Secure Intermittent Computing Protocol: Protecting State Across Power Loss

Archanaa S. Krishnan Charles Suslowicz Daniel Dinu Patrick Schaumont

Virginia Tech Virginia Tech Virginia Tech Virginia Tech
Blacksburg, VA, USA Blacksburg, VA, USA Blacksburg, VA, USA Blacksburg, VA, USA
[email protected] [email protected] [email protected] [email protected]

Abstract—Intermittent computing systems execute long-

running tasks under a transient power supply such as an
energy harvesting power source. During a power loss, they
save intermediate program state as a checkpoint into write-
efficient non-volatile memory. When the power is restored, the
system state is reconstructed from the checkpoint, and the
long-running computation continues. We analyze the security
risks when power interruption is used as an attack vector, and
we demonstrate the need to protect the integrity, authenticity,
confidentiality, continuity, and freshness of checkpointed data.
We propose a secure checkpointing technique called the Se-
cure Intermittent Computing Protocol (SICP). The proposed
protocol has the following properties. First, it associates every
checkpoint with a unique power-on state to checkpoint replay.
Second, every checkpoint is cryptographically chained to its
predecessor, providing continuity, which enables the program- Figure 1: Contents of microcontroller (MCU) memory including the check-
mer to carry run-time security properties such as attested point, CKP, of an intermittent system which is vulnerable to an adversary
program images across power loss events. Third, SICP is and state diagram of such a system under replay attack. An adversary is
atomic and resistant to power loss. We demonstrate a prototype able to repeatedly overwrite the new CKP2 with the stale CKP1 forcing
implementation of SICP on an MSP430 microcontroller, and continued re-execution of the code between ON2 and ON3 .
we investigate the overhead of SICP for several cryptographic
kernels. To the best of our knowledge, this is the first work to a cryptographic algorithm, leading to loss of confidentiality.
provide a robust solution to secure intermittent computing. Second, the adversary can tamper the checkpoint and take
control over the embedded system after power is restored.
Keywords-intermittent computing, secure checkpoints, em-
bedded systems, atomicity, continuity Third, when the same checkpoint can be restored infinitely,
the adversary can force repeated execution of the same
I. I NTRODUCTION section of code, as illustrated in Figure 1. A system moves
through a sequence of activities symbolized through ON-
Conventional embedded systems respond to power loss states, during which a checkpoint is generated and stored in
by losing its volatile state variables and rebooting from the non-volatile memory. During a power transition after ON2 ,
initial state when power is restored. Embedded devices pow- if an adversary records and restores CKP1, the section of
ered by energy harvesters, where power loss is a fact of life, code in ON2 is repeated.
utilize intermittent computing techniques to ensure forward
Objectives: We identify four fundamental objectives,
progress of long-running applications [1–5]. Such systems
which will be achieved by SICP, to address these risks. For
create checkpoints, snapshots of the volatile program state
an intermittent system, the first three objectives pertain to
stored in non-volatile memory, which includes the CPU
its security and the last objective pertains to its availability.
registers, stack, peripheral states and all the application vari-
ables that are necessary to restore the program state. When 1) Information Security: Information security ensures the
the power is restored, the program state is reconstructed confidentiality, integrity, and authenticity of check-
from the checkpoint and the program continues execution. pointed data.
If we treat power loss as an adversarial event, unprotected 2) Freshness: Freshness assures the system that the
checkpoints pose a significant risk. checkpoint to be restored is the most recent checkpoint
Risks of Checkpoints: When the checkpoint data may and not a replayed checkpoint.
be accessed by the adversary, for example, through the 3) Continuity: Application continuity is the assurance that
microcontroller debug interface, the adversary can exploit an application will resume execution from where it left
the checkpoints in several ways, as listed in Figure 1. off after a power loss without modification.
First, the adversary can read the checkpoint data, which 4) Atomicity: Atomicity guarantees that the protocol op-
reveals sensitive information such as the internal state of erations do not leave the intermittent system with an

978-3-9819263-2-3/DATE19/2019
c EDAA 728
 Target
Type of Related Essential properties
Platform
solution Work
C I A Freshness Continuity Atomicity
Intermittent [1–4] - - - - - - Embedded
computing Ghodsi [5]  - - - - - device
NVM memory Conventional
iNVM [6], SPE [7]  - - - - -
encryption computer
ICE [8]   -   - Conventional
State
Ariadne [9]   -    computer with
continuity
Memoir [10]   -    protected module
Secure SECCS [11]    - - - Embedded
checkpoints SICP(this work)       devices
C: Confidentiality, I: Integrity, A: Authenticity.

