On the Security of Safety-Critical Embedded Systems: Who Watches the Watchers? Who Reprograms the Watchers?

Author
Abstract

The increased level of connectivity makes security an essential aspect of ensuring that safety-critical embedded systems deliver the level of safety for which they were designed. However, embedded systems designers face unique technological and economic challenges when incorporating security into their products. In this paper, we focus on two of these challenges unique to embedded systems, and propose novel approaches to address them. We first deal with the difficulties in successfully implementing runtime monitoring to ensure correctness in the presence of security threats. We highlight the necessity of implementing runtime monitors as physically isolated subsystems, preferably with no (direct) connectivity, and we propose the use of program tracing through power consumption to this end. A second critical aspect is that of remote firmware upgrades: this is an essential mechanism to ensure the continuing security of a system, yet the mechanism itself can introduce severe security vulnerabilities. We propose a novel approach to ensure secure remote upgrades and sketch the details of an eventual implementation. It is our goal and hope that the computer security and embedded systems communities will discuss and evaluate the ideas that we present in this paper, to assess their effectiveness and applicability in practice.

Year of Publication
2017
Conference Name
International Conference on Information Systems Security and Privacy (ICISSP)
Conference Location
Porto, Portugal