Logo: to the web site of Uppsala University

uu.sePublications from Uppsala University
Planned maintenance
A system upgrade is planned for 10/12-2024, at 12:00-13:00. During this time DiVA will be unavailable.
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Towards Trustworthy and Secure Internet of Things Devices: Using hardware-assisted Trusted Execution and Automated Certification
Uppsala University, Disciplinary Domain of Science and Technology, Mathematics and Computer Science, Department of Information Technology. RISE Research Institutes of Sweden, Stockholm, Sweden.
2022 (English)Doctoral thesis, comprehensive summary (Other academic)
Description
Abstract [en]

The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. 

TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software.

Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant with standards, bearing potential for seamless integration into existing and forthcoming IoT standards and incorporates assurance guarantees with minimal addition to the existing digital certificate.

Lastly, we contribute a software update architecture based on well-vetted standards, proposing token-based access control. The architecture relies on a compact message encoding format to encode the software manifests, providing authorized updates while ensuring small code and message sizes suitable for resource-constrained IoT devices. The experimental evaluations of the proposed solutions in well-defined IoT use-cases, reveal the feasibility of their integration in existing devices with minimal effort. Furthermore, the performance analysis in each case, demonstrates execution overhead at par with system operations. 

The overall contribution of this dissertation advances the security of resource-constrained heterogeneous IoT devices, with substantial impact in the academic and industrial community. Since TrustZone-M and TPM 2.0 are in the preliminary stages of adoption in the IoT domain, these enhancements and contributions are well-timed for efficient integration, while looking forward to the effective pay-off in the near future.

Place, publisher, year, edition, pages
Uppsala: Acta Universitatis Upsaliensis, 2022. , p. 54
Series
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology, ISSN 1651-6214 ; 2206
Keywords [en]
Internet of Things, IoT device security, Trusted Execution Environments, Trusted Platform Module, TPM 2.0, IoT Certification, Assurance, TrustZone-M, TEE, Secure software updates, X.509
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:uu:diva-487067ISBN: 978-91-513-1638-3 (print)OAI: oai:DiVA.org:uu-487067DiVA, id: diva2:1705967
Public defence
2022-12-13, 4101, Lägerhyddsvägen 1, Uppsala, 13:15 (English)
Opponent
Supervisors
Available from: 2022-11-16 Created: 2022-10-24 Last updated: 2022-11-16
List of papers
1. ShieLD: Shielding Cross-zone Communication within Limited-resourced IoT Devices running Vulnerable Software Stack
Open this publication in new window or tab >>ShieLD: Shielding Cross-zone Communication within Limited-resourced IoT Devices running Vulnerable Software Stack
2022 (English)In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, p. 1-1Article in journal (Refereed) Published
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-486893 (URN)10.1109/tdsc.2022.3147262 (DOI)
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2022-10-24
2. TEE-Watchdog: Mitigating Unauthorized Activities within Trusted Execution Environments in ARM-Based Low-Power IoT Devices
Open this publication in new window or tab >>TEE-Watchdog: Mitigating Unauthorized Activities within Trusted Execution Environments in ARM-Based Low-Power IoT Devices
2022 (English)In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122, Vol. 2022, p. 1-21Article in journal (Refereed) Published
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-486897 (URN)10.1155/2022/8033799 (DOI)
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2022-10-24
3. EU Cybersecurity Act and IoT Certification: Landscape, Perspective and a Proposed Template Scheme
Open this publication in new window or tab >>EU Cybersecurity Act and IoT Certification: Landscape, Perspective and a Proposed Template Scheme
2022 (English)In: IEEE Access, E-ISSN 2169-3536, Vol. 10, p. 129932-129948Article in journal (Refereed) Published
Abstract [en]

