Evolution of Embedded Platform Security Architecture & XANDAR Project
The realisation and prototyping of networked embedded technologies and safety-critical systems require a computing hardware usually available in the form of an embedded platform. From the functional-safety and cybersecurity perspective, the attack surface and security perimeter of such embedded platforms heavily rely on the underlying defence mechanisms supported by the platform. Therefore, it is essential to review and better understand the evolution of embedded security platform architectures.
The evolution of embedded security platform architecture has been guided by technological advancements and a cause and effect of developing domain-specific system design challenges , , , . These requirements include realisation of mix-critical applications, broader connectivity, a need for safety and security leading to wider adoption and availability of embedded multiprocessing platforms , , . Though where these computing platform advancements brought benefits, they have exposed platforms to wide-range safety and security challenges due to increased connectivity, system attack surface and processor micro-architecture vulnerabilities , , , , , .
Figure 1: Evolution of Embedded Platform Security Architecture
The Early Systems were highly constraint in terms of resources, area, memory, performance, power and designed to solve domain-specific problems. Since these early systems had no connectivity, their security requirements were limited to the physical security. However, physically they found vulnerable to unauthorised access and modification to the system. Common example of such platforms is embedded system using a simple 8/16-bit single-core processor with no connectivity.
To address this challenge and unleash their true potential, broader network connectivity had been introduced to the embedded platforms that enabled opportunities for pervasive computing as illustrated in Figure 1. It allowed automation and optimisation of industrial control processes by communicating with other systems using a dedicated/internal private network . Though safe business operations require protection of secret data, thus a Software-based Security approach was introduced that executes symmetric cryptography libraries (AES, DES) as illustrated in Figure 1 to protect data .
Dedicated Cryptographic Engine
With technological advancements, the application requirements started to become complex, computationally expensive and require execution of asymmetric cryptography algorithms for secret key exchange that posed serious performance issues. To circumvent this problem, the computationally intensive cryptography services were offloaded from a host processor to a Dedicated Cryptographic Engine as illustrated in Figure 1.
The realisation of mix-critical automotive and industrial control applications requires multiprocessing. Since the cost of silicon was still expensive and embedded architectures were area and memory constrained, the security architects had introduced Virtualisation-based Security approach. This allows to isolate and segregate computing resources , , . Using virtualisation, a physical processor and platform resources are logically divided into multiple domains as shown in Figure 1. Examples include Arm TrustZone, Intel SGX, Hex-Five MultiZone Security etc.
Hardware-based Trusted Computing
Active involvement of third-party vendors during manufacturing and supply-chain processes had exposed businesses to device identity challenges, leading to wide-range of intellectual property theft, device cloning and counterfeit attacks etc. that severely damages the businesses both financially and morally. To approach this challenge, a Hardware-based Trusted Computing approach was introduced ,  as illustrated in Figure 1. For this purpose, a hardware root-of-trust components that serve an immutable trust anchor is tightly integrated into the platform security architecture. Depending on the design and complexity, it can generate secret keys, store secret keys inside a tamper-proof secure storage and sign to verify digital secrets . In multiprocessing embedded computing platforms, it is used to build chain-of-trust during the boot-up process. Examples include secure boot, secure update, secure debug and remote attestation etc.
Most of existing embedded technologies use one of the five discussed security architecture depending on the domain-specific security requirements.
In XANDAR project, the hardware-based trusted computing approach will be considered for platform security. Though the availability of security defences within a platform is one part of the cybersecurity puzzle. How these security defences are deployed and used is another critical part. Therefore, the is a need for a holistic risk-oriented automotive cybersecurity engineering processes. These processes shall allow adaptation, configuration, and management of security defences to architect a resilient system security architecture which is in-line with the international cybersecurity standards, frameworks and best practises.
 A. Kott and P. Theron, “Doers, Not Watchers: Intelligent Autonomous Agents Are a Path to Cyber Resilience,” in IEEE Security & Privacy, vol. 18, no. 3, pp. 62-66, May-June 2020, doi: 10.1109/MSEC.2020.2983714.
 N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum and N. Ghani, “Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations,” in IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 2702-2733, thirdquarter 2019, doi: 10.1109/COMST.2019.2910750.
 D. Cerdeira, N. Santos, P. Fonseca and S. Pinto, “SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems,” 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1416-1432, doi: 10.1109/SP40000.2020.00061.
 S. Ray, E. Peeters, M. M. Tehranipoor and S. Bhunia, “System-on-Chip Platform Security Assurance: Architecture and Validation,” in Proceedings of the IEEE, vol. 106, no. 1, pp. 21-37, Jan. 2018, doi: 10.1109/JPROC.2017.2714641.
 Jo Van Bulck, David Oswald, Eduard Marin, Abdulla Aldoseri, Flavio D. Garcia, and Frank Piessens. 2019. A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). Association for Computing Machinery, New York, NY, USA, 1741–1758.
 Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. 2018. Spectre returns! speculation attacks using the return stack buffer. In Proceedings of the 12th USENIX Conference on Offensive Technologies (WOOT’18). USENIX Association, USA, 3.
 Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: reading kernel memory from user space. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, USA, 973–990.
 Machiry, A., Gustafson, E., Spensky, C., Salls, C., Stephens, N., Wang, R., Bianchi, A., Choe, Y.R., Kruegel, C. and Vigna, G., 2017, February. BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments. In NDSS.
 Pedro Garcia Lopez, Alberto Montresor, Dick Epema, Anwitaman Datta, Teruo Higashino, Adriana Iamnitchi, Marinho Barcellos, Pascal Felber, and Etienne Riviere. 2015. Edge-centric Computing: Vision and Challenges. SIGCOMM Comput. Commun. Rev. 45, 5 (October 2015), 37–42.
 Thomas Eisenbarth, Tim Güneysu, Christof Paar, Ahmad-Reza Sadeghi, Dries Schellekens, and Marko Wolf. 2007. Reconfigurable trusted computing in hardware. In Proceedings of the 2007 ACM workshop on Scalable trusted computing (STC ’07). Association for Computing Machinery, New York, NY, USA, 15–20.