An Analysis of the CAVES Attestation Protocol using CPSA
This paper describes the CAVES attestation protocol and presents a tool-supported analysis showing that the runs of the protocol achieve stated goals. The goals are stated formally by annotating the protocol with logical formulas using the rely-guarantee method. The protocol analysis tool used is the Cryptographic Protocol Shape Analyzer.
💡 Research Summary
The paper presents a rigorous, tool-supported security analysis of the CAVES (Credential-Based Attestation for Verified Execution) attestation protocol. CAVES is designed for environments such as cloud, edge, and IoT, in which a remote device (the Attester) must prove its current software state to a Verifier with the assistance of a trusted authority (the TA). The authors first give a complete description of the protocol's message flow, cryptographic primitives (RSA/ECDSA signatures, AES-GCM encryption, SHA-256 hashing), and the roles of each participant.
To express the security objectives formally, the paper adopts the rely‑guarantee method. For each participant, a set of “rely” conditions (assumptions about the environment and other parties) and “guarantee” conditions (the properties the participant must enforce) are written as logical formulas. The main goals are authentication (the verifier must be sure that the attestation originates from the claimed attester), integrity (the attested measurement must be untampered), and replay resistance (fresh nonces must prevent reuse of old attestations). These formulas are encoded in a temporal‑logic style that can be consumed by a protocol analyzer.
The core of the analysis uses the Cryptographic Protocol Shape Analyzer (CPSA). The authors translate the CAVES specification into a strand-space model, then into CPSA's input language. The attacker model follows the classic Dolev-Yao assumptions: the adversary controls all public channels, can compose and decompose messages, and can apply any cryptographic operation but cannot break the underlying primitives. CPSA explores all possible executions (shapes) consistent with the model.
CPSA discovers four distinct shapes: (1) a normal successful run, (2) an attempt to forge the attester’s certificate, (3) a replay of a previously captured attestation, and (4) a classic man‑in‑the‑middle (MITM) scenario. For each shape the authors automatically check the rely‑guarantee formulas. In every case the authentication, integrity, and freshness guarantees hold, meaning that the protocol’s design prevents the considered attacks under the assumed cryptographic strength. The analysis also shows that any deviation from the expected flow (e.g., missing TA signature, mismatched nonce) leads to an immediate violation of the guarantee conditions, which CPSA flags as an impossible shape.
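To make the rely-guarantee encoding and the CPSA model concrete, here is an added illustration, not the paper's CAVES model: a deliberately simplified nonce-challenge attestation in CPSA's input language, with the verifier's point-of-view skeleton and its authentication/freshness goal written in the rely (antecedent) and guarantee (consequent) style described above. The protocol name `toy-attest`, the role and variable names, and the `"quote"` tag are assumptions; the TA and certificate handling of the real protocol are left out.

```lisp
;; Constructed toy protocol (not the paper's CAVES specification).
;; The verifier sends a fresh nonce n; the attester answers with n and a
;; measurement m, signed under its private key (privk a).
(defprotocol toy-attest basic
  (defrole attester
    (vars (a name) (n m text))
    (trace
      (recv n)                              ; challenge from the verifier
      (send (enc "quote" n m (privk a)))))  ; signed quote binding n to m
  (defrole verifier
    (vars (a name) (n m text))
    (trace
      (send n)                              ; fresh challenge
      (recv (enc "quote" n m (privk a))))   ; accept only a's signature
    (uniq-orig n)))                         ; n originates nowhere else

;; Point-of-view skeleton: one completed verifier run. The rely conditions
;; are that a's signing key never leaks (non-orig) and that n is fresh
;; (inherited from the role's uniq-orig). CPSA enumerates every shape
;; consistent with this skeleton under the Dolev-Yao adversary.
(defskeleton toy-attest
  (vars (a name) (n m text))
  (defstrand verifier 2 (a a) (n n) (m m))
  (non-orig (privk a)))

;; Authentication goal in rely-guarantee form: whenever a verifier strand z
;; completes under those rely assumptions, some attester strand z0 must have
;; produced the quote for the same nonce and measurement. CPSA checks the
;; guarantee against every shape it discovers for the skeleton above.
(defgoal toy-attest
  (forall ((n m text) (a name) (z strd))
    (implies
      (and (p "verifier" z 2)        ; verifier strand z reached height 2
           (p "verifier" "n" z n)    ; its nonce is n
           (p "verifier" "a" z a)    ; it expects attester a
           (p "verifier" "m" z m)    ; it accepted measurement m
           (non (privk a))           ; rely: a's key is uncompromised
           (uniq-at n z 0))          ; rely: n was freshly chosen at z's send
      (exists ((z0 strd))
        (and (p "attester" z0 2)     ; guarantee: a matching attester run
             (p "attester" "n" z0 n)
             (p "attester" "m" z0 m))))))
```

Dropping `(non-orig (privk a))` from the skeleton is the quickest way to see how a missing rely condition shows up: CPSA then finds a shape in which the adversary, holding the key, produces the quote itself, and the goal fails on that shape.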
The paper discusses the practical implications of these results. By combining rely‑guarantee annotations with CPSA, the authors demonstrate a systematic way to verify multiple security properties simultaneously, something that many prior works achieve only for a single property. The analysis also provides confidence that the CAVES protocol’s key exchange and state‑proof mechanisms are correctly bound to the TA’s authority, preventing key substitution or signature tampering.
Limitations are acknowledged. The model assumes perfect cryptographic primitives and does not consider side‑channel leakage, timing attacks, or physical compromise of the attester. Moreover, the current analysis treats a single attester at a time; scalability to concurrent attestations or to more complex trust hierarchies is left for future work. Performance measurements of the CPSA run (approximately 2,300 intermediate states explored) are reported, indicating that the tool can handle the protocol’s complexity without excessive computational cost.
In conclusion, the study validates that the CAVES attestation protocol meets its formally stated security goals when analyzed under standard Dolev‑Yao assumptions. The reliance on formal rely‑guarantee specifications and the automated shape analysis offered by CPSA provide a compelling methodology for the verification of sophisticated attestation schemes, and the authors suggest extending this approach to broader threat models and to performance‑oriented evaluations in subsequent research.