Bypassing software-based remote attestation using debug registers


Bibliographic Details
Main Authors: Zheng Zhang, Jingfeng Xue, Tianshi Mu, Ting Yu, Kefan Qiu, Tian Chen, Yuanzhang Li
Format: Article
Language: English
Published: Taylor & Francis Group 2024-12-01
Series: Connection Science
Online Access: https://www.tandfonline.com/doi/10.1080/09540091.2024.2306965
Description
Summary: Remote attestation (RA) is an essential feature in many security protocols to verify the memory integrity of remote embedded devices susceptible to malware infections. The attestation process needs to be consecutive and atomic to prevent self-relocating malware from evading detection. Most prior attestation techniques disable interrupts during execution to prevent another process from interrupting the integrity check. This paper investigates the shortcomings of existing software-based attestation techniques and stresses the threat that debug exceptions pose to them: a debug exception is raised by the processor's debug registers and is not suppressed by disabling maskable interrupts. We present the Debug Register-based Self-relocating Attack (DRSA), a novel self-relocating malware against software-based attestation that is built on debug registers. DRSA gains control of the checksum function by raising debug exceptions and erases itself before the next attestation. We further implement DRSA on commodity OSes and validate its effectiveness against two existing software-based proposals. Our evaluation demonstrates that DRSA bypasses the attestation with very little attack overhead and is extremely difficult for the verifier to detect.
ISSN: 0954-0091 (print), 1360-0494 (online)
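The abstract describes two things a practitioner wants to see side by side: the nonce-seeded checksum a software-based attestation scheme relies on, and why a hardware breakpoint lets malware regain control inside a checksum routine that has disabled interrupts. The following model is an added illustration written for this page; it is not the authors' DRSA implementation nor the code of either attestation scheme the paper evaluates. Debug registers are simulated as a four-entry address-to-handler table that the simulated CPU consults on every executed address regardless of the interrupt flag; the addresses, the 16-byte payload, the fixed nonce and the "work budget" standing in for the verifier's timing bound are all assumptions of the model.

```python
"""Toy model of software-based remote attestation and of a self-relocating
evasion that regains control through a simulated debug exception.
Constructed illustration only; it is not the paper's DRSA code."""
import hashlib

MEM_SIZE = 4096                     # power of two, required by checksum()
CHECKSUM_ENTRY = 0x0100             # assumed address: checksum routine begins
CHECKSUM_EXIT = 0x01F0              # assumed address: checksum routine returns
MALWARE_ADDR = 0x0800               # assumed region the constructed malware overwrites
MALWARE_PAYLOAD = b"\xEB\xFE" * 8   # 16 constructed bytes (x86 "jmp $", repeated)


def checksum(memory: bytes, nonce: bytes) -> bytes:
    """Nonce-seeded checksum over all of memory.  A fresh nonce per run and a
    nonce-dependent visiting order force the prover to read its real memory at
    attestation time instead of replaying a stored answer.  The stride is odd,
    so with a power-of-two size every byte is visited exactly once."""
    h = hashlib.sha256(nonce)
    seed = int.from_bytes(h.digest()[:8], "big")
    step = (seed | 1) % len(memory)
    offset = (seed >> 16) % len(memory)
    for i in range(len(memory)):
        h.update(bytes([memory[(offset + i * step) % len(memory)]]))
    return h.digest()


class Prover:
    """Simulated device.  Maskable interrupts are dropped while disabled, but
    executing a watched address still dispatches the (simulated) debug
    exception handler, which is the distinction the attack relies on."""

    def __init__(self, memory: bytes):
        self.memory = bytearray(memory)
        self.interrupts_enabled = True
        self.breakpoints = {}        # address -> handler; stands in for DR0-DR3/DR7
        self.handler_work = 0        # bytes touched inside handlers (timing proxy)
        self.dropped_interrupts = 0

    def set_hw_breakpoint(self, addr: int, handler) -> None:
        assert len(self.breakpoints) < 4, "only four address registers modelled"
        self.breakpoints[addr] = handler

    def raise_interrupt(self) -> bool:
        """A maskable interrupt (e.g. a timer tick): ignored while disabled."""
        if not self.interrupts_enabled:
            self.dropped_interrupts += 1
            return False
        return True

    def execute(self, addr: int) -> None:
        handler = self.breakpoints.get(addr)
        if handler is not None:      # deliberately no check of interrupts_enabled
            self.handler_work += handler(self)

    def attest(self, nonce: bytes):
        self.interrupts_enabled = False   # what the attestation routine does
        self.execute(CHECKSUM_ENTRY)
        self.raise_interrupt()            # correctly blocked by the routine
        digest = checksum(bytes(self.memory), nonce)
        self.execute(CHECKSUM_EXIT)
        self.interrupts_enabled = True
        return digest, self.handler_work


class SelfRelocatingMalware:
    """Constructed evasion: a breakpoint on the checksum entry restores the
    original bytes, a breakpoint on its exit re-infects.  The saved copy lives
    in simulator state, standing in for storage the checksum does not cover."""

    def __init__(self, prover: Prover):
        end = MALWARE_ADDR + len(MALWARE_PAYLOAD)
        self.saved = bytes(prover.memory[MALWARE_ADDR:end])
        self.infect(prover)
        prover.set_hw_breakpoint(CHECKSUM_ENTRY, self.on_entry)
        prover.set_hw_breakpoint(CHECKSUM_EXIT, self.on_exit)

    @staticmethod
    def infect(prover: Prover) -> int:
        end = MALWARE_ADDR + len(MALWARE_PAYLOAD)
        prover.memory[MALWARE_ADDR:end] = MALWARE_PAYLOAD
        return len(MALWARE_PAYLOAD)

    def on_entry(self, prover: Prover) -> int:
        end = MALWARE_ADDR + len(self.saved)
        prover.memory[MALWARE_ADDR:end] = self.saved
        return len(self.saved)

    def on_exit(self, prover: Prover) -> int:
        return self.infect(prover)


def verify(clean_image: bytes, prover: Prover, nonce: bytes, work_budget: int) -> dict:
    """Verifier side: compare against the checksum of the known-good image and
    against a budget for extra work, the timing bound that software-based
    attestation falls back on when the checksum alone is fooled."""
    expected = checksum(clean_image, nonce)
    digest, work = prover.attest(nonce)
    end = MALWARE_ADDR + len(MALWARE_PAYLOAD)
    return {"checksum_ok": digest == expected,
            "timing_ok": work <= work_budget,
            "interrupt_blocked": prover.dropped_interrupts == 1,
            "infected_after": bytes(prover.memory[MALWARE_ADDR:end]) == MALWARE_PAYLOAD}


def run_scenarios(work_budget: int = 0) -> dict:
    clean = bytes(range(256)) * (MEM_SIZE // 256)                   # constructed image
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed nonce
    honest = Prover(clean)
    naive = Prover(clean)
    SelfRelocatingMalware.infect(naive)      # infected, never relocates
    evasive = Prover(clean)
    SelfRelocatingMalware(evasive)           # infected, relocates around the check
    return {"honest": verify(clean, honest, nonce, work_budget),
            "naive": verify(clean, naive, nonce, work_budget),
            "evasive": verify(clean, evasive, nonce, work_budget)}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:8s} {result}")
```

The naive infection fails the checksum because the nonce-driven sweep covers every byte, while the relocating variant passes it and is still resident afterwards; the only trace it leaves in this model is the extra work of the two handlers (32 byte-copies), which is why the abstract's "low overhead" claim matters: a verifier whose timing bound is looser than the attack's overhead has no remaining signal. The model does not show how a real OS lets code write DR0-DR7, which requires privilege and is OS-specific; the paper's evaluation on commodity OSes covers that part.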