research-article

A Modular End-to-End Framework for Secure Firmware Updates on Embedded Systems

Authors:

Charalambos Konstantinou,

Maria K. MichaelAuthors Info & Claims

ACM Journal on Emerging Technologies in Computing Systems (JETC), Volume 18, Issue 1

Article No.: 3, Pages 1 - 19

https://doi.org/10.1145/3460234

Published: 29 September 2021 Publication History

Abstract

Firmware refers to device read-only resident code which includes microcode and macro-instruction-level routines. For Internet-of-Things (IoT) devices without an operating system, firmware includes all the necessary instructions on how such embedded systems operate and communicate. Thus, firmware updates are essential parts of device functionality. They provide the ability to patch vulnerabilities, address operational issues, and improve device reliability and performance during the lifetime of the system. This process, however, is often exploited by attackers in order to inject malicious firmware code into the embedded device. In this article, we present a framework for secure firmware updates on embedded systems. This approach is based on hardware primitives and cryptographic modules, and it can be deployed in environments where communication channels might be insecure. The implementation of the framework is flexible, as it can be adapted in regards to the IoT device’s available hardware resources and constraints. Our security analysis shows that our framework is resilient to a variety of attack vectors. The experimental setup demonstrates the feasibility of the approach. By implementing a variety of test cases on FPGA, we demonstrate the adaptability and performance of the framework. Experiments indicate that the update procedure for a 1183-kB firmware image could be achieved, in a secure manner, under 1.73 seconds.

References

[1]

Haji Akhundov, Erik Sluis, Said Hamdioui, and M. Taouil. 2019. Public-key based authentication architecture for IoT devices using PUF. In CSEIT. 353–371.

[2]

Zigbee Alliance. 2019. Zigbee Cluster Library. https://zigbeealliance.org/developer_resources/zigbee-cluster-library/.

[3]

Aydin Aysu, Ege Gulcan, Daisuke Moriyama, Patrick Schaumont, and Moti Yung. 2015. End-to-end design of a PUF-based privacy preserving authentication protocol. In International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 556–576.

[4]

Zachry Basnight, Jonathan Butts, Juan Lopez Jr., and Thomas Dube. 2013. Firmware modification attacks on programmable logic controllers. International Journal of Critical Infrastructure Protection 6, 2 (2013), 76–84.

[5]

An Braeken. 2018. PUF-based authentication protocol for IoT. Symmetry 10, 8 (2018), 352.

[6]

Urbi Chatterjee, Vidya Govindan, Rajat Sadhukhan, Debdeep Mukhopadhyay, Rajat Subhra Chakraborty, Debashis Mahata, and Mukesh M. Prabhu. 2018. Building PUF-based authentication and key exchange protocol for IoT without explicit CRPs in verifier database. IEEE Transactions on Dependable and Secure Computing 16, 3 (2018), 424–437.

[7]

Wenjie Che, Mitchell Martin, Goutham Pocklassery, Venkata K. Kajuluri, Fareena Saqib, and Jim Plusquellic. 2017. A privacy-preserving, mutual PUF-based authentication protocol. Cryptography 1, 1 (2017), 3.

[8]

Brice Colombier, Lilian Bossuet, Viktor Fischer, and David Hély. 2017. Key reconciliation protocols for error correction of silicon PUF responses. IEEE Transactions on Information Forensics and Security 12, 8 (2017), 1988–2002.

Digital Library

[9]

Common Vulnerabilities and Exposures (CVE®) List, The MITRE Corporation. 2017. CVE-2017-5698. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5698.

[10]

Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti. 2014. A large-scale analysis of the security of embedded firmwares. In 23rd USENIX Security Symposium (USENIX Security 14). 95–110.

Digital Library

[11]

Ang Cui, Michael Costello, and Salvatore Stolfo. 2013. When firmware modifications attack: A case study of embedded exploitation. Columbia, Academic Commons (2013).

[12]

Quang Do, Ben Martini, and Kim-Kwang Raymond Choo. 2019. The role of the adversary model in applied security research. Computers & Security 81 (2019), 156–181.

[13]

Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam Smith. 2008. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing 38, 1 (2008), 97–139.

Digital Library

[14]

D. Dolev and A. Yao. 1983. On the security of public key protocols. IEEE Transactions on Information Theory 29, 2 (1983), 198–208. https://doi.org/10.1109/TIT.1983.1056650.

