Remote Attestation Assurance Arguments for Trusted Execution Environments

2 citations of this article; 5 Mendeley readers have it in their library.

Abstract

Remote attestation (RA) is emerging as an important security mechanism for cyber-physical systems with strict security requirements. Trusted computing at large, and Trusted Execution Environments (TEEs) in particular, have been identified as key technologies to enable RA, since they ideally allow retaining some element of control over remote devices even when those devices are compromised at the OS level. Unfortunately, it is sometimes claimed that TEEs provide RA support without substantiating how this support is actually provided. In this paper we build the assurance arguments for RA in order to carefully map how secure RA depends on underlying security properties, and how these in turn can be provided by TEE capabilities. We base our security analysis of RA on the existing literature on security requirements for RA, and use Goal Structuring Notation (GSN) as the method for building the security arguments. Our analysis identifies the set of TEE properties (as described in the GlobalPlatform standard) that are needed to support RA, and also which goals cannot be mapped to TEE implementations and therefore require other forms of evidence for RA to be trusted at the top level.

Citation (APA)

Usman, A. B., Cole, N., Asplund, M., Boeira, F., & Vestlund, C. (2023). Remote Attestation Assurance Arguments for Trusted Execution Environments. In SaT-CPS 2023 - Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (pp. 33–42). Association for Computing Machinery, Inc. https://doi.org/10.1145/3579988.3585056
