{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:25:36Z","timestamp":1774448736736,"version":"3.50.1"},"reference-count":51,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2021,2,25]],"date-time":"2021-02-25T00:00:00Z","timestamp":1614211200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The Internet of Things (IoT) ecosystem comprises billions of heterogeneous Internet-connected devices which are revolutionizing many domains, such as healthcare, transportation, smart cities, to mention only a few. Along with the unprecedented new opportunities, the IoT revolution is creating an enormous attack surface for potential sophisticated cyber attacks. In this context, Remote Attestation (RA) has gained wide interest as an important security technique to remotely detect adversarial presence and assure the legitimate state of an IoT device. While many RA approaches proposed in the literature make different assumptions regarding the architecture of IoT devices and adversary capabilities, most typical RA schemes rely on minimal Root of Trust by leveraging hardware that guarantees code and memory isolation. However, the presence of a specialized hardware is not always a realistic assumption, for instance, in the context of legacy IoT devices and resource-constrained IoT devices. In this paper, we survey and analyze existing software-based RA schemes (i.e., RA schemes not relying on specialized hardware components) through the lens of IoT. In particular, we provide a comprehensive overview of their design characteristics and security capabilities, analyzing their advantages and disadvantages. Finally, we discuss the opportunities that these RA schemes bring in attesting legacy and resource-constrained IoT devices, along with open research issues.<\/jats:p>","DOI":"10.3390\/s21051598","type":"journal-article","created":{"date-parts":[[2021,2,26]],"date-time":"2021-02-26T04:36:24Z","timestamp":1614314184000},"page":"1598","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":47,"title":["State-of-the-Art Software-Based Remote Attestation: Opportunities and Open Issues for Internet of Things"],"prefix":"10.3390","volume":"21","author":[{"given":"Sigurd Frej Joel J\u00f8rgensen","family":"Ankerg\u00e5rd","sequence":"first","affiliation":[{"name":"DTU Compute, Technical University of Denmark (DTU), 2800 Kgs. Lyngby, Denmark"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4974-9739","authenticated-orcid":false,"given":"Edlira","family":"Dushku","sequence":"additional","affiliation":[{"name":"DTU Compute, Technical University of Denmark (DTU), 2800 Kgs. Lyngby, Denmark"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9575-2990","authenticated-orcid":false,"given":"Nicola","family":"Dragoni","sequence":"additional","affiliation":[{"name":"DTU Compute, Technical University of Denmark (DTU), 2800 Kgs. Lyngby, Denmark"}]}],"member":"1968","published-online":{"date-parts":[[2021,2,25]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and Other Botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Fernandes, E., Jung, J., and Prakash, A. (2016, January 22\u201326). Security Analysis of Emerging Smart Home Applications. Proceedings of the 2016 IEEE Symposium on Security and Privacy SP \u201916, San Jose, CA, USA.","DOI":"10.1109\/SP.2016.44"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"2702","DOI":"10.1109\/COMST.2019.2910750","article-title":"Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations","volume":"21","author":"Neshenko","year":"2019","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_4","first-page":"272","article-title":"SWATT: SoftWare-based ATTestation for embedded devices","volume":"2004","author":"Seshadri","year":"2004","journal-title":"Proc. IEEE Symp. Secur. Privacy"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1095809.1095812","article-title":"Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems","volume":"39","author":"Seshadri","year":"2005","journal-title":"Operating Syst. Rev. (ACM)"},{"key":"ref_6","unstructured":"Sailer, R., Zhang, X., Jaeger, T., and van Doorn, L. (2004, January 9\u201313). Design and Implementation of a TCG-based Integrity Measurement Architecture. Proceedings of the 13th Conference on USENIX Security Symposium SSYM\u201904, San Diego, CA, USA."