The vulnerabilities in deployed IoT devices are a threat to critical infrastructure and user privacy. There is ample ongoing research and efforts to produce devices that are secure-by-design. However, these efforts are still far from translation into actual deployments. To address this, worldwide efforts towards IoT device and software certification have accelerated as a potential solution, including UK’s IoT assurance program, EU Cybersecurity Act and the US executive order 14028. In EU, the Cybersecurity Act was launched in 2019 which initiated the European cybersecurity certification framework for Internet and Communications Technology (ICT). The heterogeneity of the IoT landscape with devices ranging from industrial to consumer, makes it challenging to incorporate IoT devices in the certification framework or introduce a European cybersecurity certification scheme solely for IoT. This paper analyses the cybersecurity certification prospects for IoT devices and also places article 54 of the EU Cybersecurity Act in an international perspective. We conducted a comparative study of existing IoT certification schemes to identify potential gaps and extract requirements of a candidate IoT device security certification scheme. We also propose an approach that can be used as a template to instantiate an EU cybersecurity certification scheme for IoT devices. In the proposed template, we identify IoT-critical elements from the article 54 of the Cybersecurity Act. We also evaluate the proposed template using the ENISA qualification system for cybersecurity certification schemes and show its qualification on all criteria.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2022
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-487065 (URN)10.1109/ACCESS.2022.3225973 (DOI)000902043600001 ()
Funder
Swedish Foundation for Strategic ResearchEU, Horizon 2020, 830927
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2023-04-28Bibliographically approved
4. TruCerT: Trusted Certification of IoT Devices Using Continuousand Trustworthy Mechanisms
Open this publication in new window or tab >>TruCerT: Trusted Certification of IoT Devices Using Continuousand Trustworthy Mechanisms
(English)Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-487064 (URN)
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2022-10-24
5. AutoCert: Automated TOCTOU-secure Digital Certification for IoT with combined Authentication and Assurance
Open this publication in new window or tab >>AutoCert: Automated TOCTOU-secure Digital Certification for IoT with combined Authentication and Assurance
2022 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, p. 102952-102952, article id 102952Article in journal (Refereed) Published
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-487063 (URN)10.1016/j.cose.2022.102952 (DOI)
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2022-10-24
6. AC-SIF: ACE Access Control for Standardized Secure IoT Firmware Updates
Open this publication in new window or tab >>AC-SIF: ACE Access Control for Standardized Secure IoT Firmware Updates
2022 (English)In: SECURWARE 2022: The Sixteenth International Conference on Emerging Security Information, Systems and Technologies / [ed] George O. M. Yee, International Academy, Research and Industry Association (IARIA), 2022, p. 54-62Conference paper, Published paper (Refereed)
Abstract [en]

Globally identifiable, internet-connected embedded systems can be found throughout critical infrastructures in modern societies. Many of these devices operate unattended for several years at a time, which means a remote software update mechanism should be available in order to patch vulnerabilities. However, this is most often not the case, largely due to interoperability issues endemic to the Internet of Things (IoT). Significant progress toward global IoT compatibility has been made in recent years. In this paper we build upon emerging IoT technologies and recommendations from IETF SUIT working group to design a firmware update architecture which (1) provides end-to-end security between authors and devices, (2) is agnostic to the underlying transport protocols, (3) does not require trust anchor provisioning by the manufacturer and (4) uses standard solutions for crypto and message encodings. This work presents the design of a firmware manifest (i.e., metadata) serialization scheme based on CBOR and COSE, and a profile of CBOR Web Token (CWT) to provide access control and authentication for update authors. We demonstrate that this architecture can be realized whether or not the recipient devices support asymmetric cryptography. We then encode these data structures and find that all required metadata and authorization information for a firmware update can be encoded in less than 600 bytes with this architecture.

Place, publisher, year, edition, pages
International Academy, Research and Industry Association (IARIA), 2022
Series
International Conference on Emerging Security Information, Systems and Technologies, E-ISSN 2162-2116
Keywords
ACE, SUIT, COSE, IoT, security
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-487066 (URN)978-1-68558-007-0 (ISBN)
Conference
SECURWARE 2022, The Sixteenth International Conference on Emerging Security Information, Systems and Technologies, 16-20 October 2022, Lisbon, Portugal
Funder
Swedish Foundation for Strategic ResearchEU, Horizon 2020, 830927
Available from: 2022-10-23 Created: 2022-10-23 Last updated: 2023-04-28Bibliographically approved

Open Access in DiVA

UUThesis_Khurshid,A-2022(1500 kB)733 downloads
File information
File name FULLTEXT01.pdfFile size 1500 kBChecksum SHA-512
2f4a5bbba5d47a361d5d201e9dc4486fcb04dba89aa37c9b6d71f788490703200448122fc683a619ccf88172a086aabbb691a7dc41e5e5cc9a6d6a9a1fc37d8e
Type fulltextMimetype application/pdf
omslag(827 kB)62 downloads
File information
File name COVER01.pdfFile size 827 kBChecksum SHA-512
33f668cfd80ee32a3747e5c679db95916f0a67c2bcfa2d92c972b58a3016d78f4fc0df1b9e1975127acfa6096861e1162a256672bb5db7ad32016454df407785
Type coverMimetype application/pdf

Authority records

Khurshid, Anum

Search in DiVA

By author/editor
Khurshid, Anum
By organisation
Department of Information Technology
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 734 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 1090 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf