SEDAT: Security Enhanced Device Attestation with TPM2.0

Avani Dave, Monty Wiseman, David Safford
DOI: https://doi.org/10.48550/arXiv.2101.06362
2021-01-16
Abstract: Remote attestation is one of the ways to verify the state of an untrusted device. Earlier research has attempted remote verification of a device's state using hardware, software, or hybrid approaches. The majority of them have used the Attestation Key as a hardware root of trust, which does not detect hardware modification or counterfeit issues. In addition, they do not have a secure communication channel between verifier and prover, which makes them susceptible to modern security attacks. This paper presents SEDAT, a novel methodology for remote attestation of the device via a security enhanced communication channel. SEDAT performs hardware, firmware, and software attestation. SEDAT enhances the communication protocol security between verifier and prover by using the Single Packet Authorization (SPA) technique, which provides replay and Denial of Service (DoS) protection. SEDAT provides a way for the verifier to get on-demand device integrity and authenticity status via a secure channel. It also enables the verifier to detect counterfeit hardware and changes in firmware and software code on the device. SEDAT validates the manufacturer's root CA certificate, platform certificate, endorsement certificate (EK), and attribute certificates to perform platform hardware attestation. SEDAT is the first known tool that represents firmware and Integrity Measurement Authority (IMA) event logs in the Canonical Event Logs (CEL) format (recommended by the Trusted Computing Group). SEDAT is the first implementation, to the best of our knowledge, that showcases end to end hardware, firmware, and software remote attestation using a Trusted Platform Module (TPM2.0) which is resilient to DoS and replay attacks. SEDAT is the first remote verifier that is capable of retrieving a TPM2.0 quote from the prover and validating it after regeneration, using a software TPM2.0 quote check.
Cryptography and Security, Computers and Society
What problem does this paper attempt to address?
The problem that this paper attempts to solve is that in remote device verification, most existing methods use hardware, software or hybrid approaches to verify the device state, but these methods have some limitations:

1. **Limitations of the Hardware Root of Trust**: Most existing methods use the Attestation Key (AK) as the hardware root of trust, which cannot detect hardware modification or counterfeiting.
2. **Insufficient Communication Security**: Existing methods lack a secure communication channel between the verifier and the prover, making them vulnerable to modern security attacks such as replay attacks and Denial-of-Service (DoS) attacks.
3. **Incomplete Integrity Verification**: Existing methods can usually only partially verify the hardware, firmware or software state of the device, and cannot verify all three aspects simultaneously.

To overcome these limitations, the paper proposes SEDAT (Security Enhanced Device Attestation with TPM2.0), a new method for remote device verification over an enhanced secure communication channel. The main goals and contributions of SEDAT include:

- **Comprehensive Verification of Hardware, Firmware and Software**: SEDAT can simultaneously verify the hardware, firmware and software state of the device, ensuring the integrity and authenticity of the device.
- **Enhanced Security of the Communication Protocol**: SEDAT provides protection against replay attacks and DoS attacks by using the Single Packet Authorization (SPA) technique, enhancing the security of the communication protocol.
- **Support for Canonical Event Logs (CEL)**: SEDAT is the first tool to convert firmware and IMA event logs into the CEL format, in line with the standards recommended by the Trusted Computing Group (TCG).
- **End-to-End Remote Verification**: SEDAT is the first tool to use TPM2.0 to achieve end-to-end remote verification of hardware, firmware and software, with the ability to resist replay and DoS attacks.
- **Open-Source Code**: All source code, tools and kernel patches are open-sourced under the BSD 2-Clause License.

Through these improvements, SEDAT aims to provide a more secure and comprehensive remote device verification solution, suitable for application scenarios such as supply chain verification, inventory management and industrial control systems.
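The abstract's two verifier-side claims worth seeing in code are quote validation "after regeneration" (the verifier replays the event log to regenerate PCR values and compares them with what the TPM quoted) and replay resistance (a fresh verifier nonce must be bound into the quote). The block below is an added illustration written for this page; it is not SEDAT's code and does not use the paper's SPA channel or CEL parser. It assumes a simplified quote structure (`nonce`, `selection`, `pcr_digest`) and a constructed event log of `(pcr_index, measurement_digest)` pairs; verification of the Attestation Key signature over the quote, which a real verifier does first, is out of scope here and noted in the comments.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Added example (not from the SEDAT paper). Models the verifier-side check
# described in the abstract: regenerate PCRs from the measurement log, compare
# with the quoted PCR digest, and require the verifier's nonce for freshness.

PCR_INIT = bytes(32)  # SHA-256 bank PCRs are all-zero after TPM reset

Event = Tuple[int, bytes]  # (pcr_index, 32-byte measurement digest)


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM2 extend rule for the SHA-256 bank: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(current + measurement).digest()


def replay_event_log(events: List[Event]) -> Dict[int, bytes]:
    """Regenerate the final PCR values by replaying every log entry in order."""
    pcrs: Dict[int, bytes] = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


def pcr_composite(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """A TPM2 quote's pcrDigest is a hash over the selected PCR values concatenated in order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


def make_quote(events: List[Event], selection: List[int], nonce: bytes) -> dict:
    """Prover stand-in (constructed): what a TPM would report for this boot.
    A real quote is signed by the Attestation Key; the signature check is omitted here."""
    return {
        "nonce": nonce,
        "selection": list(selection),
        "pcr_digest": pcr_composite(replay_event_log(events), selection),
    }


def verify_quote(quote: dict, events: List[Event], expected_nonce: bytes,
                 golden: Dict[int, bytes]) -> Tuple[bool, str]:
    """Verifier-side checks. Returns (ok, reason)."""
    # 1. Freshness: a quote that does not carry this session's nonce is a replay.
    if not secrets.compare_digest(quote["nonce"], expected_nonce):
        return False, "nonce mismatch (possible replay)"
    # 2. Regeneration: the supplied log must reproduce the quoted PCR digest,
    #    otherwise the log was tampered with or truncated after the fact.
    regenerated = replay_event_log(events)
    if pcr_composite(regenerated, quote["selection"]) != quote["pcr_digest"]:
        return False, "event log does not reproduce quoted PCR digest"
    # 3. Policy: regenerated PCRs must match the golden values known for this device.
    for idx in quote["selection"]:
        if regenerated.get(idx) != golden.get(idx):
            return False, f"PCR{idx} differs from golden value (firmware/software changed)"
    return True, "ok"


# Constructed sample data: firmware measured into PCR0, kernel and an IMA
# file measurement into PCR10 (the PCR Linux IMA extends by default).
def _m(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()

GOOD_LOG: List[Event] = [(0, _m("firmware-v1")), (10, _m("kernel-v1")), (10, _m("/sbin/init"))]
TAMPERED_LOG: List[Event] = [(0, _m("firmware-v1")), (10, _m("kernel-modified")), (10, _m("/sbin/init"))]
SELECTION = [0, 10]
GOLDEN = replay_event_log(GOOD_LOG)       # golden values recorded from a known-good boot
NONCE = bytes.fromhex("11" * 32)          # fresh per-session nonce chosen by the verifier
OLD_NONCE = bytes.fromhex("22" * 32)      # nonce from an earlier session


if __name__ == "__main__":
    quote = make_quote(GOOD_LOG, SELECTION, NONCE)
    print(verify_quote(quote, GOOD_LOG, NONCE, GOLDEN))
    print(verify_quote(quote, GOOD_LOG, OLD_NONCE, GOLDEN))
    print(verify_quote(quote, TAMPERED_LOG, NONCE, GOLDEN))
    print(verify_quote(make_quote(TAMPERED_LOG, SELECTION, NONCE), TAMPERED_LOG, NONCE, GOLDEN))
```

The three failure paths are deliberately distinct: a stale nonce is rejected before any log work is done, a log that does not regenerate the quoted digest is treated as an integrity failure of the evidence itself, and a log that regenerates correctly but lands on non-golden PCRs is the "firmware or software changed" case the abstract describes.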