CR | Feb 13, 2021

GAROTA: Generalized Active Root-Of-Trust Architecture

arXiv:2102.07014v2
Originality: Highly original
AI Analysis

This paper addresses security for low-end microcontrollers, enabling them to reliably perform actions even when compromised. The contribution is incremental: it builds on root-of-trust concepts but applies them to a new, constrained domain.

The paper tackled the problem of designing a minimal active root-of-trust for tiny low-end microcontrollers to guarantee actions in the presence of malware, resulting in GAROTA, which is implemented and formally verified for applications triggered by sensing, network events, and timers.

In this paper, we set out to systematically design a minimal active RoT for tiny low-end MCU-s. We begin with the following questions: (1) What functions and hardware support are required to guarantee actions in the presence of malware?, (2) How to implement this efficiently?, and (3) What security benefits stem from such an active RoT architecture? We then design, implement, formally verify, and evaluate GAROTA: Generalized Active Root-Of-Trust Architecture. We believe that GAROTA is the first clean-slate design of an active RoT for low-end MCU-s. We show how GAROTA guarantees that even a fully software-compromised low-end MCU performs a desired action. We demonstrate its practicality by implementing GAROTA in the context of three types of applications where actions are triggered by: sensing hardware, network events and timers. We also formally specify and verify GAROTA functionality and properties.
