Efficient Property-Based Remote Attestation Scheme

In order to ensure the security of the property-based remote attestation scheme, an improved, more efficient, forrml security model of property-based remote attestation is proposed, with which we prove that the user platform satis- fies the security property requirements predefmed by a remote relying party. Under the co-Corrtautational Diffie-Helknan （CDH） assumption, the proposed scheme is proved to be secure in the random oracle model. Compared with the existing schemes, the proposed scheme has a short property certificate and signature size, and requires less computational cost.

A Behavior-Based Remote Trust Attestation Model

While remote trust attestation is a useful concept to detect unauthorized changes to software, the current mechanism only ensures authenticity at the start of the operating system and cannot ensure the action of running software. Our approach is to use a behavior-based monitoring agent to make remote attestation more flexible, dynamic, and trustworthy. This approach was mostly made possible by extensive use of process information which is readily available in Unix. We also made use of a behavior tree to effectively record predictable behaviors of each process. In this paper, we primarily focus on building a prototype implementation of such framework, presenting one example built on it, successfully find potential security risks in the run time of a ftp program and then evaluate the performance of this model.

TPM-Based Remote Attestation for Wireless Sensor Networks

It is essential to design a protocol to allow sensor nodes to attest to their trustworthiness for mission- critical applications based on Wireless Sensor Networks （WSNs）. However, it is a challenge to evaluate the trustworthiness without appropriate hardware support. Hence, we present a hardware-based remote attestation protocol to tackle the problem within WSNs. In our design, each sensor node is equipped with a Trusted Platform Module （TPM） which plays the role of a trusted anchor. We start with the formulation of remote attestation and its security. The complete protocol for both single-hop and multi-hop attestations is then demonstrated. Results show the new protocol is effective, efficient, and secure.

Remote Attestation-Based Access Control on Trusted Computing Platform

Existing remote attestation schemes based on trusted computing have some merits on enhancing security assurance level, but they usually do not integrate tightly with the classical system security mechanism. In this paper, we present a component named remote attestation-based access controller （RABAC）, which is based on a combination of techniques, such as random number, Bell-La Padula （BLP） model, user identity combined with his security properties and so on. The component can validate the current hardware and software integrity of the remote platform, and implement access control with different security policy. We prove that the RABAC can not only improve the security of transferred information in remote attestation process but also integrate remote attestation and classical system security mechanism effectively.

Towards a Source-Code Oriented Attestation

The Binary-based attestation （BA） mechanism presented by the Trusted Computing Group can equip the application with the capability of genuinely identifying configurations of remote system. However, BA only supports the attestation for specific patterns of binary codes defined by a trusted party, mostly the software vendor, for a particular version of a software. In this paper, we present a Source-Code Oriented Attestation （SCOA） framework to enable custom built application to be attested to in the TCG attestation architecture. In SCOA, security attributes are bond with the source codes of an application instead of its binaries codes. With a proof chain generated by a Trusted Building System to record the building procedure, the challengers can determine whether the binary interacted with is genuinely built from a particular set of source codes. Moreover, with the security attribute certificates assigned to the source codes, they can determine the trustworthiness of the binary. In this paper, we present a TBS implementation with virtualization.

SAPEM: Secure Attestation of Program Execution and Program Memory for IoT Applications

Security is one of the major challenges that devices connected to the Internet of Things(IoT)face today.Remote attestation is used to measure these devices’trustworthiness on the network by measuring the device platform’s integrity.Several software-based attestation mechanisms have been proposed,but none of them can detect runtime attacks.Although some researchers have attempted to tackle these attacks,the proposed techniques require additional secured hardware parts to be integrated with the attested devices to achieve their aim.These solutions are expensive and not suitable in many cases.This paper proposes a dual attestation process,SAPEM,with two phases:static and dynamic.The static attestation phase examines the program memory of the attested device.The dynamic program ow attestation examines the execution correctness of the application code.It can detect code injection and runtime attacks that hijack the control-ow,including data attacks that affect the program control-ow.The main aim is to minimize attestation overhead while maintaining our ability to detect the specied attacks.We validated SAPEM by implementing it on Raspberry Pi using its TrustZone extension.We attested it against the specied attacks and compared its performance with the related work in the literature.The results show that SAPEM signicantly minimizes performance overhead while reliably detecting runtime attacks at the binary level.

