TOCTOU Resilient Attestation for IoT Networks (Full Version)

Pavel Frolikov, Youngil Kim, Renascence Tarafder Prapty, Gene Tsudik

TL;DR

TRAIN tackles TOCTOU vulnerabilities in IoT swarm attestation by delivering synchronized network attestation through two variants: TRAIN_A with RTC-based timing and TRAIN_B with a clockless timing mechanism derived from network topology. It fuses RA and NA primitives (RATA, CASU, GAROTA) with hash-chains to maintain minimal per-device overhead while ensuring timely attestation even under multiple compromises. The approach achieves near-synchronous attestations, provides formalizable timing bounds, and demonstrates low hardware and energy overhead on open-source MSP430 and FPGA-based prototypes, with scalability to large networks in simulation. The work offers a practical route to secure, scalable, and resilient network attestation for safety-critical IoT deployments, backed by a public prototype and detailed evaluation.

Abstract

Internet-of-Things (IoT) devices are increasingly common in both consumer and industrial settings, often performing safety-critical functions. Although securing these devices is vital, manufacturers typically neglect security issues or address them as an afterthought. This is of particular importance in IoT networks, e.g., in industrial automation settings. To this end, network attestation -- verifying the software state of all devices in a network -- is a promising mitigation approach. However, current network attestation schemes have certain shortcomings: (1) lengthy TOCTOU (Time-Of-Check-Time-Of-Use) vulnerability windows, (2) high latency and resource overhead, and (3) susceptibility to interference from compromised devices. To address these limitations, we construct TRAIN (TOCTOU-Resilient Attestation for IoT Networks), an efficient technique that minimizes TOCTOU windows, ensures constant-time per-device attestation, and maintains resilience even with multiple compromised devices. We demonstrate TRAIN's viability and evaluate its performance via a fully functional and publicly available prototype.

Paper Structure

This paper contains 31 sections, 16 equations, 8 figures, 6 tables, 4 algorithms.

Figures (8)

  • Figure 1: TOCTOU Window Minimized by $\sf{TRAIN}$
  • Figure 2: $\sf{\mathcal{V}rf}$ State Machine
  • Figure 3: $\sf{\mathcal{P}rv}$ State Machine
  • Figure 4: $\sf{TRAIN}$ Proof-Of-Concept with Three $\sf{\mathcal{P}rv}$-s
  • Figure 5: $\sf{TRAIN_{\rm CASU}}$ Hardware Security Properties
  • ...and 3 more figures