works.bib

@article{coker2011principles,
title={Principles of remote attestation},
author={Coker, George and Guttman, Joshua and Loscocco, Peter and Herzog, Amy and Millen, Jonathan and O’Hanlon, Brian and Ramsdell, John and Segall, Ariel and Sheehy, Justin and Sniffen, Brian},
journal={International Journal of Information Security},
volume={10},
number={2},
pages={63--81},
year={2011},
publisher={Springer}
}

@inproceedings{Kumar:2014:CVI:2535838.2535841,
author = {Kumar, Ramana and Myreen, Magnus O. and Norrish, Michael and Owens, Scott},
title = {CakeML: A Verified Implementation of ML},
booktitle = {Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages},
series = {POPL '14},
year = 2014,
isbn = {978-1-4503-2544-8},
location = {San Diego, California, USA},
pages = {179--191},
numpages = 13,
url = {http://doi.acm.org/10.1145/2535838.2535841},
doi = {10.1145/2535838.2535841},
acmid = 2535841,
publisher = {ACM},
address = {New York, NY, USA}
}

@article{pendergrass2017maat,
title={Maat: A Platform Service for Measurement and Attestation},
author={Pendergrass, J Aaron and Helble, Sarah and Clemens, John and Loscocco, Peter},
journal={arXiv preprint arXiv:1709.10147},
year=2017
}

@misc{pendergrass2017maat:github,
    title = {maat},
    author = {NationalSecurityAgency},
    year = {2023},
    howpublished = {\url{https://github.com/NationalSecurityAgency/maat}}
}

@inproceedings{Rowe:2016:Confining,
author = {Rowe, Paul D},
title = {Confining adversary actions via measurement},
booktitle={Third International Workshop on Graphical Models for Security},
address = {Lisbon, Portugal},
pages = {150-166},
year = {2016},
organization    = {Springer}
}

@inproceedings{Rowe:2016:Bundling,
author = {Rowe, Paul D},
title = {Bundling Evidence for Layered Attestation},
booktitle = {Trust and Trustworthy Computing},
year = {2016},
pages = {119--139},
publisher = {Springer International Publishing},
isbn = {978-3-319-45571-6},
doi = {10.1007/978-3-319-45572-3_7},
month = {08}
}

@article{Rowe:2019:Orchestrating,
author = {Rowe, Paul D and Ramsdell, John D and Alexander, Perry and Helble, Sarah C and Loscocco, Peter and Pendergrass, Aaron J and Petz, Adam},
title = {{Orchestrating Layered Attestations}},
journal = {Principles of Security and Trust},
address = {Prague, Czech Republic},
pages = {In Press},
year = 2019
}

@book{Chlipala:2013aa,
Author = {Chlipala, Adam},
Date-Added = {2015-09-15 19:03:08 +0000},
Date-Modified = {2015-09-15 19:03:16 +0000},
Publisher = {MIT Press},
Title = {Certified programming with dependent types: a pragmatic introduction to the coq proof assistant},
Year = {2013}
}

@article{Guttman:04:Verifying-infor,
Author = {Guttman, Joshua D. and Herzog, Amy L. and Ramsdell, John D. and Skorupka, Clement W.},
Date-Added = {2013-08-12 21:58:08 +0000},
Date-Modified = {2013-08-12 21:58:08 +0000},
Journal = {Journal of Computer Security},
Pages = {2005},
Title = {Verifying information flow goals in security-enhanced Linux},
Volume = {13},
Year = {2004}
}

@techreport{Ramsdell:09:An-Analysis-of-,
Address = {Center for Integrated Intelligence Systems, Bedford, MA},
Author = {Ramsdell, John D. and Guttman, Joshua D. and Millen, Jonathan K. and O'Hanlon, Brian},
Date-Added = {2011-07-06 11:22:04 -0500},
Date-Modified = {2011-07-06 11:22:34 -0500},
Institution = {MITRE},
Keywords = {security, formal methods},
Month = {December},
Number = {MTR090213},
Title = {An Analysis of the CAVES Attestation Protocol using CPSA},
Type = {Technical Remport},
Year = {2009}
}

@article{Helble:2021:flexible,
author = {Helble, Sarah C. and Kretz, Ian D. and Loscocco, Peter A. and Ramsdell, John D. and Rowe, Paul D. and Alexander, Perry},
title = {Flexible Mechanisms for Remote Attestation},
year = {2021},
issue_date = {November 2021},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {24},
number = {4},
issn = {2471-2566},
url = {https://doi.org/10.1145/3470535},
doi = {10.1145/3470535},
abstract = {Remote attestation consists of generating evidence of a system’s integrity via measurements and reporting the evidence to a remote party for appraisal in a form that can be trusted. The parties that exchange information must agree on formats and protocols. We assert there is a large variety of patterns of interactions among appraisers and attesters of interest. Therefore, it is important to standardize on flexible mechanisms for remote attestation. We make our case by describing scenarios that require the exchange of evidence among multiple parties using a variety of message passing patterns. We show cases in which changes in the order of evidence collection result in important differences to what can be inferred by an appraiser. We argue that adding the ability to negotiate the appropriate kind of attestation allows for remote attestations that better adapt to a dynamically changing environment. Finally, we suggest a language-based solution to taming the complexity of specifying and negotiating attestation procedures.},
journal = {ACM Trans. Priv. Secur.},
month = {sep},
articleno = {29},
numpages = {23},
keywords = {Remote attestation, layered attestation, attestation protocols}
}

@book{Bertot:2013aa,
	author = {Bertot, Yves and Cast{\'e}ran, Pierre},
	date-added = {2015-09-15 19:00:08 +0000},
	date-modified = {2015-09-15 19:00:19 +0000},
	publisher = {Springer Science \& Business Media},
	title = {Interactive theorem proving and program development: Coq'Art: the calculus of inductive constructions},
	year = {2013}}

@inproceedings{Petz:2021:faithful,
author = {Petz, Adam and Alexander, Perry},
title = {An Infrastructure for Faithful Execution of Remote Attestation Protocols},
year = {2021},
isbn = {978-3-030-76383-1},
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
url = {https://doi.org/10.1007/978-3-030-76384-8_17},
doi = {10.1007/978-3-030-76384-8_17},
abstract = {Remote attestation is a technology for establishing trust in a remote computing system. Copland is a domain-specific language for specifying attestation protocols that operate in diverse, layered measurement topologies. An accompanying reference semantics characterizes attestation-relevant system events and bundling of cryptographic evidence. In this work we formally define and verify the Copland Compiler and Copland Virtual Machine for executing Copland protocols. The compiler and vm are implemented as monadic, functional programs in the Coq proof assistant and verified with respect to the Copland reference semantics. In addition we introduce the Attestation Manager Monad as an environment for managing attestation freshness, binding results of Copland protocols to variables, and appraising evidence results. These components lay the foundation for a verified attestation stack.},
booktitle = {NASA Formal Methods: 13th International Symposium, NFM 2021, Virtual Event, May 24–28, 2021, Proceedings},
pages = {268–286},
numpages = {19},
keywords = {Remote attestation, Verification, Domain specific languages}
}

@inproceedings{nunes2019vrased,
  title={$\{$VRASED$\}$: A verified hardware/software co-design for remote attestation},
  author={Nunes, Ivan De Oliveira and Eldefrawy, Karim and Rattanavipanon, Norrathep and Steiner, Michael and Tsudik, Gene},
  booktitle={28th $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security 19)},
  pages={1429--1446},
  year=2019
}

@inproceedings{Petz:2021:design,
author = {Petz, Adam and Jurgensen, Grant and Alexander, Perry},
title = {Design and Formal Verification of a Copland-Based Attestation Protocol},
year = {2021},
isbn = {9781450391276},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3487212.3487340},
doi = {10.1145/3487212.3487340},
abstract = {We present the design and formal analysis of a remote attestation protocol and accompanying security architecture that generate evidence of trustworthy execution for legacy software. For formal guarantees of measurement ordering and cryptographic evidence strength, we leverage the Copland language and Copland Virtual Machine execution semantics. For isolation of attestation mechanisms we design a layered attestation architecture that leverages the seL4 microkernel. The formal properties of the protocol and architecture together serve to discharge assumptions made by an existing higher-level model-finding tool to characterize all ways an active adversary can corrupt a target and go undetected. As a proof of concept, we instantiate this analysis framework with a specific Copland protocol and security architecture to measure a legacy flight planning application. By leveraging components that are amenable to formal analysis, we demonstrate a principled way to design an attestation protocol and argue for its end-to-end correctness.},
booktitle = {Proceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design},
pages = {111–117},
numpages = {7},
keywords = {remote attestation, verification, formal methods},
location = {Virtual Event, China},
series = {MEMOCODE '21}
}

@inproceedings{Petz:2019:Copland,
author = {Petz, Adam and Alexander, Perry},
title = {A Copland Attestation Manager},
year = {2019},
isbn = {9781450371476},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3314058.3314060},
doi = {10.1145/3314058.3314060},
abstract = {Copland is a domain specific language designed for describing, analyzing and executing attestation protocols. Its formal semantics defines evaluation, sequencing, and dispatch of measurements resulting in evidence describing a system's state. That evidence is in turn appraised to determine if and how an external system will interact with it. The contribution of this work is a description of the first Copland interpreter and the attestation manager built around it. Following an overview of the syntax and formal semantics is a collection of motivating examples. Next is a description of a Haskell-based Copland interpreter and the attestation manager constructed around it. Examples are provided to show the interpreter's interface format. A description of the Copland landscape and future goals closes the presentation.},
booktitle = {Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security},
articleno = {6},
numpages = {10},
keywords = {attestation protocol manager, remote attestation},
location = {Nashville, Tennessee, USA},
series = {HotSoS '19}
}

@techreport{Martin:08:The-ten-page-in,
Address = {Oxford, UK},
Author = {Martin, A. and others},
Date-Added = {2012-11-11 18:44:14 +0000},
Date-Modified = {2012-11-11 18:45:54 +0000},
Institution = {Oxford University Computing Labratory},
Journal = {Research Report CS-RR-08-11},
Keywords = {trustedComputing,trp,security},
Number = {CS-RR-08-11},
Publisher = {Computing Laboratory, Oxford University Oxford},
Title = {The ten page introduction to trusted computing},
Year = {2008}
}

@techreport{Anati:SGX,
Address = {USA},
Author = {Ittai Anati and Shay Gueron and Simon P Johnson and Vincent R Scarlata},
Institution = {Intel Corporation},
Journal = {Research Report CS-RR-08-11},
Keywords = {SGX},
Publisher = {Intel Corporation},
Title = {Innovative Technology for CPU Based Attestation and Sealing},
Year = {2013}
}

@inproceedings{Haldar:04:Semantic-Remote,
Address = {San Jose, CA},
Author = {Haldar, Vivek and Chandra, Deepak and Franz, Michael},
Booktitle = {Proceedings of the Third Virtual Machine Research and Technology Symposium},
Date-Modified = {2012-08-20 16:58:33 +0000},
Month = {May},
Title = {Semantic Remote Attestation -- A Virtual Machine directed approach to Trusted Computing},
Year = {2004}
}

@inproceedings{Coker:08:Attestation:-Ev,
Author = {Coker, George S. and Guttman, Joshua D. and Loscocco, Peter A. and Sheehy, Justin and Sniffen, Brian T.},
Booktitle = {Proceedings of the International Conference on Information and Communications Security},
Date-Added = {2010-12-21 14:53:13 -0600},
Date-Modified = {2010-12-21 14:55:05 -0600},
Title = {Attestation: Evidence and Trust},
Volume = {LNCS 5308},
Year = {2008}
}

@article{Coker::Principles-of-R,
Author = {Coker, George and Guttman, Joshua and Loscocco, Peter and Herzog, Amy and Millen, Jonathan and O'Hanlon, Brian and Ramsdell, John and Segall, Ariel and Sheehy, Justin and Sniffen, Brian},
Date-Added = {2010-07-10 14:55:38 -0500},
Date-Modified = {2012-07-20 13:28:54 +0000},
Journal = {International Journal of Information Security},
Month = {June},
Number = {2},
Pages = {63--81},
Title = {Principles of Remote Attestation},
Volume = {10},
Year = {2011}
}

@techreport{Maughan:1998:RFC2408,
author = {Maughan, D. and Schertler, M. and Turner, J.},
title = {Internet Security Association and Key Management Protocol (ISAKMP)},
howpublished = {Internet Requests for Comments},
type="{RFC}",
number={2408},
pages = {1-86},
year = {1998},
month = {11},
publisher = {RFC Editor},
institution = {RFC Editor},
url={https://tools.ietf.org/html/rfc2408#page-5}
}

@misc{Carrel:1998:RFC2409,
series =    {Request for Comments},
number =    {2409},
howpublished =  {RFC 2409},
publisher = {RFC Editor},
doi =       {10.17487/RFC2409},
url =       {https://www.rfc-editor.org/info/rfc2409},
author =    {David Carrel and Dan Harkins},
title =     {{The Internet Key Exchange (IKE)}},
pagetotal = {41},
year =      {1998},
month =     {nov},
}

@misc{strongSwan,
title = {strongSwan},
howpublished = {\url{https://www.strongswan.org/}},
note = {Accessed: 2022-06-29},
author ={Andreas Steffen},
year =      {2021},
month =     {Oct},
}

@misc{tpm, 
title={Trusted Platform Module}, 
howpublished = {\url{https://trustedcomputinggroup.org/work-groups/trusted-platform-module/}},
author = {Trusted Computing Group},
year = {2023}, 
month = {March}, 
}

@INPROCEEDINGS{Pendergrass:2018:Maat,
author={Pendergrass, J. Aaron and Helble, Sarah and Clemens, John and Loscocco, Peter},
booktitle={MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)}, 
title={A Platform Service for Remote Integrity Measurement and Attestation}, 
year={2018},
volume={},
number={},
pages={1-6},
doi={10.1109/MILCOM.2018.8599735}
}


@TECHREPORT{isakmp-thesis,
author = {Ajaya Chitturi and Ajaya Chitturi and John B. Carter and Jay Lepreau and Ann W. Hart},
title = {Implementing Mandatory Network Security In A Policy-Flexible System},
institution = {University of Utah},
year = {1998}
}

@article{recovery,
title = "ISAKMP Key Recovery Extensions",
journal = "Computers \& Security",
volume = "19",
number = "1",
pages = "91 - 99",
year = "2000",
issn = "0167-4048",
doi = "https://doi.org/10.1016/S0167-4048(00)86368-3",
url = "http://www.sciencedirect.com/science/article/pii/S0167404800863683",
author = "David Balenson and Tom Markham",
abstract = "This document describes the proposed approach for negotiating and exchanging key recovery information within the Internet Security Association Key Management Protocol (ISAKMP)."
}

@mastersthesis{fritz-thesis,
    title = {A Type Dependent Policy Language},
    author = {Anna Fritz},
    year = {2021},
    school = {University of Kansas}
}

@inproceedings{Rowe:2021:AutomatedTrust,
author = {Rowe, Paul D. and Ramsdell, John D. and Kretz, Ian D.},
title = {Automated Trust Analysis of Copland Specifications for Layered Attestations},
year = {2021},
isbn = {9781450386890},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3479394.3479418},
doi = {10.1145/3479394.3479418},
abstract = {In distributed systems, trust decisions are often based on remote attestations in which evidence is gathered about the integrity of subcomponents. Layered attestations leverage hierarchical dependencies among the subcomponents to bolster the trustworthiness of evidence. Copland is a declarative, domain-specific language for specifying complex layered attestations. How phrases are composed bears directly on the trustworthiness of the evidence they produce, and complex phrases become quite difficult to analyze by hand. We introduce an automated method for analyzing executions of attestations specified by Copland phrases in an adversarial setting. We develop a general theory of executions with adversarial corruption and repair events. Our approach is to enrich the Copland semantics according to this theory. Using the model finder Chase, we characterize all executions consistent with a set of initial assumptions. From this set of models, an analyst can discover all ways an active adversary can corrupt subcomponents without being detected by the attestation. These efforts afford trust policymakers the ability to compare attestations expressed as Copland phrases against trust policy in a way that encompasses both static and runtime concerns.},
booktitle = {23rd International Symposium on Principles and Practice of Declarative Programming},
articleno = {23},
numpages = {15},
keywords = {Layered Attestation, Model Finding, Trustworthy Computing},
location = {Tallinn, Estonia},
series = {PPDP 2021}
}

@misc{Ramsdell:2020:Chase,
    title = {Chase: A model finder for finitary geometric logic},
    author = {John Ramsdell},
    year = {2020},
    howpublished = {\url{https://github.com/ramsdell/chase}}
}

@misc{Ramsdell:2020:Chase:Guide,
    title = {Chase User Guide},
    author = {John Ramsdell},
    year = {2020},
    howpublished = {\url{https://ramsdell.github.io/chase/index.html}}
}

@inproceedings{Petz:2021:DesignAndFormal,
author = {Petz, Adam and Jurgensen, Grant and Alexander, Perry},
title = {Design and Formal Verification of a Copland-Based Attestation Protocol},
year = {2021},
isbn = {9781450391276},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3487212.3487340},
doi = {10.1145/3487212.3487340},
abstract = {We present the design and formal analysis of a remote attestation protocol and accompanying security architecture that generate evidence of trustworthy execution for legacy software. For formal guarantees of measurement ordering and cryptographic evidence strength, we leverage the Copland language and Copland Virtual Machine execution semantics. For isolation of attestation mechanisms we design a layered attestation architecture that leverages the seL4 microkernel. The formal properties of the protocol and architecture together serve to discharge assumptions made by an existing higher-level model-finding tool to characterize all ways an active adversary can corrupt a target and go undetected. As a proof of concept, we instantiate this analysis framework with a specific Copland protocol and security architecture to measure a legacy flight planning application. By leveraging components that are amenable to formal analysis, we demonstrate a principled way to design an attestation protocol and argue for its end-to-end correctness.},
booktitle = {Proceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design},
pages = {111–117},
numpages = {7},
keywords = {verification, formal methods, remote attestation},
location = {Virtual Event, China},
series = {MEMOCODE '21}
}

@manual{Coq,
title = {Coq Reference Manual},
author ={Coq development team},
note = {Version 8.5pl1},
organization = {INRIA},
url = {https://coq.inria.fr/distrib/current/refman/},
year = {2016}
}

@misc{Copland::website,
title = {Copland website},
author = {},
year = {2021},
howpublished = {\url{https://ku-sldg.github.io/copland/}}
}

@misc{Ltac::website,
title = {Ltac},
author = {Inria},
year = {2022},
howpublished = {\url{https://coq.inria.fr/refman/proof-engine/ltac.html}}
}

@misc{Coplandavm::website,
title = {copland-avm, nfm21 release},
author = {Petz, Adam},
year = {2021},
howpublished = {\url{https://github.com/ku-sldg/copland-avm/releases/tag/v1.0}}
}

@misc{TJ_prop,
title = {Proof-Producing Synthesis of CakeML from Coq},
author = {Barclay, TJ},
year = {2022},
howpublished = {PhD Proposal}, 
school = {University of Kansas}
}

@inproceedings{10.1145/2364527.2364545,
author = {Myreen, Magnus O. and Owens, Scott},
title = {Proof-Producing Synthesis of ML from Higher-Order Logic},
year = {2012},
isbn = {9781450310543},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/2364527.2364545},
doi = {10.1145/2364527.2364545},
abstract = {The higher-order logic found in proof assistants such as Coq and various HOL systems provides a convenient setting for the development and verification of pure functional programs. However, to efficiently run these programs, they must be converted (or "extracted") to functional programs in a programming language such as ML or Haskell. With current techniques, this step, which must be trusted, relates similar looking objects that have very different semantic definitions, such as the set-theoretic model of a logic and the operational semantics of a programming language.In this paper, we show how to increase the trustworthiness of this step with an automated technique. Given a functional program expressed in higher-order logic, our technique provides the corresponding program for a functional language defined with an operational semantics, and it provides a mechanically checked theorem relating the two. This theorem can then be used to transfer verified properties of the logical function to the program.We have implemented our technique in the HOL4 theorem prover, translating functions to a core subset of Standard ML, and have applied it to examples including functional data structures, a parser generator, cryptographic algorithms, and a garbage collector.},
booktitle = {Proceedings of the 17th ACM SIGPLAN International Conference on Functional Programming},
pages = {115–126},
numpages = {12},
keywords = {theorem proving},
location = {Copenhagen, Denmark},
series = {ICFP '12}
}


