Security engineering for embedded systems – theSecFutur vision

[Vision Paper]

Sigrid GürgensFraunhofer SIT

Darmstadt, Germanyguergens@sit.fraunhofer.de

Carsten RudolphFraunhofer SIT

Darmstadt, Germanyrudolph@sit.fraunhofer.de

Antonio MañaUniversity Malaga, Spain

amg@lcc.uma.es

Simin Nadjm-TehraniLinköping University, Sweden

simin.nadjm-tehrani@liu.se

ABSTRACTSecurity is usually not in the main focus in the developmentof embedded systems. However, strongly interconnected em-bedded systems play vital roles in many everyday processesand also in industry and critical infrastructures. Therefore,security engineering for embedded systems is a disciplinethat currently attracts more interest. This paper presentsthe vision of security engineering for embedded systems for-mulated by the FP7 project SecFutur [1].

Categories and Subject DescriptorsD.2.1 [Software Engineering]: Requirements/Specifications—Methodologies, tools; C.3 [Computer Systems Organi-zation]: Special-purpose and application-based systems—Real-time and embedded systems

General TermsDesign, Security

KeywordsSecurity engineering, embedded systems

1. INTRODUCTIONThis paper describes a long-term vision on security en-

gineering for embedded systems. Parts of this vision willbe realized in the European research project SecFutur, butthe scope of the discipline of security engineering is muchwider than what can be achieved within one research project.Therefore, we publish this vision early in the project and askresearchers in the field of embedded systems as well as soft-ware and security engineering to interact with SecFutur in

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.S&D4RCES 2010 September 14, 2010, Vienna, Austria.Copyright 2010 ACM 978-1-4503-0368-2 ...$10.00.

order to make strong and efficient security solutions avail-able to the developers of complex embedded systems in away that higher assurance can be achieved and specific se-curity requirements are met.

2. MOTIVATIONThe focus of system engineering for embedded systems

usually lies on resource-efficiency, cost reduction and func-tionality. Non-functional properties, if considered in the de-velopment of embedded systems, are mainly concerned withsafety or performance. Security issues are either neglected,added as an afterthought or minimized due to cost or effi-ciency conditions in the development. One important rea-son for this situation is that in the past many embeddedsystems only had very restricted connectivity and operatedin controlled environments. Thus, security was usually suffi-ciently provided by physical protection of the embedded de-vices. This situation has dramatically changed. Evolutionof embedded systems towards devices connected via Inter-net, wireless communication or other interfaces as well as thetrend towards always growing numbers of devices (Internetof Things) requires a re-consideration of embedded systemsengineering processes. It is no longer possible to achieve therequired level of security by adding security measures latein the development process. Security engineering needs tobe part of the development in all stages of the process.

From a security point of view embedded devices are ba-sically systems owned by a certain entity and operated ina potentially hostile environment. Hence requirements thatcould be assumed to be met by systems using physically pro-tected devices need to be revisited. Possible examples caninclude non-repudiation of data, time or status of devicescontrolling sensor networks, legal requirements for calibra-tion and gauging devices, security of payment systems or theenforcement of a particular behaviour of remote-controlleddevices. A variety of specific international and national reg-ulations and standards are relevant for such devices. Manyof them require protection against manipulations.

Currently, a security engineering process for embeddedsystems that takes these considerations into account doesnot exist. However, a lot of building blocks are already avail-able to be included in such a process. These building blocks

mainly provide efficient cryptographic algorithms, hardwaresecurity anchors or protection against some side-channel at-tacks. Many of them work on standard hardware and donot require additional expensive extensions or excessive re-sources. However, most existing building blocks only pro-vide very basic security mechanisms for specific embeddeduse cases. The integration of these mechanisms in order tosatisfy more complex security requirements is not trivial,and errors in applying or combining solutions can result ina low overall security of the system.

