GAROTA: Generalized Active Root-Of-Trust Architecture
Esmerald Aliaj, Ivan De Oliveira Nunes, Gene Tsudik

TL;DR
GAROTA is a novel, formally verified active Root-Of-Trust (RoT) architecture for low-end microcontrollers (MCUs). It guarantees that a desired action is performed even when the device's software is fully compromised by malware, and is demonstrated in applications triggered by sensing hardware, network events, and timers.
Contribution
It introduces the first clean-slate design of an active RoT for low-end MCUs, with formal verification and practical implementation across diverse application scenarios.
Findings
Guarantees desired actions despite malware compromise
Successfully implemented in sensing, network, and timer contexts
Formally verified for security properties
Abstract
In this paper, we set out to systematically design a minimal active RoT for tiny low-end MCU-s. We begin with the following questions: (1) What functions and hardware support are required to guarantee actions in the presence of malware?, (2) How to implement this efficiently?, and (3) What security benefits stem from such an active RoT architecture? We then design, implement, formally verify, and evaluate GAROTA: Generalized Active Root-Of-Trust Architecture. We believe that GAROTA is the first clean-slate design of an active RoT for low-end MCU-s. We show how GAROTA guarantees that even a fully software-compromised low-end MCU performs a desired action. We demonstrate its practicality by implementing GAROTA in the context of three types of applications where actions are triggered by: sensing hardware, network events and timers. We also formally specify and verify GAROTA functionality…
Taxonomy
Topics: Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Malware Detection Techniques
