Abstract
The Internet of Things (IoT) ecosystem comprises billions of heterogeneous Internet-connected devices which are revolutionizing many domains, such as healthcare, transportation, smart cities, to mention only a few. Along with the unprecedented new opportunities, the IoT revolution is creating an enormous attack surface for potential sophisticated cyber attacks. In this context, Remote Attestation (RA) has gained wide interest as an important security technique to remotely detect adversarial presence and assure the legitimate state of an IoT device. While many RA approaches proposed in the literature make different assumptions regarding the architecture of IoT devices and adversary capabilities, most typical RA schemes rely on minimal Root of Trust by leveraging hardware that guarantees code and memory isolation. However, the presence of a specialized hardware is not always a realistic assumption, for instance, in the context of legacy IoT devices and resource-constrained IoT devices. In this paper, we survey and analyze existing software-based RA schemes (i.e., RA schemes not relying on specialized hardware components) through the lens of IoT. In particular, we provide a comprehensive overview of their design characteristics and security capabilities, analyzing their advantages and disadvantages. Finally, we discuss the opportunities that these RA schemes bring in attesting legacy and resource-constrained IoT devices, along with open research issues.
Highlights
IntroductionWith the Internet of Things (IoT) revolution, IoT devices are experiencing an exponential growth, becoming pervasive in infrastructure and industrial systems (e.g., digital transportation, smart cities, automated factories), and emerging as an integral part of our everyday life (e.g., smart home, wearable devices)
With the Internet of Things (IoT) revolution, IoT devices are experiencing an exponential growth, becoming pervasive in infrastructure and industrial systems, and emerging as an integral part of our everyday life
Based on their architectural design, Remote Attestation (RA) schemes can broadly be classified into three main categories: (1) Software-based RA (e.g., Seshadri et al [4,5]) which provides security guarantees based on strict running time constraints of the verification procedure; (2) Hardware-based RA (e.g., Sailer et al [6], Tan et al [7]) which uses a tamper-resistant hardware module as a secure execution environment; and (3) Hybrid RA (e.g., Eldefrawy et al [8], Brasser et al [9]) which rely on a minimal read-only hardware-protected memory
Summary
With the Internet of Things (IoT) revolution, IoT devices are experiencing an exponential growth, becoming pervasive in infrastructure and industrial systems (e.g., digital transportation, smart cities, automated factories), and emerging as an integral part of our everyday life (e.g., smart home, wearable devices). The prover sends proofs about its current state of the memory (typically a hash of the memory) to the verifier, whereas the verifier matches the received evidence with the expected legitimate state (known in advance) of the prover, and according to that it validates whether the prover is trustworthy or not. Based on their architectural design, RA schemes can broadly be classified into three main categories: (1) Software-based RA (e.g., Seshadri et al [4,5]) which provides security guarantees based on strict running time constraints of the verification procedure;. It is assumed that the verifier and the prover interact through a secure communication channel
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
