
Author:
Ákos Milánkovich, Security Analyst at SEARCH-LAB
The ever-growing Internet of Things (IoT) ecosystem presents a double-edged sword: while it enables groundbreaking applications, it also expands the attack surface for malicious actors. Ensuring that all devices in an IoT system adhere to a robust security baseline is crucial to prevent attackers from exploiting weaker links. This is precisely the challenge that CROSSCON addresses. The CROSSCON Security Stack we develop is a modular, portable, and vendor-independent IoT security stack. It provides trusted services with high assurance across diverse hardware architectures and TEEs.
Security Testing Methodology
At CROSSCON, robust security evaluation is the cornerstone of releasing secure implementations. This process is guided by security requirements defined in WP1 and implemented through the MEFORMA methodology, which ensures comprehensive security testing across the stack.
MEFORMA Framework in Practice
The MEFORMA methodology, detailed in D5.3, outlines a customer-centric approach that extends beyond simple pass/fail evaluations by offering actionable insights for improvement. It consists of four main phases:
- Preparation Phase: Defines the evaluation plan, including scope, objectives, and test cases. Threat models are based on D1.5, enriched by Protection Profiles for a thorough assessment.
- Evaluation Phase: Executes the defined tests to identify vulnerabilities and assess their potential impact.
- Documentation Phase: Consolidates findings and provides detailed mitigation recommendations.
- Review Phase: Verifies the implemented fixes through regression testing, ensuring security gaps are addressed.
Continuous Evaluation with Delta Certification
To complement MEFORMA, CROSSCON integrates the Delta Certification approach using the DeltAICert tool, enabling continuous security evaluation by focusing on software changes. Key benefits include:
- Incremental security assessments to verify that updates do not introduce new vulnerabilities.
- Automated evidence collection and change detection through comparison with previous baselines.
- Streamlined decision-making for re-certification, focusing only on security-critical modifications.
This approach, described in D5.3, aligns with CROSSCON’s emphasis on efficient, resource-aware security practices, ensuring minimal testing redundancy.
A Comprehensive Testbed for IoT Security
Security and functional testing are conducted within CROSSCON’s testbed environment, which mirrors real-world IoT deployment scenarios. The testbed includes key hardware such as Raspberry Pi 4, FPGA boards, and STM32L4 microcontrollers. Jenkins orchestrates automated builds and continuous integration, ensuring:
- Realistic simulation of device interactions.
- Compatibility with diverse configurations.
- Comprehensive logging for detailed analysis.
The testbed setup accelerates the feedback loop, allowing for continuous security verification and updates.
Testing Highlights from Key Components
CROSSCON Hypervisor
The CROSSCON Hypervisor supports static partitioning and per-VM TEE services. Security testing will focus on CPU and memory isolation, secure interrupt handling, and I/O access control. Security measures will be validated using threat models adapted from industry standards to detect inter-VM interference and unauthorized access attempts.
Bare-Metal TEE and Control Flow Integrity (CFI)
The Bare-Metal TEE will undergo rigorous evaluation in both its MPU and non-MPU variants. Tests include control flow validation using the Flashadow and uIPS mechanisms to prevent Return-Oriented Programming (ROP) and Data-Oriented Programming (DOP) attacks. The CFI mechanisms will be tested for resilience against attempts to hijack execution flow.
Perimeter Guard and System-on-Chip (SoC) Protection
The Perimeter Guard (PG) enhances hardware resource sharing without compromising isolation. Tests will verify state protection during domain transitions and resistance to timing attacks, and evaluations will be carried out to prove secure arbitration of shared resources, preventing unauthorized inter-domain access.
PUF-Based Authentication
The PUF (Physically Unclonable Function) component will be assessed for resistance to challenge-response pair (CRP) table discovery, denial-of-service (DoS) attacks, and time desynchronization exploits. Rate-limiting mechanisms and synchronization protocols will also be tested to ensure robust authentication, even under attack.
Secure FPGA Provisioning
FPGA provisioning will be tested for bitstream integrity, resource allocation, and secure configuration. TAfpga, responsible for managing virtual FPGAs, will be tested for enforcing encryption and rejecting unauthorized bitstreams, ensuring safe reconfiguration.
Transparency and Dissemination
CROSSCON prioritizes transparency in its security practices. The results of security testing and functional validation will be published in deliverable D3.6 and on the CROSSCON GitHub repository before the project concludes in September 2025. By openly sharing findings, CROSSCON fosters trust and collaboration across the IoT community.
Conclusion
By integrating MEFORMA, DeltAICert, and a robust testbed, CROSSCON sets a new benchmark for IoT security testing. The project’s commitment to continuous evaluation, combined with the modularity and transparency of its security stack, paves the way for a more secure and interoperable IoT ecosystem. As the project advances, CROSSCON remains dedicated to empowering stakeholders with resilient and open security solutions.