Secure runtime auditing in remote embedded/IoT devices

Wed 11 Dec 2024

From 11:00 until 12:30

At CAB H 53 (Seminar) + CNB/F/110 (Lunch), ETH Zurich

Abstract:

Embedded and IoT devices are becoming increasingly widespread, often supporting safety-critical operations. However, these devices typically lack the advanced security features of more powerful systems due to cost and energy constraints, making them vulnerable to software-based attacks. To address this, Control Flow Attestation (CFA) has been proposed as a cost-effective method to detect control flow hijacking attacks on remote devices by verifying their runtime behavior. CFA generates a trace that logs the destination of all executed branching instructions, thereby allowing a remote verifier to inspect the control flow of a potentially compromised device. Nonetheless, while CFA can be used to detect runtime compromises, it cannot guarantee the eventual delivery of the execution evidence to the verifier.

In this talk, I will first introduce the notion of runtime auditing, which aims to address CFA's shortcoming. Then, I will present our two recent research results, which design and implement architectures with runtime auditing guarantees. The first work, ACFA, combines an active root-of-trust architecture with the first low-cost hybrid (hardware/software) CFA co-design to bring runtime auditing to even the most resource-constrained embedded devices; meanwhile, our second work, TRACES, demonstrates that similar guarantees can be achieved on commodity MCUs with TrustZone-M. Finally, I will conclude by discussing open challenges and potential directions for future research in this area.

Join us in CAB H 53 (Seminar) + CNB/F/110 (Lunch).