@article{Myreen::2012::proof,
author = {Myreen, Magnus O. and Owens, Scott},
title = {Proof-Producing Synthesis of ML from Higher-Order Logic},
year = {2012},
issue_date = {September 2012},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {47},
number = {9},
issn = {0362-1340},
url = {https://doi.org/10.1145/2398856.2364545},
doi = {10.1145/2398856.2364545},
abstract = {The higher-order logic found in proof assistants such as Coq and various HOL systems provides a convenient setting for the development and verification of pure functional programs. However, to efficiently run these programs, they must be converted (or "extracted") to functional programs in a programming language such as ML or Haskell. With current techniques, this step, which must be trusted, relates similar looking objects that have very different semantic definitions, such as the set-theoretic model of a logic and the operational semantics of a programming language.In this paper, we show how to increase the trustworthiness of this step with an automated technique. Given a functional program expressed in higher-order logic, our technique provides the corresponding program for a functional language defined with an operational semantics, and it provides a mechanically checked theorem relating the two. This theorem can then be used to transfer verified properties of the logical function to the program.We have implemented our technique in the HOL4 theorem prover, translating functions to a core subset of Standard ML, and have applied it to examples including functional data structures, a parser generator, cryptographic algorithms, and a garbage collector.},
journal = {SIGPLAN Not.},
month = {sep},
pages = {115–126},
numpages = {12},
keywords = {theorem proving}
}

@techreport{ietf-rats-architecture-18,
number =    {draft-ietf-rats-architecture-18},
type =      {Internet-Draft},
institution =   {Internet Engineering Task Force},
publisher = {Internet Engineering Task Force},
note =      {Work in Progress},
url =       {https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/18/},
author =    {Henk Birkholz and Dave Thaler and Michael Richardson and Ned Smith and Wei Pan},
title =     {Remote Attestation Procedures Architecture},
pagetotal = {56},
year =      {2022},
month =     {jun},
day =       {14},
abstract =  {In network protocol exchanges it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary claims. An attempt is made to provide for a model that is neutral toward processor architectures, the content of claims, and protocols.},
}

@inproceedings{4,
    author={I. {Hajjeh} and A. {Serhrouchni} and F. {Tastet}},
    booktitle={GLOBECOM '03. IEEE Global Telecommunications Conference (IEEE Cat. No.03CH37489)}, 
    title={ISAKMP handshake for SSL/TLS}, 
    year={2003},
    volume={3},
    number={},
    pages={1481-1485 vol.3},
    doi={10.1109/GLOCOM.2003.1258484}
}

@inproceedings{6,
    author={X. {Qing} and C. {Adams}},
    booktitle={2006 Canadian Conference on Electrical and Computer Engineering}, 
    title={KEAML - Key Exchange and Authentication Markup Language}, 
    year={2006},
    volume={},
    number={},
    pages={634-638},
    doi={10.1109/CCECE.2006.277583}
}

@techreport{11,
    title = {Internet Security Association and Key Management Protocol},
    author = {Hecker, Artur},
    year = {2002},
    month = {1},
    institution = {ENST Paris},
    URL={https://perso.telecom-paristech.fr/hecker/files/ISAKMP.pdf}
}

@misc{Ramalingam, 
    title={Internet Security Association and Key Management Protocol (ISAKMP) }, 
    publisher={College of Applied Sciences}, 
    author={Ramalingam, Rajasekar},
    year={2017},
    url={https://www.slideshare.net/RajasekarVr/internet-security-association-and-key-management-protocol-isakmp}
}

@inproceedings{InevitabilityofFail,
  title={The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments},
  author={Peter Loscocco and Stephen Dale Smalley and P. A. Muckelbauer and R. Taylor and S. Turner and J. Farrell},
  year={2000}
}

@InProceedings{trust_defined,
author="Xiu, Daoxi
and Liu, Zhaoyu",
editor="Zhou, Jianying
and Lopez, Javier
and Deng, Robert H.
and Bao, Feng",
title="A Formal Definition for Trust in Distributed Systems",
booktitle="Information Security",
year="2005",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="482--489",
isbn="978-3-540-31930-6"
}

@INPROCEEDINGS{ERASMUS,
author={Carpent, Xavier and Tsudik, Gene and Rattanavipanon, Norrathep},
booktitle={2018 Design, Automation \& Test in Europe Conference \& Exhibition}, 
title={ERASMUS: Efficient remote attestation via self-measurement for unattended settings}, 
year={2018},
volume={},
number={},
pages={1191-1194},
doi={10.23919/DATE.2018.8342195}
}

@inproceedings{HYDRA,
author = {Eldefrawy, Karim and Rattanavipanon, Norrathep and Tsudik, Gene},
title = {HYDRA: Hybrid Design for Remote Attestation (Using a Formally Verified Microkernel)},
year = {2017},
isbn = {9781450350846},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3098243.3098261},
doi = {10.1145/3098243.3098261},
booktitle = {Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks},
pages = {99–110},
numpages = {12},
location = {Boston, Massachusetts},
series = {WiSec '17}
}

@INPROCEEDINGS{Francillon:2014:Minimalist,
  author={Francillon, Aurélien and Nguyen, Quan and Rasmussen, Kasper B. and Tsudik, Gene},
  booktitle={2014 Design, Automation \& Test in Europe Conference \& Exhibition}, 
  title={A minimalist approach to Remote Attestation}, 
  year={2014},
  volume={},
  number={},
  pages={1-6},
  doi={10.7873/DATE.2014.257}}

@inproceedings{PRIMA,
author = {Jaeger, Trent and Sailer, Reiner and Shankar, Umesh},
title = {PRIMA: Policy-Reduced Integrity Measurement Architecture},
year = {2006},
isbn = {1595933530},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/1133058.1133063},
doi = {10.1145/1133058.1133063},
abstract = {We propose an integrity measurement approach based on information flow integrity,which we call the Policy-Reduced Integrity Measurement Architecture (PRIMA).The recent availability of secure hardware has made it practical for a system to measure its own integrity, such that it can generate an integrity proof for remote parties. Various approaches have been proposed,but most simply measure the loaded code and static data to approximate runtime system integrity.We find that these approaches suffer from two problems: (1)the load-time measurements of code alone do not accurately reflect runtime behaviors,such as the use of untrusted network data,and (2) they are ineficient,requiring all measured entities to be known and fully trusted even if they have no impact on the target application.Classical integrity models are based on information flow,so we design the PRIMA approach to enable measurement of information flow integrity and prove that it achieves these goals. We prove how a remote party can verify useful information flow integrity properties using PRIMA. A PRIMA prototype has been built based on the open-source Linux Integrity Measurement Architecture (IMA)using SELinux policies to provide the information flow.},
booktitle = {Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies},
pages = {19–28},
numpages = {10},
keywords = {information flow, remote attestation, Clark-Wilson Lite integrity},
location = {Lake Tahoe, California, USA},
series = {SACMAT '06}
}

