## Provable Execution in Real-Time Embedded Systems

Antonio Joia Neto Rochester Institute of Technology aj4775@rit.edu Norrathep Rattanavipanon Prince of Songkla University norrathep.r@phuket.psu.ac.th Ivan De Oliveira Nunes Rochester Institute of Technology ivanoliv@mail.rit.edu

Abstract—Embedded devices are increasingly ubiquitous and vital, often supporting safety-critical functions. However, due to strict cost and energy constraints, they are typically implemented with Micro-Controller Units (MCUs) that lack advanced architectural security features. Within this space, recent efforts have created low-cost architectures capable of generating Proofs of Execution (PoX) of software on potentially compromised MCUs. This capability can ensure the integrity of sensor data from the outset, by binding sensed results to an unforgeable cryptographic proof of execution on edge sensor MCUs. However, the security of existing PoX requires the proven execution to occur atomically (i.e., uninterrupted). This requirement precludes the application of PoX to (1) timeshared systems, and (2) applications with real-time constraints, creating a direct conflict between execution integrity and the real-time availability needs of several embedded system uses.

In this paper, we formulate a new security goal called Real-Time Proof of Execution (RT-PoX) that retains the integrity guarantees of classic PoX while enabling its application to existing real-time systems. This is achieved by relaxing the atomicity requirement of PoX while dispatching interference attempts from other potentially malicious tasks (or compromised operating systems) executing on the same device. To realize the RT-PoX goal, we develop Provable Execution Architecture for Real-Time Systems (PEARTS). To the best of our knowledge, PEARTS is the first PoX system that can be directly deployed alongside a commodity embedded realtime operating system (FreeRTOS). This enables both real-time scheduling and execution integrity guarantees on commodity MCUs. To showcase this capability, we develop a PEARTS open-source prototype atop FreeRTOS on a single-core ARM Cortex-M33 processor. Based on this prototype, we evaluate and report on PEARTS security and (modest) overheads.

#### 1. Introduction

The integration of embedded devices across various sectors, including home automation, agricultural technology, wearable gadgets, and smart appliances, has ushered in a multitude of security considerations. While playing a crucial role in enhancing the convenience and connectivity of modern living, embedded devices are characterized by their inherent limitations, which can complicate security efforts. This stems from rudimentary or entirely lacking architectural security features, making them vulnerable to a diverse range of potential threats and vulnerabilities. The importance of addressing security concerns in embedded devices cannot be overstated, especially when deployed in safety-critical environments. In such scenarios, even minor security oversights can yield severe consequences. For instance, the manipulation of sensor data or the disregard of control commands can lead to catastrophic outcomes, ranging from damage to infrastructure to human safety.

To address some of these security concerns, the concept of embedded Remote Attestation (RA) [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14] was proposed to enable remote verification of the integrity and authenticity of embedded device's software. RA is a (typically hardwareassisted) challenge-response protocol wherein a Prover (Prv) generates cryptographic proof of its internal state to a remote Verifier (Vrf) for examination. Based on the proof, Vrf can decide on the trustworthiness of Prv. Proof of Execution (PoX) [15], [16], [17], [18] extends RA to bind the data produced by Prv to the correct execution of an intended software routine (e.g., a sensing function), thereby assuring to Vrf integrity of received data from the point when it is first digitized, i.e., the moment physical measurements are first converted into digital data by edge Micro-Controller Units (MCUs). We revisit details of RA and PoX in Section 2

## **1.1. Motivation: On the Conflict Between PoX Integrity & Real-Time Availability**

Despite its potential to ascertain integrity "from birth" of sensor data (even if MCU software is compromised or illegally modified), current PoX methods require the PoX task (here denoted  $\mathcal{F}$ ) to execute atomically. This ensures that the context (data memory in use by  $\mathcal{F}$ ), resources (e.g., peripherals in use by  $\mathcal{F}$  and their configurations), and timing requirements of  $\mathcal{F}$  cannot be tampered with by concurrent applications on Prv. However, atomic execution hinders the application of PoX to real-time systems, which often rely on Real-Time Operating Systems (RTOS) to ensure strict timebased availability guarantees for various tasks executing on the same MCU. This incompatibility follows naturally from the fact that PoX must run continuously irrespective of deadlines of other time-critical tasks on the same Prv.

We argue that the reliability of real-time systems simultaneously depends on strong runtime integrity and real-time availability guarantees. While PoX and RTOSs may achieve each goal separately, their integration is non-trivial. First, the RTOS should be able to maintain its task scheduling role even when a PoX instance is active. On the other hand, the authenticity and integrity of the execution being proven must be preserved, despite attempts from other applications or a compromised RTOS to tamper with the PoX state. To make matters more challenging, MCU-based RTOSs (such as FreeRTOS [19]) often operate on single-privilege mode, where all running processes have the same level of access to resources as the RTOS itself.

#### **1.2. Intended Contributions**

We define <u>Real-Time Proof of Execution</u> (RT-PoX), an advancement over classic PoX to enable preemptive realtime multitasking to securely coexist with PoX. To realize this concept in practice we design *Provable Execution Architecture for Real-Time Systems* (PEARTS) by leveraging commodity MCU hardware support from the TrustZone-M [20] security extension. To the best of our knowledge, this is the first architecture for remotely verifiable execution integrity able to coexist with an unmodified RTOS while retaining both real-time and execution integrity guarantees. In sum, our contributions are:

- We define the notion of RT-PoX as well as the necessary requirements to achieve RT-PoX in real-time embedded systems. RT-PoX trades PoX original requirement of atomic execution for the assurance that interrupting tasks can not tamper with the timing, state, or resources belonging to the interrupted task without Vrf detection.
- We design PEARTS to realize RT-PoX goals. PEARTS leverages TrustZone-M on single-core ARM MCUs and does not rely on trust assumptions about applications or underlying RTOSs (which typically lack isolation and privilege level separation). PEARTS respects real-time requirements, as scheduled by the RTOS, even during a PoX. Meanwhile, it also monitors for any actions that could violate the integrity of the PoX task across interrupt cycles. Importantly, PEARTS is designed not to require changes to the underlying RTOS.
- To demonstrate PEARTS practicality, we develop and evaluate a fully functional open-source prototype [21] that runs alongside a well-known and unmodified commodity RTOS (FreeRTOS) deployed on a STM32L552ZE MCU [22] featuring a single-core ARM Cortex-M33 processor. Our results show that RT-PoX is obtainable at a relatively small overhead.

As discussed in the rest of this paper, achieving these goals requires addressing several conceptual and technical challenges. First, the single-privilege RTOS model implies a strong adversary (Adv) who may alter both  $\mathcal{F}$  and RTOS behaviors. At the same time, we strive for an approach that does not require modifying the underlying RTOS implementation, enabling seamless integration with existing settings and use cases. To that end, PEARTS leverages ARM TrustZone-M to create an Elastic Secure Region (ESR) used to monitor  $\mathcal{F}$ 's context, control flow, and resources and detect interference attempts during a PoX instance (see Section 5). However, as the RTOS resides in the Non-Secure World (see Section 2 for TrustZone background), it cannot directly interoperate (e.g., act upon scheduling decisions) with a TrustZone-protected task. Compatibility thus requires the creation of a mechanism (that we name "shadow" task) to emulate the (unmodified) RTOS' view of  $\mathcal{F}$  as a normal task while dispatching RTOS decisions related to  $\mathcal{F}$  into actions to be performed by TrustZone's Secure World.

## 2. Background

## 2.1. RA and PoX

RA is a challenge-response protocol in which Vrf aims to check the software image currently installed on Prv, i.e., the content of Prv's program memory (PMEM). As shown in Figure 1, a typical RA protocol is performed as follows:

- 1) Vrf requests RA from Prv by sending a unique cryptographic challenge (Chal).
- 2) An RA root of trust (RoT) within Prv computes an authenticated integrity-ensuring function over PMEM and Chal to produce an authenticated report (H).
- 3) Prv sends H to Vrf.
- 4) Vrf compares H to its expected value.

