Journal of Hardware and Systems Security

, Volume 3, Issue 4, pp 365–381 | Cite as

An In-depth Study of MPU-Based Isolation Techniques

  • Abderrahmane SensaouiEmail author
  • Oum-El-Kheir Aktouf
  • David Hely
  • Stephane Di Vito


Many attacks have been reported and published targeting constrained embedded systems. Attackers try to exploit vulnerabilities through all possible layers of abstraction. A single vulnerability can be enough to take over the whole device and change its intended behavior. Hardware/software isolation architectures implemented in embedded devices provide access control mechanisms to establish a protected execution environment and guarantee the behavior of the running applications. They enforce the boundaries to stop a malicious flaw from propagating from one application to others, especially those that are critical. They represent a form of resilience to different exploits. This paper provides a detailed study of existing memory protection unit-based isolation architectures for lightweight devices and defines four important criteria to evaluate and compare architectures from both academia and industry. Outcomes of this work will help developers and hardware designers to find balance between performance and security.


Memory protection Isolation Security software and hardware Performance evaluation Trusted computing Survey 



  1. 1.
    Kate Temkin MS (2018) Fusee Gelee exploitGoogle Scholar
  2. 2.
    (2018) Shofel2 exploitGoogle Scholar
  3. 3.
    de Clercq R, Verbauwhede I (2017) A survey of hardware-based control flow integrity (CFI). CoRR abs/1706.07257:Google Scholar
  4. 4.
    2017 I (2017) Intel control-flow enforcement technology previewGoogle Scholar
  5. 5.
    Qualcomm Technologies I (2017) Pointer authentication on ARMv8.3Google Scholar
  6. 6.
    Davi L, Hanreich M, Paul D, et al (2015) HAFIX: Hardware-Assisted Flow Integrity eXtension. 2015 52nd ACM/EDAC/IEEE Des Autom Conf 1–6Google Scholar
  7. 7.
    Karger PA, Schell RR (2002) Thirty years later: lessons from the multics security evaluation. ACSAC, InGoogle Scholar
  8. 8.
    ARM (2015) uVisor. GitHub ReposGoogle Scholar
  9. 9.
    Levy AA, Campbell B, Ghena B, et al (2017) Multiprogramming a 64kB computer safely and efficiently. In: SOSPGoogle Scholar
  10. 10.
    Brasser FF, Mahjoub B El, Sadeghi A-R, et al (2015) TyTAN: tiny trust anchor for tiny devices. 2015 52nd ACM/EDAC/IEEE Des Autom Conf 1–6Google Scholar
  11. 11.
    Noorman J, Agten P, Daniels W, et al (2013) Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: USENIX Security SymposiumGoogle Scholar
  12. 12.
    eChronos (2018) eChronosGoogle Scholar
  13. 13.
    Koeberl P, Schulz S, Sadeghi A-R, Varadharajan V (2014) TrustLite: a security architecture for tiny embedded devices. EuroSys, InCrossRefGoogle Scholar
  14. 14.
    Kumar R, Kohler E, Srivastava MB (2007) Harbor: software-based memory protection for sensor nodes. 2007 6th Int Symp Inf Process Sens Networks 340–349Google Scholar
  15. 15.
    NVD (2015) NVD. NISTGoogle Scholar
  16. 16.
    Shu R, Wang P, Gorski SA et al (2016) A study of security isolation techniques. ACM Comput Surv 49(50):1-50:37Google Scholar
  17. 17.
    Szekeres L, Payer M, Wei T, Song DX (2013) SoK: eternal war in memory. IEEE Symp Secur Priv 2013:48–62Google Scholar
  18. 18.
    Song Y (2017) On control flow hijacks of unsafe rustGoogle Scholar
  19. 19.
    Papp D, Ma Z, Buttyán L (2015) Embedded systems security: threats, vulnerabilities, and attack taxonomy. 2015 13th Annu Conf Privacy, Secur Trust 145–152Google Scholar
  20. 20.
    Larsen P, Homescu A, Brunthaler S, Franz M (2014) SoK: automated software diversity. IEEE Symp Secur Priv 2014:276–291Google Scholar
  21. 21.
    Tock (2015) TockOS. GitHub ReposGoogle Scholar
  22. 22.
    Clements AA, Almakhdhub NS, Bagchi S, Payer M (2018) ACES: automatic compartments for embedded systems. In: USENIX Security SymposiumGoogle Scholar
  23. 23.
    Levy AA, Campbell B, Ghena B et al (2017) The case for writing a kernel in rust. APSys, InCrossRefGoogle Scholar
  24. 24.
    Clements AA, Almakhdhub NS, Saab KS et al (2017) Protecting bare-metal embedded systems with privilege overlays. IEEE Symp Secur Priv 2017:289–303Google Scholar
  25. 25.
    LLVM (2015) Add support for embedded position-independent code (ROPI/RWPI). LLVMGoogle Scholar
  26. 26.
    Nilsson F, Adolfsson N (2017) A rust-based runtime for the internet of thingsGoogle Scholar
  27. 27.
    Hunt G, Letey G, Nightingale E (2017) The seven properties of highly secure devicesGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Abderrahmane Sensaoui
    • 1
    • 2
    Email author
  • Oum-El-Kheir Aktouf
    • 2
  • David Hely
    • 2
  • Stephane Di Vito
    • 1
  1. 1.Maxim IntegratedLa CiotatFrance
  2. 2.University of Grenoble Alpes, Grenoble INP, LCISGrenobleFrance

Personalised recommendations