Table I: Comparison of the essential properties of SICP with related work

invalid state in the event of power loss during protocol

execution.
Related Work: Table I compares the essential properties
of some of the latest work related to checkpoints. So far,
none of the intermittent computing proposals has considered
checkpoint security [1–4], except one [5], which only con-
siders confidentiality and does not detect checkpoint replay.
In-band memory encryption techniques have been proposed
for conventional computers [6, 7], which introduce a con- Figure 2: The architectural assumptions and memory model for SICP
illustrating the assumed attacker model with two capabilities - (1) control
stant encryption overhead that is less suited for embedded power supply to the device and (2) view and modify tamnper sensitive
devices. non-volatile memory during power-off periods.
Current conventional computers are equipped with module
isolation mechanisms, such as Intel SGX and ARM Trust- solution that can be utilized by any embedded device with
Zone, that also require state continuity guarantees in case non-volatile memory. It does not require dedicated secure
of system crashes and power loses. ICE [8], Ariadne [9] hardware support such as protected modules to guarantee
and Memoir [10] were designed to provide state continuity the essential properties. We believe our solution is the first
to these computers. Although these solutions guarantee most to provide comprehensive security to the checkpoints of an
of the essential properties, they are not designed for resource embedded device.
constrained embedded devices. Organization: Section II explains the design and pro-
SECCS, a secure context saving solution, only provides vides a brief overview of SICP, while Section III describes
confidentiality and integrity of checkpoints in non-volatile the protocol in detail. Section IV demonstrates the feasibility
memory using a hardware module [11]. It does not consider of the SIC Protocol through a prototype implementation
replay of checkpoints or availability of the intermittent on an MSP430 microcontroller, followed by our results in
device. As a result, SECCS does not ensure freshness of Section V. We conclude with Section VI.
checkpoints and is not an atomic solution.
Contributions: We propose the Secure Intermittent II. D ESIGN
Computing Protocol, referenced as the SIC Protocol or SICP. Threat Model: We assume an I/O attacker model, with
It guarantees all the essential properties listed in Table I two capabilities, illustrated in Figure 2. First, the adversary
by the following considerations. First, SICP incorporates has complete control of the power supplied to the device.
freshness to checkpoints in the form of a nonce to detect This gives the adversary the ability to arbitrarily stop the
replay of checkpoints illustrated in Figure 1. Second, SICP execution of the target program. Second, the adversary
protects the information security of checkpoints using a de- has access to the majority of the device memory during
vice unique key. Third, all checkpoints are cryptographically power-off periods except for a small portion of non-volatile
linked to preserve the application continuity across power memory, which is tamper free. The adversary can view and
loss. Continuity guarantees the order of the sequence of modify the device memory to read, tamper, or replay check-
checkpoints and preserves the run-time security properties points except within the tamper free region. We assume a
in intermittent systems. Finally, SICP uses multiple stored protected embedded software execution environment which
states to guarantee atomic checkpoint generation and restora- provides execution integrity and memory protection when
tion, making SICP itself resilient to power loss. Unlike the device is powered on. The feasibility of this assumption
the other state continuity solutions listed in Table I, this has been demonstrated by recent efforts in attestation and
protocol is designed for embedded systems. It is a bare metal isolation for microcontrollers [12]. We do not deal with the

Design, Automation And Test in Europe (DATE 2019) 729

 Algorithm 1 INITIALIZE
Require: K
1: Q ← nonce()
2: TB ← nonce()
3: STATE ← 0
4: RA ← Q
5: SA ← AEADencr (STATE , TB , RA , K )
6: TA ← AEADauth (SA , TB , RA , K )

power-on state of the device. The nonce is stored in tamper-

free non-volatile memory to prevent checkpoint replay. It
introduces freshness to the state, even if the application
state is identical to a previous power cycle. For example,
in Figure 3, a new nonce R2 is associated with ON2 even
though the device is in the same application state as in ON1 .
Information security of the checkpointed data is pro-
tected using Authenticated-Encryption with Associated-Data
(AEAD) [13]. The encryption function takes the plain text
Figure 3: Example of the SIC Protocol. (1) The system is cleared by checkpoint, STATE , a nonce, Ri , and non-confidential as-
the factory reset() operation. A fresh nonce, Ri is associated with each sociated data, Ti as input to generate the resultant encrypted
power-on state. (2) The first valid state save packet, SS1 , is created by the checkpoint, Si , and an authentication tag, Ti . Si and Ti are
INITIALIZE. On power loss, (3) WIPE clears the volatile STATE and
upon subsequent power up, (4) RESTORE validates the latest state save stored in the device’s tamper sensitive non-volatile memory.
packet, SS1 , restores the program state, and generates a new state save Similarly, the encrypted checkpoint is decrypted and restored
packet SS2 . (5) During program execution, REFRESH is called to create onto STATE when power is restored. With this structure, a
a new checkpoint SS3 , overwriting the oldest state save packet, SS1 .
secure checkpoint contains a tuple of Ri , Si , and Ti , which
mitigation of side channel and fault injection attacks which we call a state save packet, SSi .
are beyond the scope of this work. The atomicity objective is satisfied using two state save
Architectural Assumptions: Based on the above threat packets, SSA and SSB . They are updated in an alternating
model, SICP requires certain basic capabilities from the manner, as shown in Figure 3, to keep one packet valid at
microcontroller architecture, illustrated in Figure 2. The all times. SICP is made resilient to power loss by atomic
SICP architecture contains three types of memory. Volatile generation and restoration of checkpoints.
memory holds the volatile program state and is erased upon The continuity objective is satisfied by using the au-
power loss. Tamper-sensitive non-volatile memory stores the thentication tag from the previous state save packet as the
secure checkpoints created from run-time program state. associated data in the AEAD operations to generate the next
This non-volatile memory does not possess any tamper- state save packet. For example, in Figure 3, T1 is used as
resistance and represents the vast majority of the system’s associated data to compute T2 , which in turn is used as
non-volatile memory. SICP also requires a small tamper- associated data to compute T3 . This process, referred as
free non-volatile memory to store SICP variables that need tag-chaining, cryptographically chains all the checkpoints
tamper-free storage. At a 128-bit security level, SICP utilizes together in a chronological order. Thus, authentication tags
48 bytes of tamper-free storage for two 128-bit nonces protect the authenticity and integrity of checkpoints as well
and a 128-bit secret key. The size of tamper free memory as the order of the checkpoints.
must be minimized to reduce hardware cost and complexity. Functions: SICP uses the following functions in its
Finally, we assume that the microcontroller has a residual implementation. factory reset() restores the device to manu-
power source which provides a small, finite energy supply facturer settings and loads a device unique key. nonce() gen-
when the regular power source is interrupted. This residual erates a unique and fresh nonce. abort() flags a violation of
power source can, for example, be provided through power SICP. AEADencr () encrypts a checkpoint and AEADdecr ()
conditioning capacitors. We assume that the residual power decrypts it. AEADauth () generates the authentication tag.
source can be physically protected and can provide the Typically, the AEAD interface for encryption/decryption
minimum required energy to finish writing a 128-bit value returns both the ciphertext/plaintext and authentication tag.
to non-volatile memory and wipe sensitive program state. They are separated here into AEADencr (), AEADdecr ()
and AEADauth () to provide clarity in protocol description.
A. SICP Operation
III. SIC P ROTOCOL
Figure 3 illustrates a working scenario of SICP. An inter-
mittent system moves through a series of power transitions, SICP is defined as a collection of four algorithms:
represented by ON-states and OFF-states. The freshness INITIALIZE, REFRESH, RESTORE and WIPE, de-
objective is satisfied by assigning a nonce, Ri , to each fined as follows.

