



TUESDAY, SEPTEMBER 23, 2025

## ON THE ENFORCEMENT OF ATTESTABLE AVAILABILITY GUARANTEES FOR ARM-BASED INDUSTRIAL MULTI-TENANT REAL-TIME SYSTEMS

**Edouard Michelin** 

Master's thesis

ENGINEERED TO OUTRUN

#### **Outline**

- 1. Context
- 2. Background
- 3. Goals
- 4. Threat Model
- 5. Design
- 6. Implementation
- 7. Evaluation
- 8. Conclusion



# Industrial Control Systems





## Industrial Control Systems

#### **Industry 4.0**

Digitalization of OT

- → OT & IT convergence
- Automated control and protection
- Remote supervision and control



#### Industrial Control Systems

#### **Industry 4.0**

Digitalization of OT

- → OT & IT convergence
- Automated control and protection
- Remote supervision and control

#### **But:**

- Increased attack surface
- Different requirements and objectives → security gaps



## Industrial Control Systems

#### **Control and Protection Systems**

Control loop

1. Sensing
2. Computing
3. Actuating

Sensor

Every iteration must complete

Protection
system

Actuator

Plant



# Industrial Control Systems





# Industrial Control Systems





## Industrial Control Systems

#### **Current Limitations**

- Closed systems, one solution per device 🔀
- Lack of portability across systems 🗙





## Industrial Control Systems

#### **Current Limitations**

- Closed systems, one solution per device 🔀
- Lack of portability across systems X
- → Provider-centric approach
- → All these solutions are costly
- → Lack of customization
- → Hard to maintain over time
- → Custom hardware explosion





#### **Goals**



## Hard Real-Time Systems

- Tasks have:
  - Period
  - Deadline (= end of period)
  - Execution time
  - Priority
  - Resource requirements (CPU, devices)
- They compete for CPU
- May compete for devices
  - → resource contention
  - → scheduling problems
  - → protocols exist!





Trusted Computing on Arm





Trusted Computing on Arm





Trusted Computing on Arm





# Trusted Computing on Arm





# Trusted Computing on Arm



#### **TrustZone TEE**



## Trusted Computing on Arm

#### **TrustZone TEE**

- Secure world isolated from Non-Secure world
- Partitioning of memory and peripherals
- Communication between worlds via SMC





#### Remote Attestation

#### **Procedure overview**





#### Remote Attestation

#### **Root-of-Trust and Chain-of-Trust**

- Attested device needs a trust anchor (DICE RoT)
- Need to extend trust to the attesting environment (AE)
- A trusted layer receives a valid secret (CDI)
- The AE needs a valid CDI to produce valid evidences
- \* UDS = Unique Device Secret
- \* CDI = Compound Device Identifier
- \* TCI = TCB Component Identifier





#### Remote Attestation





#### Remote Attestation





#### Remote Attestation





#### **Threat Model**

#### From the perspective of TA2





EL0

EL1 SecondStage BootLoader(SSBL/BL2) EL3 DICE

Device A



Device B





























# The Availability Monitor

#### **The Secure Scheduler**

Responsibility: ensure availability of CPU resources





## The Availability Monitor

#### The Secure Scheduler

Responsibility: ensure availability of CPU resources

#### **Share CPU resources:**

- Between critical tasks
- Between S and NS workload, via the World Scheduler

Timer to return control to TCB

Works together with Device Agents





# The Availability Monitor

#### The Device Agents

Responsibility: ensure availability of devices





## The Availability Monitor

#### The Device Agents

Responsibility: ensure availability of devices

#### Spatial isolation:

- Isolate their peripheral at boot time (MMIO, interrupts)
- Ensure device integrity and state confidentiality (monitor every access)





# The Availability Monitor

#### The Device Agents

Responsibility: ensure availability of devices

#### Spatial isolation:

- Isolate their peripheral at boot time (MMIO, interrupts)
- Ensure device integrity and state confidentiality (monitor every access)

