Hardware/Software Co-designed Security Extensions for Embedded Devices

  • Maja Malenko
  • Marcel Baunach
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11479)


The rise of the Internet of Things (IoT) has dramatically increased the number of low-cost embedded devices. Once connected to today's cyber-physical world, these devices become attack targets, especially if they offer no protection mechanisms. In this work we present a hardware/software co-designed memory protection approach that provides efficient, cheap, and effective isolation of tasks. The security extensions are implemented in a RISC-V-based MCU and a microkernel-based operating system. On our FPGA prototype the hardware extensions use less than 5.5% of the FPGA's LUTs and 24.7% of its flip-flops (FFs). They add 28% to the context switch time, while providing protection of shared on-chip peripherals and authenticated communication via shared memory.
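This page does not describe the internals of the paper's MPU extension, so the following is an added illustration, not the authors' code: a host-side C model of the standard RISC-V PMP defined in the privileged architecture v1.10 (the spec the paper cites), which is the kind of mechanism a per-task memory protection unit on a RISC-V MCU builds on. It shows the three pieces the abstract's claims rest on: each task carries its own set of region entries, the kernel reloads them at every context switch, and the hardware decides every access by the first matching entry, so a peripheral's MMIO window is reachable only from the task that owns it and a shared buffer can be writable for one task and read-only for another. The memory map, task layout, the NPMP limit and the functions pmp_napot, pmp_check, switch_to and demo_isolation are all constructed for this example; the CSRs are modelled as a C array so it runs on any host.

```c
/* Added example, not the paper's code: a host-side C model of the RISC-V PMP
 * (privileged spec v1.10) showing per-task region sets, their reload on a
 * context switch, and first-match access checks.  Memory map and tasks are
 * constructed for this example; NA4 mode is omitted for brevity. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* pmpcfg byte: R/W/X permission bits and the A field selecting the address mode */
#define PMP_R       0x01
#define PMP_W       0x02
#define PMP_X       0x04
#define PMP_A_MASK  0x18
#define PMP_A_OFF   0x00
#define PMP_A_TOR   0x08
#define PMP_A_NAPOT 0x18
#define NPMP 4   /* entries modelled per task; the spec allows up to 16 */

typedef struct { uint32_t pmpaddr; uint8_t pmpcfg; } pmp_entry_t;
typedef struct { const char *name; pmp_entry_t pmp[NPMP]; } task_t;

static pmp_entry_t current[NPMP];   /* stands in for the live pmpaddrN and pmpcfgN CSRs */

/* Encode a NAPOT region: base size-aligned, size a power of two >= 8.
 * pmpaddr = (base >> 2) with t trailing ones, t ones meaning 2^(t+3) bytes. */
bool pmp_napot(uint32_t base, uint32_t size, uint8_t perm, pmp_entry_t *e) {
    if (size < 8 || (size & (size - 1)) || (base & (size - 1))) return false;
    e->pmpaddr = (base >> 2) | ((size >> 3) - 1);
    e->pmpcfg  = PMP_A_NAPOT | (perm & (PMP_R | PMP_W | PMP_X));
    return true;
}

static unsigned trailing_ones(uint32_t v) {
    unsigned n = 0;
    while (n < 32 && (v >> n) & 1u) n++;
    return n;
}

/* U-mode access to one address: lowest-numbered matching entry decides; no match faults. */
bool pmp_check(const pmp_entry_t *pmp, size_t n, uint32_t addr, uint8_t acc) {
    for (size_t i = 0; i < n; i++) {
        uint8_t mode = pmp[i].pmpcfg & PMP_A_MASK;
        uint64_t lo, hi;
        if (mode == PMP_A_OFF) continue;
        if (mode == PMP_A_TOR) {                /* [pmpaddr[i-1]<<2, pmpaddr[i]<<2) */
            lo = i ? (uint64_t)pmp[i - 1].pmpaddr << 2 : 0;
            hi = (uint64_t)pmp[i].pmpaddr << 2;
        } else {                                /* NAPOT: decode size from trailing ones */
            unsigned t = trailing_ones(pmp[i].pmpaddr);
            uint32_t mask = t >= 32 ? 0xFFFFFFFFu : (1u << t) - 1;
            lo = (uint64_t)(pmp[i].pmpaddr & ~mask) << 2;
            hi = lo + (8ULL << t);
        }
        if (addr >= lo && addr < hi) return (pmp[i].pmpcfg & acc) == acc;
    }
    return false;
}

/* Context switch: a kernel would csrw the next task's set into pmpaddr0..3 and pmpcfg0. */
void switch_to(const task_t *t) { memcpy(current, t->pmp, sizeof current); }

/* Two driver tasks, each owning one MMIO peripheral, sharing an IPC buffer (A writes,
 * B reads) and an R+X code region.  Constructed map: UART 0x10000000, SPI 0x10001000,
 * stacks in SRAM from 0x80000000, IPC buffer 0x80001000, code 0x80010000. */
bool demo_isolation(void) {
    task_t a = { "uart_driver", {{0, 0}} }, b = { "spi_driver", {{0, 0}} };
    bool ok = true;
    ok &= pmp_napot(0x80000000u,  4096, PMP_R | PMP_W, &a.pmp[0]);  /* A stack   */
    ok &= pmp_napot(0x10000000u,   256, PMP_R | PMP_W, &a.pmp[1]);  /* UART      */
    ok &= pmp_napot(0x80001000u,   256, PMP_R | PMP_W, &a.pmp[2]);  /* IPC (rw)  */
    ok &= pmp_napot(0x80010000u, 65536, PMP_R | PMP_X, &a.pmp[3]);  /* code      */
    ok &= pmp_napot(0x80002000u,  4096, PMP_R | PMP_W, &b.pmp[0]);  /* B stack   */
    ok &= pmp_napot(0x10001000u,   256, PMP_R | PMP_W, &b.pmp[1]);  /* SPI       */
    ok &= pmp_napot(0x80001000u,   256, PMP_R,         &b.pmp[2]);  /* IPC (ro)  */
    ok &= pmp_napot(0x80010000u, 65536, PMP_R | PMP_X, &b.pmp[3]);  /* code      */
    if (!ok) return false;

    switch_to(&a);
    ok &=  pmp_check(current, NPMP, 0x10000004u, PMP_W);  /* own peripheral      */
    ok &= !pmp_check(current, NPMP, 0x10001004u, PMP_W);  /* B's peripheral      */
    ok &=  pmp_check(current, NPMP, 0x80001010u, PMP_W);  /* producer may write  */
    ok &= !pmp_check(current, NPMP, 0x80000010u, PMP_X);  /* no exec from stack  */

    switch_to(&b);
    ok &=  pmp_check(current, NPMP, 0x10001004u, PMP_W);  /* own peripheral      */
    ok &= !pmp_check(current, NPMP, 0x10000004u, PMP_R);  /* A's peripheral      */
    ok &= !pmp_check(current, NPMP, 0x80000100u, PMP_R);  /* A's stack           */
    ok &=  pmp_check(current, NPMP, 0x80001010u, PMP_R);  /* consumer may read   */
    ok &= !pmp_check(current, NPMP, 0x80001010u, PMP_W);  /* but not write       */
    ok &=  pmp_check(current, NPMP, 0x80010100u, PMP_X);  /* shared code runs    */
    return ok;
}

int main(void) { puts(demo_isolation() ? "isolation holds" : "ISOLATION VIOLATED"); return 0; }
```

Two caveats when mapping this back to real hardware. The model checks a single address, whereas the spec requires every byte of an access to fall inside the one matching entry, so an unaligned access straddling two regions faults even if both would permit it. And the memcpy in switch_to stands in for a sequence of CSR writes that the kernel must execute on every switch; that reload, plus the peripheral and IPC bookkeeping around it, is the kind of work behind a context-switch overhead such as the 28% the abstract reports.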


Keywords: Memory protection · Resource protection · Inter-task communication · RISC-V · MPU



This work was conducted within the Lead-Project “Dependable Internet of Things in Adverse Environments”, subproject “Dependable Computing” (funded by TU Graz).



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  Institute of Technical Informatics, Graz University of Technology, Graz, Austria