730 Design, Automation And Test in Europe (DATE 2019)

Algorithm 2 REFRESH and RESTORE an atomic operation. The feasibility of this assumption is
Require: K , STATE , Si , Ri , Ti , where i ∈ {A, B} discussed in Section IV-A using the residual power source.
operation ∈ {REFRESH, RESTORE} RESTORE: RESTORE is called upon every power-
1: Q ← nonce()
2: if TA = AEADauth (SA , TA , RA , K ) then up, except immediately after a factory reset(), restores the
3: if operation = RESTORE then most recent valid STATE of the microcontroller. This func-
4: STATE ← AEADdecr (SA , TA , TB , RA , K ) tion operates in the same manner as REFRESH with the
5: end if
6: RB ← Q difference listed on lines 4 and 12 of Algorithm 2. If
7: SB ← AEADencr (STATE , TA , RB , K ) there is a valid state save packet, the AEADdecr () function
8: TB ← AEADauth (SB , TA , RB , K ) decrypts the ciphertext to restore it in STATE, otherwise,
9: else
10: if TB = AEADauth (SB , TA , RB , K ) then the program is aborted. SICP documents every power event
11: if operation = RESTORE then in the sequence of checkpoints by generating a new state
12: STATE ← AEADdecr (SB , TB , TA , RB , K ) save packet upon every power-up. For example, if SSB is
13: end if
14: RA ← Q valid, SB is decrypted and restored in STATE , SSA is
15: SA ← AEADencr (STATE , TB , RA , K ) updated with this STATE, a new nonce, Q and TB . At the
16: TA ← AEADauth (SA , TB , RA , K ) end of RESTORE, SSA is made valid, invalidating SSB .
17: end if
18: else Thus, SICP ensures that no two different ON-states of the
19: abort() device are represented by the same element in the sequence
20: end if of checkpoints.
If the stored state is tampered during power-off, the
INITIALIZE: This function is called the first time conditional checks on lines 2 and 10 fail, which flags a
the device is powered on and is detailed in Algorithm 1. security exception and calls abort(). At a minimum, this
It is used to generate the first state save packet of the function should either end program execution or clear the
application, SSA , following a factory reset(). Since the first device memory and restart the device.
state save packet has no previous authentication tag to
WIPE: WIPE must be called as soon as power loss
use for associated data, the tag, TB , is initialized with
is detected and the device is about to shut down. It clears
a nonce before it is used to generate SSA . This ensures
transient information such as the program variables stored
a unique chain of tags after each factory reset(). Finally,
as plain text using the residual power source. The function
STATE is overwritten with zeros to ensure future tests for
must overwrite the sections of non-volatile memory that
factory reset() fail and INITIALIZE is only executed once
contain sensitive data, STATE. Volatile memory is wiped
after a factory reset().
to prevent cold-boot style attacks [14]. The residual power
REFRESH: Since the process of generating and restor- source must have sufficient power to finish this operation
ing a checkpoint is similar, they are both described in one otherwise the protocol will fail to protect the confidentiality
procedure, Algorithm 2. REFRESH can be called at any of checkpoints. The specific implementation of WIPE will
point by the application when the device is powered-on after be device dependent. Section IV-A outlines our implemen-
INITIALIZE has finished generating the first valid state tation’s approach.
save packet. A state save packet is valid if it satisfies the
following conditions. First, its nonce, Ri , must match the IV. I MPLEMENTATION
nonce used in the AEADencr and AEADauth operations. To evaluate the SIC Protocol, we establish an intermit-
Second, the associated data used in these AEAD operations tent system and implement SICP to secure the system’s
must match the tag of the previously valid state save packet. checkpoints. We use a modified version of TI’s Compute
This ensures that at any point, only one state save packet is Through Power Loss (CTPL) utility [15] as the intermittent
valid. computing solution. The proof-of-concept implementation
REFRESH will determine which is the latest state save is created on an MSP430FR5994 Launchpad development
packet, to update the alternating state save packet. For board [16], which is equipped with 256kB of on-chip non-
example, if SSA was the latest packet to be refreshed, volatile ferroelectric RAM (FRAM). We use two different
then when REFRESH is called again, line 2 in Algorithm AEAD schemes. First, a software implementation of block
2 would be true. Correspondingly, the microcontroller will cipher based EAX [17], provided by the Cifra [18] crypto-
start updating SSB by first updating RB and then SB . As graphic library. Second, K ETJE v2, specifically K ETJE S R, a
long as TB is not updated, SSB does not yet contain a lightweight one-pass AEAD scheme, from the Keccak Code
valid state save packet and SSA remains valid. As soon Package (KCP) [19].
as TB is updated, it simultaneously invalidates SSA and
makes SSB the latest valid state save packet. This write to A. Secure Intermittent Computing Support
TB makes REFRESH atomic. The implementation of SICP Figure 4 illustrates the working of our implementation of
makes an explicit assumption regarding the tag update in SICP. The CTPL utility is modified to support user declared
lines 8 and 16 of Algorithm 2. The tag update must be system checkpoints and to invoke the protocol functions

