Hardware Security For IoT Identity Assurance Submitted

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO.
8, AUGUST 2021 1
Hardware security for IoT identity assurance

André Cirne∗ , Patrı́cia R. Sousa∗ , João S. Resende† , Luı́s Antunes∗
∗ Faculty of Science - University of Porto † NOVA School of Science and Technology
Abstract—The widespread use of Internet of Things (IoT) IoT devices are known to be insecure and the development
devices makes their security a priority. Among the different of security solutions is considered one of its open research
security challenges, identity and authentication mechanisms rise challenges [7], [8]. This problem is caused by a generalized
as the most important. Identity and authentication in IoT are
limited by the device’s computation capabilities and are more lack of security standards, along with the desire for inexpen-
susceptible to physical attacks than common computers and sive systems, which means security is not a priority in their
servers. Regardless, identity and authentication mechanisms are development [9]–[11].
essential for a secure system. Among the different security challenges in this field [12],
Researchers have pointed out that hardware, the source of [13], device identity is one of the most fundamental to create
these limitations, may also be the solution to overcome these
challenges. Systems may include hardware-based cryptographic a secure system. Authentication refers to the confirmation of
implementations to overcome computation and energy limita- the origin of an object or person, in this case, often related to
tions. On the other hand, the addition of security hardware can the verification of its identity. Thus, identity management is
increase the resilience of a device against hardware and software the basis for secure authentication methods for IoT. Without
attacks. these premises it is not possible to design a secure IoT
Our work aims to support these claims by exploring the phys-
ical attacks and other challenges that identity and authentication system, as we lose the ability to access control resources in a
are subject to and analyzing possible technologies that may solve system or guarantee the veracity of information received from
these issues. a device [14]. Despite these facts, the issues we mentioned
For achieving this goal, we preformed a threat analysis to earlier limit the implementation of identity and authentication
the IoT identity and used it to guided us through the research. mechanisms, which make them custom, lacking peer review,
For each technology, we identified: known security attacks,
employed countermeasures, advantages and disadvantages for and using slow or outdated cryptographic algorithms that do
identity assurance. Additionally, we surveyed the literature for not offer the best security.
examples of these technologies supporting the device’s identity. Furthermore, IoT devices are more susceptible to physical
Finally, we were able to create an objective comparison attacks than other devices, which has consequences for the
between the different technologies and identified challenges that creation of IoT authentication and identity systems. Unlike
are hampering the extensive use of hardware-based identity and
authentication systems in IoT.
computers and servers, IoT devices are more likely to be
deployed in unprotected locations where the attacker can have
Index Terms—IoT, device’s identity, identity, hardware-based unrestricted physical access. A simple example is a smart
identity, hardware trust anchors, hardware attacks
meter placed inside the customer’s home. His electric bill
depends on the measurements of that device, which means
I. I NTRODUCTION that he is the person most motivated to tamper with the smart
The Internet of Things is an environment of interconnected meter and has unrestricted access to it.
devices that uses the Internet to share data. Virtually any device Approaching this problem in a general way, we can con-
can be connected to the network. Smartphones, wearables, clude that protection against physical attacks is fundamental
motion sensors, cars, and smart home appliances are just a for the production of secure IoT devices. These devices have
few examples of connected devices today. The number of two parts: software and hardware. The software implements
Internet of Things (IoT) devices connected to the Internet all the logic of the device, while the hardware supports its
continues to grow [1] and our daily lives already depend on execution and enables interactions with the physical world,
them. In fact, they are even replacing us in factories, farms, which means that there is a relationship between them, as
and other jobs [2]. This trend will not decrease and, on the the software runs on top of the hardware. Regarding vulner-
contrary, continues to increase, driven by the emergence of abilities, the industry has many tools to help us find them in
more modern technologies emerging, such as 5G [3], Big software, such as code auditors, fuzzers, debuggers, and static
Data [4] or Fog Computing [5], that enable better connectivity analyzers, but there are fewer for hardware vulnerabilities.
to end devices, increasing network bandwidth, storage and For this reason, hardware vulnerabilities are more difficult and
computing resources. Therefore, an increase in the number of slower to solve then their software counterparts [15].
Internet of Things (IoT) devices is foreseeable in the coming To counterbalance, a root of trust is essentially a security
years [3]. process that starts with an immutable (unchangeable) hardware
With the arising of these devices, the need for strong identity ingrained into the IoT device. A root of trust is an
security policies and controls in the IoT life-cycle urges [6]. immutable process or identity used as the first entity in a chain
of trust. For the most critical applications, a hardware root of
Manuscript received April 19, 2021; revised August 16, 2021. trust can be an important building block for more secure IoT
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 2
devices. Regardless, this creates a hardware trust anchor. To the best of our knowledge, this research is the first that
This type of construction has multiple advantages, namely connects these two realities, identity and hardware security,
guaranteeing the security of the device’s identity from software analyzing threats from physical security to identity, identifying
and physical attacks, and enabling high assurance systems, due potential countermeasures, and mapping them to technologies
to the higher level of resilience it offers. that can be used to support the implementation of new solu-
As these anchors are implemented at the hardware level, tions.
there may be the wrong perception that even if the device’s
software is fully compromised, the attacker will not be able to
B. Contributions
compromise these primitives [16]. However, if the design can
not effectively resist to hardware attacks, hackers can easily Our work aims to provide a comprehensive analysis of
obtain the secrets of the entire chip. Attackers can use the hardware trust anchors that can be used to support the im-
secrets to crack identity authentication and data encryption and plementation of identity systems for IoT devices. In summary,
steal product design know-how, causing application security the contributions of this research are:
problems. • Threat analysis of physical risks to the IoT identity,
Therefore, there is a big demand for the implementation of which includes a definition of security assets, goals, threat
hardware-level security features [15]–[18]. actors, threats and hardware countermeasures.
• Analysis of different technologies that can be used as
A. Related Research Overview hardware trust anchors, containing their advantages and
Over the years, several literature reviews have been pub- disadvantages, security concerns and examples of their
lished on hardware security and identity that bear similarities use to support device identity.
to our work. • Discussion of challenges for adopting hardware trust
Yang et al. [19] reviewed different technologies that can be anchors and future research directions.
used to support the identification and authentication of IoT de-
vices. Throughout their review, Yang et al. explored how each C. Outline
technology can be used as a building block for new systems
The rest of this article is structured as follows:
and potential security attacks on those technologies. Our work
The Section I-A describes similar research papers on hard-
also explores technologies with the same goal, but we include
ware security and device identity, and how we differ from
more technologies like Trusted Execution Environment (TEE)s
them. Section II gives a brief introduction to identity and
and secure elements. Furthermore, unlike our work, Yang et
authentication and their state of development regarding IoT.
al. do not compare the technologies presented.
The Section III lists the different research challenges that can
Shepard et al. [20] reviewed technologies that allow safe
be retrieved from the literature related to the device identity
and reliable execution according to the needs of IoT sys-
and authentication process, and the IV section elaborates
tems. During their analysis, they defined a threat model and
a threat analysis focused on physical risks to the device
evaluation criteria, focusing on the IoT use case, which was
identity. In Section V, we enumerate and analyze the different
used to compare the different technologies. While our work
technologies that can be used to support device identity. The
follows a similar approach, we explore identity assurance via
Section VI compares the different technologies and relates
hardware security, which means that our analysis includes
them to the research challenges and security threats identified
other technologies, different threats, and requirements.
earlier. Finally, Section VIII provides a summary of our
Ehret et al. [21] have more generalized coverage of this
research.
topic. His research focused on hardware-based security tech-
niques related to IoT devices. This research goes through the
different components of a IoT device and presents their hard- II. T RADITIONAL VS I OT- BASED I DENTITY M ANAGEMENT
ware security threats and possible mitigations. Hu et al. [22] One of the challenges of IoT is identity management and the
followed the same research direction, but generalized further effective implementation of secure authentication mechanisms.
by presenting systems hardware security threats and their These two are fundamental characteristics to design a system
countermeasures. In addition, they reviewed security tools that with security by default, as both are security primitives to
can be used to verify device security, for example, to analyze implement further features [13].
at the hardware level how information flows within the board Identity is a specific set of features that allow unique
or to check if the device implementation respects its intended identification of an entity (something or someone). There
design. Contrarily to these works, our work analyzes the use are countless implementations regarding the field of applica-
of hardware security for a specific purpose, supporting the tion [23]. For example, a human identity could be a fingerprint
identification and authentication of IoT devices. In addition, or a social security number. In the case of IoT, it can be a serial
we present a threat analysis specifically for this purpose and number or a cryptographic key.
relate each threat to its identity assets. We also cover the Authentication is the ability of an entity to prove that it
different countermeasures for each security threat and map is genuinely the entity it claims to be. Thus, authentication
them onto the technologies presented. attests to the identity of an entity. In cryptography, authenti-
Compared to these previous works, our research is intrin- cation has two main classes: data source authentication and
sically different from the research mentioned in this section. entity authentication. Authentication of data origin refers to
information exchanges where it is necessary to ensure that the Based on the federated model principles, multiple protocols
information and its source are immutable. As a result, data support their implementation, such as SAML [30], OpenID
source authentication implies data integrity. In contrast, entity connect [31], and full-fledged IdM systems, as Keycloak [32]
authentication is the corroboration of identity and does not and Shibboleth [33]. These are just a few examples of imple-
include any message other than the claim to be a particular mentations, there are other frameworks and systems, but the
entity [24]. ones presented here are the most widespread [34].
Depending on the literature, entity authentication is syn- Security Assertion Markup Language (SAML) [30] is a
onymous with identification or self-concept. For authors who XML-based protocol to exchange authentication and autho-
consider identification an independent notion, identification rization data between a SP and a IdP, even when they are
is claiming a specific identity without presenting irrefutable part of different authentication domains. This protocol relies
evidence of this claim [24], [25]. In this work, we will treat on the SAML Assertion message, a XML containing all the
authentication and entity identification as synonyms. information required by the SP about the entity and crypto-
Related to identity and identification, we have Identity graphically signed by the IdP. The SP uses the IdP’s public key
Management (IdM), which is the process of managing identity to check the veracity of the message. Shibboleth [33] leverages
information and providing authentication and access control to the SAML protocol to implement a complete IdM solution,
information systems. IdM systems handle the relation between featuring federated Single Sign-On (SSO) capabilities.
different parties, entities, Service Provider (SP), and Identity OpenID Connect [31] is an authentication and authorization
Provider (IdP). The entity is the one that claims an identity. framework, which is implemented on top of the OAuth 2.0
The SP provides a service to the entity, and, finally, the IdP authorization framework [35] by adding an identity layer that
has three main functions, entity registration, identity storage, allows the exchange of identity information [31]. The protocol
and authentication, which means it is responsible for the uses a REST API to delegate conditional access to entity data.
enrollment of new entities and also the authentication process The entity obtains an Access Token from the IdP that SP uses
whenever an entity needs to access a service [26], [27]. This to access its identity information. Keycloak [32] is an example
fact makes the IdP the core component of an IdM. of a IdM system based on OpenID Connect.
On a IdM, an entity can have multiple identities charac- The growing number of online users and accounts has
terized by different identifiers organized in three categories: driven the evolution of IdM models to be user-centric. Both
something that only the entity and the IdP knows, such as protocols are examples of this paradigm. The user controls
a password; something that the entity owns, such as a serial the information exchanged between SP and IdP, which allows
number; and some physical characteristic of the entity, like users to have different identifiers linked to their identity,
fingerprints [26]. which can be shared with SPs according to their consent.
With the growth of IdM systems, they started to follow Furthermore, this paradigm is being explored to create SSO
the isolated model - the traditional identity model in which experiences. The user only needs to authenticate once and will
SP and IdP functions merge, therefore, identification and have access multiple services without having to re-enter their
authentication are done directly in the SP itself. credentials [36].
Isolated models are a management burden for organizations
Research continues to follow the user-centric paradigm,
with multiple services, implying identities for each entity [27].
addressing privacy issues, such as a lack of control over
In the case of human identity, multiple credentials are required,
personal data dissemination [37]. Others move away from
decreasing user usability and weakening overall security. To
the classic centralized model and make decentralized IdMs
respond to these problems, IdM systems began to simplify the
focusing on preserving user privacy [38]–[40].
user experience and its management, introducing the so-called
centralized model. With the emergence of IoT devices, the need for specific
In the centralized model, the SP is separated from the IdP. IoT IdM solutions has also increased [41]. IoT devices are
Herewith, different SPs can use the same IdP for authentica- inherently different from humans because there is a lack of
tion, and the entity has a single identity across multiple servers, identifiers, which makes it difficult to develop solutions.
which also eases its management. Lam et al. [42] listed four types of characteristics that can
Despite the advances made by the centralized model and its be used to identify a IoT device: inheritance, association,
paradigms, there are still two problems. IdP servers struggle knowledge and context; inheritance is the most hardware-
to scale, as the increase in the number of identities implies an dependent and immutable, and context is the most hardware-
increase in the compute and storage requirements. Also, the independent, but changeable.
centralized model does not support inter-domain authentica- The inheritance category is like human biometrics identi-
tion, which is a usability problem for large enterprises [27]. fiers. It includes information dependent on the device’s hard-
The federated model solves these issues by integrating ware and unique for each device. An example of an identifier
multiple IdPs in a single authentication domain - the federated of this type is a Physically Unclonable Functions (PUF) (more
authentication domain. This model is implemented by setting a details in Subsection V-F).
group of agreements, standards, and technologies that enable a The association category uses relationships between devices
SP to recognize identities from other authentication domain’s that are critical to their functioning. For example, if a wearable
IdP or the creation of maps between identities from different needs a connection to a smartphone to communicate with the
IdPs [27]–[29]. Internet, the smartphone can be an identifier for the wearable.
The knowledge category is similar to the ”something you storage available due to the inherent cost or expertise required
know” for humans. However, the level of assurance is very to implement these features [17]. Therefore, if we want to
different. A human can memorize a password and does not continue to use solutions that rely on standard cryptographic
need to save it anywhere else. On the other hand, a device algorithms, IoT must be assisted by hardware components
needs a mechanism to store the password securely, which that ease their execution and create the necessary security
implies risks. conditions.
Lastly, the context category uses IoT-based sensing data
as identifiers. Context-aware computing connects much in- III. H ARDWARE - BASED I OT I DENTITY C HALLENGES
formation found in the real world to the intelligence of the
environment. For example, sensor readings produced by GPS Since the beginning of IoT, device identity has been pointed
sensors can be considered raw sensor data. Since we put the out as an open research challenge [12], [49]. Assessing the re-
data from the GPS sensors in such a way that it represents a quirements stated in the Section II, we can highlight three main
geographic location, we call it context information. However, it research opportunities for identity management: Lightweight
is necessary to consider the quality of context, which depends Cryptography [7], [8], [12], [49], Object Identification [8],
on the quality of the physical sensor, the context data, and [12], [41], [43], [49], and Secure Storage [43], [49], [50].
the quality of the delivery process. So, these identifiers can One of the limiting factors in IoT is its restricted re-
have relatively less quality than others and introduce some sources, which limits the implementation of identity and
challenges, such as when a device has an owner and multiple authentication mechanisms. Several authors point out that
users or when the interactions with the devices change over Lightweight Cryptography can solve this problem [7], [8],
time. Both produce changes in the identifiers that make them [12] as lightweight cryptography is an encryption algorithm or
difficult to use [42]. protocol designed with restricted devices in mind. This type of
Regardless of the identifiers used to authenticate a device, solution is evaluated according to requirements such as energy
there is no universal identifier for IoT devices, which is a consumption, implementation size, RAM, and computational
barrier to developing perfect IoT solutions. Although each power [51]. Lightweight cryptography does not necessarily
resource on the Internet has a unique domain name or a imply a trade-off in security efficiency. Some researchers try
public IP managed by international organizations, this does to develop new approaches to cryptographic problems while
not exist in IoT, as each manufacturer has its standards and respecting device constraints, and others use known algorithms
protocols. Therefore, in the short term, it is unlikely that a and protocols and try to reduce them to meet the requirements
universal solution to this problem will emerge [43]. However, of constrained devices [51].
researchers are developing ways to authenticate and identify Before designing any security system, it is necessary to be
IoT devices. able to identify each device. An ideal identification solution
Most IoT systems use cryptographic-based entity authen- should reflect the device’s characteristics in its identification
tication, which means that device identifiers are used in process [12]. For example, following the idea that IoT devices
conjunction with cryptographic algorithms to enable identity can connect to the Internet anytime and anywhere, the device
verification [44], [45]. identity should reflect these properties [52]. Also, regard-
An example of this type of authentication is Attribute-Based ing this issue, IoT promises that devices will communicate
Authentication schemes, in which device attributes are used to seamlessly regardless of manufacturer. However, the lack of
generate a secret key in a public-key encryption scheme. Every standardization undermines this idea. Therefore, creating a
time the device needs to authenticate, it encrypts a challenge vendor-independent identifier is a priority to overcome this
sent by the server with its key. The server will then decrypt this problem.
message using the expected attributes to reproduce the device Therefore, the challenge of Object Identification is being
key, and if it can retrieve its challenge from the encrypted addressed through two different approaches. First, researchers
message, the device will be authenticated [42]. and international organizations are trying to create a global
There are also systems using other approaches. For example, naming scheme that multiple manufacturers can use and be
the use of private keys and Public Key Infrastructure (PKI) able to identify a device, even when it is not connected
certificate for each device [46], or adapted versions of IdM directly to the Internet (for example, a sensor that connects
systems to the IoT, mainly when it is necessary to authenticate to a gateway via Bluetooth ) [49], [52]. On the other hand,
devices and users [47]. researchers are exploring how we can define identity by
Beyond that, researchers are working on blockchain-based analyzing the necessary resources and available technologies.
solutions [13], [34]. These aim to create fault-tolerant IdMs, For solving the object identification challenge, the need
enabling unique identifiers to promote interoperability among for Secure Storage resources increases. As we stated pre-
different brands of devices [34]. viously in this section, many identities require the storage
As we stated earlier, most protocols rely on asymmetric of cryptographic keys, and independent of the method used,
cryptography and assume the availability of secure storage, the identity needs to be stored securely on the device. There-
which brings limitations for use in IoT. Asymmetric encryp- fore, researchers are looking for ways to solve this problem,
tion is too heavy for low-end IoT processors, which makes from creating encrypted storage to dynamically generating
encryption operations slow and energy-intensive [19], [48]. cryptographic keys using the intrinsic characteristics of the
On the other hand, almost all IoT devices do not have secure device [25], [50].
In summary, identity in IoT has two ways to overcome this the device, the user image can be an embedded Operating
challenge, either by using existing IdM systems and mak- System (OS) or a bare-metal application [55]. If the user image
ing devices capable of handling computationally demanding is an embedded OS, the operating system will manage the
cryptographic algorithms or by starting to employ new IdM different processes, events, and a hardware abstraction layer.
systems that exploit lightweight cryptography. Either way, Besides, the embedded OS is also responsible for running the
hardware can be part of the solution. applications. On the other hand, if a bare-metal application
Any of the technologies presented in this work may be is loaded, the application will need to handle and interact
used to support these research challenges. The relationship with the hardware directly. The choice between an operating
between the two is further developed in the Section VI, system or a bare-metal application will depend on the device’s
where we compare the different technologies and analyze their capabilities.
advantages and disadvantages for each research challenge. Software and hardware depend on each other, and the
device will not function correctly if one of these parts is
IV. H ARDWARE - BASED I OT I DENTITY T HREAT A NALYSIS faulty. If the software stack is compromised, it does not
As stated earlier in this paper, IoT devices are more likely mean the hardware was compromised. Contrariwise, hardware
to sustain physical attacks. This trend can be hampered by attacks compromise software. Moreover, an existent Over-the-
developing devices resilient to this type of attack, which means air (OTA) update can always patch software vulnerabilities.
that the component and design of devices must be protected On the other hand, hardware vulnerabilities require a new
from physical attacks. hardware revision to solve them, so there will be devices that
A threat analysis is a process to identify the security will never be fixed [56].
requirements for the component of each device. This analysis Hardware attacks require specialized knowledge and tools.
is based on various characteristics, such as potential intruders, Therefore, devices that do not require high assurance do not
attacks, and device assets. minimize these risks. Furthermore, security certifications that
Developing a detailed threat profile provides organizations address these threats do not assess whether the risks are fully
with a clear illustration of the threats they face and allows mitigated but assess whether the device has countermeasures
them to implement a proactive incident management program to disrupt and delay the attacker [57].
that focuses on the threat component of risk [53]. This threat Any device’s components can be an entry point to com-
analysis starts with defining the context of the IoT environment promise its identity. However, attacks on software will not
that will be assessed and will follow a threat profile that directly affect the device’s identity but rather the authentication
includes information about critical assets, actors and threats protocol or will require lateral movement and further exploits
to evaluate the requirements for secure hardware-based IoT to attack the device’s identity.
identity management. As this work focuses on identity assurance through hard-
ware, we will only consider identity threats related to hard-
ware, which means hardware attacks, and attacks that can be
A. Context Environment mitigated by hardware. These threats will help us to define the
IoT devices have two major components: hardware and soft- security features and capabilities of the components mentioned
ware. Physical attacks target the device’s hardware. However, in Section V. Moreover, during this analysis, we assume
a hardware attack will affect the device’s software due to the the attacker has complete access to the physical device and
relationship between hardware and software. unlimited time to perform the attack.
As with any computer, IoT hardware has a CPU that
provides computation capabilities, RAM to hold program
storage, Read Only Memory (ROM) to store the boot program B. Assets
connected by a CPU bus, and multiple buses to hold pe- In a threat analysis, an asset is something that has value to
ripherals, like persistent storage. However, unlike computers, the company and must be protected. For example, in the case
IoT devices include all these components on a single chip of a pay-TV network, there is a smart card with a decryption
called System On a Chip (SoC) [54], depending on the key that will control access to the network. In this case,
system’s purpose. For example, it may have multiple WiFi this smart card is an asset as it is crucial to the company
and Bluetooth radios or general-purpose buses like I2C and revenue [58].
SPI. Finally, but not least, an IoT device has its Printed Our threat analysis does not have a specific product, so
Circuit Board (PCB), which provides pads to solder different we will only focus on the technical assets needed to achieve
components and offers a reliable electrical connection between identity and authentication. Any of our assets will require
them. confidentiality and integrity, which means the assets must be
IoT devices need firmware to function. Firmware is an kept hidden from attackers, and attackers must not be able to
embedded-software in a piece of hardware. The first soft- modify them. We are not considering its availability because
ware to run on a device is the bootloader. The bootloader we assume that the attacker has physical access to the device,
can be in the SoC, on an on-chip ROM - programmed which means that for this type of attacker, making a service
during production - or in external memory. The bootloader unavailable is the same as disconnecting it from power.
is responsible for initializing the different components and As we stated at the beginning of Section II, identifiers must
transferring the execution to the user image. Depending on support the identity of a IoT device. We have listed four
identifiers: context, association, knowledge, and inheritance. C. Actors

