{"schema_version":"0.1","map_id":"paper-47-map","publication_id":47,"publication_anchor":"paper-47","slug":"paper-47","canonical_path":"/knowledge/papers/paper-47/","machine_path":"/knowledge/papers/paper-47.json","root_node_id":"paper-47","stage":"mapped_draft","contribution_type_vocabulary_version":"0.1","contribution_types":[],"title":"Opinion: Advancing Remote Attestation via Computer-Aided Formal Verification of Designs and Synthesis of Executables","year":2019,"status":"Published · opinion paper","venue":"12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)","topic":"secure-systems-networks","labels":["Perspective"],"authors":["Karim Eldefrawy","Gene Tsudik"],"keywords":["remote attestation","formal verification","program synthesis","trusted computing","research agenda"],"research_question":"What must the remote-attestation community add to manual protocol reasoning and ad hoc implementation to obtain stronger confidence in claimed security, safety, and robustness?","central_answer":"The position paper argues for computer-aided specification and verification of RA protocols and hardware/software architectures, followed by correct-by-construction synthesis of executable components. It supports the agenda with concrete prior-design failures and identifies open obligations in property completeness, end-to-end verification, synthesis, and group attestation.","curation":{"drafted_at":"2026-07-11","drafted_by":[{"actor_type":"ai","name":"OpenAI Codex","role":"full-text argument mapping and initial assessment"}],"method":"Source-grounded review of the complete four-page opinion paper, including visual inspection of its first and research-agenda pages. The map distinguishes recommendations and case studies from proved technical results.","source_scope":"full_source_audit","approval":{"status":"pending","note":"AI-authored source map awaiting full author audit. Interpretation of the agenda and significance ratings remains provisional."}},"sources":[{"id":"source-paper-47-author-pdf","type":"author_hosted_copy","title":"Opinion: Advancing Remote Attestation via Computer-Aided Formal Verification of Designs and Synthesis of Executables","url":"/pubs/2019/ra-opinion_wisec2019.pdf","provenance_category":"author","media_type":"application/pdf","sha256":"8783d63cfbc287967fe23e65a708f59c1ca1345409ccda52c9d0ad9444463df3","page_count":4},{"id":"source-paper-47-official","type":"official_publication_record","title":"ACM WiSec 2019 publication record","url":"https://doi.org/10.1145/3317549.3323403","provenance_category":"official"},{"id":"source-paper-47-archive","type":"public_archive_copy","title":"NSF Public Access copy","url":"https://par.nsf.gov/servlets/purl/10121392","provenance_category":"archive"},{"id":"source-paper-47-citations","type":"citation_index_snapshot","title":"OpenAlex work W2946516862","url":"https://openalex.org/W2946516862","accessed_at":"2026-07-11"}],"source_anchors":[{"id":"anchor-paper-47-thesis","source_id":"source-paper-47-author-pdf","label":"Opinion thesis, motivation, and claimed objective","locator":"Abstract and Section 1, PDF page 1","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=1"},{"id":"anchor-paper-47-model","source_id":"source-paper-47-author-pdf","label":"RA protocol, remote adversary, and scope of desired verification","locator":"Section 2.1, PDF pages 1-2","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=1"},{"id":"anchor-paper-47-landscape","source_id":"source-paper-47-author-pdf","label":"Software, hardware, and hybrid RA comparison","locator":"Section 2.2, PDF page 2","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=2"},{"id":"anchor-paper-47-methods","source_id":"source-paper-47-author-pdf","label":"Existing verification efforts, HYDRA, and VRASED boundaries","locator":"Section 3.1, PDF page 3","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=3"},{"id":"anchor-paper-47-cases","source_id":"source-paper-47-author-pdf","label":"Temporal-consistency, interrupt atomicity, and availability case studies","locator":"Section 3.2, PDF page 3","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=3"},{"id":"anchor-paper-47-agenda","source_id":"source-paper-47-author-pdf","label":"Four-part research agenda","locator":"Section 4, PDF pages 3-4","url":"/pubs/2019/ra-opinion_wisec2019.pdf#page=3"},{"id":"anchor-paper-47-publication","source_id":"source-paper-47-official","label":"Official opinion-paper publication identity","locator":"WiSec 2019, DOI 10.1145/3317549.3323403","url":"https://doi.org/10.1145/3317549.3323403"},{"id":"anchor-paper-47-reception","source_id":"source-paper-47-citations","label":"Dated citation-count snapshot","locator":"OpenAlex reported 1 citing work on 2026-07-11","url":"https://openalex.org/W2946516862"}],"nodes":[{"id":"paper-47","kind":"paper","parent_id":null,"order":1,"epistemic_status":"published_opinion","title":"A formal-methods agenda for remote attestation","summary":"A position paper arguing that RA security claims need machine-assisted models, proofs, and synthesized implementations, supported by failure case studies and a