An important but often neglected safety aspect of our society's critical infrastructure involves the security of embedded software in contexts such as the Internet of Things, smart cities or the smart grid. In this talk I will present an approach to the security-conscious design of embedded control systems. Our work is based on Sancus, a lightweight Trusted Computing platform and Protected Module Architectures (PMA, think of Intel SGX, but for 16-bit MCUs) and guarantees authenticity, integrity and confidentiality properties of event-driven distributed embedded applications.

Relying on a hardware-only Trusted Computing Base (TCB), Sancus makes it possible to protect individual software modules of an application against attacks from other modules or even from a malicious or misbehaving operating system. Component isolation further leads a reduction of the size of these system's (security-) critical software stack, which allows us to analyse, test and even to formally verify critical modules in isolation.

We have worked on a number of compelling use cases for this technology, focusing on smart grid infrastructure and on an AUTOSAR-compliant security framework for automotive bus systems. In these scenarios we observe a substantial reduction of the runtime software TCB (from 50 kLOC to less than 1 kLOC) while maintaining real-time responsiveness and adding protection against a wide range of network and software attacks.

Sancus is the only open-source Trusted Computing architecture currently available; hardware descriptions as well as infrastructure software are freely available. We believe that this is essential to allow for the independent validation of the underlying security primitives and to establish trust in the platform and in systems built on top of it.