Cumulative attestation kernels for embedded systems

Michael Lemay; Carl A. Gunter

doi:10.1109/TSG.2011.2174811

Cumulative attestation kernels for embedded systems

Research output: Contribution to journal › Article › peer-review

Abstract

To mitigate the threat of malware intrusions on networked embedded systems, it is desirable to provide remote attestation assurances for them. Embedded systems have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. We propose a Cumulative Attestation Kernel (CAK) that addresses these concerns. We demonstrate the value of CAKs for Advanced Metering Infrastructure (AMI) and show how to implement a CAK in less than one quarter of the memory available on low end flash MCUs similar to those used in AMI deployments. Regarding this prototype, we present the first formal proof we are aware of that a system is tolerant to power supply interruptions. We also discuss how to provide cumulative attestation for devices with tighter memory constraints by offloading computation and storage onto a Cumulative Attestation Coprocessor (CAC).

Original language	English (US)
Article number	6204240
Pages (from-to)	744-760
Number of pages	17
Journal	IEEE Transactions on Smart Grid
Volume	3
Issue number	2
DOIs	https://doi.org/10.1109/TSG.2011.2174811
State	Published - 2012

Keywords

Intrusion detection
meter reading
power system security
smart grids

ASJC Scopus subject areas

General Computer Science

Online availability

10.1109/TSG.2011.2174811

Library availability

Discover UIUC Full Text

Cite this

@article{f2cb8226676b448ba2cb44a29bfbeaf8,

title = "Cumulative attestation kernels for embedded systems",

abstract = "To mitigate the threat of malware intrusions on networked embedded systems, it is desirable to provide remote attestation assurances for them. Embedded systems have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. We propose a Cumulative Attestation Kernel (CAK) that addresses these concerns. We demonstrate the value of CAKs for Advanced Metering Infrastructure (AMI) and show how to implement a CAK in less than one quarter of the memory available on low end flash MCUs similar to those used in AMI deployments. Regarding this prototype, we present the first formal proof we are aware of that a system is tolerant to power supply interruptions. We also discuss how to provide cumulative attestation for devices with tighter memory constraints by offloading computation and storage onto a Cumulative Attestation Coprocessor (CAC).",

keywords = "Intrusion detection, meter reading, power system security, smart grids",

author = "Michael Lemay and Gunter, {Carl A.}",

note = "Manuscript received April 20, 2011; revised September 09, 2011; accepted October 17, 2011. Date of current version May 21, 2012. This work was supported in part by DOE DE-OE0000097, NSF CNS 07-16626, NSF CNS 07-16421, NSF CNS 05-24695, ONR N00014-08-1-0248, NSF CNS 05-24516, DHS 2006-CS-001-000001, HHS 90TR0003-01, NSF CNS 09-64392, NSF CNS 09-17218, and grants from the MacArthur Foundation, Boeing Corporation, and Lockheed Martin Corporation. The work of M. LeMay was supported on an NDSEG fellowship from AFOSR for part of this work. Paper no. TSG-00155-2011.",

year = "2012",

doi = "10.1109/TSG.2011.2174811",

language = "English (US)",

volume = "3",

pages = "744--760",

journal = "IEEE Transactions on Smart Grid",

issn = "1949-3053",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "2",

}

TY - JOUR

T1 - Cumulative attestation kernels for embedded systems

AU - Lemay, Michael

AU - Gunter, Carl A.

N1 - Manuscript received April 20, 2011; revised September 09, 2011; accepted October 17, 2011. Date of current version May 21, 2012. This work was supported in part by DOE DE-OE0000097, NSF CNS 07-16626, NSF CNS 07-16421, NSF CNS 05-24695, ONR N00014-08-1-0248, NSF CNS 05-24516, DHS 2006-CS-001-000001, HHS 90TR0003-01, NSF CNS 09-64392, NSF CNS 09-17218, and grants from the MacArthur Foundation, Boeing Corporation, and Lockheed Martin Corporation. The work of M. LeMay was supported on an NDSEG fellowship from AFOSR for part of this work. Paper no. TSG-00155-2011.

PY - 2012

Y1 - 2012

N2 - To mitigate the threat of malware intrusions on networked embedded systems, it is desirable to provide remote attestation assurances for them. Embedded systems have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. We propose a Cumulative Attestation Kernel (CAK) that addresses these concerns. We demonstrate the value of CAKs for Advanced Metering Infrastructure (AMI) and show how to implement a CAK in less than one quarter of the memory available on low end flash MCUs similar to those used in AMI deployments. Regarding this prototype, we present the first formal proof we are aware of that a system is tolerant to power supply interruptions. We also discuss how to provide cumulative attestation for devices with tighter memory constraints by offloading computation and storage onto a Cumulative Attestation Coprocessor (CAC).

AB - To mitigate the threat of malware intrusions on networked embedded systems, it is desirable to provide remote attestation assurances for them. Embedded systems have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. We propose a Cumulative Attestation Kernel (CAK) that addresses these concerns. We demonstrate the value of CAKs for Advanced Metering Infrastructure (AMI) and show how to implement a CAK in less than one quarter of the memory available on low end flash MCUs similar to those used in AMI deployments. Regarding this prototype, we present the first formal proof we are aware of that a system is tolerant to power supply interruptions. We also discuss how to provide cumulative attestation for devices with tighter memory constraints by offloading computation and storage onto a Cumulative Attestation Coprocessor (CAC).

KW - Intrusion detection

KW - meter reading

KW - power system security

KW - smart grids

UR - http://www.scopus.com/inward/record.url?scp=84861881940&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84861881940&partnerID=8YFLogxK

U2 - 10.1109/TSG.2011.2174811

DO - 10.1109/TSG.2011.2174811

M3 - Article

AN - SCOPUS:84861881940

SN - 1949-3053

VL - 3

SP - 744

EP - 760

JO - IEEE Transactions on Smart Grid

JF - IEEE Transactions on Smart Grid

IS - 2

M1 - 6204240

ER -

Cumulative attestation kernels for embedded systems

Abstract

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this