Hui DONG,Ying-zi SHI,Jian-gang LU

DOI: https://doi.org/10.3969/j.issn.1671-7848.2004.z1.039

2004-01-01

Abstract:Based on advanced Microprocessors MPC8260 and real-time operating system VxWorks, a high-performance embedded computing control platfonn is proposed to meet the increased requirements of complexity and real time in intelligent control systems. DSP array and FPGA is also designed for high-speed parallel signal processing. This platfonn can be used in communication, intelligent robot, military aircrafts, radar and medical imaging instruments etc.

Hiroaki Inoue

DOI: https://doi.org/10.48550/arXiv.1006.5572

2010-06-29

Abstract:Recent proliferation of embedded systems has generated a bold new paradigm, known as open embedded systems. While traditional embedded systems provide only closed base applications (natively-installed software) to users, open embedded systems allow the users to freely execute open applications (additionally-installed software) in order to meet various user requirements, such as user personalization and device coordination. Key to the success of platforms required for open embedded systems is the achievement of both the scalable extension of base applications and the secure execution of open applications. Most existing platforms, however, have focused on either scalable or secure execution, limiting their applicability. This dissertation presents a new secure platform using multi-core processors, which achieves both scalability and security. Four techniques feature the new platform: (1) seamless communication, by which legacy applications designed for a single processor make it possible to be executed on multiple processors without any software modifications; (2) secure processor partitioning with hardware support, by which Operating Systems (OSs) required for base and open applications are securely executed on separate processors; (3) asymmetric virtualization, by which many OSs over the number of processors are securely executed under secure processor partitioning; and (4) secure dynamic partitioning, by which the number of processors allocated to individual OSs makes it possible to be dynamically changed under secure processor partitioning.

Distributed, Parallel, and Cluster Computing

Roshan G. Ragel,Jude A. Ambrose,Sri Parameswaran

DOI: https://doi.org/10.48550/arXiv.1511.01946

2015-11-06

Abstract:Security of embedded computing systems is becoming of paramount concern as these devices become more ubiquitous, contain personal information and are increasingly used for financial transactions. Security attacks targeting embedded systems illegally gain access to the information in these devices or destroy information. The two most common types of attacks embedded systems encounter are code-injection and power analysis attacks. In the past, a number of countermeasures, both hardware- and software-based, were proposed individually against these two types of attacks. However, no single system exists to counter both of these two prominent attacks in a processor based embedded system. Therefore, this paper, for the first time, proposes a hardware/software based countermeasure against both code-injection attacks and power analysis based side-channel attacks in a dual core embedded system. The proposed processor, named SecureD, has an area overhead of just 3.80% and an average runtime increase of 20.0% when compared to a standard dual processing system. The overhead were measured using a set of industry standard application benchmarks, with two encryption and five other programs.

Hardware Architecture

CHEN Wen-zhi,XIE Cheng,SHI Jiao-ying

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.09.016

2005-01-01

Abstract:For implementation of complex embedded system models on operating system, a new embedded operating system kernel based on model-driven architecture called Pcanel was proposed. When the kernel provided a component-based runtime environment, finely granular component was defined as basic entity, . and component frameworks were taken as the architecture for controlling component computation. Abstract computation models in design phase were mapped on the component frameworks to solve functional problems of embedded systems,and the component frameworks controlled the executions of components to solve non-functional problems. In the transition system,the control flow of compenent was separated from computation flow by introducing a formal transition system of state and action in Pcanel, and the composition of frameworks was implemented in a formal recursive way. Experimental results indicate that Pcanel can be flexibly applied in complex embedded systems. With resriction on the component model,the composition and verification of components can be achieved more easily.

Hesham Almatary,Michael Dodson,Jessica Clarke,Peter Rugg,Ivan Gomes,Michal Podhradsky,Peter G. Neumann,Simon W. Moore,Robert N. M. Watson

