Scientific knowledge map · Paper #50
VRASED: A Verified Hardware/Software Co-Design for Remote Attestation
2019 · 28th USENIX Security Symposium
- Applied
- System
- Implementation
- Formal Verification
- protocol
Research question
What does the paper try to establish?
Can a low-end embedded device obtain strong, formally stated remote-attestation guarantees with only a small amount of additional hardware?
Central answer
What is the proposed answer?
VRASED combines verified HMAC software with a small hardware monitor, then connects component properties to end-to-end soundness and security under explicit MCU, compiler, cryptographic, and physical-attack assumptions.
Full paper abstract
Abstract
Remote Attestation (RA) is a distinct security service that allows a trusted verifier (Vrf) to measure the software state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv is in an illegal or compromised state. Although several RA approaches have been explored (including hardware-based, software-based, and hybrid) and many concrete methods have been proposed, comparatively little attention has been devoted to formal verification. In particular, thus far, no RA designs and no implementations have been formally verified with respect to claimed security properties. In this work, we take the first step towards formal verification of RA by designing and verifying an architecture called VRASED: Verifiable Remote Attestation for Simple Embedded Devices. VRASED instantiates a hybrid (HW/SW) RA co-design aimed at low-end embedded systems, e.g., simple IoT devices. VRASED provides a level of security comparable to HW-based approaches, while relying on SW to minimize additional HW costs. Since security properties must be jointly guaranteed by HW and SW, verification is a challenging task, which has never been attempted before in the context of RA. We believe that VRASED is the first formally verified RA scheme. To the best of our knowledge, it is also the first formal verification of a HW/SW co-design implementation of any security service. To demonstrate VRASED’s practicality and low overhead, we instantiate and evaluate it on a commodity platform (TI MSP430). VRASED was deployed using the Basys3 Artix-7 FPGA and its implementation is publicly available.
Provenance: Transcribed from the checked-in full-text PDF; calligraphic verifier/prover symbols were normalized to Vrf and Prv, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence Medium
-
Strong formal and empirical evidence supports the stated model, but crucial transfer steps to the concrete compiler, MCU, and integration are assumed; later adversarial work found implementation-level gaps.
LTL, NuSMV, Verilog2SMV, and composition workflow Soundness and security proof chain Verification results, overhead, and performance Independent adversarial analysis of gaps between formal models and concrete implementations - Auditability High
-
An author-hosted paper, implementation, verification specifications, scripts, and proof material are public and documented, making the work directly inspectable; auditability is high. The map has not pinned an immutable repository revision or recorded an independent full reproduction.
Public implementation, build instructions, verification specifications, and proof artifacts Verification results, overhead, and performance - Production provenance Medium
-
The record documents named authorship and the publication or review status of the paper, establishing a baseline human and lifecycle provenance trail. Contributor roles, revision and effort history, AI or tool use, artifact-version lineage, and explicit final approval have not yet been audited, so this provisional medium rating should not be read as complete production provenance.
Problem, contribution, and priority claims Public implementation, build instructions, verification specifications, and proof artifacts - External scrutiny High
-
The work passed conference review, exposes public artifacts, received detailed independent adversarial examination, and has a public response that records scope distinctions and prototype changes.
Official peer-reviewed publication record Independent adversarial analysis of gaps between formal models and concrete implementations Author response clarifying the verified module, integration assumptions, and prototype changes - Reception High
-
OpenAlex reported 89 citations for the USENIX record on 2026-07-11. Under the author-defined corpus rule, 11 or more located citations is High; follow-on architectures, outside analysis, and an independent reimplementation add qualitative evidence, but neither count nor uptake establishes correctness.
Dated citation-count snapshot Independent description of VRASED's formal model, trusted boundaries, and research lineage Public implementation, build instructions, verification specifications, and proof artifacts - Contribution significance High
-
The paper introduced a first-of-kind verified hybrid remote-attestation architecture and helped establish a research line around both verified low-end security architectures and the limits of transferring proofs to implementations.
Problem, contribution, and priority claims Claimed significance, portability, and future directions Independent description of VRASED's formal model, trusted boundaries, and research lineage
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
VRASED
A formally specified hardware/software architecture for remote attestation on low-end embedded devices, accompanied by proofs, model checking, a public implementation, and FPGA evaluation.
Problem, contribution, and priority claims-
question Research question
research questionCan remote attestation for a constrained MCU be both practical and connected to explicit end-to-end soundness and security definitions?
