MID-003: Periodic/Continuous Integrity Measurement and Remote Attestation
Mitigation Tier: Leading
Description
Building on the simpler MID-009 - Operating System-based Runtime Integrity Check, devices can go further and periodically take integrity measurements and send them out in remote attestation messages. These measurements can be implemented separately across multiple parts of the device stack, such as the bootloader, firmware, software, and application process level, and can include readings on bootloader integrity, device timing statistics, process and page-table integrity, and overall memory integrity. By combining all of this information, users can gain a reasonable sense of whether the device's normal operations have been manipulated.
Note: Periodic integrity measurements are the most valuable and trustworthy when a device has a secure operating environment in which to perform its measurement calculations and network encryption. The presence of these properties may, however, expose a device to threats related to PID-41 - Device exposes remote network services, PID-4113 - Device includes cryptographic functions for sensitive data, such as encryption or authentication, PID-251 - Root of Trust is physically accessible or is not immutable, or PID-252 - Root of Trust is immutable.
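The measure-then-attest flow described above, as an added example that is not part of this entry or of any vendor's attestation code: the device hashes each stack layer in boot order into a PCR-style register plus an event log, then sends a quote bound to the verifier's nonce; the verifier checks authenticity, freshness, that the log reproduces the register, and that every layer matches its golden value. It assumes a symmetric HMAC attestation key provisioned in a secure element (a simplification of the asymmetric quotes a TPM or TrustZone design would sign) and uses constructed stand-in images.

```python
import hashlib
import hmac
import json
# Constructed stand-ins for the stack layers the description lists; a real device
# hashes its actual bootloader, firmware and application images.
GOOD_STACK = {"bootloader": b"constructed bootloader v1", "firmware": b"constructed firmware v1",
              "application": b"constructed application v1"}
ATTEST_KEY = b"constructed-attestation-key"  # assumed provisioned in a secure element

def extend(register: bytes, digest: bytes) -> bytes:
    """PCR-style extend: the final register value binds the whole measurement order."""
    return hashlib.sha256(register + digest).digest()

def measure(stack: dict) -> tuple:
    """Hash each layer in boot order, extend into one register, keep an event log."""
    register, log = b"\x00" * 32, []
    for name, image in stack.items():
        digest = hashlib.sha256(image).hexdigest()
        log.append([name, digest])
        register = extend(register, bytes.fromhex(digest))
    return register.hex(), log

def device_quote(key: bytes, stack: dict, nonce: bytes) -> dict:
    """Device side: measure, then MAC the register, the log and the verifier's nonce."""
    register, log = measure(stack)
    payload = {"nonce": nonce.hex(), "register": register, "log": log}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_quote(key: bytes, quote: dict, nonce: bytes, golden_log: list) -> tuple:
    """Verifier side: authenticity, freshness, log/register consistency, golden values."""
    payload = quote["payload"]
    body = json.dumps(payload, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), quote["mac"]):
        return False, "mac mismatch: quote not produced with the attestation key"
    if payload["nonce"] != nonce.hex():
        return False, "nonce mismatch: stale or replayed quote"
    register = b"\x00" * 32
    for _, digest in payload["log"]:
        register = extend(register, bytes.fromhex(digest))
    if register.hex() != payload["register"]:
        return False, "event log does not reproduce the reported register"
    if payload["log"] == golden_log:
        return True, "all layers match their golden measurements"
    for (name, digest), (_, golden) in zip(payload["log"], golden_log):
        if digest != golden:
            return False, f"{name} measurement differs from its golden value"
    return False, "layer set differs from the golden log"
GOLDEN_LOG = measure(GOOD_STACK)[1]  # captured at provisioning, held by the verifier
```

A fresh nonce per attestation round is what turns a periodic measurement into evidence the verifier can trust; without it a captured good quote can be replayed indefinitely.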
IEC 62443 4-2 Mappings
- CR 3.4 – Software and information integrity