Scientific knowledge map · Paper #41
Temporal Consistency of Integrity-Ensuring Computations and Applications to Embedded Systems Security
2018 · ACM Asia Conference on Computer and Communications Security (AsiaCCS)
- Theory
- Applied
- protocol
- scheme
Research question
What does the paper try to establish?
How can an interruptible integrity computation over mutable memory be made to describe a state that actually existed, without making a real-time embedded device unavailable for the entire computation?
Central answer
What is the proposed answer?
The paper defines temporal consistency, gives an attestation security game that makes the timing obligation explicit, and develops locking, copying, and inconsistency-detection mechanisms that trade memory availability against the interval for which the result is consistent. Implementations on two embedded boards report under ten-percent overhead for selected mechanisms.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence High
-
The complete paper combines an explicit model and security game, mechanism analysis, two implementations, and detailed experiments; code and independent reproduction were not audited.
Temporal-consistency model, notation, and attestation timing Temporal-consistency security game and adversarial objective Primitive, mechanism, and inconsistency-detection measurements - Auditability High
-
The author copy is checked in with SHA-256, page count, precise anchors, and an official DOI; implementation and raw measurements are not version-pinned here.
Problem, inconsistency attack, contributions, and claimed scope Official peer-reviewed publication identity - Production provenance Medium
-
Named authors, venue, DOI, full text, platforms, and methods are documented, while contribution roles, revision history, exact source revision, and experiment lineage remain unaudited.
Official peer-reviewed publication identity seL4-based implementation and experimental setup - External scrutiny Medium
-
AsiaCCS publication establishes venue scrutiny, but review reports, an artifact evaluation, and independent reproduction were not found.
Official peer-reviewed publication identity - Reception High
-
OpenAlex reported 21 citations on 2026-07-11; under the author-defined rule, more than 10 located citations is High. Counts do not certify correctness.
Dated citation-count snapshot - Contribution significance High
-
The paper frames a previously implicit implementation obligation, supplies a reusable definition and mechanism design space, and has documented follow-on attention; priority was not exhaustively audited.
Problem, inconsistency attack, contributions, and claimed scope Dated citation-count snapshot
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Temporal consistency for integrity computations
A definition, attack analysis, mechanism family, and two-platform evaluation for making long-running integrity computations over mutable embedded-system memory correspond to a real state.
Problem, inconsistency attack, contributions, and claimed scope-
question Research question
research questionCan integrity measurement remain interruptible for safety-critical work without producing a digest of a memory state that never existed?
Problem, inconsistency attack, contributions, and claimed scope Temporal-consistency model, notation, and attestation timing -
contribution Central answer
source assertedMake the desired consistency time or interval explicit, then enforce it with memory locking, snapshot copying, or detection-and-recovery rather than assuming immutable input.
Temporal-consistency model, notation, and attestation timing All-Lock, decreasing-lock, increasing-lock, and extended variants Memory-access violations and inconsistency detection -
definition Temporal consistency
definedFor a sequential function F over memory M, the output must equal F evaluated on all of M at some relevant time, rather than on a patchwork assembled from values observed before and after interrupts.
Temporal-consistency model, notation, and attestation timing -
threat model Mutable-memory and malware adversary
definedAn interrupting process or self-relocating malware can modify already measured or not-yet-measured blocks; remote attestation adds the objective of returning a valid-looking report while evading detection.
Problem, inconsistency attack, contributions, and claimed scope Temporal-consistency security game and adversarial objective -
scope System and enforcement assumptions
explicitly scopedThe mechanisms assume enforceable page or region permissions, trustworthy measurement code and key handling, and a platform able to mediate writes; the implementation uses seL4 capabilities and page faults on two ARM boards.
seL4-based implementation and experimental setup -
method Consistency mechanism family specified and implemented
The paper maps different lock and copy schedules to different consistency points, availability costs, and memory overheads.
All-Lock, decreasing-lock, increasing-lock, and extended variants Copy-lock, writeback, lazy-copy, and non-sequential variants-
scheme Locking variants
specified and implementedAll-Lock freezes all input; Dec-Lock releases blocks after reading and gives start-time consistency; Inc-Lock locks blocks as read and gives end-time consistency. Extended variants hold locks longer to widen the guaranteed interval.
