I. INTRODUCTION
Traditional computer systems have focused on controls based on the identity of users of running programs. But cyberphysical systems (CPSs) running on tiny scale systems (TSSs) execute small-scale software without any user support and have very restricted resources. Furthermore, they do not feature any resource protection scheme. Hence, a single error can compromise the complete system and make TSSs vulnerable against a broad variety of malicious software. For a secure implementation of a TSS application a security architecture must be built similar to those of desktop applications. Technologies to build such a security architecture include small interfaces, access-control schemes, tunneling, secure booting, effective resource control, and virtual machines [1] . Although TSSs process a tiny volume of data and their applications are clearly defined and mostly simple, a tiny number of individual activities can be always identified. The presented concept for building a security architecture for TSSs is based on a tailor-made secure isolation of software activities. Due to the predefined nature of TSS applications a compile-and run-time co-design can be used. By using compile-time optimizations an implementation of a complex security architecture becomes feasible.
The rest of the document is structured as follow, section II provides state of the art of memory isolation on TSSs. In section III the concept of the security architecture is presented. The document concludes with a short summary and the current status of the PhD work.
II. STATE OF THE ART
The implementation of security architectures on TSSs became into the focus of research in the last few years. Nevertheless, the investigation of safety concepts is as old as embedded systems. The concept of software-based fault isolation (SFI) was developed more than 20 years ago [2] and is still used in deeply embedded systems to build safety critical applications [3] . Safety-related approaches are mostly built on extensible systems using safe languages [4] , [5] . Due to the performance drawback of software approaches hardware-based concepts are developed as well [6] , [7] .
But all safety-related approaches assume that the system is running software, which do not deliberately bypass safety mechanisms. Systems infected by malicious software need secure mechanisms, which are protected by a trustworthy instance. Such an instance can be focused on highly critical components as the system stack [8] or must more generally be based on small interfaces provided by a small trusted computing base [1] such as µ-kernels systems [9] , [10] .
A secure software-based isolation can only be enforced by a decoupling of the software from the underlying hardware. Such a decoupling can be implemented by an instruction set architecture (ISA) virtualization [11] . But available approaches on TSSs emulate a tiny virtual ISA [12] , [13] only. On these systems the emulated software must be written in a dialect of a programming language, which comes with a reduced function set. An approach for hardening common software on TSS is still missing.
III. CONCEPT
Although security became key in CPSs within the last recent years a security architecture on TSSs based on strong technologies is still missing. In the following a concept of such an architecture shall be drafted.
A. Tailor-made dataspaces
We introduce the concept of dataspaces to unify the different hardware resources of a TSS. A unique representation of resources will significantly simplify a memory protect scheme under fulfilling the requirements for TSS applications. The authors of [14] define a dataspace as an unstructured data container that contains any type of data. Due to the memory mapped I/O method used in TSSs all types of hardware resources can be described by dataspaces. An adaption of the concept of dataspaces on TSSs is illustrated by Figure 1 . The address space will be organized by dataspaces, which can be assigned to regions of a software activities. A software activity can grant the regions it owns to another software activity to implemented shared memories.
A software activity accesses a physical resource by accessing a region associated with a dataspace. A dataspace is attached to a region of a software activity and includes permissions allowed or forbidden on physical resources. Furthermore, we introduce granting for implementing shared memory between software activities. A software activity can grant a region that it owns to any other software activity. The region can be used to share resources between software activities. The software activity gets the same rights on the dataspace but does not get any access on the dataspace management. Only a region owner can modify access rights and can revoke a granted region.
The implementation of dataspaces on TSSs requires a memory protection unit (MPU) with a flexible segment size. Paging with fix-size pages is not suitable due to its crossgrained memory structuring. Especially the registers of IO resources cannot be efficient organized by paging. The tailormade dataspaces require a tailor-mode MPU.
B. Security Nucleus
Access control schemes can be applied on dataspaces, whereby a trustworthy instance must make a decision to grant or reject an access request. An efficient and flexible implementation can be based on an MPU managed by a µ-kernel, which contains at least the three basic primitives: address spaces, threads and inter-process communication (IPC), and unique identifiers.
In an adaptation to TSSs not all of these three primitives are necessary. A security nucleus, less flexible than a µ-kernel, must provide dataspace management and unique identifiers only. As mentioned before IPC can be implemented by region granting within the context of software activities and a flexible thread management is superfluous due to the static nature of TSS applications. Furthermore, due to the fact that dynamic memory allocation is mostly not available or necessary on TSSs and the memory layout of TSS applications is mostly fixed at compile time, a dataspace management can be reduced to a minimal feature set.
