An important but often neglected safety aspect of our society’s critical infrastructure involves the security of embedded software. Embedded components in critical domains were often designed decades ago with an emphasis on operational safety: robustness and correct operation under benign conditions. Security — the correct functioning of the component in the presence of attackers — used to be of very limited concern.
Software security assurance relies on techniques such as security testing, architecture and design analysis, code reviews and inspections. The effectiveness of these techniques is known to be dependent on the size and complexity of the target. Yet, even embedded control software in critical infrastructure, e.g. in medical devices, smart factories, in the smart grid or in smart automotive vehicles, often comprises millions of lines of code. Here, “smart” typically means that safety-critical functionality interacts with business logic or even infotainment, increasing the critical code base even further: we have seen hight-impact cyber attacks where “non-critical” software components posed as entry points for an all-out system compromise. In all the above domains.
Verification and Validation
The thorough verification and validation of such an extended safety-critical code base requires novel approaches to be done efficiently and cost-effectively, in particular when security is to be considered. In the past years, our team of researchers at imec-DistriNet have been working towards an approach to the security-conscious design of embedded control systems that leads to a substantial reduction of the size of these system’s critical software stack. This reduction then allows for a “divide and conquer” strategy to test and validate the software. Our work relies on strong software component isolation which is implemented in hardware. Similar to Intel SGX or ARM TrustZone, we have developed Sancus, a lightweight embedded Protected Module Architecture (PMA) to guarantee authenticity, integrity and confidentiality properties of control software that runs on 16-bit microcontrollers. In difference to commonly used isolation mechanisms (security rings, processes, sandboxing, etc.), the above architectures protect software components even from misbehaving or malicious system software, creating “safe harbours” for critical code to execute while relying on a hardware-only Trusted Computing Base (TCB) only.
We have worked on a number of compelling use cases for this technology, specifically secure smart metering infrastructure and secure and AUTOSAR-compliant CAN-based automotive control systems. In these scenarios, deliberate software design and software component isolation resulted in a reduction of the runtime software TCB from over 50 kLOC per microcontroller to often less than 1 kLOC. This reduced TCB includes components of a critical distributed application and even critical device drivers, but excludes the operating system and support libraries. The system software is still necessary for the functioning of the system but an attacker who controls, e.g. the OS, cannot harm the security of the protected application beyond availability. Importantly, the TCB reduction allows us to apply thorough testing and even formal verification to the application code.
Security for Embedded Control Systems
Our results can be related to other trusted computing architectures such as SGX or TrustZone. Of course, different PMA architectures implement different security primitives and have limitations, which are being addressed in ongoing research. In particular, we are currently looking into challenges with respect to interacting protected modules that run on heterogeneous hardware architectures, providing availability and real-time guarantees, and on ensuring the absence of vulnerabilities and runtime errors in protected software modules. To the best of our knowledge, Sancus is the only readily available PMA for embedded applications. Our hardware extensions, a C compiler, a deployment tool chain, and a growing corpus of example applications are all available under open source licenses.
About the Author
Jan Tobias Muehlberg works as a research manager at imec-DistriNet, KU Leuven (BE). His is active in the fields of software security, and formal verification and validation of software systems, specifically for embedded systems and low-level operating system components. Tobias is particularly interested in security architectures for safety-critical embedded systems and for the Internet of Things. You can find out more about Jan and his publications here.