EMBEDDED PROCESSING ARCHITECTURES FOR SECURITY

In the past, embedded systems tended to perform one or a few fixed functions.
The trend is for embedded systems to perform multiple functions and
also to provide the ability to download new software to implement new or
updated applications in the field, rather than only in the more controlled environment
of the factory. While this certainly increases the flexibility and
useful lifetime of an embedded system, it poses new challenges in terms
of the increased likelihood of attacks by malicious parties. An embedded
system should ideally provide required security functions, implement them
efficiently and also defend against attacks by malicious parties. We discuss
these below, especially in the context of the additional challenges faced
by resource-constrained embedded systems in an environment of ubiquitous
networking and pervasive computing.

Figure 1 illustrates the architectural design space for secure embedded
processing systems. Different macro-architecture models are listed in the
first row, and described further below. These include embedded general purpose
processor (EP) vs. application-specific instruction set processor
(ASIP) vs. EP with custom hardware accelerators connected to the processor
bus, etc.). The second row details instruction-set architecture and
micro-architecture choices for tuning the base processor where appropriate.
The third row articulates security processing features that must be chosen
or designed. For example, choosing the functionality to be implemented
by custom instructions, hardware accelerators or general-purpose instruction
primitives. The fourth row involves selection of attack-resistant features
in the embedded processor and embedded system design. These protect
against both software attacks and physical attacks.
This may include an enhanced memory management unit to manage a secure
memory space, process isolation architecture, additional redundant circuitry
for thwarting power analysis attacks, and fault detection circuitry.

Figure 1: Architectural design space for secure information processing

Attacks on Secure Embedded Systems

At the top level, attacks are classified into three main categories based on their functional objectives.

• Privacy attacks: The objective of these attacks is to gain knowledge of sensitive information stored,
  communicated, or manipulated within an embedded system.
• Integrity attacks: These attacks attempt to change data or code associated with an embedded system.
• Availability attacks: These attacks disrupt the normal functioning of the system by mis-appropriating
  system resources so that they are unavailable for normal operation.

A second level of classification of attacks on embedded systems is based on the agents or means used to
launch the attacks. These agents are typically grouped into three main categories as shown in Figure 1:

Figure 1: Taxonomy of attacks on embedded systems

1. Software attacks : which refer to attacks launched through software agents such as viruses,
   trojan horses, worms, etc.
2. Physical or Invasive attacks : which refer to attacks that require physical intrusion into the system
   at some level (chip, board, or system level).
3. Side-channel attacks : which refer to attacks that are based on observing properties of the system
   while it performs cryptographic operations, e.g., execution time, power consumption, or behavior in the
   presence of faults.

The agents used to launch attacks may either be passive in the sense that they do not interfere in any
manner with system execution (e.g., merely probe or observe certain properties), or may actively
interfere with the target system’s operation. Integrity and availability attacks require interference
with the system in some manner, and hence can be launched only through active agents.

It bears mentioning that, although we have classified attacks into various categories for the sake of
understanding. In practice, attackers often use a combination of various techniques to achieve their
objectives. For example, physical attacks may be used as a pre-cursor to side-channel attacks
(removing a chip’s packaging before observing the values on global wires within the chip). Our
classification is also by no means exhaustive, nor is it intended to be — the ingenuity of attackers
who invariably come up with new schemes to break security is arguably the greatest challenge to
tamper-resistant design.