Step (2) can be implemented using a Message Authentication Code (MAC) or digital signature. The secret key used in this operation must be securely stored and used by the RoT on Prv to ensure it is inaccessible to any untrusted software. As a result, RA protocols usually rely on hardware support to implement this RoT on Prv, e.g., from Trusted Execution Environments (TEEs), as in the case of this work.

PoX augments RA with evidence that a particular software function within PMEM has been correctly executed and that any claimed outputs were direct outcomes of this timely and authentic execution. This is achieved by modifying step (2) in the RA interaction with the capability to compute a different report  $H_{exec}$  if and only if a function  $\mathcal{F}$ , chosen by Vrf and specified along with the request (step 1), is executed in between Prv receiving Chal and computing/sending the authenticated report to Vrf (step 3).

To ensure that the execution of  $\mathcal{F}$  is not tampered with by untrusted software on Prv other than  $\mathcal{F}$ , the RoT suspends all other applications before calling  $\mathcal{F}$ 's execution. As  $\mathcal{F}$  executes, it produces output  $\Theta$ . The PoX report is then computed by signing (or MAC-ing)  $\mathcal{F}$ 's binary,  $\Theta$ , and Chal. The RoT aborts the process (thus failing to produce  $H_{exec}$ ) if any attempt to interrupt or tamper with  $\mathcal{F}$ 's execution is made, as interrupting software could tamper with  $\mathcal{F}$  ongoing state. As noted in Section 1, this atomic execution requirement limits PoX practicality due to its direct conflict with real-time requirements of several embedded applications.

#### 2.2. TrustZone for ARM Cortex-M

TrustZone-M is a security extension for ARMv8 Cortex-M MCUs, establishing a TEE by partitioning CPU resources into two domains known as the "Secure" and "Non-Secure"



Figure 1: Transcript of RA/PoX interactions

Worlds. Each of these domains receives dedicated and physically isolated resources, including memory and peripherals.

**Memory Protection.** To enforce memory isolation, TrustZone-M implements two hardware controllers: the Secure Attribution Unit (SAU) and the Implementation-Defined Attribution Unit (IDAU). SAU grants the system the ability to define security designations (Secure or Non-Secure) to memory segments and allows for dynamic configuration of these designations at runtime. Conversely, the IDAU allows the establishment of security levels for predetermined memory blocks that are defined by the device manufacturer and unmodifiable thereafter.

As Cortex-M devices do not feature virtual memory/Memory Management Units (MMUs), a Memory Protection Unit (MPU) is used to implement access control policies directly – in physical memory. When TrustZone is present, the MPU is divided into two segments: the Secure MPU (S-MPU) for the Secure World and the Non-Secure MPU (NS-MPU) for the Non-Secure World. Access to the S-MPU configuration registers is only allowed to the Secure World, while the NS-MPU registers are accessible to both worlds.

**Peripherals Isolation.** Peripherals in Trustzone-M can be categorized into three distinct types based on their security capabilities: non-securable, securable, and TrustZoneaware peripherals. Non-securable peripherals are those that do not support any security features; they are always accessible from both Secure and Non-Secure worlds and cannot be protected by TrustZone mechanisms. Securable peripherals, on the other hand, support basic security features that allow them to be designated as either Secure or Non-Secure. TrustZone-aware peripherals are equipped with intrinsic mechanisms that not only allow them to be designated as Secure or Non-Secure but also enable them to react dynamically to security states or conditions.

**Interrupt Isolation.** To handle interrupts, the Cortex-M architecture includes a Nested Vectored Interrupt Controller (NVIC). When TrustZone-M is enabled, it supports two Interrupt Vector Tables (IVTs): one for the Secure and one for the Non-Secure World. Thus, each interrupt is individually configured as Secure or Non-Secure. The NVIC includes a register called Interrupt Target Non-Secure (NVIC\_ITNS) used to designate interrupts as belonging to the Secure and Non-Secure Worlds. This register can only be configured by the Secure World.

Secure interrupts can be configured to have higher priority than Non-Secure interrupts. When a high-priority Secure interrupt occurs, the CPU pauses Non-Secure operations and redirects execution to the respective Interrupt Service Routine (ISR), implemented in the Secure World. During this process, hardware stores the register context of the Non-Secure World automatically in the Non-Secure stack and changes the processor state to Secure. After handling the interrupt, the ISR updates the program counter (PC) to trigger the *Exception Return* routine, restoring the previous state and resuming Non-Secure task execution.

# 2.3. Embedded Real-Time Operating Systems and ARM Cortex-M

RTOSs are widely used specialized operating systems designed for resource-constrained embedded systems with real-time response requirements [23]. Their core attribute is deterministic behavior, achieved through task prioritization based on predefined deadlines, ensuring the timely and predictable execution of critical tasks. However, their focus on real-time constraints and simplicity often leaves security practices (e.g., isolation) as a secondary priority. For instance, widely used RTOSs such as FreeRTOS, are typically used in a single-privileged setup, having user-level and kernel-level code to coexist at the same privilege level without isolation [24].

**Systick and PendSV.** Typically, embedded RTOSs use a timer to switch active tasks. The timer triggers periodic interrupts, known as "systicks". When these interrupts occur, the RTOS scheduler checks the priorities assigned to current tasks. If needed, it switches to execute a different task. In ARM Cortex-M systems, instead of immediately switching tasks during the systick, it is common for the systick ISR to set up another interrupt called PendSV to happen afterward. When no higher priority interrupts are pending, PendSV is activated to perform the task context switch. This ensures precedence to critical interrupt handling over task switching.

**Stack Pointers.** In bare-metal RTOSs, two distinct stack pointer registers are available: the Process Stack Pointer (PSP) and the Main Stack Pointer (MSP). PSP is primarily used by application threads (tasks) for regular stack operations. MSP is used by the RTOS during boot, initialization, and by ISRs. When TrustZone is present, PSP and MSP are banked across the Secure and Non-Secure worlds. This means that each world maintains its own PSP and MSP registers, allowing for secure and non-secure task stacks to be managed independently

**OS Services.** RTOSs typically offer a variety of services for tasks. In single-privilege environments, where conventional system calls for privilege elevation are inexistent, these services are often accessed through direct method-/function calls, instead of system call exceptions. Typical RTOS services include dynamic task management for creating and adjusting tasks; scheduling algorithms for task prioritization and timing; synchronization mechanisms such as semaphores and mutexes for coordination; precise timing services using timers; interrupt handling for responding to external stimuli; memory management for optimal resource allocation; inter-task communication for data transfer; and error handling mechanisms to ensure system stability and reliability.



ISR = Interrupt Service Routine Figure 2: RTOS and software modules on Prv

## 3. **RT-PoX Definition**

#### 3.1. Scope & Notation

RT-PoX targets settings that (contrary to classic PoX) depend on an RTOS to schedule multiple tasks on Prv. Vrf wants to assess if an output  $\Theta$  was produced by the timely execution of a Vrf-defined function  $\mathcal{F}$  on a specific Prv, checking that  $\Theta$  was not corrupted by any other (potentially malicious) software simultaneously installed and running on the same Prv.

As illustrated in Figure 2, the RTOS manages and preemptively schedules N software tasks, denoted as a set  $S = \{S_1, ..., S_{N-1}, S_{App}\}$ . Along with tasks, Prv implements K Interrupt Service Routines (*ISRs*), denoted  $I = \{ISR_1, ..., ISR_{M+1}, ..., ISR_K\}$ . Among tasks running on Prv, Vrf wants to receive a PoX of  $S_{App}$ .  $S_{App}$  behavior may depend on inputs obtained through the asynchronous (i.e., upon interrupt triggers) execution of one or more *ISRs*  $\{ISR_{M+1}, ..., ISR_K\} \subset I$ . A valid execution of  $S_{App}$  must start from entry point instruction ( $s_{entry}$ ) and conclude at an exit point ( $s_{end}$ ). We refer to  $S_{App}$  and the code of all *ISRs* it depends upon as a self-contained functionality  $\mathcal{F}$ . We define untrusted code ( $\mathcal{F}_{Adv}$ ) to encompass the RTOS and other tasks and ISRs that are not in  $\mathcal{F}$ . This separation is also depicted in Figure 2.

