Secure Code Updates for Mesh Networked Commodity Low-End Embedded Devices

  • Florian KohnhäuserEmail author
  • Stefan Katzenbeisser
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9879)


Mesh networked low-end embedded devices are increasingly used in various scenarios, including industrial control, wireless sensing, robot swarm communication, or building automation. Recently, more and more software vulnerabilities in embedded systems are disclosed, as they become appealing targets for cyber attacks. In order to patch these systems, an efficient and secure code update mechanism is required. However, existing solutions are unable to provide verifiable code updates for networked commodity low-end embedded devices. This work presents a novel code update scheme which verifies and enforces the correct installation of code updates on all devices in the network. After update distribution and installation, devices mutually attest and verify each others’ software state. Devices being in an untrustworthy state are excluded from the network. In this way, the scheme enforces software integrity as well as software up-to-dateness on all devices in the network. Issuing a secure code update, the network operator is able to learn the identity of all trustworthy and all untrustworthy devices. We demonstrate that the proposed scheme is applicable to a wide range of existing commodity low-end embedded systems. Furthermore, we show that the scheme is practically usable in networks with tens of thousands of devices.



This work has been co-funded by the LOEWE initiative (Hesse, Germany) within the NICER project and the DFG as part of project P3 within CROSSING.


  1. 1.
    Secure Code Updates for Mesh Networked Commodity Low-End Embedded Devices –Full Version.
  2. 2.
    Armknecht, F., Sadeghi, A.R., Schulz, S., Wachsmann, C.: A security framework for the analysis and design of software attestation. In: ACM SIGSAC Conference on Computer & Communications Security (CCS) (2013)Google Scholar
  3. 3.
    Asokan, N., Brasser, F., Ibrahim, A., Sadeghi, A.R., Schunter, M., Tsudik, G., Wachsmann, C.: SEDA: scalable embedded device attestation. In: ACM SIGSAC Conference on Computer & Communications Security (CCS) (2015)Google Scholar
  4. 4.
    Atmel: Atmel ATmega640/V-1280/V-1281/V-2560/V-2561/V Datasheet (2014)Google Scholar
  5. 5.
    Beer, D.: Curve25519 and Ed25519 for low-memory systems (2014).
  6. 6.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Crypt. Eng. 2, 77–89 (2012)CrossRefzbMATHGoogle Scholar
  8. 8.
    Brasser, F., El Mahjoub, B., Sadeghi, A.R., Wachsmann, C., Koeberl, P.: TyTAN: tiny trust anchor for tiny devices. In: Design Automation Conference (DAC) (2015)Google Scholar
  9. 9.
    Butterworth, J., Kallenberg, C., Kovah, X., Herzog, A.: Bios chronomancy: fixing the core root of trust for measurement. In: ACM SIGSAC Conference on Computer & Communications Security (CCS) (2013)Google Scholar
  10. 10.
    Costin, A., Zaddach, J., Francillon, A., Balzarotti, D., Antipolis, S.: A large-scale analysis of the security of embedded firmwares. In: USENIX Security (2014)Google Scholar
  11. 11.
    De Clercq, R., Uhsadel, L., Van Herrewege, A., Verbauwhede, I.: Ultra low-power implementation of ECC on the ARM Cortex-M0+. In: Design Automation Conference (DAC) (2014)Google Scholar
  12. 12.
    Dong, W., Chen, C., Bu, J., Liu, W.: Optimizing relocatable code for efficient software update in networked embedded systems. ACM Trans. Sens. Netw. (TOSN) 11(2), 22–34 (2014)Google Scholar
  13. 13.
    Eldefrawy, K., Tsudik, G., Francillon, A., Perito, D.: SMART: secure and minimal architecture for (establishing dynamic) root of trust. In: NDSS (2012)Google Scholar
  14. 14.
    Francillon, A., Nguyen, Q., Rasmussen, K.B., Tsudik, G.: Systematic treatment of remote attestation. In: IACR Cryptology ePrint Archive (2012)Google Scholar
  15. 15.
    Freesale Semiconductor: Using the Kinetis Flash ExecuteOnly Access Control Feature - 6.3 Entry into execute-only code on the ARM Cortex-M4 core (2015)Google Scholar
  16. 16.
    Hagedorn, A., Starobinski, D., Trachtenberg, A.: Rateless deluge: over-the-air programming of wireless sensor networks using random linear codes. In: IEEE International Conference on Information Processing in Sensor Networks (2008)Google Scholar
  17. 17.