DOI: https://doi.org/10.48550/arXiv.2206.02852

2022-06-11

Abstract:Existing high-end embedded systems face frequent security attacks. Software compartmentalization is one technique to limit the attacks' effects to the compromised compartment and not the entire system. Unfortunately, the existing state-of-the-art embedded hardware-software solutions do not work well to enforce software compartmentalization for high-end embedded systems. MPUs are not fine-grained and suffer from significant scalability limitations as they can only protect a small and fixed number of memory regions. On the other hand, MMUs suffer from non-determinism and coarse-grained protection. This paper introduces CompartOS as a lightweight linkage-based compartmentalization model for high-end, complex, mainstream embedded systems. CompartOS builds on CHERI, a capability-based hardware architecture, to meet scalability, availability, compatibility, and fine-grained security goals. Microbenchmarks show that CompartOS' protection-domain crossing is 95% faster than MPU-based IPC. We applied the CompartOS model, with low effort, to complex existing systems, including TCP servers and a safety-critical automotive demo. CompartOS not only catches 10 out of 13 FreeRTOS-TCP published vulnerabilities that MPU-based protection (e.g., uVisor) cannot catch but can also recover from them. Further, our TCP throughput evaluations show that our CompartOS prototype is 52% faster than relevant MPU-based compartmentalization models (e.g., ACES), with a 15% overhead compared to an unprotected system. This comes at an FPGA's LUTs overhead of 10.4% to support CHERI for an unprotected baseline RISC-V processor, compared to 7.6% to support MPU, while CHERI only incurs 1.3% of the registers area overhead compared to 2% for MPU.

Cryptography and Security

Xia Zhou,Jiaqi Li,Wenlong Zhang,Yajin Zhou,Wenbo Shen,Kui Ren

DOI: https://doi.org/10.1145/3492321.3519573

2022-01-01

Abstract:Bare-metal embedded systems usually lack security isolation. Attackers can subvert the whole system with a single vulnerability. Previous research intends to enforce both privilege isolation (to run application code at the unprivileged level) and resource isolation for global variables and peripherals. However, it suffers from partition-time and execution-time over-privilege issues, due to the limited hardware resources (MPU regions) and the improper way to partition a program. In this paper, we propose operation-based isolation for bare-metal embedded systems. An operation is a logically independent task composed of an entry function and all functions reachable from it. To solve the partition-time over-privilege issue, we utilize the global variables shadowing technique to reduce the needed MPU regions to confine the access of the global variables. To mitigate the execution-time over-privilege issue, we split programs into code compartments (called operation) that only contain necessary functions to perform specific tasks, thereby removing the resources needed by unnecessary functions. We implement a prototype called OPEC, which contains an LLVM-based compiler and a reference monitor. The compiler partitions a program and analyzes the resource dependency for each operation. With the hardware-supported privilege levels and MPU, the reference monitor is responsible for enforcing the privilege and resource isolation at runtime. Our evaluation shows that OPEC can achieve the security guarantees for the privilege and resource isolation with negligible runtime overhead (average 0.23%), moderate Flash overhead (average 1.79%), and acceptable SRAM overhead (average 5.35%).

Yuanyuan Zhang,Dawu Gu,Fangyong Hou,Mengqi Zeng,Tao Cheng

DOI: https://doi.org/10.1080/15501320802575161

IF: 1.938

2009-01-01

International Journal of Distributed Sensor Networks

Abstract:Propose a secure architecture for embedded systems by adding a secure engine to processors. This secure engine provides data confidentiality and integrity, which ensures data cannot be comprehended and modified outside CPU or SoC. Galois/Counter Mode is introduced in our secure engine, which can generate ciphertext and its message authentication code(MAC) simultaneously. Moreover, we introduce several schemes to reduce memory latency and prompt system performance. Evaluation results reveals that our scheme advances in both security and performance than former security architectures for embedded systems.

Sufyan Samara,Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1007/978-3-642-15234-4_11

2010-01-01

Abstract:This paper presents a novel flexible, dependable, and reliable operating system design for distributed reconfigurable system on chip. The dependability and reliability are achieved by integrating online model checking technique. Each OS service has different implementations which are further partitioned into small blocks. This operating system design allows the OS service to be adapted at runtime according to the given resource requirements and response time. Such adaptable services may be required by real time safety-critical applications. The flexibility introduced in executing adaptable OS services also gives rise to a potential safety problem. Thus, online model checking is integrated to the operating system so as to improve the dependability, reliability, and fault tolerance of these adaptable OS services.