@inproceedings{DRAFT,
  author    = {Wenjuan Xu and
               Gail{-}Joon Ahn and
               Hongxin Hu and
               Xinwen Zhang and
               Jean{-}Pierre Seifert},
  editor    = {Dimitris Gritzalis and
               Bart Preneel and
               Marianthi Theoharidou},
  title     = {DR\@FT: Efficient Remote Attestation Framework for Dynamic Systems},
  booktitle = {Computer Security - {ESORICS} 2010, 15th European Symposium on Research
               in Computer Security, Athens, Greece, September 20-22, 2010. Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {6345},
  pages     = {182--198},
  publisher = {Springer},
  year      = {2010},
  url       = {https://doi.org/10.1007/978-3-642-15497-3\_12},
  doi       = {10.1007/978-3-642-15497-3\_12},
  timestamp = {Fri, 09 Apr 2021 18:36:28 +0200},
  biburl    = {https://dblp.org/rec/conf/esorics/XuAHZS10.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}

@misc{baez2022evaluating,
  title={Evaluating SGX’s Remote Attestation Security Through the Analysis of Copland Phrases},
  author={Baez, Freddy Eduardo Veloz},
  year={2022},
  school={WORCESTER POLYTECHNIC INSTITUTE}
}

@inproceedings{Rowe:2021:OnOrdering,
author="Rowe, Paul D.",
editor="Dougherty, Daniel
and Meseguer, Jos{\'e}
and M{\"o}dersheim, Sebastian Alexander
and Rowe, Paul",
title="On Orderings in Security Models",
bookTitle="Protocols, Strands, and Logic: Essays Dedicated to Joshua Guttman on the Occasion of his 66.66th Birthday",
year="2021",
publisher="Springer International Publishing",
address="Cham",
pages="370--393",
abstract="Security decisions are often made on the basis of a comparison of two or more alternatives. Is it better go with design A or design B? Which security policy is best for my needs? What combination of defensive mitigations provide the best protection from attack? Implicit in such comparisons are ordering relations {\$}{\$}{\backslash}preceq {\$}{\$}⪯among the alternatives. Such ordering relations crop up in numerous security formalisms. This paper studies preorders that arise in three formalisms for very different domains of security: attack trees, Copland specifications of layered attestations, and cryptographic protocols. While these three areas of study appear to be very different in subject matter and form, we identify a common construction for defining preorders that arise in them. This new perspective unlocks novel connections that should allow insights in one domain to bear fruit in the others as well.",
isbn="978-3-030-91631-2",
doi="10.1007/978-3-030-91631-2_21",
url="https://doi.org/10.1007/978-3-030-91631-2_21"
}

@article{Sfyrakis:2020:Survey,
  doi = {10.48550/ARXIV.2005.12453},
  url = {https://arxiv.org/abs/2005.12453},
  author = {Sfyrakis, Ioannis and Gross, Thomas},
  keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
  title = {A Survey on Hardware Approaches for Remote Attestation in Network Infrastructures},
  journal = {arXiv},
  year = {2020}, 
  copyright = {arXiv.org perpetual, non-exclusive license}
}

@inproceedings{Seshadri:2005:Pioneer,
author = {Seshadri, Arvind and Luk, Mark and Shi, Elaine and Perrig, Adrian and van Doorn, Leendert and Khosla, Pradeep},
title = {Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems},
year = {2005},
isbn = {1595930795},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/1095810.1095812},
doi = {10.1145/1095810.1095812},
abstract = {We propose a primitive, called Pioneer, as a first step towards verifiable code execution on untrusted legacy hosts. Pioneer does not require any hardware support such as secure co-processors or CPU-architecture extensions. We implement Pioneer on an Intel Pentium IV Xeon processor. Pioneer can be used as a basic building block to build security systems. We demonstrate this by building a kernel rootkit detector.},
booktitle = {Proceedings of the Twentieth ACM Symposium on Operating Systems Principles},
pages = {1–16},
numpages = {16},
keywords = {verifiable code execution, rootkit detection, dynamic root of trust, software-based code attestation, self-check-summing code},
location = {Brighton, United Kingdom},
series = {SOSP '05}
}

@inproceedings{Defrawy2012SMARTSA,
  title={SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust},
  author={Karim M. El Defrawy and Gene Tsudik and Aur{\'e}lien Francillon and Daniele Perito},
  booktitle={Network and Distributed System Security Symposium},
  year={2012}
}

@misc{rfc_doi,
	series =	{Request for Comments},
	number =	2407,
	howpublished =	{RFC 2407},
	publisher =	{RFC Editor},
	doi =		{10.17487/RFC2407},
	url =		{https://rfc-editor.org/rfc/rfc2407.txt},
        author =	{Derrell Piper},
	title =		{{The Internet IP Security Domain of Interpretation for ISAKMP}},
	pagetotal =	32,
	year =		1998,
	month =		nov,
	abstract =	{This document defines the Internet IP Security DOI (IPSEC DOI), which instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations. {[}STANDARDS-TRACK{]}},
}

@book{Chlipala:2013:Frap,
	author = {Chlipala, Adam},
	date-added = {2021-09-15 19:03:08 +0000},
	date-modified = {2021-09-15 19:03:16 +0000},
	publisher = {MIT Press},
	title = {Formal Reasoning About Programs},
	year = {2023}}


@ARTICLE{dolevYao,
  author={Dolev, D. and Yao, A.},
  journal={IEEE Transactions on Information Theory}, 
  title={On the security of public key protocols}, 
  year={1983},
  volume={29},
  number={2},
  pages={198-208},
  doi={10.1109/TIT.1983.1056650}}

@misc{copland-lang,
	author = {{--}},
	howpublished = {\url{https://copland-lang.org}},
	title = {The Copland Framework website},
	year = 2019}

  @misc{coq2cakeml,
	author = {Barclay, T.J.},
	howpublished = {  \url{https://github.com/ku-sldg/coq2cakeml}},
	title = {coq2cakeml},
	year = 2023}

  @misc{amcakeml-github,
	author = {Jurgensen, Grant and Petz, Adam and Alexander, Perry and Barclay, T.J. and Komp, Ed and Neises, Michael and Cousino, Andrew},
	howpublished = {\url{https://github.com/ku-sldg/am-cakeml}},
	journal = {GitHub repository},
	publisher = {GitHub},
	title = {A Copland Attestation Manager (AM) in CakeML},
	year = {2021}}

  @misc{amhaskell-github,
	author = {Petz, Adam and Alexander, Perry and Komp, Ed},
	howpublished = {\url{https://github.com/ku-sldg/haskell-am}},
	journal = {GitHub repository},
	publisher = {GitHub},
	title = {A Copland Attestation Manager (AM) in Haskell},
	year = {2019}}

  @misc{nfm23-github,
	author = {Fritz, Anna and Alexander, Perry},
	howpublished = {\url{https://github.com/ku-sldg/nfm2023}},
	journal = {GitHub repository},
	publisher = {GitHub},
	title = {A Framework for Policy Based Negotiation in Coq},
	year = {2023}}

@misc{Michael_prop,
title = {Trustworthy Measurements of a Linux Kernel and Layered Attestation via a Verified Microkernel},
author = {Neises, Michael},
year = {2023},
howpublished = {PhD Proposal}, 
school = {University of Kansas}
}

