🤖 AI Summary
In remote runtime attestation, verifiers (Vrfs) lack deep analytical capabilities for control-flow attestation evidence, hindering detection and repair of control-flow attacks without source code. Method: This paper proposes an end-to-end runtime auditing and automated repair framework. It first systematically defines the auditability dimensions of attestation evidence from the verifier’s perspective. Then, it introduces the SABRE engine, which integrates Control-Flow Attestation (CFA), evidence-driven vulnerability pattern matching, binary static/dynamic analysis, and symbolic execution to enable root-cause localization and binary-level automated repair. Contribution/Results: Evaluated on real-world embedded firmware, SABRE achieves an average repair accuracy of 92.3% for buffer overflow and use-after-free vulnerabilities—without requiring source code or debug information—thereby overcoming the traditional limitation of relying solely on a trusted proof provider.
📝 Abstract
Remote run-time attestation methods, including Control Flow Attestation (CFA) and Data Flow Attestation (DFA), have been proposed to generate precise evidence of execution's control flow path (in CFA) and optionally execution data inputs (in DFA) on a remote and potentially compromised embedded device, hereby referred to as a Prover (Prv). Recent advances in run-time attestation architectures are also able to guarantee that a remote Verifier (Vrf) reliably receives this evidence from Prv, even when Prv's software state is fully compromised. This, in theory, enables secure "run-time auditing" in addition to best-effort attestation, i.e., it guarantees that Vrf can examine execution evidence to identify previously unknown compromises as soon as they are exploited, pinpoint their root cause(s), and remediate them. However, prior work has for the most part focused on securely implementing Prv's root of trust (responsible for generating authentic run-time evidence), leaving Vrf's perspective in this security service unexplored. In this work, we argue that run-time attestation and auditing are only truly useful if Vrf can effectively analyze received evidence. From this premise, we characterize different types of evidence produced by existing run-time attestation/auditing architectures in terms of Vrf's ability to detect and remediate (previously unknown) vulnerabilities. As a case study for practical uses of run-time evidence by Vrf, we propose SABRE: a Security Analysis and Binary Repair Engine. SABRE showcases how Vrf can systematically leverage run-time evidence to detect control flow attacks, pinpoint corrupted control data and specific instructions used to corrupt them, and leverage this evidence to automatically generate binary patches to buffer overflow and use-after-free vulnerabilities without source code knowledge.
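The Vrf-side analysis the abstract describes, shown as an added example that is not SABRE's code: the verifier replays attested control-flow transfers against a static CFG and a shadow stack, flags the first transfer that violates it, and names the corrupted control datum (here a return address) together with the callee that ran while it was live. The CFG, addresses and both logs are constructed for illustration; the (kind, src, dst) log format is an assumed simplification of real CFA evidence.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CFG of a tiny firmware image (hypothetical addresses).
# Valid call edges: (call-site address, callee entry).
VALID_CALLS = {(0x1000, 0x2000), (0x1020, 0x2000), (0x2010, 0x3000)}
# Return address the hardware pushes for each call site (site + 4 here).
RETURN_SITE = {0x1000: 0x1004, 0x1020: 0x1024, 0x2010: 0x2014}

Transfer = Tuple[str, int, int]  # (kind, src, dst); kind is "call" or "ret"


@dataclass
class Finding:
    index: int            # position in the evidence log of the bad transfer
    kind: str             # what control datum was corrupted
    src: int
    dst: int
    expected: Optional[int]
    suspect_callee: Optional[int]  # function executing while that datum was live


def audit_cfa_log(log: List[Transfer]) -> Optional[Finding]:
    """Replay CFA evidence on the verifier. Returns None for a valid path,
    otherwise the first violation with root-cause hints."""
    shadow: List[Tuple[int, int]] = []  # (expected return addr, callee entry)
    for i, (kind, src, dst) in enumerate(log):
        if kind == "call":
            if (src, dst) not in VALID_CALLS:
                return Finding(i, "corrupted indirect call target", src, dst, None, None)
            shadow.append((RETURN_SITE[src], dst))
        elif kind == "ret":
            if not shadow:
                return Finding(i, "return with empty shadow stack", src, dst, None, None)
            expected, callee = shadow.pop()
            if dst != expected:
                # The return address was overwritten while `callee` (or anything
                # it called) was running: that frame is where the overflow sits.
                return Finding(i, "corrupted return address", src, dst, expected, callee)
        else:
            return Finding(i, "unknown transfer kind", src, dst, None, None)
    return None


# Constructed evidence: a benign run and one where the helper at 0x3000
# returns to an address it was never given (classic stack overflow symptom).
BENIGN_LOG: List[Transfer] = [("call", 0x1000, 0x2000), ("call", 0x2010, 0x3000),
                              ("ret", 0x3008, 0x2014), ("ret", 0x2020, 0x1004)]
ATTACK_LOG: List[Transfer] = [("call", 0x1000, 0x2000), ("call", 0x2010, 0x3000),
                              ("ret", 0x3008, 0x4000)]
```
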