D. Tian,Dongyan Xu,Arslan Khan

DOI: https://doi.org/10.1109/SP46215.2023.10179285

2023-05-01

Abstract:Embedded systems comprise of low-power microcontrollers and constitute computing systems from IoT nodes to supercomputers. Unfortunately, due to the low power constraint, the security of these systems is often overlooked, leaving a huge attack surface. For instance, an attacker compromising a user task can access any kernel data structure. Existing work has applied compartmentalization to reduce the attack surface, but these systems either incur a high runtime overhead or require major modifications to existing firmware. In this paper, we present Embedded Compartmentalizer (EC), a comprehensive and automatic compartmentalization toolchain for Real-Time Operating Systems (RTOSs) and baremetal firmware. EC provides the Embedded Compartmentalizer Compiler (ECC) to automatically partition firmware into different compartments and enforces memory protection among them using the Embedded Compartmentalizer Kernel (ECK), a formally verified microkernel implementing a novel architecture for compartmentalizing firmware using intra-kernel isolation. Our evaluation shows that EC is 1.2x faster than state-of-the-art systems and can achieve up to 96.2% ROP gadget reduction in firmwares. EC provides a low-cost, practical, and effective compartmentalization solution for embedded systems with memory protection and debug hardware extension.

Engineering,Computer Science

Pascal Nasahl,Robert Schilling,Mario Werner,Stefan Mangard

DOI: https://doi.org/10.1145/3433210.3453112

2021-05-24

Abstract:To ensure secure and trustworthy execution of applications in potentially insecure environments, vendors frequently embed trusted execution environments (TEE) into their systems. Applications executed in this safe, isolated space are protected from adversaries, including a malicious operating system. TEEs are usually build by integrating protection mechanisms directly into the processor or by using dedicated external secure elements. However, both of these approaches only cover a narrow threat model resulting in limited security guarantees. Enclaves nested into the application processor typically provide weak isolation between the secure and non-secure domain, especially when considering side-channel attacks. Although external secure elements do provide strong isolation, the slow communication interface to the application processor is exposed to adversaries and restricts the use cases. Independently of the used approach, TEEs often lack the possibility to establish secure communication to peripherals, and most operating systems executed inside TEEs do not provide state-of-the-art defense strategies, making them vulnerable to various attacks. We argue that TEEs, such as Intel SGX or ARM TrustZone, implemented on the main application processor, are insecure, especially when considering side-channel attacks. In this paper, we demonstrate how a heterogeneous multicore architecture can be utilized to realize a secure TEE design. We directly embed a secure processor into our HECTOR-V architecture to provide strong isolation between the secure and non-secure domain. The tight coupling of the TEE and the application processor enables HECTOR-V to provide mechanisms for establishing secure communication channels between different devices. We further introduce RISC-V Secure Co-Processor (RVSCP), a security-hardened processor tailored for TEEs. To secure applications executed inside the TEE, RVSCP provides hardware enforced control-flow integrity and rigorously restricts I/O accesses to certain execution states. RVSCP reduces the trusted computing base to a minimum by providing operating system services directly in hardware.

Liam Tyler,Ivan De Oliveira Nunes

DOI: https://doi.org/10.1109/tcad.2024.3444691

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Micro-controller units (MCUs) implement the de facto interface between the physical and digital worlds. As a consequence, they appear in a variety of sensing/actuation applications from smart personal spaces to complex industrial control systems and safety-critical medical equipment. While many of these devices perform safety- and time-critical tasks, they often lack support for security features compatible with their importance to overall system functions. This lack of architectural support leaves them vulnerable to run-time attacks that can remotely alter their intended behavior, with potentially catastrophic consequences. In particular, we note that, MCU software often includes untrusted third-party libraries (some of them closed-source) that are blindly used within MCU programs, without proper isolation from the rest of the system. In turn, a single vulnerability (or intentional backdoor) in one such third-party software can often compromise the entire MCU software state. In this article, we tackle this problem by proposing, demonstrating security, and formally verifying the implementation of UCCA: an Untrusted Code Compartment Architecture. UCCA provides flexible hardware-enforced isolation of untrusted code sections (e.g., third-party software modules) in resource-constrained and time-critical MCUs. To demonstrate UCCA's practicality, we implement an open-source version of the design on a real resource-constrained MCU: the well-known TI MSP430. Our evaluation shows that UCCA incurs little overhead and is affordable even to lowest-end MCUs, requiring significantly less overhead and assumptions than the prior related work.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Ofir Shwartz,Yitzhak Birk