Design, Automation And Test in Europe (DATE 2019) 731

Figure 4: Our implementation of SICP. (1) SICP checks for factory reset() and calls (2) INITIALIZE or (3) RESTORE to populate STATE in non-volatile
memory. RESTORE(4) inspects the non-volatile memory for a valid state save packet by checking the authentication tags, restoring it (6) if one is found or
invoking main() (5) if one does not exist. Program execution will then continue normally until power is lost or another checkpoint is created by calling
secureCheckpoint() which in turns calls (7) REFRESH to generate a new checkpoint.

INITIALIZE REFRESH RESTORE

Method
Time Energy Time Energy Time Energy
Component Size (B) (ms) (μJ) (ms) (μJ) (ms) (μJ)
Checkpoint Support 2532 Checkpoint Support 0.032 0.033 14.4 12.6 14.1 12.8
EAX (HW) 3938 EAX(HW) 0.061 0.039 355.2 263.2 455.2 332.3
K ETJE S R 3336 K ETJE S R 0.073 0.044 1912.1 15433.3 1301.4 10011.2

Table II: Executable Size Overhead Table III: Energy and time overhead for SICP

within the checkpoint and startup process. INITIALIZE vice’s Vcc . This is accomplished with MSP430FR5994’s
and RESTORE are called automatically during system ADC12 B analog-to-digital converter, measuring Vcc against
startup, as shown in Figure 4. WIPE is also automatically the system’s Vref as described in TI’s FRAM Utilities [15].
triggered upon power loss. Only RESTORE is called during The MSP430FR5994 development board’s unmodified im-
program execution by the user declared checkpoint func- plementation, including one 10μF capacitor and three 100nF
tion secureCheckpoint(). The application code calls capacitors, has sufficient residual energy to consistently
secureCheckpoint() which in turn invokes REFRESH overwrite up to 16kB of memory following the trigger [16].
to generate a secure checkpoint. When Vcc falls below Vref , ADC12 B triggers the overwrite
Atomicity Support: The atomicity of the of STATE and SRAM via direct-memory-access using the
secureCheckpoint() function is ensured by using residual power source.
two state save packet buffers, SSA and SSB . All changes
to non-volatile memory are made to the alternate buffer, V. R ESULTS
such that the most recent state save packet remains valid We demonstrate SICP’s feasibility and measure the cost in
until the newly computed tag is ready. Once the new tag terms of energy, time and code size overhead incurred to pro-
computation is complete and stored in a temporary buffer, tect a sequence of checkpoints. We have utilized reference
the sic_copyTag() function is called to overwrite implementations for both AEAD designs. EAX(HW), which
the previous tag and set the newly created checkpoint as is a hybrid hardware AEAD primitive, is obtained by sub-
the only valid checkpoint in an atomic operation. This is stituting the software block cipher operations within EAX
achieved by disabling all interrupts for the copy duration of with the MSP430FR5994’s AES hardware accelerator [16].
48 cycles and relying on the residual energy of the device The comparison between the performance of the different
to ensure that even if power is lost, the copy operation AEAD schemes is specific to our protocol implementation
will complete before the system stops operating. Thus, and is not an evaluation of the different AEAD construc-
secureCheckpoint() completes the protocol operation tions themselves. All measurements were taken when the
without incident, ensuring the availability of the intermittent microcontroller was operating at 1 MHz and use a state size
device. of 2kB, a reasonable region for applications on a resource
nonce(): A majority of the nonces used in this protocol constrained device. The energy and time overhead of SICP
are provided by a 128-bit counter that is initialized to a functions must be measured separately when SSA and when
random number during the INITIALIZE process and incre- SSB are the valid state because the authenticity of SSA is
mented each time a new nonce is requested. The exception always checked first in the protocol. The two measurements
is for the nonce for TB in the INITIALIZE function. This are then averaged to present the following results.
nonce is generated randomly to ensure that no two different Overhead: Table II provides an estimate of the ex-
uses of a device create the same pattern of tags, even if the pected growth of a program’s memory footprint when sup-
exact same code is executed following a factory reset(). port for each component is added to the system. EAX(HW)
WIPE: The implementation of the WIPE operation and K ETJE SR represent the executable size overhead for
requires detection of power loss by monitoring the de- SICP functions along with their respective cryptographic

