A Platform Security Framework for Tiny Embedded Devices



Tiny embedded devices are increasingly deployed in critical control infrastructures, medical support systems and privacy-sensitive consumer products. On the lower end of the design scale, such a device may consist of a low-cost System on Chip (SoC) with around 100,000 gate equivalents including on-chip memory and basic peripherals. Such platforms will typically support a simple firmware and software environment tailored to the particular usage scenario. Supervisor/usermode separation as well as memory protection based on range/permission registers or simple memory lock bits may be available. However, advanced hardware security mechanisms such as virtualization or secure co-processors are typically too expensive in terms of silicon real estate or power consumption.

TrustLite Security Framework

Figure 1: TrustLite Security FrameworkThe TrustLite security framework comprises a set of complementary hardware protection mechanisms to provide flexible and efficient software isolation on low-cost embedded devices. We introduce an Execution-Aware Memory Protection Unit (EA-MPU) as the core component of TrustLite, providing programmable yet OS-independent isolation of software modules at runtime.


Combined with a Root of Trust, such as Secure or Measured Boot, a range of trusted computing and attestation schemes can be realized depending on the required level of assurance and flexibility. Additional components for Secure Exception Handling, secure Inter-Process Communication (IPC) and secure peripheral I/O can be included to support sophisticated usages like secure user input and secure execution of 3rd party (untrusted) code.


Advanced Software Security with Execution-Aware Memory Protection

Memory Protection Units (MPUs) providing hardware-enforced memory access control are available on a variety of embedded platforms today. MPUs typically allow permissions to be applied to specific memory ranges which are then appropriately enforced. For example, a data region might be marked as read/ write, while a code region would be marked as executable.

TrustLite extends traditional MPU designs by evaluating not only the permissions applied to a particular memory region but also the currently executing instruction address. The resultant execution-aware MPU (EA-MPU) allows us to bind code and data regions into software modules with security guarantees enforced in hardware and independently of the OS. Depending on the desired assurance level, the EA-MPU access rules can be set in hardware, initialized during Secure Boot or by a trusted system service at runtime.

In this way, TrustLite enables the secure isolation of software modules independently of the OS or other runtime software. As illustrated by the extended software stack shown below, this facilitates the provisioning of various security-sensitive services to platforms with otherwise low security assurance, as it is typically the case due to severe cost constraints and fast development cycles.



Implementation and Future Work

The TrustLite hardware extensions have been implemented on the Intel® Siskiyou Peak research architecture. Siskiyou Peak is a 32-bit, 5-stage pipeline, single-issue processor design targeted primarily at embedded applications. The processor is organized as a Harvard architecture with separate buses for instruction, data and memory-mapped I/O spaces. A simple software stack was implemented to initialize the EA-MPU and interact with security services on the platform. Our performance evaluation shows that this additional hardware is very competitive.


Figure 3: Proof of Concept using 1:43 scale model cars illustrating the TrustLite conceptIn order to tangibly showcase how TrustLite can protect critical software components from attack by untrusted software we demonstrate a simulated exploit on an automotive telematics system. The demonstration incorporates real-time control of 1:43 scale model cars (Figure 3) and illustrates how the EA-MPU can enforce access control of critical software services and hardware features. In this case the EA-MPU ensures that only authorized services can access the critical throttle control functions, regardless of compromised software in the platform‘s OS and remote management (telematics) interface.


In our further research we are exploring the various usages and extensions of the TrustLite security framework, evaluate low-cost cryptographic primitives, and investigate lightweight yet scalable protocols for secure interaction and management of TrustLite platforms.



Additional Resources




Steffen SchulzPatrick Koeberl