DOI: https://doi.org/10.48550/arXiv.1803.03951

2018-03-11

Abstract:In this work we present the Secure Machine, SeM for short, a CPU architecture extension for secure computing. SeM uses a small amount of in-chip additional hardware that monitors key communication channels inside the CPU chip, and only acts when required. SeM provides confidentiality and integrity for a secure program without trusting the platform software or any off-chip hardware. SeM supports existing binaries of single- and multi-threaded applications running on single- or multi-core, multi-CPU. The performance reduction caused by it is only few percent, most of which is due to the memory encryption layer that is commonly used in many secure architectures. We also developed SeM-Prepare, a software tool that automatically instruments existing applications (binaries) with additional instructions so they can be securely executed on our architecture without requiring any programming efforts or the availability of the desired program`s source code. To enable secure data sharing in shared memory environments, we developed Secure Distributed Shared Memory (SDSM), an efficient (time and memory) algorithm for allowing thousands of compute nodes to share data securely while running on an untrusted computing environment. SDSM shows a negligible reduction in performance, and it requires negligible and hardware resources. We developed Distributed Memory Integrity Trees, a method for enhancing single node integrity trees for preserving the integrity of a distributed application running on an untrusted computing environment. We show that our method is applicable to existing single node integrity trees such as Merkle Tree, Bonsai Merkle Tree, and Intel`s SGX memory integrity engine. All these building blocks may be used together to form a practical secure system, and some can be used in conjunction with other secure systems.

Cryptography and Security,Hardware Architecture,Distributed, Parallel, and Cluster Computing,Operating Systems

C. C. Gursoy,M. Jenihhin,A. S. Oyeniran,D. Piumatti,J. Raik,M. Sonza Reorda,R. Ubar

DOI: https://doi.org/10.1109/DDECS.2019.8724642

2020-09-24

Abstract:The identification of safe faults (i.e., faults which are guaranteed not to produce any failure) in an electronic system is a crucial step when analyzing its dependability and its test plan development. Unfortunately, safe fault identification is poorly supported by available EDA tools, and thus remains an open problem. The complexity growth of modern systems used in safety-critical applications further complicates their identification. In this article, we identify some classes of safe faults within an embedded system based on a pipelined processor. A new method for automating the safe fault identification is also proposed. The safe faults belonging to each class are identified resorting to Automatic Test Pattern Generation (ATPG) techniques. The proposed methodology is applied to a sample system built around the OpenRisc1200 open source processor.

Hardware Architecture

Nobuyuki Yamasaki,Hiroyuki Chishiro,Keigo Mizotani,Kikuo Wada

DOI: https://doi.org/10.1007/978-4-431-56594-9_24

2018-07-21

Abstract:Distributed real-time systems such as automated factories, space-crafts, and robots are generally built with a set of hardware and software components designed for specific control functions with time constraints. Various key technologies including real-time processing architecture, real-time communication, a DVFS (Dynamic Voltage and Frequency Scaling) mechanism, and a real-time operating system are required to build these applications. A humanoid robot, which the authors have chosen as an authors’ target application, requires a very small controller that consists of an SiP (System-in-Package), which is composed of an SoC (System-on-Chip), DRAMs, flash memories, and power units. In this chapter, the authors present the fundamental technology on dependable SoCs and SiPs for embedded real-time systems. In particular, D-RMTP (Dependable Responsive MultiThreaded Processor), real-time operating systems, and the co-design of SoC and SiP are introduced.

Matteo Busi,Job Noorman,Jo Van Bulck,Letterio Galletta,Pierpaolo Degano,Jan Tobias Mühlberg,Frank Piessens

DOI: https://doi.org/10.48550/arXiv.2001.10881

2020-01-29

Abstract:Computer systems often provide hardware support for isolation mechanisms like privilege levels, virtual memory, or enclaved execution. Over the past years, several successful software-based side-channel attacks have been developed that break, or at least significantly weaken the isolation that these mechanisms offer. Extending a processor with new architectural or micro-architectural features, brings a risk of introducing new such side-channel attacks. This paper studies the problem of extending a processor with new features without weakening the security of the isolation mechanisms that the processor offers. We propose to use full abstraction as a formal criterion for the security of a processor extension, and we instantiate that criterion to the concrete case of extending a microprocessor that supports enclaved execution with secure interruptibility of these enclaves. This is a very relevant instantiation as several recent papers have shown that interruptibility of enclaves leads to a variety of software-based side-channel attacks. We propose a design for interruptible enclaves, and prove that it satisfies our security criterion. We also implement the design on an open-source enclave-enabled microprocessor, and evaluate the cost of our design in terms of performance and hardware size.

Cryptography and Security

Zichen Zhou,Bo Yin,Renhao Fan,Tao Liu,Bin Xu,Xiang Wang

2011-01-01

Abstract:Most embedded systems present a number of software vulnerabilities, such as buffer overflow, while the physical attacks are becoming popular as well. This paper presents a series of novel architectural-enhanced security solutions. The automated compiler extracts the intrusion model for intrusion detection and secure tag of each main memory segment at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed schemes don't change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can eliminate a wide range of common software and physical attacks with low performance penalties and minimal overheads.

Wei Hu,Tianzhou Chen,Qingsong Shi,Gang Wang,Nan Zhang,Jijun Ma,Yi Lian

DOI: https://doi.org/10.4304/jsw.4.10.1053-1060

2009-01-01

Journal of Software

Abstract:System-on-chip (SOC) has provided more powerful functions for embedded systems. Scratchpad memory (SPM), which is software-controlled on-chip memory, is used in embedded systems to reduce the speed gap between the processors and the memory and the power consumption of memory. ChipOS, a novel operating system on chip with information security support for embedded system, is proposed in this paper. It has a microkernel residing in SPM. This microkernel can execute absolutely. And it can also encapsulate the processor resources and provide virtual resources to general operating system (GPOS). At the same time, ChipOS can provide information security service through the encapsulation. The experimental results show that ChipOS has better response time and lower power consumption compared with GPOS and the security framework of ChipOS will protect GPOS with flexibility.

Julio C. B. Mattos,Luigi Carro

DOI: https://doi.org/10.1145/1284480.1284564

2007-01-01

Abstract:The growing complexity of embedded systems has claimed for more software solutions in order to reduce the time-to-market. However, while this software decrease the development time of the embedded system functionalities , it must at the same time help the handling of the embedded systems tight constraints, like energy, power and memory availability. Object orientation is now a common technique to write maintainable code, but its application to the embedded systems domain is withhold by the overhead in terms of memory, performance and code size. This paper introduces a methodology to explore object-oriented embedded software improving different levels in the software design, while dealing with different embedded systems requirements (power, memory area and performance). The proposed approach transforms the original OO code into an optimized code allowing the automatic configuration of a solution for a specific application. Experimental results with an MP3 player show a large design space exploration with different solutions in terms of performance, energy and memory.

Fardin Abdi,Chien-Ying Chen,Monowar Hasan,Songran Liu,Sibin Mohan,Marco Caccamo

DOI: https://doi.org/10.48550/arXiv.1705.01520

2017-05-04

Abstract:Many physical plants that are controlled by embedded systems have safety requirements that need to be respected at all times - any deviations from expected behavior can result in damage to the system (often to the physical plant), the environment or even endanger human life. In recent times, malicious attacks against such systems have increased - many with the intent to cause physical damage. In this paper, we aim to decouple the safety of the plant from security of the embedded system by taking advantage of the inherent inertia in such systems. In this paper we present a system-wide restart-based framework that combines hardware and software components to (a) maintain the system within the safety region and (b) thwart potential attackers from destabilizing the system. We demonstrate the feasibility of our approach using two realistic systems - an actual 3 degree of freedom (3-DoF) helicopter and a simulated warehouse temperature control unit. Our proof-of-concept implementation is tested against multiple emulated attacks on the control units of these systems.

Cryptography and Security

Marc Schink,Johannes Obermaier

DOI: https://doi.org/10.48550/arXiv.1909.05771

2019-09-12

Cryptography and Security

Abstract:The development process of microcontroller firmware often involves multiple parties. In such a scenario, the Intellectual Property (IP) is not protected against adversarial developers which have unrestricted access to the firmware binary. For this reason, microcontroller manufacturers integrate eXecute-Only Memory (XOM) which shall prevent an unauthorized read-out of third-party firmware during development. The concept allows execution of code but disallows any read access to it. Our security analysis shows that this concept is insufficient for firmware protection due to the use of shared resources such as the CPU and SRAM. We present a method to infer instructions from observed state transitions in shared hardware. We demonstrate our method via an automatic recovery of protected firmware. We successfully performed experiments on devices from different manufacturers to confirm the practicability of our attack. Our research also reveals implementation flaws in some of the analyzed devices which enables an adversary to bypass the read-out restrictions. Altogether, the paper shows the insufficient security of the XOM concept as well as several implementations.