Hitchhiker's Guide to Secure Checkpointing on Energy-Harvesting Systems

The rise of energy-harvesting techniques hastens battery independence for the world's most energy-efficient devices. However, the unpredictability and scarcity of harvested energy mandate intermittent computation. Intermittent computation enables correct forward progress of long-running applications by bridging short bouts of computation with checkpoints. Checkpoints save the intermediate application state to non-volatile memory so that it can be restored and resumed post power cycle. Intermediate state storage opens the door to data-at-rest attacks as attackers can read, modify, and replay checkpointed state to undermine system security. Secure checkpointing approaches address the threat of attacker-accessible intermediate program state. This paper surveys the state-of-the-art secure checkpointing techniques, creating a unified threat model, taxonomy and analysis of defenses, and threat-specific defense recommendations that build on the state-of-the-art. This survey serves as a guide for any energy harvesting systems researcher or developer to existing secure checkpointing techniques and highlights the need for future work.


INTRODUCTION
In the next two years, Internet of Things (IoT) devices are going to generate 79 zettabytes of data [51]. This data finds its use in government, defense, healthcare, transportation, manufacturing, IT, and telecommunications industries, making IoT device security critical. Conventional (i.e., battery-powered) IoT devices can rely on conventional security solutions, such as cryptography, to protect their data. However, batteries are prohibitive to a smart dust future, because batteries lag computation in scaling [29].
Energy-harvesting enables devices to replace batteries with energy extracted from their surroundings, including sunlight [45], wind [34], and radio waves [30,45,63]. Unfortunately, the nature of energy harvesting leads to insufficient power supply for long-running applications. To address the challenge of long-running computation over frequent power interruptions, researchers propose intermittent computing techniques [6, 7, 13, 23, 27, 36-38, 43, 44, 59, 60]. Intermittent computation saves program state in a checkpoint, either periodically or before a power loss. Restoring the program state from the checkpoint and resuming execution ensures forward progress. However, checkpointing intermediate state of cryptographic algorithms opens the door to unconventional security threats [46,47].
Given the importance of securing checkpointed intermediate state, researchers propose a range of defenses. Unfortunately, understanding defense applicability and effectiveness is hindered by disparate threat models, disparate protections, and disparate levels of hardware support. Some recent studies survey the checkpointing techniques in existence [48] and inspect the security of energy harvesting networks [55]. However, these studies differ from our work in certain key aspects. In [48], the authors exhaustively analyze and compare the functionality of prior checkpointing techniques pertaining to energy harvesting devices under various energy sources, but they lack a security analysis of the surveyed techniques. [55], on the other hand, provides an extensive survey of the threats faced and defenses applicable to energy harvesting networks, but only very briefly examines the security of checkpointing techniques and does not consider most of the existing checkpoint defenses. In this paper, we break down the state-of-the-art secure checkpoint approaches and examine them based on their threat models, protection mechanisms, security properties, hardware prerequisites, and performance overheads. We provide a comprehensive guide for anyone who is looking to incorporate these defenses into their batteryless systems or IoT devices and insights on open problems.
This paper makes the following technical contributions:
• We inspect the threats posed to the secure checkpointing techniques and postulate a cohesive threat model that we feel best fits the current and future IoT deployments (§4, §3).
• We qualitatively compare the existing defenses with respect to their security guarantees and performance overheads (§5).
• We provide a defensive analysis given various threats and outline the hardware prerequisites for each secure checkpointing technique (§5.1, §6).
• Finally, we recommend the appropriate defenses best suited to the application they intend to protect (§6).

BACKGROUND
Energy-harvesting devices are subject to frequent, unexpected power cycles, which compels the device to save software state before power loss and restore that state when sufficient energy is available. Checkpointing software state to non-volatile memory (NVM) allows for the completion of long-running computation across power cycles; otherwise, software is doomed to continual restarts without completion. Figure 1 illustrates how checkpoint-based intermittent computation enables the completion of a long-running program.
Intermittent computation techniques differ in the frequency and size of checkpoints. They range from very frequent checkpoints in systems that use non-volatile majority gates (NV-MGs) [44] to continuous checkpoints [13,36,38,59] in systems with persistent main memory, to just-in-time checkpointing solutions [6,7,27,43,60] in mixed-volatility systems. Regardless of frequency or size, all intermittent computation techniques, in one way or another, require storing the intermediate application state in NVM to ensure forward progress.
Flash is a popular NVM choice among traditional just-in-time checkpointing approaches [43]. However, due to the high cost of writes to flash and their limited lifetime, they are ill-suited for the more checkpoint-heavy continuous checkpointing approaches. Another popular NVM choice is Ferroelectric RAM (FRAM), which offers low-power and high-endurance, high-speed writes. In addition to the performance gains, due to its lower-power writes, identical in power consumption to reads, FRAM is more resistant to differential power analysis attacks [25]. The polarization characteristic and faster write times make it much more difficult to physically or electronically monitor the internal data in FRAM [1,25]. It is also the stronger NVM against data corruption by electric fields and radiation [25]. Flash-based checkpoints require more data to be buffered up in the SRAM, increasing the challenges of keeping potentially sensitive data in place. Notwithstanding the superior performance and security of FRAM, the pervasiveness of flash-based devices and higher read rates plus clock frequencies make it the more popular choice among developers when it comes to just-in-time checkpointing.

AVENUES OF ATTACK
The first step in creating a unified threat model that we can use to compare existing secure checkpointing approaches is to understand the attacker. An important aspect of the attacker is the level of access they have to the energy harvesting device. Existing works point to two broad classes of attack: (1) conventional, software-based attacks and (2) hardware-based attacks enabled by the deployment of IoT devices deep within society.
A software-level attacker has the following capabilities:
• Time-multiplexed software (TMS) that runs on the device at a different time than the victim application. Time-multiplexed software has ungoverned access to system resources (e.g., non-volatile memory) and opens the door to both short- and long-term data retention attacks [22,39,40].
• Vetted co-resident software (VCRS) modules loaded on the device according to defense specifications.
• Unvetted co-resident software (UCRS) modules loaded on the device surreptitiously, i.e., through a buffer overflow as part of a code injection or code reuse attack [10-12, 49, 58].
Co-resident software has access to both data in non-volatile and volatile memory and is potentially able to interpose on the victim application.
A hardware-level attacker has the following capabilities:
• Bus snooping (BS): the attacker can hook probes to the PCB traces to monitor communication between the microcontroller and external memory chips. This precludes defensive approaches relying on external memory for plaintext checkpoint storage.
• Debugger access (DA): the attacker has the ability to connect a debugger to the victim system. They can use this access to load programs, monitor victim application execution, and inspect memory.
• Fine-grain power control (FGPC): the attacker can control the exact duration of victim application execution by modulating the energy available to the victim device. The attacker can also leverage their control of the victim's power to induce faults into its execution.
• Direct Memory Access (DMA): the attacker can leverage any DMA they have via the system-on-chip or PCB to access the victim's memory.
We consider a more powerful, i.e., nation-state adversary out of scope. Thus, we assume that the attacker will not destroy the device in an attempt to uncover the secrets buried within. Additionally, we consider addressing power, timing, or electromagnetic side-channel attacks as orthogonal to secure checkpointing: a defender will handle those threats, as required, by augmenting the selected secure checkpointing approach (e.g., use a constant time and power cryptographic implementation).

ATTACK OUTCOMES
The second step in understanding the attacker is to identify their goal; no matter how the attacker accesses checkpoint data, they have a desired outcome of their attack. This paper focuses on the vulnerabilities arising from checkpointing, as without protecting against these foundational threats, all other security protections for energy harvesting devices (e.g., communication) are not trustworthy. Taking inspiration from existing attacks [46,47], we broaden and categorize the major threats to intermittent computation checkpoints as follows:
• Exfiltration: Unprotected checkpoints, whether at rest, in transit, or during creation, allow an attacker to uncover secrets by using their NVM access (see §3) to read the checkpoint directly. Beyond uncovering secrets within the checkpoint, exfiltrating checkpoints exposes the intermediate state of cryptographic algorithms, which significantly weakens their security [46,47], making it practically feasible to brute force the key. Confidentiality prevents intermediate state exfiltration.
• Replay: An attacker with read and write access to the checkpoint memory region is capable of making multiple copies of checkpoints generated at different points of program execution and reloading those checkpoints to replay the program from an attacker-controlled point [46,47]. This enables the creation of side channels leaking sensitive information about the program state. Freshness prevents checkpoint replay.
• Modification: An attacker with write access to the NVM is capable of modifying the checkpointed state [46,47]. When the device restores the checkpoint in the next power cycle, the program resumes with attacker-controlled state. This is a critical concern for cryptographic algorithms as carefully inserted faults in the intermediate state of algorithms (e.g., RSA) reveal otherwise secret information [5]. Checkpoint modification also enables differential fault analysis [17,19] to reveal secrets otherwise prevented by maintaining confidentiality. The attacker may also modify checkpoints to configure the device or bypass software-level security protections [9]. Integrity prevents checkpoint modification.
• Denial-of-Service: Attackers can use their physical access to the device to control its power. This enables them to interrupt software execution at any time by grounding the power pin(s) of the device. When this occurs during checkpoint creation, a corrupt checkpoint results. Without mitigation, this leads to buffer overflows during checkpoint restoration and can be a path to fault injection. Availability prevents state corruption.
• Counterfeiting: An attacker with write access to the NVM is also capable of loading entirely synthetic checkpoints rather than making modifications to existing ones. This is valuable if the attacker wants to trick the device into using the wrong key. Authenticity prevents checkpoint counterfeiting.
Based upon these attack outcomes, we uncover five security properties required to secure checkpoints and protect intermittent computation:
• Confidentiality is preventing the attacker from either accessing or making sense of the checkpoint.
• Integrity ensures that the attacker does not tamper with the checkpoint.
• Authenticity prevents an attacker from loading checkpoints that the device did not create.
• Freshness prevents reordering or replaying checkpoints.
• Availability ensures that there is always a valid checkpoint for the device to restart execution with.

SECURITY ANALYSIS
Our analysis of secure checkpointing techniques reveals the existence of two main types of checkpoint isolation techniques: PC-based memory access control (i.e., memory-based isolation) and encryption (i.e., cryptographic-based isolation). Figure 2 illustrates the bifurcation of defenses based on the checkpoint protection technique and also highlights the security properties provided by the respective techniques.
Cryptographic isolation utilizes cryptographic algorithms to encrypt, decrypt, or compute authentication tags for the checkpoints. Optimal Checkpointing [18] uses the lightweight PRINCE block cipher to encrypt the checkpoints during context saving and restoration phases. Optimal Checkpointing uses cryptography for only providing confidentiality to checkpoints and does not confer integrity, authenticity, freshness, or availability of checkpoints. In addition to confidentiality, SECCS [56,57] offers integrity of checkpoints by storing them with their Hash-based Message Authentication Code (HMAC) tag. SECCS does not include support for maintaining the freshness or availability of checkpoints. An attacker is capable of making copies of the older encrypted checkpoints with their respective HMAC signature and PUF challenge from the NVM, writing them to the device's NVM at their will, and powering up the device to a previous state, successfully performing replay attacks. To address this issue, Secure Application Continuity (SAC) [52] devises checkpoint refresh and restore routines which use a MAC for generating authentication tags and an incremental nonce for freshness. To ensure the availability of checkpoints, SAC uses a double-buffering checkpoint approach which creates checkpoints in an alternating manner and restores the most recent valid checkpoint state of the two. SAC leverages hardware-accelerated AES and software-based encryption schemes to generate a hash of the program state, secret key, nonce, and authentication tag of the previous checkpoint using the MAC. SICP [32,47] extends SAC to also account for the confidentiality of checkpoints using Authenticated Encryption with Associated Data (AEAD). Optimized SICP [31,47] enhances SICP to reduce its energy and time overhead by discarding the re-encryption of checkpoints using a nonce during the restore phase as well as substituting the verification of checkpointed state during refresh and restore with a 1-bit flag for checking the most recent valid checkpoint.
In contrast to cryptographic isolation, memory isolation leverages either existing or custom Program-Counter (PC) based memory access control mechanisms to prevent the attacker from being able to access the checkpoint. SIA [16] relies on existing Memory Protection Unit (MPU) features available on some mid-range microcontrollers [2,26,54] in conjunction with services like remote attestation, self-attestation, and secure communication between the software provider and the software module deployed on the actual device, to provide confidentiality and integrity of checkpoints. Other approaches replace the MPU with ARM TrustZone to provide confidentiality and integrity without added functionality for the availability of checkpoints [3,62]. Even though the TrustZone-based approaches do not ensure the availability of checkpoints, invalid program states are rare, and they significantly outperform the hardware and software cryptographic isolation techniques in terms of energy and time overhead, due to the reduced cost of not performing encryption and decryption. Physical separation inherently provides freshness of checkpoints, as an attacker with no access to the checkpoint image cannot make copies of it for replay purposes. MPI [21] extends the security guarantees of its custom software hypervisor to also offer the availability of checkpoints by using a double-buffering checkpoint approach similar to SECCS, SAC, SICP, and optimized SICP.

Shortcomings
After comparing each defense's threat model and security properties, it is now possible to evaluate their security in a unified way. Table 1 qualitatively compares how each secure checkpointing technique fulfills each security guarantee. Optimal Checkpointing [18] uses a PRINCE cipher to encrypt checkpoints. However, the PRINCE block cipher is susceptible to cryptanalysis attacks [28,50] which lie well below the operational complexity of 2^80 required for a practical cryptanalytic attack [4]. In addition to this weakness, Optimal Checkpointing does not mention the key storage facility for the PRINCE cipher. For hardcoded keys, the adversary can brute force the 16-byte segments of the device image to reveal the key and use automated tools to uncover obfuscated keys. The confidentiality can be improved by using a stronger encryption algorithm like AES, but it adds 84% run-time overhead compared to the PRINCE cipher and the problem of secret key storage remains. Even worse, Optimal Checkpointing requires an off-chip non-volatile memory for checkpoints which makes it susceptible to bus snooping attacks. SECCS [56,57] uses a stream cipher with a unique Physically Unclonable Function (PUF) derived secret key for every encryption and decryption session which ensures that leaking one session key does not compromise the confidentiality of the subsequent checkpoints. SAC [52], SICP [32,47], and Optimized SICP [31,47] propose storing the key in a tamper-free memory area, but such a hardware feature is not standard in the low-end microcontrollers that support intermittent computation.

Table 1: Qualitative analysis of security guarantees each secure checkpointing technique provides to its checkpoints. Symbols: STRONG, WEAK and NONE.
Defense Strategy    C    I    F    A
Optimal Checkpointing [18]
SECCS [56,57]
SAC [52]
SICP [32,47]
Optimized SICP [31,47]
SIA [16]
MPI [21]
ARM TrustZone [3,62]
More importantly, the cryptographic isolation-based checkpoint defenses do not protect the active state of the device, including the checkpoint generation and restoration APIs. Even though they mention that side-channel or fault injection attacks are beyond the scope of their threat model, a realistic threat model dictates that the security designers include such provisions. A software-level adversary is capable of carrying out code injection or reuse attacks [10-12, 49, 58] to modify the checkpoint APIs themselves or exploit bugs in the software module to corrupt the checkpoint process and even leak the tamper-free data like secret keys and nonce by escalating privileges, which compromises all the security guarantees of the entire defensive mechanism. Also, the possibility of using direct memory access (DMA) and interrupts further weakens the security of the cryptography-based schemes as an attacker is capable of accessing the plaintext in the device's main memory/register state upon power-up.
Cipher-based isolation fundamental weaknesses: Beyond only addressing the security of checkpoint data while it is at rest in non-volatile memory, the state of the art suffers from other limitations. First is the key source; we recommend a SECCS-inspired approach based on a PUF. Instead of using a PUF to generate session keys (which is actually easier as it side-steps the problem of dealing with noise inherent to PUFs), we advocate using a single key as it ensures checkpoints are readable across power cycles. Second, the PRINCE cipher needs to be replaced with a more secure cipher that is still efficient and that also provides integrity. Third, there needs to be a deployable solution to provide freshness.
Even though memory isolation techniques consider software-level attackers in their threat models, they do not necessarily fulfill their security objectives. SIA [16] leverages a Memory Protection Unit (MPU) to isolate the software modules from malicious software running on the device, but the access control mechanisms of such isolation are exploitable. Control flow hijacking disables the MPU to bypass its memory isolation guarantees, whereas exploits exist that escalate the privileges to access the isolated memory [64]. SIA does provide resilience against malicious code modifications and buffer overflow attacks [8,14,15,20,61] through slow attestation, but it is a power-intensive process and the authors recommend using it once a week, which leaves enough window for an attacker to leak the secrets and compromise the security. MPI [21], on the other hand, relies on a software-based Trusted Computing Module (TCM) to maintain its memory access controls. However, their TCM physically exists at the same privilege level as the rest of the device software. Although this suffices to protect against remote adversaries who load their software via the TCM's loader/verifier, it does not consider adversaries who are capable of maliciously loading their software on the device. Buffer overflow attacks [8,14,15,20,61] bypass the TCM's loader/verifier to deploy malicious code. The attacker also possesses the ability to use the debugger to read the contents of the access-controlled memory as there is no hardware support to ensure physical separation; the TCM only provides logic domain separation. The attacker is then capable of copying the software image, performing a factory reset, reprogramming the device, and then reloading the software image in a modified context to get unauthorized access to the logically isolated memory, breaking all its security guarantees. When it comes to TrustZone-based approaches [3,62], off-the-shelf TrustZone-M devices do not come with persistent RAM technologies like FRAM which offers better security against hardware and electronic tampering [1,25] of checkpoints compared to Flash. Also, it is worth mentioning that fault injection attacks like Clkscrew [53] and long-term data remanence attacks like UnTrustZone [40] break the security guarantees of ARM TrustZone by pausing the trusted execution in a controlled manner to reveal its internal state. Nevertheless, ARM TrustZone offers a reliable physical isolation-based secure checkpointing solution for the threat models considered in this study.
PC-based isolation fundamental weaknesses: PC-based isolation is a superior solution in terms of performance and security protection compared to cryptographic-based isolation. That being said, there remain opportunities to improve on the state of the art. The first area of improvement is addressing both short- and long-term data remanence attacks. The second area of improvement is the development of a lightweight variant of ARM TrustZone that is deployable to energy harvesting devices. The third area of improvement is providing availability.
We also qualitatively compare the performance of secure checkpointing approaches based on the time, energy, and area overhead. Table 2 highlights the results of our qualitative analysis for each approach. We consider anything below 40% to be low overhead and anything above 100% to be high for time and energy overhead comparison with respect to insecure checkpointing. For area overhead, we consider a memory footprint below 25KB to be low. We also consider the gate-level footprint of the custom hardware implementations (implementations for which pre-existing hardware support does not exist). Optimal Checkpointing [18] optimizes the number of checkpoints for an application by training a Q-learning model offline and uses an online Q-table to make the decision to checkpoint or progress on the go depending on the battery level, the stochastic behavior of harvested energy, time from the previous checkpoint and expected time to program completion. This Q-table consumes a significant part of the available non-volatile memory. It requires about 40% of a 64KB NVM for storing a Q-table corresponding to an average speedup of 30% compared to continuous checkpointing [35].

Table 2: Comparison of time, energy, and area overheads of each secure checkpointing technique compared to insecure checkpointing. Symbols: HIGH, MEDIUM and LOW.
Defense Strategy    Time    Energy    Area
Optimal Checkpointing [18]
SECCS [56,57]    -*
SAC [52]    **
SICP [32,47]
Optimized SICP [31,47]
SIA [16]
MPI [21]
ARM TrustZone [3,62]
*SECCS does not report any time overhead figures for comparison.
**SAC has a medium memory footprint with the software implementation of cryptographic algorithm Chaskey [42] and no optimization enabled.
SECCS [56,57] requires additional hardware support for a PUF, True Random Number Generator, stream cipher, and hash-based message authentication code modules. This makes its area overhead very high, equivalent to 28,295 gates (consider the ARM Cortex-M0 has a maximum gate count of 25,000 [41]). Consequently, it incurs a significant energy cost of 48% for checkpointing. SAC [52], SICP [32,47], and Optimized SICP [31,47] entail the highest time and energy overheads of all secure checkpointing techniques as they incorporate an elaborate software-based or hardware-accelerated double buffering checkpointing approach which involves the generation of authentication tags (for all the three techniques) as well as encryption/decryption of checkpoint state (only for SICP and Optimized SICP) for every checkpoint generation/restoration call.
Compared to cryptography-based checkpoint defenses, memory isolation techniques offer much better performance as they do not require encryption or decryption of checkpoints, save for MPI [21] as it relies on a software-based hypervisor. Even though MPI's overhead of checkpointing is very low, it entails a significant overall overhead due to its computationally heavy hypervisor calls. Consequently, evaluation of MPI renders its forward progress performance worse compared to the no checkpointing scenario in an application with a high number of dynamic jumps and no optimization enabled. However, it performs significantly better than the encryption-based defenses and insecure checkpointing scenario in regard to forward progress, upon enabling compiler optimizations as well as when the underlying application contains fewer dynamic addressing mode instructions.
The only option to secure checkpoints in energy harvesting devices lacking PC-based memory access control is cryptographic-based isolation. Table 3 highlights the specific hardware prerequisites for each secure checkpointing approach. Cryptographic-based isolation techniques require a facility for on-chip key storage. This facility needs to be on-chip because any off-chip key storage mechanism is susceptible to bus snooping attacks [24,33]. One way to circumvent this problem is using a source of on-chip randomness with a fuzzy extractor to generate the secret key. Unlike the session keys used by SECCS [56,57], we advocate using a single PUF-derived key to ensure that checkpoints are valid across power cycles. Note that while a PUF solves the storage problem, the defender must ensure that the attacker never gains access to the PUF, otherwise they can reproduce the key.
In addition to a single, PUF-derived key we advocate replacing the PRINCE cipher with an authenticated encryption scheme. If hardware acceleration for AES is available, we recommend AES-GCM; if not, we recommend ChaCha20-Poly1305 due to its superior performance to AES and superior security to PRINCE. Employing authenticated encryption allows the use of either internal or external memory for checkpoint ciphertext while maintaining confidentiality, integrity, and authenticity, albeit against only data-at-rest attackers that cannot access the PUF. To provide availability we advocate incorporating a double buffering of checkpoints. Providing freshness remains challenging as it requires a physically isolated location to store a checkpoint counter to compare the loaded checkpoint against, which is not generally available on energy harvesting devices.
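The double-buffered, MAC-plus-counter design that SAC uses and that the recommendation above builds on, modelled as an added example (not code from the paper or from any surveyed system). The record layout, HMAC-SHA256 as the MAC, the constructed key standing in for a PUF-derived key, and `trusted_counter` as a counter held in physically isolated storage are all assumptions; encryption is left out so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("<QI")              # monotonic counter, state length
TAG_LEN = hashlib.sha256().digest_size     # HMAC-SHA256 tag (assumed MAC)


class NoValidCheckpoint(Exception):
    """Neither slot holds a record that authenticates."""


class StaleCheckpoint(Exception):
    """Newest authentic record is older than the isolated counter."""


def _tag(key, header, state):
    return hmac.new(key, header + state, hashlib.sha256).digest()


def write_checkpoint(nvm, key, counter, state, torn_at=None):
    """Write `state` to the slot that does not hold the newest checkpoint.

    Returns the value the isolated counter should hold afterwards.
    `torn_at` simulates power loss after that many bytes reached NVM.
    """
    new_counter = counter + 1
    header = HEADER.pack(new_counter, len(state))
    record = header + state + _tag(key, header, state)
    slot = new_counter % 2                 # alternate between the two slots
    if torn_at is not None:
        # Partial write: new bytes up front, old slot contents behind them.
        nvm[slot] = record[:torn_at] + nvm[slot][torn_at:]
        return counter                     # the commit never happened
    nvm[slot] = record
    return new_counter


def _parse(key, slot, raw):
    """Return (counter, state) if the record in `slot` authenticates."""
    if len(raw) < HEADER.size + TAG_LEN:
        return None
    counter, length = HEADER.unpack_from(raw)
    # A torn or forged header must not decide how many bytes are restored.
    if length != len(raw) - HEADER.size - TAG_LEN:
        return None
    header, state = raw[:HEADER.size], raw[HEADER.size:HEADER.size + length]
    tag = raw[HEADER.size + length:]
    if not hmac.compare_digest(tag, _tag(key, header, state)):
        return None
    if counter % 2 != slot:                # record copied into the wrong slot
        return None
    return counter, state


def restore(nvm, key, trusted_counter=None):
    """Pick the newest authentic slot; enforce freshness if a counter exists.

    trusted_counter=None models a device with no isolated counter storage.
    """
    valid = [r for i, raw in enumerate(nvm)
             if (r := _parse(key, i, raw)) is not None]
    if not valid:
        raise NoValidCheckpoint("no slot authenticates")
    counter, state = max(valid, key=lambda r: r[0])
    if trusted_counter is not None and counter < trusted_counter:
        raise StaleCheckpoint(f"slot counter {counter} < {trusted_counter}")
    return counter, state


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed stand-in for a PUF key
    nvm, ctr = [b"", b""], 0
    for n in (1, 2):
        ctr = write_checkpoint(nvm, key, ctr, b"round-%02d" % n)
    stolen = list(nvm)                     # attacker copies both slots
    for n in (3, 4):
        ctr = write_checkpoint(nvm, key, ctr, b"round-%02d" % n)
    ctr = write_checkpoint(nvm, key, ctr, b"round-05", torn_at=10)
    print("after torn write:", restore(nvm, key, ctr))
    nvm[:] = stolen                        # replay of the old pair
    print("replay, no counter:", restore(nvm, key))
    try:
        restore(nvm, key, ctr)
    except StaleCheckpoint as exc:
        print("replay, isolated counter:", exc)
```

Without `trusted_counter`, the replayed pair authenticates and is restored, which is the freshness gap described above. With it, corrupting the newest slot after commit yields `StaleCheckpoint` instead of a silent one-step rollback, so availability under tampering becomes a policy decision.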
When PC-based memory access control is supported by the hardware, memory isolation-based checkpointing techniques are preferred due to increased security and performance. SIA [16] provides this through a Memory Protection Unit (MPU) which is not common on energy harvesting devices and is susceptible to access control disabling and privilege escalation exploits [64]. Also, it requires additional cryptographic accelerator support for low-overhead secure attestation features.
ARM TrustZone-M offers a reasonable amount of security with little performance overhead. The main limitations of ARM TrustZone are its complexity and its backing non-volatile memory. Even the lightest weight TrustZone variant is too large for the smallest energy harvesting devices, leaving room for a more tailored trusted execution environment that trades some performance degradation for reduced hardware complexity. In addition to complexity, current TrustZone devices use Flash as their non-volatile memory. Research shows that Flash's write endurance and slow write/erase times are antithetical to intermittent computation [60]. Most intermittent computation systems use FRAM as their source of non-volatile memory [6,7,27,38,59]. We advocate either combining FRAM with a lightweight trusted execution environment or combining cryptographic- and PC-based isolation.
We view Texas Instruments MSP430 devices with FRAM and Intellectual Property Encapsulation (IPE) as the most promising way forward for high-performance and secure checkpoints in intermittent computation systems. IPE is a special case of MPU-based memory isolation where the MPU snoops on the memory address bus to maintain physical separation from both on- and off-chip sources. The only way to disable IPE is through a mass erase of the device. Thus, we feel MSP430 IPE represents the best physical isolation technique for deployability on existing checkpointing approaches.

CONCLUSION
We survey state-of-the-art works catering to the security of checkpointing techniques in energy-harvesting devices. We find the protection schemes fall under one of the two categories: cryptographic or PC-based memory isolation. Our comparative study of the adopted threat models reveals that most of the secure checkpointing techniques do not consider an adversary with physical access which is a common occurrence in real-world IoT deployments. To design a reliable intermittent computing defense, one must consider a real-world adversarial model that is practical for both vendors and software providers in terms of deployment, flexibility, and energy consciousness. We hope our work inspires research in this direction and acts as a tool guide for any vendor looking to incorporate secure checkpointing techniques in their energy-harvesting devices.

ACKNOWLEDGMENTS
The project depicted is sponsored by the Defense Advanced Research Projects Agency. The content of the information does not necessarily reflect the position or the policy of the Government, and no official endorsement should be inferred. Approved for public release; distribution is unlimited.

Figure 1: A long-running application executed completely and correctly across power cycles via checkpoint-based intermittent computation.

Figure 2: Classification of secure checkpoint approaches based on the checkpoint isolation technique and the security properties offered by each of them. Here, C represents confidentiality, I represents integrity and authenticity, F represents freshness, and A represents the availability of checkpoints. Note that this figure presents the properties that the approach attempts to maintain; Table 1 details how well each approach actually does.