Skip to content

SamuelGerald2005/Secure-Task-Isolation-in-RTOS-for-Embedded-Systems

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Secure Task Isolation in RTOS for Embedded Systems

Overview

This project implements a multi-layered secure embedded architecture on the ESP32 platform using FreeRTOS. The system is designed as a hardened IoT gateway capable of resisting both internal software attacks and external wireless attacks while maintaining deterministic real-time operation.

Unlike conventional IoT security architectures that rely heavily on TLS, BLE pairing, or cloud-side trust enforcement, this implementation demonstrates a lightweight but extremely structured defense-in-depth design directly inside the embedded firmware stack.

Architecture

The system integrates:

  • Secure Boot V2 and eFuse-backed hardware trust
  • Software-enforced MPU-style task isolation
  • Secure IPC with fault containment
  • Authenticated ESP-NOW wireless communication
  • PSA Crypto based HMAC verification
  • Replay prevention and freshness validation
  • Attack simulation and live mitigation
  • Deterministic fault handling under FreeRTOS

The architecture is divided into four independent but interconnected security layers:

  • Layer 1: Hardware Root of Trust + Secure Boot
  • Layer 2: Task Isolation + Software MPU
  • Layer 3: Secure IPC + Internal Attack Containment
  • Layer 4: Wireless Authentication + Replay Protection

System Objectives

  • Firmware Integrity: Ensure only authenticated firmware images execute.
  • Runtime Task Isolation: Prevent rogue tasks from reading or modifying privileged memory regions.
  • Secure Inter-Task Communication: Prevent internal attacks such as queue flooding, buffer corruption, race conditions, shared resource abuse, and IPC-based denial of service.
  • Secure Wireless Communication: Secure ESP-NOW communication providing authentication, integrity, replay prevention, and freshness guarantees without TLS, BLE pairing, or Wi-Fi overhead.
  • Fault Isolation: Ensure attacks do not collapse the RTOS kernel (Detect → Isolate → Contain → Continue Operation).

Project Structure

  • main/main.c: Primary firmware entry point, initializes NVS, starts IPC layer, creates all FreeRTOS tasks.
  • main/comms_layer.c & .h: Implements the secure IPC backbone (static queues, static mutex).
  • main/task_sensor.c: Simulates an embedded sensor node generating telemetry.
  • main/task_comms.c: Security-critical task performing IPC validation, threat detection, HMAC generation, and ESP-NOW transmission.
  • main/task_attacker.c: Simulates malicious firmware behavior (buffer corruption, queue flooding, unauthorized memory access).
  • main/mpu_fault.c: Implements a software-based MPU.
  • main/ipc_fault.c: Centralized IPC threat response engine.
  • main/task_logger.c: Dedicated audit logging subsystem.
  • main/task_admin.c: Highest privilege supervisory task generating heartbeat logs.

Getting Started

To compile and flash this project onto an ESP32:

  1. Ensure you have the ESP-IDF installed.
  2. Clone this repository.
  3. Run idf.py build to compile the firmware.
  4. Run idf.py -p (PORT) flash monitor to flash the ESP32 and view the logs.

Documentation

For a detailed analysis of the architecture, simulated attack vectors, and security principles, please refer to Report.md.

About

Secure Task Isolation in RTOS for Embedded Systems

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors