1. Introduction

Embedded systems have recently become the main target for botnets as the cybersecurity threat landscape keeps growing. Previously, general-purpose computers were the primary targets, but given the kind of specialized tasks performed by embedded computing systems such as controllers, sensors, actuators and all possible hybrids thereof, the incentive to attack them has increased over the past few years. The Stuxnet incident is a good demonstration of the impact of compromised embedded systems, with an impressive scope \cite{chien2010}. With the rapid proliferation of embedded devices, driven by the development of the Internet of Things and the growing presence of mobile devices in many aspects of mundane tasks, remote attacks have become a clear and present danger. This motivates the need for countermeasures, a number of which have been proposed by the research community, and some of which have been implemented by manufacturers.
Trusted computing is becoming more important, especially in critical systems such as smart grids and financial transaction processing systems. Emerging cybersecurity threats such as advanced persistent threats, malware and social engineering have created numerous security problems for the current computing infrastructure due to its openness and interoperability. Inadequate access control systems have caused devastating attacks even at the hands of expert users. Attempts have been made to bring cryptographic infrastructure to the mass market, but with limited success \cite{1023787}. One of the proposed methods to ensure the integrity and authenticity of remote systems is the remote attestation protocol by IBM \cite{Sailer:2004:DIT:1251375.1251391}. Attestation allows a program to authenticate itself, and remote attestation is a means for one system to make reliable statements to another system about the software it is running.
Remote attestation provides a security guarantee by authenticating a remote host using its hardware and software configurations. The objective of the process is to enable a system to determine the level of trust in the integrity and authenticity of the remotely connected computing platform. Implementing remote attestation using a Trusted Platform Module (TPM) is a fairly new security solution proposed by the Trusted Computing Group (TCG). TPM is an international standard for a secure cryptoprocessor, dedicated hardware designed to ensure the security of the hardware platform used by a system by integrating cryptographic methods.
The remote attestation protocol proposed by IBM \cite{Sailer2004} is vulnerable to several primitive cybersecurity attacks. We evaluate the proposed protocol for its weaknesses and propose a modified version of the protocol that is secure against the selected threat models. We implemented our solution on the TPM 2.0 simulator, and experimental results show that it can successfully mitigate replay attacks and man-in-the-middle attacks, to which the original protocol was vulnerable.

1.1 Motivation

Attestation is designed to allow the remote host to build a trust foundation upon which the integrity and authenticity of future computation can be guaranteed. These implementations may be benign or draconian, and users will need to assess them carefully. If not properly implemented in a device, attestation will result in a certain loss of control. An owner may even be viewed as an adversary on her own machine.

1.2 Problem Definition

Using TPM for local attestation is proven to be secure, but remote attestation requires certain cryptographic primitives to be implemented correctly in order to provide security guarantees: even though the hardware itself can be trusted, it must be ensured that remote attestation can be achieved over an insecure network. In our work we implement a proof of concept showing that remote attestation can be implemented using TPM in a way that ensures security guarantees.

2. Background

2.1 Trusted Platform Module

A trusted platform module is a computing chip with a cryptoprocessor, secure memory, a compute engine and I/O components, attached to a computing platform. A protected capability on a platform configuration register (PCR), called extend, is defined in such a way that the current PCR value constitutes a trust chain (of events). A trust chain begins with a well-known initial state and comprises the sequence of events up to and including the event that brings a platform to its current state. This sequence is bootstrapped by a hardware root of trust for measurement (RTM), which can be static or dynamic \cite{article}.
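
How a verifier can use the extend chain described above, as an added example that is not code from the paper: each event digest is folded into the PCR as SHA-256(old PCR || digest), and the verifier replays a reported event log to check it against the quoted PCR value and a set of known-good measurements. The component names, the `boot` and `verify` helpers and the known-good set are assumptions made for illustration, and the signature on the quote is taken as already checked.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # static PCRs in a SHA-256 bank start as all zeros


def measure(component: bytes) -> bytes:
    """Digest of a component as recorded in the event log."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """Extend operation: the new value depends on every earlier event."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log) -> bytes:
    """Recompute the PCR value implied by an ordered list of digests."""
    pcr = PCR_RESET
    for digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def verify(event_log, quoted_pcr: bytes, known_good) -> str:
    """Verifier side: the log must reproduce the quoted PCR, and every
    measurement in it must be one the verifier already trusts."""
    if not hmac.compare_digest(replay(event_log), quoted_pcr):
        return "log does not match quoted PCR"
    for index, digest in enumerate(event_log):
        if digest not in known_good:
            return f"unknown measurement at event {index}"
    return "trusted"


# Constructed sample components (hypothetical names, not from the paper).
BOOTLOADER, KERNEL, APP = b"bootloader-v1", b"kernel-v1", b"app-bytecode-v1"
KNOWN_GOOD = {measure(c) for c in (BOOTLOADER, KERNEL, APP)}


def boot(components):
    """Platform side: measure each component in order and extend the PCR."""
    log = [measure(c) for c in components]
    return log, replay(log)
```

A modified component yields a consistent log with an unknown measurement, while a log rewritten to hide the modification no longer reproduces the quoted PCR.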

2.2 Attestation

Attestation is a mechanism for software to prove its identity. The goal of attestation is to prove to a remote party that your operating system and application software are intact and trustworthy. The verifier trusts that the attestation data is accurate because it is signed by a TPM whose key is certified by the CA \cite{Garfinkel:2003:FOS:1251054.1251079}.

2.3 Dynamic Root of Trust

Recently a new mechanism was added to the TPM specifications \cite{group} which provides a way to perform attestation dynamically, i.e. after boot. Many vendors have welcomed this new mechanism and implemented it in their own systems, e.g. Intel TXT \cite{corporation2009} and AMD SVM \cite{devices2005}. This technique allows a specific CPU instruction to reset the state of some PCRs, isolate a memory region, hash its content and atomically execute it. Several tamper prevention mechanisms, such as disabling DMA and resetting the TPM PCRs, are included to prevent fraudulent attestation.

3. Implementation

In our research, we have implemented the whole workflow from quoting authentication, remote attestation to encrypted data communication using TPM. The following shows an implementation of a trusted runtime environment (TRE) with TPM which can remotely communicate with another system (PP). In the workflow, we need to make sure the following:
The whole workflow consists of two parts, TRE booting and TRE & PP data transmission, which shows how TRE works with PP for data transmission and process acquirement. In our work, we used a client-server architecture and the Java programming language to implement the workflow.

3.1 TRE Boot

The TRE first boots the TPM. After the TPM boots, it gets the unified EK and generates the AIK with an RSA private key and public key. Afterwards, the TPM extends the bytecode of the running program into a PCR and gets the latest quote from the PCR for attestation.

3.2 Encrypted Communication

Encrypted communication is established in the following steps:
  1. TRE returns a one-time six-digit token to PP, to make sure that only the first one who receives this token can use this username / password to authenticate.
  2. PP sends back the token together with a processing request to TRE.
  3. TRE checks that this token has not been used before; if it has not, TRE sends the public key of the AIK to PP.
  4. PP uses the received public key with the RSA algorithm to encrypt the username (in our simulation, we always use Mike) and sends the encrypted data back to TRE.
  5. TRE receives the encrypted data and uses the AIK private key to decrypt the username.
  6. TRE runs the program query and returns the result together with the quote generated in Step 1.
  7. PP runs the quote part locally to confirm that the TRE has not been modified, which is the remote attestation step; if it passes, PP trusts the price value received from TRE.
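
The replay check of steps 1 to 3, as an added example that is not the paper's Java implementation: a TRE-side registry issues six-digit tokens from a CSPRNG, accepts each token exactly once even when two requests race, and never re-issues a value, so a captured request cannot match a later token. `TokenRegistry`, `handle_request`, `concurrent_redeems` and the message fields are hypothetical names, and the AIK public key is passed as an opaque value.

```python
import secrets
import threading

TOKEN_SPACE = 10**6  # six decimal digits, as in step 1


class TokenRegistry:
    """TRE-side record of issued and already redeemed one-time tokens."""

    def __init__(self):
        self._issued = set()  # every token ever handed out
        self._used = set()    # tokens that have been redeemed
        self._lock = threading.Lock()

    def issue(self) -> str:
        with self._lock:
            if len(self._issued) >= TOKEN_SPACE:
                raise RuntimeError("no unused six-digit token left")
            while True:
                token = f"{secrets.randbelow(TOKEN_SPACE):06d}"  # CSPRNG
                if token not in self._issued:
                    self._issued.add(token)
                    return token

    def redeem(self, token) -> bool:
        # Check and mark happen under one lock, so two racing requests
        # carrying the same token cannot both succeed.
        with self._lock:
            fresh = (isinstance(token, str) and token in self._issued
                     and token not in self._used)
            if fresh:
                self._used.add(token)
            return fresh


def handle_request(registry, message, aik_public_key):
    """Step 3: hand out the AIK public key only for a fresh token."""
    if not registry.redeem(message.get("token")):
        return {"status": "rejected", "reason": "token unknown or already used"}
    return {"status": "ok", "aik_public_key": aik_public_key}


def concurrent_redeems(registry, token, workers=8):
    """Redeem one token from several threads; returns how many succeeded."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(registry.redeem(token)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```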