Remote Attestation Protocol Specification and Analysis

Summary Statement

One component of the proposed approach is to formalize the expression of the steps in a remote attestation protocol, for two purposes.  A formal language description enables a formal analysis of the correctness, completeness, and security of the protocol.  This of course is critical, because adding remote attestation to the OT increases its attack surface, and formal specification and analysis mitigates the threat.   The second component is to use modeling and simulation to explore whether a given remote attestation protocol violates the many unique constraints in an OT network. There can be complexity and tradeoffs in this analysis.  For example, one protocol might call for complete measurement and analysis of evidence of a device before processing any system measurement that device provides.  This provides the highest level of trust in that system measurement but the frequency of the check almost surely renders that policy impractical.  A model of a given system, along with the costs and frequency of application of remote attestation policies can be used during protocol design phase to prune away designs that will violate OT constraints.

Energy Delivery System (EDS) Gap Analysis

Remote attestation is the activity of gathering evidence about a remote device and the software/firmware on it, and analyzing that evidence to develop trust that the device is who it says it is, and contains digital artifacts (e.g., software, signature files, configurations) that are required for interacting with the device.  Current state of the practice in OT networks is to trust the identity of a device based on the simplest of measurements, e.g. a MAC address, and to simply trust its digital artifacts are what one hopes and expects they are.    Remote attestation technology exists to strengthen the kind of evidence needed to gain trust in a remote device, but that technology can be complex and has non-trivial resource costs associated with it.  The gap is to find ways of implementing remote attestation that provide the level of trust needed for the operations that need it, while respecting the resource constraints of OT systems, the resiliency of those systems to failures and attacks on the attestation infrastructure, and the OT system real-time requirements.

More Information

Following a pivot to explore the suitability of using DPUs to support remote attestation, we have invested effort into benchmarking the DPUs we have to understand the performance of its hardware accelerators, and associated overheads.

 

We have implemented and tested an approach to maintain information about the integrity of code and memory state of edge devices in an OT network.   In past progress reports we identified promising technology called a “Security micro-visor” which when embedded in the kernel of such devices enables them to store secrets and securely compute cryptographic operations.   The security micro-visor can also selectively control windows of opportunity to change the device code and static data state.  Our approach assumes such capability in particular to securely compute and store HMACs.  This capability can be used to send messages whose contents can be validated by a recipient, and can be used to compute hashes of an edge device’s code and static data state.  With this capability an edge device can communicate verifiable messages with a “security server” in the OT that shares a private key with the device.

 

The core idea for our approach to remote attestation is have the security server maintain integrity information for all the edge devices it manages.   The security server can maintain hash values for each  edge device’s code and static data state, and periodically challenge a device to recompute its hash. The edge device returns a verifiable hash and the security can check that value against the expected one.  The security server assumes the edge device is attested if its request is responded to correctly.  Otherwise it can score the edge device as untrusted, and can communicate that assessment to other devices in the OT network.  

 

The frequency of the attestation recheck is a tunable parameter.

 

Our testing sought to understand and quantify the benefit of using a DPU at the security server.    One benefit is the isolation of the edge device states and hashes, the DPU protects them from rogue software in the security server.   Another benefit is due to hardware accelerators for cryptographic operations, here in particular, the computation of hashes to check message integrity.

 

The baseline case is using a server that does not have a DPU, and has no other specialized hardware support.    We can compare this against the performance of a non-DPU bearing server that has hardware support for hashing, and against the performance of a DPU-bearing security server.

 

Figure 1 plots the time required to authenticate the hash report from all edge device (provers) in an experiment where a number of edge devices were more-or-less simultaneously asked to report their state.  The time does not include any delays on the edge device side, it measures only the length of time the security server uses to validate all of the responses,  starting with the instant it starts the first validation and ends with the time it completes the last one.    Comparing the baseline case with the case where the security server has a DPU, we see a performance gain that exceeds a factor of 16.

 

 

Figure 1 Comparison of Baseline and DPU Systems

 

Figure 2 illustrates the results when we make the same comparison with a cpu that has a hash accelerator (but no DPU).

Figure 2 Comparison of SHA-accelerated server with DPU

 

Here we see that SHA-accelerated server computes the authentication of 64 or fewer provers faster (nearly a factor of 3 for 64 provers), but that that advantage dissipates with larger number of edge devices.    The key take-away here is that one can get the performance benefits of a DPU using other accelerators, but the DPU automatically provides isolation of critical secrets that were not present for the non-DPU case we studied.   However,  there are other non-DPU ways of augmenting servers with protection for secrets and code execution, and future work will explore these as well.

 

We completed the projected by conducting further experiments. The work and these experiments form the basis of an MS thesis by our student William Kozlawski, and a conference paper “Auto-PGT: An Automated Policy Generation Tool for Securing Industrial Control Systems”, submitted to EAI SecureComm.

 

Under separate funding we are continuing to explore application of the DPU with OT networks, in network reliability contexts that utilities have identified, and are looking towards market impact in that sphere as well.