The wide adoption of IoT gadgets and Cyber-Physical Systems (CPS) makes embedded devices increasingly important. While some of these devices perform mission-critical tasks, they are usually implemented using Micro-Controller Units (MCUs) that lack security mechanisms on par with those available to general-purpose computers, making them more susceptible to remote exploits that could corrupt their software integrity. Motivated by this problem, prior work has proposed techniques to remotely assess the trustworthiness of embedded MCU software. Among them, Control Flow Attestation (CFA) enables remote detection of runtime abuses that illegally modify the program's control flow during execution. Despite these advances, current CFA methods share a fundamental limitation: they preclude interrupts during the execution of the software operation being attested. Simply put, existing CFA techniques are insecure unless interrupts are disabled on the MCU. On the other hand, we argue that the lack of interruptability can obscure CFA usefulness, as most embedded applications depend on interrupts to process asynchronous events in real-time. To address this limitation, we propose Interrupt-Safe Control Flow Attestation (ISC-FLAT): a CFA technique that is compatible with existing MCUs and enables interrupt handling without compromising the authenticity of CFA reports. Similar to other CFA techniques that do not require customized hardware modifications, ISC-FLAT leverages a Trusted Execution Environment (TEE) (in particular, our prototype is built on ARM TrustZone-M) to securely generate unforgeable CFA reports without precluding applications from processing interrupts. We implement a fully functional ISC-FLAT prototype on the ARM Cortex-M33 MCU and demonstrate that it incurs minimal runtime overhead when compared to existing TEE-based CFA methods that do not support interrupts.

翻译：物联网设备和信息物理系统（CPS）的广泛应用使得嵌入式设备日益重要。虽然其中一些设备执行关键任务，但它们通常采用微控制器单元（MCU）实现，缺乏通用计算机所具有的安全机制，因此更容易遭受可能破坏其软件完整性的远程攻击。针对这一问题，已有研究工作提出了远程评估嵌入式MCU软件可信度的技术。其中，控制流证明（CFA）能够远程检测运行时滥用行为，这些行为会在程序执行期间非法篡改其控制流。尽管取得这些进展，当前CFA方法存在一个根本性局限：在软件操作被证明的执行过程中，它们禁止中断。简而言之，除非在MCU上禁用中断，现有CFA技术是不安全的。另一方面，我们认为缺乏中断能力会削弱CFA的实用性，因为大多数嵌入式应用依赖于中断来实时处理异步事件。为克服这一局限，我们提出了中断安全控制流证明（ISC-FLAT）：一种与现有MCU兼容的CFA技术，它能够在不影响CFA报告真实性的前提下处理中断。与其他无需定制硬件修改的CFA技术类似，ISC-FLAT利用可信执行环境（TEE）（具体而言，我们的原型基于ARM TrustZone-M构建）安全地生成不可伪造的CFA报告，同时不阻止应用程序处理中断。我们在ARM Cortex-M33 MCU上实现了完整的ISC-FLAT原型，并证明与现有不支持中断的基于TEE的CFA方法相比，其引入的运行时开销极小。