Paper 2017/991

Secure Code Updates for Smart Embedded Devices based on PUFs

Wei Feng, Yu Qin, Shijun Zhao, Ziwen Liu, Xiaobo Chu, and Dengguo Feng


Code update is a very useful tool commonly used in low-end embedded devices to improve the existing functionalities or patch discovered bugs or vulnerabilities. If the update protocol itself is not secure, it will only bring new threats to embedded systems. Thus, a secure code update mechanism is required. However, existing solutions either rely on strong security assumptions, or result in considerable storage and computation consumption, which are not practical for resource-constrained embedded devices (e.g., in the context of Internet of Things). In this work, we propose to use intrinsic device characteristics (i.e., Physically Unclonable Functions or PUF) to design a practical and lightweight secure code update scheme. Our scheme can not only ensure the freshness, integrity, confidentiality and authenticity of code update, but also verify that the update is installed correctly on a specific device without any malicious software. Cloned or counterfeit devices can be excluded as the code update is bound to the unpredictable physical properties of underlying hardware. Legitimate devices in an untrustworthy software state can be restored by filling suspect memory with PUF-derived random numbers. After update installation, the initiator of the code update is able to obtain the verifiable software state from device, and the device can maintain a sustainable post-update secure check by enforcing a secure call sequence. To demonstrate the practicality and feasibility, we also implement the proposed scheme on a low-end MCU platform (TI MSP430) by using onboard SRAM and Flash resources.

Available format(s)
Publication info
Preprint. MINOR revision.
Firmware UpdateSecure Code UpdatePhysically Unclonable Function (PUF)Remote AttestationEmbedded Security
Contact author(s)
vonwaist @ gmail com
2017-12-20: revised
2017-10-11: received
See all versions
Short URL
Creative Commons Attribution


      author = {Wei Feng and Yu Qin and Shijun Zhao and Ziwen Liu and Xiaobo Chu and Dengguo Feng},
      title = {Secure Code Updates for Smart Embedded Devices based on PUFs},
      howpublished = {Cryptology ePrint Archive, Paper 2017/991},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.