propose a novel and practical scheme for software trusted execution based on lightweight trust. Our scheme RIPTE combines dynamic measurement and control flow integrity with PUF device binding key. Through encrypting return address of program function by PUF key, RIPTE can protect software integrity at runtime on IoT device, enabling to prevent the code reuse attacks. The results of our prototype’s experiment show that it only increases a small size TCB and has a tiny overhead in IoT devices under the constraint on function calling. In sum, RIPTE is secure and efficient in IoT device protection at runtime.

show abstract

Section: Control Flow Integritymentioning

confidence: 99%

RIPTE: Runtime Integrity Protection Based on Trusted Execution for IoT Device

Qin

Liu

Zhao

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…For constrained devices, several secure update mechanisms have been proposed, mainly for sensor networks in combination with attestation [1,14,20,23,36,40,41]. After trying to distribute the update, the server requests an attestation proof of successful update application.…”

Section: Related Workmentioning

confidence: 99%

The Lazarus Effect: Healing Compromised Devices in the Internet of Small Things

Huber

Hristozov

Ott

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

We live in a time when billions of IoT devices are being deployed and increasingly relied upon. This makes ensuring their availability and recoverability in case of a compromise a paramount goal. The large and rapidly growing number of deployed IoT devices make manual recovery impractical, especially if the devices are dispersed over a large area. Thus, there is a need for a reliable and scalable remote recovery mechanism that works even after attackers have taken full control over devices, possibly misusing them or trying to render them useless. To tackle this problem, we present Lazarus, a system that enables the remote recovery of compromised IoT devices. With Lazarus, an IoT administrator can remotely control the code running on IoT devices unconditionally and within a guaranteed time bound. This makes recovery possible even in case of severe corruption of the devices' software stack. We impose only minimal hardware requirements, making Lazarus applicable even for low-end constrained off-the-shelf IoT devices. We isolate Lazarus's minimal recovery trusted computing base from untrusted software both in time and by using a trusted execution environment. The temporal isolation prevents secrets from being leaked through side-channels to untrusted software. Inside the trusted execution environment, we place minimal functionality that constrains untrusted software at runtime. We implement Lazarus on an ARM Cortex-M33-based microcontroller in a full setup with an IoT hub, device provisioning and secure update functionality. Our prototype can recover compromised embedded OSs and bare-metal applications and prevents attackers from bricking devices, for example, through flash wear out. We show this at the example of FreeRTOS, which requires no modifications but only a single additional task. Our evaluation shows negligible runtime performance impact and moderate memory requirements.

show abstract

“…Trusted Execution Environments (TEEs), remote attestation schemes, etc. have been proposed by both the industry [74] and academia [8,18,24,30,39,44,63,64]. To narrow the focus, remote attestation (RA) has recently emerged as the central means to detect malware presence on remote low-end devices.…”

Section: Problem Statementmentioning

confidence: 99%

“…SPEED [8] is an approach to secure verifiable erasure for Class-1 IoT devices [17] which tackles the shortcomings of PoSE by building on top of a software-based memory isolation technique along with a distance bounding protocol, ruling out the assumption of jamming nearby devices. The work in [44] presents a verifiable code update scheme for a swarm of low-end embedded devices which verifies and enforces the correct installation of code updates on all devices in the network, considering that each device in the network should maintain minimal hardware requirements which are represented by a ROM and secure storage. ASSURED [13] is a hybrid-based scalable architecture for secure software updates of embedded devices, which extends and outperforms TUF [61], the popular state-ofthe-art secure update mechanism.…”

Section: Secure Erasure Recovery and Code Updatementioning

confidence: 99%