Abstract

Modern embedded systems are increasingly deployed in various settings to execute critical sensing/actuation tasks. At the lower end of the scale, they are designed with low-cost and energy-efficient microcontroller units (MCUs) that lack the common security features of general-purpose processors. To assess their state in a cost-effective manner, Control Flow Attestation (CFA) methods provide means for a trusted device operator (i.e., the Verifier -- Vrf) to detect attacks that compromise the integrity or runtime behavior of a remotely-deployed MCU (i.e., the Prover -- Prv). This is achieved by a root-of-trust (RoT) in Prv recording an authenticated trace (CFLog) of the exact control flow transfers that occur during a task's execution on Prv. While current CFA techniques succeed at generating authenticated runtime evidence, all prior work share limitations, assumptions, and oversights that limit CFA's real-world applicability. First, existing CFA cannot guarantee that Vrf receives evidence from a compromised Prv. Consequently, a compromised Prv can ignore requests from Vrf to preclude the observability of malicious behavior and prevent runtime auditing of execution behavior. As CFA mechanisms cannot guarantee communication from a compromised Prv, they assume physical intervention to remediate compromises. However, this can be costly or impossible depending on Prv's deployment. Furthermore, storage and transmission of CFLog-s incur substantial overheads that limit CFA's practical adoption (given the resource-constrained nature of MCUs). Although some existing works apply ``one-size-fits-all'' optimizations, they are not optimal as they cannot take advantage of expected application-specific behavior. Finally, the vast majority of existing works focus on RoT implementations on Prv to enable the secure generation of authentic runtime evidence. Consequently, Vrf's role is largely overlooked despite its crucial role. Existing works do not explore how Vrf can use runtime evidence beyond simple path validity checks, i.e., how Vrf can utilize runtime evidence from CFA to identify root-cause vulnerabilities of control flow attacks and plan remediations. This dissertation presents four contributions to address the aforementioned challenges and achieve practical end-to-end runtime auditing. First, we present two architectures (ACFA and TRACES) to guarantee the delivery of runtime evidence and provide Vrf with the ability to remediate detected compromises. ACFA and TRACES target low-end MCUs and achieve their security guarantees via (1) a custom hardware design and (2) leveraging trusted execution environment (TEE) hardware support, respectively. Next, we present SpecCFA, an architectural extension to CFA that allows Vrf to dynamically speculate on control flow sub-paths in MCU software. SpecCFA allows Vrf to optimize CFLog at runtime by replacing high-likelihood sub-paths with reserved symbols. As a result, Vrf can optimize CFLog-s generated based on application-specific behavior without loss of information. Finally, we study Vrf's point of view to determine the most effective type of runtime evidence to identify and remediate software vulnerabilities. Then, we present SABRE, a software architecture that leverages runtime evidence to detect control flow attacks, pinpoint exploit sources/targets, and automatically generate binary patches based on the detected root-cause memory vulnerability.

Publication Date

1-2025

Document Type

Dissertation

Student Type

Graduate

Degree Name

Computing and Information Sciences (Ph.D.)

Department, Program, or Center

Computing and Information Sciences Ph.D, Department of

College

Golisano College of Computing and Information Sciences

Advisor

Ivan De Oliveira Nunes

Advisor/Committee Member

Billy Brumley

Advisor/Committee Member

Michael Zuzak

Campus

RIT – Main Campus

Share

COinS