3. OBJECTIVES OF A NEW SECURITY EN-GINEERING PROCESS

The main objective of security engineering shall be to sup-port the development of dependable and secure embeddedsystems with predictable properties. The SecFutur projectwill develop a new security engineering process that can flex-ibly integrate security solutions into an overall frameworkfor the hardware platform based design process and thatcan be incorporated into the existing design process witha minimum amount of changes. Security solutions will beprovided in terms of security building blocks that integrateexisting hardware and software security mechanisms in or-der to address complex security requirements as mentionedin the previous section. Figure 1 visualizes the main re-quirements for a security engineering process. The followinglist highlights four main goals a security engineering processshould target and summarizes the vision of the SecFuturproject with respect to these four statements:

Goal 1: Adequate support for embedded system developersto make informed security design decisions in the de-velopment process of embedded systems. As embed-ded systems will be more and more interconnected andbecome parts of the different ICT networks, higher se-curity for embedded systems also means increased trustin embedded areas of Future Internet technology.↪→ The envisioned security engineering process willsupport the exploration of the security design spacewith respect to particular security requirements of em-bedded systems, based on characteristics and restric-tions of available hardware and software. Users willbe supported in realizing trustworthiness of a systemthroughout its life cycle by creation of meaningful andcontextual interactions, tailor-made to the embeddedservices through the SecFutur development processand tools. This also has to include increased supportfor fulfillment of legal requirements e.g. for calibrationand gauging of measurement devices.

Goal 2: Embedded systems development in most cases can-not rely on expensive taylor-made hardware and soft-ware in order to achieve high security. Therefore, asecurity engineering process needs to enable efficientdevelopment of secure embedded systems on the basisof existing hardware and software.↪→ This will be achieved by providing security build-ing blocks for embedded systems, each implementing aspecific complex non-functional property using provenefficient methods.

Security building blocks for

embedded systems

Resource-efficient

security building blocks

Low-cost security

design solutions

Secure identification

of devices and users

Support of application-

driven security engineering

Remote system

validation

Authenticity of

device behaviour

Protection of

secrets on high

level of securitySecure applications

for heterogeneous

embedded

systems

Software for security

and reliability

Figure 1: Main elements of a security engineeringprocess for embedded systems

Goal 3: Security always needs to be seen relative to partic-ular security requirements. Therefore, it is essential toprovide application driven security engineering of em-bedded systems.↪→ In order to aim at the application view of se-curity, the security engineering process will considerall stages of the development of embedded systems,and will demonstrate how application specific require-ments are captured by combinations of security build-ing blocks at different phases of the development pro-cess.

Goal 4: Security engineering can only be useful if applyingthe process indeed significantly increases the securityand thus the overall quality of future designed embed-ded systems.↪→ This will be achieved by exact specification ofsecurity requirements and then using validated or ver-ified security building blocks made available throughthe security engineering process. Furthermore, the en-gineering itself needs to be complemented by tools forsecurity validation and testing.

4. APPLICATION DOMAINSEmbedded systems underpin developments in many tech-

nical areas such as automotive, avionics, telecommunica-tions, plant automation, medical systems, and consumerelectronics. Embedded devices create revenues for their own-ers and have essential roles in critical scenarios; hence theircorrect functioning is essential. Communication links as wellas embedded devices themselves are increasingly subject toattacks already known from other IT infrastructures. Tra-ditional protection based on physical separation from ma-licious environments is no longer sufficient. One reason isthat an increasing number of embedded devices are equippedwith communication interfaces and communicate via opennetwork infrastructures (e.g. Internet, wireless, peer-to-peer),and helpful advances in user control such as comfortablebrowser-based configuration introduce new attack vectors,specifically if the devices are used in systems of systems. Innetworked embedded devices with interfaces to informationinfrastructures, dependable cooperative reasoning may in-

duce emerging security requirements in systems of systems.Mobility leads to new kinds of attack scenarios such as phys-ical transportation of malware from one part of a system intoanother part across firewalls and other protection means.

