Skip to main content
Log in

Formally verified bundling and appraisal of evidence for layered attestations

  • S.I. : Selected Extended Papers of NFM 2021
  • Published:
Innovations in Systems and Software Engineering Aims and scope Submit manuscript

Abstract

Remote attestation is a technology for establishing trust in a remote computing system. Copland is a domain-specific language for specifying attestation protocols that operate in diverse, layered measurement topologies. In this work, we formally define and verify the Copland Virtual Machine for executing Copland protocols alongside a dual generalized appraisal procedure. Together these components provide a principled pipeline to execute and bundle arbitrary Copland-based attestations, then unbundle and evaluate the resulting evidence for measurement content and cryptographic integrity. All artifacts are implemented as monadic, functional programs in the Coq proof assistant and verified with respect to the Copland reference semantics. Finally, we leverage formal properties of component implementations and their surrounding security architecture to aid in the design and analysis of attestation scenarios in the context of an active adversary attempting to subvert attestation. These components lay the foundation for a verified end-to-end attestation stack.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Similar content being viewed by others

Explore related subjects

Discover the latest articles, news and stories from top researchers in related subjects.

References

  1. Aydemir B, Charguéraud A, Pierce BC, Pollack R, Weirich S (2008) Engineering formal metatheory. In: Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages. POPL ’08, ACM, New York, NY, USA, pp 3–15. http://doi.acm.org/10.1145/1328438.1328443

  2. Berger S, Caceres R, Goldman K, Perez R, Sailer R, van Doorn L (2006) vTPM: Virtualizing the Trusted Platform Module, http://www.kiskeya.net/ramon/work/pubs/security06.pdf, iBM T. J. Watson Research Center, Hawthorne, NY 10532 USA

  3. Brasser F, El Mahjoub B, Sadeghi AR, Wachsmann C, Koeberl P (2015) Tytan: Tiny trust anchor for tiny devices. In: Proceedings of the 52nd annual design automation conference. DAC ’15, Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/2744769.2744922

  4. Carpent X, Rattanavipanon N, Tsudik G (2017) ERASMUS: efficient remote attestation via self- measurement for unattended settings. CoRR arXiv:1707.09043

  5. Challener D, Yoder K, Catherman R (2008) A practical guide to trusted computing. IBM Press, Indianapolis

    Google Scholar 

  6. Clemens J, Pal R, Sherrell B (2018) Runtime state verification on resource-constrained platforms. In: MILCOM 2018—2018 IEEE Military Communications Conference (MILCOM). pp 1–6

  7. Coker G, Guttman J, Loscocco P, Herzog A, Millen J, O’Hanlon B, Ramsdell J, Segall A, Sheehy J, Sniffen B (2011) Principles of remote attestation. Int J Inf Secur 10(2):63–81

  8. Coker GS, Guttman JD, Loscocco PA, Sheehy J, Sniffen BT (2008) Attestation: Evidence and trust. In: Proceedings of the international conference on information and communications security. vol LNCS 5308

  9. Datta A, Franklin J, Garg D, Kaynar D (2009) A logic of secure systems and its application to trusted computing. In: Security and privacy, 2009 30th IEEE Symposium on. IEEE, pp 221–236

  10. Davi L, Sadeghi AR, Winandy M (2009) Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In: Proceedings of the 2009 ACM workshop on scalable trusted computing. STC ’09, Association for Computing Machinery, New York, NY, USA, pp 49-54. https://doi.org/10.1145/1655108.1655117,

  11. Eldefrawy K, Rattanavipanon N, Tsudik G (2017) Hydra: Hybrid design for remote attestation (using a formally verified microkernel). In: Proceedings of the 10th ACM conference on security and privacy in wireless and mobile networks. WiSec ’17, Association for Computing Machinery, New York, NY, USA, pp 99–110. https://doi.org/10.1145/3098243.3098261,

  12. Francillon A, Nguyen Q, Rasmussen KB, Tsudik G (2014) A minimalist approach to remote attestation. In: 2014 Design, Automation Test in Europe Conference Exhibition (DATE). pp 1–6

  13. Garfinkel T, Rosenblum M (2003) A virtual machine introspection based architecture for intrusion detection. In: NDSS

  14. Gevargizian J, Kulkarni P (2018) Msrr: Measurement framework for remote attestation. In: 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/ CyberSciTech). pp 748–753. Dependable, Autonomic and Secure Computing (DASC ’18)

  15. Gill A (2014) Domain-specific languages and code synthesis using Haskell. Commun. ACM 57(6):42–49. https://doi.org/10.1145/2605205, also appeared in ACM Queue, Vol 12(4), April 2014

  16. Gopalan A, Gowadia V, Scalavino E, Lupu E (2012) Policy driven remote attestation. In: Prasad R, Farkas K, Schmidt AU, Lioy A, Russello G, Luccio FL (eds) Security and privacy in mobile information and communication systems. Springer, Berlin Heidelberg, Berlin, Heidelberg, pp 148–159

