Abstract
Modern embedded systems are increasingly deployed in various settings to execute critical sensing/actuation tasks. At the lower end of the scale, they are designed with low-cost and energy-efficient microcontroller units (MCUs) that lack the common security features of general-purpose processors. To assess their state in a cost-effective manner, Control Flow Attestation (CFA) methods provide means for a trusted device operator (i.e., the Verifier -- Vrf) to detect attacks that compromise the integrity or runtime behavior of a remotely-deployed MCU (i.e., the Prover -- Prv). This is achieved by a root-of-trust (RoT) in Prv recording an authenticated trace (CFLog) of the exact control flow transfers that occur during a task's execution on Prv. While current CFA techniques succeed at generating authenticated runtime evidence, all prior work shares limitations, assumptions, and oversights that limit CFA's real-world applicability. First, existing CFA cannot guarantee that Vrf receives evidence from a compromised Prv. Consequently, a compromised Prv can ignore requests from Vrf to preclude the observability of malicious behavior and prevent runtime auditing of execution behavior. As CFA mechanisms cannot guarantee communication from a compromised Prv, they assume physical intervention to remediate compromises. However, this can be costly or impossible depending on Prv's deployment. Furthermore, storage and transmission of CFLog-s incur substantial overheads that limit CFA's practical adoption (given the resource-constrained nature of MCUs). Although some existing works apply "one-size-fits-all" optimizations, they are not optimal as they cannot take advantage of expected application-specific behavior. Finally, the vast majority of existing works focus on RoT implementations on Prv to enable the secure generation of authentic runtime evidence. Consequently, Vrf's role is largely overlooked despite its importance.
Existing works do not explore how Vrf can use runtime evidence beyond simple path validity checks, i.e., how Vrf can utilize runtime evidence from CFA to identify root-cause vulnerabilities of control flow attacks and plan remediations. This dissertation presents four contributions to address the aforementioned challenges and achieve practical end-to-end runtime auditing. First, we present two architectures (ACFA and TRACES) to guarantee the delivery of runtime evidence and provide Vrf with the ability to remediate detected compromises. ACFA and TRACES target low-end MCUs and achieve their security guarantees via (1) a custom hardware design and (2) trusted execution environment (TEE) hardware support, respectively. Next, we present SpecCFA, an architectural extension to CFA that allows Vrf to dynamically speculate on control flow sub-paths in MCU software. SpecCFA allows Vrf to optimize CFLog at runtime by replacing high-likelihood sub-paths with reserved symbols. As a result, Vrf can optimize CFLog-s generated based on application-specific behavior without loss of information. Finally, we study Vrf's point of view to determine the most effective type of runtime evidence to identify and remediate software vulnerabilities. Then, we present SABRE, a software architecture that leverages runtime evidence to detect control flow attacks, pinpoint exploit sources/targets, and automatically generate binary patches based on the detected root-cause memory vulnerability.
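As an added illustration (not code from the dissertation or any of the systems it describes), the following Python sketch models the CFA flow the abstract outlines: Prv's RoT authenticates a CFLog of control flow transfers, Vrf checks authenticity and path validity against a known control flow graph, and a SpecCFA-style substitution replaces a speculated sub-path with a reserved symbol that Vrf can expand back losslessly. The addresses, the control flow graph, the shared key, the reserved symbol, and the use of an HMAC as the authentication primitive are all constructed assumptions for the demo.

```python
import hmac
import hashlib

# Constructed control flow graph: the allowed (src, dst) transfers of a toy task.
CFG = {(0x100, 0x200), (0x200, 0x300), (0x300, 0x200), (0x200, 0x400), (0x400, 0x500)}
# Assumed symmetric key provisioned out of band to Prv's RoT and to Vrf.
KEY = b"constructed-demo-key"
# Assumed reserved symbol for the expected loop body 0x200->0x300->0x200.
SPEC = {0xFFFF: [(0x200, 0x300), (0x300, 0x200)]}

def encode(log):
    """Serialize a CFLog as fixed-width big-endian (src, dst) pairs."""
    return b"".join(s.to_bytes(4, "big") + d.to_bytes(4, "big") for s, d in log)

def prv_report(cflog):
    """RoT-side: return the recorded CFLog with a MAC over its encoding."""
    return cflog, hmac.new(KEY, encode(cflog), hashlib.sha256).digest()

def vrf_check(cflog, tag):
    """Vrf-side: reject evidence that is not authentic or takes an edge outside the CFG."""
    expected = hmac.new(KEY, encode(cflog), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "unauthentic"
    bad = [e for e in cflog if e not in CFG]
    return "ok" if not bad else f"invalid transfer {bad[0][0]:#x}->{bad[0][1]:#x}"

def speculate(cflog):
    """Replace each occurrence of a speculated sub-path with its reserved symbol."""
    out, i = [], 0
    while i < len(cflog):
        for sym, path in SPEC.items():
            if cflog[i:i + len(path)] == path:
                out.append(sym)
                i += len(path)
                break
        else:
            out.append(cflog[i])
            i += 1
    return out

def expand(compact):
    """Vrf restores the full CFLog from the compacted form, so no information is lost."""
    return [e for x in compact for e in (SPEC[x] if isinstance(x, int) else [x])]
```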
Publication Date
1-2025
Document Type
Dissertation
Student Type
Graduate
Degree Name
Computing and Information Sciences (Ph.D.)
Department, Program, or Center
Computing and Information Sciences Ph.D, Department of
College
Golisano College of Computing and Information Sciences
Advisor
Ivan De Oliveira Nunes
Advisor/Committee Member
Billy Brumley
Advisor/Committee Member
Michael Zuzak
Recommended Citation
Caulfield, Adam Ilyas, "Towards Secure Runtime Auditing of Remote Embedded System Software" (2025). Thesis. Rochester Institute of Technology. Accessed from
https://repository.rit.edu/theses/12008
Campus
RIT – Main Campus