Problem, contribution, and priority claims -
contribution Central answer
source assertedUse verified HMAC software for the attestation computation and a small verified hardware monitor to enforce key protection, safe execution, and reset policies.
Problem, contribution, and priority claims LTL, NuSMV, Verilog2SMV, and composition workflow -
scope Scope, adversary, and assumptions explicitly scoped
The guarantees concern software-controlled attacks on a low-end MCU and hold only when the stated machine, compiler, cryptographic, and hardware boundaries are satisfied.
Adversarial capabilities, axioms A1-A7, and exclusions RA security game and SW-Att boundary-
threat model Software adversary
definedThe adversary controls all untrusted software and writable data, can relocate malware, and can control DMA, but cannot modify protected ROM or directly bypass HW-Mod.
Adversarial capabilities, axioms A1-A7, and exclusions RA security game and SW-Att boundary -
assumption Axioms A1-A7
assumedThe proof trusts accurate PC, memory, DMA, reset, and interrupt signals, plus compiler register cleanup and semantic preservation from verified C to assembly.
Adversarial capabilities, axioms A1-A7, and exclusions Soundness and security proof chain -
limitation Excluded attacks and components
explicitly excludedPhysical attacks, induced hardware faults, physical side channels, and verification of the complete MCU implementation are outside the proved model.
Adversarial capabilities, axioms A1-A7, and exclusions
-
-
method Architecture and enforcement path implemented
The design composes a trusted software attestation routine with hardware state machines that watch execution and force reset on policy violations.
Secure-attestation properties P1-P7 LTL, NuSMV, Verilog2SMV, and composition workflow-
component SW-Att
partially machine checkedHACL* HMAC-SHA256 derives a challenge-specific key and authenticates the requested memory region; HACL* supplies inherited F* proofs, while mapping those guarantees into VRASED's model is manual.
RA security game and SW-Att boundary -
component HW-Mod
model checkedHardware monitors observe program-counter, memory, interrupt, DMA, and reset signals; FSMs enforce LTL policies and reset the MCU when a policy is violated.
LTL, NuSMV, Verilog2SMV, and composition workflow LTL enforcement for access control, atomicity, confidentiality, DMA, and reset -
definition Required properties P1-P7
definedKey access control, no leakage, secure reset, functional correctness, immutability, atomicity, and controlled invocation are the bridge from components to remote-attestation guarantees.
Secure-attestation properties P1-P7
-
-
claim group Principal claims mixed
The paper makes formal claims about a stated model, an empirical claim about concrete overhead, and a priority claim about first-of-kind verification.
End-to-end soundness definition RA security game and SW-Att boundary Verification results, overhead, and performance-
claim End-to-end soundness
machine checked within modelSW-Att returns a temporally consistent HMAC of the attested memory as it existed when attestation began, conditional on the stated model and trusted boundaries.
End-to-end soundness definition Soundness and security proof chain -
claim End-to-end security
proved conditionalA polynomial-time software adversary cannot forge a valid report for a different memory state except with negligible probability, assuming a secure HMAC and the machine/compiler axioms.
RA security game and SW-Att boundary Soundness and security proof chain -
claim Practical overhead
experimentally supportedThe standard FPGA design adds 6.3% logic cells and reports approximately 3.6 million cycles, or 450 ms at 8 MHz, to attest 4 KB.
Verification results, overhead, and performance
-
-
evidence group Evidence chain documented
The evidence combines inherited software proofs, model-checked hardware properties, compositional reasoning, public artifacts, and FPGA measurements.
LTL, NuSMV, Verilog2SMV, and composition workflow Verification results, overhead, and performance Soundness and security proof chain-
evidence Formal verification path
machine checked and provedNuSMV checks the hardware LTL properties and composition; Spot checks stated LTL implications; the final HMAC security reduction is a conditional paper proof rather than a wholly machine-checked proof.
LTL, NuSMV, Verilog2SMV, and composition workflow Soundness and security proof chain -
evidence Prototype and measurements
implemented and measuredThe authors synthesize an OpenMSP430-based implementation for a Basys3 Artix-7 FPGA and report model-checker resources, hardware cost, memory, and attestation time.