Thus, identification of devices, control over the opera-tional state of a device, security of the communication be-tween devices, or even non-repudiation of actions taken at aparticular time, are security requirements that are becomingincreasingly important in today’s embedded scenarios; at thesame time these requirements are not supported by existingcombinations of hardware and software. Furthermore, withthe exception of mobile platforms, security issues are typi-cally neglected in current research and development projectsinvolving embedded systems.

Complex application scenarios like plant automation, re-mote metering, or critical communication depend on the se-cure and reliable operation of each single embedded compo-nent involved. Additionally, Future Internet thinking meansto plan beyond specific pre-planned applications of intelli-gent devices.

The following paragraphs introduce some concrete areasand their particular security challenges. These use casesshow the scope of the work in the SecFutur project.

4.1 Multi-service gatewaysDomain

Security of the digital home. Service gateways. SOHO(small office, home) protection and network protection.

Use Case DescriptionThis use case focuses on the home and small businesses net-works where Operators/ISPs foresee an important emergingmarket. In this environment the Operator provides someembedded hardware to be installed in customer’s home. Thishardware, named usually a Service Gateway or Home Gate-way, is the key element connecting the home network andthe broadband network, and acting as a service platform inthe digital home. Such a gateway will also serve as the basisfor various additional services such as supporting smart gridapplications within advanced energy distribution and con-trol infrastructures. All these facts make it the main targetof the use case.

Security ChallengesThe Service Gateway is an embedded hardware which playsa critical role for various different services and therefore de-mands many security features. Any threat affecting thisnode is potentially harmful to the customer and/or opera-tor. It shall be protected to assure both the security of thecustomer and the operator networks and data. This meansproviding features like protecting Service Gateway againstunauthorized modification, controlling the security status ofthe hardware and installed software, and enhancing the se-curity features of the services. Also, all the communicationsinvolving the Service Gateway must be secured, providingconfidentiality, integrity and privacy. In this sense, identi-fying the devices by the operator network is an importantaspect to be achieved. Last but not least, the strategic po-sition of this device allows to consider it as a starting pointto inspect the traffic flowing through for threat detectionand prevention. This includes modeling the user’s networktraffic in order to detect anomalies such as bot-nets.

4.2 Legal calibration requirementsDomain

Metering devices with legal calibration requirementsUse Case Description

Devices for measurement (e.g. of electricity consumption,of petrol consumption in petrol stations, etc.) are subjectto strict legal and technical requirements. One example ofsuch devices are electronically calibrated devices for electric-ity consumption measurement. A successful licensing of thedesign of measurement devices is based on licensing proce-dures that are based on experiences with existing implemen-tations.

Security ChallengesNew technical approaches for the development of measure-ment devices need suitable adaptations of the regulationsfor the design licensing. This holds in particular for ap-proaches that are based on a purely electronic implementa-tion of security and dependability. Security requirements inthis domain include credibility and reliability of the mea-surement devices. The fulfillment of these requirements iscontrolled and attested to by national calibration authori-ties. A license issued in one EU member state is valid inall other member states. Basis of the credibility of meteringdevices is the trust of the general public in the dependabilityof the measuring-technical systems. The public interest inthe dependability and security of measuring devices is high,without sufficient actions being taken to ensure their de-pendability and security, electronic measuring instrumentscannot be accepted as device according to legal regulations.Additionally, legal aspects of gauging have to be adaptedto support the use of advanced technology in a secure anddependable way. Another considerable advantage of digitalelectronic metering devices is the ability to serve multipleclients with one device. For this the individual data andprocedures of the clients have to be isolated from each otherin a very reliable way. Without proof of sufficient securitymechanisms this advantage cannot be achieved. in particu-lar, legal regulations concerning data protection have to befulfilled.

