Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #46

PURE: Using Verified Remote Attestation to Obtain Proofs of Update, Reset and Erasure in Low-End Embedded Systems

Ivan De Oliveira Nunes, Karim Eldefrawy, Norrathep Rattanavipanon, and Gene Tsudik

2019 · IEEE/ACM International Conference on Computer-Aided Design (ICCAD)

  • Theory
  • Applied
  • protocol

What does the paper try to establish?

Can a verifier do more than detect compromise on a low-end embedded device—can it obtain trustworthy evidence that the device was updated, erased, reset, and returned to a functional malware-free state?

What is the proposed answer?

PURE extends VRASED with three challenge-response services: Proof of Reset, Proof of Update, and Proof of Erasure. Security games and reductions tie valid proofs to the corresponding memory transition, modified trusted components are model-checked, and an OpenMSP430/Basys3 implementation adds about 0.4% registers and 50 bytes of trusted ROM.

Abstract

Remote Attestation (RA) is a security service that enables a trusted verifier (Vrf) to measure current memory state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv’s memory reflects a compromised state. However, RA by itself offers no means of remedying the situation once Prv is determined to be compromised. In this work we show how a secure RA architecture can be extended to enable important and useful security services for low-end embedded devices. In particular, we extend the formally verified RA architecture, VRASED, to implement provably secure software update, erasure, and system-wide resets. When (serially) composed, these features guarantee to Vrf that a remote Prv has been updated to a functional and malware-free state, and was properly initialized after such process. These services are provably secure against an adversary (represented by malware) that compromises Prv and exerts full control of its software state. Our results demonstrate that such services incur minimal additional overhead (0.4% extra hardware footprint, and 100-s milliseconds to generate combined proofs of update, erasure, and reset), making them practical even for the lowest-end embedded devices, e.g., those based on MSP430 or AVR ATMega micro-controller units (MCUs). All changes introduced by our new services to VRASED trusted components are also formally verified.

Provenance: Transcribed from the checked-in full-text PDF; calligraphic verifier/prover symbols were normalized to Vrf and Prv, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence High

The full paper combines explicit games and reductions, model-checked trusted-component changes, a concrete FPGA implementation, resource/runtime evaluation, and public artifacts, while retaining clear trusted-boundary limits.

Proof-of-Reset game, construction, theorem, and verified implementation Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary FPGA resources, ROM/RAM, and runtime evaluation Public implementation and verification artifacts
Auditability High

A checked-in full paper with hash/page count, precise anchors, DOI, and public code/verification branch make assumptions and evidence inspectable; the exact artifact revision is not pinned.

Problem, architecture goal, contributions, and headline overhead Public implementation and verification artifacts Official peer-reviewed publication identity
Production provenance Medium

Authors, venue, DOI, predecessor architecture, toolchain, hardware platform, and repository are documented; roles, revision history, immutable artifact versions, and run provenance remain incomplete.

Official peer-reviewed publication identity Public implementation and verification artifacts FPGA resources, ROM/RAM, and runtime evaluation
External scrutiny High

ICCAD review plus inspectable model-checked components and public implementation provide multiple scrutiny surfaces; independent reproduction and public review reports were not found.

Official peer-reviewed publication identity Public implementation and verification artifacts
Reception High

OpenAlex reported 16 citations on 2026-07-11; under the finalized rubric, 11 or more located citations is High.

Dated citation-count snapshot
Contribution significance High

PURE turns verified compromise detection into a composable remote-remediation path with formal and concrete evidence for constrained devices; broad deployment and independent replication remain unaudited.

Problem, architecture goal, contributions, and headline overhead FPGA resources, ROM/RAM, and runtime evaluation

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

PURE

A verified-attestation extension that gives a remote verifier cryptographic proofs of reset, update, and erasure on a low-end MCU.

Problem, architecture goal, contributions, and headline overhead
  1. contribution

    Central answer

    implemented and formally analyzed

    Reuse VRASED's protected HMAC and hardware monitor to bind a fresh challenge to reset, update, or erasure transitions, then serially compose the three services.

    VRASED architecture, LTL verification, and inherited RA game Proof-of-Reset game, construction, theorem, and verified implementation Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary Proof-of-Erasure construction and helper-code caveat
  2. threat model

    Full software-compromise adversary

    defined

    Malware controls the prover's writable memory and software execution, including code-reuse attempts and refusal to cooperate, but cannot violate protected hardware/ROM, extract the attestation key, or mount physical/fault attacks.

    Full software-compromise adversary and physical/hardware assumptions
  3. protocol group Three remediation services specified verified and implemented

    Each service has a security game and construction; only trusted-component changes are model-checked, while theorem proofs connect accepted HMAC evidence to the intended state transition.

    Proof-of-Reset game, construction, theorem, and verified implementation Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary Proof-of-Erasure construction and helper-code caveat
    1. protocol

      Proof of Erasure (PoE)

      implemented and reduction reused

      PoE specializes update to an all-zero target over the erased region; erasing all writable memory requires immutable or separately attested helper code to avoid hiding malware in an excluded region.

      Proof-of-Erasure construction and helper-code caveat
  4. claim group Principal claims mixed formal and empirical

    PURE claims game-based service security, formal conformance of modified trusted hardware, low incremental footprint, and practical runtime.

    Proof-of-Reset game, construction, theorem, and verified implementation Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary FPGA resources, ROM/RAM, and runtime evaluation
    1. claim

      Small incremental cost

      experimentally supported

      Relative to VRASED, PURE adds 4 LUTs, 3 registers, about 50 bytes of trusted ROM, and 26 bytes of helper code; PoR takes 26 ms at 8 MHz and update/erasure scale linearly with memory size.

      FPGA resources, ROM/RAM, and runtime evaluation
  5. evidence group

    Evidence stack

    formal artifact and fpga measurement

    Security games and theorem arguments, NuSMV checks of added trusted logic, an OpenMSP430/Basys3 FPGA implementation, resource synthesis, runtime measurements, and a public code branch jointly support the claims.

    Proof-of-Reset game, construction, theorem, and verified implementation Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary FPGA resources, ROM/RAM, and runtime evaluation Public implementation and verification artifacts
  6. limitation group

    Security and deployment boundaries

    material

    A valid proof does not authenticate who requested a malicious update unless verifier authentication is enabled; writable helper code can be erased or infected; physical attacks, faults, and the complete MCU are outside the model.

    Full software-compromise adversary and physical/hardware assumptions Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary Proof-of-Erasure construction and helper-code caveat

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Problem, architecture goal, contributions, and headline overhead Abstract and Section 1, PDF pages 1-2
  2. VRASED architecture, LTL verification, and inherited RA game Section 3, PDF pages 2-4
  3. Full software-compromise adversary and physical/hardware assumptions Section 4, PDF page 4
  4. Proof-of-Reset game, construction, theorem, and verified implementation Section 5, PDF pages 4-6
  5. Proof-of-Update game, construction, theorem, request authentication, and helper-code boundary Section 6, PDF pages 6-7
  6. Proof-of-Erasure construction and helper-code caveat Section 7, PDF page 7
  7. FPGA resources, ROM/RAM, and runtime evaluation Section 8, Table 2 and Figure 5, PDF pages 7-8
  8. Serial-composition conclusion and future directions Section 9, PDF page 8
  9. Public implementation and verification artifacts PURE repository branch, accessed 2026-07-11
  10. Official peer-reviewed publication identity ICCAD 2019, DOI 10.1109/ICCAD45719.2019.8942118
  11. Dated citation-count snapshot OpenAlex reported 16 citing works on 2026-07-11