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2171","DOI":"10.1002\/sec.1162","article-title":"A Remote Attestation Protocol with Trusted Platform Modules TPMs in Wireless Sensor Networks","volume":"8","author":"Tan","year":"2015","journal-title":"Sec. Commun. Netw."},{"key":"ref_8","unstructured":"Eldefrawy, K., Tsudik, G., Francillon, A., and Perito, D. (2012, January 5\u20138). SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust. Proceedings of the 19th Annual Network & Distributed System Security Symposium NDSS \u201912, San Diego, CA, USA."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Brasser, F., El Mahjoub, B., Sadeghi, A.R., Wachsmann, C., and Koeberl, P. (2015, January 8\u201312). TyTAN: Tiny trust anchor for tiny devices. Proceedings of the 52nd Design Automation Conference, San Francisco, CA, USA.","DOI":"10.1145\/2744769.2744922"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Arthur, W., and Challener, D. (2015). A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security, Apress.","DOI":"10.1007\/978-1-4302-6584-9"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Yiu, J. (2015). ARMv8-M Architecture Technical Overview, ARM. ARM White Paper.","DOI":"10.1016\/B978-0-12-803277-0.00002-3"},{"key":"ref_12","unstructured":"Koetsier, J. (2020, December 31). Battery-Free IoT: These Tiny Printable Computers Harvest Energy From Radio Waves. Available online: https:\/\/www.forbes.com\/sites\/johnkoetsier\/2021\/12\/28\/battery-free-iot-these-tiny-printable-computers-harvest-energy-from-radio-waves\/."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1145\/353323.353383","article-title":"Reflection as a Mechanism for Software Integrity Verification","volume":"3","author":"Spinellis","year":"2000","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_14","unstructured":"Noorman, J., Agten, P., Daniels, W., Strackx, R., Van Herrewege, A., Huygens, C., Preneel, B., Verbauwhede, I., and Piessens, F. (2013, January 14\u201316). Sancus: Low-Cost Trustworthy Extensible Networked Devices with a Zero-Software Trusted Computing Base. Proceedings of the 22nd USENIX Conference on Security, Washington, DC, USA."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Koeberl, P., Schulz, S., Sadeghi, A.R., and Varadharajan, V. (2014, January 14\u201316). TrustLite: A security architecture for tiny embedded devices. Proceedings of the 9th European Conference on Computer Systems EuroSys \u201914, Amsterdam, The Netherlands.","DOI":"10.1145\/2592798.2592824"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Ammar, M., Crispo, B., and Tsudik, G. (2020, January 21\u201325). SIMPLE: A Remote Attestation Approach for Resource-constrained IoT devices. Proceedings of the 2020 ACM\/IEEE 11th International Conference on Cyber-Physical Systems (ICCPS), Sydney, Australia.","DOI":"10.1109\/ICCPS48487.2020.00036"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"885","DOI":"10.1109\/TDSC.2019.2928541","article-title":"S\u03bcV\u2014The Security MicroVisor: A Formally-Verified Software-Based Security Architecture for the Internet of Things","volume":"16","author":"Ammar","year":"2019","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"ref_18","unstructured":"Asokan, N., Brasser, F., Ibrahim, A., Sadeghi, A.R., Schunter, M., Tsudik, G., and Wachsmann, C. (2015, January 12\u201316). SEDA: Scalable Embedded Device Attestation. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security CCS \u201915, Denver, CO, USA."},{"key":"ref_19","unstructured":"Ambrosin, M., Conti, M., Ibrahim, A., Neven, G., Sadeghi, A.R., and Schunter, M. (2016, January 24\u201328). SANA: Secure and Scalable Aggregate Network Attestation. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security CCS \u201916, Vienna, Austria."