Abstract
For many years, trusted computing research has focused on the trustworthiness of single computer platforms. For example, how can I decide whether I can trust my personal computer (A) or another computer (B), which communicates with A? In reality, both A and B are part of a computing network, in which there are many other computers, and these computers’ behaviour affects the trustworthiness of any communication between A and B. Obviously, the target of trusted computing is not only to build trusted devices but also trusted networks. Attestation is a mechanism initially designed to ascertain the trustworthiness of a single device. To check on the trustworthiness of a network, we need a network attestation mechanism. The basis of attestation is a root of trust, and research on building roots of trust for individual devices has been successful. One of the next challenges, and the most important one, is to create a root of trust for network attestation. In this paper, we introduce our research on designing such a root of trust. This uses devices’ individual roots of trust and a decentralised ledger together with the techniques of “zero trust but verify”, which means that, to start with, no entity in the system is trusted until its functionality can be verified. Based on the verification results, the entities can establish trust. We aim to use such a root of trust to aggregate the attestation evidence and verification results from multiple devices in a network and to achieve trust in the network.
References
1. TrustZone for Cortex-M. https://www.arm.com/technologies/trustzone-for-cortex-m. Accessed June 2023
2. Substrate Blockchain. https://github.com/paritytech/substrate. Accessed Nov 2022
3. Ambrosin, M., Conti, M., Ibrahim, A., Neven, G., Sadeghi, A.R., Schunter, M.: SANA: secure and scalable aggregate network attestation. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 731–742 (2016)
4. Ankergård, S.F.J.J., Dushku, E., Dragoni, N.: PERMANENT: publicly verifiable remote attestation for internet of things through blockchain. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds.) FPS 2021. LNCS, vol. 13291, pp. 218–234. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-08147-7_15
5. Asokan, N., et al.: SEDA: scalable embedded device attestation. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 964–975 (2015)
6. Benet, J.: IPFS-content addressed, versioned, P2P file system. arXiv preprint arXiv:1407.3561 (2014)
7. Carpent, X., Rattanavipanon, N., Tsudik, G.: Remote attestation via self-measurement. ACM Trans. Des. Autom. Electron. Syst. (TODAES) 24(1), 1–15 (2018)
8. Chakraborty, D., Hanzlik, L., Bugiel, S.: simTPM: user-centric TPM for mobile devices. In: Proceedings of the 28th USENIX Security Symposium (2019)
9. Christidis, K., Devetsikiotis, M.: Blockchains and smart contracts for the internet of things. IEEE Access 4, 2292–2303 (2016)
10. Conti, M., Dushku, E., Mancini, L.V.: Distributed services attestation in IoT. In: Samarati, P., Ray, I., Ray, I. (eds.) From Database to Cyber Security. LNCS, vol. 11170, pp. 261–273. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04834-1_14
11. Dushku, E., Rabbani, M.M., Conti, M., Mancini, L.V., Ranise, S.: SARA: secure asynchronous remote attestation for IoT systems. IEEE Trans. Inf. Forensics Secur. 15, 3123–3136 (2020)
12. Eldefrawy, K., Tsudik, G., Francillon, A., Perito, D.: Smart: secure and minimal architecture for (establishing dynamic) root of trust. In: NDSS, vol. 12, pp. 1–15 (2012)
13. GlobalPlatform Technology Root of Trust Definitions and Requirements Version 1.1.1 (2022). https://globalplatform.org/specs-library/root-of-trust-definitions-and-requirements-v1-1-gp-req_025/
14. Hristozov, S., Heyszl, J., Wagner, S., Sigl, G.: Practical runtime attestation for tiny IoT devices. In: NDSS Workshop on Decentralized IoT Security and Standards (DISS), vol. 18 (2018)
15. Ibrahim, A., Sadeghi, A.R., Tsudik, G.: US-AID: unattended scalable attestation of IoT devices. In: IEEE 37th Symposium on Reliable Distributed Systems (SRDS), pp. 21–30. IEEE (2018)
16. Jenkins, I.R., Smith, S.W.: Distributed IoT attestation via blockchain. In: 20th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID), pp. 798–801. IEEE (2020)
17. Jesus, V.: Blockchain-enhanced roots-of-trust. In: International Conference on Smart Communications and Networking (SmartNets), pp. 1–7. IEEE (2018)
18. Kouzinopoulos, C.S., et al.: Using blockchains to strengthen the security of internet of things. In: Gelenbe, E., et al. (eds.) Euro-CYBERSEC 2018. CCIS, vol. 821, pp. 90–100. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95189-8_9
19. Kuang, B., Fu, A., Susilo, W., Yu, S., Gao, Y.: A survey of remote attestation in internet of things: attacks, countermeasures, and prospects. Comput. Secur. 112, 102498 (2022)
20. Moreau, L., Conchon, E., Sauveron, D.: Craft: a continuous remote attestation framework for IoT. IEEE Access 9, 46430–46447 (2021)
21. Park, J., Kim, K.: TM-Coin: trustworthy management of TCB measurements in IoT. In: IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pp. 654–659. IEEE (2017)
22. Parthipan, L., et al.: A survey of technologies for building trusted networks. In: IEEE Globecom Workshops (GC Wkshps), pp. 1–6. IEEE (2021)
23. Sfyrakis, I., Gross, T.: A survey on hardware approaches for remote attestation in network infrastructures. arXiv preprint arXiv:2005.12453 (2020)
24. Steiner, R.V., Lupu, E.: Attestation in wireless sensor networks: a survey. ACM Comput. Surv. (CSUR) 49(3), 1–31 (2016)
25. Trusted Platform Module (2008). https://trustedcomputinggroup.org/
26. DICE attestation architecture (2021). https://trustedcomputinggroup.org/
A Implementation Overview
The component TL-setup is realised with three parts: a CAS gateway (an IPFS [6] node) that connects the Device Attesters (IRoTs) and Verifiers to an IPFS cluster; a DL gateway, which is a Substrate [2] blockchain node connected to the device networks; and a Contract manager that manages contracts with the DL and provides contract addresses and contract interface descriptions to the device attester and verifier. The runtime layout is illustrated in Fig. 5.
Components TL-aggregate and TL-get are realised with a Substrate smart contract named att_root, compiled to WebAssembly (WASM). In the prototype, the contract exposes interfaces to write the attestation evidence and claims, and to read them. The contract stores only the CID of the data in the DL, along with the hostid of the device attester and the nonce value for that particular attestation. The attestation data is stored in the CAS, addressable by the CID. The hostid and nonce on the DL confirm the integrity of the data on the untrusted CAS.
Each IRoT is realised by a Device Attester container. The execution directories within the Device Attester container image are treated as the device’s Trusted Computing Base (TCB), and the Root of Trust for Measurement (RTM) is initialised by measuring the contents of the execution directories, storing the hashes in an event log and storing the final hash value in the TPM by extending a PCR. This event log and the TPM quote of the respective PCRs then make up the attestation evidence, which is verified by the verifier. The Device Attester uses a software TPM2 and the TPM Access Broker and Resource Manager. This software is built as part of the TPM2 toolbox simulator. In addition, the Device Attester uses two Python utilities, tpm-talk and dl-talk, to interact with the TPM and the DL respectively.
A Verifier is realised by a Verifier container in the implementation. The verifier is a kind of IRoT with the added functionality of being able to verify attestation evidence. Thus, it contains the same software TPM stack as the device attester. The verifier implements V-retrieve and V-dispatch with dl-talk to retrieve attestation evidence from the TL and return the result to it. It implements V-verify with tpm-talk to perform verification of the attestation quote.
Figure 6 describes interactions between the components in the prototype system during a typical execution.
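The following sketch is an added example, not code from the prototype; it illustrates the data flow described above: measuring the TCB into an event log and a PCR, anchoring the evidence on the ledger by CID, hostid and nonce, and replaying the log on the verifier. It assumes a plain SHA-256 digest in place of an IPFS CID, Python dicts and lists in place of the CAS and DL, evidence that embeds its own hostid and nonce, and a PCR value whose TPM quote signature has already been checked; all function names and sample paths are hypothetical.

```python
import hashlib
import json

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM-style extend: PCR_new = SHA-256(PCR_old || digest)
    return sha256(pcr + digest)

def measure(files: dict):
    """Attester: hash each TCB file, append to the event log, extend the PCR."""
    pcr, eventlog = bytes(32), []
    for path in sorted(files):
        digest = sha256(files[path])
        eventlog.append({"path": path, "sha256": digest.hex()})
        pcr = extend(pcr, digest)
    return eventlog, pcr

def publish(cas: dict, ledger: list, hostid: str, nonce: str, eventlog, pcr):
    """Put evidence in the CAS; the ledger keeps only (cid, hostid, nonce)."""
    blob = json.dumps({"hostid": hostid, "nonce": nonce, "pcr": pcr.hex(),
                       "eventlog": eventlog}, sort_keys=True).encode()
    cid = sha256(blob).hex()  # assumption: plain digest standing in for an IPFS CID
    cas[cid] = blob
    ledger.append({"cid": cid, "hostid": hostid, "nonce": nonce})
    return cid

def verify(cas: dict, record: dict, expected_nonce: str, reference: dict) -> str:
    """Verifier: check CAS data against the ledger, then replay the event log."""
    blob = cas.get(record["cid"], b"")
    if sha256(blob).hex() != record["cid"]:
        return "cas-data-mismatch"           # untrusted CAS returned other bytes
    ev = json.loads(blob)
    if (ev["hostid"], ev["nonce"]) != (record["hostid"], record["nonce"]) \
            or ev["nonce"] != expected_nonce:
        return "stale-or-misbound"           # replayed or re-attributed evidence
    pcr = bytes(32)
    for entry in ev["eventlog"]:
        pcr = extend(pcr, bytes.fromhex(entry["sha256"]))
    if pcr.hex() != ev["pcr"]:               # ev["pcr"] stands for the quoted PCR
        return "eventlog-does-not-match-pcr"
    logged = {e["path"]: e["sha256"] for e in ev["eventlog"]}
    bad = sorted(p for p in set(logged) | set(reference)
                 if logged.get(p) != reference.get(p))
    return "untrusted:" + ",".join(bad) if bad else "trusted"

# Constructed sample TCB contents (not from the paper's prototype).
TCB = {"/attester/bin/tpm-talk": b"tpm-talk v1", "/attester/bin/dl-talk": b"dl-talk v1"}
REFERENCE = {p: sha256(c).hex() for p, c in TCB.items()}
```

The ledger entry is what lets the verifier reject altered CAS content, while the replayed PCR is what ties the event log to the value the TPM reported.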
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Parthipan, L., Chen, L., Newton, C.J.P., Li, Y., Liu, F., Wang, D. (2023). DRoT: A Decentralised Root of Trust for Trusted Networks. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_40
DOI: https://doi.org/10.1007/978-981-99-7356-9_40
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7355-2
Online ISBN: 978-981-99-7356-9
eBook Packages: Computer Science (R0)