Modern society is getting accustomed to the Internet of Things (IoT) and Cyber-Physical Systems (CPS) for a variety of applications that involve security-critical user data and information transfers. At the lower end of the spectrum, these devices are resource-constrained and have no attack protection. They become a soft target for malicious code modification attacks that steal device data and misuse it in malicious activities. A resilient system requires continuous detection, prevention, and/or recovery, together with correct code execution (including in degraded mode). By and large, existing security primitives (e.g., secure boot, Remote Attestation (RA), Control Flow Attestation (CFA), and Data Flow Attestation (DFA)) focus on detection and prevention, leaving proof of code execution and recovery unanswered. To this end, the proposed work presents RARES, a lightweight Runtime Attack Resilient Embedded System design using verified Proof-of-Execution. It presents the first custom hardware control register (Ctrl_register) based technique for classifying and detecting runtime memory modification attacks. It further demonstrates a Proof of Concept (POC) implementation of use-case-specific attack prevention and onboard recovery techniques. The prototype implementation on an Artix 7 Field Programmable Gate Array (FPGA) and a comparison with the state of the art demonstrate a very low (2.3%) resource overhead and the efficacy of the proposed solution.