Call for Papers

IEEE Computer Special Issue on Embedded System Security

October 2001

Guest Editors

William A. Arbaugh (University of Maryland, College Park)

Leendert van Doorn (IBM Research, T.J. Watson)

Embedded systems are becoming ubiquitous within our daily lives. While it is still early, embedded systems have the potential for creating the same economic and social impact as those created by the explosive bandwidth growth provided by the Internet. Because the dynamics are similar, the problems with security and privacy may be similar as well. Ideally, we can learn from our past successes and failures in the Internet space, and apply these lessons within the embedded space.

Embedded devices come in many different shapes and forms, ranging from personal digital assistants (PDAs) to disk controllers and from home thermostats to microwave regulators. The key trends in embedded systems are that they are becoming more powerful, more autonomous, and highly connected- following essentially the same path as the Internet. But, we have learned that these trends are a "double edged sword". On the one hand, the devices can be used to improve overall security, i.e. tamper protected storage of cryptographic keys. On the other hand, the devices may seriously invade our privacy, i.e. the covert collection of user activity. As a result, both the security and privacy implications must be considered as soon as possible. The purpose of this special issue is to identify the specific security and privacy challenges facing the embedded system arena and present potential solutions.

We have identified several general areas which we believe provide broad coverage of the potential research area, and we list them below along with a brief description of each to assist potential authors (we encourage submissions outside of these areas as well):

• Risk analysis: What are the security risks for embedded systems? How are they different from normal systems. We've already seen the first cell phone attacks, what else can we expect in the future?
• Privacy issues: With embedded devices becoming more ubiquitous and well-connected what measures can we take to preserve the privacy of the users of the technology?
• Legal Issues: With the increasing importance of embedded systems in, for example, financial world (smartcards, digital signatures stored on PDAs), what are the legal implications? That is, how secure must a system be in order to show due diligence?
• Intellectual property protection: Enforcing intellectual property (IP) protection on the host system via software has been fundamentally flawed from the beginning. Is it possible to provide stronger IP protection using embedded hardware?
• Software security architecture: We solicit papers that discuss software security architectures for embedded systems.
• Security requirements for embedded OSes: Research on secure operating system has traditionally been focused on powerful timesharing systems. An embedded system puts all sorts of restrictions on the operating system, including the security mechanisms that can be used. We solicit papers that discuss the security mechanisms necessary for embedded OSes.
• Embedded cryptographic devices: Secure cryptographic coprocessors, such as the 4758, are commercial secure embedded devices that are usually capable of much more than just encryption. We solicit papers that discuss the application of these devices.
• Using embedded devices to build secure systems: Physically securing whole systems, such as notebooks, is not very cost effective yet. Is it possible to build systems with somewhat relaxed security requirements using physically secure embedded coprocessors? What is the tradeoff? What is the separation of concerns between the host and the embedded coprocessors?
• Secure firmware upgrades for embedded devices: More and more devices have upgradeable firmware. If specialized programs can update firmware, a virus can do the same thing? As soon as malicious logic gains control over the hardware it is almost impossible to regain control, or trust the device. Questions to be answered are: How can we provide secure firmware updates? How can we regain control and trust in a device after it has been compromised?

Instructions for Paper Submission

Submitted papers should follow the IEEE guidelines for authors found here. Specifically, papers must not be more than 6,000 words with each figure and table counted as 300 words. Papers along with a cover page that includes the title, authors, and abstract must be submitted electronically in either postscript or pdf in a format suitable for anonymous review. You may submit your article by following this link.
 

Submission date:                 March 15, 2001.
Acceptance notification:    June 1, 2001.
 

Questions should be addressed to Bill Arbaugh, waa@cs.umd.edu or Leendert van Doorn, leendert@watson.ibm.com.