# **APEX: A Verified Architecture for Proofs of Execution on Remote Devices Under Full Software Compromise**

Ivan De Oliveira Nunes, Karim Eldefrawy, Norrathep Rattanavipanon, Gene Tsudik

29<sup>th</sup> USENIX Security Symposium August, 2020.

- Several interconnected devices
  - Control units
  - Sensors
  - Actuators
  - Network devices
- Examples
  - Industrial facilities
  - Home automation
  - Vehicles
- Heterogeneous:
  <u>Typically more sophisticated</u>
  <u>devices controlling simple low-end</u>
  <u>embedded systems</u>





- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car

Controller (Higher-end device)



Sensor (Low-end device)



Controllers rely on sensed values to make decisions (e.g., send help)



- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car



Controllers rely on sensed values to make decisions (e.g., send help)



- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car

Controller (Higher-end device)



Controllers rely on sensed values to make decisions (e.g., send help)





- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car



- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car

Controller (Higher-end device)





Problem: compromised software on the low-end sensor device might spoof sensed values



- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car

Controller (Higher-end device)



Problem: compromised software on the low-end sensor device might spoof sensed values



- Examples
  - Smoke detector in a household
  - Engine's temperature sensor in a car



# Low-End Embedded Devices, Sensors, Actuators... (aka amoebas of the computing world)

- Designed for: <u>Low-Cost</u>, <u>Low-Energy</u>, <u>Small-Size</u>.
- Memory: Program (-32kB) and Data (-2-16 kB)
- Single core CPU (~8–16MHz; 8– or 16–bit)
- Simple Communication (I/O) Interfaces (a few kbps)
- Examples: TI MSP-430, AVR ATMega32 (Arduino)





• In the face of potential software compromise of low-end devices:

- In the face of potential software compromise of low-end devices:
  - How to trust results/data produced by a simple remote embedded device?

- In the face of potential software compromise of low-end devices:
  - How to trust results/data produced by a simple remote embedded device?
  - Can we bind produced results/data to the execution of expected software?

- In the face of potential software compromise of low-end devices:
  - How to trust results/data produced by a simple remote embedded device?
  - Can we bind produced results/data to the execution of expected software?
  - Can we do this cost-effectively? Even if <u>all software</u> on a device can be modified and/or compromised <u>at any point in time</u>?

- In the face of potential software compromise of low-end devices:
  - How to trust results/data produced by a simple remote embedded device?
  - Can we bind produced results/data to the execution of expected software?
  - Can we do this cost-effectively? Even if <u>all software</u> on a device can be modified and/or compromised <u>at any point in time</u>?



- In the face of potential software compromise of low-end devices:
  - How to trust results/data produced by a simple remote embedded device?
  - Can we bind produced results/data to the execution of expected software?
  - Can we do this cost-effectively? Even if <u>all software</u> on a device can be modified and/or compromised <u>at any point in time</u>?



# **Background: The Software Process in a Sensor**

 Software on the Microcontroller triggers <u>Sensing Hardware</u> through <u>General Purpose Input-Output (GPIO)</u>, according to some communication protocol, and waits for the sensed value as a response.

### **Background: The Software Process in a Sensor**

 Software on the Microcontroller triggers <u>Sensing Hardware</u> through <u>General Purpose Input-Output (GPIO)</u>, according to some communication protocol, and waits for the sensed value as a response.

### Sensing Hardware:

- Digital or Analog circuitry
- E.g.: Resistors with variable resistance according to temperature, pressure, light, etc.

#### GPIO:

 Memory addresses connected to physical ports in the Microcontroller.



### **Background: The Software Process in a Sensor**

 Software on the Microcontroller triggers <u>Sensing Hardware</u> through <u>General Purpose Input-Output (GPIO)</u>, according to some communication protocol, and waits for the sensed value as a response.

### Sensing Hardware:

Digital or Analog circuitry

 E.g.: Resistors with variable resistance according to temperature, pressure, light, etc.

#### GPIO:

 Memory addresses connected to physical ports in the Microcontroller.



