AutoCert: Automated TOCTOU-secure digital certification for IoT with combined authentication and assurance

Abstract

The Internet of Things (IoT) network is comprised of heterogeneous devices which are part of critical infrastructures throughout the world. To enable end-to-end security, the Public Key Infrastructure (PKI) is undergoing advancements to incorporate IoT devices globally which primarily provides device authentication. In addition to this, integrity of the software-state is vital, where Remote Attestation (RA) and Integrity Certificates play an important role. Though, Integrity Certificate verifies the software-state integrity of the device at the time of execution of the remote attestation process, it does not provide mechanisms to validate that the current software-state corresponds to the attested state. This issue is referred to as the Time-Of-Check to Time-Of-Use (TOCTOU) problem and remains unsolved in the context of Integrity Certificates.In this paper, we propose AutoCert, the first TOCTOU-secure mechanism to combine software-state integrity with PKI for IoT which resolves the TOCTOU problem in RA and Integrity Certificates. To this end, we utilize the IETF Remote Attestation Procedures architecture and standard X509 IoT profile certificates to ensure both device authentication and software assurance for IoT. We implement and evaluate the performance of the AutoCert proof-of-concept on a real IoT device, the OPTIGA TPM Evaluation Kit, to show its practicality and usability. AutoCert can validate the attested state of an IoT device in approximately 4746 milliseconds, with a minimal network overhead of 350 bytes.