SPRADO0 November 2024 F29H850TU, F29H859TU-Q1
A common way for attackers to compromise an embedded control system is to connect to the microcontroller’s debug port using JTAG, SWD or some other standard protocol. If the debug port is unsecured, the attacker could easily redirect execution, extract secrets, or explore other ways to compromise the system. A microcontroller used in a secure application should offer password-based locking of the debug port as a base requirement. For added security, system designers who want to avoid passwords, which are potentially exposable as shared secrets, can implement an alternate authentication mechanism, such as challenge-response or certificate-based authentication using public key cryptography.
In certain cases, it is desirable to demarcate the application into multiple domains, potentially outsourcing the development of one or more of those domains to a third party or otherwise untrusted software development environment. In this scenario, having a single authentication credential that is shared across all development parties is less than ideal from a security standpoint. To address this weakness, the device architecture can partition resource groups on the chip with independent debug enable signals. Multiple authentication credentials can then be created for a given device, with varying levels of access to device resource groups. For instance, one debug certificate could grant access to the entire chip, while another certificate blocks access to memory regions containing sensitive data.
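The following is an added example, not code from this document or from the device vendor. It models the two ideas above together: a challenge-response debug unlock verified with a public key, and a signed per-resource-group access mask. The group names, field layout, and class are hypothetical, and the toy-sized textbook RSA key is a stand-in for the device's real signature scheme.

```python
import hashlib, secrets

# Toy RSA key from two Mersenne primes: illustration only, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with the signing authority

# Hypothetical resource groups, each with its own debug-enable bit.
GROUPS = {"cpu_app": 0x1, "peripherals": 0x2, "secure_mem": 0x4}

def _digest(device_id: bytes, nonce: bytes, mask: int) -> int:
    # Fixed-width mask plus length-prefixed fields keep the encoding unambiguous.
    msg = mask.to_bytes(4, "big")
    for field in (device_id, nonce):
        msg += len(field).to_bytes(2, "big") + field
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_cert(device_id: bytes, nonce: bytes, mask: int) -> dict:
    """Signing authority: bind the access mask to one device and one challenge."""
    sig = pow(_digest(device_id, nonce, mask), D, N)
    return {"device_id": device_id, "nonce": nonce, "mask": mask, "sig": sig}

class Device:
    """Device side: holds only the public key (N, E), never a shared secret."""
    def __init__(self, device_id: bytes):
        self.device_id, self.nonce, self.enabled = device_id, None, 0

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # fresh per unlock attempt
        return self.nonce

    def unlock(self, cert: dict) -> int:
        nonce, self.nonce = self.nonce, None  # single use, consumed even on failure
        ok = (nonce is not None
              and cert["nonce"] == nonce
              and cert["device_id"] == self.device_id
              and (cert["mask"] & ~sum(GROUPS.values())) == 0  # no undefined bits
              and pow(cert["sig"], E, N) == _digest(self.device_id, nonce, cert["mask"]))
        self.enabled = cert["mask"] if ok else 0  # fail closed: all groups locked
        return self.enabled

    def debug_allowed(self, group: str) -> bool:
        return bool(self.enabled & GROUPS[group])
```

A third-party developer's certificate would carry a mask without the `secure_mem` bit, so a successful unlock still leaves that group's debug enable deasserted.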