
Project

Low-level software security.

With the rising popularity of the IoT (Internet of Things), the use of small, low-power embedded devices is increasing rapidly. Unfortunately, these kinds of devices often lack the security features we have grown used to in the domain of desktop and server computing. In a context where multiple mutually distrusting stakeholders share an IoT infrastructure to process sensitive data, however, the lack of even basic software isolation is becoming increasingly irresponsible. Finding secure yet inexpensive ways to protect these low-end devices is therefore becoming ever more critical.

The first part of this thesis proposes Sancus, an inexpensive security architecture for resource-constrained IoT devices. We start by precisely defining our context: the kind of systems we want to protect and the attacker model we use. Then, we introduce Sancus' design in enough detail for interested parties to create alternative implementations. Next, our own implementation, based on the TI MSP430 architecture, is described and evaluated in terms of hardware cost and software overhead. We conclude this part with an overview of related work and a comparison of Sancus with the most relevant alternative architectures.

In the second part, we discuss some applications of the Sancus architecture. The first application shows how a small number of protected Sancus modules can attest the state of a large unprotected software base. This is useful when adapting the whole software base to make use of Sancus' features is, for some reason, infeasible. In our second application, we show how Sancus can provide security guarantees for distributed applications that use I/O devices. We provide a deployment and attestation technique that gives high assurance that, if a distributed application produces an output, there must have been a sequence of physical input events that, when processed by the application as specified in its source code, produces the observed output event.

We conclude this thesis with a discussion of some of the design decisions of Sancus and ways to improve the architecture. We show how to improve the secure communication primitive, how to employ public-key cryptography, and how to overcome some of the inflexibilities in Sancus' design.

Date: 2 Jul 2012 → 31 Dec 2017
Keywords: Low-level, Software security
Disciplines: Applied mathematics in specific fields, Computer architecture and networks, Distributed computing, Information sciences, Information systems, Programming languages, Scientific computing, Theoretical computer science, Visual computing, Other information and computing sciences
Project type: PhD project