Abstract
Remote attestation allows validating the trustworthiness of a remote device. Existing attestation schemes require hardware changes or trusted computing components, or rely on strict timing constraints. In this paper, we present a novel remote attestation approach, called DMA’n’Play, that tackles these practical limitations by leveraging DMA (direct memory access). Since DMA does not require CPU time, DMA’n’Play even allows attestation of devices with real-time constraints. To prevent the exploitation of side channels that could be used to determine whether the attestation is running, we developed DMA’n’Play To-Go, a small, mobile attestation device that can be plugged into the attested device. We evaluated DMA’n’Play on two real-world devices, namely a syringe pump and a drone. Our evaluation shows that DMA’n’Play adds negligible performance overhead and prevents data-only attacks by validating critical data in memory.
Acknowledgements
This work has been partially funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation)—SFB 1119—236615297 within project S2. This work was supported by the DFG Priority Program SPP 2253 Nano Security (Project RAINCOAT—Number: 440059533).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Surminski, S., Niesler, C., Davi, L., Sadeghi, AR. (2023). DMA’n’Play: Practical Remote Attestation Based on Direct Memory Access. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_2
DOI: https://doi.org/10.1007/978-3-031-33491-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33490-0
Online ISBN: 978-3-031-33491-7
eBook Packages: Computer Science, Computer Science (R0)