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"10240","DOI":"10.1109\/JIOT.2019.2936988","article-title":"SHeLA: Scalable Heterogeneous Layered Attestation","volume":"6","author":"Rabbani","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Ambrosin, M., Conti, M., Lazzeretti, R., Masoom Rabbani, M., and Ranise, S. (2018). PADS: Practical Attestation for Highly Dynamic Swarm Topologies. arXiv.","DOI":"10.1109\/SIoT.2018.00009"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Kohnh\u00e4user, F., B\u00fcscher, N., and Katzenbeisser, S. (2018, January 4\u20138). SALAD: Secure and Lightweight Attestation of Highly Dynamic and Disruptive Networks. Proceedings of the 2018 on Asia Conference on Computer and Communications Security ASIACCS \u201918, Incheon, Korea.","DOI":"10.1145\/3196494.3196544"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"8372","DOI":"10.1109\/JIOT.2019.2917223","article-title":"ESDRA: An Efficient and Secure Distributed Remote Attestation Scheme for IoT Swarms","volume":"6","author":"Kuang","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Abera, T., Bahmani, R., Brasser, F., Ibrahim, A., Sadeghi, A., and Schunter, M. (2019, January 24\u201327). DIAT: Data Integrity Attestation for Resilient Collaboration of Autonomous System. Proceedings of the 26th Annual Network & Distributed System Security Symposium (NDSS), San Diego, CA, USA.","DOI":"10.14722\/ndss.2019.23420"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Conti, M., Dushku, E., and Mancini, L.V. (2019, January 10\u201313). RADIS: Remote Attestation of Distributed IoT Services. Proceedings of the 6th IEEE International Conference on Software Defined Systems (SDS 2019), Rome, Italy.","DOI":"10.1109\/SDS.2019.8768670"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"3123","DOI":"10.1109\/TIFS.2020.2983282","article-title":"SARA: Secure Asynchronous Remote Attestation for IoT Systems","volume":"15","author":"Dushku","year":"2020","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Armknecht, F., Sadeghi, A.R., Schulz, S., and Wachsmann, C. (2013, January 4\u20138). A Security Framework for the Analysis and Design of Software Attestation. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany.","DOI":"10.1145\/2508859.2516650"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2988546","article-title":"Attestation in Wireless Sensor Networks: A survey","volume":"49","author":"Steiner","year":"2016","journal-title":"ACM Comput. Surv."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"2447","DOI":"10.1109\/COMST.2020.3008879","article-title":"Collective Remote Attestation at the Internet of Things Scale: State-of-the-art and Future Challenges","volume":"22","author":"Ambrosin","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1109\/TC.2017.2647955","article-title":"Hardware-Based Trusted Computing Architectures for Isolation and Attestation","volume":"67","author":"Maene","year":"2018","journal-title":"IEEE Trans. Comput."},{"key":"ref_31","unstructured":"Gross, T., and Sfyrakis, I. (2020). A Survey on Hardware Approaches for Remote Attestation in Network Infrastructures. arXiv."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Abera, T., Asokan, N., Davi, L., Koushanfar, F., Paverd, A., Sadeghi, A.R., and Tsudik, G. (2016, January 5\u20139). Invited\u2014Things, Trouble, Trust: On Building Trust in IoT Systems. Proceedings of the 53rd Annual Design Automation Conference, Austin, TX, USA.","DOI":"10.1145\/2897937.2905020"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.infsof.2015.03.007","article-title":"Guidelines for conducting systematic mapping studies in software engineering: An update","volume":"64","author":"Petersen","year":"2015","journal-title":"Inf. Software Technol."},{"key":"ref_34","unstructured":"Kitchenham, B., and Charters, S. (2020, December 31). Guidelines for Performing Systematic Literature Reviews in Software Engineering; Technical Report Tech. Rep. EBSE 2007-001, 2007. Available online: http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download;jsessionid=70111084BAF5EF968EC49A763F3F07AC?doi=10.1.1.117.471&rep=rep1&type=pdf."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1145\/2133375.2133377","article-title":"Return-oriented programming: Systems, languages, and applications","volume":"15","author":"Roemer","year":"2012","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1109\/TMC.2005.44","article-title":"Soft tamper-proofing via program integrity verification in wireless sensor networks","volume":"4","author":"Park","year":"2005","journal-title":"IEEE Trans. Mobile Comput."