TY - GEN
T1 - Toward Profiling IoT Processes for Remote Service Attestation
AU - Johnson, William A.
AU - Housley, John
AU - Ghafoor, Sheikh
AU - Prowell, Stacy
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - The Internet of Things (IoT) is ubiquitous in modern life and is used widely in industrial control systems, smart grids, home appliances and many other settings. IoT devices gather information from sensors, process it, and send signals to actuators and controllers; in operation, these devices form a distributed computing network. Malware in IoT or any embedded device is a potential security threat. Detecting malware in such a setting while the devices are in operation is non-trivial, because these low-power devices may not have the computational ability to perform traditional security operations. Additionally, an infected device may cause other machines to misbehave by interfering with the data they receive. Remote attestation is a security service designed to detect an infection in a device well before the malware detonates. Recent works have turned their attention to service attestation, i.e. attesting the service that a network provides rather than the individual devices themselves. Traditional remote attestation schemes use cryptographic hashes as evidence, but this approach generates exponentially more hashes as heterogeneous IoT devices are added to the network and their jobs' complexity increases. In this work, we propose an approach to collect the contents of executable virtual memory from an IoT device. We develop a protocol based on our approach that builds a profile of a process running on an IoT device; such evidence can be analyzed automatically with high granularity. We validate our protocol by testing on both a personal computer and a real-world Industrial IoT device under process injection attacks. Our results show that our protocol can detect small changes to process memory over time, and that an injection as small as one word can be detected and read.
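The abstract describes collecting a process's executable virtual memory, profiling it, and comparing profiles over time so that even a one-word injection can be located and read. The Python script below is an added example written for this page, not code from the paper or its authors, and it does not reproduce the paper's protocol or evidence format. It assumes a Linux target that exposes /proc/<pid>/maps and /proc/<pid>/mem, a 32-bit word width (typical of industrial IoT SoCs), 4 KiB page hashes as the coarse comparison step, and a constructed maps excerpt plus a synthetic text segment as sample input; the injected word and its offset are likewise constructed.

```python
"""Snapshot the executable mappings of a Linux process, build a page-hash
profile of them, and diff two profiles down to the changed machine word.
Added example; the paper's own protocol is not shown here."""
import hashlib
import re
import struct

WORD = 4      # assumed word width: 32-bit target
PAGE = 4096   # hash granularity for the coarse comparison pass

# One line of /proc/<pid>/maps looks like:
# 00400000-00452000 r-xp 00000000 08:02 173521      /usr/bin/dbus-daemon
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_exec_regions(maps_text):
    """Return [(start, end, path)] for every mapping with the execute bit set."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and "x" in m.group(3):
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return regions


def read_exec_memory(pid):
    """Linux only: copy every executable mapping of `pid` out of /proc/<pid>/mem.
    Requires ptrace access to the target (same uid with a permissive
    ptrace_scope, or CAP_SYS_PTRACE). Unreadable mappings are skipped."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_exec_regions(f.read())
    snapshot = {}
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for start, end, path in regions:
            try:
                mem.seek(start)
                snapshot[(start, end, path)] = mem.read(end - start)
            except OSError:
                continue  # e.g. [vsyscall] or a guard region; not readable
    return snapshot


def build_profile(snapshot):
    """Profile = per-region list of (page address, SHA-256 of page) plus the raw
    bytes, so a verifier can find a changed page quickly and then read the word."""
    profile = {}
    for (start, end, path), data in snapshot.items():
        pages = [(start + off, hashlib.sha256(data[off:off + PAGE]).hexdigest())
                 for off in range(0, len(data), PAGE)]
        profile[(start, end, path)] = {"pages": pages, "bytes": data}
    return profile


def diff_profiles(baseline, current):
    """Return [(address, old_word, new_word)] for every word that differs.
    An executable mapping absent from the baseline is reported whole, with
    old_word = None, since code that was never attested is itself suspicious."""
    changes = []
    for key, cur in current.items():
        start = key[0]
        base = baseline.get(key)
        if base is None:
            for off in range(0, len(cur["bytes"]), WORD):
                changes.append((start + off, None, cur["bytes"][off:off + WORD]))
            continue
        for (addr, h_base), (_, h_cur) in zip(base["pages"], cur["pages"]):
            if h_base == h_cur:
                continue  # coarse pass: page unchanged, skip the word walk
            off = addr - start
            b = base["bytes"][off:off + PAGE]
            c = cur["bytes"][off:off + PAGE]
            for i in range(0, len(c), WORD):
                if b[i:i + WORD] != c[i:i + WORD]:
                    changes.append((addr + i, b[i:i + WORD], c[i:i + WORD]))
    return changes


# Constructed sample input: a maps excerpt and an 8 KiB synthetic text segment.
SAMPLE_MAPS = """\
00400000-00402000 r-xp 00000000 08:02 12345      /opt/plc/controller
00602000-00603000 rw-p 00002000 08:02 12345      /opt/plc/controller
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0  [stack]
"""


def demo():
    """Profile the sample segment, inject one word, and report what changed."""
    key = parse_exec_regions(SAMPLE_MAPS)[0]
    start, end, _ = key
    clean = bytes((i * 7) & 0xFF for i in range(end - start))
    baseline = build_profile({key: clean})
    injected = bytearray(clean)
    # Simulated one-word injection at offset 0x1234 (constructed, e.g. a patched branch).
    injected[0x1234:0x1234 + WORD] = struct.pack("<I", 0xDEADBEEF)
    current = build_profile({key: bytes(injected)})
    return diff_profiles(baseline, current)


if __name__ == "__main__":
    for addr, old, new in demo():
        print(f"{addr:#010x}: {old.hex() if old else None} -> {new.hex()}")
```

Running the script reports a single changed word at 0x00401234; against a live process, replace the constructed snapshot with read_exec_memory(pid) taken at two points in time. Keeping raw bytes in the profile is what lets the verifier read the injected word rather than only learning that a hash no longer matches.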
KW - IoT Security
KW - Malware Detection
KW - Remote Attestation
KW - Service Attestation
UR - http://www.scopus.com/inward/record.url?scp=85207826305&partnerID=8YFLogxK
U2 - 10.1109/ISPDC62236.2024.10705398
DO - 10.1109/ISPDC62236.2024.10705398
M3 - Conference contribution
AN - SCOPUS:85207826305
T3 - 2024 23rd International Symposium on Parallel and Distributed Computing, ISPDC 2024
BT - 2024 23rd International Symposium on Parallel and Distributed Computing, ISPDC 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd International Symposium on Parallel and Distributed Computing, ISPDC 2024
Y2 - 8 July 2024 through 10 July 2024
ER -