Abstract

Internet of Things (IoT) devices have been increasingly integrated into our daily lives. However, such smart devices suffer from a broad attack surface. In particular, attacks targeting the device software at runtime are challenging to defend against if IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension designed specifically for MCUs, is an emerging hardware security technique for fortifying the software security of MCU-based IoT devices. This article introduces a comprehensive security framework for IoT devices using TrustZone-M-enabled MCUs, in which device security is protected in five dimensions, i.e., hardware, boot-time software, runtime software, network, and over-the-air (OTA) update. Along with developing the framework, we also present the first security analysis of potential runtime software security issues in TrustZone-M-enabled MCUs. In particular, we explore the feasibility of launching stack-based buffer overflow (BOF) attacks for code injection, return-oriented programming (ROP) attacks, heap-based BOF attacks, format string attacks, and attacks against nonsecure callable (NSC) functions in the context of TrustZone-M. We validate these attacks using SAM L11, a Microchip MCU with TrustZone-M, and provide defense mechanisms in the runtime software dimension of the proposed framework. The security framework is implemented with a full-fledged secure and trustworthy air quality monitoring device using SAM L11 as its MCU.
