Description: |
Ensuring availability is a critical requirement for the Internet of Things (IoT). CIDER, a recovery architecture, and its follow-up scheme, Lazarus, are solutions to address this issue. CIDER introduced a new hardware module, the Authenticated Watchdog Timer (AWDT), to keep IoT devices running in normal mode as long as trusted authenticated tickets are received from a hub. If valid tickets are not received, the AWDT resets the device, and a recovery procedure takes over. Lazarus, a more advanced solution, implemented the AWDT in ARM TrustZone (TZ). CIDER and Lazarus promised to unconditionally recover control in case of compromised firmware. In this work, we analyze both and demonstrate that the schemes do not give such unconditional recovery. In particular, we identify two major problems. Attackers can easily make devices unavailable by manipulating the tickets. Even more severe is the fact that a runtime attack, utilizing a potential weakness in the trusted firmware, can also make a device unavailable and prevent the recovery mechanism. We notice that when the AWDT is implemented in TZ, a richer device security state information can be tracked securely, allowing the device to handle attacks in a much more robust way with a better availability guarantee. We design and implement a new solution using the same hardware as Lazarus. Our design introduces two new boot modes called LZ_VERIFY and MIN_APP. The former verifies whether the disruption is caused by a network issue or a runtime attack, enhancing the device’s decision-making for subsequent actions. The latter is when the device expends minimal computational effort to maintain usability while the attack is ongoing. Assuming the time spent in MIN_APP as uptime, our evaluation shows that under network attack conditions, the new design improves device availability from 1.66% to 99.95% compared to Lazarus, a significant improvement. A similar design is also possible using a hardware AWDT, as used by CIDER. |
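As an added illustration (not code from the paper or from CIDER/Lazarus), the following Python model plays out the ticket-driven AWDT described above across a run of watchdog periods and compares the Lazarus-style reaction (reset straight into recovery) with the LZ_VERIFY/MIN_APP flow; the HMAC ticket format, the `trusted_fw_ok` flag standing in for LZ_VERIFY's check, and the recovery cost are all assumptions made here for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; in CIDER/Lazarus the ticket key is held by the AWDT
# (hardware or TrustZone), never by the untrusted application firmware.
HUB_KEY = b"constructed-demo-key"
RECOVERY_PERIODS = 3  # assumed cost of one reset-and-recover cycle, in AWDT periods


def make_ticket(seq, key=HUB_KEY):
    """Hub side: an authenticated ticket is (sequence number, HMAC tag)."""
    return seq, hmac.new(key, seq.to_bytes(4, "big"), hashlib.sha256).digest()


def ticket_valid(ticket, last_seq, key=HUB_KEY):
    """AWDT side: accept only a fresh (monotonic) ticket with a correct tag."""
    if ticket is None:
        return False
    seq, tag = ticket
    expected = hmac.new(key, seq.to_bytes(4, "big"), hashlib.sha256).digest()
    return seq > last_seq and hmac.compare_digest(tag, expected)


def simulate(tickets, trusted_fw_ok, verify_mode):
    """One AWDT period per entry of `tickets` (None = nothing arrived).

    verify_mode=False: Lazarus-style, a missing/invalid ticket resets the device
    straight into recovery. verify_mode=True: the LZ_VERIFY/MIN_APP flow; the
    assumed flag `trusted_fw_ok` stands in for LZ_VERIFY's integrity check and is
    held fixed for the whole run. Returns (uptime periods, per-period trace).
    """
    mode, last_seq, recover_left, uptime, trace = "NORMAL", -1, 0, 0, []
    for t in tickets:
        if recover_left:                      # still inside a recovery cycle
            recover_left -= 1
            period = "RECOVERY"
        elif ticket_valid(t, last_seq):
            last_seq, mode = t[0], "NORMAL"
            period = "NORMAL"
        elif verify_mode and mode == "NORMAL":
            mode = period = "LZ_VERIFY"       # reset into verification boot mode
        elif verify_mode and trusted_fw_ok:
            mode = period = "MIN_APP"         # network issue: keep serving minimally
        else:
            mode, recover_left = "NORMAL", RECOVERY_PERIODS - 1
            period = "RECOVERY"               # runtime attack, or no verify mode
        uptime += period in ("NORMAL", "MIN_APP")
        trace.append(period)
    return uptime, trace
```

With eight of ten tickets withheld, the Lazarus-style run spends nine periods in recovery while the verify-mode run with intact trusted firmware stays usable in MIN_APP; with `trusted_fw_ok` false, LZ_VERIFY hands off to recovery instead.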