English

On the TOCTOU Problem in Remote Attestation

Cryptography and Security 2021-04-19 v2

Abstract

We propose Remote Attestation with TOCTOU Avoidance (RATA): a provably secure approach to address the RA TOCTOU problem. With RATA, even malware that erases itself before execution of the next RA, can not hide its ephemeral presence. RATA targets hybrid RA architectures (implemented as Hardware/Software co-designs), which are aimed at low-end embedded devices. We present two alternative techniques - RATAa and RATAb - suitable for devices with and without real-time clocks, respectively. Each is shown to be secure and accompanied by a publicly available and formally verified implementation. Our evaluation demonstrates low hardware overhead of both techniques. Compared with current RA architectures - that offer no TOCTOU protection - RATA incurs no extra runtime overhead. In fact, RATA substantially reduces computational costs of RA execution.

Keywords

Cite

@article{arxiv.2005.03873,
  title  = {On the TOCTOU Problem in Remote Attestation},
  author = {Ivan De Oliveira Nunes and Sashidhar Jakkamsetti and Norrathep Rattanavipanon and Gene Tsudik},
  journal= {arXiv preprint arXiv:2005.03873},
  year   = {2021}
}
R2 v1 2026-06-23T15:23:59.852Z