<u>Trustworthy Sensing:</u> Prove that a value was indeed obtained from the expected GPIO interface, via execution of the expected software

# Previous Work on Securing the Software-State of Low-End Embedded Systems

- Typically involves some form of <u>Remote Attestation (RA)</u>:
  - A general approach of detecting malware presence on invalid software state on devices
  - Two-party interaction between:
    - **Verifier**: trusted entity
      - (e.g., a higher-end controller device in a CPS)
    - **Prover**: potentially infected and untrusted **remote** IoT device
      - (e.g., a low-end sensor/actuator)
  - Goal: measure current internal state (the contents in memory) of prover

# Previous Work on Securing the Software-State of Low-End Embedded Systems

- Typically involves some form of <u>Remote Attestation (RA)</u>:
  - A general approach of detecting malware presence on invalid software state on devices
  - Two-party interaction between:
    - **Verifier**: trusted entity
      - (e.g., a higher-end controller device in a CPS)
    - **Prover**: potentially infected and untrusted **remote** IoT device
      - (e.g., a low-end sensor/actuator)
  - Goal: measure current internal state (the contents in memory) of prover

#### **Remote Attestation Interaction**



#### **Remote Attestation Interaction**



If secure should provide an <u>unforgeable proof</u> that the <u>Prover's memory corresponds to a</u> given value at the time of RA computation

- However... RA by itself is not sufficient
  - Does not prove execution of attested code
  - Does not bind the outputs to the execution of the code

- However... RA by itself is not sufficient
  - Does not prove execution of attested code
  - Does not bind the outputs to the execution of the code
- For example, attempts using a regular RA architecture:
  - Attest-then-Execute:
    - Vulnerable to: Attest → Compromise → Execute

- However... RA by itself is not sufficient
  - Does not prove execution of attested code
  - Does not bind the outputs to the execution of the code
- For example, attempts using a regular RA architecture:
  - Attest-then-Execute:
    - Vulnerable to: Attest → Compromise → Execute
  - Execute-then-Attest:
    - Vulnerable to: Compromise → Execute → Heal → Attest

- However... RA by itself is not sufficient
  - Does not prove execution of attested code
  - Does not bind the outputs to the execution of the code
- For example, attempts using a regular RA architecture:
  - Attest-then-Execute:
    - Vulnerable to: Attest → Compromise → Execute
  - Execute-then-Attest:
    - Vulnerable to: Compromise → Execute → Heal →Attest
  - Attest-then-Execute-then-Attest:
    - Vulnerable to: Attest → Compromise → Execute → Heal → Attest

- However... RA by itself is not sufficient
  - Does not prove execution of attested code
  - Does not bind the outputs to the execution of the code
- For example, attempts using a regular RA architecture:
  - Attest-then-Execute:
    - Vulnerable to: Attest → Compromise → Execute
  - Execute-then-Attest:
    - Vulnerable to: Compromise → Execute → Heal →Attest
  - Attest-then-Execute-then-Attest:
    - Vulnerable to: Attest → Compromise → Execute → Heal → Attest

Clever Malware hides itself! Not possible to prove that the proper code executed!

Proofs of (Remote Software) EXecution (PoX)

# Proofs of (Remote Software) EXecution (PoX)

- Cryptographic binding between:
  - Executed code
  - Outputs produced by this execution
  - <u>Temporally consistent remote attestation</u> of the executed code and respective outputs
- Extension to the RA capability

# Proofs of (Remote Software) EXecution (PoX)

- Cryptographic binding between:
  - Executed code
  - Outputs produced by this execution
  - <u>Temporally consistent remote attestation</u> of the executed code and respective outputs
- Extension to the RA capability
- Reminder! We must be mindful of:
  - Low-cost, low-energy, small-size
  - Possibility of <u>full software compromise</u>
    - Implies some hardware support!

