The paper “Towards Efficient Control-Flow Attestation with Software-Assisted Multi-level Execution Tracing” has been accepted for presentation at the Special Session “Securing Future Networks” of the “IEEE International Mediterranean Conference on Communications and Networking” (IEEE MeditCom 2021), which takes place 7-10 September 2021 in Athens, Greece. UBITECH’s Digital Security and Trusted Computing research group proposes a multi-level execution tracing framework that capitalizes on recent software features, namely the extended Berkeley Packet Filter and Intel Processor Trace technologies, to efficiently capture the entire platform configuration and control-flow stacks, thus enabling wide attestation coverage that can be applied to both resource-constrained devices and cloud services.
In particular, Dr Papamartzivanos, Dr Menesidou, Dr Gouvas and Dr Giannetsos present a novel hybrid tracer that enables in-depth investigation and tracing of a system’s configuration and operation while simultaneously meeting three requirements: precision, efficiency and transparency. Our approach is a software-assisted solution (or pseudo-hardware-based, since it requires an Intel processor) built on a two-tier granularity tracing technique that combines two of the most prominent mechanisms, namely the extended Berkeley Packet Filter (eBPF) and Intel PT.
The main idea is that the installed eBPF and Intel PT probes are programmed to intercept internal operations in order to produce a run-time control-flow path. Such probes can capture the execution of specific software components on both physical and virtual devices, from embedded devices to cloud services, so that the integrity of the execution behaviour can be checked and attested against already defined policies.
Overall, this new family of tracing mechanisms is precise, since Intel PT has all of the program’s control-flow traces. It is efficient, since the combined tracing techniques provide different levels of detail in the logged information and are activated only when needed by the control-flow attestation (CFA), thus enhancing the security and trustworthiness of the integrity verification steps. Finally, it is transparent: it requires no binary instrumentation and can be readily deployed on commodity systems.