According to the constraints discussed in Section 1, we consider Prv as low-power single-core MCU with limited program (PMEM) and data (DMEM) memory in the order of dozens of kilobytes. Prv runs software at "bare-metal", executing instructions in place (physically from PMEM), and with no MMU to support virtual memory or interprocess isolation.

Furthermore, we define  $\mathcal{F}$ 's execution context  $Ctx(\mathcal{F})$ as all physical memory addresses written and read by  $\mathcal{F}$ during its execution, including input arguments given to  $\mathcal{F}$ , any global variables used by  $\mathcal{F}$ , and any physical peripheral addresses/peripheral configuration addresses  $\mathcal{F}$  may use/depend upon (e.g., General Purpose Input/Output (GPIO) and associated configuration registers).

#### **3.2. RT-PoX Requirements**

Removal of atomic execution introduces significant security challenges as it opens the door to illegal modifications to  $Ctx(\mathcal{F})$  during  $\mathcal{F}$  execution. Such incidents can stem from interrupts that result in  $\mathcal{F}_{Adv}$  controlling Prv state while  $\mathcal{F}$  execution is paused (but not completed). The same applies when  $\mathcal{F}$  demands RTOS services and issues system calls.

It follows that  $\mathcal{F}$  execution integrity depends on  $\mathcal{F}_{Adv}$  non-interference with  $Ctx(\mathcal{F})$  while  $\mathcal{F}$  executes, i.e:

$$Ctx(\mathcal{F}) \cap Ctx(\mathcal{F}_{\mathsf{Adv}}) = \emptyset, \tag{1}$$

where  $\cap$  denotes interference, i.e., Equation 1 asserts that no physical memory address accessed by  $\mathcal{F}$  during its execution is modified by  $\mathcal{F}_{Adv}$ .

Despite non-interference stipulated in Equation 1, timing attacks [25], [26], [27] may still affect critically timed behavior in  $\mathcal{F}$ . Therefore, Vrf must be able to assess any timing requirements that pertain to the correctness of  $\mathcal{F}$ . The root of the timing issue lies in the ability of  $\mathcal{F}_{Adv}$  to artificially delay the resumption of  $\mathcal{F}$ . Therefore,  $\mathcal{F}$  interrupt locations (i.e., at which instruction  $\mathcal{F}$  is paused) and periods (for how many clock cycles) must be observable by Vrf in the PoX result.

Aside from timing, Vrf must be informed of the nature of transitions between the  $\mathcal{F}$  and  $\mathcal{F}_{Adv}$  to define what constitutes a valid interrupt delay. This is because different interrupts/system calls or the same system calls with different arguments have varied timing constraints, e.g., a task "delay" system call (namely vTaskDelay in FreeRTOS) with argument "10 seconds" should take 10 seconds before resuming the caller task. Earlier resumption may cause the caller to access a resource that is not yet ready. Late resumption may result in missed sensing/actuation deadlines.

Finally, execution control flow path attacks can be leveraged by  $\mathcal{F}_{Adv}$  to divert the correct order in which instructions of  $\mathcal{F}$  should execute. This is possible without changing memory in use by  $\mathcal{F}$  or its timing, by simply jumping back to the incorrect instruction address of  $\mathcal{F}$  when resuming from an interrupt or a system call.

Given the aforementioned challenges, we stipulate that a secure RT-PoX must guarantee the following Properties 1-5 to support  $\mathcal{F}$  integrity irrespective of  $\mathcal{F}_{Adv}$ 's control of Prv state through interrupt periods within  $\mathcal{F}$  execution.

#### Property 1 - Ephemeral Immutability.

The binary of  $\mathcal{F}$  (in Prv's PMEM) must be immutable while  $\mathcal{F}$  executes and in between its execution and measurement (i.e, the latter part of the PoX procedure – recall Section 2).

Without Property 1,  $\mathcal{F}_{Adv}$  could change the binary of  $\mathcal{F}$  (which by definition also includes the code implementing ISRs  $\mathcal{F}$  depends upon). Clearly, this would modify  $\mathcal{F}$ 's behavior. Note that simply disabling all runtime modifications to PMEM in a single privilege system impedes remote software updates [7], which is impractical in many settings. Instead, RT-PoX must ensure that  $\mathcal{F}$  binary remains consistent (with the hash value reported to Vrf) during its execution, allowing PMEM modifications otherwise.

## **Property 2 - Execution Flow Integrity.**

Interrupts, system calls, or execution of  $\mathcal{F}_{Adv}$  must not affect the integrity of  $\mathcal{F}$ 's control flow. Additionally,  $\mathcal{F}$  must start from its valid entry point  $(s_{entry})$  and terminate at its valid exit  $(s_{exit})$ .

Per Property 2, RT-PoX requires that untrusted code execution due to transfers from  $\mathcal{F}$  to  $\mathcal{F}_{Adv}$  — such as interrupts, system calls, or task switches — must not affect the integrity of  $\mathcal{F}$ 's execution flow when  $\mathcal{F}$  execution resumes.

#### Property 3 - Context Integrity.

Data in use by  $\mathcal{F}$  must not be subject to influence from  $\mathcal{F}_{Adv}$ . This includes physical memory used by  $\mathcal{F}$  in DMEM, register contents, and data inputs obtained from I/O peripherals.

Property 3 ensures that  $\mathcal{F}$  does not rely on data provided or modified by  $\mathcal{F}_{Adv}$ , including any changes to peripheral configurations (e.g., timer or GPIO resolution) that could indirectly affect  $\mathcal{F}$ 's I/O values obtained by  $\mathcal{F}$ . We note, however, that data inputs used by  $\mathcal{F}$  can be influenced by external temporal/physical factors (which are independent of Prv's internal software state). For example, a physical temperature change could (and should) affect the data inputs of  $\mathcal{F}$  if  $\mathcal{F}$  is for instance a temperature-based application performing a temperature read.

#### **Property 4 - Timing Integrity.**

RT-PoX should provide Vrf with information about any delays to  $\mathcal{F}$  caused by  $\mathcal{F}_{Adv}$  execution periods (due to interrupts and system calls).

Property 4 allows Vrf to decide if any delays caused are still acceptable for the functionality implemented by  $\mathcal{F}$ .

# Property 5 - RTOS Availability.

RT-PoX must co-exist and not interfere with RTOS duties, e.g., task scheduling, timing, and resource allocation.

Property 5 is the *raison d'être* of real-time systems, where the predictability and reliability of task execution time are vital. It is also the main motivation of RT-PoX over classic PoX. RT-PoX enables the co-existence of PoX and a Non-Secure World RTOS responsible for scheduling. This maintains the RTOS outside the PoX trusted computing base (TCB). We highlight that RT-PoX focus is not to guarantee proper scheduling/availability despite a compromised RTOS. The latter is the focus of mechanisms supporting trusted scheduling (e.g., [28], [29], [30], [31]). Appendix C further elaborates on this difference.

#### 4. PEARTS Overview

PEARTS realizes RT-PoX on an off-the-shelf embedded RTOS (FreeRTOS) running on commodity MCUs (ARM Cortex-M) and does not require RTOS modifications. Toward this goal, it leverages ARM TrustZone-M to establish a secure environment that monitors the execution of  $\mathcal{F}$  during a PoX, enforcing RT-PoX properties.

#### 4.1. System Assumptions

**Device.** Prv consists of a resource-constrained single-core, bare-metal MCU (as described in Section 3.1) equipped with TrustZone-M (recall Section 2 for TrustZone-M details).

**RTOS.** We model the RTOS after the default structure of FreeRTOS, given its widespread adoption in practical settings [32]. It employs systick-based interrupts for time tracking and to decide when a context switch is needed. The PendSV ISR implements context switches. Tasks and the RTOS run within the same privilege level (no privilege separation/isolation) [24].