    Chapter  Google Scholar 

  17. Haldar V, Chandra D, Franz M (2004) Semantic remote attestation – a virtual machine directed approach to trusted computing. In: Proceedings of the third virtual machine research and technology symposium. San Jose, CA

  18. Halling B, Alexander P (2013) Verifying a Privacy CA Remote Attestation Protocol. In: Proceedings of the NASA formal methods conference. Lecture Notes in Computer Science, vol 7871

  19. Helble S, Kretz I, Loscocco P, Ramsdell J, Rowe P, Alexander P (2021) Flexible mechanisms for remote attestation. ACM Trans Priv Secur 24:1–23

    Article  Google Scholar 

  20. Ho S, Abrahamsson O, Kumar R, Myreen MO, Tan YK, Norrish M (2018) Proof-producing synthesis of cakeml with I/O and local state from monadic HOL functions. In: Galmiche D, Schulz S, Sebastiani R (eds) Automated Reasoning–9th International Joint Conference (IJCAR). Lecture Notes in Computer Science, vol 10900. Springer, pp 646–662. https://doi.org/10.1007/978-3-319-94205-6_42, https://cakeml.org/ijcar18.pdf

  21. Jaeger T, Sailer R, Shankar U (2006) Prima: Policy-reduced integrity measurement architecture. In: Proceedings of the eleventh ACM symposium on access control models and technologies. SACMAT ’06, Association for Computing Machinery, New York, NY, USA, pp 19–28. https://doi.org/10.1145/1133058.1133063

  22. Jurgensen G, Petz A, Alexander P, Barclay T, Komp E, Neises M, Cousino A (2021) A copland attestation manager (am) in cakeml. https://github.com/ku-sldg/am-cakeml

  23. Kil C, Sezer EC, Azab AM, Ning P, Zhang X (2009) Remote attestation to dynamic system properties: Towards providing complete system integrity evidence. In: 2009 IEEE/IFIP international conference on dependable systems networks. pp 115–124 . https://doi.org/10.1109/DSN.2009.5270348

  24. Klein G, Andronick J, Elphinstone K, Heiser G, Cock D, Derrin P, Elkaduwe D, Engelhardt K, Kolanski R, Norrish M, Sewell T, Tuch H, Winwood S (2010) sel4: formal verification of an operating-system kernel. Communun ACM 53(6):107–115. https://doi.org/10.1145/1743546.1743574

    Article  Google Scholar 

  25. Klein G, Elphinstone K, Heiser G, Andronick J, Cock D, Derrin P, Elkaduwe D, Engelhardt K, Kolanski R, Norrish M, Sewell T, Tuch H, Winwood S (2009) sel4: formal verification of an os kernel. In: SOSP ’09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. ACM, New York, NY, USA, pp 207–220. https://doi.org/10.1145/1629575.1629596

  26. Koeberl P, Schulz S, Sadeghi AR, Varadharajan V (2014) Trustlite: a security architecture for tiny embedded devices. In: Proceedings of the Ninth European Conference on Computer Systems. EuroSys ’14, Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/2592798.2592824

  27. Kumar R, Myreen MO, Norrish M, Owens S (2014) Cakeml: a verified implementation of ml. In: Proceedings of the 41st ACM SIGPLAN-SIGACT symposium on principles of programming languages. POPL ’14, ACM, New York, NY, USA, pp 179–191. https://doi.org/10.1145/2535838.2535841,

  28. Lauer H, Salehi SA, Rudolph C, Nepal S (2018) User-centered attestation for layered and decentralised systems. Workshop on Decentralized IoT Security and Standards (DISS) 2018

  29. Loscocco PA, Smalley SD, Muckelbauer PA, Taylor RC, Turner SJ, Farrell JF (1998) The inevitability of failure: The flawed assumption of security in modern computing environments. In: In Proceedings of the 21st national information systems security conference. pp 303–314

  30. Loscocco PA, Wilson PW, Pendergrass JA, McDonell CD (2007) Linux kernel integrity measurement using contextual inspection. In: Proceedings of the 2007 ACM workshop on Scalable trusted computing. STC ’07, ACM, New York, NY, USA, pp 21–29. https://doi.org/10.1145/1314354.1314362

  31. Maliszewski R, Sun N, Wang S, Wei J, Qiaowei R Trusted boot (tboot). http://sourceforge.net/p/tboot/wiki/Home/

  32. Marlow S, et al (2010) Haskell 2010 language report. Available online http://www.haskell.org/(May 2011)

  33. Nunes IDO, Eldefrawy K, Rattanavipanon N, Steiner M, Tsudik G (2019) Vrased: A verified hardware/software co-design for remote attestation. In: Proceedings of the 28th USENIX Conference on Security Symposium. SEC’19, USENIX Association, USA, pp 1429–1446

  34. Pendergrass JA, Helble S, Clemens J, Loscocco P (2018) A platform service for remote integrity measurement and attestation. In: MILCOM 2018–2018 IEEE military communications conference (MILCOM). pp 1–6 https://doi.org/10.1109/MILCOM.2018.8599735

