SCRAPS: Scalable Collective Remote Attestation for Pub-Sub IoT Networks with Untrusted Proxy Verifier

Petzi et al. 2022 (31st USENIX Security Symposium, pp. 3484-3501)
Summary: Garrett Mills <glm@ku.edu>
https://garrettmills.dev/go/scraps
Attestation (noun) - the activity of making a claim to an appraiser about the properties of a target by supplying evidence which supports that claim. [1]
Smart Contracts (noun) - scripts stored on the blockchain. The contracts have their own state, and are triggered by messages/transactions sent to their respective addresses. [2]
Challenges adapting RA to IoT:

  1. IoT relies on asynchronous channels
  2. IoT devices may go offline to save power
  3. IoT networks use untrusted brokers
SCRAPS

  • Manufacturer's SC (config)
  • ProxyVerifier SC (appraiser)
  • Prover (target)
  • Verifier (requester)
  1. Prover registers with Broker
  2. Prover computes measurement using chain hash
  3. ProxyVerifier appraises evidence using config & freshness
  4. Verifier requests appraisal from ProxyVerifier
Figure 6
Figure 8
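The four-step flow above (Prover -> untrusted Broker -> ProxyVerifier <- Verifier), as an added runnable model that is not the paper's code. It folds the two smart contracts into plain Python objects (ManufacturerConfig for the config SC, ProxyVerifier for the appraiser SC), stands in for the device's asymmetric attestation key with an HMAC key the manufacturer config holds, and assumes one interpretation of the freshness parameters: T_min as the minimum spacing between accepted reports and T_exp as the age after which a stored appraisal is stale. The device IDs, memory segments, keys and timestamps are constructed for the scenario.

```python
"""Toy SCRAPS flow: Prover -> (untrusted) Broker -> ProxyVerifier <- Verifier.

Added example, not the paper's code. HMAC under a per-device key stands in for
the device signature the manufacturer's public key would verify; the meaning
of t_min / t_exp below is this example's assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass


def chain_hash(segments):
    """h_0 = H(s_0), h_i = H(h_{i-1} || s_i): one measurement over ordered memory regions."""
    h = b""
    for seg in segments:
        h = hashlib.sha256(h + seg).digest()
    return h.hex()


@dataclass(frozen=True)
class ManufacturerConfig:
    """Stand-in for the Manufacturer's SC: the reference values the appraiser trusts."""
    device_id: str
    device_key: bytes   # assumption: symmetric stand-in for the device attestation key
    expected_hash: str
    t_min: int          # assumed: minimum seconds between accepted reports
    t_exp: int          # assumed: seconds after which a stored appraisal is stale


@dataclass
class Evidence:
    device_id: str
    measurement: str
    timestamp: int
    tag: str = ""

    def payload(self):
        return f"{self.device_id}|{self.measurement}|{self.timestamp}".encode()


class Broker:
    """Untrusted pub-sub relay: it forwards evidence and may alter it."""
    def __init__(self):
        self.subscribers, self.registered = [], set()

    def register(self, device_id):      # step 1: Prover registers with Broker
        self.registered.add(device_id)

    def subscribe(self, handler):
        self.subscribers.append(handler)

    def publish(self, ev):
        if ev.device_id not in self.registered:
            raise KeyError("unregistered prover")
        for handler in self.subscribers:
            handler(ev)


class Prover:
    def __init__(self, device_id, key, segments):
        self.device_id, self.key, self.segments = device_id, key, list(segments)

    def attest(self, now):              # step 2: measurement via chain hash, then sign
        ev = Evidence(self.device_id, chain_hash(self.segments), now)
        ev.tag = hmac.new(self.key, ev.payload(), hashlib.sha256).hexdigest()
        return ev


class ProxyVerifier:
    """Stand-in for the ProxyVerifier SC: appraises once, answers any Verifier."""
    def __init__(self, configs):
        self.configs = {c.device_id: c for c in configs}
        self.state = {}                 # device_id -> (verdict, timestamp accepted)

    def appraise(self, ev):             # step 3: config + freshness
        cfg = self.configs.get(ev.device_id)
        if cfg is None:
            return "unknown"
        expect = hmac.new(cfg.device_key, ev.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, ev.tag):
            return "bad-signature"      # broker tampering or forgery; state unchanged
        last = self.state.get(ev.device_id)
        if last and ev.timestamp < last[1] + cfg.t_min:
            return "too-soon"           # replay or flooding; state unchanged
        verdict = "healthy" if ev.measurement == cfg.expected_hash else "compromised"
        self.state[ev.device_id] = (verdict, ev.timestamp)
        return verdict

    def query(self, device_id, now):    # step 4: Verifier requests the appraisal
        cfg, st = self.configs.get(device_id), self.state.get(device_id)
        if cfg is None or st is None:
            return "unknown"
        verdict, ts = st
        return "stale" if now > ts + cfg.t_exp else verdict


def run_demo():
    """Constructed scenario: honest report, replay, broker tampering, sleep past t_exp."""
    key, good = b"device-key-0001", [b"bootloader", b"firmware-v1"]
    cfg = ManufacturerConfig("dev-1", key, chain_hash(good), t_min=60, t_exp=600)
    broker, proxy, log = Broker(), ProxyVerifier([cfg]), []
    broker.subscribe(lambda ev: log.append(proxy.appraise(ev)))
    prover, r = Prover("dev-1", key, good), {}
    broker.register("dev-1")
    ev0 = prover.attest(now=1000)
    broker.publish(ev0)
    r["fresh"] = proxy.query("dev-1", now=1100)
    broker.publish(ev0)                                  # replayed by the broker
    r["replay"] = log[-1]
    bad = Prover("dev-1", key, [b"bootloader", b"firmware-backdoored"])
    ev1 = bad.attest(now=1100)
    ev1.measurement = cfg.expected_hash                  # broker rewrites the hash
    broker.publish(ev1)
    r["tampered"] = log[-1]
    broker.publish(bad.attest(now=1200))                 # honest report of bad firmware
    r["compromised"] = proxy.query("dev-1", now=1250)
    broker.publish(prover.attest(now=1300))              # device repaired, then sleeps
    r["asleep"] = proxy.query("dev-1", now=1300 + 600 + 1)
    return r
```

The last query shows the freshness/sleep tension listed under the weaknesses: a device that sleeps longer than T_exp reads as stale even though its last accepted report was healthy, so T_exp has to be set against the device's duty cycle rather than just the threat window.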

Smart Contracts

Strength: Problem/architecture formulation
Strength: Performance
Strength: Appraiser is as secure as the chain
Strength: Use of blockchain eliminates some attacks
Weakness: Interaction between freshness and sleep
Weakness: Limited appraisal & trust flexibility
Weakness: Determination of $T_{min}$ and $T_{exp}$
Weakness: Depends on manufacturer's pub-key to verify
Weakness: Evidence & appraisal privacy
Future work: Formal verification of ProxyVerifier
Future work: SC-based flexible mechanisms
Future work: SC-based flexible mechanisms (reprise)
References

[0] Petzi, Lukas, Ala Eddine Ben Yahya, Alexandra Dmitrienko, Gene Tsudik, Thomas Prantl, and Samuel Kounev. “SCRAPS: Scalable Collective Remote Attestation for Pub-Sub IoT Networks with Untrusted Proxy Verifier.” In Proceedings of the 31st USENIX Security Symposium, 3484–3501, 2022.

[1] Coker, George, Joshua Guttman, Peter Loscocco, Amy Herzog, Jonathan Millen, Brian O’Hanlon, John Ramsdell, Ariel Segall, Justin Sheehy, and Brian Sniffen. “Principles of Remote Attestation.” International Journal of Information Security 10, no. 2 (June 2011): 63–81. https://doi.org/10.1007/s10207-011-0124-7.

[2] Christidis, Konstantinos, and Michael Devetsikiotis. “Blockchains and Smart Contracts for the Internet of Things.” IEEE Access 4 (2016): 2292–2303. https://doi.org/10.1109/ACCESS.2016.2566339.

[3] Helble, Sarah C., Ian D. Kretz, Peter A. Loscocco, John D. Ramsdell, Paul D. Rowe, and Perry Alexander. “Flexible Mechanisms for Remote Attestation.” ACM Transactions on Privacy and Security 24, no. 4 (September 30, 2021): 29:1-29:23. https://doi.org/10.1145/3470535.