four-part agenda.","source_anchor_ids":["anchor-paper-47-thesis"]},{"id":"paper-47-question","kind":"question","parent_id":"paper-47","order":1,"epistemic_status":"research_agenda_question","title":"Research question","summary":"How can RA move from plausible manual arguments to implementations whose architecture-level obligations are explicit and mechanically checked?","source_anchor_ids":["anchor-paper-47-thesis"]},{"id":"paper-47-answer","kind":"perspective","parent_id":"paper-47","order":2,"epistemic_status":"argued_position","title":"Central position","summary":"Specify RA requirements and threat models precisely, verify protocol and hardware/software components with computer aid, prove their composition, and synthesize executable artifacts from checked descriptions.","source_anchor_ids":["anchor-paper-47-thesis","anchor-paper-47-methods","anchor-paper-47-agenda"]},{"id":"paper-47-scope","kind":"scope","parent_id":"paper-47","order":3,"epistemic_status":"explicit","title":"Scope of the argument","summary":"The discussion focuses on challenge-response measurement against a remote software adversary; completeness of the initial security definition itself and physical adversaries are explicitly orthogonal or excluded.","source_anchor_ids":["anchor-paper-47-model"]},{"id":"paper-47-premise","kind":"premise","parent_id":"paper-47","order":4,"epistemic_status":"argued","title":"Why RA is a tractable first target","summary":"RA has only a few messages and basic primitives such as HMAC, yet hybrid implementations expose processor, memory, interrupt, and control-flow details that manual abstractions routinely miss.","source_anchor_ids":["anchor-paper-47-model","anchor-paper-47-methods"]},{"id":"paper-47-cases-node","kind":"evidence_group","parent_id":"paper-47","order":5,"epistemic_status":"case_based_argument","title":"Failure case studies","summary":"Three examples illustrate how omitted machine details can undermine a security or correctness story.","source_anchor_ids":["anchor-paper-47-cases"]},{"id":"paper-47-case-consistency","kind":"evidence","parent_id":"paper-47-cases-node","order":1,"epistemic_status":"literature_case","title":"Temporal consistency","summary":"Interruptible hashing may combine bytes from states that never coexisted, invalidating the implicit static-input premise and enabling relocating malware.","source_anchor_ids":["anchor-paper-47-cases"]},{"id":"paper-47-case-atomicity","kind":"evidence","parent_id":"paper-47-cases-node","order":2,"epistemic_status":"architecture_case","title":"Non-instantaneous interrupt control","summary":"On some MCUs, enabling or disabling interrupts spans cycles and can itself be interrupted, so a paper assumption of instantaneous atomicity may block formal verification or security.","source_anchor_ids":["anchor-paper-47-cases"]},{"id":"paper-47-case-availability","kind":"evidence","parent_id":"paper-47-cases-node","order":3,"epistemic_status":"design_case","title":"Self-attestation denial of service","summary":"A return-address API can point back to attestation entry and combine with enforced atomicity to trap a device in an endless attestation loop; a termination proof would expose the corner case.","source_anchor_ids":["anchor-paper-47-cases"]},{"id":"paper-47-agenda-node","kind":"agenda","parent_id":"paper-47","order":6,"epistemic_status":"proposed","title":"Four-part research program","summary":"The paper separates property completeness, design verification, implementation synthesis, and heterogeneous/group attestation as distinct obligations.","source_anchor_ids":["anchor-paper-47-agenda"]},{"id":"paper-47-agenda-properties","kind":"open_problem","parent_id":"paper-47-agenda-node","order":1,"epistemic_status":"proposed","title":"Prove completeness and minimality","summary":"Establish that the chosen properties/components are sufficient and no unnecessary hardware remains, especially for minimalist hybrid RA.","source_anchor_ids":["anchor-paper-47-agenda"]},{"id":"paper-47-agenda-verification","kind":"open_problem","parent_id":"paper-47-agenda-node","order":2,"epistemic_status":"proposed","title":"End-to-end computer-aided proofs","summary":"Verify protocols and HW/SW co-designs in compatible frameworks and prove composition rather than relying on separately checked components plus manual glue.","source_anchor_ids":["anchor-paper-47-agenda"]},{"id":"paper-47-agenda-synthesis","kind":"open_problem","parent_id":"paper-47-agenda-node","order":3,"epistemic_status":"proposed","title":"Correct-by-construction executables","summary":"Extend synthesis beyond small hardware monitors and inherited HMAC binaries to the complete attestation executable and services built on it.","source_anchor_ids":["anchor-paper-47-agenda"]},{"id":"paper-47-agenda-groups","kind":"open_problem","parent_id":"paper-47-agenda-node","order":4,"epistemic_status":"proposed","title":"Group and heterogeneous RA","summary":"Derive and verify properties for multiple, possibly heterogeneous provers instead of assuming single-prover requirements compose