Context is a technique that allows identifying a device by
Many techniques presented throughout this section require
analyzing the way the device relates to other devices and the
expensive equipment, in-depth system knowledge, and exe-
environment that is associated with it. Regarding association,
cution time. Therefore, not all are within reach of all threat
it is to something that device can possess for one or two-factor
actors. A threat actor is someone, either a person or a group,
authentication, such as a hardware token. By contrast, knowl-
who poses a threat [59]. Threat actors can be adapted accord-
edge and inheritance rely solely on the device’s characteristics
ing to their capabilities and motivation. The capabilities of
to create an identity. The inheritance category uses hardware
threat actors are the combination of resources and knowledge
characteristics to identify a device and the knowledge category
available to carry out an attack. The threat actor’s motivation is
encompass the information that only the device knows, such as
the level of desire to perform some action and the expectations
an authentication token or cryptographic key. Therefore, these
(confidence) of success [60]. The threat actor’s motivation
last two identifiers are prone to be compromised by hardware
level is related to the time it takes to succeed. A less motivated
attacks.
attacker will quickly give up on the target if the device has
For the inheritance identifier, the attacker may try to clone too many countermeasures that require time to circumvent.
the Integrated Circuit (IC) design to steal its identity. There- IoT devices have five main threat actors: criminal enter-
fore, the confidentiality of the IC design must be protected. prises, industrial competition, nation-states, ethical hackers,
On the other hand, attackers may also try to tamper with and lay attackers [56]. Criminal enterprises are motivated by
the device to bypass security features, so the IC design must the financial gain they can get from an attack. Typically,
protect its integrity. these organizations look for vulnerabilities that enable solid
business cases. For example, Remote Code Execution (RCE)
In addition to the IC design, an attacker needs to have access vulnerabilities in IoT devices to increase the ability of botnets
to the device’s firmware to clone it. Furthermore, the attacker to perform Distributed Denial of Service (DDoS) attacks. Due
may reverse engineer the firmware to find software vulnera- to the nature of these organizations, the budget for these
bilities that can compromise the authentication mechanisms. attacks is high, but their criminal status limits the human
Therefore, keeping the firmware confidential will difficult the resources they can hire and the equipment they can buy.
cloning process and the vulnerabilities discovery. Industrial competitors aim to collect information about a
Regarding firmware integrity, the main security goal is to competing device, which means they reverse engineer the
make it impossible for unauthorized code to run on the device. device. This attacker will employ skilled professionals and
This can be developed into three attack vectors. The attacker have an ample budget to acquire all the resources needed to
must not be able to change firmware when stored on persistent carry out an attack.
storage. If persistent storage is compromised, the device must Nation-states have motivations such as espionage, countert-
not execute any instructions that could have been tampered errorism, and sabotage. This group has all the necessary means
with. Finally, the attacker must not be able to induce temporary to carry out complex attacks, with the best and most significant
changes in the execution of instructions. amount of professionals, tools, and time to plan attacks.
Finally, knowledge identifiers, depending on the device, can Lay attackers are usually individuals or small groups who
be authentication tokens, passwords, cryptographic keys, or hack to extort money from companies or gain a reputation.
other information. During this work, we will refer to them as Typically, these groups have limited resources and expertise, so
identity data. they will look for another target if they find countermeasures.
Ethical hackers are driven by a curiosity about how a
In the case of cryptographic keys, it is essential to highlight system works or by the possibility of monetary reward. Unlike
that even if the system does not use them directly as an lay attackers, they will not try to make money illegally but
identifier, they can be used internally to keep information through legal initiatives, such as bug bounties. They may have
secure or authenticate data traffic. Therefore, the keys must the expertise to carry out complex attacks, but they have a
be protected regardless of their type. For public keys, the limited budget and time. At the same time, they can gain
goal is to maintain their integrity; for private keys, it is to access to more expensive equipment through universities and
ensure their confidentiality. Public keys are used to verify hackerspaces. When compared to other attackers, they pose
signatures and encrypt information. Therefore, if a public key a different kind of risk. Ethical hackers are not trying to
is changed, it can disrupt the signature verification process, harm a company, but if not dealt with properly, they can
leading to various attacks, from Man-In-The-Middle (MITM) affect consumers’ trust in a company because if a vulnerability
to malicious updates of OTA. The private and asymmetric of a known company is disclosed before it is resolved or
keys are used to identify the device or decrypt important properly explained by the company, defamation can result, and
information. Therefore, if an attacker compromises their con- customers may no longer trust the company. The motivation
fidentiality, they could spoof the device’s identity or MITM and capabilities of each attacker are summarized in Table I.
communications. In this table, the attacker’s capability is analyzed using two
To conclude, devices must maintain three secure assets: CI characteristics, knowledge and resources, classified as low,
design, firmware and identity data to protect the device’s moderate, and extensive.
identity and authentication capabilities. The motivation was classified as low, high, and extreme,
according to the perseverance level of each aggressor. These dissolve the chip package. With decapsulation, the attacker
characteristics directly impact the attacks that each attacker partially dissolves the package keeping the chip functional. Al-
can carry out. ternatively, depackaging completely removes the chip package
Capability
and makes it non operational. Depacking enables the attacker
Threat actors Motivation to delayering the chip. PCBs and chips have different layers
Knowledge Resources
Criminal
Moderate Moderate High with electrical circuits, so by delayering, the attacker will
enterprise polish off individual layers of the chip to better analyze them.
Industry
Extensive Extensive High These techniques are used to allow the reverse engineering
competition
Nation-states Extensive Extensive Extreme of the device. Once a chip is exposed, an attacker can use
Ethical high-resolution images or Scan Electron Microscope (SEM)
Moderate Moderate High
hackers
Layperson to analyze it. Moreover, by applying delayering techniques,
Low Low Low an attacker can analyze multiple chip layers [64].
attackers
TABLE I Both decapsulation and SEM can be hampered by active
S UMMARY OF THREAT ACTORS CHARACTERIZATION metal shields [65] or a defensive PCB design pattern [66],
[67]. An active metal shield is a metal conductive layer in
the PCB that shields critical circuit elements. Depending on
D. Threats the shield, it can be a simple conductive layer or a meander
Hardware attacks can be divided into two main categories, of conductive lines with resistance sensors attached that will
non-invasive and invasive attacks, according to the physical detect tampering, from physically probing to decapsulation
impact on the device. Non-invasive attacks do not require attempts [65]–[68]. In terms of defensive PCB design, there
any preparation of the device to be performed, which means are multiple techniques that can be employed. For instance,
the attacker can access all required components without any critical signals can be routed on deeper layers of the PCB
modification of the device and does not leave any tamper evi- and overlapped by other electrical paths that their destruction
dence. By contrast, invasive attacks require the removal of the would disrupt the device’s operation [66], [67].
chip package and target the components inside. Such attacks These techniques can also be applied to reverse engineer-
require expensive tools, complex techniques, and operating at ing embedded memory to extract stored information. The
a miniature scale. Many times these attacks also imply the information stored on a masked ROM can be decoded, after
destruction of the chip. decapsulation, with an optical microscope. Moreover, it is also
In addition to these categories, some authors also proposed possible to use techniques such as microprobing to monitor
an intermediary class between the non-invasive and invasive buses to extract information or even bypass encrypted buses
attacks, called semi-invasive attacks [61], [62]. Semi-invasive by reverse engineering the chip design [69].
attacks are a subset of invasive attacks that imply the removal Micropobing is the act of attaching probes inside a chip
of the chip package but do not require contact with its internal to measure (side-channel attacks and eavesdropping) or in-
lines, decreasing its complexity. For the simplicity of this ject voltage (voltage glitching) into an electrical line. This
work, we will not distinguish these attacks from invasive technique expects a decapsulated chip, which means it is
attacks. an invasive technique and sometimes requires the creation
Another way to organize the attacks is in terms of similar- of probe pads with Focused Ion Beam (FIB) [56]. FIB is a
ities in the objective of the attack. This taxonomy originates beam of ions that can either remove parts of a chip or deposit
three main classes of attack [62]: reverse engineering, fault material. With this technique, an attacker can cut or reroute
injection, and side-channel attacks and eavesdropping, each wires at a nanometer scale. As microprobing, FIB equipment
containing multiple attack techniques (Figure 1). is expensive and requires special knowledge to be performed.
In addition to describing possible threats, during this Despite its complexity, when successfully performed, it can
section, we will also present the countermeasures a device circumvent many hardware security measures, such as active
can take to difficult their exploitation. These countermeasures shields. FIB can be used to tamper with a chip or support
can either be in software or hardware. However, our main other attacks [56], [70]. Micropobing will always depend on
focus will be hardware countermeasures. the success of the chip decapsulation. Moreover, a defensive
PCB design that makes accessing critical signals difficult can
Reverse engineering hamper microprobing techniques.
Reverse engineering is analyzing a fully functional system and For an attacker that is trying to reverse engineering
developing a set of specifications describing the system [63]. firmware, he first needs to obtain it from the device. An
In IoT, there are two susceptible targets to reverse engineering, attacker can leverage its access to the device’s hardware and
the actual hardware (components and PCB) and its firmware. perform a PCB or logical attack.
With these attacks, the attacker’s goal is to totally understand The PCB interconnects the different components of the
the device’s inner workings, find vulnerabilities, or clone the device. So, to extract the firmware, the attacker can connect
device. directly to the persistent external storage with probes or
The attacker employs the most invasive techniques to re- desolder the memory and then use a debug tool to read it. If the
verse engineer the device’s hardware. Decapsulation, depack- attacker is able to read the firmware, he probably can write a
aging and delayering are processes that use chemicals to tampered version of the firmware in the device. Another option
Fig. 1. Hardware attacks taxonomy
can be to analyze the different PCB connections and discover type of attack is documented by Colin O’Flyn [71], which
possible features that electrical connections can unlock. SoCs with a paper clip, performed a power glitch to a Philips Hue
can often be booted with some security features disabled by Bridge 2.0’s Electrically Erasable Programmable Read-Only
grounding or pulling up logical pins. Memory (EEPROM) to interrupt the communication between
Logical attacks exploit logical interfaces to communicate the memory module and processor. With this fault, he was able
directly with the device’s firmware, bypassing all hardware to interact with the bootloader shell that is locked. However,
security features. Commonly, IoT devices have exposed logical the majority of these attacks are more complex. For instance,
ports like Joint Test Action Group (JTAG), Serial Wire De- force the processor to jump the execution of an instruction.
bug (SWD) or Universal asynchronous Receiver/Transmitter Usually, voltage glitching is a non-invasive technique. How-
(UART), which allow direct interaction with the firmware or ever, it can also be performed at a nanometer scale by
even attaching a debugger. These ports can be disabled in attacking voltage lines inside a chip (microprobing). As we
software, regardless, the majority of the times they are enabled. stated before, this technique makes the attack invasive since it
If an attacker can communicate successfully with the JTAG or requires decapsulation of the chip.
SWD interface, it will be able to extract the firmware and Electromagnetic disturbances are when an attacker generates
interact with its execution. If it is UART, depending on the electromagnetic (EM) signals and directs them to cause faults.
exposed software and device’s settings, it may require further This is possible because changes in a magnetic field near a
exploitation to obtain the device’s firmware. chip induce alterations in the voltage, which can temporarily
After having access to the device firmware, the reverse cause flips in the logical levels of a data line.
engineering process is similar to software. The process is the Optical disturbances leverage the fact that when a transistor
same, but researchers need to know the device architecture is illuminated with a photon intense light pulse, it conducts
and how the firmware interacts with the hardware, which is current, which can be used to generate localized faults. This
often overlooked in other forms of reverse engineering due to attack requires decapsulation of the component and lasers to
the abstraction provided by operating systems. emit light pulses.
Fault injection attacks jeopardize the code integrity of the
Fault injection device by executing the code in an unintended way. These
Fault injection is an attack that induces processing errors in a attacks are momentary and not persistent by nature but can
processor, forcing the processor to jump the execution of an be leveraged to produce persistent errors, for instance, by
instruction or change the content of a register. attacking the storage interface [72]. Overall, fault injection
There are multiple ways to create these faults. The more attacks require knowledgeable and highly motivated attackers
common ones are voltage glitching and electromagnetic and since these attacks need to be tuned by experimentation
optical disturbances ( also called laser glitching). These attacks according to the target hardware, which is time-consuming.
are non-invasive, with the exception of optical disturbances, Moreover, electromagnetic and optical disturbances involve
which are invasive attacks. They all have the same objective; high voltages and lasers, which can hurt the attacker if the
however, the attack vector changes. necessary safety measures are not taken.
Voltage glitching is when an attacker causes a fast change Generally, devices can prevent this type of attack by apply-
in a device’s component to affect its operation. Usually, ing software or hardware countermeasures. In terms of soft-
this attack is executed against a power supply or a clock ware, there are multiple recommendations that developers may
signal. This attack does not imply any invasive process. It is follow. For instance, random delays can be added to the code
carried outside the component’s package without any physical to deflect exploitation, or critical information may be checked
modification. This kind of attack aims to push the hardware multiple times during execution (for instance, two copies of the
to induce an error in the software. A simple example of this same information stored in different memory regions) to detect
any exploitation attempt [73]. The duplication principle may power analysis, which enabled attackers to upload a malicious
also be applied to hardware. For example, the device can have OTA update [83].
the same function implemented in multiple places and compare To prevent these attacks, boards may use voltage regulators
their output to detect tampering attempts. Nevertheless, this to keep their power consumption steady independently of
type of approach is expensive [68]. the operations that are running. Nevertheless, attackers may
Besides these general countermeasures, there are also bypass this by probing inside the chip (microprobing) [75].
specific techniques for each threat. Devices may have This process would require decapsulation.
voltage sensors or monitor the clock signal to detect Integrated circuits in operation emit electromagnetic waves.
voltage glitching attacks [74], [75]. Power or clock lines The principle behind electromagnetic analysis is very similar
are scattered throughout the PCB. Therefore, any attack to power analysis. It is possible to identify events by analyzing
attempt will propagate over these lines, making the attack the electromagnetic signals around a device with electromag-
easily detectable. On the other hand electromagnetic attacks netic probes. Furthermore, in the case of electromagnetic
are localized, which makes them difficult to detect [76]. analysis, we can also identify the location of a specific activity
EM sensors may be used to detect electromagnetic fault by locating the source of that radiation, which is not possible
injections [75], [77]. However, their placement must be in power analysis. Finally, similar to power analysis, there
properly analyzed due to their limited range. On the other are multiple techniques to analyze these measures. The main
hand, electromagnetic fault injections can be avoided by ones are Simple Electromagnetic Analysis and Differential
using an active metal shield that protects the SoC from Electromagnetic Analysis, which are similar to their power
electromagnetic waves and optical disturbances [68], [78]. analysis counterparts [79].
Optical emission analysis studies emitted photons by tran-
Side-channel attacks sistors that change state. Once again, there are two main
Side-channel attacks are non-invasive attacks that aim to techniques, simple and differential analysis [84], which can be
extract secrets from a system by measuring and analyzing used to retrieve cryptographic keys. Additionally, optical emis-
physical parameters like time, power or electromagnetic emission analysis allows attackers to locate the emission source of
sions [79]. The majority of these attacks require the plaintext this photon, which means it can support reverse engineering
and correspondent ciphertext to be known by the attackers. efforts. Finally, these attacks require direct observation of the
Timing attacks exploit data-dependent execution time differ- different components of the chip. Therefore the chip needs to
ences to uncover secret data [79]. For example, in a password be decapsulated. Moreover, these attacks require custom build
check, if a system compares the password inserted by an tools to be performed, increasing the knowledge required to
attacker with the correct password character by character, an execute this kind of attack [56], [85].
attacker could measure the time it takes from the password A possible mitigation for electromagnetic and optical emis-
being inserted to the feedback received. With these measure- sion analysis is to use an active metal shield to protect critical
ments, an attacker could reduce the effort of a brute-force components. In the previous subsection, we explained that
attack by brute-forcing each password character thanks to these shields hinder EM and optical injections. Additionally,
the different execution times depending on each number of this type of shield prevents emissions generated inside the
correct characters in his input. Depending on the target, this package from propagating to the outside, thus, preventing
attack could be performed by timing responses on its software leakages [68], [86].
interface [80] or measuring CPU cycles [81]. The developer Similar to injections, some software measures, such as ran-
must mitigate this threat at the software level by ensuring the dom delays during execution, can be implemented to decrease
same response time independently of the input correctness. the risk of successful side-channel attacks [73].
The power consumption of a processor depends on its Side-channel attacks mainly affect the confidentiality of
current activity, mainly when there are changes in the state identity data. The actors that perform these attacks have
of its components. A precise measurement of the power con- extensive knowledge of statistical analysis and the target’s
sumption allows an attacker to identify the current instruction cryptographic implementations. Regarding resources, both
and estimate changes of bits in memory [61]. Many power time, power, and electromagnetic emission analysis require the
analysis techniques can be used to attack cryptographic sys- same equipment, an oscilloscope, and the necessary probes.
tems. However, the two primary techniques are Simple Power By contrast, optical emission analysis requires specialized
Analysis (SPA) and Differential Power Analysis (DPA) [61]. equipment and decapsulation of the chip.
SPA relies on the direct observation of power consump-
tion and requires the attacker’s specific knowledge about the Eavesdropping
cryptographic algorithm implementation to succeed. DPA is Depending on the device’s design, an attacker could eaves-
a technique that does not require this previous knowledge. It drop on information from the buses connecting the different
leverages statistical analysis to extract information from a data device’s components. This technique could be invasive or
set of power traces [82]. Despite not requiring too expensive non-invasive, depending on the attack scale and if the buses
equipment, power analysis requires a skilled attacker. are exposed or not. In a non-invasive form, this attack only
An example of an attack using this technique was when a requires a logic analyzer, which is not expensive depending on
group of researchers extracted the cryptographic keys used to the number of probes. If an invasive approach is required, an
encrypt and verify firmware updates of a smart bulb through attacker must use microprobing [87]. Either way, the attacker
needs to be able to reverse engineering the signals and convert produce authentication challenges, among other things. There
them to meaningful information. are two random number generators types: True Random Num-
The simpler forms of this attack can be prevented by a ber Generator (TRNG) and Pseudorandom Number Gnerator
defensive PCB design, which means critical signals should not (PRNG). However, for cryptographic operations, PRNGs are
be routed on the top or bottom layer of the PCB. This way, the not recommended because of their lack of entropy [88].
attacker is forced to be invasive and perform more complex TRNG is a random number generator that can generate ran-
techniques such as decapsulation and microprobing to reach dom numbers, without any periodicity, from physical sources.
the same goal, eavesdropping on a signal. Nevertheless, if the The TRNGs are distinguished from the PRNGs, used in
signal is critical to the device, the designer should evaluate its most systems, by the quality of the generated numbers. A
encryption [67]. PRNG uses algorithms to generate a sequence of numbers
that depends on the initial seed given to the algorithm. The
E. Summary numerical sequence of a PRNG is deterministic, which means
Multiple attacks based on hardware can compromise the de- that an attacker can calculate the PRNG sequence if the seed
vice’s identity and authentication capabilities. Throughout this is known. Therefore, the seed must be random.
section, we analyzed the different security objectives to keep On IoT devices, seed generation have limited entropy
the IoT identity and authentication secure. At the same time, sources, and attackers can have physical access to the device,
we listed the attacks that may be used to compromise these allowing them to disrupt these sources. Therefore, TRNG can
devices and detailed their requirements regarding knowledge be used to overcome these problems by extracting entropy
and resources. These facts have a direct repercussion in which from the device environment, such as electronic noise [19].
attack a specific threat actor may employ. Examples of these electronic noises are the variations of
Table II summarizes the different attacks by mapping the signals generated by electronic oscillators, which can be
requirements needed by the attacker to be successfully. Also, sampled, filtered for possible interference and quantified as
it identifies the compromised assets and outlines the hardware digital bits [89]. However, this construction requires several
countermeasures. In this table, we included microprobing and oscillators to produce a high quality number [88], which
FIB as they can be applied to multiple attacks and will impact increases production cost and energy consumption [19].
its requirements. Electronic noise can suffer external interference, affecting
During Section V, we will use the countermeasures iden- the quality of the generated numbers. Therefore, researchers
tified in this section to assess the level of security of each have been using quantum theory to support new TRNG
technology against hardware attacks. constructs to solve these problems. In quantum mechanics,
each choice is random and independent of the other. Based on
V. H ARDWARE T RUST A NCHORS T ECHNOLOGIES this, researchers have been using light pulses and analyzing
We have identified six technologies that can be used as each photon’s choice or using the time between an element’s
building blocks to overcome today’s open research challenges radioactive decay to create TRNGs [90].
IoT, True Random Number Generator (TRNG)s, ROMs, 1) Security attacks and countermeasures:
crypto accelerators, secure elements, TEEs, and PUFs. For TRNGs, as a component, is normally embedded in a device.
each technology, we look at its advantages and disadvantages Therefore, it does not include security countermeasures and
for supporting device identity, the existing security attacks and delegates them to the device. Depending on the type of
countermeasures that are typically implemented, and finally, TRNG, some attacks leverage the environment bias of these
the systems where they have already been used to support components to generate weak numbers. For instance, Ring
device identity. Oscilator (RO)s based TRNGs can be biased with EM fault
Before analyzing each one, we must reflect on their nature injections [90], at the same time, attackers can perform EM
and how they relate. We can differentiate two distinct groups side-channel analysis to retrieve information about its internal
in these technologies: basic and composite building blocks. state [91].
Base blocks provide elementary resources, and composite 2) Advantages and disadvantages for identity assurance:
blocks provide multiple resources, which means they can be IoT suffers from a lack of available entropy. Therefore
broken down into smaller building blocks. For example, a TRNGs can be the solution to provide high entropy numbers
TRNG is a base block as it only provides random numbers. On in an IoT platform.
the other hand, a secure element is a composite building block On the other hand, TRNGs have several disadvantages. They
because it provides various features such as cryptographic increase the cost of the device and its power consumption.
operations and random number generation, which are provided Moreover, common TRNGs that do not use quantum physics
by base blocks, namely a cryptographic coprocessor and are susceptible to environmental biases, which means threat
TRNG. actors with physical access to the device can take advantage
of this fact and attack the generated numbers.
A. True Random Number Generator 3) Implementations:
Encryption is the foundation of identity and authentication TRNGs are included as a base component of other more
solutions. These systems rely on unpredictable and unre- complex. For instance, any identity system that uses a Trusted
producible key streams to generate cryptographic keys and Platform Module (TPM) or Secure Element (SE) will inher-
Identity assets Required capabilities