@mastersthesis{cousino-thesis,
    title = {Recording Remote Attestations on the Blockchain},
    author = {Andrew Cousino},
    year = {2023},
    school = {University of Kansas}
}

@inproceedings{Petz:2024:verified,
author = {Petz, Adam and Thomas, Will and Barclay, TJ and Schmalz, Logan and Fritz, Anna and Alexander, Perry},
title = {Verified Configuration and Deployment of Layered Attestation Managers},
year = {2024},
publisher = {In Progress},
address = {},
booktitle = {In Progress},
numpages = {22}
}

%% selinux resources

@inproceedings{Jaeger:03:Analyzing-integ,
	acmid = {1251358},
	address = {Berkeley, CA, USA},
	author = {Jaeger, Trent and Sailer, Reiner and Zhang, Xiaolan},
	booktitle = {Proceedings of the 12th conference on USENIX Security Symposium - Volume 12},
	date-added = {2013-08-14 16:47:47 +0000},
	date-modified = {2013-08-14 16:47:53 +0000},
	keywords = {security, SELinux, access control},
	location = {Washington, DC},
	numpages = {1},
	pages = {5--5},
	publisher = {USENIX Association},
	series = {SSYM'03},
	title = {Analyzing integrity protection in the SELinux example policy},
	url = {http://dl.acm.org/citation.cfm?id=1251353.1251358},
	year = {2003},
	bdsk-url-1 = {http://dl.acm.org/citation.cfm?id=1251353.1251358}}

  @inproceedings{Zanin:04:Towards-a-forma,
	acmid = {990059},
	address = {New York, NY, USA},
	author = {Zanin, Giorgio and Mancini, Luigi Vincenzo},
	booktitle = {Proceedings of the ninth ACM symposium on Access control models and technologies},
	date-added = {2013-08-14 16:39:55 +0000},
	date-modified = {2013-08-14 16:39:55 +0000},
	doi = {10.1145/990036.990059},
	isbn = {1-58113-872-5},
	keywords = {security, SELinux, flask},
	location = {Yorktown Heights, New York, USA},
	numpages = {10},
	pages = {136--145},
	publisher = {ACM},
	series = {SACMAT '04},
	title = {Towards a formal model for security policies specification and validation in the selinux system},
	url = {http://doi.acm.org/10.1145/990036.990059},
	year = {2004},
	bdsk-url-1 = {http://doi.acm.org/10.1145/990036.990059},
	bdsk-url-2 = {http://dx.doi.org/10.1145/990036.990059}}

  @inproceedings{Hicks:07:A-logical-speci,
	acmid = {1266854},
	address = {New York, NY, USA},
	author = {Hicks, Boniface and Rueda, Sandra and St.Clair, Luke and Jaeger, Trent and McDaniel, Patrick},
	booktitle = {Proceedings of the 12th ACM symposium on Access control models and technologies},
	date-added = {2012-07-18 16:18:54 +0000},
	date-modified = {2012-07-18 16:18:59 +0000},
	doi = {10.1145/1266840.1266854},
	isbn = {978-1-59593-745-2},
	keywords = {SELinux, multi-level security, policy analysis, policy compliance},
	location = {Sophia Antipolis, France},
	numpages = {10},
	pages = {91--100},
	publisher = {ACM},
	series = {SACMAT '07},
	title = {A logical specification and analysis for SELinux MLS policy},
	url = {http://doi.acm.org/10.1145/1266840.1266854},
	year = {2007},
	bdsk-url-1 = {http://doi.acm.org/10.1145/1266840.1266854},
	bdsk-url-2 = {http://dx.doi.org/10.1145/1266840.1266854}}

  @book{Mayer:07:SELinux-by-Exam,
	author = {Mayer, Frank and MacMillan, Karl and Caplan, David},
	date-added = {2009-01-05 14:44:18 -0600},
	date-modified = {2009-01-05 14:46:04 -0600},
	publisher = {Prentice Hall},
	title = {{SELinux} by {E}xample},
	year = {2007}}

  @inproceedings{Spencer:99:The-Flask-Secur,
	author = {Spencer, R. and Smalley, S. and Loscocco, P. and Hibler, M. and Andersen, D. and Lepreau, J.},
	booktitle = {Proceedings of the Eighth USENIX Security Symposium},
	date-added = {2010-07-12 10:36:00 -0500},
	date-modified = {2010-07-12 10:37:57 -0500},
	month = {August},
	pages = {123--139},
	title = {The Flask Security Architecture: System Support for Diverse Security Policies},
	year = {1999}}

  @article{Alexander:15:Modeling,
	author = {Alexander, P. and Pike, L. and Loscocco, P. and Coker, G.},
	date-modified = {2015-09-14 04:42:57 +0000},
	journal = {ACM Transactions on Information and System Security (TISSEC)},
	number = {2},
	title = {Model Checking Distributed Mandatory Access Control Policies},
	volume = {18},
	year = {2015}}

  @inproceedings{Sprenger:2007aa,
	author = {Sprenger, Christoph and Basin, David},
	booktitle = {Theorem Proving in Higher Order Logics},
	date-added = {2015-03-27 19:13:02 +0000},
	date-modified = {2015-03-27 19:13:42 +0000},
	keywords = {security, verification, monadic semantics},
	pages = {302--318},
	publisher = {Springer},
	title = {A monad-based modeling and verification toolbox with application to security protocols},
	year = {2007}}

@techreport{CPSA,
	address = {Center for Integrated Intelligence Systems, Bedford, MA},
	author = {Liskov, Moses D. and Ramsdell, John D. and Guttman, Joshua D. and Rowe, Paul D.},
	date-added = {2011-07-06 11:22:04 -0500},
	date-modified = {2011-07-06 11:22:34 -0500},
	institution = {MITRE},
	keywords = {security, formal methods},
	month = {June},
	number = {},
	title = {The Cryptographic Protocol Shapes Analyzer: A Manual},
	type = {Technical Report},
	year = {2016}}

@INPROCEEDINGS{Archer::2003::Analyzing,
  author={Archer, M. and Leonard, E. and Pradella, M.},
  booktitle={Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks}, 
  title={Analyzing security-enhanced Linux policy specifications}, 
  year={2003},
  volume={},
  number={},
  pages={158-169},
  doi={10.1109/POLICY.2003.1206969}}

@article{Hannaford,
  author          = {Kerber, R},
  journal         = {The Boston Globe},
  number          = {},
  title           = {Advanced tactic targeted grocer: `Malware' stole Hannaford data},
  pages          = {1-18},
  month 		= {March},
  year            = {2008}
}

@article{eleven-charged,
  author          = {Stone, Brad},
  journal         = {The New York Times},
  number          = {},
  title           = {11 charged in theft of 41 million card numbers},
  pages          = {B-1},
  month 		= {August},
  year            = {2008}
}

@article{silent-skimmer,
  author          = {Guru},
  journal         = {Cyber Security News},
  number          = {},
  title           = {Silent Skimmer Group Attacking Online Shopping Websites},
  pages          = {},
  month 		= {September},
  year            = {2023}
}