#### Temporal isolation:

Ensure bounded access to their resource





# The Availability Monitor

#### **The Device Agents**

Responsibility: ensure availability of devices

#### Spatial isolation:

- Isolate their peripheral at boot time (MMIO, interrupts)
- Ensure device integrity and state confidentiality (monitor every access)

#### Temporal isolation:

Ensure bounded access to their resource

Prevents data leakage and corrupted configuration when switching owner





# The Availability Monitor

#### **The Device Agents**

Responsibility: ensure availability of devices

Sharing between worlds:

 Devices used by secure tasks are mapped to S, otherwise mapped to NS





The Real-Time Tasks

#### The Tasks

AM ensures availability of resources, but we also provide tasks with:

- Confidentiality of code and data at rest and in use (Confidentiality)
- Launch and runtime integrity (Integrity)
- Guaranteed loading (Availability)



#### The Real-Time Tasks

#### The Policies

- Defined and provided by user (separation of powers)
- Collectively define scheduling policy of the system
  - → potential attack vector!!





## The Real-Time Tasks

#### **The Policies**

- Authenticated policies
  - Integrity
  - Authorization
- Replay protection
- Rollback detection
- Denied forwarding mitigation





### The Attestation Engine

#### Responsibility:

- verify AM enforces policies, and
- verify policies allow tasks to run expectedly
- verify correct policy and task are running
- → Real-Time Proof-of-eXecution [1] (RT-PoX)
- → Attestation of availability





## The Attestation Engine

#### **Attestation Process**

- 1. Remote verifier sends challenge and task ID
- 2. Request forwarded by NS server
- 3. Attestation bridge in S forwards to the AE





## The Attestation Engine

#### **Attestation Process**

- 1. Remote verifier sends challenge and task ID
- 2. Request forwarded by NS server
- 3. Attestation bridge in S forwards to the AE
- 4. AE collects claims:
  - o (1) reads AM memory to produce fingerprint of task

#### **FINGERPRINT**

- UUID
- properties (p, e, c, R)
- # missed deadlines
- current state's validity
- is allocated a valid thread?
- has recently run?





### The Attestation Engine

#### **Attestation Process**

- 1. Remote verifier sends challenge and task ID
- 2. Request forwarded by NS server
- 3. Attestation bridge in S forwards to the AE
- 4. AE collects claims:
  - o (1) reads AM memory to produce fingerprint of task
  - o (2) measures read-only sections in task's address space





### The Attestation Engine

#### **Attestation Process**

- 1. Remote verifier sends challenge and task ID
- 2. Request forwarded by NS server
- 3. Attestation bridge in S forwards to the AE
- 4. AE collects claims:
  - o (1) reads AM memory to produce fingerprint of task
  - o (2) measures read-only sections in task's address space
- 5. AE signs (claims, challenge), and produces evidence
- AE sends the evidence to the remote verifier





# **Implementation**

# Setup

- Functional prototype on **TI TMDS64** evaluation kit
- DICE base layer in **U-Boot SPL 2025.01** (SSBL/BL2)
- Google's OpenDICE for reference DICE implementation
- **Arm Trusted Firmware-A v2.12.0** for EL3 Secure Monitor
- OPTEE-OS v4.5 for S-EL1 kernel
- Linux v6.12.17 with PREEMPT\_RT for NS-EL1 kernel





# **Implementation**

# Setup

- Functional prototype on **TI TMDS64** evaluation kit
- DICE base layer in **U-Boot SPL 2025.01** (SSBL/BL2)
- **Google's OpenDICE** for reference DICE implementation
- Arm Trusted Firmware-A v2.12.0 for EL3 Secure Monitor
- OPTEE-OS v4.5 for S-EL1 kernel
- Linux v6.12.17 with PREEMPT\_RT for NS-EL1 kernel





## **Implementation**

#### Some Features

#### **Critical RT Tasks**

- Critical RT tasks implemented as OP-TEE TAS
- TA flag to protect main entry point
- System call to signal job completion