Enhancing the Trustworthiness of 6G Based on Trusted Multi-Cloud Infrastructure:A Practice of Cryptography Approach

Due to the need for massive device connectivity,low communication latency,and various customizations in 6G architecture,a distributed cloud deployment approach will be more relevant to the space-air-ground-sea integrated network scenario.However,the openness and heterogeneity of the 6G network cause the problems of network security.To improve the trustworthiness of 6G networks,we propose a trusted computing-based approach for establishing trust relationships inmulti-cloud scenarios.The proposed method shows the relationship of trust based on dual-level verification.It separates the trustworthy states of multiple complex cloud units in 6G architecture into the state within and between cloud units.Firstly,SM3 algorithm establishes the chain of trust for the system’s trusted boot phase.Then,the remote attestation server(RAS)of distributed cloud units verifies the physical servers.Meanwhile,the physical servers use a ring approach to verify the cloud servers.Eventually,the centralized RAS takes one-time authentication to the critical evidence information of distributed cloud unit servers.Simultaneously,the centralized RAS also verifies the evidence of distributed RAS.We establish our proposed approach in a natural OpenStack-based cloud environment.The simulation results show that the proposed method achieves higher security with less than a 1%system performance loss.

DIV： Dynamic Integrity Validation Framework for Detecting Compromises on Virtual Machine Based Cloud Services in Real Time

with the increasing popularity of cloud services,attacks on the cloud infrastructure also increase dramatically.Especially,how to monitor the integrity of cloud execution environments is still a difficult task.In this paper,a real-time dynamic integrity validation(DIV) framework is proposed to monitor the integrity of virtual machine based execution environments in the cloud.DIV can detect the integrity of the whole architecture stack from the cloud servers up to the VM OS by extending the current trusted chain into virtual machine's architecture stack.DIV introduces a trusted third party(TTP) to collect the integrity information and detect remotely the integrity violations on VMs periodically to avoid the heavy involvement of cloud tenants and unnecessary information leakage of the cloud providers.To evaluate the effectiveness and efficiency of DIV framework,a prototype on KVM/QEMU is implemented,and extensive analysis and experimental evaluation are performed.Experimental results show that the DIV can efficiently validate the integrity of files and loaded programs in real-time,with minor performance overhead.

Protocol for Trusted Channel Based on Portable Trusted Module

Web-based e-commerce applications need a trusted channel,which provides confidential communication,identity authentication and integrity assurance of endpoints,to guarantee the security of electronic transactions.A user-oriented trusted computing system based on Portable Trusted Module(PTM)is presented.Remote attestation is incorporated into Transport Layer Security(TLS)handshake protocol based on PTM so as to establish a trusted channel between two endpoints in network.This protocol can resist masquerading,trusted path and runtime attacks and propagate the trust in the computing system to the end user effectively.The test results of our proof-of-concept prototype show that our protocol for trusted channel is feasible for deployment in e-commerce applications on the Internet.

PIMS:An Efficient Process Integrity Monitoring System Based on Blockchain and Trusted Computing in Cloud-Native Context

With the advantages of lightweight and high resource utilization,cloud-native technology with containers as the core is gradually becoming themainstreamtechnical architecture for information infrastructure.However,malware attacks such as Doki and Symbiote threaten the container runtime’s security.Malware initiates various types of runtime anomalies based on process form(e.g.,modifying the process of a container,and opening the external ports).Fortunately,dynamic monitoring mechanisms have proven to be a feasible solution for verifying the trusted state of containers at runtime.Nevertheless,the current routine dynamic monitoring mechanisms for baseline data protection are still based on strong security assumptions.As a result,the existing dynamicmonitoringmechanismis still not practical enough.To ensure the trustworthiness of the baseline value data and,simultaneously,to achieve the integrity verification of the monitored process,we combine blockchain and trusted computing to propose a process integrity monitoring system named IPMS.Firstly,the hardware TPM 2.0 module is applied to construct a trusted security foundation for the integrity of the process code segment due to its tamper-proof feature.Then,design a new format for storing measurement logs,easily distinguishing files with the same name in different containers from log information.Meanwhile,the baseline value data is stored on the blockchain to avoidmalicious damage.Finally,trusted computing technology is used to perform fine-grained integrity measurement and remote attestation of processes in a container,detect abnormal containers in time and control them.We have implemented a prototype system and performed extensive simulation experiments to test and analyze the functionality and performance of the PIMS.Experimental results show that PIMS can accurately and efficiently detect tampered processes with only 3.57% performance loss to the container.

Anonymous authentication scheme of trusted mobile terminal under mobile Internet

In order to solve the contradictions between user privacy protection and identity authentication, an anonymous authentication scheme under mobile Internet is proposed, which is based on the direct anonymous attestation of trusted computing and uses the encrypting transfer and signature validation for its implementation. Aiming at two access mode of trusted mobile terminal under mobile Internet, self access and cross-domain access, the authentication process of each mode is described in details. The analysis shows that the scheme implements anonymous authentication on mobile Internet and is correct, controllable and unforgeable.