@article{capitol-one, 
author = {Khan, Shaharyar and Kabanov, Ilya and Hua, Yunke and Madnick, Stuart}, 
title = {A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned}, 
year = {2022}, 
issue_date = {February 2023}, 
publisher = {Association for Computing Machinery}, 
address = {New York, NY, USA}, 
volume = {26}, 
number = {1}, 
issn = {2471-2566}, 
url = {https://doi.org/10.1145/3546068}, 
doi = {10.1145/3546068}, 
abstract = {The 2019 Capital One data breach was one of the largest data breaches impacting the privacy and security of personal information of over a 100 million individuals. In most reports about a cyberattack, you will often hear that it succeeded because a single employee clicked on a link in a phishing email or forgot to patch some software, making it seem like an isolated, one-off, trivial problem involving maybe one person, committing a mistake or being negligent. But that is usually not the complete story. By ignoring the related managerial and organizational failures, you are leaving in place the conditions for the next breach. Using our Cybersafety analysis methodology, we identified control failures spanning control levels, going from rather technical issues up to top management, the Board of Directors, and Government regulators. In this analysis, we reconstruct the Capital One hierarchical cyber safety control structure, identify what parts failed and why, and provide recommendations for improvements. This work demonstrates how to discover the true causes of security failures in complex information systems and derive systematic cybersecurity improvements that likely apply to many other organizations. It also provides an approach that individuals can use to evaluate and better secure their organizations.}, 
journal = {ACM Trans. Priv. Secur.}, 
month = {nov}, 
articleno = {3}, 
numpages = {29}, 
keywords = {Capital One breach, cybersafety, cybersecurity, privacy, STAMP} }

@inproceedings{Ott:2023:Universal-Remote-Attestation-Cloud-Platforms,
author = {Ott, Simon and Kamhuber, Monika and Pecholt, Joana and Wessel, Sascha},
title = {Universal Remote Attestation for Cloud and Edge Platforms},
year = {2023},
isbn = {9798400707728},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3600160.3600171},
doi = {10.1145/3600160.3600171},
abstract = {With more computing workloads being shifted to the cloud, verifying the integrity of remote software stacks through remote attestation becomes an increasingly important topic. During remote attestation, a prover provides attestation evidence to a verifier, backed by a hardware trust anchor. While generating this information, which is essentially a list of hashes, is easy, examining the trustworthiness of the overall platform based on the provided list of hashes without context is difficult. Furthermore, as different trust anchors use different formats, interaction between devices using different attestation technologies is a complex problem. To address this problem, we propose a universal, hardware-agnostic device-identity and attestation framework. Our framework focuses on easing attestation by having provers present meaningful metadata to verify the integrity of the attestation evidence. We implemented and evaluated the framework for Trusted Platform Modules (TPM), AMD SEV-SNP attestation, and ARM PSA Entity Attestation Tokens (EATs).},
booktitle = {Proceedings of the 18th International Conference on Availability, Reliability and Security},
articleno = {12},
numpages = {11},
keywords = {Channel Binding, TPM, AMD SEV-SNP, Integrity Validation, ARM PSA, Remote Attestation},
location = {<conf-loc>, <city>Benevento</city>, <country>Italy</country>, </conf-loc>},
series = {ARES '23}
}

@INPROCEEDINGS{iot-att,
  author={Kim, Kyeong Tae and Lim, Jae Deok and Kim, Jeong-Nyeo},
  booktitle={2022 24th International Conference on Advanced Communication Technology (ICACT)}, 
  title={An IoT Device-trusted Remote Attestation Framework}, 
  year={2022},
  volume={},
  number={},
  pages={218-223},
  keywords={Performance evaluation;Virtual machine monitors;Real-time systems;Security;Trust management;Standards;Secure storage;Remote Attestation;Security;IoT},
  doi={10.23919/ICACT53585.2022.9728853}}

  @INPROCEEDINGS{Scalable-cloud,
  author={Berger, Stefan and Goldman, Kenneth and Pendarakis, Dimitrios and Safford, David and Valdez, Enriquillo and Zohar, Mimi},
  booktitle={2015 IEEE International Conference on Cloud Engineering}, 
  title={Scalable Attestation: A Step Toward Secure and Trusted Clouds}, 
  year={2015},
  volume={},
  number={},
  pages={185-194},
  keywords={Hardware;Kernel;Public key;Appraisal;Linux;Semiconductor device measurement;Security;Integrity;Attestation},
  doi={10.1109/IC2E.2015.32}}

@inproceedings{Tan:2011:TRAP,
author = {Tan, Hailun and Hu, Wen and Jha, Sanjay},
title = {A TPM-Enabled Remote Attestation Protocol (TRAP) in Wireless Sensor Networks},
year = {2011},
isbn = {9781450309028},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/2069087.2069090},
doi = {10.1145/2069087.2069090},
abstract = {Given the limited resources and computational power of current embedded sensor devices, memory protection is difficult to achieve and generally unavailable. Hence, the software run-time buffer overflow that is used by the worm attacks in the Internet could be easily exploited to inject malicious codes into Wireless Sensor Networks (WSNs). Previous software-based remote code verification approaches such as SWATT and SCUBA have been shown difficult to deploy in recent work. In this paper, we propose and implement a remote attestation protocol for detecting unauthorized tampering in the application codes running on sensor nodes with the assistance of Trusted Platform Modules (TPMs), the tiny, cost-effective and tamper-proof cryptographic microcontrollers. In our design, each sensor node is equipped with a TPM and the firmware running on the node could be verified by the other sensor nodes in a WSN, including the sink. Specifically, we present a hardware-based remote attestation protocol, discuss the potential attacks an adversary could launch against the protocol, and provide comprehensive system performance results of the protocol in a multi-hop sensor network testbed.},
booktitle = {Proceedings of the 6th ACM Workshop on Performance Monitoring and Measurement of Heterogeneous Wireless and Wired Networks},
pages = {9--16},
numpages = {8},
keywords = {trusted platform module, wireless sensor networks, remote attestation},
location = {Miami, Florida, USA},
series = {PM2HW2N '11}
}

@inproceedings{Loscocco:07:Linux-kernel-in,
	acmid = {1314362},
	address = {New York, NY, USA},
	author = {Loscocco, Peter A. and Wilson, Perry W. and Pendergrass, J. Aaron and McDonell, C. Durward},
	booktitle = {Proceedings of the 2007 ACM workshop on Scalable trusted computing},
	date-added = {2012-08-20 18:40:53 +0000},
	date-modified = {2012-11-24 21:31:03 +0000},
	doi = {10.1145/1314354.1314362},
	isbn = {978-1-59593-888-6},
	keywords = {security, LKIM, attestation, integrity measurement, system monitoring},
	location = {Alexandria, Virginia, USA},
	numpages = {9},
	pages = {21--29},
	publisher = {ACM},
	series = {STC '07},
	title = {Linux kernel integrity measurement using contextual inspection},
	url = {http://doi.acm.org/10.1145/1314354.1314362},
	year = {2007},
	bdsk-url-1 = {http://doi.acm.org/10.1145/1314354.1314362},
	bdsk-url-2 = {http://dx.doi.org/10.1145/1314354.1314362}}