unchanged.","source_anchor_ids":["anchor-paper-47-agenda"]},{"id":"paper-47-boundaries","kind":"limitation_group","parent_id":"paper-47","order":7,"epistemic_status":"explicit","title":"Evidentiary boundary","summary":"This is an agenda and case-based argument, not a new protocol, proof, synthesized toolchain, implementation, or empirical evaluation; feasibility is illustrated by prior systems.","source_anchor_ids":["anchor-paper-47-thesis","anchor-paper-47-methods"]},{"id":"paper-47-artifacts","kind":"artifact_group","parent_id":"paper-47","order":8,"epistemic_status":"publication_only","title":"Publication resources","summary":"Author, NSF, and DOI copies are public with local fixity. No new code or dataset is claimed by the opinion paper.","source_anchor_ids":["anchor-paper-47-thesis","anchor-paper-47-publication"]},{"id":"paper-47-scrutiny","kind":"scrutiny","parent_id":"paper-47","order":9,"epistemic_status":"venue_reviewed_opinion","title":"External scrutiny","summary":"WiSec publication and shepherd acknowledgment establish venue exposure, but the normative agenda has not been independently validated as a theorem or standard.","source_anchor_ids":["anchor-paper-47-publication"]},{"id":"paper-47-lineage","kind":"lineage","parent_id":"paper-47","order":10,"epistemic_status":"documented","title":"VRASED/HYDRA/PURE context","summary":"HYDRA illustrates verified-component reuse, VRASED advances model-checked co-design, and PURE extends it to remediation; the paper argues the broader end-to-end agenda remains unfinished.","source_anchor_ids":["anchor-paper-47-methods","anchor-paper-47-agenda"]}],"relations":[{"id":"paper-47-relation-answer-question","type":"addresses","from_id":"paper-47-answer","to_id":"paper-47-question"},{"id":"paper-47-relation-premise-answer","type":"motivates","from_id":"paper-47-premise","to_id":"paper-47-answer"},{"id":"paper-47-relation-cases-answer","type":"supports","from_id":"paper-47-cases-node","to_id":"paper-47-answer"},{"id":"paper-47-relation-consistency-cases","type":"component_of","from_id":"paper-47-case-consistency","to_id":"paper-47-cases-node"},{"id":"paper-47-relation-atomicity-cases","type":"component_of","from_id":"paper-47-case-atomicity","to_id":"paper-47-cases-node"},{"id":"paper-47-relation-availability-cases","type":"component_of","from_id":"paper-47-case-availability","to_id":"paper-47-cases-node"},{"id":"paper-47-relation-agenda-answer","type":"operationalizes","from_id":"paper-47-agenda-node","to_id":"paper-47-answer"},{"id":"paper-47-relation-scope-answer","type":"qualifies","from_id":"paper-47-scope","to_id":"paper-47-answer"},{"id":"paper-47-relation-boundaries-answer","type":"qualifies","from_id":"paper-47-boundaries","to_id":"paper-47-answer"},{"id":"paper-47-relation-lineage-paper","type":"contextualizes","from_id":"paper-47-lineage","to_id":"paper-47"}],"assessment":{"id":"paper-47-assessment-2026-07-11","rubric_version":"0.2","assessed_at":"2026-07-11","status":"ai_draft_author_review_pending","note":"These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.","axes":[{"id":"epistemic_evidence","level":"medium","rationale":"The complete paper gives concrete architecture-level case studies and a logically separated agenda, but it is explicitly an opinion paper without new formal or experimental validation.","basis_source_anchor_ids":["anchor-paper-47-cases","anchor-paper-47-agenda"]},{"id":"auditability","level":"high","rationale":"A complete checked-in author copy with hash/page count, NSF archive copy, precise anchors, and DOI makes every represented argument inspectable.","basis_source_anchor_ids":["anchor-paper-47-thesis","anchor-paper-47-publication"]},{"id":"production_provenance","level":"medium","rationale":"Authors, venue, DOI, shepherd acknowledgment, and manuscript are documented; contribution roles, revision history, and drafting process are not.","basis_source_anchor_ids":["anchor-paper-47-thesis","anchor-paper-47-publication"]},{"id":"external_scrutiny","level":"medium","rationale":"WiSec publication establishes editorial and venue scrutiny, but public review reports or consensus validation of the proposed agenda were not located.","basis_source_anchor_ids":["anchor-paper-47-publication"]},{"id":"reception","level":"low","rationale":"OpenAlex reported 1 citation on 2026-07-11; under the finalized rubric, 0 through 8 located citations is Low.","basis_source_anchor_ids":["anchor-paper-47-reception"]},{"id":"contribution_significance","level":"medium","rationale":"The agenda identifies concrete, consequential gaps and links them to known failures, but downstream adoption is limited in the dated citation snapshot.","basis_source_anchor_ids":["anchor-paper-47-cases","anchor-paper-47-agenda","anchor-paper-47-reception"]}]},"reception_snapshot":{"as_of":"2026-07-11","method":"OpenAlex DOI lookup","citation_count":1,"source_url":"https://openalex.org/W2946516862","signals":["OpenAlex reported 1 work citing the WiSec opinion paper."],"limitation":"Citation counts vary by index/date and may undercount influence expressed through citations to VRASED, HYDRA, PURE, or the underlying case-study papers."}}
