Bibliographic Details
Main Authors: Chilese, Marco, Mitev, Richard, Orenbach, Meni, Thorburn, Robert, Atamli, Ahmad, Sadeghi, Ahmad-Reza
Format: Preprint
Published: 2024
Online Access: https://arxiv.org/abs/2403.07465
author Chilese, Marco
Mitev, Richard
Orenbach, Meni
Thorburn, Robert
Atamli, Ahmad
Sadeghi, Ahmad-Reza
contents Control-Flow Attestation (CFA) is a security service that allows an entity (verifier) to verify the integrity of code execution on a remote computer system (prover). Existing CFA schemes suffer from impractical assumptions, such as requiring access to the prover's internal state (e.g., memory or code), the complete Control-Flow Graph (CFG) of the prover's software, large sets of measurements, or tailor-made hardware. Moreover, current CFA schemes are inadequate for attesting embedded systems due to their high computational overhead and resource usage. In this paper, we overcome the limitations of existing CFA schemes for embedded devices by introducing RAGE, a novel, lightweight CFA approach with minimal requirements. RAGE can detect Code Reuse Attacks (CRA), including control- and non-control-data attacks. It efficiently extracts features from one execution trace and leverages Unsupervised Graph Neural Networks (GNNs) to identify deviations from benign executions. The core intuition behind RAGE is to exploit the correspondence between execution trace, execution graph, and execution embeddings to eliminate the unrealistic requirement of having access to a complete CFG. We evaluate RAGE on embedded benchmarks and demonstrate that (i) it detects 40 real-world attacks on embedded software; (ii) Further, we stress our scheme with synthetic return-oriented programming (ROP) and data-oriented programming (DOP) attacks on the real-world embedded software benchmark Embench, achieving 98.03% (ROP) and 91.01% (DOP) F1-Score while maintaining a low False Positive Rate of 3.19%; (iii) Additionally, we evaluate RAGE on OpenSSL, used by millions of devices and achieve 97.49% and 84.42% F1-Score for ROP and DOP attack detection, with an FPR of 5.47%.
format Preprint
id arxiv_https___arxiv_org_abs_2403_07465
institution arXiv
publishDate 2024
record_format arxiv
title One for All and All for One: GNN-based Control-Flow Attestation for Embedded Devices
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2403.07465