Threats Identity data Firmware IC design Hardware Countermeasure
Knowledge Resources Motivation
Confidentiality Integrity Confidentiality Integrity Confidentiality Integrity
- Voltage sensors
Voltage glitching No No No Yes No No Moderate Low High
- Clock signal sensors
- Multiple voltage sensors
EM disturbances No No No Yes No No Moderate Moderate High - Active metal shield
- EM sensor
Optical disturbances No No No Yes No No Extensive Extensive High - Active metal shield
Timing attacks No Yes No Yes No No Moderate Low High
Power analysis Yes No No No No No Moderate Low High - Voltage monitoring
EM emissions analysis Yes No No No No No Moderate Low High - Active metal shield
Optical emission analysis Yes No No No No No Extensive Extensive High - Active metal shield
- Active metal shield
SEM No No No No Yes No Extensive Extensive High
- Defensive PCB design
- Active metal shield
Decapsulation No No No No Yes Yes Extensive Extensive High
- Defensive PCB design
Depackaging No No No No Yes Yes Extensive Extensive High - Defensive PCB design
Delaying No No No No Yes Yes Extensive Extensive High - Defensive PCB design
PCB level attacks Yes Yes Yes Yes No No Low Low Low
Logical interface attacks Yes Yes Yes Yes No No Low Low Low
Eavesdropping Yes Yes Yes Yes No No Moderate Low Low - Defensive PCB design
Microprobing N.A. N.A. N.A. N.A. N.A. N.A. Extensive Extensive High - Defensive PCB design
FIB N.A. N.A. N.A. N.A. N.A. N.A. Extensive Extensive High
TABLE II
R ELATION BETWEEN THREATS , ASSETS AND REQUIRED CAPABILITIES
ently use a TRNG since TRNGs are fundamental part of these can be uncovered to irradiate the floating-gates [93]. Floating-
components. gate OTPs follow the same working principle of floating-gate
An example of the explicitly use of TRNGs in identity memories but have the floating-gates shielded to ensure they
systems is the work of Yang Su et al., in which a decen- are not reset by radiation.
tralized machine identifier for electric vehicles was developed Eletric-Fuse (eFuse) OTP memory is constructed with a set
employing a TRNG module for the generation of the vehicle of fuses that are blown to represent data. This operation is
identification [92]. done by applying a high voltage to the fuse, which can be
done in the field [97]. The working principle behind an eFuse
B. Masked ROM and OTP memories is electromigration, the process by which material is gradually
transported in a conductor. eFuses are constituted by conduc-
Non-Volatile Memory (NVM) is a type of memory used
tive metal lines that, when exposed to high voltages, resistance
in devices to store information persistently. There are multi-
increases and makes the circuit open due to electromigra-
ple families of NVM which differentiate themselves by the
tion [98]. However, in terms of data retention, electromigration
employed technology and the number of times they can be
introduces disadvantages. eFuses are susceptible to re-growth
rewritten. Among the different types, the ones that only allow
issues, where metal lines unintentionally connect, changing the
a single write operation may be used in a system to support
stored data [99].
security operations. For instance, it can be used to implement
Anti-fuse OTP memory is similar to the Fuse OTP but
a Root-Of-Trust (RoT) or store public keys [93].
uses an anti-fuse on its construction. An anti-fuse is an
There are four types of one-time writable memories, masked
electronic component that, when unaltered, does not conduct
ROMs, floating-gate One-Time-Programmable (OTP)s, fuses
electrical current, but after being exposed to a high voltage, it
OTPs, and anti-fuses OTPs. These last three are called OTP
becomes conductive. This change is used to store information
memories because they can be programmed in the field,
permanently in memory [97].
offering more flexibility than a masked ROM, which can only
be set during fabrication [94]. 1) Security attacks and countermeasures:
Masked ROMs have the information hardwired in the chip The main objective of read-only memories is to make
design, which means the data to store needs to be known data unchangeable. With the exception of floating gate OTPs,
before the production of the component since its electrical there are no known attacks to this part. As we stated before,
connections are rearranged to represent the information that since floating gate OTPs are based on floating-gate memories,
needs to be stored. The significant advantage of this type of attackers may try to bypass its shield and expose it to UV
memory is its low production cost when a large amount of radiation to be able to write it again [100]. eFuses suffer from
memories storing the same information is required. At the the re-growth issues, but we have not found any literature
same time this is a disadvantage for small deployments [93], exploiting this fact to create an attack to compromise the OTP.
[95]. On the other hand, since these memories have information
Floating-gate memory is a type of memory that leverages that can be interesting to an attacker, it is essential to assess
floating-gate transistors to store information, allowing them to how easy it is to retrieve the stored information. The presented
be reprogrammed and erasable in the field [96]. memories have very similar protection levels. To retrieve the
Floating-gate memories can be erased by exposing them to information, an attacker must depackage and delaying the chip
a source of Ultraviolet (UV) radiation. This is possible since and then use an high-resolution optical microscope to read
the packages of these memories have a quartz window that its information manually [69], [100]–[102]. Another option is
to use an SEM to retrieve the information. However, this is Examples of GPPs with crypto acceleration are the Intel
not possible on anti-fuse OTPs [98]. All these techniques are CPUs with the AES-NI instruction set [107] and ARM CPUs
invasive, requiring expensive equipment and manual work to with the ARMv8 Cryptography Extension [108].
retrieve the memory data. Hardware crypto coprocessors are a logic devices or hard-
To mitigate these risks, device designers employ active ware modules dedicated to executing cryptographic operations.
shields protecting the memories that will erase their content These coprocessors cannot be programmed are entirely depen-
or damage the device if any tampering attempt is detected. dent on a processor to operate, to the point of not having any
Nevertheless, if not backed up by batteries, this kind of storage to store secrets. However, these components are more
protection will only work if the device is power-on. Therefore flexible than GPPs with crypto acceleration, enabling reconfig-
it will not stop offline attacks. uration of the algorithms, since they are typically implemented
2) Advantages and disadvantages for identity assurance: on top of Field-Programmable Gate Array (FPGA)s [106].
Masked ROM and OTP memories are cheap options to store A crypto processor is an independent processor that is spe-
information that can only be read. Despite that, they also cialized in cryptographic operations. In contrast to GPPs, these
have several security risks which cannot be ignored for high processors protect their secret keys. The keys are typically
assurance deployments. An attacker with physical access to the generated inside the processor, stored in a dedicated memory,
device can replace these with similar ones but with different and transported in a dedicated bus. All these measures are
content since devices do not have mechanisms to ensure the implemented to ensure that the system can only interact with
integrity of the memory itself. Moreover, for each memory the key by performing a cipher or decipher operation [106],
type, specific attacks can be leveraged to change the content [109]. Nevertheless, countermeasures against more intrusive
of these memories [101], [103]. Therefore, masked ROM and attacks will vary according to the mode.
OTP memories bring advantages for systems that require a An example of a crypto processor that can be found in the
low-security assurance level. However, if these components majority of the computers is the TPM.
are used for other assurance levels, their security risks need Hardware TPMs are secure crypto processors that im-
to be mitigated. plement a specification that the Trusted Computing Group
3) Implementations: (TCG) created to establish trust in a computation system.
Masked ROM and OTP memories are used as building Namely, hardware TPMs must have the appropriate hardware
pieces for more complex systems. The most common use of protections to provide three RoTs, storage, measurement, and
these memories is to provide a RoT, which is why they are reporting [110], [111].
included in most SEs (Subsection V-D) [104]. More recently, TPMs have registers to store measurements of each soft-
researchers have been using these components as RoT in ware that runs during the boot process of a system. These
the Arm Trust Zone system (Subsection V-E) as they do measurements provide a chain of trust, allowing detection of
not provide a default secure way to store information [105]. any tampering attempt of the boot process. In addition to that,
Another use for these memories is to enable and disable they have a set of asymmetric key pairs which can be used
features in a device. For instance, many SoCs use fuses to for encryption and signing [110]
disable debug capabilities, such as a JTAG or UART port [17]. These two features allow the production of signed reports
of the system’s software configuration and, at the same time,
decipher data only when the system matches a specific state,
C. Crypto accelerators which is the base for Trusted Computing.
Crypto accelerators offer a high throughput in cryptographic TPMs offer a secure random number generator and cryp-
operations. These components may or may not include coun- tographic engines according to their version. For instance,
termeasures against known attacks and are mentioned in the the most recent version, 2.0, offers RSA, ECC and AES
literature with multiple names, such as a custom processor and cryptography engines. All these features are backed up by
crypto array [106]. We will follow the Bossuet et al. [106] tampering-resistant hardware. [112]
taxonomy and present four types of components: General Finally, a crypto array is a crypto accelerator where we
Purpose Processor (GPP)s with crypto acceleration, hardware have multiple cryptographic processing elements that work
crypto coprocessors, crypto processors, and crypto arrays. together with a GPP to provide a fast parallel computation
GPPs with crypto acceleration are Central Processing Unit of cryptographic algorithms. The primary use of these com-
(CPU)s that have dedicated instructions for cryptographic ponents is VPNs, which require handling multiple ciphered
operations. These specialized instruction sets allow programs connections simultaneously [106]. Therefore, they are neither
to take advantage of dedicated hardware for cryptographic directed nor used in IoT since they do not need to handle
operations, which is faster than running these operations on multiple connections simultaneously.
a general-purpose hardware. However, this type of solution 1) Security attacks and countermeasures:
does not offer any other feature, which means it depends on Generally, crypto accelerators do not offer security counter-
the GPP for secure storage and preventing hardware attacks. measures to prevent hardware attacks, since they are included
The crypto acceleration in these GPPs is usually imple- in more complex systems. Thus, this group of components has
mented using specialized Arithmetic Logic Units inside the been targeted by multiple attacks. For example, it is known
GPP to provide a low overhead connection to the GPP using that Intel AES-NI is vulnerable to voltage glitching [113] and
internal buses. side-channel attacks [114]. An example of an attack against
crypto coprocessors is the power fault injection attack against tion operations with the cloud. As a bonus, this coprocessor
the coprocessor presented in the PlayStation Vita [115]. also offers storage for cryptographic keys, which was used
Regardless, some of these components may offer security to store the authentication keys [118]. Another example is the
features. For instance, usually, TPMs use the same processors use of TPMs. Due to its widespread, multiple solutions include
of SEs. Therefore they inherit features like active metal shields this technology as a way to attest its boot and store its device’s
and voltage monitors. cryptographic keys [119]–[121]
Despite this, it is important to remember that the level of
protection of TPMs will vary. By definition of the TCG, TPMs
D. Secure elements
need to be certified with Common Criteria Evaluation Level 4,
which means the component is methodically designed, tested, A Secure Element (SE) is a tamper-resistant component
and reviewed against the TCG security profile [116]. The TCG that offers a set of security primitives, such as managing
security profile defines that TPMs must be protected against secrets or running applications securely [122]. This type of
physical hacking attempts. In addition to the Common Criteria, component cannot be easily forged or copied and has a unique
TPMs are certified with the FIPS 140-3 certification [117]. identifier [123].
This certification has multiple assurance levels. Level 1 of The concept of SEs was introduced by the GlobalPlatform,
this certification does not require any specific physical security an initiative of different industry stakeholders to create spec-
mechanism and level 2 requires that the component shows evi- ifications and standardization for secure components [122].
dence of any tampering attempt on the plaintext cryptographic These components are also commonly called smart cards. In
keys and critical security parameters. Mechanisms to detect this work, we will use these two nomenclatures interchange-
and respond to physical attacks are only enforced in level 3 ably.
of the certification [117]. Typically, TPMs are certified with There are three main form factors for SEs: Universal Inte-
level 1 or 2, which means that TPM designers do not need to grated Circuit Card (UICC), which can be found in credit cards
have protections against invasive attacks but instead need to and sim cards, in a microSD form factor, and an embedded
make the component tamper evident. chip in the device, the so-called embedded Secure Element
2) Advantages and disadvantages for identity assurance: (eSE) [124].
One of the limitations of implementing security features in A SE is a SoC with an independent CPU, RAM, EEPROM,
IoT devices is that we have a limited development budget and and ROM in a small form factor. For reference, inexpensive
minimal hardware in terms of computation capabilities. There- smart cards have 12 to 144 kilobytes of EEPROM storage, 6
fore, crypto accelerators can be the solution when devices do kilobytes of RAM, and 200 kilobytes of ROM [125]. More-
not have the capability to run cryptographic algorithms. over, current smart cards have different interfaces to interact
GPPs with crypto acceleration are the cheapest and easiest with the world. Initially, they used serial communication, but
way to include crypto acceleration in an IoT device since nowadays, with the proliferation of smartphones is common
it is not a separated component but instead embedded in to find smart cards with Near-Field Communication(NFC) or
the device’s main CPU of the device. To benefit from these even Bluetooth interfaces [126].
capabilities, developers only need to ensure that their operat- However, SEs differ from common embedded systems as
ing system and cryptographic libraries use these specialized they have multiple layers of defense. For instance. an attacker
instruction sets [17]. Thus, making it easy to integrate at the trying to decapping the SE’s package would find an active
software level with the rest of the system. current-carrying layer, that in the case of being break would
Another way, but requiring more adaptation, is to use crypto destroy the information carried by the card [104]. To mitigate
processors. These components are independent components probing attacks, SE employs ciphered bused between the
that must be added to the device and connected to a general- different components, and many times the, PCB paths are
purpose bus. At the software level, these components typically scrambled to difficult any attempt of reverse engineering [127].
provide a software stack that can be used to leverage their SEs are susceptible to Side Channel and Fault Injection
capabilities. attacks. The preferred attack vector is power analysis, for side
Finally, cryptographic coprocessors are the one that brings channel attacks in SEs is power analysis [128].
more disadvantages. It requires low-level integration with Usually, SEs mitigate these attacks in software, designing
access to GPP’s internal buses. However, it has the advantage cryptographic algorithms that have constant execution time
of being reconfigurable if needed. or introducing random delays in execution (for instance, in a
3) Implementations: stream of bytes when XORed with a key, the operation is not
GPPs with crypto acceleration are common in commercial performed in a sequential order but in a random order) [104].
processors. As we stated before, AES-NI and ARMv8 Cryp- On the other hand, fault injection attacks can be mitigated
tography Extension are examples of this. Thus, there are many by detecting or hampering the attacks. SEs employ sensors to
IoT identity systems that, intended or not, already leverage this detect fault conditions, like unusual events in the voltage or
extension to accelerate their operations. clock supplied to the card. In addition to these, they can also
Crypto-coprocessors and crypto processors are used to ac- implement some software measures. Checksums prevent in-
celerate cryptographic operations when limited controllers are duced changes in memory. Random delays can hinder attacks,
used. For example, Pearson et al. used a microchip crypto- and execution or variable redundancy, where we have multiple
graphic coprocessor to accelerate authentication and encryp- copies of the same information in multiple places, can be used
to detect tamper attempts. Each SE’s manufacturer employs also have active metal shields that hinder some side-channel
the measures he considers necessary to achieve the required attacks, as explained in Subsection IV-D [104].
assurance level. In addition to these measures, smart cards are designed
In the past, as SEs were mainly used for a single application, to discourage reverse engineering. Critical parts of the SE
the application and operating system were developed together internal design are randomized, and the active metal shield
and stored in ROM. However, this approach makes the de- also hamper invasive attacks or SEM [104].
velopment difficult since developers need specific knowledge The security features of SEs are guaranteed by two certifica-
about the smart card intrinsics. At the same time, the final tions, the Common Criteria and FIPS 140-3 [117]. Normally,
product would be dependent on the specific smart card model SEs are certified with the assurance level 6 of the Common
and could not receive updates because it was stored on Criteria, which implies a semiformally verified and tested
ROM. Nowadays, smart cards deploy the operating system and design with a security profile created for this purpose [130],
the applications independently to overcome these limitations. and level 3 of the FIPS 140-3, which enforces tampering
Smart card operating systems are minimal, provide hardware protection and response to attacks [117].
abstraction to applications, and are typically deployed in ROM, 2) Advantages and disadvantages for identity assurance:
which means they cannot be changed after production. On Including SEs in IoT devices enables very constrained
the other hand, applications use the Application Program- devices to overcome their hardware limitations to perform
ming Interface (API)s provided by the operating system and security operations. SE offers high-security assurance with low
are stored in Electrically-Erasable Programmable Read-Only energy consumption. Moreover, depending on the application,
Memory (EERPOM), which means they can be changed over there are different types of smart cards. In a more complex
time. Moreover, many smart card operating systems support setup, a device can leverage multiple application cards, to have
virtualization, enabling the deployment of multiple applica- various applications inside the SE. In simpler systems, smart
tions in the same smart card independently [129]. cards that only offer a limited set of features can be used.
The GlobalPlatform standards have contributed significantly
No matter the choice, smart cards are not expensive. Mul-
to creating multi-application smart cards, promoting security
tiple application cards are sold for two dollars at the time of
and inter-operability independently of the operating system.
this writing.
From the wide range of standards, it is important to highlight
the GlobalPlatform Card Specification. This specification de- On the other hand, depending on the system design, the
fines a set of logical components that enable secure multi- device may need to store a PIN to unlock smart card func-
application smart cards and the different procedures and APIs tionalities. Therefore, in a production system, using a SE
to manage and install applications in the card. Moreover, the will require other security mechanisms to solve this problem.
GlobalPlatform Card Specification details how we can manage Moreover, even with different form factors, adding a SE means
the communication from the outside world to a specific adding another component, increasing the device’s size and
application in multi-application environments [129]. complexity. Finally, if a SE application needs to be created,
Smart card models offer a set of security primitives backed the development team will need to get familiarized with a new
up by specialized hardware coprocessors. Normally, this list technology and development kit.
includes asymmetric and symmetric cryptographic algorithms, 3) Implementations:
hash functions, and a true random number generator. The list SEs have been used by multiple researchers and solutions to
of available algorithms will vary depending on the smart card securely store a cryptographic key that identifies devices and
model [104]. offload cryptographic operations [131]–[133]. For instance,
1) Security attacks and countermeasures: Even though SEs in academia, Jeon et al. [132] proposed SEs in LoRaWAN
have limited computing power and memory capacity, their nodes to prevent leaks of communication keys used in the
security requirements are high. SE’s threat model expects the LoRaWAN protocol. At the same time, in the industry, for
information stored inside the card is kept secure even if the example, Bosch security cameras use SE to store cryptographic
attacker has unlimited access. Thus, smart cards employ all keys and handle updates securely [133].
the countermeasures we presented in Subsection IV-D. Other researcher have leveraged the fact that some SEs
SEs use multiple anomaly sensors to detect unintended have Near Field Communication (NFC) interfaces to develop
execution conditions such as temperature, voltage, clock, and solutions that support remote identification and local identifi-
electromagnetic variations. If an unusual condition is detected, cation [134], [135]. An operator can physically identify the
the SE will react to it. Depending on the devices and the sensor device using a smartphone with NFC, mitigating problems
in question, the device can automatically reset itself or halt its related to labels that could be tampered with or even eaves-
execution until the working condition are regularized [104]. dropped on by an attacker [135].
Over the years, multiple side-channel attacks have been reg- The use of SEs in military Unmanned Aerial Vehicle
istered against smart cards. Because of this, SE’s software is (UAV)s has also been studied. Any information stored in a
designed with multiple lines of defense to prevent information military UAV must be kept secure, even if the enemy captures
leakages, such as constant execution time for cryptographic the UAV. With the current development of autonomous UAV
operations, memory masking when critical information is fleets, researchers have proposed the inclusion of a SE in each
present in memory, and a randomize manipulation of data drone from the fleet and use it to store any information that
given by the user. In addition to software countermeasures, SE would compromise its mission or the rest of the fleet [136].
E. Trusted Execution Environment of the underlying TEE implementation [123]. Finally, they also
A Trusted Execution Environment (TEE) is a set of software introduced the concept of Trusted User Interface API. As we
and hardware that provides isolated execution and storage mentioned before,TEE’s applications often require user input,
environments from the main operating system. Its primary and that is why trusted paths are included in the architecture
objective is to assure information security and privacy even of a TEE. The GlobalPlatform tries to evade this problem by
if the device is compromised [137]. promoting an input/output peripheral inside the TCB [139].
A fundamental concept in TEEs is the Trusted Computing GlobalPlatform TEE System Architecture specifica-
Base (TCB), which is the set of software and hardware tion [137] proposes three different architectures: a scheme
components that are explicitly trusted to ensure the security with shared memory with the REE and an isolated component
properties expected from a TEE [138], which means the inside the SoC where the TEE operates; an architecture
TCB is the RoT of these platforms. The TCB defines two where all resources are shared with the REE but there is an
environments, TEE and Rich Execution Environment (REE). isolation level between the two environments; an architecture
The TEE is the execution environment provided by the where an External Security SoC is introduced in the device
TCB, and REE is the execution environment provided by the and communicates with the main SoC to provide the TEE
untrusted components [123]. capabilities.
There are five security features that TEEs must implement: 1) Hardware-based TEE enabling technologies:
isolated execution, secure storage, remote attestation, secure TEE is a general concept. Thus, there are multiple im-
provisioning, and trusted path [138]. plementations, each one with its caveats and approaches.
Isolated execution allows applications to run in complete This subsection analyzes two TEE-enabling technologies,
isolation from other code, which means they have their own ARM TrustZone [140] and Intel Software Guard Extensions
address space and system resources. This can be implemented (SGX) [141], which were chosen due to their availability in
in multiple ways, from isolation at the OS, using a hypervisor the market and openness to third-party development.
or a parallel environment with separated components. However, it is essential to highlight that at the time
Secure storage provides confidentiality and integrity to the of writing, the version of the Intel SGX detailed here is
data, even when the device is powered off. Once again, deprecated in consumer-grade CPUs. Only server-grade CPUs
depending on the assurance level required, the isolation can be will continue to support it [142]. Moreover, there are rumours
assured by the OS. However if the OS is compromised, this of a new version of Intel SGX, but details are scarce, and its
isolation is not guaranteed. Therefore, strong constructions of future is uncertain [143].
secure storage use a separate component that ensures access
control independently of the OS. Due to the small amount of
ARM TrustZone
storage available in the RoT, it usually stores cryptographic
keys that are then used to decipher the rest of the data. With ARM TrustZone [140] is a set of hardware security exten-
this, as the data is encrypted, it can be stored in an untrusted sions in a wide range of Arm processors, from the cheaper and
storage. Nevertheless, with this kind of solution, it is critical less capable processors to the expensive ones. This technology
to prevent the rollback of data to a previous version. allows an application to run either in a secure state (TEE) or
Remote attestation allows the remote verification of the a non-secure state(REE). The processor executes exclusively
message origin. At the same time, it attests that the TEE loaded in one of these states at a given time. The underlying system
correctly. This means that remote attestation will only attest if assures a secure context switch between the two states and
the TEE’s firmware is correctly loaded. Hence protecting the controls access to its resources. This construction does not
device against persistent treats but does not defend against a have separate hardware for each environment. Nevertheless,
run-time compromise or does not inform if the device is not the secure monitor guarantees its separation at the hardware
working properly. level.
Secure provisioning is the capability of sending data to a The secure monitor is a component that manages the context
specific TEE, maintaining secrecy and integrity in the com- switch between the two worlds, REE and TEE. Depending
munication. This mechanism is normally used to offer secure on the processor generation, the secure monitor can be an
updates or change settings in the device, leveraging remote independent component inside the processor or implemented
attestation and cryptographic keys unique to each device. directly on the processor logic [144].
Finally, trusted path enables secure access to physical pe- Even though ARM TrustZone is intended as a security
ripherals. For instance, if an application running inside a TEE technology, it can also work as a virtualization technology
requires access to a keyboard for user interaction, it must be supported by hardware [144]. This means that each execution
impossible to interfere in the connection between the TEE and environment may have its OS. This flexibility brings advan-
keyboard in any way, including any attempt of eavesdropping tages for the developer. Depending on the application, the
the connection. developer may create a software library that resides in the
Similar to SEs, the GlobalPlatform initiative has a crucial TEE and is called from the REE or use a Secure OS for the
role in establishing TEE standards. They propose TEE’s archi- TEE [123]. In these cases, the TEE’s OS is specially designed
tectures, define APIs to communicate from REE’s applications for this purpose, having a reduced set of features to keep the
with applications running inside the TEE and promote the TCB as small as possible. On the other hand, the REE uses a
development of TEE applications that can run independently common OS.
Developers typically do not implement applications directly have multiple types, from ones mapped to the enclave address
on ARM TrustZone but instead use a TEE that leverages the space to metadata used in its lifecycle [141].
ARM TrustZone, and acts as a development framework for If an EPC needs to be stored in an untrusted memory,
their application. The GlobalPlatform standards boost this pro- SGX will cipher and sign it, to assure its confidentiality and
cess since ARM TrustZone implements multiple GlobalPlat- integrity. The only time an untrusted application can write to
form standards, which enable interoperability among different the PRM is during the loading stage of an application to the
TEEs [145]. Examples of TEEs used with ARM TrustZone enclave, when the application is copied and EPC pages are
are the OP-TEE [146], SierraTEE and Open-TEE [147]. allocated. This process is cryptographically hashed and then
Nevertheless, sharing the same hardware components bring used for software attestation.
risks. REE applications can try to interfere with TEE applica- The enclave’s virtual memory is not the only memory that
tions. Applications may try interfering with the TEE execution lives inside the EPCs. The enclave has the option to have
by creating interrupts to force context switches, creating a memory mapped from the outside in its virtual memory.
denial-of-service (DoS) or performing side-channel attacks to This allows enclaves to use existent libraries from the non-
the shared CPU cache. secure world or act as a library for processes outside the
To mitigate DoS attacks, ARM TrustZone allows the con- enclave. In these cases, non-enclave software cannot access
figuration of interrupt prioritization to rank first the secure PRM memory [141].
world’s interrupts. Unfortunately, the developer must activate In any context switching from an enclave to an application
this feature specifically [144]. outside the enclave, the CPU, to avoid data leakage, saves
ARM TrustZone CPUs share their cache between applica- its state to a predefined area and cleans its registers before
tions from both worlds, which means both compete for the transferring execution.
use of cache. Even though a non-secure world application Intel SGX enclaves run at the lowest privilege level possible
cannot access to a cache assigned to a secure-world application (user mode). Therefore, enclave application development is
due to a tag bit that signs to which world the cache is similar to non-enclave applications. The developer has a set of
assigned. Regardless, this can yield different attacks, from a libraries that can use and a Software Development Kit (SDK)
rootkit that evades introspection [148], to multiple side channel to compile and deploy the application [154]. Nevertheless,
attacks that by monitoring cache activity are able to retrieve multiple SDKs work on the Intel-provided SDK to facilitate
cryptographic secrets from the rich world [149]–[151]. the development of secure SGX applications [155], [156].
Arm TrustZone secure world has full access to the memory The security restrictions applied to SGX enclaves are the
of the untrusted world. This fact introduced a new class of same as non-enclave applications. Enclaves will not be able
attacks called BOOMERANG attacks [152]. These vulnera- to interact directly with computer devices [141]. Regardless,
bilities enable an application, from the non-secure world, to having software that no one can access is also a security prob-
exploit a TEE application to access a portion of memory which lem. Current anti-virus scan executables, files, and memory
it does not have access. looking for patterns that indicate malicious activity. Therefore,
Finally, ARM TrustZone neither specifies a RoT for their SGX technology can evade these analyses, which means if a
TEEs not a secure storage method. Therefore, the system malicious actor lives inside an enclave, he will not be detected.
designer is responsible for bringing a solution to these In terms of physical security, even though the SGX threat
problems. This difficult the development of solutions based model excludes physical attacks targeting the CPU chip and
of TrustZone applications. At the same, it may produce a lack side-channel attacks, it considers attacks to the DRAM, its
of authenticity and integrity guarantees in devices that do not bus, and debugging ports [157].
offer separate hardware modules for these functions [144], Attacks on CPU chips are complex and require expensive
[153]. equipment. Therefore they are less common. The intrinsic
characteristics of SGX are not publicly known. However,
Intel Software Guard Extensions researchers have analyzed patents related to the Intel SGX
Intel SGX is a set of Intel CPU instructions that provide and concluded that some countermeasures exist to increase the
integrity and confidentiality to computation, even when an difficulty of attacks against the CPU chip [141]. For instance,
attacker compromises privileged software such as the kernel is possible that existent keys are hardcoded with fuses in the
or the hypervisor [141]. The base of Intel SGX is a trusted CPU circuit, or PUFs are used to generate them.
container, also called an enclave, that is protected by trusted Intel SGX is affected by multiple side-channel attacks,
hardware, and its integrity can be attested remotely. The some of which are specific to Intel processors. Enabling
enclave will only install applications signed by a trusted these attacks, we have two processor features, hyper-threading,
party, which is currently Intel. Each enclave can have multiple and speculative execution, that try to optimize the processor
applications, and a CPU may have multiple enclaves. execution.
The enclave data and code are stored in the Processor Hyper-threading divides physical cores into multiple log-
Reserved Memory (PRM), a subset of DRAM restricted to ical cores, which share resources like cache and execution
enclaves. Inside the PRM, there is an Enclave Page Cache units [158]. Speculative execution is an optimization technique
(EPC), which is divided into multiple pages. Each page can for optimizing an instruction pipeline.
be assigned to a single enclave. An enclave has multiple EPC Multiple steps must be run sequentially to execute instruc-
pages and cannot read pages assigned to others. A page can tions in a CPU, each taking one clock cycle. The processor im-
proves the performance of these steps by doing them in parallel related to Arm TrustZone [169]. This amount of vulnerabil-
for different instructions since they are executed in different ities is a consequence of the level of knowledge required
parts of the CPU. If a branch instruction is encountered, the to develop a TEE. As we stated before, Arm TrustZone is
processor will only know the next instruction after executing it, a bare-metal technology that developers use to create their
which would cause a performance hit, by stalling the pipeline. TEE implementations, which means many of the features are
With speculative execution, the processor will choose one of implemented by the developer. Therefore, most vulnerabilities
the execution flows and start loading its instructions into the compromise TEE’s implementations and not the Arm Trust-
pipeline. After executing the branch instruction, the processor Zone directly [170].
will discard or use the loaded instructions, according to the On the hardware side of the TEE, side-channel attacks
branch result [159]. are the main class of attacks affecting TEEs. Among them,
These optimizations were leveraged with architecture prob- cache-based attacks appear as a specific attack against TEEs.
lems to create multiple attacks against SGX. Branch prediction Side-channel attacks on the processor cache are made by a
attacks exploit information leaks in the component responsible malicious application running in the untrusted world, sharing
for predicting the execution flow before a branch instruction. the same processor core with the TEE application. This
Lee et al. [159] was the first to introduce this attack, and other malicious application fills the processor cache with its data and
authors [155] used their research to extract a private key that waits for the TEE application to run and evict its data from
was stored inside an enclave. the cache. Afterward, the malicious application will access
Also, related to the speculative execution, in 2018, two the same data and measure the time it takes to access the
vulnerabilities were discovered affecting applications outside information. As access to information stored in the CPU’s
the enclave, Spectre [160] and Meltdown [161]. In addition to cache is faster than RAM, the application can figure out
the speculative execution, these vulnerabilities exploited out- accesses patterns of the TEE, and with that and knowledge
of-order execution to execute unintended instructions. Initially, about the TEE’s code, it can extrapolate information about
the vulnerabilities were not able to affect SGX enclaves, but the TEE’s execution [156]. Using these principles, multiples
with further research and adaptation, researchers attacked SGX attacks were developed, jeopardizing both Intel SGX and Arm
enclaves with the same principles [162], [163]. TrustZone [149]–[151], [171], [172].
Finally, in 2019, Microarchitectural Data Sampling(MDS) Despite that, TEEs are also vulnerable to other types of side-
was introduced, a new class of attacks enabling the bypass of channel and physical attacks. The literature states that Intel
common security boundaries like processes, virtual machines, SGX and Arm TrustZone do not have protection against EM,
and enclaves by exploiting flaws in undocumented buffers to power analysis attacks, or fault injections [141], [144]. For
leak information [164]–[166]. both technologies, we found research performing in practice
Fortunately, the vulnerabilities presented here can be fixed these attacks. Bukasa et al. [173] analyzed EM attacks against
through a microcode update to the processor [156]. Arm TrustZone, and Chen et al. [174] performed a voltage
SGX sets a RoT that ensures the confidentiality and integrity glitch attack on an Intel SGX enclave. Both researchers were
of the TEE. Only enclaves properly signed can be installed. At able to recover cryptographic keys from a TEE.
the same time, SGX provides attestation capabilities. Regard- Intel SGX threat model excludes physical threats to the
less, these two features are not supported by hardware. Each device security due to the inherent cost of hardening a general-
SGX-enabled CPU has a privileged enclave, called Quoting purpose CPU. Despite that, the threat model includes threats
Enclave, installed by Intel that is responsible for measuring against the bus connecting the Random Access Memory
the data and code loaded to each enclave and offers remote (RAM) to the CPU due to the likelihood of eavesdropping
attestation capabilities. The measurements provided by the attacks. Therefore, any data that SGX needs to store in RAM
Quoting Enclave are very similar to the ones provided by is properly ciphered and signed. Regardless, information inside
TPMs. Despite that, the signature algorithms are different and the internal CPU buses is transmitted in clear [141], [175].
are not implemented in tamper-resistant hardware [167].
Therefore, in essence, TEEs offer interesting security fea-
2) Security attacks and countermeasures:
tures to increase resilience against software attacks. Even
As we stated before, generally, TEEs share their hardware
so, TEEs do not have protection against the majority of the
resources with the rest of the computation environment, which
physical attacks, and, if compromised, they can be used as a
brings security risks. In this subsection, we will analyze
persistence method for attackers [138].
these consequences, that affect both TEEs implementations
presented before. 3) Advantages and disadvantages for identity assurance:
First of all, TEEs do not protect against software vulner- The significant advantage of TEE for identity assurance
abilities, which means if the TEE or SDK implementation is the fact that it allows the creation of a secure execution
has a security flaw, this will impact the security of this environment without additional hardware. Therefore, less cost
TEE. Since the introduction of TEE’s, both technologies have and power consumption. Nevertheless, as we saw earlier, Arm
been affected by software vulnerabilities. Bulck et al. [168] TrustZone requires further adaptation to assure RoT, which
discovered multiple vulnerabilities affecting Intel SGX SDKs. may include additional hardware.
Regarding Arm TrustZone TEE’s, researchers have discovered TEEs can offer a greater performance when compared with
several software vulnerabilities [144]. When writing this ar- solutions such as SEs [176], in terms of CPU, RAM, and
ticle, the NIST vulnerability database had 73 vulnerabilities storage capabilities. For instance, Arm TrustZone enabled
CPUs can offer RAM in the gigabyte range , in comparison, erate and store cryptographic keys compared with EEPROM
SEs have RAM in the kilobyte range. solutions that offer the same assurance level [188].
Similar to other technologies, developers need to dominate PUF’s constructions are evaluated according to two metrics,
a new software stack to develop solutions using TEEs. intra-distance and inter-distance. Intra-distance is the hamming
Finally, it is imperative that developers precisely understand distance between two responses from the same PUF instance
this technology’s limitations, as it does not defend against using the same challenge. Inter-distance is the hamming dis-
every physical attack and introduces new risks due to the tance between two responses from different PUF instances
sharing of components with the non-secure world. when the same challenge is applied [16]. On top of these
4) Implementations: metrics, researchers can also analyze the PUF’s reproducibility
TEE solutions have been mainly used to store cryptographic and uniqueness.
keys, provide remote attestation, identity, and ensure the The distribution of the response intra-distance gives us the
security and resilience of the application even if the device is PUF reproducibility. PUFs are not mathematical functions be-
compromised. Most of the solutions are based on public key cause a single input (challenge) can generate multiple outputs
cryptography, in which each device has a private key used to due to physical environment changes and random noise in
identify the device. the response generation [189]. Therefore, reproducibility is an
There are multiple solutions following these principles. For essential characteristic of a PUF-based system. Furthermore,
instance, Ling et al. [177] developed a system that provides PUF solutions employ fuzzy extractors to handle these varia-
secure boot and remote attestation for IoT devices, leveraging tions and return a stable response [189].
Arm TrustZone. This research uses ROM and eFuses, to The distribution of the response inter-distance analyzes the
overcome the secure storage limitation of the Arm TrustZone uniqueness of a PUF. When challenged with the same input,
and ensure the security of a RoT. different PUFs should produce distinct responses. The re-
Another example is from Lesjak et al. [176], which im- sponses’ inter-distance should ideally be 50% to be considered
plemented two authentication systems, one using an Arm a true random generator [188].
TrustZone enabled CPU and the other with a SE, to analyze A PUF that is reproducible and unique is also identifiable.
the advantages and disadvantages of each construction. Finally, This means that using a PUF response to identifying a device
they propose a hybrid system that combines Arm TrustZone is feasible because its response is unique and stable [16].
and SE to overcome the security risks of the Arm TrustZone. In addition to these characteristics, another set of features
Wang et al. [178] implemented a similar solution with defines PUFs, namely being tamper-resistant, unclonable and
Intel SGX to create a lighter solution for remote attestation unpredictable.
compared with TPMs, with the added befit of offering a secure Tamper-resistance is the capability of resisting attempts of
environment to run applications. unauthorized physical modifications to leak information or
Durand et al. [179] developed a lightweight communication bypass some security protection. Because PUF constructions
system backed up by hardware. However, since Intel SGX rely on measurements of physical features, any slight variation
CPUs are too expensive for most IoT devices, they used a provokes a change in its response. Therefore any attempt to
secure element in the device and an Intel SGX enclave in the tampering a PUF would cause a noticeable change in its CRPs,
server to receive the device communications securely. ultimately originating a new PUF instance [16].
More recent researchers are trying to integrate device iden- PUFs are also unclonable because of these precise measure-
tity, based on TEEs, with blockchain technology [180], [181]. ments. In any cloning attempt, the attacker would not be able
to reproduce all the PUF characteristics since they result from
physical variations during the manufacturing process [16].
F. PUFs Another characteristic that differentiates PUFs, from a se-
PUFs are physical systems that, given a specific input ( a curity standpoint, is their predictability. Based on this charac-
challenge), produce a string of bits, the response [182]. The teristic, there are two types of PUFs, Weak and Strong PUFs.
response is unique and unpredictable because it depends on This property depends on the resilience of a system against
the unique hardware characteristics of each device that are a an attacker that tries to predict all CRPs [190], [191]. Strong
consequence of the physical world variations during the man- PUFs are the ones that, even when exposed for an extended
ufacturing process [183]. The challenge and the corresponding period to an attacker, it is impossible to predict their responses
response are called a Challenge- Response-Pair (CRP) [184]. to a challenge. All the other constructions that do not meet this
Depending on the type of PUF, it can be configurable or not, requirement are considered Weak PUFs [16].
which means that any change in the challenge will induce a Strong PUFs have a large set of CRP, which prevents
change in the response [16]. the creation of a database with all possible pairs. Even if
The concept of PUF is generic to include systems from attackers know a large subset of CRPs, they cannot predict
different application fields. Regardless, there are still construc- unknown ones. Moreover, if the attacker physically possesses
tions that are not called PUF because they were designed the PUF, the Strong PUF security is not compromised [188],
outside the field of hardware security engineering [16]. [192]. By contrast, Weak PUFs may have a single CRP. Thus,
Many authors consider PUFs as one of the technologies that the security system is compromised if an attacker obtains its
can help IoT overcome the device identity challenges [185]– response [188], [193]. Moreover, most Weak PUFs have a
[187] due to the promise of a cheaper and safer way to gen- single CRP, allowing cloning of the device [192].
Strong PUFs offer higher security guarantees than Weak compared with other methods to store cryptographic keys like
PUFs. However, some Strong PUF constructions have become antitampering EEPROM, at the same time, it requires less
vulnerable to modeling attacks, due to the emergence of new circuit space and energy to operate [188].
technologies. These attacks require a considerable amount of Moreover, Strong PUFs, when are able to resist to mod-
CRPs to model the PUF response. Researchers have known eling attacks, provide lightweight authentication and identifi-
about these attacks since the beginning of this research field. cation protocols that not rely on heavy cryptographic algo-
Nevertheless, with the advancement of machine learning tech- rithms [207].
niques, Strong PUF constructions that were known as secure, PUFs promise a way to securely manage device identity,
are now considered vulnerable to these attacks [194]–[198]. protected against invasive attacks like key extraction or any
These attacks have been the focus of recent research. This attempt of tampering. However, as we saw earlier, both Secure
leads some authors to suggest that Strong PUFs are still an and Weak PUFs have potential vulnerabilities, as we stated
open research challenge and require further development to before. Thus, the system using this technology should beware
meet the expected security features that are being jeopardize of these risks and accept them.
by these attacks [16], [199], [200]. In addition, most systems based on Strong PUFs assume the
1) Security attacks and countermeasures: server, where the CRPs are stored, is secure [208]. However,
PUFs promise a security improvement in the storage of for some use cases, this risk is unacceptable. If the server
cryptographic keys since it eliminates potential offline attacks is compromised, the confidentiality of all CRPs pairs is
when the information is not being used. PUFs do not have jeopardized, which means the attacker can authenticate itself
countermeasures against physical attacks, given that any at- as any device.
tempt to inject a fault or tamper with the device would induce 3) Implementations:
changes in the PUF’s response. Despite that, depending on In the field of identity assurance, we can see the use of PUFs
the construction, PUFs may be vulnerable to side-channel in two fields, generation of secure keys and authentication.
attacks or reverse engineering with the objective of modeling Namely, Strong PUFs are used for authentication and Weak
the PUF’s response [201]. For instance, Different Delay-based PUFs for key generation [188].
PUFs, such as the Arbiter PUF, which explore delays between For authentication, the typical protocol has the following
two competing signal paths, can be vulnerable to power-side construction, after a PUF is manufactured, it is submitted to
channel analysis [201] and optical side-channel attacks [202], multiple Challenges in a secure environment to ensure CRP
and RO PUFs are vulnerable to electromagnetic side-channel confidentiality. Known CRPs are then securely stored and used
attacks [203]. for device authentication. Each challenge is only used once,
It is argued that PUFs resist to reverse engineering attempts to mitigate replay attacks [200], [209].
due to their complexity [16]. Still, Nedospasov et al. [204] This type of authentication protocol has been used since
attacked SRAM PUFs with SEM, a reverse engineering tech- the rise of this technology. Early examples are Gasend et al.’
nique, as a way to model its responses. SRAM PUFs exploit Silicon PUF [210] and Lim et al.’ Arbiter-Based PUF [211].
that after a power-on/power-off cycle, a memory cell has However, the threat model of these early implementations
the same probability of being set as a 0 or 1. At the same was too strict, and because of that, they were vulnerable to
time, each cell tends to keep the same behavior over power modeling attacks [212].
cycles [205]. As the state of each cell can be observed To hamper modeling attacks, the next iteration of PUF
with SEM, its CRPs may be retrieved. SRAM PUFs have constructions started using one-way functions applied to the
the advantage of being a low-cost solution and simple to PUF response to prevent direct access to the PUF CRP [209],
implement [206]. On the other hand, these advantages also [213]–[215]. This type of PUF is generally known as Control
ease the attacker’s work, given that it decreases the PUF’s PUF. Once again, further research discovered vulnerabilities in
complexity. this type of construction due to reversible one-way functions
Even though we listed several attacks against common and pattern matching [195], [216].
PUFs, these can be overcome by an improved design or coun- Current research is working on improving existent construc-
termeasures. For instance, Nedospasov et al. [204] propose tions, making them resilient to modeling attacks. The main
that new SRAM PUF constructions have an asynchronous reset approach is to close the PUF interface by implementing mutual
mechanism of its memory cells to decrease the information ex- authentication [217]–[220].
posure, and Merli et al. [203] suggest multiple changes in the There is also research trying to prevent modeling attacks,
RO PUF design to decrease the emanation of electromagnetic at the same time, it improves the authentication protocol.
radiations. Chatterjee et al. [221] and Qureshi et al. [208] developed
In summary, while the inherited dependency on physical solutions that don’t assume a secure CRP database, which
characteristics protects PUFs against tampering attempts, it means that even if the server responsible for the authentication
does not protect against side-channel attacks. Therefore, side- is compromised, the CRPs are not because they are not stored
channel attacks must be mitigated with additional countermea- in clear text.
sures. Ebrahimabadi et al. [222] go further to mitigate the eaves-
2) Advantages and disadvantages for identity assurance: dropping of CRPs and modeling attacks. They created an
In general, PUFs are considered a possible solution for authentication protocol that scrambles and divides the com-
IoT key management due to being a cheaper solution when munications between the server and a node (the device with
a PUF that needs to be authenticated) into multiple packets. databases depend on the resilience of the PUF against se-
These packets are sent through multiple nodes to obscure the curity attacks. Nevertheless, when correctly employed, this
actual destination of the message. With that, the authors expect technology answers the needs of constrained IoT devices when
that attackers cannot relate the CRPs with a specific device, an energy-efficient way to authenticate a device is necessary
so it will be impossible to perform a modeling attack. without requiring intensive computation. On the other hand,
Hang et al. [223] use the classic authentication protocol PUF-based key generation works a security primitive for
with Strong PUFs. However, they combine multiple PUFs on existent identity and authentication systems. Therefore, it does
the same device to create a fingerprint that changes if any of not solve the need for heavy computation, but it offers a cheap
the device’s components is tampered. This construction uses and secure way to generate and store unique secret keys.
a Configurable RO PUF as a hardware security primitive and
a latch structure to extend the key space of the responses, VI. D ISCUSSION
increasing its resilience. This solution uses the same style of
authentication protocol, where we have a server that stores The different hardware technologies presented in this re-
multiple CRPs and then queries them. search can be used to help the development of IoT identity
On the other hand, Weak PUFs used in IoT systems do not systems. However, they are very different in the way they can
try to replace traditional authentication systems. But instead, support them. Furthermore, regardless of its usefulness for
they attempt to improve the storage of cryptographic keys on identity systems, the designer needs to analyze its strengths
a cheap IoT device. A Weak PUF generates the same secret and weaknesses to decide which technology should be in-
key every time the device is running. Therefore, this key does cluded in a device.
not need to be stored, which mitigates the risk of an attacker The main concerns during this assessment are how the tech-
extracting the key when the device is not running. nologies can benefit the system and contribute to overcoming
For this generation process to be reliable, the secret key the IoT identity challenges, the advantages and disadvantages
extraction from a Weak PUF response requires an extra step, of each technology and, finally, what security countermeasures
a helper data algorithm 1 . Any change on the cryptographic they have. In this section, we will analyze and compare the
key is not acceptable for most encryption protocols. Thus, this technologies presented earlier. We will focus on these points
algorithm allows the extraction of a secret key from a noisy to assist any system developer who wants to create a system
or not uniform response [224], [225]. with an identity based on hardware primitives.
The generation process of a secret key from a Weak PUF In Section III, we list three challenges to developing an
normally has two phases, the enrollment and the reconstruc- identity system: lightweight encryption, object identification,
tion. The enrollment happens when we want to create a new and secure storage. The technologies analyzed can be used to
secret key, and the reconstruction is when we need to obtain overcome these challenges or at least circumvent them.
the same secret key after its creation. Each encryption accelerator, SEs and TEEs can provide
During the enrollment phase, from a PUF response, it is ways to get around the need for lightweight encryption al-
generated a secret key and helper data. The key has to be kept gorithms. All these technologies can run cryptographic algo-
secret, but the helper data does not, and can be stored in non- rithms optimally, making these operations faster and more
secure NVM. The reconstruction phase uses the helper data, energy efficient. Among these technologies, it is essential
that was obtained before, to generate the same secret key given to highlight the cryptographic instruction sets (a subtype of
a another PUF response from the same PUF [226], [227]. the cryptographic accelerator), as they have the potential to
The first practical work using PUFs to securely manage normalize the implementation of cryptographic algorithms in
cryptographic keys was done by Škorić et al. [226] and hardware. Strong PUFs and TRNGs, not so directly, also con-
Suh et al. [228]. Over the years, new research on this topic tribute to the research challenge in lightweight cryptography.
emerged. Some of this research used new types of PUFs to TRNGs do not provide a way to run cryptographic algorithms
generate secrets [205], [229], and others focused on creating optimally. Instead, they provide a way to get high entropy
re-configurable PUFs that enable the change of secret keys numbers, which is essential for any asymmetric encryption
over time [227], [230], [231]. In this type of research, we can scheme. PUFs can be exploited for lightweight authentication
also see the use of Strong PUFs due to the amount of CRPs systems, easing the need for cryptographic algorithms.
that allow the generation of multiple keys on the same PUF Regarding object identification, Intel SGX and SEs offer an
instance [224]. isolated execution environment and secure storage capabili-
Lastly, researchers have been developing PUF-based sys- ties that can be exploited to create object identification sys-
tems capable of generating a shared key among different tems. Another technology with similar possibilities is TPMs.
resource-constrained devices to enable multiparty communi- However, the developer is limited to the features offered
cation [232]. by the TPM specification. Taking a different approach, we
In summary, there are two main approaches to enhance have strong PUFs, which have CRPs entirely dependent on
authentication and identity on IoT devices using PUFs, the device’s hardware characteristics, which can be used to
lightweight authentication protocols using CRP databases and uniquely identify a device. Also, strong PUFs self-destruct on
secret key generation. Authentication protocols with CRP any tampering attempt.
Finally, masked ROM and OTP memories provide read-
1A fuzzy extractor is a specific type of helper data algorithm [224]. only memories that can store RoTs. Regardless, they do not
Technologies Lightweight Cryptography Object Identification Secure Storage

