C-FLAT: Control-FLow ATtestation for Embedded Systems Software

TL;DR

C-FLAT is a novel remote attestation method for embedded systems that verifies control-flow integrity at runtime, enhancing security against sophisticated control hijacking attacks without needing source code access.

Contribution

It introduces C-FLAT, a runtime control-flow attestation framework for embedded devices, implemented on Raspberry Pi with ARM TrustZone, addressing limitations of static approaches.

Findings

Successfully detects control-flow hijacking attacks.

Achieves acceptable performance on real-world embedded applications.

Provides a practical, hardware-assisted solution for runtime attestation.

Abstract

Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to run-time attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive run-time remote attestation, we present the design and implementation of Control- FLow ATtestation (C-FLAT) that enables remote attestation of an application's control-flow path, without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.