LAPE: A Lightweight Attestation of Program Execution Scheme for Bare-Metal Systems

Unlike traditional processors, Internet of Things (IoT) devices are short of resources to incorporate mature protections (e.g. MMU, TrustZone) against modern control-flow attacks. Remote (control-flow) attestation is fast becoming a key instrument in securing such devices as it has proven the effectiveness on not only detecting runtime malware infestation of a remote device, but also saving the computing resources by moving the costly verification process away. However, few control-flow attestation schemes have been able to draw on any systematic research into the software specificity of bare-metal systems, which are widely deployed on resource-constrained IoT devices. To our knowledge, the unique design patterns of the system limit implementations of such expositions. In this paper, we present the design and proof-of-concept implementation of LAPE, a lightweight attestation of program execution scheme that enables detecting control-flow attacks for bare-metal systems without requiring hardware modification. With rudimentary memory protection support found in modern IoT-class microcontrollers, LAPE leverages software instrumentation to compartmentalize the firmware functions into several "attestation compartments". It then continuously tracks the control-flow events of each compartment and periodically reports them to the verifier. The PoC of the scheme is incorporated into an LLVM-based compiler to generate the LAPE-enabled firmware. By taking experiments with several real-world IoT firmware, the results show both the efficiency and practicality of LAPE.