732 Design, Automation And Test in Europe (DATE 2019)

kernels. The energy and time overhead are listed in Table III. [3] M. Hicks, “Clank: Architectural Support for Intermittent
SICP with EAX(HW) achieves lower overhead compared to Computation,” in Proc. of the 44th Annual Inter. Symposium
K ETJE S R because of its two-pass structure and the use of on Computer Architecture, ISCA 2017, 2017, pp. 228–240.
[4] S. C. Bartling, S. Khanna, M. P. Clinton, S. R. Summer-
hardware accelerated AES module. In all cases, the overhead felt, J. A. Rodriguez, and H. P. McAdams, “An 8MHz 75
incurred by the checkpointing system is constant and is listed microa/MHz zero-leakage non-volatile logic-based cortex-m0
under Checkpoint Support in Table II and III. mcu soc exhibiting 100vdd=0v with lt;400ns wakeup and
Analysis: Even though K ETJE S R is a lightweight sleep transitions,” in ISCC2013, Feb 2013, pp. 432–433.
AEAD scheme, it still generates significant overhead within [5] Z. Ghodsi, S. Garg, and R. Karri, “Optimal checkpoint-
ing for secure intermittently-powered IoT devices,” in 2017
SICP compared to a hardware accelerated version of EAX IEEE/ACM Inter. Conf. on Computer-Aided Design (ICCAD),
both in terms of energy and time. This highlights the Nov 2017, pp. 376–383.
advantage of hardware accelerated cryptographic modules [6] S. Chhabra and Y. Solihin, “i-NVMM: A secure non-volatile
within SICP. Even with a hardware accelerated AEAD main memory system with incremental encryption,” in 38th
primitive, SICP takes considerable time and energy to secure Inter. Symp. on Computer Architecture (ISCA 2011, 2011, pp.
177–188.
the checkpointed state, which highlights the need for effi- [7] S. Kannan, N. Karimi, O. Sinanoglu, and R. Karri, “Security
cient, lightweight AEAD primitives. The latest advantages Vulnerabilities of Emerging Nonvolatile Main Memories and
in technology scaling does not apply to non-volatile mem- Countermeasures,” IEEE Trans. on Computer-Aided Design
ories. FRAM, one of the most energy efficient non-volatile of Integrated Circuits and System, vol. 34, no. 1, pp. 2–15,
memories, is only available in 130nm technology. Advances Jan 2015.
[8] R. Strackx, B. Jacobs, and F. Piessens, “ICE: A passive, high-
in non-volatile memory technologies will help improve the speed, state-continuity scheme,” in Proc. of the 30th Annual
performance of the protocol. Computer Security Applications Conf., ser. ACSAC ’14. New
SICP does not provide any backdoor for the attacker. For York, NY, USA: ACM, 2014, pp. 106–115.
example, if an adversary tries to repeatedly cut power to [9] R. Strackx and F. Piessens, “Ariadne: A minimal approach to
the device during protocol operations, the device continues state continuity,” in 25th USENIX Secur. Symposium (USENIX
Security 16). Austin, TX: USENIX Association, 2016, pp.
operation without any glitches because of the atomicity 875–892.
guarantees of the protocol. Similarly, if an adversary tries [10] B. Parno, J. R. Lorch, J. R. Douceur, J. Mickens, and J. M.
to emulate a factory reset(), they will be left with a de- McCune, “Memoir: Practical state continuity for protected
vice with a clean memory and newly loaded key. Since a modules,” in 2011 IEEE Symp. on Secur. and Priv., May 2011,