  35. Pendergrass JA, Hull N, Clemens J, Helble SC, Thober M, McGill K, Gregory M, Loscocco P (2019) Runtime detection of userspace implants. In: MILCOM 2019–2019 IEEE military communications conference (MILCOM). pp 1–6 , https://doi.org/10.1109/MILCOM47813.2019.9020783

  36. Petroni NL, Hicks M (2007) Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th acm conference on computer and communications security. CCS ’07, Association for Computing Machinery, New York, NY, USA, pp 103–115. https://doi.org/10.1145/1315245.1315260,

  37. Petroni Jr N, Fraser T, Walters A, Arbaugh W (2006) An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proceedings of the 15th USENIX security symposium. pp 289–304

  38. Petz A, Alexander P (2019) A copland attestation manager. In: Hot topics in science of security (HoTSoS’19). Nashville, TN

  39. Petz A (2020) copland-avm, nfm21 release. https://github.com/ku-sldg/copland-avm/releases/tag/v1.0

  40. Petz A, Jurgensen G, Alexander P (2021) Design and formal verification of a copland-based attestation protocol. In: ACM-IEEE international conference on formal methods and models for system design (MEMOCODE’21)

  41. Petz A, Komp E (2020) haskell-am. https://github.com/ku-sldg/haskell-am

  42. PLSE U (2016) Verdi. https://github.com/uwplse/verdi

  43. Ramsdell J, Rowe PD, Alexander P, Helble S, Loscocco P, Pendergrass JA, Petz A (2019) Orchestrating layered attestations. In: Principles of Security and Trust (POST’19). Prague, Czech Republic

  44. Ramsdell JD (2020) Chase: a model finder for finitary geometric logic. https://github.com/ramsdell/chase

  45. Rowe PD (2016) Confining adversary actions via measurement. Third international workshop on graphical models for security, pp 150–166

  46. Rowe P, Ramsdell J, Kretz I (2021) Automated trust analysis of copland specifications for layered attestations. In: Principles and practice of declarative programming (PPDP 21)

  47. Rowe PD (2016) Bundling evidence for layered attestation. In: Trust and trustworthy computing. Springer International Publishing, Cham, pp 119–139

  48. Sailer R, Zhang X, Jaeger T, van Doorn L (2004) Design and implementation of a tcg-based integrity measurement architecture. In: Proceedings of the 13th USENIX Security Symposium. USENIX Association, Berkeley, CA

  49. Shi E, Perrig A, Van Doorn L (2005) Bind: a fine-grained attestation service for secure distributed systems. In: Security and Privacy, 2005 IEEE Symposium on. IEEE, pp 154–168

  50. Tan H, Tsudik G, Jha S (2017) Mtra: Multiple-tier remote attestation in iot networks. In: 2017 IEEE conference on communications and network security (CNS). pp 1–9 . https://doi.org/10.1109/CNS.2017.8228638

  51. The Coq Development Team: Coq, https://coq.inria.fr

  52. Wedaj S, Paul K, Ribeiro VJ (2019) Dads: decentralized attestation for device swarms. ACM Trans Priv Secur 22(3):19:1-19:29. https://doi.org/10.1145/3325822

    Article  Google Scholar 

  53. Wei J, Pu C, Rozas CV, Rajan A, Zhu F (2010) Modeling the runtime integrity of cloud servers: a scoped invariant perspective. In: 2010 IEEE second international conference on cloud computing technology and science. pp 651–658. https://doi.org/10.1109/CloudCom.2010.29

  54. Wilcox JR, Woos D, Panchekha P, Tatlock Z, Wang X, Ernst MD, Anderson T (2015) Verdi: A framework for implementing and formally verifying distributed systems. In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation. PLDI ’15, Association for Computing Machinery, New York, NY, USA, pp 357–368. https://doi.org/10.1145/2737924.2737958

  55. Woos D, Wilcox JR, Simmons K, Palmskog K, Doenges R (2020) Structtact coq library. https://github.com/uwplse/StructTact

  56. Xu W, Ahn GJ, Hu H, Zhang X, Seifert JP (2010) Dr@ft: Efficient remote attestation framework for dynamic systems. In: Gritzalis D, Preneel B, Theoharidou M (eds) Computer Security - ESORICS 2010. Springer, Berlin Heidelberg, Berlin, Heidelberg, pp 182–198

    Chapter  Google Scholar 

Download references

Acknowledgements

This work is an extended version of the paper entitled “An Infrastructure for Faithful Execution of Remote Attestation Protocols” published in May 2021 at the NASA Formal Methods Symposium (NFM ’21). This work is funded by the NSA Science of Security initiative contract #H98230-18-D-0009 and Defense Advanced Research Project Agency contract #HR0011-18-9-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Government.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Adam Petz.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Petz, A., Alexander, P. Formally verified bundling and appraisal of evidence for layered attestations. Innovations Syst Softw Eng 19, 411–426 (2023). https://doi.org/10.1007/s11334-022-00475-1

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11334-022-00475-1

Keywords

Navigation