TRNG •
Masked ROM •
Floating gate OTP •
Masked ROM and OTP memories
Fuse OTP •
Antifuse OTP •
Crypto Instruction Sets •
Crypto accelerators Crypto Coprocessors •
Crypto Processor • • •
Secure element • • •
Intel SGX • • •
TEE
Arm TrustZone •
PUF • •
TABLE III
T ECHNOLOGIES AND RESEARCH CHALLENGES
protect data at rest, which other technologies like Intel SGX countermeasures by default. In any case, it is important to
and SEs do. TPMs and PUFs can also ease the challenge of mention that with the exception of ARM TrustZone, these
secure storage. However, they offer a limited set of features. components are base building blocks, which means the device
TPMs can only store cryptographic keys, and weak PUFs are designer is responsible for installing of physical security
even more limited and cannot import cryptographic keys that countermeasures.
are generated outside of PUF. Table III summarizes all this Despite the security countermeasures, physical security is
information. not perfect, mainly against reverse engineering attempts. If
Each of the technologies that may support the device’s the attacker spends enough time, he will be able to bypass the
identity will relate to identity assets and, as a consequence, implemented countermeasures. The majority of these counter-
are critical to achieve any security goal (Subsection IV-B). For measures do not eliminate risks but rather increase the attack
instance, we have stated that masked ROM and OTP memories complexity and time to succeed.
do not provide countermeasures to protect data at rest. This Table V summarizes the different countermeasures that are
means that identity data and firmware have their confidentiality commonly available in the presented technologies.
at risk, given that an attacker can read the stored information Each of the technologies that may support the device’s
when the device is turned off [69], [98], [100]. The other four identity will report to identifying assets and, as a consequence,
technologies featuring secure storage (TPM, SE, Intel SGX, are critical to achieving any security goal (Subsection IV-B).
and PUF) have countermeasures to protect data at rest and For instance, we have stated that masked ROM and OTP
some even during its execution. memories do not provide countermeasures to protect data at
Intel SGX ciphers the information every time it needs to rest. This meaManyns that identity data and firmware have
leave the CPU package, but besides that, it does not have their confidentiality at risk, given that an attacker can read the
any further security countermeasure to prevent physical attacks stored information when the device is turned off [69], [98],
against confidentiality and integrity of the identity data and [100]. The other four technologies featuring secure storage
firmware, which means it is vulnerable to fault injection (TPM, SE, Intel SGX, and PUF) have countermeasures to
attacks [233] and side-channel attacks. protect data at rest and some even during its execution.
By contrast, TPMs and SEs have several countermeasures Intel SGX ciphers the information every time it needs to
to prevent fault-injections and side-channel attacks. SEs are leave the CPU package, but besides that, it does not have any
known to have the most complete set of security features, and further security countermeasures to prevent physical attacks
TPMs benefit from this fact since their design is many times against the confidentiality and integrity of the identity data
based on SE’s design but with some compromises considering and firmware, which means it is vulnerable to fault injection
that the security assurances of a TPM are not as demanding attacks [233] and side-channel attacks.
as the ones of a SE [234]. By contrast, TPMs and SEs have several countermeasures
PUFs distinguish themselves from other technologies in to prevent fault injections and side-channel attacks. SEs are
terms of security, considering they do not have physical secu- known to have the most complete set of security features, and
rity countermeasures. The risk of fault injections is neglectable TPMs benefit from this fact since their design is many times
because any attempt would alter the PUF’s response, making based on SE’s design but with some compromises considering
it unusable. However, side-channel attacks and reverse engi- that the security assurances of a TPM are not as demanding
neering attempts would not affect its response. Researchers as the ones of a SE [234].
consider that PUFs are too complex to be vulnerable to these PUFs distinguish themselves from other technologies in
attacks, which in many cases is true, but it can also be a terms of security, considering they do not have physical secu-
careless assumption for some constructions [204]. rity countermeasures. The risk of fault injections is neglectable
Looking at the remaining technologies, ARM TrustZone, because any attempt would alter the PUF’s response, making
crypto accelerators, and TRNGs do not have any security it unusable. However, side-channel attacks and reverse engi-
Masked ROM Crypto accelerators

