Document Type

Technical Report

Publication Date

3-1-2020

Technical Report Number

TR2020-877

Abstract

The growing number and nature of Internet of Things (IoT) devices makes these resource-constrained appliances particularly vulnerable and increasingly impactful in their exploitation. Current estimates for the number of connected "things" commonly reach the tens of billions. The low-cost and limited computational strength of these devices can preclude security features. Additionally, economic forces and a lack of industry expertise in security often contribute to a rush to market with minimal consideration for security implications. It is essential that users of these emerging technologies, from consumers to IT professionals, be able to establish and retain trust in the multitude of diverse and pervasive compute devices that are ever more responsible for our critical infrastructure and personal information. Remote attestation is a well-known technique for building such trust between devices. In standard implementations, a potentially untrustworthy prover attests, using public key infrastructure, to a verifier about its configuration or properties of its current state. Attestation is often performed on an ad hoc basis with little concern for historicity. However, controls and sensors manufactured for the Industrial IoT (IIoT) may be expected to operate for decades. Even in the consumer market, so-called "smart" things can be expected to outlive their manufacturers. This longevity combined with limited software or firmware patching creates an ideal environment for long-lived zero-day vulnerabilities. Knowing both if a device is vulnerable and if so when it became vulnerable is a management nightmare as IoT deployments scale. For network connected machines, with access to sensitive information and real-world physical controls, maintaining some sense of a device's lifecycle would be insightful. In this paper, we propose a novel attestation architecture, DAN: a distributed attestation network, utilizing blockchain to store and share device information. We present the design of this new attestation architecture, and describe a virtualized simulation, as well as a prototype system chosen to emulate an IoT deployment with a network of Raspberry Pi, Infineon TPMs, and a Hyperledger Fabric blockchain. We discuss the implications and potential challenges of such a network for various applications such as identity management, intrusion detection, forensic audits, and regulatory certification.

Comments

This is an extended version of the paper accepted to SIoTEC 2020.

Share

COinS