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Molva, R., Tsudik, G., and Westhoff, D. (2005). Remote Software-Based Attestation for Wireless Sensors In Security and Privacy in Ad-hoc and Sensor Networks, Springer.","DOI":"10.1007\/11601494"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Ahn, S., and Chong, K. (2007). Requirements Change Management on Feature-Oriented Requirements Tracing, Springer.","DOI":"10.1109\/ICHIT.2008.206"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Yang, Y., Wang, X., Zhu, S., and Cao, G. (2008, January 10\u201312). Distributed Software-based Attestation for Node Compromise Detection in Sensor Networks. Proceedings of the 2007 26th IEEE International Symposium on Reliable Distributed Systems (SRDS 2007), Beijing, China.","DOI":"10.1109\/SRDS.2007.31"},{"key":"ref_40","unstructured":"AbuHmed, T., Nyamaa, N., and Nyang, D.H. (December, January 30). Software-based remote code attestation in wireless sensor network. Proceedings of the GLOBECOM - IEEE Global Telecommunications Conference, Honolulu, HI, USA."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Jin, X., Putthapipat, P., Pan, D., Pissinou, N., and Makki, S.K. (2010, January 6\u201310). Unpredictable software-based attestation solution for node compromise detection in mobile WSN. Proceedings of the 2010 IEEE Globecom Workshops, GC\u201910, Miami, FL, USA.","DOI":"10.1109\/GLOCOMW.2010.5700307"},{"key":"ref_42","unstructured":"Zhang, D., and Liu, D. (July, January 28). DataGuard: Dynamic Data Attestation in Wireless Sensor Networks. Proceedings of the 2010 IEEE\/IFIP International Conference on Dependable Systems & Networks (DSN), Chicago, IL, USA."},{"key":"ref_43","first-page":"25","article-title":"Lightweight attestation scheme for wireless sensor network","volume":"8","author":"Kiyomoto","year":"2014","journal-title":"Int. J. Secur. Its Appl."},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"20799","DOI":"10.3390\/s150820799","article-title":"Towards a low-cost remote memory attestation for the smart grid","volume":"15","author":"Yang","year":"2015","journal-title":"Sensors"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"1059","DOI":"10.1016\/j.adhoc.2010.08.011","article-title":"SAKE: Software attestation for key establishment in sensor networks","volume":"9","author":"Seshadri","year":"2011","journal-title":"Ad Hoc Netw."},{"key":"ref_46","unstructured":"Seshadri, A., Luk, M., Perrig, A., van Doorn, L., and Khosla, P. SCUBA: Secure Code Update By Attestation in Sensor Networks. Proceedings of the 5th ACM Workshop on Wireless Security."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Pietro, R.D., Ma, D., Soriente, C., and Tsudik, G. (2008, January 6\u20138). POSH: Proactive co-Operative Self-Healing in Unattended Wireless Sensor Networks. Proceedings of the 2008 Symposium on Reliable Distributed Systems, Naples, Italy.","DOI":"10.1109\/SRDS.2008.23"},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Gritzalis, D., Preneel, B., and Theoharidou, M. (2010). Secure Code Update for Embedded Devices via Proofs of Secure Erasure. Computer Security\u2014ESORICS 2010, Springer.","DOI":"10.1007\/978-3-642-15497-3"},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"67809","DOI":"10.1109\/ACCESS.2018.2878995","article-title":"A Remote Attestation Security Model Based on Privacy-Preserving Blockchain for V2X","volume":"6","author":"Xu","year":"2018","journal-title":"IEEE Access"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"6133","DOI":"10.1109\/TII.2020.2963910","article-title":"A Trust-Based Team Formation Framework for Mobile Intelligence in Smart Factories","volume":"16","author":"Fortino","year":"2020","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Castelluccia, C., Francillon, A., Perito, D., and Soriente, C. (2009, January 9\u201313). On the difficulty of software-based attestation of embedded devices. Proceedings of the ACM Conference on Computer and Communications Security, Chicago, IL, USA.","DOI":"10.1145\/1653662.1653711"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/5\/1598\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:28:17Z","timestamp":1760160497000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/5\/1598"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,25]]},"references-count":51,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2021,3]]}},"alternative-id":["s21051598"],"URL":"https:\/\/doi.org\/10.3390\/s21051598","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,25]]}}}