Attack \ Technology TRNG Smart cards TEE PUF
OTP memories Crypto Instruction Sets Crypto Coprocessors Crypto Processor
Voltage sensors No N/A No No Yes* Yes No No
Multiple voltage sensors No N/A No No No Yes No No
Clock signal sensor No N/A No No Yes* Yes No No
Active metal shield No No No No Yes* Yes No No
EM radiation sensor No N/A No No No Yes No No
Voltage monitoring No N/A No No No Yes No No
Defensive PCB design No No No No Yes* Yes No Yes
N/A = Not applicable;
* = Depends on the model
TABLE IV
C OMMON COUNTERMEASURES OF EACH TECHNOLOGY
neering attempts would not affect its response. Researchers level but limited computation power and storage.
consider that PUFs are too complex to be vulnerable to these TEEs also provide an execution environment. However, their
attacks, which in many cases is true, but it can also be a security assumptions are different. Usually, these environments
careless assumption for some constructions [204]. share their hardware with the rest of the system, which
Looking at the remaining technologies, ARM TrustZone, introduces advantages and disadvantages. TEEs are a feature
crypto accelerators, and TRNGs do not have any security of the main CPU, which means it does not require dedicated
countermeasures by default. In any case, it is important to hardware. Regardless, this fact also increases their security
mention that except for ARM TrustZone, these components risks.
are base building blocks, which means the device designer is Moreover, each of the TEEs presented has its own positive
responsible for installing physical security countermeasures. and negative points. Intel SGX enabled processors provide a
Despite the security countermeasures, physical security is RoT and secure storage but are more expensive than Arm
not perfect, especially against reverse engineering attempts. Trust-Zone enabled processors, which are cheaper but do not
If the attacker spends enough time, he can bypass the im- provide secure storage or RoT. On top of that, Arm Trust-Zone
plemented countermeasures. Many countermeasures do not enabled CPUs work at the system level, allowing developers
eliminate risks but rather increase the attack’s complexity and to run an operating system for each execution environment,
time to succeed. increasing the system flexibility and development complexity.
Table V summarizes the different countermeasures that are In contrast, Intel SGX trusted environments are developed
commonly available in the presented technologies. on top of SDKs that abstract the complexity of low-level
operations.
Finally, we can examine each technology’s features and
Finally, PUFs provide a way to generate and store keys
advantages, and disadvantages. To start, TRNGs offer a high-
tiddly dependent on the device’s characteristics. Additionally,
quality entropy source with the cost of adding dedicated
Strong PUFs have the benefit of enabling lightweight cryp-
hardware to the device, which increases the device’s power
tography authentication algorithms. However, independently
consumption. Moreover, due to the physical exposure of
of the PUF type, there are disadvantages. In their majority,
devices to attackers, TRNGs may be vulnerable to environment
PUFs depend on dedicated hardware, which requires low-level
bias.
integration with the system. Moreover, with the exception of
There are four types of ROMs, masked ROM, floating-gate some commercial off-the-shelf products, the majority of the
OTP, eFuse OTP, and anti-fuse OTP. These memories can time, system designers need to build their own PUFs on the
be programmed a single time, after manufacturing, except board, which increases the burden of using this technology.
for masked ROM, which can only be programmed during Table VI summarizes the different advantages and disad-
manufacturing since it stores the information hardwired in vantages of the technologies presented.
its design. Despite this, floating-gate OTPs and eFuse OTPs
have some disadvantages. Floating-gate OTPs are vulnerable VII. L IMITATIONS AND F UTURE D IRECTIONS
to optical attacks and resetting the memory, and eFuse OTPs During this research, we examine many technologies that
have a limited duration of data retention. can be used to support identity and authentication operations in
As stated before, Crypto accelerators offer optimized cryp- IoT. As we have seen, most of them have working prototypes
tographic operations through specialized hardware. Therefore, of identity and authentication systems, and some have already
except for cryptographic instruction sets, every type of crypto been deployed in production. Regardless, we do not see
accelerator is an additional component that needs to be added widespread use of these technologies in IoT devices.
to the device and properly integrated. Crypto-processors and Over the years, the cost of adding specialized hardware has
TPMs typically offer libraries to facilitate their integration with been cited as the reason for the lack of adoption of these
the rest of the system. By contrast, crypto-coprocessors are solutions. However, as other researchers have pointed out [17],
integrated at the CPU level. this is a misconception. Our analysis confirms that there are
In addition to providing optimized cryptographic operations solutions in different price ranges, even for smaller budgets.
and secure storage, SEs offer a secure execution environment Therefore, it is necessary to consider other reasons for the low
independent of the primary system. SEs have a high assurance adoption of these technologies.
Masked ROM Crypto accelerators