**Software Architecture**. The RTOS and tasks it oversees (including  $\mathcal{F}$ ) are housed in Prv's Non-Secure World. PEARTS RoT implementation, denoted  $\mathcal{F}_{RoT}$ , resides in the Secure World and has exclusive access to a secret key (*sk*). The corresponding public key (*pk*) is securely provisioned to Vrf before Prv's deployment.

**Remark.** We note that the trivial approach of implementing  $\mathcal{F}$  within the Secure World (thus isolated from the Non-Secure World) does not achieve RT-PoX. Such an approach does not allow RT-PoX of multiple, arbitrary (Vrf-configurable) applications, as it would fix  $\mathcal{F}$  to code shipped as part of the Secure World, at device deployment time. Furthermore, it would mix the TCB of PEARTS's RoT with the untrusted code of multiple applications that Vrf may want to execute provably (within the Secure World, in this hypothetical case).

#### 4.2. Adversary Model

The Adversary (Adv) is assumed to have full control over Prv's Non-Secure World and can alter its code (e.g., via code injection attacks) and exploit vulnerabilities to cause control flow hijacks and code reuse attacks. The RTOS in the Non-Secure World is not considered intently malicious, but rather untrustworthy (i.e., could contain exploitable bugs). Adv can also attempt to manipulate  $\mathcal{F}$  (such an attempt should be detected by a secure RT-PoX- recall Property 1). Adv can change Non-Secure World interrupt configurations to trigger ISRs at will and can alter or corrupt ISR implementations. However, given TrustZone-M protections, Adv cannot access or tamper with code or data in the Secure World. Similarly, it cannot deactivate or circumvent the TrustZone-M hardware-enforced access control rules and assurances. Physical and hardware-modifying attacks are out-of-scope, as they require orthogonal tamper resistance measures [33].



Figure 3: RT-PoX steps with PEARTS.

#### 4.3. Workflow

At  $\mathcal{F}$  compilation time,  $\mathcal{F}$  binary is generated with a custom linker to make its code self-contained/independent from  $\mathcal{F}_{Adv}$ . PEARTS supports but does not mandate the assignment of ISRs as a part of  $\mathcal{F}$ . If  $\mathcal{F}$  functionality relies on ISRs, relevant ISRs (and their dependencies) must be linked within  $\mathcal{F}$ 's binary as a part of  $\mathcal{F}$  implementation itself; otherwise, they can be excluded from  $\mathcal{F}$ .  $\mathcal{F}$  system calls are also instrumented, as depicted in  $\bigcirc$  from Figure 3. The instrumentation of  $\mathcal{F}$  system calls is used to ensure that they are intercepted and adequately dispatched by PEARTS's RoT. PEARTS system call dispatching ensures that system call timing requirements can be verified irrespective of  $\mathcal{F}_{Adv}$  behavior.

A PEARTS instance begins when Vrf sends an RT-PoX request (containing challenge Chal) to Prv, requesting a timely execution of  $\mathcal{F}$ , as shown in **()**. Upon receiving the request, Prv must call  $\mathcal{F}_{RoT}$  to start the PEARTS Initialization Routine 2. This routine sets up the initial transition from  $\mathcal{F}_{Adv}$  to  $\mathcal{F}$ . This includes configuring a so-called Elastic Secure Region (ESR). ESR is a memory region in the Non-Secure world used to isolate  $\mathcal{F}$  memory from  $\mathcal{F}_{Adv}$ . Additionally, the initialization routine sets up all interrupts that do not belong to  $\mathcal{F}$ , to be trapped in the Secure World. This ensures that any eventual illegal memory accesses and control flow transitions between  $\mathcal{F}$  and  $\mathcal{F}_{Adv}$  are observable by  $\mathcal{F}_{RoT}$ . Furthermore, all peripherals are initially configured to be inaccessible to the Non-Secure World (including both  $\mathcal{F}_{\mathsf{Adv}}$  and  $\mathcal{F}).$  This traps  $\mathcal{F}$  attempts to access peripherals to  $\mathcal{F}_{RoT}$ , allowing  $\mathcal{F}_{RoT}$  to mark them as "in use" by  $\mathcal{F}$  and detect subsequent interfering accesses by  $\mathcal{F}_{Adv}$ .

Once the setup is complete,  $\mathcal{F}_{RoT}$  launches  $\mathcal{F}$  execution in ESR by switching the CPU mode to Non-Secure and jumping to  $s_{entry}$  (step 3). To support other real-time operations on Prv,  $\mathcal{F}$  execution may be sporadically paused to execute  $\mathcal{F}_{Adv}$  (e.g., due to  $\mathcal{F}$ -issued system calls or  $\mathcal{F}_{Adv}$ interrupts/context switches). Nonetheless, due to the traps created in the Initialization Routine,  $\mathcal{F}_{RoT}$  can monitor these transitions (step **4**) to detect control/data-flow violations as well as to record the duration of each transition. Once  $\mathcal{F}$  concludes at  $s_{end}$ , producing the output  $\Theta$ , it returns to  $\mathcal{F}_{RoT}$ , as shown in **5**.

During  $\mathcal{F}_{Adv}$  execution, any resources not exclusively used by  $\mathcal{F}$  are still freely accessible, allowing  $\mathcal{F}_{Adv}$  to operate normally without being blocked by PEARTS. The access to resources in use by  ${\mathcal F}$  is monitored by  ${\mathcal F}_{\mathsf{RoT}}$  to ensure non-interference by  $\dot{\mathcal{F}}_{Adv}$ . A so-called interference **exception** is triggered if  $\mathcal{F}_{Adv}$  attempts to: (i) access one of  $\mathcal{F}$ 's exclusive resources ( $\mathcal{F}$  code/data or peripherals) or (ii) execute code within ESR (e.g., directly jump to ESR without going through  $\mathcal{F}_{RoT}$ ). To preserve the RTOS availability,  $\mathcal{F}_{\mathsf{RoT}}$  records the exception and releases the resource to  $\mathcal{F}_{Adv}$ . The recorded exception is later included in the RT-PoX report (R) along with  $\Theta$  and  $\mathcal{F}$  measurement, which are all signed by  $\mathcal{F}_{RoT}$  and sent to Vrf (in **6**). Upon receiving R, in **(7**), Vrf considers  $\Theta$  trustworthy only if: (i) the signature is valid; (ii) no interference exceptions are reported<sup>1</sup>; (iii) all reported transitions between  $\mathcal{F} \leftrightarrow \mathcal{F}_{\mathsf{Adv}}$  occur within acceptable duration (according to  $\mathcal{F}$  requirements).

#### 4.4. PEARTS Guarantees at a High Level

Before delving into PEARTS details in Section 5, we here discuss the high-level rationale behind the workflow discussed in Section 4.3 in guaranteeing the properties introduced in Section 3.2.

<sup>1.</sup> Optionally, Vrf may choose to analyze the context of specific interferences to judge if they could have affected  $\mathcal{F}$  outcome.

**Property 1** ( $\mathcal{F}$  immutability) is attained by having  $\mathcal{F}$  code in ESR. Whenever a transition to  $\mathcal{F}_{Adv}$  occurs during  $\mathcal{F}$  execution,  $\mathcal{F}_{RoT}$  takes over the control to configure ESR (via the SAU TrustZone controller, recall Section 2) as a Secure Region before switching to  $\mathcal{F}_{Adv}$ . With this configuration, any  $\mathcal{F}_{Adv}$  attempts to access ESR will cause a fault; this fault redirects the control to  $\mathcal{F}_{RoT}$ , which saves such attempts to include them in R that will later be sent to Vrf.  $\mathcal{F}_{RoT}$  reverts ESR back to a Non-Secure Region when transitioning back to  $\mathcal{F}$  execution. This approach also ensures that  $\mathcal{F}$  TCB and  $\mathcal{F}_{RoT}$  TCB are isolated from each other (as  $\mathcal{F}$  does not execute in the Secure World). Since  $\mathcal{F}_{Adv}$  cannot modify  $\mathcal{F}$  code (located inside ESR) without  $\mathcal{F}_{RoT}$  detection, **Property 1** is fulfilled.