    Hanna, S., Rolles, R., Molina-Markham, A., Poosankam, P., Fu, K., Song, D.: Take two software updates and see me in the morning: the case for software security evaluations of medical devices. In: Proceedings of the 2nd USENIX Workshop on Health Security and Privacy (HealthSec) (2011)Google Scholar
  18. 18.
    He, D., Chen, C., Chan, S., Bu, J.: SDRP: a secure and distributed reprogramming protocol for wireless sensor networks. IEEE Ind. Electron. 59, 4155–4163 (2012)CrossRefGoogle Scholar
  19. 19.
    Karame, G.O., Li, W.: Secure erasure and code update in legacy sensors. In: Conti, M., Schunter, M., Askoxylakis, I. (eds.) TRUST 2015. LNCS, vol. 9229, pp. 283–299. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  20. 20.
    Katzenbeisser, S., Kocabaş, Ü., Rožić, V., Sadeghi, A.-R., Verbauwhede, I., Wachsmann, C.: PUFs: myth, fact or busted? a security evaluation of physically unclonable functions (PUFs) cast in silicon. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 283–301. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  21. 21.
    Koeberl, P., Schulz, S., Sadeghi, A.R., Varadharajan, V.: TrustLite: a security architecture for tiny embedded devices. In: ACM European Conference on Computer Systems (2014)Google Scholar
  22. 22.
    Kovah, X., Kallenberg, C., Weathers, C., Herzog, A., Albin, M., Butterworth, J.: New results for timing-based attestation. In: IEEE Security and Privacy (S&P) (2012)Google Scholar
  23. 23.
    Kulkarni, S., Wang, L.: Energy-efficient multihop reprogramming for sensor networks. ACM Trans. Sens. Netw. (TOSN) 5, 16 (2009)Google Scholar
  24. 24.
    Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28, 119–134 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Law, Y.W., Zhang, Y., Jin, J., Palaniswami, M., Havinga, P.: Secure rateless deluge: pollution-resistant reprogramming and data dissemination for wireless sensor networks. EURASIP J. Wirel. Commun. Network. 2011, 5–22 (2011)Google Scholar
  26. 26.
    Li, Y., McCune, J.M., Perrig, A.: VIPER: verifying the integrity of PERipherals’ firmware. In: ACM SIGSAC Conference on Computer & Communications Security (CCS) (2011)Google Scholar
  27. 27.
    Mackay, K.: Micro-ECC.
  28. 28.
    Noorman, J., Agten, P., Daniels, W., Strackx, R., Van Herrewege, A., Huygens, C., Preneel, B., Verbauwhede, I., Piessens, F.: Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: USENIX Security (2013)Google Scholar
  29. 29.
    Park, H., Seo, D., Lee, H., Perrig, A.: SMATT: smart meter ATTestation using multiple target selection and copy-proof memory. Computer Science and its Applications, vol. 203, pp. 875–887. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  30. 30.
    Perito, D., Tsudik, G.: Secure code update for embedded devices via proofs of secure erasure. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 643–662. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  31. 31.
    Rios, B.: Owning a Building: Exploiting Access Control and Facility Management Systems. Black Hat ASIA (2014)Google Scholar
  32. 32.
    Rossi, M., Bui, N., Zanca, G., Stabellini, L., Crepaldi, R., Zorzi, M.: SYNAPSE++: code dissemination in wireless sensor networks using fountain codes. IEEE Trans. Mob. Comput. 9, 1749–1765 (2010)CrossRefGoogle Scholar
  33. 33.
    Schrijen, G.J., van der Leest, V.: Comparative analysis of SRAM memories used as PUF primitives. In: Conference on Design, Automation & Test in Europe (DATE) (2012)Google Scholar
  34. 34.
    Seshadri, A., Luk, M., Perrig, A.: SAKE: software attestation for key establishment in sensor networks. Distributed computing in sensor systems. LNCS, vol. 5067, pp. 372–385. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  35. 35.
    Seshadri, A., Luk, M., Perrig, A., van Doorn, L., Khosla, P.: SCUBA: secure code update by attestation in sensor networks. In: Proceedings of the 5th ACM workshop on Wireless security, ACM (2006)Google Scholar
  36. 36.
    Texas Instruments: Stellaris LM4F120H5QR Microcontroller Data Sheet (2013)Google Scholar
  37. 37.
    Texas Instruments: Software IP Protection on MSP432P4xx Microcontrollers -10.1 Interrupt Handling in IP Protected Secure Zone (2015)Google Scholar
  38. 38.
    Ugus, O., Westhoff, D., Bohli, J.M.: A ROM-friendly secure code update mechanism for WSNs using a stateful-verifier \(\tau \)-time signature scheme. In: Proceedings of the Second ACM Conference on Wireless Network Security, ACM (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Security Engineering GroupTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations