Skip to Main content Skip to Navigation

An In-Depth Study and Implementation of Protection Mechanisms For Embedded Devices Running Multiple Applications

Abstract : Looking at the speed by which embedded systems technologies are advancing, there is no surprise the attacks' number is rising. Many applications are written quickly in a low-level language to keep up with industry pace, and they contain a variety of bugs. Bugs can be used to break into a device and to run malicious code. Reviewing code becomes more and more complex and costly due to its size. Another factor complicating code review is the use of on-the-shelf libraries. Even a detailed code review does not guarantee a bug-free application.This thesis presents an architecture to run securely untrusted applications on the same platform. We assume that the applications contain exploitable bugs, even the operating system can be exploited. We also assume that attackers can take control of In/Out hardware components (e.g., Direct Memory Access (DMA)). The device is trusted when the architecture guarantees that attackers cannot compromise the whole device and access sensitive code and data. Even when an application is compromised, our architecture guarantees a strong separation of multiple components: hardware and software. It ensures the authenticity and integrity of embedded applications and can verify their state before any sensitive operation. The architecture guarantees, for local and remote parties, that the device is running properly, and protect against software attacks.First, we study multiple attack vector and isolation and attestation architectures. We present multiple software attack vectors, and we define the security features and properties that these architectures need to ensure. We provide a detailed description of fifteen existing architectures in both academia and industry, and we compare their features. Then, we provide an in-depth study of five lightweight architectures where we give a comparison of performance, size, and how they behave against software-based attacks. From these studies, we draw our security objectives for lightweight devices: multi-layer isolation, attestation, upgradability, confidentiality, small size with a negligible run-time overhead and ease-of-use.Then, we design hybrid isolation and attestation architecture for lightweight devices. The so-called Toubkal offers multi-layered isolation; the system is composed of three layers of isolation. The first one is at the hardware level to separate In/Out components from each other. The second one is at the security monitor level; our study shows that there is a strong need to create a real separation between the security monitor and all the rest. Finally, the third layer is at the application level.However, isolation itself is not sufficient. Devices still need to ensure that the running application behaves as it was intended. For this reason, Toubkal provides attestation to be able to check the state of a device at any-time. It guarantees that a software component or data were not compromised.Finally, we prove the correctness of the security properties that Toubkal provides. We modeled Toubkal as a finite state machine and used computer-aided formal verification to prove the security properties. Then, we evaluated Toubkal's overhead. The results show that Toubkal overhead is small and fit for lightweight devices.
Document type :
Complete list of metadatas

Cited literature [101 references]  Display  Hide  Download
Contributor : Abes Star :  Contact
Submitted on : Thursday, August 27, 2020 - 1:46:08 PM
Last modification on : Friday, August 28, 2020 - 3:19:36 AM


Version validated by the jury (STAR)


  • HAL Id : tel-02923713, version 1




Abderrahmane Sensaoui. An In-Depth Study and Implementation of Protection Mechanisms For Embedded Devices Running Multiple Applications. Embedded Systems. Université Grenoble Alpes [2020-..], 2020. English. ⟨NNT : 2020GRALM002⟩. ⟨tel-02923713⟩



Record views


Files downloads