All-Lock, decreasing-lock, increasing-lock, and extended variants -
scheme Copy-based variants
specifiedCpy-Lock briefly locks while copying input into a stable buffer, then computes over the copy; writeback and lazy-copy variants change memory, pause, and storage tradeoffs.
Copy-lock, writeback, lazy-copy, and non-sequential variants -
protocol Detect and resolve inconsistency
implementedWrite-protect attested pages, catch a modifying process through fault IPC, suspend checksum computation, release affected memory, and choose to abort, restart, or continue while reporting the inconsistency.
Memory-access violations and inconsistency detection Primitive, mechanism, and inconsistency-detection measurements
-
-
claim group Principal claims mixed
The work makes definitional, security-game, mechanism-correctness, and measured-overhead claims whose support types differ.
Temporal-consistency model, notation, and attestation timing Temporal-consistency security game and adversarial objective Primitive, mechanism, and inconsistency-detection measurements-
claim Each mechanism realizes a stated consistency point
analytically supportedThe lock/copy ordering arguments connect Dec-Lock to the start state, Inc-Lock to the end state, and full locking or stable copies to stronger intervals, conditional on enforcement and sequential access assumptions.
All-Lock, decreasing-lock, increasing-lock, and extended variants Copy-lock, writeback, lazy-copy, and non-sequential variants -
claim Practical overhead on tested platforms
experimentally supportedThe paper reports that selected consistency mechanisms add less than ten percent runtime overhead on I.MX6-SabreLite and ODROID-XU4, with availability behavior depending on page size, memory size, and write activity.
Primitive, mechanism, and inconsistency-detection measurements Conclusions and guarantee/performance boundary
-
-
evidence group Evidence stack
mixed formal and empiricalSupport consists of an explicit model and security game, mechanism-by-mechanism timing arguments, an seL4 implementation, primitive microbenchmarks, and end-to-end measurements over varying memory and page sizes.
Temporal-consistency security game and adversarial objective seL4-based implementation and experimental setup Primitive, mechanism, and inconsistency-detection measurements -
limitation group Boundaries and tradeoffs
materialNo mechanism simultaneously minimizes locking, storage, downtime, and detection latency. Guarantees depend on mediated memory writes, and results from two boards do not establish portability or independent reproduction.
Copy-lock, writeback, lazy-copy, and non-sequential variants Memory-access violations and inconsistency detection Conclusions and guarantee/performance boundary -
artifact group Artifacts and audit trail
partialThe full paper and official record are public with local fixity; this audit did not locate a version-pinned implementation, benchmark scripts, raw data, or reproduction report.
seL4-based implementation and experimental setup Official peer-reviewed publication identity -
scrutiny External scrutiny
venue reviewedAsiaCCS publication and later citations establish external exposure, but review reports and independent experimental or formal audits were not located.
Official peer-reviewed publication identity Dated citation-count snapshot -
lineage Research lineage
documentedThe temporal-consistency analysis supplies the mechanism vocabulary later used to explain the availability conflict in paper #42 and forms part of the verified-attestation line leading to VRASED and PURE.
Problem, inconsistency attack, contributions, and claimed scope Conclusions and guarantee/performance boundary
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Problem, inconsistency attack, contributions, and claimed scope Abstract and Section 1, PDF pages 1-2
- Temporal-consistency model, notation, and attestation timing Section 3 and Figure 3, PDF page 4
- Temporal-consistency security game and adversarial objective Appendix A, PDF pages 13-14
- All-Lock, decreasing-lock, increasing-lock, and extended variants Sections 4.1-4.2, PDF page 5
- Copy-lock, writeback, lazy-copy, and non-sequential variants Sections 4.3-4.4, PDF pages 5-7
- Memory-access violations and inconsistency detection Sections 4.6-4.7, PDF page 7
- seL4-based implementation and experimental setup Sections 5.1-5.2, PDF pages 7-8
- Primitive, mechanism, and inconsistency-detection measurements Sections 5.3-5.6 and Figures 7-12, PDF pages 8-11
- Conclusions and guarantee/performance boundary Section 7, PDF page 12
- Official peer-reviewed publication identity AsiaCCS 2018, DOI 10.1145/3196494.3196526
- Dated citation-count snapshot OpenAlex reported 21 citing works on 2026-07-11