Sensor (Low-end device)



• APEX: (Formally Verified) <u>Architecture for Proofs of Execution</u>

- APEX: (Formally Verified) <u>Architecture for Proofs of Execution</u>
- Idea:
  - With cost in mind... The simplest thing we can do is to set one bit
    - This bit is referred to as <u>"EXEC flag"</u>

- APEX: (Formally Verified) <u>Architecture for Proofs of Execution</u>
- Idea:
  - With cost in mind... The simplest thing we can do is to set one bit
    - This bit is referred to as <u>"EXEC flag"</u>
  - Minimal formally verified hardware controls **exec** value.
  - $\circ$  **EXEC** = **1** $\Rightarrow$  Attested software executed properly.
  - $\circ$  **EXEC** = **0** $\Rightarrow$  It did not execute, or execution was tampered with

- APEX: (Formally Verified) <u>Architecture for Proofs of Execution</u>
- Idea:
  - With cost in mind... The simplest thing we can do is to set one bit
    This bit is referred to as <u>"EXEC flag"</u>
  - Minimal formally verified hardware controls **exec** value.
  - $\circ$  **EXEC** = **1** $\Rightarrow$  Attested software executed properly.
  - $\circ$  **EXEC** = **0** $\Rightarrow$  It did not execute, or execution was tampered with
  - EXEC flag is stored in a fixed physical memory address that is covered by the RA measurement.

- APEX: (Formally Verified) <u>Architecture for Proofs of Execution</u>
- Idea:
  - With cost in mind... The simplest thing we can do is to set one bit
    This bit is referred to as <u>"EXEC flag"</u>
  - Minimal formally verified hardware controls **exec** value.
  - $\circ$  **EXEC** = **1** $\Rightarrow$  Attested software executed properly.
  - $\circ$  **EXEC** = **0** $\Rightarrow$  It did not execute, or execution was tampered with
  - EXEC flag is stored in a fixed physical memory address that is covered by the RA measurement.
- Assuming a secure underlying RA architecture, unforgeability guarantees that the <u>attestation result must reflect the actual</u> <u>value of EXEC during the RA computation</u>

#### **APEX**

• The problem is reduced to properly controlling EXEC value!

#### **APEX**

- The problem is reduced to properly controlling EXEC value!
- What does "proper execution" mean?

#### **APEX**

- The problem is reduced to properly controlling EXEC value!
- What does "proper execution" mean?
  - In this work:
    - 1 Executable <u>runs atomically</u> (i.e., uninterrupted), <u>from its first instruction</u>, <u>until its last instruction</u>.
    - 2 Execution happens after receiving the latest attestation challenge
      - Timeliness. No replayed PoX!!!
    - 3 Neither the Executable, nor its Outputs (if any) are modified in between the execution and subsequent RA computation.



#### METADATA:

 Set of physical addresses reserved to store configuration parameters about the execution





- METADATA:
  - Set of physical addresses reserved to store configuration parameters about the execution
- METADATA includes:
  - EXEC flag



#### METADATA:

 Set of physical addresses reserved to store configuration parameters about the execution

#### METADATA includes:

- EXEC flag
- Location for storing the received challenge



#### METADATA:

 Set of physical addresses reserved to store configuration parameters about the execution

#### METADATA includes:

- EXEC flag
- Location for storing the received challenge
- Pointers to location reserved for the execution output
  - Output Range (OR)



#### METADATA:

Set of physical addresses reserved to store configuration parameters about the execution

#### **METADATA** includes:

- EXEC flag
- Location for storing the received challenge
- Pointers to location reserved for the execution output
  - Output Range (OR)
- Pointers to the location of the executable
  - Executable Range (ER)



#### METADATA:

 Set of physical addresses reserved to store configuration parameters about the execution

#### METADATA includes:

- O EXEC flag
- Location for storing the received challenge
- Pointers to location reserved for the execution output
  - Output Range (OR)
- Pointers to the location of the executable
  - Executable Range (ER)

APEX hardware module controls EXEC value based on the parameters in METADATA and several CPU signals.



#### • Before execution:

- Execution configuration must be written to METADATA before execution
  - Including the challenge!



#### Before execution:

- Execution configuration must be written to METADATA before execution
  - Including the challenge!
- METADATA <u>cannot be changed</u> once execution starts!
  - Any change to METADATA at any point causes **EXEC=0**
  - Necessary for **PoX** security
  - More on this later...