@article{lkim--pen,
  author          = {J. Aaron Pendergrass and Kathleen N. McGill},
  journal         = {JOHNS HOPKINS APL TECHNICAL DIGEST},
  number          = {2},
  title           = {LKIM: The Linux Kernel Integrity Measurer},
  volume          = {32},
  year            = {2013}
}

@manual{Trusted-Computing-Group:07:TCG-TPM-Specifi,
	address = {3885 SW 153rd Drive, Beaverton, OR 97006},
	author = {{Trusted Computing Group}},
	date-added = {2013-08-23 15:47:23 +0000},
	date-modified = {2013-08-23 15:47:44 +0000},
	edition = {Version 1.2 Revision 103},
	keywords = {security, tpm},
	month = {July},
	organization = {Trusted Computing Group},
	title = {TCG TPM Specification},
	url = {https://www.trustedcomputinggroup.org/resources/tpm_main_specification/},
	year = {2007},
	bdsk-url-1 = {https://www.trustedcomputinggroup.org/specs/TPM/},
	bdsk-url-2 = {https://www.trustedcomputinggroup.org/resources/tpm_main_specification/}}

  @ARTICLE{ieee-trust-compute,
  author={Yan, Zheng and Govindaraju, Venu and Zheng, Qinghua and Wang, Yan},
  journal={IEEE Access}, 
  title={IEEE Access Special Section Editorial: Trusted Computing}, 
  year={2020},
  volume={8},
  number={},
  pages={25722-25726},
  keywords={},
  doi={10.1109/ACCESS.2020.2969768}}

@inproceedings{Usman:2023:Attestation-Assurance-Arguments,
author = {Usman, Ahmad B. and Cole, Nigel and Asplund, Mikael and Boeira, Felipe and Vestlund, Christian},
title = {Remote Attestation Assurance Arguments for Trusted Execution Environments},
year = {2023},
isbn = {9798400701009},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3579988.3585056},
doi = {10.1145/3579988.3585056},
abstract = {Remote attestation (RA) is emerging as an important security mechanism for cyber-physical systems with strict security requirements. Trusted computing at large and Trusted Execution Environments (TEEs) in particular have been identified as key technologies to enable RA since they ideally allow retaining some element of control over remote devices despite them being compromised at the OS level. Unfortunately, sometimes it is claimed that TEEs provide RA support without really substantiating how this support is provided. In this paper we build the assurance arguments for RA to carefully map how secure RA depends on underlying security properties and how these in turn can be provided by TEE capabilities. We base our security analysis of RA on existing literature on security requirements for RA and use Goal Structuring Notation (GSN) as the method to build the security arguments. Our analysis identifies the set of TEE properties (as described in the GlobalPlatform standard) that are needed to support RA, and which goals that cannot be mapped to TEE implementations, and therefore require other forms of evidence for RA to be trusted at the top level.},
booktitle = {Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems},
pages = {33--42},
numpages = {10},
keywords = {trusted execution environments, assurance, globalplatform, cps, goal structuring notation, remote attestation},
location = {Charlotte, NC, USA},
series = {SaT-CPS '23}
}

@article{Horne--attack,
author = {Horne, Ross and Mauw, Sjouke and Tiu, Alwen},
year = {2017},
month = {06},
pages = {57-86},
title = {Semantics for Specialising Attack Trees based on Linear Logic},
volume = {153},
journal = {Fundamenta Informaticae},
doi = {10.3233/FI-2017-1531}
}

@inproceedings{Howard1969TheFN,
	author = {William A. Howard},
	title = {The formulae-as-types notion of construction},
	year = {1969}}

@misc{kretz2024evidence,
      title={Evidence Tampering and Chain of Custody in Layered Attestations}, 
      author={Ian D. Kretz and Clare C. Parran and John D. Ramsdell and Paul D. Rowe},
      year={2024},
      eprint={2402.00203},
      archivePrefix={arXiv},
      primaryClass={cs.CR}
}

@inproceedings{Fritz:2023:framework, 
author = {Fritz, Anna and Alexander, Perry}, 
title = {A Framework for Policy Based Negotiation}, 
year = {2023}, isbn = {978-3-031-33169-5}, 
publisher = {Springer-Verlag}, 
address = {Berlin, Heidelberg}, 
url = {https://doi.org/10.1007/978-3-031-33170-1_13}, 
doi = {10.1007/978-3-031-33170-1_13}, 
abstract = {Semantic remote attestation is a process for gathering and appraising evidence to determine the state of a remote system. Remote attestation occurs at the request of an appraiser or relying party and proceeds with a target system executing an attestation protocol that invokes attestation services in a specified order to generate and bundle evidence. The appraiser may then reason about the evidence to establish trust in the target’s state. Attestation Protocol Negotiation is the process of establishing a mutually agreed upon protocol that satisfies the appraiser’s desire for comprehensive information and the target’s desire for constrained disclosure. Here we explore formalization of negotiation focusing on a definition of system specifications through manifests, protocol sufficiency and soundness, policy representation, and negotiation structure. By using our formal models to represent and verify negotiation’s properties we can statically determine that a provably sound, sufficient, and executable protocol is produced.}, 
booktitle = {NASA Formal Methods: 15th International Symposium, NFM 2023, Houston, TX, USA, May 16–18, 2023, Proceedings}, 
pages = {207–223}, 
numpages = {17}, 
location = {Houston, TX, USA} }

@InProceedings{Appel:comp,
author="Appel, Andrew W.",
editor="Barthe, Gilles",
title="Verified Software Toolchain",
booktitle="Programming Languages and Systems",
year="2011",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="1--17",
abstract="The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machine-checked proofs that the assertions claimed at the top of the toolchain really hold in the machine-language program, running in the operating-system context, on a weakly-consistent-shared-memory machine.",
isbn="978-3-642-19718-5"
}

@book{Enderton:logic,
  author         = {Herbert B. Enderton},
  editor         = {},
  publisher      = {Academic Press},
  title          = {A mathematical introduction to logic},
  year           = {2001}
}

@article{Horne:Attack,
author = {Horne, Ross and Mauw, Sjouke and Tiu, Alwen},
year = {2017},
month = {06},
pages = {57-86},
title = {Semantics for Specialising Attack Trees based on Linear Logic},
volume = {153},
journal = {Fundamenta Informaticae},
doi = {10.3233/FI-2017-1531}
}

@article{Jhaware:attack,
author = {Jhawar, Ravi and Kordy, Barbara and Mauw, Sjouke and Radomirovic, Sasa and Trujillo-Rasua, Rolando},
year = {2015},
month = {03},
pages = {},
title = {Attack Trees with Sequential Conjunction},
volume = {455},
isbn = {978-3-319-18466-1},
journal = {IFIP Advances in Information and Communication Technology},
doi = {10.1007/978-3-319-18467-8_23}
}