For **Property 2** (execution flow integrity),  $\mathcal{F}_{RoT}$  stores the proper return address before dispatching interrupts/system calls to  $\mathcal{F}_{Adv}$  and resumes  $\mathcal{F}$  at this address after  $\mathcal{F}_{Adv}$  execution concludes. Since the return address is stored in the Secure World, it cannot be manipulated by  $\mathcal{F}_{Adv}$ .  $\mathcal{F}_{Adv}$  may also attempt to cause execution flow attacks by directly jumping to the middle of  $\mathcal{F}$ . However, as  $\mathcal{F}$  code resides in ESR (inaccessible to  $\mathcal{F}_{Adv}$ ) such attempts lead to an interference exception which is therefore detected and included on the report to Vrf by  $\mathcal{F}_{RoT}$ .

Recall that  $Ctx(\mathcal{F})$  consists of all memory regions allocated or used during  $\mathcal{F}$  execution, including its DMEM, peripheral addresses, and peripheral configuration addresses. PEARTS achieves **Property 3** (Data Integrity) using three methods. First, in addition to  $\mathcal{F}$ 's code,  $\mathcal{F}_{RoT}$  makes  $\mathcal{F}$ 's DMEM part of ESR. Doing so prevents illegal access to  $\mathcal{F}$ 's runtime data during  $\mathcal{F}_{Adv}$  execution. Second,  $\mathcal{F}_{RoT}$ configures the peripherals used by  $\mathcal{F}$  to be inaccessible by the Non-secure World while  $\mathcal{F}_{Adv}$  executes. This prevents  $\mathcal{F}_{Adv}$  code from altering peripheral configurations or stealing peripheral data meant for  $\mathcal{F}$  without detection and logging by  $\mathcal{F}_{RoT}$ . Third,  $\mathcal{F}$  system calls are instrumented with trampolines to the System Call Dispatcher in  $\mathcal{F}_{RoT}$ . This causes  $\mathcal{F}_{RoT}$  to intercept them before redirection to the RTOS, allowing PEARTS to monitor RTOS's response times and log timing manipulations.

**Property 4** (Timing Integrity) is satisfied in PEARTS by  $\mathcal{F}_{RoT}$ 's implementation always recording each operation (i.e., system calls, returns, interrupts, or returns from interrupts) that triggers a transition during  $\mathcal{F}$  execution. Also,  $\mathcal{F}_{RoT}$  logs the timestamp of each transition using a dedicated secure clock that is only accessible/configurable to/by  $\mathcal{F}_{RoT}$  within the Secure World.

By design,  $\mathcal{F}$  provable execution is interruptible while leveraging aforementioned interference exceptions to detect and log (but not block) any external interference. Therefore, an RTOS can still fulfill its duties according to any underlying real-time requirements, realizing **Property 5** (RTOS Availability).

#### 5. PEARTS Design in Detail

## 5.1. Interference Exceptions

This section explains the resource isolation scheme to enable exception-based monitoring (Section 5.1.1) and details how each type of interference exception is handled and reported in PEARTS reports (Section 5.1.2). Interference exceptions are active whenever an RT-PoX instance exists in the system, i.e., in between PEARTS Initialization (Section 5.2) and Finalization (Section 5.6) routines.

#### 5.1.1. Resource Isolation Scheme.

**Code & Data Isolation.** The Non-Secure memory (including PMEM and DMEM) is partitioned into two regions, ESR and the rest of the system memory, each containing its own code and data sections. ESR is used for storing  $\mathcal{F}$  and the rest is for  $\mathcal{F}_{Adv}$ . During a PEARTS protocol instance, whenever a transition happens from  $\mathcal{F}$  to  $\mathcal{F}_{Adv}$ ,  $\mathcal{F}_{RoT}$  marks the ESR as a Secure Region by modifying the SAU controller configuration. As a result, any subsequent attempts by  $\mathcal{F}_{Adv}$  to access (read, write, or execute) ESR will trigger an interference exception, notifying  $\mathcal{F}_{RoT}$  about these attempts. Conversely, when  $\mathcal{F}_{Adv}$  returns the control to  $\mathcal{F}$ ,  $\mathcal{F}_{RoT}$  sets ESR as a Non-Secure Region, re-enabling execution and access to  $\mathcal{F}$  in the Normal World.

**Peripheral Isolation.** At the beginning of PEARTS protocol,  $\mathcal{F}_{RoT}$  configures all peripherals to the Secure state. This restricts direct access to all peripherals from Non-Secure World (including  $\mathcal{F}$ ) during  $\mathcal{F}$  execution. When  $\mathcal{F}$  needs to access a certain peripheral, it must request access to  $\mathcal{F}_{RoT}$ . Upon receiving it,  $\mathcal{F}_{RoT}$  switches the peripheral to the Non-Secure state and associates it with  $\mathcal{F}$ . Whenever a transition  $\mathcal{F} \rightarrow \mathcal{F}_{Adv}$  occurs,  $\mathcal{F}_{RoT}$  configures peripherals in use by  $\mathcal{F}$  as belonging to Secure-World and other peripherals as belonging to Normal World. As a result,  $\mathcal{F}_{Adv}$  attempts to access  $\mathcal{F}$  peripherals lead to interference exceptions, thereby notifying  $\mathcal{F}_{RoT}$  of the attempted access.

**Remark.** The secure configuration of peripherals does not prevent  $\mathcal{F}_{Adv}$  from accessing these resources. Instead, it is leveraged to trigger  $\mathcal{F}_{RoT}$  to quickly log the peripheral access before allowing it (see details below). This ensures that the RT-PoX report informs Vrf of any potential interference of  $\mathcal{F}_{Adv}$  on peripherals that  $\mathcal{F}$  may depend upon during execution.

#### 5.1.2. Interference Exception Handling.

When an interference exception is triggered,  $\mathcal{F}_{RoT}$  examines the source address that caused the fault to determine its origin. A flag corresponding to the type of fault cause is added to the RT-PoX exception log ( $\mathbb{E}log$ ).  $\mathbb{E}log$  is subsequently included in the RT-PoX report. If the fault was caused by an access to ESR, PEARTS deactivates the ESR, re-configuring it as a Non-Secure region to allow the access (as this could be a time-critical access to a resource in use by  $\mathcal{F}$ ). If the fault resulted from peripheral access, PEARTS re-configures the peripheral to be part of the Non-Secure world after logging the access. By allowing  $\mathcal{F}_{Adv}$  to continue operation after a fault, PEARTS avoids disrupting other potentially critical tasks in Prv and allows  $\mathcal{F}$  to resume its execution afterward. At the same time, it ensures that any interference is logged in the RT-PoX report that is sent to Vrf after  $\mathcal{F}$  execution.

To track time delays that  $\mathcal{F}_{Adv}$  interrupts might introduce to  $\mathcal{F}$ 's execution we define a tuple to be measured for each transition  $\mathcal{F}_{Adv} \leftrightarrow \mathcal{F}$  (in both directions). This tuple captures the execution timestamp t of the context switch and is structured as

$$e = [Op, Src, Dst, Args, t]$$
<sup>(2)</sup>

where:

- Op is the operation initiating the transition between  $\mathcal{F}$  and  $\mathcal{F}_{Adv}$  (a particular interrupt or system call);
- *Src* is the last instruction address executed before the transition;
- *Dst* is the jump-to destination address of the transition; and
- *Args* contains relevant arguments in the transition (e.g., system calls parameters, if applicable).

The sequence  $\mathbb{T}log = [e_0, ..., e_e]$  (where each  $e_i$  has the form defined in Equation 2) contains information of all transitions during  $\mathcal{F}$  execution and is also included in the RT-PoX report sent to Vrf.