#### Before execution:

- Execution configuration must be written to METADATA before execution
  - Including the challenge!
- METADATA <u>cannot be changed</u> once execution starts!
  - Any change to METADATA at any point causes **EXEC=0**
  - Necessary for PoX security
  - More on this later...
- Configuration parameters can be written by untrusted software running on the Prover (i.e., the low end device), however:
  - Must specify ER to be the region actually containing the proper executable
  - Must specify OR sufficiently large to fit the expected output
  - Otherwise PoX will fail
    - More on this later...



#### During execution:

O Initially **EXEC=0** (default value, e.g., after boot or a reset)



#### During execution:

- Initially EXEC=0 (default value, e.g., after boot or a reset)
- O The <u>only way</u> to switch from <u>EXEC=0</u> to <u>EXEC=1</u> is to start execution from scratch
  - Program counter (PC) must point to the first instruction of ER (as determined in METADATA)



#### During execution:

- Initially <u>exec=0</u> (default value, e.g., after boot or a reset)
- The <u>only way</u> to switch from <u>EXEC=0</u> to <u>EXEC=1</u> is to start execution from scratch
  - Program counter (PC) must point to the first instruction of ER (as determined in METADATA)
- If any of the following happens before PC reaches the last instruction of ER, APEX sets EXEC=0:
  - <u>Interruption:</u> irq, reset, PC \( \pm \) ER, etc...
    - Gives Malware opportunity to skip instructions, change intermediate execution data, outputs etc.
  - **DMA activity:** Could tamper with intermediate execution results in data memory and OR, or change instructions in ER.



#### During execution:

- Initially EXEC=0 (default value, e.g., after boot or a reset)
- O The <u>only way</u> to switch from <u>EXEC=0</u> to <u>EXEC=1</u> is to start execution from scratch
  - Program counter (PC) must point to the first instruction of ER (as determined in METADATA)
- If any of the following happens before PC reaches the last instruction of ER, APEX sets EXEC=0:
  - <u>Interruption:</u> irq, reset, PC \( \pm \) ER, etc...
    - Gives Malware opportunity to skip instructions, change intermediate execution data, outputs etc.
  - **DMA activity:** Could tamper with intermediate execution results in data memory and OR, or change instructions in ER.



#### During execution:

- Initially EXEC=0 (default value, e.g., after boot or a reset)
- O The <u>only way</u> to switch from <u>EXEC=0</u> to <u>EXEC=1</u> is to start execution from scratch
  - Program counter (PC) must point to the first instruction of ER (as determined in METADATA)
- If any of the following happens before PC reaches the last instruction of ER, APEX sets EXEC=0:
  - <u>Interruption:</u> irq, reset, PC \( \pm \) ER, etc...
    - Gives Malware opportunity to skip instructions, change intermediate execution data, outputs etc.
  - **DMA activity:** Could tamper with intermediate execution results in data memory and OR, or change instructions in ER.

#### **Key Observations:**

- 1- The only way to leave ER's execution with EXEC=1 is by running ER in its entirety (until its last instruction)!
- 2- In order to bind the execution to the produced output, ER must write outputs to OR (as configured in METADATA)!



#### After execution:

- Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
  - Recall: RA covers METADATA, ER and OR.



- After execution:
  - Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
    - Recall: RA covers METADATA, ER and OR.
  - Malicious/Infected Prover: Before calling RA it might try to:
    - Modify ER:
      - Spoof the code that produced a given result
        - Maybe the execution was done with some other invalid/malicious code to begin with!



- After execution:
  - Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
    - Recall: RA covers METADATA, ER and OR.
  - Malicious/Infected Prover: Before calling RA it might try to:
    - Modify ER:
      - Spoof the code that produced a given result
        - Maybe the execution was done with some other invalid/malicious code to begin with!
    - Modify OR:
      - Spoof the execution result



- After execution:
  - Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
    - Recall: RA covers METADATA, ER and OR.
  - Malicious/Infected Prover: Before calling RA it might try to:
    - Modify ER:
      - Spoof the code that produced a given result
        - Maybe the execution was done with some other invalid/malicious code to begin with!
    - Modify OR:
      - Spoof the execution result
    - Modify METADATA to spoof challenge:
      - Use this execution proof with future challenges (execution replay attack!)