# Performance, Security, Use cases

#### Evaluation on TI TMDS64 evaluation kit

- DICE base layer in **U-Boot SPL 2025.01** (SSBL/BL2)
- Google's OpenDICE for reference DICE implementation
- Arm Trusted Firmware-A v2.12.0 for EL3 Secure Monitor
- **OPTEE-OS v4.5** for S-EL1 kernel
- Linux v6.12.17 with PREEMPT\_RT for NS-EL1 kernel
- 2x application cores (Cortex A53) running at 1.0GHz
- Ethernet ports for network connectivity





### Performance

#### Secure Scheduler breakdown

| Operation Time (μs)                 |     |
|-------------------------------------|-----|
| Task mgt <i>from idle/sleep</i>     | 0.3 |
| Task mgt <i>from preempted task</i> | 3.9 |
| Get next task                       | 0.2 |
| Schedule task                       | 0.4 |



200 samples collected



#### Performance

#### Secure Scheduler Latency (custom cyclictest)







1,000,000 samples each time

Stressor simulates DoS

Scheduling latency acceptable in all cases (below 60µs)



### Performance

### Non-Secure scheduler latency (NS and S tasks competing)



Critical task  $T = (500, 100, C_0, {} {})$ 8,999,999 and 7,199,984 samples collected



### Performance

### Real-Time tasks lifecycle breakdown

Only once,
When first loaded

| Operation          | Description                                               | Time (μs) |
|--------------------|-----------------------------------------------------------|-----------|
| Allocation         | Retrieve the task binary from memory and load it          | 15115     |
| First entry → exit | First entry is done via a specialized TEE_InvokeCommand() | 50        |
| Re-entries → exit  | Subsequent re-entries are done by restoring context       | 4         |

10 samples collected



### Performance

### Analysis of max. frequency for real-time tasks



~110kHz ~= 9µs



### Performance

Performance of the attestation for different tasks size and algorithms



# Security

#### Number of added lines of code in the TCB

| Description               | LoC  |
|---------------------------|------|
| U-Boot SPL                | 773  |
| DICE Engine               | 572  |
| DICE Integration          | 124  |
| Firewall Driver           | 77   |
| Trusted Firmware-A        | 614  |
| World Scheduler           | 470  |
| DICE Service              | 123  |
| OP-TEE SPD                | 21   |
| OP-TEE                    | 2069 |
| Scheduler                 | 953  |
| Device Agents             | 322  |
| Secure Drivers            | 117  |
| <b>Attestation Engine</b> | 325  |
| Memory Management         | 5    |
| Thread Management         | 155  |
| TA Management             | 24   |
| OP-TEE Entry              | 130  |
| Crypto Library            | 38   |

Discarded when entering TFA (BL2 → BL3)



# Security

#### Mitigation of real-world attacks by technique (from MITRE ATT&CK Matrix for ICS)

- Hardcoded credentials leakage
- Illegal program modifications
- Denial of Service (DoS)
- Loss of protection (protection functions illegally disabled)
- Rootkit
- Alter device configuration (e.g., via IO Image)



### **Use Cases**

### Sample industrial setup





### **Use Cases**

#### Remote verifier has:

- AE's public key
- Golden measurements

#### End-to-end remote attestation





#### **Conclusion**

## Summary of contributions

Novelty: ensured and verifiable availability (on open, multiprocessor, off-the-shelf system).

- Availability Monitor (World & Secure schedulers, Device Agents, split-driver design)
- Attestation Engine (availability and integrity measurements)
- Secure provisioning of policies by user
- Confidentiality and integrity of IP
- Prototype implementation
- Evaluation of the architecture (Performance, Security, Use cases)

#### Not shown here

- Survey of (~20) fitting development boards
- Guide to building critical tasks for our scheduler
- Comprehensive background
- Analysis of related works



### Demo

## DICE and scheduling of worlds





