Design and implementation of an attestation protocol for measured dynamic behavior

  • Toqeer Ali
  • Roslan Ismail
  • Shahrulniza Musa
  • Mohammad Nauman
  • Sohail Khan


Security of applications running on remote devices has become an essential need of enterprises. For this purpose, several software-based solutions have been proposed. However, it has been observed that software solutions are vulnerable to several kinds of attacks. Moreover, they cannot protect and monitor all parts of the system. To overcome this problem, researchers have proposed to monitor a target system from isolated hardware and to store the system's sensitive information in its tamper-proof memory locations. To realize such a solution, the Trusted Computing Group (TCG) has proposed the specifications of a co-processor called the Trusted Platform Module, which is widely available in commodity hardware. Integrity Measurement Architecture is one of the well-known static techniques that brings TCG's attestation from the kernel to the application level. However, this method cannot measure the runtime behavior of applications, which is necessary to detect runtime attacks such as buffer overflow and return-oriented programming. In this paper, we have extended the base work, which aims to detect runtime vulnerabilities. The current high-level-based attestation protocol has been extended for dynamic behavior collection and verification, and the dynamic behavior is verified via several machine learning algorithms. Our results justify the use of this approach and show that a high detection rate was achieved for datasets of real-world vulnerabilities in the popular Firefox browser.


Keywords: Trusted computing; TPM; Remote attestation; Remote verification; Dynamic behavior; Machine learning; Deep learning and android



Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Toqeer Ali (1)
  • Roslan Ismail (2)
  • Shahrulniza Musa (2)
  • Mohammad Nauman (3)
  • Sohail Khan (2)

  1. Islamic University of Almadinah Almunawwarah, Madina, Saudi Arabia
  2. University Kuala Lumpur, Kuala Lumpur, Malaysia
  3. Max Planck Institute for Software Systems, Kaiserslautern, Germany