Attack \ Technology TRNG Smart cards TEE PUF
OTP memories Crypto Instruction Sets Crypto Coprocessors Crypto Processor
Voltage sensors No N/A No No Yes* Yes No No
Multiple voltage sensors No N/A No No No Yes No No
Clock signal sensor No N/A No No Yes* Yes No No
Active metal shield No No No No Yes* Yes No No
EM radiation sensor No N/A No No No Yes No No
Voltage monitoring No N/A No No No Yes No No
Defensive PCB design No No No No Yes* Yes No Yes
N/A = Not applicable;
* = Depends on the model
TABLE V
C OMMON COUNTERMEASURES OF EACH TECHNOLOGY
Technologies Features Advantages and disadvantages

- Increased power consumption
TRNG High quality entropy source - Risk of environment bias
- Dedicated hardware
+ Hardwired data
Masked ROM Read-only memory
- Programmed during manufacturing
Masked ROM and OTP memories + Programmable after manufacturing
Floating-gate OTP Read-only memory
- Susceptible to UV attacks
+ Programmable after manufacturing
eFuse OTP Read-only memory
- Limited data retention
Anti-fuse OTP Read-only memory + Programmable after manufacturing
+ No additional hardware
Cryptographic Instruction Sets Optimized cryptographic operations
+ Easy integration
Crypto accelerators - Complex integration
Crypto-coprocessors Optimized cryptographic operations
+ Easy integration
Crypto-processor Optimized cryptographic operations
Optimized cryptographic operations + Easy integration
TPM
Secure storage and RoT - Dedicated hardware
Optimized cryptographic operations + High assurance security level
Smart cards Secure execution environment - Dedicated hardware
Secure storage and RoT - Limited computation power
Optimized cryptographic operations + No additional hardware
Intel SGX Secure storage and RoT - Deprecated in Intel Core processors
TEE
Trusted execution environment - Expensive TEE option
+ No additional hardware
+ Cheap TEE option
Optimized cryptographic operations
Arm TrustZone + Flexibility
Trusted execution environment
- Secure storage or RoT nonexistent
- Development complexity
Generation of keys tidly dependent on device’s characteristics - Complex integration
PUF
Lightweight cryptography authentication algorithm - Dedicated hardware
TABLE VI
S UMMARY OF ADVANTAGES AND DISADVANTAGES OF EACH TECHNOLOGY
The disregard for security can be one of the reasons for the RoT. If that does not exist, designers will prefer traditional
lack of adoption of hardware-based solutions. However, some systems over implementing their custom ones with hardware
devices implement adequate software-level protection but do security, which requires experienced staff and is error-prone.
not employ hardware RoTs. Therefore, in these cases, your Therefore, if the promotion of hardware security depends
threat model accepts that the risk of physical attacks or the on the adoption of these mechanisms by SDKs, the lack of
cost of hardware solutions is not worth it when compared to standardization in IoT also affects this challenge. Assume
the value of the information in question. there is no standard hardware-based identity and authenti-
cation framework. In this case, each vendor will implement
Each technology has its library or software stack to interact
a framework, increasing development diversity and effort, as
with it. These are low-level APIs, so if we want to use them to
the developer’s knowledge of a framework does not apply to
support an identity mechanism, we need to build our solution
frameworks from other vendors.
using these libraries.
Finally, the limitations of some technologies may be the
Device designers often do not design a device from scratch, lack of ready-to-use components. For example, in the case of
but instead, use an existing SoC as a foundation for adding PUFs, from the market analysis, we did at the time of writing,
their features. These SoCs include SDKs to make software few off-the-shelf components include or provide a PUF. This
development easier, which means that if there is no support technology is not new and holds many promises for IoT.
for this kind of technology in existing SDKs, it will discourage However, without the availability of off-the-shelf components,
most software designers from devices. Furthermore, even device designers are forced to implement PUFs from scratch,
though the SDK supports the technology in question, it also which is a barrier to their proliferation.
needs to provide an authentication and identity framework that So the cost of hardware security is not necessarily the addi-
uses these technologies and hides the complexity of a hardware tional hardware added to the device, but the cost of integrating
with the rest of the device. To combat this trend, develop- [4] M. Marjani, F. Nasaruddin, A. Gani, A. Karim, I. A. T. Hashem,
ment SDKs should include hardware-based authentication and A. Siddiqa, and I. Yaqoob, “Big iot data analytics: Architecture,
opportunities, and open research challenges,” IEEE Access, vol. 5, pp.
identity frameworks to facilitate the integration of hardware 5247–5261, 2017.
RoTs into new systems. In addition, the standardization of [5] M. Iorga, L. Feldman, R. Barton, M. J. Martin, N. Goren, and
these frameworks should be a priority so as not to create C. Mahmoudi, “Fog computing conceptual model,” Tech. Rep., mar
2018.
diversity between the manufacturers’ frameworks and increase [6] N. Yousefnezhad, A. Malhi, and K. Främling, “Security in product
the learning curve for the use of these technologies. lifecycle of IoT devices: A survey,” vol. 171, p. 102779, dec 2020.
[7] A. R. H. Hussein, “Internet of things (iot): Research challenges
VIII. C ONCLUSION and future applications,” International Journal of Advanced Computer
Science and Applications, vol. 10, no. 6, pp. 77–82, 2019.
IoT devices interact with our personal life and manage [8] H. U. Rehman, M. Asif, and M. Ahmad, “Future applications and
critical infrastructures. Thus, keeping them secure is a priority. research challenges of iot,” in 2017 International conference on infor-
mation and communication technologies (ICICT). IEEE, 2017, pp.
Identity and authentication play a vital role in the security 68–74.
of these devices. Without it, it is impossible to guarantee [9] S. A. Al-Qaseemi, H. A. Almulhim, M. F. Almulhim, and S. R.
the device’s security since we would be unable to assure Chaudhry, “Iot architecture challenges and issues: Lack of standardiza-
tion,” in 2016 Future Technologies Conference (FTC). IEEE, 2016,
the veracity of any information. Nevertheless, identity and pp. 731–738.
authentication are considered open research challenges in IoT. [10] M. Nawir, A. Amir, N. Yaakob, and O. B. Lynn, “Internet of things
Resource-constrained devices, a lack of standardization and (iot): Taxonomy of security attacks,” in 2016 3rd International Con-
ference on Electronic Design (ICED). IEEE, 2016, pp. 321–326.
exposure to physical attacks are only some of the reasons that [11] A. Cirne, P. R. Sousa, J. S. Resende, and L. Antunes, “Iot security
make identity and authentication in IoT so challenging. certifications: Challenges and potential approaches,” Computers &
Over the years, multiple researchers have advocated us- Security, vol. 116, p. 102669, 2022.
[12] Z.-K. Zhang, M. C. Y. Cho, C.-W. Wang, C.-W. Hsu, C.-K. Chen,
ing hardware to undermine these challenges. Regardless, and S. Shieh, “Iot security: ongoing challenges and research opportu-
widespread adoption of hardware technologies supporting nities,” in 2014 IEEE 7th international conference on service-oriented
identity and authentication has not been seen. computing and applications. IEEE, 2014, pp. 230–234.
[13] X. Zhu and Y. Badr, “A survey on blockchain-based identity manage-
During our work, we focused on hardware trust anchors ment systems for the internet of things,” in 2018 IEEE International
and their security features that can be exploited to develop Conference on Internet of Things (iThings) and IEEE Green Computing
new identity and authentication systems. and Communications (GreenCom) and IEEE Cyber, Physical and
Social Computing (CPSCom) and IEEE Smart Data (SmartData).
We analyzed physical risks for IoT identity and identified IEEE, jul 2018.
possible countermeasures. We retrieved that hardware trust [14] K. Chen, S. Zhang, Z. Li, Y. Zhang, Q. Deng, S. Ray, and Y. Jin,
anchors must employ protections, like multiple sensors, active “Internet-of-things security and vulnerabilities: Taxonomy, challenges,
and practice,” Journal of Hardware and Systems Security, vol. 2, no. 2,
metal shields and a defensive PCB design, to protect them- pp. 97–110, 2018.
selves against physical risks. Besides that, we also explored [15] S. Sidhu, B. J. Mohd, and T. Hayajneh, “Hardware security in iot
how challenging these risks are since we cannot mitigate them devices with emphasis on hardware trojans,” Journal of Sensor and
Actuator Networks, vol. 8, no. 3, p. 42, 2019. [Online]. Available:
completely but rather increase the difficulty of an attack. https://ieeexplore.ieee.org/abstract/document/8761062
With these security features and identity challenges in mind, [16] M. Roel, “Physically unclonable functions: Constructions, properties
we reviewed technologies available to designers to develop and applications,” Katholieke Universiteit Leuven, Belgium, 2012.
[17] B. Pearson, L. Luo, Y. Zhang, R. Dey, Z. Ling, M. Bassiouni, and
new identity and authentication systems. In this analysis, we X. Fu, “On misconception of hardware and cost in iot security and
included the following technologies: TRNGs, masked ROMs privacy,” in ICC 2019 - 2019 IEEE International Conference on
and OTP memories, crypto accelerators, secure elements, Communications (ICC), 2019, pp. 1–7.
[18] I. Butun, A. Sari, and P. Österberg, “Hardware security of fog
TEEs and PUFs. end-devices for the internet of things,” Sensors, vol. 20, no. 20, 2020.
We concluded that there are multiple candidate technologies [Online]. Available: https://www.mdpi.com/1424-8220/20/20/5729
that might support new identity and authentication systems, [19] K. Yang, D. Blaauw, and D. Sylvester, “Hardware designs for security
in ultra-low-power IoT systems: An overview and survey,” IEEE Micro,
aiming at different price points. Indeed, these technologies vol. 37, no. 6, pp. 72–89, nov 2017.
can overcome some of the challenges holding back identity [20] C. Shepherd, G. Arfaoui, I. Gurulian, R. P. Lee, K. Markantonakis,
and authentication in IoT by enabling the use of common R. N. Akram, D. Sauveron, and E. Conchon, “Secure and trusted
execution: Past, present, and future - a critical review in the context
cryptographic algorithms in low-power devices and offering of the internet of things and cyber-physical systems,” in 2016 IEEE
resilience against physical attacks. Unfortunately, the complex Trustcom/BigDataSE/ISPA. IEEE, aug 2016, pp. 168–177.
integration process of some of these technologies and the [21] A. Ehret, K. Gettings, B. R. Jordan, and M. A. Kinsy, “A survey on
hardware security techniques targeting low-power soc designs,” in 2019
required knowledge to effectively use them continue to halt IEEE High Performance Extreme Computing Conference (HPEC),
the widespread use of hardware trust anchors in IoT. 2019, pp. 1–8.
[22] W. Hu, C.-H. Chang, A. Sengupta, S. Bhunia, R. Kastner, and H. Li,
R EFERENCES “An overview of hardware security and trust: Threats, countermeasures,
and design tools,” IEEE Transactions on Computer-Aided Design of
[1] A. Nordrum, “(2016). popular internet of things forecast of 50 billion Integrated Circuits and Systems, vol. 40, no. 6, pp. 1010–1038, 2021.
devices by,” 2020. [23] ITU-T, “Y.2720 : Ngn identity management framework,” Tech.
[2] D. Hanes, G. Salgueiro, P. Grossetete, R. Barton, and J. Henry, IoT Rep., 2009. [Online]. Available: https://www.itu.int/rec/dologin pub.
fundamentals: Networking technologies, protocols, and use cases for asp?lang=e&id=T-REC-Y.2720-200901-I!!PDF-E&type=items
the internet of things. Cisco Press, 2017. [24] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of
[3] D. Wang, D. Chen, B. Song, N. Guizani, X. Yu, and X. Du, “From iot Applied Cryptography. CRC Press, dec 2018.
to 5g i-iot: The next generation iot-based intelligent algorithms and 5g [25] R. Maes, PUF-Based Entity Identification and Authentication. Berlin,
technologies,” IEEE Communications Magazine, vol. 56, no. 10, pp. Heidelberg: Springer Berlin Heidelberg, 2013, pp. 117–141. [Online].
114–120, 2018. Available: https://doi.org/10.1007/978-3-642-41395-7 5
[26] P. Angin, B. Bhargava, R. Ranchal, N. Singh, M. Linderman, L. B. [47] R. Román-Castro, J. López, and S. Gritzalis, “Evolution and trends in
Othmane, and L. Lilien, “An entity-centric approach for privacy and iot security,” Computer, vol. 51, no. 7, pp. 16–25, 2018.
identity management in cloud computing,” in 2010 29th IEEE Sympo- [48] K. Zhao and L. Ge, “A survey on the internet of things security,” in
sium on Reliable Distributed Systems. IEEE, oct 2010. 2013 Ninth International Conference on Computational Intelligence
[27] Y. Cao and L. Yang, “A survey of identity management technology,” and Security, 2013, pp. 663–667.
in 2010 IEEE International Conference on Information Theory and [49] R. Roman, P. Najera, and J. Lopez, “Securing the internet of things,”
Information Security. IEEE, dec 2010. Computer, vol. 44, no. 9, pp. 51–58, 2011.
[28] M. Gaedke, J. Meinecke, and M. Nussbaumer, “A modeling approach [50] H. A. Abdulghani, N. A. Nijdam, A. Collen, and D. Konstantas, “A
to federated identity and access management,” in Special Interest study on security and privacy guidelines, countermeasures, threats: Iot
Tracks and Posters of the 14th International Conference on World data at rest perspective,” Symmetry, vol. 11, no. 6, p. 774, 2019.
Wide Web, ser. WWW ’05. New York, NY, USA: Association [51] M. Katagi, S. Moriai et al., “Lightweight cryptography for the internet
for Computing Machinery, 2005, p. 1156–1157. [Online]. Available: of things,” Sony Corporation, vol. 2008, pp. 7–10, 2008. [Online].
https://doi.org/10.1145/1062745.1062916 Available: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.
[29] D. W. Chadwick, Federated Identity Management. Berlin, Heidelberg: 227.8445&rep=rep1&type=pdf
Springer Berlin Heidelberg, 2009, pp. 96–120. [Online]. Available: [52] Z.-K. Zhang, M. C. Y. Cho, Z.-Y. Wu, and S. W. Shieh, “Identifying
https://doi.org/10.1007/978-3-642-03829-7 3 and authenticating iot objects in a natural context,” Computer, vol. 48,
[30] S. Cantor, J. Moreh, R. Philpott, and E. Maler, “Metadata for the oasis no. 08, pp. 81–83, 2015.
security assertion markup language (saml) v2. 0,” 2005. [53] R. F. Rights, “Global information assurance certification paper,” GIAC,
[31] N. Sakimura, J. Bradley, M. Jones, B. De Medeiros, and C. Mortimore, 2003.
“Openid connect core 1.0,” The OpenID Foundation, p. S3, 2014. [54] M. Wolf, Computers as components: principles of embedded computing
[32] D. Divyabharathi and N. G. Cholli, “A review on identity and access system design. Elsevier, 2012.
management server (keycloak),” International Journal of Security and [55] C. Gu, Power On and Bootloader. Berkeley, CA: Apress, 2016, pp. 5–
Privacy in Pervasive Computing (IJSPPC), vol. 12, no. 3, pp. 46–53, 25. [Online]. Available: https://doi.org/10.1007/978-1-4842-1919-5 2
2020. [56] C. O. Jasper van Woudenberg, The Hardware Hacking
[33] S. Cantor and T. Scavo, “Shibboleth architecture,” Protocols and Handbook. Random House LCC US, Dec. 2021. [Online].
Profiles, vol. 10, p. 16, 2005. Available: https://www.ebook.de/de/product/31189064/jasper van
[34] P. R. Sousa, J. S. Resende, R. Martins, and L. Antunes, “The case woudenberg colin o flynn the hardware hacking handbook.html
for blockchain in IoT identity management,” Journal of Enterprise [57] “Security requirements for cryptographic modules,” Tech. Rep., may
Information Management, vol. ahead-of-print, no. ahead-of-print, jun 2001.
2020. [58] K. Markantonakis et al., “Enhancing the conditional access module
[35] D. Hardt, “The OAuth 2.0 Authorization Framework,” RFC 6749, security in light of smart card sharing attacks,” Presentation, Informa-
Oct. 2012. [Online]. Available: https://www.rfc-editor.org/info/rfc6749 tion Security Group Smart Card Centre, Royal Holloway, University of
[36] A. Jøsang and S. Pope, “User centric identity management,” in London. Accessed at on Oct, vol. 20, 2008.
AusCERT Asia Pacific information technology security conference. [59] C. S. Johnson, M. L. Badger, D. A. Waltermire, J. Snyder, and
Citeseer, 2005, p. 77. [Online]. Available: http://citeseerx.ist.psu.edu/ C. Skorupka, “Guide to cyber threat information sharing,” Tech. Rep.,
viewdoc/download?doi=10.1.1.60.1563&rep=rep1&type=pdf oct 2016.
[37] J. Werner, C. M. Westphall, and C. B. Westphall, “Cloud [60] C. L. Smith and D. J. Brooks, “Chapter 3 - security risk management,”
identity management: A survey on privacy strategies,” Computer in Security Science, C. L. Smith and D. J. Brooks, Eds. Boston:
Networks, vol. 122, pp. 29–42, 2017. [Online]. Available: https: Butterworth-Heinemann, 2013, pp. 51–80. [Online]. Available: https:
//www.sciencedirect.com/science/article/pii/S1389128617301664 //www.sciencedirect.com/science/article/pii/B9780123944368000035
[38] S. Y. Lim, P. T. Fotsing, A. Almasri, O. Musa, M. L. M. Kiah, T. F. [61] S. P. Skorobogatov, “Semi-invasive attacks: a new approach to hardware
Ang, and R. Ismail, “Blockchain technology the identity management security analysis,” 2005.
and authentication service disruptor: a survey,” International Journal [62] M. T. Rahman, Q. Shi, S. Tajik, H. Shen, D. L. Woodard, M. Tehra-
on Advanced Science, Engineering and Information Technology, vol. 8, nipoor, and N. Asadizanjani, “Physical inspection & attacks: New fron-
no. 4-2, pp. 1735–1745, 2018. tier in hardware security,” in 2018 IEEE 3rd International Verification
[39] A. Mühle, A. Grüner, T. Gayvoronskaya, and C. Meinel, “A survey on and Security Workshop (IVSW). IEEE, jul 2018, pp. 93–102.
essential components of a self-sovereign identity,” Computer Science [63] M. G. Rekoff, “On reverse engineering,” IEEE Transactions on Sys-
Review, vol. 30, pp. 80–86, 2018. tems, Man, and Cybernetics, vol. SMC-15, no. 2, pp. 244–252, 1985.
[40] Q. Feng, D. He, S. Zeadally, M. K. Khan, and N. Kumar, “A survey [64] R. Torrance and D. James, “The state-of-the-art in ic reverse engi-
on privacy protection in blockchain system,” Journal of Network and neering,” in Cryptographic Hardware and Embedded Systems - CHES
Computer Applications, vol. 126, pp. 45–58, 2019. 2009, C. Clavier and K. Gaj, Eds. Berlin, Heidelberg: Springer Berlin
[41] P. Mahalle, S. Babar, N. R. Prasad, and R. Prasad, “Identity Heidelberg, 2009, pp. 363–381.
management framework towards internet of things (iot): Roadmap [65] R. C. Gilberg, R. M. Knowles, P. Moroney, and W. A. Shumate, “Secure
and key challenges,” in International Conference on Network integrated circuit chip with conductive shield,” Jun. 12 1990, uS Patent
Security and Applications. Springer, 2010, pp. 430–439. [Online]. 4,933,898.
Available: https://sci-hub.se/https://link.springer.com/chapter/10.1007/ [66] S. H. Weingart, “Physical security devices for computer subsystems:
978-3-642-14478-3 43 A survey of attacks and defenses,” in International Workshop on
[42] K.-Y. Lam and C.-H. Chi, “Identity in the internet-of-things (iot): Cryptographic Hardware and Embedded Systems. Springer, 2000,
New challenges and opportunities,” in International Conference on pp. 302–317.
Information and Communications Security. Springer International [67] S. Manich, M. S. Wamser, and G. Sigl, “Detection of probing attempts
Publishing, 2016, pp. 18–26. [Online]. Available: https://link.springer. in secure ics,” in 2012 IEEE International Symposium on Hardware-
com/content/pdf/10.1007/978-3-319-50011-9 2.pdf Oriented Security and Trust. IEEE, 2012, pp. 134–139.
[43] W. Shi, J. Cao, Q. Zhang, Y. Li, and L. Xu, “Edge computing: Vision [68] M. Nagata, “Exploring fault injection attack resilience of secure ic
and challenges,” IEEE internet of things journal, vol. 3, no. 5, pp. chips,” in 2022 IEEE International Reliability Physics Symposium
637–646, 2016. (IRPS). IEEE, 2022, pp. 11C–1.
[44] T. Nandy, M. Y. I. B. Idris, R. Md Noor, L. Mat Kiah, L. S. Lun, N. B. [69] S. Skorobogatov, “How microprobing can attack encrypted memory,” in
Annuar Juma’at, I. Ahmedy, N. Abdul Ghani, and S. Bhattacharyya, 2017 Euromicro Conference on Digital System Design (DSD). IEEE,
“Review on security of internet of things authentication mechanism,” 2017, pp. 244–251.
IEEE Access, vol. 7, pp. 151 054–151 089, 2019. [70] A. Mohammadi, M. Ebrahimi, A. Ejlali, and S. G. Miremadi, “Scfit:
[45] M. El-hajj, A. Fadlallah, M. Chamoun, and A. Serhrouchni, “A survey A fpga-based fault injection technique for seu fault model,” in 2012
of internet of things (iot) authentication schemes,” Sensors, vol. 19, Design, Automation & Test in Europe Conference & Exhibition (DATE).
no. 5, 2019. [Online]. Available: https://www.mdpi.com/1424-8220/ IEEE, 2012, pp. 586–589.
19/5/1141 [71] C. O’Flynn, “Getting root on philips hue bridge 2.0,” 2016.
[46] M.-O. Pahl and L. Donini, “Giving iot services an identity and [72] N. Timmers, A. Spruyt, and M. Witteman, “Controlling pc on arm using
changeable attributes,” in 2019 IFIP/IEEE Symposium on Integrated fault injection,” in 2016 Workshop on Fault Diagnosis and Tolerance
Network and Service Management (IM). IEEE, 2019, pp. 455–461. in Cryptography (FDTC). IEEE, 2016, pp. 25–35.
[73] M. Witteman and M. Oostdijk, “Secure application programming in Ed. Boston: Newnes, 2009, pp. 193–212. [Online]. Available: https:
the presence of side channel attacks,” in RSA conference, vol. 2008. //www.sciencedirect.com/science/article/pii/B9781856175074000152
[74] S. Endo, Y. Li, N. Homma, K. Sakiyama, K. Ohta, and T. Aoki, [96] D. Kahng and S. M. Sze, “A floating gate and its application to memory
“An efficient countermeasure against fault sensitivity analysis using devices,” The Bell System Technical Journal, vol. 46, no. 6, pp. 1288–
configurable delay blocks,” in 2012 Workshop on Fault Diagnosis and 1295, jul 1967.
Tolerance in Cryptography. IEEE, 2012, pp. 95–102. [97] C. M. Maxfield, “Chapter 16 - programmable ics,” in Bebop to the
[75] M. Nagata, T. Miki, and N. Miura, “Physical attack protection tech- Boolean Boogie (Third Edition), third edition ed., C. M. Maxfield,
niques for ic chip level hardware security,” IEEE Transactions on Very Ed. Boston: Newnes, 2009, pp. 213–234. [Online]. Available: https:
Large Scale Integration (VLSI) Systems, vol. 30, no. 1, pp. 5–14, 2021. //www.sciencedirect.com/science/article/pii/B9781856175074000164
[76] L. Zussa, A. Dehbaoui, K. Tobich, J.-M. Dutertre, P. Maurine, [98] R. F. Rizzolo, T. G. Foote, J. M. Crafts, D. A. Grosch, T. O. Leung, D. J.
L. Guillaume-Sage, J. Clediere, and A. Tria, “Efficiency of a glitch Lund, B. L. Mechtly, B. J. Robbins, T. J. Slegel, M. J. Tremblay et al.,
detector against electromagnetic fault injection,” in 2014 Design, “Ibm system z9 efuse applications and methodology,” IBM Journal of
Automation & Test in Europe Conference & Exhibition (DATE), Mar. Research and Development, vol. 51, no. 1.2, pp. 65–75, 2007.
2014, pp. 1–6, iSSN: 1558-1101. [99] H. Divva, A. P. Chavan, and S. Krishnamurthy, “Design and verification
[77] N. Miura, D. Fujimoto, D. Tanaka, Y.-i. Hayashi, N. Homma, T. Aoki, of ecc scheme to optimize area and tester time in otp rom controller,”
and M. Nagata, “A local EM-analysis attack resistant cryptographic in 2019 4th International Conference on Recent Trends on Electronics,
engine with fully-digital oscillator-based tamper-access sensor,” in 2014 Information, Communication & Technology (RTEICT), 2019, pp. 151–
Symposium on VLSI Circuits Digest of Technical Papers, Jun. 2014, pp. 155.
1–2, iSSN: 2158-5636. [100] J.-M. Schmidt, M. Hutter, and T. Plos, “Optical fault attacks on aes: A
[78] Y. Araga, M. Nagata, H. Ikeda, T. Miki, N. Miura, N. Watanabe, threat in violet,” in 2009 Workshop on Fault Diagnosis and Tolerance
H. Shimamoto, and K. Kikuchi, “A Thick Cu Layer Buried in Si in Cryptography (FDTC). IEEE, 2009, pp. 13–22.
Interposer Backside for Global Power Routing,” IEEE Transactions on [101] ——, “Optical fault attacks on aes: A threat in violet,” in 2009
Components, Packaging and Manufacturing Technology, vol. 9, no. 3, Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).
pp. 502–510, Mar. 2019. IEEE, 2009, pp. 13–22.
[79] S. Bhunia and M. Tehranipoor, “Chapter 8 - side-channel attacks,” [102] M. Hutle and M. Kammerstetter, “Chapter 4 - Resilience Against
in Hardware Security, S. Bhunia and M. Tehranipoor, Eds. Physical Attacks,” F. Skopik and P. Smith, Eds. Boston: Syngress,
Morgan Kaufmann, 2019, pp. 193–218. [Online]. Available: https: Jan. 2015, pp. 79–112. [Online]. Available: https://www.sciencedirect.
//www.sciencedirect.com/science/article/pii/B9780128124772000137 com/science/article/pii/B9780128021224000043
[80] D. Brumley and D. Boneh, “Remote timing attacks are practical,” [103] S. Skorobogatov, “Physical attacks and tamper resistance,” in Introduc-
Computer Networks, vol. 48, no. 5, pp. 701–716, 2005. tion to Hardware Security and Trust. Springer, 2012, pp. 143–173.
[81] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J. Quisquater, [104] M. Tunstall, Smart Card Security. Cham: Springer International
and J.-L. Willems, “A practical implementation of the timing attack,” Publishing, 2017, pp. 217–251. [Online]. Available: https://doi.org/10.
in International Conference on Smart Card Research and Advanced 1007/978-3-319-50500-8 9
Applications. Springer, 1998, pp. 167–182. [105] J. Jung, J. Cho, and B. Lee, “A secure platform for iot devices based
[82] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in on arm platform security architecture,” in 2020 14th International Con-
Annual international cryptology conference. Springer, 1999, pp. ference on Ubiquitous Information Management and Communication
388–397. [Online]. Available: https://link.springer.com/content/pdf/10. (IMCOM), 2020, pp. 1–4.
1007/3-540-48405-1 25.pdf
[106] L. Bossuet, M. Grand, L. Gaspar, V. Fischer, and G. Gogniat, “Ar-
[83] E. Ronen, A. Shamir, A.-O. Weingarten, and C. O’Flynn, “Iot goes
chitectures of flexible symmetric key crypto engines—a survey: From
nuclear: Creating a zigbee chain reaction,” in 2017 IEEE Symposium
hardware coprocessor to multi-crypto-processor system on chip,” ACM
on Security and Privacy (SP). IEEE, 2017, pp. 195–212.
Computing Surveys (CSUR), vol. 45, no. 4, pp. 1–32, 2013.
[84] J. Krämer, D. Nedospasov, A. Schlösser, and J.-P. Seifert, “Differential
[107] S. Gueron, “Intel advanced encryption standard (aes) instructions set,”
photonic emission analysis,” in Constructive Side-Channel Analysis
Intel White Paper, Rev, vol. 3, pp. 1–94, 2010.
and Secure Design, E. Prouff, Ed. Berlin, Heidelberg: Springer Berlin
Heidelberg, 2013, pp. 1–16. [108] I. ARM, “Armv8-a architecture reference man-
[85] A. Schlösser, D. Nedospasov, J. Krämer, S. Orlic, and J.-P. Seifert, ual,” URL: https://documentation-service. arm.
“Simple photonic emission analysis of aes,” in International Workshop com/static/60e6f8573d73a34b640e0cee, 2015.
on Cryptographic Hardware and Embedded Systems. Springer, 2012, [109] L. Gaspar, V. Fischer, F. Bernard, L. Bossuet, and P. Cotret, “Hcrypt:
pp. 41–57. a novel concept of crypto-processor with secured key management,”
[86] J. Krämer, “Why cryptography should not rely on physical attack in 2010 International Conference on Reconfigurable Computing and
complexity,” it-Information Technology, vol. 59, no. 1, pp. 53–56, 2017. FPGAs. IEEE, 2010, pp. 280–285.
[87] O. Kömmerling and M. G. Kuhn, “Design principles for tamper- [110] S. A. Rotondo, Trusted Computing Group. Boston, MA: Springer
resistant smartcard processors.” Smartcard, vol. 99, pp. 9–20, 1999. US, 2011, pp. 1331–1331. [Online]. Available: https://doi.org/10.1007/