4.3 Ad-hoc mesh communicationDomain

Secure Ad-hoc wireless mesh communication for crisis man-agement

Use Case DescriptionInteroperability and robustness of secure communication forblue light organizations even in the case of infrastructurecommunication blackout (i.e. collape of 3G and mobile com-munication) demand for new easily deployable ad-hoc com-munications for data-, voice-, video- and sensor-information.

Security ChallengesReliable information dissemination and authenticity of in-formation is crucial in crisis management communication.In addition to the need for communication security and au-thenticity, ease of deployment dramatically increases thechallenges of information security. Therefore the commu-nication system needs to cope with mobility, robustness andad-hoc trusted network establishment. Additionally, effec-tive blue light organization communication equipment shall

be open in terms of future applications and will be basedon standard communication links such as WLAN becauseof future bandwidth needs. Therefore, crisis managementcommunication has to cope with the challenge of generalCOTS based complex embedded systems and inherent highsecurity needs. By designing sound security architecturesand measures we aim to resolve these conflicts of objectives.The security challenges lie in the support for ease of deploy-ment and interoperability in order to increase the potentialfor saving lives.

5. INNOVATION TOWARDS SECURITY EN-GINEERING FOR EMBEDDED SYSTEMS

This section describes the short term approach and partlylong-term vision to be realized during the next years by Sec-Futur and other related research and development.

1. The first key innovation is a new security engineeringprocess and supporting tools especially tailored for theneeds of embedded systems. It first provides a modelframework for security aspects of embedded systemswhich can be integrated into existing engineering pro-cesses for embedded systems. Then, it supports thedeveloper in identifying security requirements basedon the model very early in the development processof embedded applications and systems. Finally, thedeveloper is guided step-by-step through design deci-sions regarding security requirements to be addressedand considering restrictions to resources for the under-lying devices and communication links. Non-securityrelated design decisions and restrictions to the designspace can be incorporated into the process at any level.

2. The second innovation will be a set of security buildingblocks for embedded systems running on establishedhardware platforms like 8051, ARM, AVR, 68k/Cold-fire, Intel x86, 68HC12,and other 8/16/32-Bit-CPUs.By making use of existing hardware trust anchors (Trus-ted Platform Module (TPM), ARM TrustZone or M-Shield), these building blocks will provide assurancewith respect to secure system states. As embeddedsystems require a tight integration of soft- and hard-ware, security building blocks will combine hardwaretrust anchors with suitable existing software securitymechanisms. Furthermore, they will allow for means toisolate different applications owned by different stake-holders but running on the same platform. Novel se-curity mechanisms for wireless communication in theevent of existing infrastructure overloads such as ener-gy-efficient reliable manycast on top of commodity de-vices will be considered as a building block.

3. Finally, the security engineering process needs to becomplemented by a set of tools for security valida-tion and testing to be used during design time, afterre-configuration, evolution and updates, as well as atrun-time for security monitoring. The tools will relyon existing validation and test tools and extend themwith respect to security properties and also with re-spect to conditions and requirements imposed by se-curity building blocks used in a specific embedded tar-get of evaluation. The results will be demonstrated on

three show cases in the area of set-top boxes, meteringvalidation, and crisis management.

6. RELATED WORKThe focus of the embedded systems industry and research

community in the last decade has been on the reduction ofcosts, down-sizing and faster time to market through ef-ficient design processes and tools. This has led to bothexplosion of the embedded market and a drive for highermarket shares by aiming for higher reliability and quality.However, embedded systems have been physically protectedfrom massive security threats to such an extent that secu-rity attributes like confidentiality, integrity, and availabilityhave hardly been regarded as a central feature in the designof such systems.

However, security engineering approaches for embeddedsystems can build on a large body of work in IT Security.In particular, a large variety of security mechanisms alreadyexists and is ready to be deployed for embedded systems.These include hardware mechanisms such as crypto pro-cessors and TPMs, and software libraries. This is partic-ularly true for embedded systems using standard architec-tures (e.g. resource-efficient PC architectures such as 8051,ARM, AVR, MIPS, PowerPC, 68k/Coldfire, Intel x86, 68H-C12, C167). Remarkably, only in very few areas securitymechanisms are included into embedded systems’ develop-ment, and if so, they are tailored to specific applications.This was partly caused by the fact that traditionally embed-ded system development was much stronger concentrated onresolving safety and cost issues. These constraints will havea modified impact by supporting the design process of em-bedded systems in order to allow for the development ofhighly secure systems.