#### After execution:

- Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
  - Recall: RA covers METADATA, ER and OR.
- Malicious/Infected Prover: Before calling RA it might try to:
  - Modify ER:
    - Spoof the code that produced a given result
      - Maybe the execution was done with some other invalid/malicious code to begin with!
  - Modify OR:
    - Spoof the execution result
  - Modify METADATA to spoof challenge:
    - Use this execution proof with future challenges (execution replay attack!)
  - Modify METADATA to change ER/OR addresses:
    - Make it look like a valid proof of execution of some other ER, somewhere else in memory.
    - Make it look like this execution produced some other result, stored somewhere else in memory.

## **Attested Memory** Chal MOD $OR_{max}$ MOD $OR_{min}$ $ER_{max}$ $ER_{min}$ EXEC=1 EROR

#### After execution:

- Honest Prover: Calls attestation. Memory is set to produce a valid PoX for execution of <u>ER</u> with output <u>OR</u>
  - Recall: RA covers METADATA, ER and OR.
- Malicious/Infected Prover: Before calling RA it might try to:
  - Modify ER:
    - Spoof the code that produced a given result
      - Maybe the execution was done with some other invalid/malicious code to begin with!
  - Modify OR:
    - Spoof the execution result
  - Modify METADATA to spoof challenge:
    - Use this execution proof with future challenges (execution replay attack!)
  - Modify METADATA to change ER/OR addresses:
    - Make it look like a valid proof of execution of some other ER, somewhere else in memory.
    - Make it look like this execution produced some other result, stored somewhere else in memory.

APEX hardware module monitors for such actions setting **EXEC=0** if any of them happen!





METADATA is received by untrusted software running on the Prover that may (or may not):



#### METADATA is received by untrusted software running on the Prover that may (or may not):

- 3. Install the received code in the defined location
- 4. Setup configuration registers (e.g., "where to store the output" among others)
- 5. Execute the installed code
- 6. Call VRASED attestation functionality (locations to be attested defined according to step 4 above).



#### Meanwhile APEX verified hardware monitors steps 3 to 6:

- Controls the value of a 1-bit flag "EXEC".
  - IMPORTANT: EXEC is read-only to all software.
- EXEC=1 if and only if steps steps 3 to 6 happen securely:
  - If untrusted software misbehaves in 3 to 6: **EXEC=0**.
  - Several important details to the meaning of "securely" omitted in this presentation.
- EXEC value and the execution output are also covered by VRASED's attestation (in addition to the executed code).



#### VRASED's Attestation produces result H:

- Attestation result **H** is sent back to the Verifier along with output **O**.
- Both "EXEC" flag and are **O** are covered by VRASED's attestation.
- Verifier will only accept H reflecting EXEC=1.
- Therefore, Prover can not produce pair (H, O) that will be accepted by the verifier unless:
  - O was indeed produced by the execution expected software (as defined in METADATA).

Cryptographic challenge ensure freshness of the execution (i.e., no replay of previous executions/results).

## **APEX Verification**

#### **APEX Verification**

- Formal Verification: Why bother?
  - Formal specification:
    - Provides unambiguous logical expressions to state APEX sub-properties avoiding misinterpretation of requirements.
  - O Did we get it right?
    - Once properties are formally specified, the hardware design can be proved to adhere to such properties (computer aided verification via model checking)
  - Are these properties enough?
    - Many properties... we could be missing something!
    - Can use theorem proving to <u>show that the conjunction of all properties</u>, when applied to the low-end device machine model <u>implies an end-to-end</u> <u>notion of secure PoX</u>.