#### 5.2. Initialization Routine

Upon receiving an RT-PoX request from Vrf, RTOS creates a task, associated with the RT-PoX execution, that triggers the  $\mathcal{F}_{RoT}$  to start PEARTS Initialization Routine, performing the following:

- Memory Allocation.  $\mathcal{F}_{RoT}$  reserves memory segments within ESR for  $\mathcal{F}$  data allocation. This includes moving  $\mathcal{F}$  stack pointers (PSP and MSP, recall from 2.3) and heap structures to fall within that range.
- **Peripheral Configurations**. All the peripherals are set to be accessible only by the Secure World. This enables the exception-based interference monitoring described in Section 5.1.
- **DMA Configuration.**  $\mathcal{F}_{RoT}$  checks if any DMA channel is configured to write within ESR. If so, a record is added to  $\mathbb{E}log$  detailing the address range and peripheral(s) involved in DMA writing.
- $\mathcal{F}$  **Binary Measurement.**  $\mathcal{F}_{RoT}$  hashes ESR PMEM and the NS-IVT (which contains code pointers to the ISRs called upon each possible interrupt trigger, including the ISRs belonging to  $\mathcal{F}$ ). This result –  $H(\mathcal{F})$  – is later included in the RT-PoX report.
- Interrupt Dispatchers.  $\mathcal{F}_{RoT}$  configures all interrupts that are not associated with  $\mathcal{F}$  to be trapped by the Secure World. This setup intercepts any transitions between  $\mathcal{F}$ and  $\mathcal{F}_{Adv}$  triggered by interrupts to ensure that they are securely dispatched back to their original ISRs in the Non-Secure World (see dispatching details in Section 5.3).
- Secure Timer.  $\mathcal{F}_{RoT}$  reserves a hardware timer to timestamp transitions between  $\mathcal{F}$  and  $\mathcal{F}_{Adv}$ , monitoring the time taken by  $\mathcal{F}_{Adv}$  to resume  $\mathcal{F}$ .

#### 5.3. Interrupt Dispatcher

Recall that PEARTS redirect interrupts to the Secure World so that  $\mathcal{F}_{RoT}$  can configure the system to enforce non-interference with  $\mathcal{F}$  before allowing Non-Secure ISR handling. To redirect interrupts, PEARTS configures them as Secure. This implies that the S-IVT is used to locate the ISR responsible for handling each trigger (instead of NS-IVT). This is accomplished by setting the corresponding bits in the NVIC\_ITNS registers (recall Section 2.2) to 0 for all interrupts. PEARTS maintains two versions of the NVIC\_ITNS: one for when  $\mathcal{F}$  is active and another for when  $\mathcal{F}_{\mathsf{Adv}}$  is active. When  $\mathcal F$  is active, the interrupts not related to  $\mathcal{F}$  are marked as Secure in the NVIC\_ITNS while the  $\mathcal{F}$ related ones are marked as Non-Secure. Conversely, when  $\mathcal{F}_{Adv}$  is active, all interrupts from  $\mathcal{F}$  are set as Secure and all others return to the original security state. This dynamically adjusts the security settings based on the active application to maintain operational integrity.

Note that the assignment of interrupts to  $\mathcal{F}$  should be based on whether  $\mathcal{F}$ 's functionality depends on the ISR execution. If  $\mathcal{F}$  does not rely on any interrupts, all interrupts should be assigned to  $\mathcal{F}_{Adv}$ .

## 5.4. RTOS System Calls Within $\mathcal{F}$

 $\mathcal{F}$  should be self-contained to include all code its functionality depends upon. However, to maximize Prv utilization by other simultaneous tasks,  $\mathcal{F}$  must still use RTOS system calls related to scheduling and time management. For instance, if  $\mathcal{F}$  must "sleep" for 10 seconds, it should be able to use the RTOS system calls to sleep. In that way, the RTOS would be notified of the 10-second slot made available by  $\mathcal{F}$  and potentially allocate it to other tasks, increasing system utilization. However, reliance on system calls implemented by the potentially compromised RTOS may result in violations to  $\mathcal{F}$ 's execution integrity, e.g., if instead of waking up  $\mathcal{F}$  after the expected 10 seconds,  $\mathcal{F}_{Adv}$ were to hold control for a shorter or longer period.

PEARTS allows  $\mathcal{F}$  to make RTOS system calls for functions that involve time management, scheduling, and synchronization. However, instead of directly handing control to the RTOS, PEARTS instruments the aforementioned system calls to trigger  $\mathcal{F}_{RoT}$  to start its own measurement of the time taken to resume  $\mathcal{F}$ . This is achieved using the  $\mathcal{F}_{RoT}$ dedicated Secure Timer discussed in Section 5.2. The secure time measurements are used to construct  $\mathbb{T}log = [e_0, ..., e_e]$ (as discussed in Section 5.1). At the same time, this enables the use of the default RTOS system calls for time management and scheduling of  $\mathcal{F}$  together with other tasks in the system. Appendix B lists system calls supported in PEARTS prototype (along with related security considerations).

#### 5.5. Auxiliary $\mathcal{F}_{RoT}$ Services

Heap Memory Allocation. In real-time embedded systems, dynamic memory allocation is often avoided due to

overhead and, in some cases, unpredictability. In situations where dynamic allocation is required, the memory allocation process is handled by an RTOS service. In our scenario, however,  $\mathcal{F}$  cannot yield control over its memory to  $\mathcal{F}_{Adv}$ . Thus, when  $\mathcal{F}$  uses dynamic allocation, a separate instance of the memory allocator is implemented within the ESR. When dynamic memory allocation is required by  $\mathcal{F}$ ,  $\mathcal{F}_{RoT}$  assigns space in ESR designated as the heap during the Initialization Routine.

**DMA Management.** CPU-independent writes by DMA might attempt to modify ESR. To mitigate this, PEARTS revokes DMA permissions from the Non-Secure World and provides an API that allows the Non-Secure World to request DMA operation configuration to  $\mathcal{F}_{RoT}$ . This allows  $\mathcal{F}_{RoT}$  to log DMA attempts that interfere with  $Ctx(\mathcal{F})$  to  $\mathbb{E}log$ .

**Self-Timing.**  $\mathcal{F}$  can perform secure time measurements during its execution through a request to a time function implemented by  $\mathcal{F}_{RoT}$ . This is implemented using the same reserved secure timer discussed in Section 5.2, also used to time  $\mathcal{F}_{Adv}$  execution periods when  $\mathcal{F}$  is interrupted.

#### 5.6. Finalization Routine and Verification

After  $\mathcal{F}$  execution concludes, the Finalization Routine is triggered. This routine restores the system's configuration to its state prior to the RT-PoX process. It frees DMA and peripherals for the Non-Secure World, sets ESR as Non-Secure, clears runtime memory, and restores interrupt configurations. Finally, it generates the attestation report R.

The RT-PoX report  $R = \{\sigma_{\mathcal{F}}, \mathbb{E}log, \mathbb{T}log, \Theta\}$  contains information needed by Vrf to assess the integrity of  $\mathcal{F}$ 's execution on Prv.  $\mathbb{E}log$  contains all external ( $\mathcal{F}_{Adv}$ ) accesses that interfered with  $\mathcal{F}$ 's context during its execution.  $\mathbb{T}log$ contains the times and context switch information of all interrupts and system calls during  $\mathcal{F}$ 's execution.  $\Theta$  is the output of  $\mathcal{F}$  execution.  $\sigma_{\mathcal{F}}$  is the signature

$$\sigma_{\mathcal{F}} = Sign_{sk}(H(\mathcal{F})||\mathsf{Chal}||\mathbb{E}log||\mathbb{T}log||\Theta)$$

computed using the Secure World's secret key sk. Therefore, it authenticates  $\mathcal{F}$ 's binary,  $\mathbb{E}log$ ,  $\mathbb{T}log$  and  $\Theta$ , and proves the freshness of R through Chal. Importantly,  $H(\mathcal{F})$  and Chal are committed to an RT-PoX instance by the Initialization Routine before  $\mathcal{F}$  execution.  $\mathcal{F}$  (in ESR) is immutable thereafter. On every RT-PoX instance,  $\sigma_{\mathcal{F}}$  is computed on the same  $H(\mathcal{F})$  and Chal committed during initialization and only after  $\mathcal{F}$  execution reaches its last instruction ( $s_{exit}$ ), indicating  $\mathcal{F}$ 's execution has completed.