OpenMSP430 and FPGA implementation Verification results, overhead, and performance -
artifact Public code and proof artifacts
publicly availableThe public repository includes source, build instructions, Verilog modules, verification specifications, scripts, and soundness/security proof material; this map has not pinned a commit or independently reproduced it.
Public implementation, build instructions, verification specifications, and proof artifacts
-
-
limitation group Trusted boundary and limitations material
The strongest guarantees apply to the formalized module and model; moving from verified source and FSMs to a concrete MCU/FPGA system introduces trusted steps.
Adversarial capabilities, axioms A1-A7, and exclusions Soundness and security proof chain-
limitation Compiler and timing preservation
assumedmsp430-gcc is trusted to preserve functional semantics and register cleanup; preservation of HACL* timing properties by the compiler and MCU is also assumed.
Adversarial capabilities, axioms A1-A7, and exclusions Soundness and security proof chain -
limitation MCU core and integration
unverified integrationThe whole OpenMSP430 core and its concrete integration are not verified; implementers must establish that each target MCU satisfies the abstract signal and reset axioms.
Adversarial capabilities, axioms A1-A7, and exclusions Author response clarifying the verified module, integration assumptions, and prototype changes -
limitation Physical and availability attacks
out of scopePhysical hardware attacks are excluded, and the base design does not authenticate verifier requests; the paper discusses an optional authenticated variant to reduce request-flooding risk.
Adversarial capabilities, axioms A1-A7, and exclusions Soundness and security proof chain
-
-
scrutiny Independent scrutiny and correction context independently examined
Later researchers examined the gap between VRASED's formal model and its concrete openMSP430 instantiation, and the VRASED repository records a scoped response and prototype changes.
Independent adversarial analysis of gaps between formal models and concrete implementations Author response clarifying the verified module, integration assumptions, and prototype changes-
counterevidence Mind the Gap analysis
independently reportedThe 2022 study reports attacks against concrete implementations and argues that formal guarantees do not automatically transfer across unmodeled assumptions and integration steps.
Independent description of VRASED's formal model, trusted boundaries, and research lineage Independent adversarial analysis of gaps between formal models and concrete implementations -
response VRASED repository response
author responseThe maintainers state that reported issues do not falsify properties of the verified RA module; they distinguish integration violations, out-of-model hardware changes, and an unverified fork, and report changes to the sample instantiation.
Author response clarifying the verified module, integration assumptions, and prototype changes
-
-
lineage Significance and research lineage
documentedVRASED presents a first-of-kind verified hybrid remote-attestation architecture and became a basis for follow-on architectures and independent examination of how proofs meet real systems.
Claimed significance, portability, and future directions Independent description of VRASED's formal model, trusted boundaries, and research lineage Public implementation, build instructions, verification specifications, and proof artifacts
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Problem, contribution, and priority claims Abstract and Section 1, PDF page 1
- Adversarial capabilities, axioms A1-A7, and exclusions Section 3.1, PDF pages 4-5
- Secure-attestation properties P1-P7 Section 3.2 and Figure 2, PDF page 5
- LTL, NuSMV, Verilog2SMV, and composition workflow Sections 3.3-3.4 and Figures 4-5, PDF page 6
- End-to-end soundness definition Section 4.2, Definition 1, PDF page 7
- RA security game and SW-Att boundary Section 4.2, Definition 2 and Figure 6, PDF page 8
- LTL enforcement for access control, atomicity, confidentiality, DMA, and reset Sections 4.4-4.9, PDF pages 9-11
- OpenMSP430 and FPGA implementation Section 6.1, PDF page 12
- Verification results, overhead, and performance Sections 6.2-6.4 and Tables 2-4, PDF page 13
- Claimed significance, portability, and future directions Sections 7-8, PDF pages 14-15
- Soundness and security proof chain Appendix A, Theorems 1-2, PDF pages 16-18
- Official peer-reviewed publication record USENIX Security 2019
- Public implementation, build instructions, verification specifications, and proof artifacts Repository README, accessed 2026-07-11
- Author response clarifying the verified module, integration assumptions, and prototype changes Repository README: A Note on the Extent of VRASED Verification, accessed 2026-07-11
- Independent description of VRASED's formal model, trusted boundaries, and research lineage Sections I-II, PDF pages 2-4
- Independent adversarial analysis of gaps between formal models and concrete implementations Abstract and contributions, PDF pages 1-2
- Dated citation-count snapshot OpenAlex reported 89 citing works for the USENIX record when accessed 2026-07-11