## **APEX Sub-Properties Formally**

 $G: \{reset \rightarrow \neg EXEC\}$ 

| 6                            |                                                                                                                                                                       |
|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                              | Definition 7. Necessary Sub-Properties for Secure Proofs of Execution in LTL.                                                                                         |
| Formalized                   | Ephemeral Immutability:                                                                                                                                               |
| using Linear                 | $\mathbf{G}:\ \{[W_{en} \wedge (D_{addr} \in ER)] \vee [DMA_{en} \wedge (DMA_{addr} \in ER)] \rightarrow \neg EXEC\}$                                                 |
| Temporal                     | Ephemeral Atomicity:                                                                                                                                                  |
| Logic(LTL)                   | $\mathbf{G}: \ \{(PC \in ER) \land \neg (\mathbf{X}(PC) \in ER) \rightarrow PC = ER_{max} \lor \neg \mathbf{X}(EXEC) \ \}$                                            |
| <b>8</b>                     | $\mathbf{G}:\ \{\neg(PC\in ER) \land (\mathbf{X}(PC)\in ER) \rightarrow \mathbf{X}(PC) = ER_{min} \lor \neg\mathbf{X}(EXEC)\}$                                        |
| Hardware                     | $\mathbf{G}:\ \{(PC \in ER) \land irq \rightarrow \neg EXEC\}$                                                                                                        |
|                              | Output Protection:                                                                                                                                                    |
| compliance<br>verified using | $\mathbf{G}:\ \{[\neg(PC\in ER) \land (W_{en} \land D_{addr} \in OR)] \lor (DMA_{en} \land DMA_{addr} \in OR) \lor (PC\in ER \land DMA_{en}) \rightarrow \neg EXEC\}$ |
| O                            | Executable/Output (ER/OR) Boundaries & Challenge Temporal Consistency:                                                                                                |
| NuSMV                        | $\mathbf{G}: \{ER_{min} > ER_{max} \lor OR_{min} > OR_{max} \to \neg EXEC\}$                                                                                          |
|                              | $\mathbf{G}: \{ER_{min} \le CR_{max} \lor ER_{max} > CR_{max} \to \neg EXEC\}$                                                                                        |
|                              | $\mathbf{G}:\ \{[W_{en} \land (D_{addr} \in METADATA)] \lor [DMA_{en} \land (DMA_{addr} \in METADATA)] \rightarrow \neg EXEC\}$                                       |
| Check APEX                   | Remark: Note that $Chal_{mem} \in METADATA$ .                                                                                                                         |
| paper for details            | Response Protection:                                                                                                                                                  |
|                              | $\mathbf{G}:\ \{\neg EXEC \land \mathbf{X}(EXEC) \rightarrow \mathbf{X}(PC = ER_{min})\}$                                                                             |

 $A_{en} \wedge (DMA_{addr} \in ER) \rightarrow \neg EXEC$ (3)  $R) \rightarrow PC = ER_{max} \lor \neg \mathbf{X}(EXEC) \}$ (4)  $\rightarrow \mathbf{X}(PC) = ER_{min} \lor \neg \mathbf{X}(EXEC)$ (5) (6)

(7)

(8)

(9)

(10)

(11)

(12)

## **Are APEX Properties Enough?**

The conjunction of APEX properties are shown to imply the following LTL Statement:

```
Definition 5. Formal specification of APEX's correctness.  \{ PC = ER_{min} \land [(PC \in ER \land \neg Interrupt \land \neg reset \land \neg DMA_{en}) \quad U \quad PC = ER_{max}] \quad \land \\ [(\neg Modify\_Mem(ER) \land \neg Modify\_Mem(METADATA) \land (PC \in ER \lor \neg Modify\_Mem(OR))) \quad U \quad PC = CR_{min}] \\ \} \quad B \quad \{EXEC \land PC \in CR\}
```

- The notion of Secure PoX is formalized as a Security Game
- APEX is hardware is composed into VRASED formally verified RA architecture [Sec'19]
- The composition is shown to imply **Secure PoX**, as long as
  - 1- VRASED is a secure RA Architecture (RA Security Game), and
  - 2- The above LTL statement holds.

See APEX paper for formal definitions and proof details.

## **Implementation and Evaluation**

## **Implementation and Evaluation**

- APEX was instantiated along with VRASED on OpenMSP430 Verilog Design
- Synthesized on Basys3
  FPGA
- Used to implement a fire sensor that "cannot lie".

## **Publicly Available at:**

https://github.com/sprout-uci/APEX



## **Implementation and Evaluation**

- On top of VRASED:
- 12% more Look-Up Tables
- 2% additional registers
- Relatively inexpensive in comparison with related security services for run-time attestation, such as Control Flow Attestation (CFA).







(b) % extra HW overhead: # Registers

# Thank you for listening. Questions?