Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #42

Reconciling Remote Attestation and Safety-Critical Operation on Simple IoT Devices

Xavier Carpent, Karim Eldefrawy, Norrathep Rattanavipanon, Ahmad-Reza Sadeghi, and Gene Tsudik

2018 · 55th Design Automation Conference (DAC)

  • Theory
  • protocol

What does the paper try to establish?

How can remote attestation preserve malware-detection value when its atomic memory scan can delay safety-critical work, yet making the scan interruptible creates opportunities for transient or self-relocating malware?

What is the proposed answer?

There is no single cost-free reconciliation. The paper organizes a protocol design space around periodic self-measurement, randomized traversal, and lock-scheduled interruptible measurements; each changes freshness, false-negative probability, temporal consistency, availability, hardware assumptions, or communication requirements.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence Medium

The complete paper offers explicit threat scenarios, timing evidence, and mechanism/probability analysis, but it is an invited synthesis without a new implementation, full formal proof, or independent evaluation.

Hashing cost and safety-critical fire-alarm example SMARM shuffled-measurement analysis Conclusions and tradeoff boundary
Auditability High

Checked-in author text with SHA-256/page count, an NSF copy, precise page anchors, and a DOI make all represented arguments directly inspectable.

Safety/security conflict, malware classes, and mitigation overview Official invited-paper publication identity
Production provenance Medium

Authorship, invited status, venue, date, DOI, and manuscript are documented; contributor roles, revision history, and exact source lineage are not.

Safety/security conflict, malware classes, and mitigation overview Official invited-paper publication identity
External scrutiny Medium

DAC publication establishes external exposure, but review reports, artifact review, and independent validation of the synthesis were not found.

Official invited-paper publication identity
Reception High

OpenAlex reported 12 citations on 2026-07-11; under the author-defined rule, more than 10 located citations is High.

Dated citation-count snapshot
Contribution significance Medium

The paper clearly exposes a safety/security conflict and organizes practical protocol choices, but it primarily synthesizes mechanisms developed across prior work.

Safety/security conflict, malware classes, and mitigation overview Conclusions and tradeoff boundary

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Remote attestation under safety-critical constraints

A protocol-level analysis of why atomic attestation threatens availability and why interruptibility threatens malware detection, with a taxonomy of imperfect mitigations.

Safety/security conflict, malware classes, and mitigation overview
  1. threat model

    Malware and availability threats

    defined

    Transient malware can leave between measurements, self-relocating malware can evade a predictable interruptible scan, and malware may trigger a nominally critical task to preempt attestation.

    Transient, self-relocating, and interrupt-triggering malware
  2. method Mitigation design space comparative analysis

    The paper compares three protocol families rather than presenting a single deployed system.

    All-Lock, decreasing-lock, and increasing-lock protocols SMARM shuffled-measurement analysis ERASMUS and SeED self-measurement designs and assumptions
    1. protocol

      Shuffled measurement

      probability analyzed

      SMARM hides traversal order so roving malware cannot know which block is safe; one scan leaves escape probability near e^-1, so repeated independent scans reduce but do not eliminate false negatives.

      SMARM shuffled-measurement analysis
  3. scrutiny

    External scrutiny

    invited venue paper

    DAC publication provides external venue exposure, while the represented source is an invited analytical paper and public review reports were not located.

    Official invited-paper publication identity

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Safety/security conflict, malware classes, and mitigation overview Abstract and Section 1, PDF page 1
  2. RA approaches, on-demand protocol, and coverage assumptions Sections 2.1-2.3, PDF pages 1-2
  3. Hashing cost and safety-critical fire-alarm example Sections 2.4-2.5 and Figure 2, PDF pages 2-3
  4. Transient, self-relocating, and interrupt-triggering malware Section 2.5, PDF page 3
  5. All-Lock, decreasing-lock, and increasing-lock protocols Section 3.1, PDF pages 3-5
  6. SMARM shuffled-measurement analysis Section 3.2, PDF page 5
  7. ERASMUS and SeED self-measurement designs and assumptions Section 3.3, PDF pages 5-6
  8. Conclusions and tradeoff boundary Section 4, PDF page 6
  9. Official invited-paper publication identity DAC 2018, DOI 10.1145/3195970.3199853
  10. Dated citation-count snapshot OpenAlex reported 12 citing works on 2026-07-11