factory reset() wipes all the device memory, any sensitive pp. 379–394.
[11] E. Valea, M. D. Silva, G. D. Natale, M. Flottes, S. Dupuis,
information the adversary wishes to recover will be unavail- and B. Rouzeyre, “SECCS: SECure Context Saving for IoT
able to the attacker. devices,” in 13th Inter. Conf. on Design & Techn. of Integrated
Systems In Nanoscale Era, DTIS 2018, 2018, pp. 1–2.
VI. C ONCLUSION [12] J. Noorman, J. V. Bulck, J. T. Mühlberg, F. Piessens,
This paper was motivated by the lack of appropriate se- P. Maene, B. Preneel, I. Verbauwhede, J. Götzfried, T. Müller,
curity features incorporated in existing intermittent systems. and F. Freiling, “Sancus 2.0: A Low-Cost Security Architec-
ture for IoT Devices,” ACM Trans. Priv. Secur., vol. 20, no. 3,
The Secure Intermittent Computing Protocol addresses the pp. 7:1–7:33, Jul. 2017.
security of intermittent systems across periods of power loss [13] P. Rogaway, “Authenticated-encryption with associated-data,”
and its implementation highlights the heavy computational in Proc. of the 9th ACM Conf. on Computer and Communi-
cost required to secure a stored system state. It is a generic cation Security, CCS 2002, 2002, pp. 98–107.
protocol that can be used on top of any intermittent com- [14] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson,
W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum,
puting solution to secure its checkpoints. Our work demon- and E. W. Felten, “Lest we remember: Cold boot attacks
strated the need for future work in lightweight cryptographic on encryption keys,” in Proceedings of the 17th USENIX
kernels that can support AEAD schemes. In the future, a Security Symposium, July 28-August 1, 2008, San Jose, CA,
platform could be developed with a low latency non-volatile USA, 2008, pp. 45–60.
memory and the necessary hardware acceleration to support [15] MSP MCU FRAM Utilities, 2017. [Online].
Available: http://software-dl.ti.com/msp430/msp430\
secure storage of larger system states. public\ sw/mcu/msp430/FRAM\ Utilities/latest/exports/
Acknowledgements: This work was supported in part FRAM-Utilities-UsersGuide.pdf
by NSF grant 1704176 and SRC GRC Task 2712.019. [16] MSP430FR58xx, MSP430FR59xx, MSP430FR68xx, and
MSP430FR69xx Family User’s Guide, 2012, no.
R EFERENCES SLAU678M. [Online]. Available: http://www.ti.com/lit/ug/
[1] G. Berthou, T. Delizy, K. Marquet, T. Risset, and G. Salagnac, slau367o/slau367o.pdf
“Peripheral state persistence for transiently-powered sys- [17] M. Bellare, P. Rogaway, and D. Wagner, The EAX Mode of
tems,” in Global Internet of Things Summit, GIoTS 2017, Operation. Berlin, Heidelberg: Springer Berlin Heidelberg,
Geneva, Switzerland, June 6-9, 2017, 2017, pp. 1–6. 2004, pp. 389–407.
[2] H. Jayakumar, A. Raha, W. S. Lee, and V. Raghunathan, [18] J. Birr-Pixton, “Cifra: Cryptographic primitive collection,”
“QuickRecall: A HW/SW Approach for Computing across https://github.com/ctz/cifra, 2017.
Power Cycles in Transiently Powered Computers,” JETC, [19] G. Bertoni, J. Daemen, M. Peeters, G. V. Assche, and R. V.
vol. 12, no. 1, pp. 8:1–8:19, 2015. Keer, “Keccak code package,” 2017.

Design, Automation And Test in Europe (DATE 2019) 733