Even though embedded systems are becoming prevalentin the every day life of all citizens of the European union,there is not much focus on security-driven requirements ofembedded systems [19]. Marwedel [12] pays a little attentionon dependability requirements, more or less an exception ofits kind. On the other hand, we are getting to a point where“networked and embedded systems security” is appearing onthe agenda of major conferences with a distinct software pro-file (e.g. EMSOFT). Similarly, major textbooks on securityare no longer entirely focusing on host and network security.For example the latest revision of Security Engineering byRoss Anderson [5] has several chapters devoted to the ba-sic vulnerabilities of devices and systems used for banking,metering, and wireless mobile communication, signaling theincreasing importance of this area.

Several concepts have been introduced as the central ele-ment for the definition of a development process for highlydynamic and heterogeneous systems with embedded elements.The component-based approach [10, 11, 16] has proven tobe very appropriate for the type of scenarios relevant in em-bedded systems.

The main interest of component composition is to buildnew systems from their requirements by systematically com-posing reusable components. In general, this concept is notappropriate to represent security solutions because securitymechanisms can not always be represented as units that canbe connected to the rest of the system by means of well de-fined interfaces. This makes the research towards securityengineering equally challenging and important. Many se-curity mechanisms are not about “what” but about “how”.

In fact, software components are good abstractions of func-tional elements, but security is a non-functional aspect. Be-ing a system level concern it resembles safety or timelinessproperties that are cross-cutting concerns [8, 18]. Finally,the use of components in embedded scenarios introduces im-portant issues related to the fact that the systems are inher-ently distributed, heterogeneous and not under the controlof a single entity.

There is very little work concerning the full integrationof security and systems engineering from the earliest phasesof software development. Although several approaches havebeen proposed for some integration of security, there is cur-rently no comprehensive methodology to assist developersof security sensitive systems. Lack of support for securityengineering in approaches for software systems developmentis usually seen as a consequence of: (i) security requirementsbeing generally difficult to analyze and model, and (ii) devel-opers lacking expertise in secure software development. Allthis becomes a special concern when considering complex se-curity requirements such as those associated to applicationsin e-commerce, e-government and e-health scenarios.

Existing approaches are not comprehensive enough in thesense that they focus either on some special stage of de-velopment, e.g. on design or implementation, or on a spe-cific security aspect such as access control. Moreover, theytypically offer no guidance on how they can be integratedinto current component or model based system developmentmethods. Empirical studies confirm this view [13, 9]. Nec-essary are comprehensive and integrative approaches sup-porting the integration of security and systems engineering.Thus, work can build on results of the FP6 project SEREN-ITY [2] which provides strong results on security engineeringfor applications in Ambient Intelligence environments.

One of the most interesting approaches for introducing se-curity in development cycle is presented by Dimitrakos et al.[7]. Model Driven Security is a specialization of the MDAapproach that proposes a modular approach combining lan-guages for modelling system design with languages for mod-elling security. Dimitrakos et al. introduce an applicationfor constructing systems from process models by combininga UML-based process design language with a security mod-elling language for formalizing access control requirements.They are able to automatically generate security architec-tures for distributed applications from models in the com-bined language. There are more commercial tools like “TheArcStyler MDA-SecurityTM Cartridge” [14] that capturesthe skills of security experts and makes them available forpersons who need to deliver secure systems.

A further very active area of research is security engineer-ing based on patterns [15, 17]. The Open Group is preparinga book on the subject [3]. Research into investigating a tem-plate for security patterns that is tailored to meet the needsof secure system development has been recently reported byCheng et al. [6], where the UML notation is used to repre-sent structural and behavioral aspects of design, and formalconstraints to the patterns are used to enable verification.However, security patterns are often not precisely describedand therefore, automated tools for classification, selectionand composition are not yet available.

One basic standard for security engineering is the Sys-tems Security Engineering Capability Maturity Model (SSE-CMM) [4]. The model highlights the relationship betweensecurity engineering and systems engineering, regarding the

former as an integral part of the latter rather than as an endto itself.

This overview shows that, based on the variety of differentapproaches, several special security properties can be con-sidered separately more or less rigorously in the developmentprocess. In contrast to these approaches, it will be neces-sary to provide an integrated security engineering processwith tool support which allows rigorous treatment of secu-rity and reliability requirements and makes existing securitysolutions available for security engineering.

7. CONCLUSIONSThis paper describes the vision of security engineering for

embedded systems. Some parts of this vision will be re-alized by running research and development projects, butobviously there are many open issues and there is the needfor synchronisation and co-operation between the differentprojects and research directions. The goal of this paper isto encourage discussion and cooperations.

8. REFERENCES[1] http://www.secfutur.eu.

[2] http://www.serenity-project.eu.

[3] http://www.opengroup.org/security/gsp.htm.

[4] Systems security engineering capability maturitymodel (sse-cmm), model description document,version 3.0.http://www.sse-cmm.org/model/ssecmmv2final.pdf.

[5] R. Anderson. Security Engineering: A Guide toBuilding Dependable Distributed Systems. Wiley, 2008.

[6] B. H. Cheng, S. Konrad, L. A. Campbell, andR. Wassermann. Using security patterns to model andanalyze security requirements. Technical ReportMSU-CSE-03-18, Department of Computer Science,Michigan State University, 2003.

[7] T. Dimitrakos, D. Raptis, B. Ritchie, and K. Stolen.Model based security risk analysis for webapplications. In In Proc. Euroweb 2002, 2002.

[8] J. Elmqvist, S. Nadjm-Tehrani, and M. Minea. Safetyinterfaces for component-based systems. In Proceedingsof the 24th International Conference on ComputerSafety, Reliability and Security (SAFECOMP), 2005.

[9] J. Jurjens. Towards development of secure systemsusing umlsec. In Lecture Notes in Computer Science,volume 2029, 2001.

[10] D. Llewellyn-Jones, M. Merabti, Q. Shi, andB. Askwith. Utilising component composition forsecure ubiquitous computing. In Proceedings of 2ndUK-UbiNet Workshop, 2004.

[11] H. Mantel. On the composition of secure systems. InProc. of IEEE Symposium on Security and Privacy,2002.

[12] P. Marwedel. Embedded System Design.Springer-Verlag New York, Inc., Secaucus, NJ, USA,2006.

[13] A. Mana and G. Pujol. Towards formal specification ofabstract security properties. Technical report,University Malaga, 2008.

[14] I. Objects. ArcStyler Cartridge guide for ArcStylerVersion 3.x for MDA-security.http://www.interactive-objects.com/products/mda-extensions/mda-security-with-arcstyler.

[15] M. Schumacher and U. Roedig. Security engineeringwith patterns. In Pattern Languages of Programs2001, 2001.

[16] Q. Shi and N.Zhang. An effective model forcomposition of secure systems. Journalof-Systems-and-Software, 43(3), 1998.

[17] C. Steel, R. Nagappan, and R. Lai. Core Securitypatterns. Pearson Education Inc., 2006.

[18] A. Tesanovic, S. Nadjm-Tehrani, and J. Hansson.Component-Based Software Development forEmbedded Systems - An Overview on CurrentResearch Trends, chapter Modular Verification ofReconfigurable Components. Springer Verlag, 2005.

[19] F. Vahid and T. Givargis. Embedded System Design:A Unified Hardware/Software Introduction. J. Wileyand Sons, 2002.