[88] V. Rozic, B. Yang, W. Dehaene, and I. Verbauwhede, “Highly efficient 978-1-4419-5906-5 498
entropy extraction for true random number generators on fpgas,” in [111] S. L. Kinney, Trusted Platform Module Basics: Using TPM in Embed-
2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC). ded Systems. USA: Newnes, 2006.
IEEE, 2015, pp. 1–6. [112] T. C. Group, “Trusted platform module library part 1:
[89] C. S. Petrie and J. A. Connelly, “A noise-based ic random number Architecture,” Trusted Computing Group, Tech. Rep. 01.59,
generator for applications in cryptography,” IEEE Transactions on Nov. 2019. [Online]. Available: https://trustedcomputinggroup.org/
Circuits and Systems I: Fundamental Theory and Applications, vol. 47, wp-content/uploads/TCG TPM2 r1p59 Part1 Architecture pub.pdf
no. 5, pp. 615–621, 2000. [113] K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss, and
[90] J. Senden, “Biasing a ring-oscillator based true random number gen- F. Piessens, “Plundervolt: Software-based fault injection attacks against
erator with an electro-magnetic fault injuction using harmonic waves,” intel sgx,” in 2020 IEEE Symposium on Security and Privacy (SP).
Master’s thesis, University of Twente, 2015. IEEE, 2020, pp. 1466–1482.
[91] P. Bayon, L. Bossuet, A. Aubert, and V. Fischer, “Electromagnetic [114] S. Saab, P. Rohatgi, and C. Hampel, “Side-channel protections for
analysis on ring oscillator-based true random number generators,” in cryptographic instruction set extensions,” Cryptology ePrint Archive,
2013 IEEE International Symposium on Circuits and Systems (ISCAS), 2016.
2013, pp. 1954–1957. [115] Y. Lu, “Attacking hardware aes with dfa,” arXiv preprint
[92] Y. Su, J. Wu, C. Long, and L. Wei, “Secure decentralized machine arXiv:1902.08693, 2019.
identifiers for internet of things,” in Proceedings of the 2020 The 2nd [116] T. C. Group, “Profile pc client specific trusted platform module tpm
International Conference on Blockchain Technology, 2020, pp. 57–62. family 2.0,” Trusted Computing Group, Tech. Rep. 1.3, Sep. 2021.
[93] M. Barr, “Memory types,” Embedded Systems Programming, vol. 14, [117] “Fips 140-3 - security requirements for cryptographic modules,” Tech.
no. 5, pp. 103–104, 2001. Rep., apr 2019.
[94] U. Gatti, “One-time programmable memories for harsh environments,” [118] B. Pearson, C. Zou, Y. Zhang, Z. Ling, and X. Fu, “Sic 2: Securing
Rad-hard Semiconductor Memories, p. 151, 2019. microcontroller based iot devices with low-cost crypto coprocessors,” in
[95] C. M. Maxfield, “Chapter 15 - memory ics,” in Bebop to the 2020 IEEE 26th International Conference on Parallel and Distributed
Boolean Boogie (Third Edition), third edition ed., C. M. Maxfield, Systems (ICPADS). IEEE, 2020, pp. 372–381.
[119] Z. Zieliski, J. Chudzikiewicz, and J. Furtak, An Approach to [142] A. Rao, “Rising to the challenge - data security with intel
Integrating Security and Fault Tolerance Mechanisms into the Military confidential computing,” Intel, Feb. 2022. [Online]. Available:
IoT. Cham: Springer International Publishing, 2019, pp. 111–128. https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/
[Online]. Available: https://doi.org/10.1007/978-3-030-02807-7 6 Rising-to-the-Challenge-Data-Security-with-Intel-Confidential/post/
[120] R. Toegl, “Tagging the turtle: Local attestation for kiosk computing,” 1353141
in Advances in Information Security and Assurance, J. H. Park, H.-H. [143] M. McReynolds, “Azure announces next generation intel sgx
Chen, M. Atiquzzaman, C. Lee, T.-h. Kim, and S.-S. Yeo, Eds. Berlin, confidential computing vms,” Nov. 2021. [Online]. Available:
Heidelberg: Springer Berlin Heidelberg, 2009, pp. 60–69. https://techcommunity.microsoft.com/t5/azure-confidential-computing/
[121] N. Kuntze, A. Fuchs, and C. Rudolph, “Reliable identities using off-the- azure-announces-next-generation-intel-sgx-confidential-computing/
shelf hardware security in manets,” in 2009 International Conference ba-p/2839934
on Computational Science and Engineering, vol. 2. IEEE, 2009, pp. [144] S. Pinto and N. Santos, “Demystifying arm trustzone: A comprehensive
781–786. survey,” ACM Computing Surveys (CSUR), vol. 51, no. 6, pp. 1–36,
[122] G. Inc, “Introduction to secure elements,” May 2018. 2019.
[Online]. Available: https://globalplatform.org/wp-content/uploads/ [145] H. Yang and M. Lee, “Demystifying arm trustzone tee client api using
2018/05/Introduction-to-Secure-Element-15May2018.pdf op-tee,” in The 9th International Conference on Smart Media and
[123] A. Umar and K. Mayes, Trusted Execution Environment and Host Applications, 2020, pp. 325–328.
Card Emulation. Cham: Springer International Publishing, 2017. [146] T. Firmware, “Open portable trusted execution environment,” 2013.
[Online]. Available: https://doi.org/10.1007/978-3-319-50500-8 18 [Online]. Available: https://www.op-tee.org/
[124] B. Lepojević, D. Simić, and A. Radulović, “Architecture of tsm [147] B. McGillion, T. Dettenborn, T. Nyman, and N. Asokan, “Open-
solutions in systems based on nfc technology,” 2012. TEE – an open virtual trusted execution environment,” in 2015 IEEE
[125] NXP, “P5cx012/02x/40/73/80/144 family,” Jan. 2008. Trustcom/BigDataSE/ISPA. IEEE, aug 2015.
[126] B. Lepojevic, B. Pavlovic, and A. Radulovic, “Implementing nfc [148] N. Zhang, H. Sun, K. Sun, W. Lou, and Y. T. Hou, “Cachekit:
service security–se vs tee vs hce,” in SYMORG Conference, 2014. Evading memory introspection using cache incoherence,” in 2016 IEEE
[127] K. Mayes and T. Evans, Smart Cards and Security for Mobile Commu- European Symposium on Security and Privacy (EuroS&P). IEEE,
nications. Cham: Springer International Publishing, 2017, pp. 93–128. 2016, pp. 337–352.
[Online]. Available: https://doi.org/10.1007/978-3-319-50500-8 4 [149] M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard,
[128] S. Mangard, E. Oswald, and T. Popp, Power analysis attacks: Revealing “{ARMageddon}: Cache attacks on mobile devices,” in 25th USENIX
the secrets of smart cards. Springer Science & Business Media, 2008, Security Symposium (USENIX Security 16), 2016, pp. 549–564.
vol. 31. [150] R. Guanciale, H. Nemati, C. Baumann, and M. Dam, “Cache storage
[129] K. E. Mayes and K. Markantonakis, Smart cards, tokens, security and channels: Alias-driven attacks and verified countermeasures,” in 2016
applications. Springer, 2008, vol. 1. IEEE Symposium on Security and Privacy (SP). IEEE, 2016, pp.
[130] V. Lomne, “Common criteria certification of a smartcard: a technical 38–55.
overview,” in CHES, 2016. [151] N. Zhang, K. Sun, D. Shands, W. Lou, and Y. T. Hou, “Truspy:
[131] E. B. Sanjuan, I. A. Cardiel, J. A. Cerrada, and C. Cerrada, “Message Cache side-channel information leakage from the secure world on arm
queuing telemetry transport (mqtt) security: a cryptographic smart card devices,” Cryptology ePrint Archive, 2016.
approach,” IEEE Access, vol. 8, pp. 115 051–115 062, 2020.
[152] A. Machiry, E. Gustafson, C. Spensky, C. Salls, N. Stephens, R. Wang,
[132] Y. Jeon and Y. Kang, “Implementation of a lorawan protocol processing
A. Bianchi, Y. R. Choe, C. Kruegel, and G. Vigna, “Boomerang:
module on an embedded device using secure element,” in 2019 34th
Exploiting the semantic gap in trusted execution environments.” in
International Technical Conference on Circuits/Systems, Computers
NDSS, 2017.
and Communications (ITC-CSCC), 2019, pp. 1–3.
[153] Z. István, P. Rosero, and P. Bonnet, “Always-trusted iot—making iot
[133] B. S. S. B.V., “Bosch ip video and data security guidebook,”
devices trusted with minimal overhead.”
Bosch, techreport 2.0, Apr. 2021. [Online]. Available:
https://resources-boschsecurity-cdn.azureedge.net/public/documents/ [154] Intel, “linux-sgx,” Github, 2015. [Online]. Available: https://github.
Data Security Guideb Special enUS 9007221590612491.pdf com/intel/linux-sgx
[134] C. Lesjak, T. Ruprechter, J. Haid, H. Bock, and E. Brenner, “A secure [155] A. Nilsson, P. N. Bideh, and J. Brorsson, “A survey of published attacks
hardware module and system concept for local and remote industrial on intel sgx,” arXiv preprint arXiv:2006.13598, 2020.
embedded system identification,” in Proceedings of the 2014 IEEE [156] A. Brandão, J. S. Resende, and R. Martins, “Hardening cryptographic
Emerging Technology and Factory Automation (ETFA), 2014, pp. 1–7. operations through the use of secure enclaves,” Computers & Security,
[135] C. Lesjak, T. Ruprechter, H. Bock, J. Haid, and E. Brenner, “Estado vol. 108, p. 102327, 2021.
— enabling smart services for industrial equipment through a secured, [157] V. Shanbhogue, J. W. Brandt, and J. Wiedemeier, “Protecting informa-
transparent and ad-hoc data transmission online,” in The 9th Interna- tion processing system secrets from debug attacks,” Feb. 10 2015, uS
tional Conference for Internet Technology and Secured Transactions Patent 8,955,144.
(ICITST-2014), 2014, pp. 171–177. [158] G. Chen, W. Wang, T. Chen, S. Chen, Y. Zhang, X. Wang, T.-H.
[136] R. N. Akram, P.-F. Bonnefoi, S. Chaumette, K. Markantonakis, and Lai, and D. Lin, “Racing in hyperspace: Closing hyper-threading side
D. Sauveron, “Improving security of autonomous uavs fleets by using channels on sgx with contrived data races,” in 2018 IEEE Symposium
new specific embedded secure elements-a position paper,” in 2nd on Security and Privacy (SP), 2018, pp. 178–194.
AETOS international conference on “Research challenges for future [159] S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado,
RPAS/UAV systems”, Bordeaux, France, 2014. “Inferring fine-grained control flow inside {SGX} enclaves with branch
[137] I. GlobalPlatform, “Tee system architecture,” GlobalPlat- shadowing,” in 26th USENIX Security Symposium (USENIX Security
form Technology, techreport GPD SPE 009, 2018. [On- 17), 2017, pp. 557–574.
line]. Available: https://globalplatform.org/wp-content/uploads/2018/ [160] P. Kocher, J. Horn, A. Fogh, , D. Genkin, D. Gruss, W. Haas,
09/GPD TEE SystemArch v1.1.0.10-for-v1.2 PublicReview.pdf M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and
[138] A. Vasudevan, E. Owusu, Z. Zhou, J. Newsome, and J. M. Y. Yarom, “Spectre attacks: Exploiting speculative execution,” in 40th
McCune, “Trustworthy execution on mobile devices: What security IEEE Symposium on Security and Privacy (S&P’19), 2019.
properties can my mobile platform give me?” in International [161] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh,
conference on trust and trustworthy computing. Springer, 2012, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg,
pp. 159–178. [Online]. Available: https://citeseerx.ist.psu.edu/viewdoc/ “Meltdown: Reading kernel memory from user space,” in 27th USENIX
download?doi=10.1.1.220.220&rep=rep1&type=pdf Security Symposium (USENIX Security 18), 2018.
[139] I. GlobalPlatform, “Trusted user interface api,” Glob- [162] G. Chen, S. Chen, Y. Xiao, Y. Zhang, Z. Lin, and T. H. Lai, “Sgxpectre:
alPlatform, techreport GPD SPE 020, Jun. 2013. [On- Stealing intel secrets from sgx enclaves via speculative execution,” in
line]. Available: {https://globalplatform.org/wp-content/uploads/2013/ 2019 IEEE European Symposium on Security and Privacy (EuroS&P).
06/GlobalPlatform Trusted User Interface API v1.0.pdf} IEEE, 2019, pp. 142–157.
[140] T. Alves, “Trustzone: Integrated hardware and software security,” White [163] J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci,
paper, 2004. F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx,
[141] V. Costan and S. Devadas, “Intel sgx explained.” IACR Cryptol. “Foreshadow: Extracting the keys to the intel {SGX} kingdom with
ePrint Arch., vol. 2016, no. 86, pp. 1–118, 2016. [Online]. Available: transient {Out-of-Order} execution,” in 27th USENIX Security Sympo-
http://css.csail.mit.edu/6.858/2020/readings/costan-sgx.pdf sium (USENIX Security 18), 2018, pp. 991–1008.
[164] C. Canella, D. Genkin, L. Giner, D. Gruss, M. Lipp, M. Minkin, [184] B. Škorić, P. Tuyls, and W. Ophey, “Robust key extraction from phys-
D. Moghimi, F. Piessens, M. Schwarz, B. Sunar, J. Van Bulck, and ical uncloneable functions,” in International Conference on Applied
Y. Yarom, “Fallout: Leaking data on meltdown-resistant cpus,” in Cryptography and Network Security. Springer, 2005, pp. 407–422.
Proceedings of the 2019 ACM SIGSAC Conference on Computer [185] G. A. Fink, D. V. Zarzhitsky, T. E. Carroll, and E. D. Farquhar,
and Communications Security, ser. CCS ’19. New York, NY, USA: “Security and privacy grand challenges for the internet of things,”
Association for Computing Machinery, 2019, p. 769–784. [Online]. in 2015 International Conference on Collaboration Technologies and
Available: https://doi.org/10.1145/3319535.3363219 Systems (CTS). IEEE, 2015, pp. 27–34.
[165] S. Van Schaik, A. Milburn, S. Österlund, P. Frigo, G. Maisuradze, [186] Y. Atwady and M. Hammoudeh, “A survey on authentication
K. Razavi, H. Bos, and C. Giuffrida, “Ridl: Rogue in-flight data load,” techniques for the internet of things,” in Proceedings of the
in 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019, International Conference on Future Networks and Distributed
pp. 88–105. Systems, ser. ICFNDS ’17. New York, NY, USA: Association for
[166] M. Schwarz, M. Lipp, D. Moghimi, J. Van Bulck, J. Stecklina, Computing Machinery, 2017. [Online]. Available: https://doi.org/10.
T. Prescher, and D. Gruss, “Zombieload: Cross-privilege-boundary data 1145/3102304.3102312
sampling,” in Proceedings of the 2019 ACM SIGSAC Conference on [187] M. Mamdouh, A. I. Awad, A. A. Khalaf, and H. F.
Computer and Communications Security, 2019, pp. 753–768. Hamed, “Authentication and identity management of ioht devices:
[167] H. Vill, “Sgx attestation process,” 2017. Achievements, challenges, and future directions,” Computers
[168] J. Van Bulck, D. Oswald, E. Marin, A. Aldoseri, F. D. Garcia, and & Security, vol. 111, p. 102491, 2021. [Online]. Available:
F. Piessens, “A tale of two worlds: Assessing the vulnerability of https://www.sciencedirect.com/science/article/pii/S0167404821003151
enclave shielding runtimes,” in Proceedings of the 2019 ACM SIGSAC [188] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical
Conference on Computer and Communications Security, 2019, pp. unclonable functions and applications: A tutorial,” Proceedings of the
1741–1758. IEEE, vol. 102, no. 8, pp. 1126–1141, 2014.
[169] NIST, “National vulnerability database,” 2022. [Online]. [189] H. Kang, Y. Hori, T. Katashita, M. Hagiwara, and K. Iwamura,
Available: https://nvd.nist.gov/vuln/search/results?form type= “Cryptographie key generation from puf data using efficient fuzzy ex-
Basic&results type=overview&query=TrustZone&search type= tractors,” in 16th International conference on advanced communication
all&isCpeNameSearch=false technology. IEEE, 2014, pp. 23–26.
[170] D. Cerdeira, N. Santos, P. Fonseca, and S. Pinto, “SoK: Understanding [190] J. Guajardo, S. S. Kumar, G.-J. Schrijen, and P. Tuyls, “Fpga intrinsic
the prevailing security vulnerabilities in TrustZone-assisted TEE sys- pufs and their use for ip protection,” in International workshop on
tems,” in 2020 IEEE Symposium on Security and Privacy (SP). IEEE, cryptographic hardware and embedded systems. Springer, 2007, pp.
may 2020. 63–80.
[171] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Capkun, [191] U. Rührmair, H. Busch, and S. Katzenbeisser, “Strong pufs: models,
and A.-R. Sadeghi, “Software grand exposure:{SGX} cache attacks constructions, and security proofs,” in Towards hardware-intrinsic
are practical,” in 11th USENIX Workshop on Offensive Technologies security. Springer, 2010, pp. 79–96.
(WOOT 17), 2017. [192] U. Rührmair and D. E. Holcomb, “Pufs at a glance,” in 2014 Design,
[172] A. Moghimi, G. Irazoqui, and T. Eisenbarth, “Cachezoom: How sgx Automation & Test in Europe Conference & Exhibition (DATE). IEEE,
amplifies the power of cache attacks,” in International Conference on 2014, pp. 1–6.
Cryptographic Hardware and Embedded Systems. Springer, 2017, pp. [193] D. Nedospasov, J.-P. Seifert, C. Helfmeier, and C. Boit, “Invasive puf
69–90. analysis,” in 2013 Workshop on Fault Diagnosis and Tolerance in
[173] S. K. Bukasa, R. Lashermes, H. L. Bouder, J.-L. Lanet, and A. Legay, Cryptography. IEEE, 2013, pp. 30–38.
“How trustzone could be bypassed: Side-channel attacks on a modern [194] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. Schmid-
system-on-chip,” in IFIP International Conference on Information huber, “Modeling attacks on physical unclonable functions,” in Pro-
Security Theory and Practice. Springer, 2017, pp. 93–109. ceedings of the 17th ACM conference on Computer and communica-
[174] Z. Chen, G. Vasilakis, K. Murdock, E. Dean, D. Oswald, and F. D. tions security, 2010, pp. 237–249.
Garcia, “{VoltPillager}: Hardware-based fault injection attacks against [195] G. T. Becker, “On the pitfalls of using arbiter-pufs as building blocks,”
intel {SGX} enclaves using the {SVID} voltage scaling interface,” in IEEE Transactions on Computer-Aided Design of Integrated Circuits
30th USENIX Security Symposium (USENIX Security 21), 2021, pp. and Systems, vol. 34, no. 8, pp. 1295–1307, 2015.
699–716. [196] N. Wisiol, C. Mühl, N. Pirnay, P. H. Nguyen, M. Margraf, J.-P.
[175] S. Gueron, “A memory encryption engine suitable for general purpose Seifert, M. van Dijk, and U. Rührmair, “Splitting the interpose puf: A
processors,” Cryptology ePrint Archive, 2016. novel modeling attack strategy,” IACR Transactions on Cryptographic
[176] C. Lesjak, D. Hein, and J. Winter, “Hardware-security technologies for Hardware and Embedded Systems, pp. 97–120, 2020.
industrial iot: Trustzone and security controller,” in IECON 2015-41st [197] A. Vijayakumar and S. Kundu, “A novel modeling attack resistant puf
Annual Conference of the IEEE Industrial Electronics Society. IEEE, design based on non-linear voltage transfer characteristics,” in 2015
2015, pp. 002 589–002 595. Design, Automation & Test in Europe Conference & Exhibition (DATE).
[177] Z. Ling, H. Yan, X. Shao, J. Luo, Y. Xu, B. Pearson, and X. Fu, “Secure IEEE, 2015, pp. 653–658.
boot, trusted boot and remote attestation for arm trustzone-based iot [198] A. Mahmoud, U. Rührmair, M. Majzoobi, and F. Koushanfar, “Com-
nodes,” Journal of Systems Architecture, vol. 119, p. 102240, 2021. bined modeling and side channel attacks on strong pufs.” IACR Cryptol.
[178] J. Wang, Z. Hong, Y. Zhang, and Y. Jin, “Enabling security-enhanced ePrint Arch., vol. 2013, p. 632, 2013.
attestation with intel sgx for remote terminal and iot,” IEEE Transac- [199] A. Vijayakumar, V. C. Patil, C. B. Prado, and S. Kundu, “Machine
tions on Computer-Aided Design of Integrated Circuits and Systems, learning resistant strong puf: Possible or a pipe dream?” in 2016
vol. 37, no. 1, pp. 88–96, 2018. IEEE international symposium on hardware oriented security and trust
[179] A. Durand, P. Gremaud, J. Pasquier, and U. Gerber, “Trusted (HOST). IEEE, 2016, pp. 19–24.
lightweight communication for iot systems using hardware security,” [200] J. Delvaux, R. Peeters, D. Gu, and I. Verbauwhede, “A survey on
in Proceedings of the 9th International Conference on the Internet of lightweight entity authentication with strong PUFs,” ACM Computing
Things, 2019, pp. 1–4. Surveys, vol. 48, no. 2, pp. 1–42, nov 2015.
[180] M. Jianhua, Z. Qiaoyan, and H. Guotian, “Authenticity verification [201] A. Mahmoud, U. Rührmair, M. Majzoobi, and F. Koushanfar, “Com-
scheme based on tee and blockchain,” in 2021 18th International Com- bined modeling and side channel attacks on strong pufs,” Cryptology
puter Conference on Wavelet Active Media Technology and Information ePrint Archive, 2013.
Processing (ICCWAMTIP). IEEE, 2021, pp. 141–144. [202] S. Tajik, E. Dietz, S. Frohmann, H. Dittrich, D. Nedospasov,
[181] T. Weingaertner and O. Camenzind, “Identity of things: Applying C. Helfmeier, J.-P. Seifert, C. Boit, and H.-W. Hübers, “Photonic
concepts from self sovereign identity to iot devices,” The Journal of side-channel analysis of arbiter pufs,” Journal of Cryptology,
The British Blockchain Association, p. 21244, 2021. vol. 30, no. 2, pp. 550–571, Apr 2017. [Online]. Available:
[182] R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, “Physical one-way https://doi.org/10.1007/s00145-016-9228-6
functions,” Science, vol. 297, no. 5589, pp. 2026–2030, 2002. [203] D. Merli, D. Schuster, F. Stumpf, and G. Sigl, “Semi-invasive em
[183] P. Tuyls, B. Škorić, S. Stallinga, A. H. Akkermans, and W. Ophey, attack on fpga ro pufs and countermeasures,” in Proceedings of the
“Information-theoretic security analysis of physical uncloneable func- Workshop on Embedded Systems Security, ser. WESS ’11. New York,
tions,” in International Conference on Financial Cryptography and NY, USA: Association for Computing Machinery, 2011. [Online].
Data Security. Springer, 2005, pp. 141–155. Available: https://doi.org/10.1145/2072274.2072276
[204] D. Nedospasov, J.-P. Seifert, C. Helfmeier, and C. Boit, “Invasive puf [225] A. Shamsoshoara, A. Korenda, F. Afghah, and S. Zeadally, “A survey
analysis,” in 2013 Workshop on Fault Diagnosis and Tolerance in on hardware-based security mechanisms for internet of things,” ArXiv.
Cryptography. IEEE, 2013, pp. 30–38. org, 2019.
[205] A. R. Korenda, F. Afghah, B. Cambou, and C. Philabaum, “A proof [226] B. Škorić, P. Tuyls, and W. Ophey, “Robust key extraction from
of concept SRAM-based physically unclonable function (PUF) key physical uncloneable functions,” pp. 407–422, 2005.
generation mechanism for IoT devices,” in 2019 16th Annual IEEE [227] K. Kursawe, A.-R. Sadeghi, D. Schellekens, B. Skoric, and P. Tuyls,
International Conference on Sensing, Communication, and Networking “Reconfigurable physical unclonable functions - enabling technology
(SECON). IEEE, jun 2019. for tamper-resistant storage,” in 2009 IEEE International Workshop on
[206] C. Böhm, M. Hofer, and W. Pribyl, “A microcontroller sram-puf,” in Hardware-Oriented Security and Trust. IEEE, 2009.
2011 5th International Conference on Network and System Security. [228] G. Suh, C. O'Donnell, I. Sachdev, and S. Devadas, “Design and imple-
IEEE, 2011, pp. 269–273. mentation of the AEGIS single-chip secure processor using physical
[207] D. Mukhopadhyay, “Pufs as promising tools for security in internet of random functions,” in 32nd International Symposium on Computer
things,” IEEE Design & Test, vol. 33, no. 3, pp. 103–115, 2016. Architecture (ISCA'05). IEEE, 2005.
[208] M. A. Qureshi and A. Munir, “PUF-IPA: A PUF-based identity [229] G. E. Suh and S. Devadas, “Physical unclonable functions for device
preserving protocol for internet of things authentication,” in 2020 IEEE authentication and secret key generation,” pp. 9–14, 2007. [Online].
17th Annual Consumer Communications & Networking Conference Available: https://ieeexplore.ieee.org/abstract/document/4261134
(CCNC), IEEE. IEEE, jan 2020, pp. 1–7. [230] I. Eichhorn, P. Koeberl, and V. van der Leest, “Logically reconfigurable
PUFs,” in Proceedings of the sixth ACM workshop on Scalable trusted
[209] K. B. Frikken, M. Blanton, and M. J. Atallah, “Robust authentication
computing - STC '11. ACM Press, 2011.
using physically unclonable functions,” in Lecture Notes in Computer
[231] L. Zhang, Z. H. Kong, and C.-H. Chang, “PCKGen: A phase change
Science. Springer Berlin Heidelberg, 2009, pp. 262–277.
memory based cryptographic key generator,” in 2013 IEEE Interna-
[210] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, “Silicon physical tional Symposium on Circuits and Systems (ISCAS2013). IEEE, may
random functions,” in Proceedings of the 9th ACM conference on 2013.
Computer and communications security - CCS '02. ACM Press, 2002. [232] J. Zhang and G. Qu, “Physical unclonable function-based key sharing
[211] D. Lim, J. Lee, B. Gassend, G. Suh, M. van Dijk, and S. Devadas, via machine learning for IoT security,” IEEE Transactions on Industrial
“Extracting secret keys from integrated circuits,” IEEE Transactions Electronics, vol. 67, no. 8, pp. 7025–7033, aug 2020.
on Very Large Scale Integration (VLSI) Systems, vol. 13, no. 10, pp. [233] K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens, and
1200–1205, oct 2005. D. Gruss, “Plundervolt: How a Little Bit of Undervolting Can Create
[212] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. Schmid- a Lot of Trouble,” IEEE Security & Privacy, vol. 18, no. 5, pp. 28–37,
huber, “Modeling attacks on physical unclonable functions,” in Pro- Sep. 2020.
ceedings of the 17th ACM conference on Computer and communica- [234] C. Tarnovsky, “Attacking tpm part 2 a look at the st19wp18 tpm
tions security. ACM Press, 2010, pp. 237–249. device,” 2013.
[213] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, “Controlled phys-
ical random functions,” in 18th Annual Computer Security Applications
Conference, 2002. Proceedings. IEEE Comput. Soc, 2002.
[214] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Lightweight secure
PUFs,” in 2008 IEEE/ACM International Conference on Computer-
Aided Design. IEEE, nov 2008.
[215] M. Majzoobi, M. Rostami, F. Koushanfar, D. S. Wallach, and S. De-
vadas, “Slender PUF protocol: A lightweight, robust, and secure
authentication by substring matching,” in 2012 IEEE Symposium on
Security and Privacy Workshops. IEEE, may 2012.
[216] J. Delvaux and I. Verbauwhede, “Fault injection modeling attacks on
65 nm arbiter and RO sum PUFs via environmental changes,” IEEE
Transactions on Circuits and Systems I: Regular Papers, vol. 61, no. 6,
pp. 1701–1713, jun 2014.
[217] Ü. Kocabaş, A. Peter, S. Katzenbeisser, and A.-R. Sadeghi, “Con-
verse puf-based authentication,” in Trust and Trustworthy Computing,
S. Katzenbeisser, E. Weippl, L. J. Camp, M. Volkamer, M. Reiter, and
X. Zhang, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012,
pp. 142–158.
[218] M.-D. Yu, M. Hiller, J. Delvaux, R. Sowell, S. Devadas, and I. Ver-
bauwhede, “A lockdown technique to prevent machine learning on
PUFs for lightweight authentication,” IEEE Transactions on Multi-
Scale Computing Systems, vol. 2, no. 3, pp. 146–159, jul 2016.
[219] Y. Gao, H. Ma, S. F. Al-Sarawi, D. Abbott, and D. C. Ranas-
inghe, “PUF-FSM: A controlled strong PUF,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits and Systems, pp. 1–1,
2017.
[220] A. Braeken, “Puf based authentication protocol for iot,” Symmetry,
vol. 10, no. 8, p. 352, 2018.
[221] U. Chatterjee, V. Govindan, R. Sadhukhan, D. Mukhopadhyay, R. S.
Chakraborty, D. Mahata, and M. M. Prabhu, “Building PUF based
authentication and key exchange protocol for IoT without explicit CRPs
in verifier database,” IEEE Transactions on Dependable and Secure
Computing, vol. 16, no. 3, pp. 424–437, may 2019.
[222] M. Ebrahimabadi, M. Younis, and N. Karimi, “A PUF-based modeling-
attack resilient authentication protocol for IoT devices,” IEEE Internet
of Things Journal, pp. 1–1, 2021.
[223] Z. Huang and Q. Wang, “A puf-based unified identity verification
framework for secure iot hardware via device authentication,” World
Wide Web, vol. 23, no. 2, pp. 1057–1088, 2020.
[224] J. Delvaux, D. Gu, D. Schellekens, and I. Verbauwhede, “Helper data
algorithms for PUF-based key generation: Overview and analysis,”
IEEE Transactions on Computer-Aided Design of Integrated Circuits
and Systems, vol. 34, no. 6, pp. 889–902, jun 2015.

Hardware Security For IoT Identity Assurance Submitted

Uploaded by

Copyright:

Available Formats

Hardware Security For IoT Identity Assurance Submitted

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hardware Security For IoT Identity Assurance Submitted

Uploaded by

Copyright:

Available Formats

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO.

Hardware security for IoT identity assurance

identifiers: context, association, knowledge, and inheritance. C. Actors

Fig. 1. Hardware attacks taxonomy

Identity assets Required capabilities

Technologies Lightweight Cryptography Object Identification Secure Storage

Masked ROM Crypto accelerators

Masked ROM Crypto accelerators

Technologies Features Advantages and disadvantages

You might also like