ENSsys, Workshop co-located with ACM SenSys’21, November 15–17, 2021, Coimbra, Portugal
Rabbani et al.

RESERVE: Remote Attestation of Intermittent IoT devices

Md Masoom Rabbani, ES&S, imec-COSIC, ESAT, KU Leuven, Diepenbeek, Belgium, mdmasoom.rabbani@kuleuven.be
Edlira Dushku, DTU Compute, Technical University of Denmark (DTU), Lyngby, Denmark, edldu@dtu.dk
Jo Vliegen, ES&S, imec-COSIC, ESAT, KU Leuven, Diepenbeek, Belgium, jo.vliegen@kuleuven.be
An Braeken, Faculty of Engineering, Vrije Universiteit Brussel (VUB), Brussels, Belgium, an.braeken@vub.ac.be
Nicola Dragoni, DTU Compute, Technical University of Denmark (DTU), Lyngby, Denmark, ndra@dtu.dk
Nele Mentens, ES&S, imec-COSIC, ESAT, KU Leuven & LIACS, Leiden University, Diepenbeek, Belgium, nele.mentens@kuleuven.be

ABSTRACT

Internet of Things (IoT) devices have enveloped our surroundings and have been increasingly deployed in many domains. Even though the IoT has generated unprecedented opportunities, the poorly secured design of IoT devices makes them an easy target for cyber attacks. Aimed at securing IoT devices, Remote Attestation (RA) is a security technique that identifies threat presence in IoT systems. Typically, RA is an atomic procedure that requires uninterrupted connectivity to execute. However, in an energy-harvesting context, where intermittent IoT devices go into sleep mode immediately after regular operations, the atomic property is difficult to achieve. In this paper, we propose RESERVE, a novel lightweight RA protocol designed specifically for intermittent IoT devices. RESERVE aims to improve the security of intermittent systems by detecting malware presence during online mode and guaranteeing with some probability software legitimacy during offline mode. In particular, RESERVE ensures trustworthiness by organizing the device’s software into modules, and after regular operation each device attests as many modules as fit in its energy budget.

CCS CONCEPTS

Security and privacy → Network security; Computer systems organization → Embedded systems.

KEYWORDS

remote attestation, security, intermittent computation

ACM Reference Format:
Md Masoom Rabbani, Edlira Dushku, Jo Vliegen, An Braeken, Nicola Dragoni, and Nele Mentens. 2021. RESERVE: Remote Attestation of Intermittent IoT devices. In The 19th ACM Conference on Embedded Networked Sensor Systems (SenSys ’21), November 15–17, 2021, Coimbra, Portugal. ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3485730.3493364

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2021 Association for Computing Machinery. ACM ISBN 978-1-4503-9097-2/21/11...$15.00
https://doi.org/10.1145/3485730.3493364

1 INTRODUCTION

Internet of Things (IoT) devices are permeating our surroundings by increasingly getting deployed in multiple domains ranging from smart homes to smart cities. However, the vast majority of IoT devices lack even basic security properties, and testing of these devices is often overlooked due to their low-cost nature. Thus, attacks like Stuxnet [18], the Mirai botnet [17], the smart TV hack [2], and IoT ransomware [1], to mention only a few, have exploited IoT vulnerabilities and have proven devastating.

To deal with the expanding attack surface in IoT, Remote Attestation (RA) is a well-established security mechanism that detects malware presence in a device. In RA, a trusted party called Verifier verifies the trustworthiness of a potentially untrusted device called Prover. Classically, RA gets executed randomly at unpredictable times and requires an uninterrupted power supply during attestation. In addition, during attestation, the Prover stops its regular operations for a certain period of time to perform RA execution. Thus, RA is an overhead operation. This is a very strong assumption for the energy-harvesting environments which deploy intermittent devices and therefore cannot rely on a continuous power source. To this end, performing RA over a network of devices that work under intermittent connectivity remains an open challenge.

Europe has recently begun the green transition to reduce the global energy footprint and eventually be climate-neutral by 2050. Intermittent IoT devices are increasingly used in different fields such as oil-gas exploration, weather monitoring, and military application. Due to their sensitive mode of operation and deployment in inaccessible terrains, it is essential to guarantee the security of their operations because it frequently results in financial loss. To preserve energy, these devices perform their regular task and switch to sleep mode. Thus, executing uninterrupted RA is challenging. Intermittent IoT systems require the development of novel RA protocols that address the interrupted nature of these systems and yet provide much-needed security.

Contribution of the Paper. In the context of the challenges described above, this paper brings two main contributions:

• To the best of our knowledge, RESERVE is the first RA protocol designed to enable attestation of intermittent IoT systems.
• RESERVE brings novelty in the RA domain by releasing the atomic execution assumption of the state-of-the-art RA protocols and allowing interruptibility in the attestation execution.
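
An added sketch (not code from the paper) of the idea stated in the abstract and contributions: software is split into modules, and the Prover attests as many modules as fit in each wake cycle's energy budget, resuming after sleep instead of running atomically. The HMAC construction, the pre-shared key, the per-module energy cost, the sequential module order and all names are assumptions made for illustration; this page does not specify RESERVE's actual messages.

```python
import hashlib
import hmac
import os

# Constructed sample firmware modules (illustrative data, not from the paper).
MODULES = [b"bootloader-v1", b"sensor-driver-v3", b"radio-stack-v2", b"app-logic-v7"]
KEY = b"placeholder-pre-shared-key"   # assumed Prover/Verifier shared secret
COST_PER_MODULE = 3                   # assumed energy units to attest one module

def measure(key, nonce, index, data):
    # Bind the module hash to the session nonce and the module's position.
    msg = nonce + index.to_bytes(2, "big") + hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Prover:
    def __init__(self, modules):
        self.modules = list(modules)
        self.next_index = 0   # would be kept in non-volatile memory across sleep

    def wake(self, nonce, energy_budget):
        # Attest modules until the leftover energy runs out, then go back to sleep.
        report = []
        while energy_budget >= COST_PER_MODULE and self.next_index < len(self.modules):
            i = self.next_index
            report.append((i, measure(KEY, nonce, i, self.modules[i])))
            energy_budget -= COST_PER_MODULE
            self.next_index += 1
        return report

class Verifier:
    def __init__(self, reference_modules):
        self.reference = list(reference_modules)
        self.nonce = os.urandom(16)   # fresh per session, prevents replayed reports
        self.verified, self.failed = set(), set()

    def check(self, report):
        for i, tag in report:
            expected = measure(KEY, self.nonce, i, self.reference[i])
            (self.verified if hmac.compare_digest(tag, expected) else self.failed).add(i)

    def coverage(self):
        return len(self.verified) / len(self.reference)

def run_session(device_modules, budgets):
    # One attestation session spread over several wake cycles (one budget each).
    verifier, prover = Verifier(MODULES), Prover(device_modules)
    for budget in budgets:
        verifier.check(prover.wake(verifier.nonce, budget))
    return verifier
```

With a single low-energy wake cycle the Verifier only learns about the modules reached so far, so a modified module later in the order stays undetected until a subsequent cycle covers it.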