Digital Library

[15]

Collin Eaton. 2017. Hacked: Energy industry’s controls provide an alluring target for cyberattacks. http://www.houstonchronicle.com/.

[16]

Solon Falas, Charalambos Konstantinou, and Maria K. Michael. 2019. A hardware-based framework for secure firmware updates on embedded systems. In 2019 IFIP/IEEE 27th International Conference on Very Large Scale Integration (VLSI-SoC). IEEE, 198–203.

[17]

Solon Falas, Charalambos Konstantinou, and Maria K. Michael. 2019. Hardware-enabled secure firmware updates in embedded systems. In IFIP/IEEE International Conference on Very Large Scale Integration-System on a Chip. Springer, 165–185.

[18]

Shital Joshi, Saraju P. Mohanty, and Elias Kougianos. 2017. Everything you wanted to know about PUFs. IEEE Potentials 36, 6 (2017), 38–46.

[19]

Ramesh Karri, Ozgur Sinanoglu, and Jeyavijayan Rajendran. 2017. Physical unclonable functions and intellectual property protection techniques. In Fundamentals of IP and SoC Security. Springer, 199–222.

[20]

Rafiullah Khan, Kieran McLaughlin, David Laverty, and Sakir Sezer. 2017. STRIDE-based threat modeling for cyber-physical systems. In 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe). IEEE, 1–6.

[21]

Loren Kohnfelder and Praerit Garg. 1999. The threats to our products. Microsoft Interface, Microsoft Corporation 33 (1999).

[22]

Charalambos Konstantinou, Anastasis Keliris, and Michail Maniatakos. 2016. Taxonomy of firmware Trojans in smart grid devices. In Power and Energy Society General Meeting (PESGM), 2016. IEEE, 1–5.

[23]

Charalambos Konstantinou and Michail Maniatakos. 2015. Impact of firmware modification attacks on power systems field devices. In 2015 IEEE International Conference on Smart Grid Communications. IEEE, 283–288.

[24]

Farinaz Koushanfar, Petros Boufounos, and Davood Shamsi. 2008. Post-silicon timing characterization by compressed sensing. In 2008 IEEE/ACM International Conference on Computer-Aided Design. IEEE Press, 185–189.

Digital Library

[25]

Cyber Independent Testing Lab. 2019. Binary Hardening in IoT products. https://cyber-itl.org/2019/08/26/iot-data-writeup.html.

[26]

Andrijan Mocker. 2019. Tuya: Revised update process hacked again. https://www.heise.de/.

[27]

Brendan Moran, Milosch Meriac, Hannes Tschofenig, and David Brown. 2019. A firmware update architecture for Internet of Things devices. Internet-Draft draft-Moran-suit-architecture-02, IETF (2019).

[28]

Thomas Popp. 2009. An introduction to implementation attacks and countermeasures. In 2009 7th IEEE/ACM International Conference on Formal Methods and Models for Co-Design. IEEE, 108–115.

Digital Library

[29]

Miodrag Potkonjak and Vishwa Goudar. 2014. Public physical unclonable functions. Proc. IEEE 102, 8 (2014), 1142–1156.

[30]

Miodrag Potkonjak, Saro Meguerdichian, Ani Nahapetian, and Sheng Wei. 2011. Differential public physically unclonable functions: Architecture and applications. In 48th Design Automation Conference. 242–247.

Digital Library

[31]

Tara Seals. 2019. Mirai Botnet Sees Big 2019 Growth, Shifts Focus to Enterprises. https://threatpost.com/.

[32]

Saleh Soltan, Prateek Mittal, and H. Vincent Poor. 2018. BlackIoT: IoT Botnet of high wattage devices can disrupt the power grid. In 27th USENIX Security Symposium (USENIX Security 18). 15–32.

Digital Library

[33]

Parker Thompson and Sarah Zatko. 2018. Build safety of software in 28 popular home routers. Cyber-ITL (Dec 2018).

[34]

John Ross Wallrabenstein. 2016. Practical and secure IoT device authentication using physical unclonable functions. In 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud). IEEE, 99–106.

[35]

V. P. Yanambaka, S. P. Mohanty, E. Kougianos, and D. Puthal. 2019. PMsec: Physical unclonable function-based robust and lightweight authentication in the Internet of Medical Things. IEEE Transactions on Consumer Electronics 65, 3 (2019), 388–397.

Digital Library

Cited By

Alavi SPourvali Moghadam HJahangir A(2025)Beyond botnets: Autonomous Firmware Zombie Attack in industrial control systemsInternational Journal of Critical Infrastructure Protection10.1016/j.ijcip.2024.10072948(100729)Online publication date: Mar-2025
https://doi.org/10.1016/j.ijcip.2024.100729
Mollah MAzad MZhang Y(2024)Secure Targeted Message Dissemination in IoT Using Blockchain Enabled Edge ComputingIEEE Transactions on Consumer Electronics10.1109/TCE.2024.343682570:3(5389-5400)Online publication date: Aug-2024
https://doi.org/10.1109/TCE.2024.3436825
Liu PCao YYan YWang Y(2024)Firmware Vulnerability Detection Algorithm Based on Matching Pattern-Specific Numerical Features With Structural FeaturesIEEE Access10.1109/ACCESS.2024.337853312(42317-42328)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3378533
Show More Cited By

Index Terms

A Modular End-to-End Framework for Secure Firmware Updates on Embedded Systems
1. Security and privacy
  1. Security in hardware
    1. Hardware security implementation
      1. Hardware-based security protocols

Recommendations

Reliable firmware updates for the information-centric internet of things
ICN '21: Proceedings of the 8th ACM Conference on Information-Centric Networking

Security in the Internet of Things (IoT) requires ways to regularly update firmware in the field. These demands ever increase with new, agile concepts such as security as code and should be considered a regular operation. Hosting massive firmware roll-...
SP 800-147. BIOS Protection Guidelines
Towards a green and secure architecture for reconfigurable IoT end-devices
ICCPS '18: Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems

With the advent of the Internet of Things (IoT), objects are becoming smaller, smarter and increasingly connected. IoT devices are being deployed in massive numbers, and the success of this new Internet era is heavily dependent upon the trust and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Journal on Emerging Technologies in Computing Systems

ACM Journal on Emerging Technologies in Computing Systems Volume 18, Issue 1

January 2022

497 pages

ISSN:1550-4832

EISSN:1550-4840

DOI:10.1145/3483339

Editor:
Ramesh Karri
Polytechnic Institute of New York University, USA

Issue’s Table of Contents

Copyright © 2021 Association for Computing Machinery.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Journal Family

ACM Journals for the Design of Smart and Connected Systems

Publication History

Published: 29 September 2021

Accepted: 01 April 2021

Revised: 01 February 2021

Received: 01 October 2020

Published in JETC Volume 18, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Refereed

Funding Sources

EU Horizon 2020 research and innovation programme
Government of the Republic of Cyprus through the Directorate General for European Programmes, Coordination and Development

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
316
Total Downloads

Downloads (Last 12 months)94
Downloads (Last 6 weeks)8

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Alavi SPourvali Moghadam HJahangir A(2025)Beyond botnets: Autonomous Firmware Zombie Attack in industrial control systemsInternational Journal of Critical Infrastructure Protection10.1016/j.ijcip.2024.10072948(100729)Online publication date: Mar-2025
https://doi.org/10.1016/j.ijcip.2024.100729
Mollah MAzad MZhang Y(2024)Secure Targeted Message Dissemination in IoT Using Blockchain Enabled Edge ComputingIEEE Transactions on Consumer Electronics10.1109/TCE.2024.343682570:3(5389-5400)Online publication date: Aug-2024
https://doi.org/10.1109/TCE.2024.3436825
Liu PCao YYan YWang Y(2024)Firmware Vulnerability Detection Algorithm Based on Matching Pattern-Specific Numerical Features With Structural FeaturesIEEE Access10.1109/ACCESS.2024.337853312(42317-42328)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3378533
Hayden BSweeney MHale B(2022)Securing Software Updates under Receiver Radio Frequency Geolocation RiskMILCOM 2022 - 2022 IEEE Military Communications Conference (MILCOM)10.1109/MILCOM55135.2022.10017775(643-648)Online publication date: 28-Nov-2022
https://doi.org/10.1109/MILCOM55135.2022.10017775
Kuruvila AZografopoulos IBasu KKonstantinou C(2021)Hardware-assisted detection of firmware attacks in inverter-based cyberphysical microgridsInternational Journal of Electrical Power & Energy Systems10.1016/j.ijepes.2021.107150132(107150)Online publication date: Nov-2021
https://doi.org/10.1016/j.ijepes.2021.107150

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents