Abstract

The Internet of Things (IoT) is shaped by the increasing number of low-cost Internet-connected embedded devices that are becoming ubiquitous in every aspect of modern life. Because of their cost-sensitive design, integrating hardware-based security mechanisms into such devices is undesirable. Securing these devices is therefore a particularly difficult challenge, especially given their growing popularity as attack targets via remote malware infestations. The vast majority of such devices are bare-metal: they execute programs in fully accessible, unprotected memory without any operating system and without any form of security. In addition, IoT operating systems offer little or no protection. This paper addresses this problem through the concept of a Security MicroVisor (SμV), which provides embedded devices that lack hardware-based memory protection units with memory isolation using software virtualisation and assembly-level code verification. More specifically, our contribution is two-fold. First, we propose SμV as a software-based memory isolation technique. We then formally verify the software architecture, written in C, to prove that it is memory-safe and crash-free. Second, we propose a software-based remote attestation scheme, as an example of a fundamental security service that can be implemented on top of SμV, to detect malware-infected devices. We first describe the design and implementation of SμV. Then, we highlight the formal verification of the software architecture and characterize the remote attestation protocol.
We evaluate the SμV implementation using an 8-bit AVR microcontroller that is widely used in IoT devices. Evaluation results show that SμV provides strong security guarantees while maintaining extremely low overhead in terms of memory footprint, performance, and power consumption. Furthermore, we also extend the performance evaluation to the remote attestation scheme, illustrating its limited overhead.
