
Abstract

A significant fraction of Internet-connected computing devices is infected with malware. With the increased connectivity and software extensibility of embedded and industrial devices, this threat now also affects our industrial infrastructure and our personal environments. Since many of these devices interact with remote parties in security-critical or privacy-sensitive transactions, it is important to develop security architectures that allow a stakeholder to assess the trustworthiness of a computing device and to securely execute software on that device. Over the past decade, the security research community has proposed and evaluated such architectures. Important and promising examples are protected software module architectures. These architectures support the secure execution of small protected software modules even on devices that are infected with malware. They also make it possible for remote parties to collect trust evidence about a device: the remote party can use the security architecture to collect measurements that give assurance that the device is in a trustworthy state.

In this paper we outline the essential ideas behind this promising recent line of security research, and report on our experiences in developing several protected module architectures for different types of devices.



Acknowledgments

This work has been supported in part by the Intel Lab’s University Research Office. This research is also partially funded by the Research Fund KU Leuven, and by the EU FP7 project NESSoS. With the financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).

Raoul Strackx holds a PhD grant from the Agency for Innovation by Science and Technology in Flanders (IWT).


Copyright information

© 2013 Springer Fachmedien Wiesbaden

About this chapter

Cite this chapter

Strackx, R., Noorman, J., Verbauwhede, I., Preneel, B., Piessens, F. (2013). Protected Software Module Architectures. In: Reimer, H., Pohlmann, N., Schneider, W. (eds) ISSE 2013 Securing Electronic Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-03371-2_21


  • DOI: https://doi.org/10.1007/978-3-658-03371-2_21

  • Publisher Name: Springer Vieweg, Wiesbaden

  • Print ISBN: 978-3-658-03370-5

  • Online ISBN: 978-3-658-03371-2

  • eBook Packages: Computer Science (R0)
