PUF for the Commons: Enhancing Embedded Security on the OS Level

TL;DR

This paper integrates SRAM-based physically unclonable functions into the RIOT IoT operating system, providing a secure, device-unique fingerprinting method that enhances embedded device security through extensive real-world testing.

Contribution

It introduces a generic method to incorporate SRAM PUFs into RIOT OS, supported by large-scale real-world data, demonstrating improved security for constrained IoT devices.

Findings

SRAM PUFs provide over 128-bit device-unique keys.

Secure random seeds from SRAM PUFs offer 256-bit security.

The approach resists moderate attack scenarios.

Abstract

Security is essential for the Internet of Things (IoT). Cryptographic operations for authentication and encryption commonly rely on random input of high entropy and secure, tamper-resistant identities, which are difficult to obtain on constrained embedded devices. In this paper, we design and analyze a generic integration of physically unclonable functions (PUFs) into the IoT operating system RIOT that supports about 250 platforms. Our approach leverages uninitialized SRAM to act as the digital fingerprint for heterogeneous devices. We ground our design on an extensive study of PUF performance in the wild, which involves SRAM measurements on more than 700 IoT nodes that aged naturally in the real-world. We quantify static SRAM bias, as well as the aging effects of devices and incorporate the results in our system. This work closes a previously identified gap of missing statistically significant sample sizes for testing the unpredictability of PUFs. Our experiments on COTS devices of 64 kB SRAM indicate that secure random seeds derived from the SRAM PUF provide 256 Bits-, and device unique keys provide more than 128 Bits of security. In a practical security assessment we show that SRAM PUFs resist moderate attack scenarios, which greatly improves the security of low-end IoT devices.