After authenticating  $\sigma_{\mathcal{F}}$ , checking  $H(\mathcal{F})$ , and checking Chal, Vrf can examine  $\mathbb{T}log$  for adherence to applicationspecific timing constraints. Similarly, it can inspect  $\mathbb{E}log$  to verify that  $\mathcal{F}$  context was not tampered with.

#### 6. Security Analysis

Adv's goal is to convince Vrf that  $\mathcal{F}$  executed correctly on Prv (optionally producing some  $\Theta$  output) when no such execution occurred, when its context or timing constraints were tampered with, or when  $\Theta$  is not a direct result of said execution. Towards this goal Adv might attempt to perform:

- $\mathcal{F}$  binary modifications. Adv might change  $\mathcal{F}$  binary prior to the initiation of RT-PoX process. However, as  $H(\mathcal{F})$  is computed during initiation, any such modification would result in a mismatch with the code hash expected by Vrf. Adv could also attempt to alter the  $\mathcal{F}$  binary during the RT-PoX process (after  $H(\mathcal{F})$  computation). However, due to SAU-enforced protection to ESR, this attempt is detected by  $\mathcal{F}_{RoT}$  and thus by Vrf.
- $\mathcal{F}$  execution flow manipulation. To manipulate the execution flow of  $\mathcal{F}$  during an RT-PoX process, Adv must return from  $\mathcal{F}_{Adv}$  to an incorrect instruction in  $\mathcal{F}$ . Directly jumping to an arbitrary address within  $\mathcal{F}$  is infeasible because during  $\mathcal{F}_{Adv}$  execution ESR is set as a Secure Region by SAU (hence not executable from the Non-Secure World). Alternatively, Adv might attempt to change intermediate control flow-related data in  $\mathcal{F}$ 's stack. This also fails because  $\mathcal{F}$ 's data is also within ESR. Finally, Adv could try to modify the interrupt vector tables to change the address executed upon interrupts during  $\mathcal{F}$  execution. However, PEARTS checks the integrity of the IVT addresses related to  $\mathcal{F}$  before  $\mathcal{F}$  execution and maintains a copy of the IVT in the ESR (which is always checked upon resuming  $\mathcal{F}$  execution).
- $\mathcal{F}$  data corruption. As previously discussed, Adv is unable to directly modify the data within  $\mathcal{F}$  due to SAU memory protections to ESR. Consequently, Adv may attempt alternative strategies to modify  $Ctx(\mathcal{F})$ . One such strategy involves altering the configurations of peripherals used by  $\mathcal{F}$ . This alteration can change the expected behavior of the peripheral and affect the data that  $\mathcal{F}$ subsequently reads from it. However, when  $\mathcal{F}_{Adv}$  is active, all peripherals accesses are trapped by the Secure World and logged, preventing Adv from stealthily modifying the peripheral registers/configurations. Alternatively, Adv can attempt to use DMA to corrupt  $\mathcal{F}$  data. This is not feasible because, during the RT-PoX process, all DMA channels are configured securely by  $\mathcal{F}_{RoT}$ . PEARTS also checks for any pre-configured DMA channel targeting ESR during the RT-PoX initialization.
- Timing attacks. Adv may alter response times of timesensitive operations within *F* by interfering with their schedule. Adv could achieve this by either delaying or prematurely advancing the schedule of operations within *F* when the schedule is handled by the RTOS. However, PEARTS independently logs times and associated context of all *F* ↔ *F*<sub>Adv</sub> transitions using a dedicated timer only accessible in the Secure World. Therefore, timing attacks are detectable by Vrf.
- **RT-PoX report forgery.** Given Adv's inability to perform the aforementioned actions, its last resort is to forge the RT-PoX report. This in turn requires forging signature  $\sigma_{\mathcal{F}}$  which is computationally infeasible as long as sk is unknown to Adv and the underlying signature primitive is existentially unforgeable. In turn, sk is stored in the Secure World and only accessible to  $\mathcal{F}_{RoT}$ .

## 7. Implementation Details

#### 7.1. Interfacing the RTOS and PEARTS

Housing  $\mathcal{F}$  in ESR prevents the RTOS from directly managing it as a normal task in the Non-Secure World. Doing so would raise a security exception (due to Trust-Zone's world separation) during context switches or system calls. To allow PEARTS to run on an unmodified RTOS, a "shadow task" is created to mimic  $\mathcal{F}$ 's presence as a standard RTOS-managed task. The RTOS creates the Shadow Task in the Non-Secure World normally, using its standard task creation API (e.g., *xTaskCreate* in FreeRTOS). Shadow tasks have fixed behavior and interface the unmodified RTOS with  $\mathcal{F}_{RoT}$ . Once the Shadow Task starts executing (as scheduled by the RTOS) it calls  $\mathcal{F}_{RoT}$  to initiate/switch/resume  $\mathcal{F}$ .

The Shadow Task also mediates system calls originating from  $\mathcal{F}$ .  $\mathcal{F}$  system calls are instrumented to yield control to  $\mathcal{F}_{RoT}$ .  $\mathcal{F}_{RoT}$  then changes the context to  $\mathcal{F}_{Adv}$  and directs the execution to the Shadow Task which triggers the respective system call in the RTOS, in the Non-Secure World. See Appendix A for implementation details on Shadow Tasks.

#### 7.2. Context Switches

**Switching**  $\mathcal{F} \to \mathcal{F}_{Adv}$ : During this context switch, ESR is configured as a Secure Region, and the peripherals used by  $\mathcal{F}$  are set as Secure while all other peripherals are set as Non-Secure. Register context (including MSP and PSP) is saved to the Secure World, and MSP and PSP are replaced with those belonging to  $\mathcal{F}_{Adv}$  to prepare  $\mathcal{F}_{Adv}$  context and stack. The NS-IVT is configured as described in Section 5.3. A new entry is recorded in  $\mathbb{T}log$  to log the transition, interrupts are re-enabled, and control is passed to  $\mathcal{F}_{Adv}$ .

**Switching**  $\mathcal{F}_{Adv} \rightarrow \mathcal{F}$ : Per PEARTS enforced properties,  $\mathcal{F}_{RoT}$  receives control to initiate this switch.  $\mathcal{F}_{RoT}$  marks ESR as Non-Secure. Next,  $\mathcal{F}$  peripherals are reconfigured as Non-Secure, while the remaining peripherals are set to Secure. The register context of  $\mathcal{F}_{Adv}$  is saved and the  $\mathcal{F}$ 's register context and the NS-IVT are restored. This transition is logged in  $\mathbb{T}log$ . Finally, the switch concludes by reenabling interrupts and resuming  $\mathcal{F}$ .

#### 7.3. Dispatching Banked Interrupts

When TrustZone is active, certain interrupts (such as systick) are banked between Secure and Non-Secure modes. Thus, they are signaled separately for each world. This separation prevents the direct configuration of a banked Non-Secure interrupt to be handled by PEARTS dispatcher in the Secure World. To address this, PEARTS keeps a copy of the NS-IVT within ESR, where the addresses of the ISRs for these banked interrupts are replaced with fixed reserved Secure World addresses. When the NS-IVT copy is accessed as part of the Non-Secure World interrupt handling process, any trigger of the banked interrupt will also trigger a Secure World exception. The exception implementation allows the Secure World to verify if the fault originated from a systick exception attempting to access the associated secure address. If so, the fault is redirected to the interrupt dispatcher and then redirected by the dispatcher to the original systick ISR in the Non-Secure World.