Whereas an efficient implementation of a security nucleaus can only be realized by a hardware-based MPU, such an approach requires a new processing core or at least a hardware extension. A software-based approach can be used on offthe-shelf components instead, which reduces development cost and time in a significant manner. Due to the advantages and drawbacks of both concepts approaches for the hardwarebase as well as for the software-base implementation are investigated in the following.
1) Hardware-based security nucleus:
A tailor-made MPU for TSSs has to consider the limited resources of these systems. The silicon footprint and the performance of the MPU have a direct impact on the power consumption of the microcontroller. Therefore, the concept must be simple but powerful enough to minimize the performance drawback. Dataspaces and unique identifiers can be managed by software. But the hardware must control any memory access. This control requires a matching of the access rights of the addressed dataspace and the current software activity. Access rights are typically stored in tables, which are located in a dedicated memory section. Figure 2 shows a possible integration of an MPU in a TSS. Due to fact that low power microcontrollers use a single address space for addressing memory and peripheral units as well, an MPU can be placed between the processing core and the physical resources. To enforce memory isolation on each memory access the MPU has to match access rights and software activity. Therefore, both must be stored close to the MPU. The addressed dataspace can be identified by gathering the address from the address bus and in case of an access violation an interrupt can be raised and the data transfer can be aborted. We have developed an MPU for TSSs that is integrated in an MSP430 as shown in Figure 2 . The MPU provides a single cycle table lookup by using a rights lookaside buffer [15] . The segments descriptors and the current software activity ID are store in the MPU to avoid additional memory traffic. Due to the reduced complexity of TSSs applications the number of segments and software activity IDs are be limited to a number that can be handled by a small logical block. The segments have a flexible size to take the address layout of TSSs into account. Furthermore, a segment can be granted by group identifiers to implement IPC.
2) Software-based security nucleus: Virtualization in embedded systems as introduced by Heiser [16] does not make sense in the context of TSSs. Due to the limited resources a native virtualization cannot be implemented without a significant performance drawback. But the concept of ISA emulation can be used for implementing a software-based security nucleus (SecN). Similar to the hardware-based approach a softwarebased SecN can enforce software isolation by controlling each memory access during instruction emulation.
Instruction emulation needs a lot of computational power that is usually not available on TSSs. But most of the TSSs do not use their full system's performance. Therefore, the drawback of emulation can be simple reduced by increasing the system's clock speed. But emulation needs a magnitude more of performance so that a simple clock speedup is adequate for some few applications only. An alternative approach uses a partial emulation, that emulates critical operations only. This approach is similar to SFI. Critical operations are wrapped by a monitor or trap code that performs an access control operation in front of the memory access. But this approach requires program code modifications before the application is running the first time. These modifications can be done at compile time, which requires a secure software deployment, or at run time, which requires additional code and memory capabilities on the system. The number of critical operations depends significantly on the software implementation. Especially function calls and dynamic memory objects are implemented by critical operations. To minimize the needed monitor or trap code additional modifications can be done in front of the monitor or trap code insertion. These modifications techniques are also used within the context of safety critical applications and are already proven there. But these modification techniques can be very complex and should be done at compile time.
C. Software activities access control
In a TSS a software activity is similar to a user activity. It is executed within a context as seen as a role to perform a specific task. Furthermore, software activities in their roles use software functions as operations on dataspaces. Hence, the organization of software on TSSs similar to the core of the role-based access control (RBAC) model defined by R. Sandhu [17] will allow the description of a very fine-grained access control on physical resources.
The specific characteristics of TSSs allow a pre-compile time description of the security role set including users, roles, operations, and objects. By using source code annotations the security role set can be tightly coupled with the functional set of the TSS application. A tool chain extension can be used to setup dataspaces and software activities as described by the security role set at compile time. Therefore, a dynamic setup can be reduced to a minimum and done during system's boot strap.
IV. CONCLUSION AND FUTURE WORK
The presented work illustrates a concept for applying well-known technologies to build a security architecture on tiny scale systems (TSSs). A security nucleus (SecN) was introduced to implement small interfaces and access control on tailor-made dataspaces. Furthermore, the application of the RBAC model on TSS software was presented. A hardwarebased implementation of the SecN could already presented in a previous publication. Recently, work on the softwarebased SecN and the RBAC description are in progress. The implementation will be used to evaluate the drawback on resources and performance of the final concept.