#### 8. Prototype & Evaluation

We developed a proof-of-concept prototype of PEARTS on a NUCLEO-L552ZE-O development board, which features an STM32L552ZE MCU. This MCU is built on the ARM Cortex-M33 (v8) architecture, operates at 110 MHz, and supports Arm TrustZone-M. PEARTS functions in the Secure World are implemented in C. SHA224 and HMAC cryptographic operations leverage MCU built-in hardware accelerators and are only accessible by the Secure World. The Non-Secure World runs a standard version of FreeRTOS, with its API interfaces specified in CMSIS-RTOS2 [34]. Vrf is implemented in Python to communicate with Prv, initiate RT-PoX requests, and verify responses. PEARTS prototype implementation is publicly available in [21]. We evaluate PEARTS prototype regarding its latency, memory, and runtime overheads. We also analyze PEARTS's impact on real applications.

#### 8.1. Runtime Overhead

#### 8.1.1. Interrupt Dispatcher Latency.

We start by examining the latency overhead of PEARTS's Interrupt Dispatcher on Prv. Recall that when  $\mathcal{F}$  is active,  $\mathcal{F}_{RoT}$  dispatches  $\mathcal{F}_{Adv}$  interrupts and returns from interrupts, increasing the latency of interrupt handling. This increase in latency can impact the application's time budget. The degree of this impact depends linearly on the interrupt frequency in  $\mathcal{F}_{Adv}$ .

We assess the latency associated with both types of transitions in PEARTS:  $\mathcal{F} \to \mathcal{F}_{Adv}$  (interrupt) and  $\mathcal{F}_{Adv} \to \mathcal{F}$ (return from interrupt, a.k.a. interrupt backtrip). We consider the following metrics:

- **Interrupt Latency**: The time elapsed from the triggering of an interrupt to the start of its respective ISR execution.
- **Interrupt Latency Back-trip**: The time from the completion of the ISR execution to the resumption of the interrupted task.

Results are summarized in Table 1. In all cases, the time unit reported is the number of CPU cycles taken (at 110 MHz, one CPU cycle is  $\approx$  9 nanoseconds). Each measurement was conducted 1000 times, covering all possible execution paths of the interrupt dispatcher, to ensure consistency. During tests, we ensured that no other interrupts occurred between the start and end of the measurements. For comparative analysis, we also measured these components with PEARTS deactivated, thus establishing a baseline to quantify the overhead introduced by the dispatcher.

The analysis of interrupts for  $\mathcal{F} \to \mathcal{F}_{Adv}$  shows that the maximum interrupt latency was 102 CPU cycles. Similarly,

TABLE 1: Context Switch Latency Introduced by PEARTS

| Event                                                          | CPU Cycles |     |  |
|----------------------------------------------------------------|------------|-----|--|
| Event                                                          | Max        | Min |  |
| $\mathcal{F} \to \mathcal{F}_{Adv}$ Interrupt                  | 119        | 117 |  |
| $\mathcal{F} \rightarrow \mathcal{F}_{Adv}$ Interrupt Backtrip | 85         | 85  |  |
| $\mathcal{F}_{Adv} \to \mathcal{F}$ Interrupt                  | 102        | 101 |  |
| $\mathcal{F}_{Adv} \to \mathcal{F}$ Interrupt Backtrip         | 84         | 83  |  |

the maximum interrupt backtrip latency was 85 CPU cycles. For  $\mathcal{F}_{Adv} \rightarrow \mathcal{F}$ , the observed maximum interrupt latency was about 102 CPU cycles, and the maximum interrupt backtrip latency recorded was 84 CPU cycles. While transitions from  $\mathcal{F}$  to  $\mathcal{F}_{Adv}$  will always frequently occur due to the scheduler interrupt associated with  $\mathcal{F}_{Adv}$ , transitions from  $\mathcal{F}_{Adv}$  to  $\mathcal{F}$  depends more on specific application needs.

#### 8.1.2. Per-Module Runtime Breakdown.

Table 2 shows the runtimes of various operations in PEARTS that could impact the performance of Prv.

To quantify PEARTS Initialization Routine's impact, we measured the time taken between RTOS' call to  $\mathcal{F}$ 's shadow task until  $\mathcal{F}$ 's RT-PoX execution starting. The maximum initialization latency observed was around 8.5K CPU cycles ( $\approx 0.08$  milliseconds). The runtime introduced during the initialization routine is attributed to both the required configuration of hardware controls and the computation of  $H(\mathcal{F})$  (using SHA224). Additionally, we measure the Finalization Routine latency, which involves generating report R (implemented with HMAC) and reverting Prv to its pre-PoX configuration. The maximum finalization routine runtime recorded was 14.3K CPU cycles ( $\approx 0.14$  milliseconds) when R size was around 2KBytes due to a large number of *Tlog* entries. As a lower bound, when *Tlog* is empty, the runtime measured was around 3.2K CPU cycles ( $\approx 0.03$ milliseconds). Note that the initialization and finalization routines are executed once per RT-PoX instance, before and after  $\mathcal{F}$  execution, respectively. Therefore, they do not influence timings within  $\mathcal{F}$ 's execution.

The latency introduced by the System Call Dispatcher to the system calls in  $\mathcal{F}$  should also be considered. The measured maximum latency for the system call dispatching was 77 CPU cycles vs. 1 CPU cycle in the baseline FreeRTOS without dispatching. This introduces an overhead of up to 76 cycles for system call dispatching. There is no overhead for system calls originating from  $\mathcal{F}_{Adv}$ , since they are not dispatched.

Another potential overhead, although likely infrequent, is from PEARTS interference exception handling. If  $\mathcal{F}_{Adv}$ tries to access resources in use by  $\mathcal{F}$ , an exception is triggered. PEARTS then logs the interference attempt to the RT-PoX report and releases the resource for  $\mathcal{F}_{Adv}$  to use. Regarding interference exception handling, the maximum time measured from when triggered to when control is returned to the interfering task is 92 CPU cycles.

To evaluate the effects of PEARTS on RTOS context switches, we measure the time from the completion of the RTOS context switch function to the resumption of the active task. When analyzing the RTOS context switch latency, we focus exclusively on transitions from  $\mathcal{F}_{Adv}$  to  $\mathcal{F}$ . We observe the overhead of this transition to be at most 98 CPU cycles. We do not consider the RTOS context switch from  $\mathcal{F}$  to  $\mathcal{F}_{Adv}$  because, when it happens, the context initially changes to  $\mathcal{F}_{Adv}$  due to the systick interrupt used by the RTOS scheduler. Consequently, when the PendSV interrupt occurs to switch to a  $\mathcal{F}_{Adv}$  task, the context is already in  $\mathcal{F}_{Adv}$ . Hence, there is no overhead in the measured time.

TABLE 2: Overhead Introduced by PEARTS modules

| Event                                                           | CPU Cycles |      |  |  |
|-----------------------------------------------------------------|------------|------|--|--|
| Event                                                           | Max        | Min  |  |  |
| System Call Dispatching                                         | 77         | 74   |  |  |
| Initialization Routine                                          | 8512       | 8436 |  |  |
| Finalization Routine                                            | 14332      | 3252 |  |  |
| Interference Exception                                          | 92         | 91   |  |  |
| RTOS Context Switch $\mathcal{F}_{Adv} \rightarrow \mathcal{F}$ | 98         | 93   |  |  |

#### 8.2. Memory Footprint

Table 3 presents (i) the number of lines of C+Assembly code, measured using "cloc v1.90"; (ii) the corresponding compiled binary size compiled using the "-O0" optimization flag (measured with the STM32CubeIDE build analyzer tool); and (iii) the maximum RAM usage at runtime (measured using the STM32CubeIDE static stack analyzer tool) for each of PEARTS's modules.  $\mathcal{F}_{RoT}$  implementation in the Secure World (TCB) comprises 569 lines of code. The Initialization and Finalization Routines, excluding the cryptographic libraries, occupy 0.3KBytes and 0.4KBytes of binary size, respectively. Their maximum runtime RAM usage is 272 Bytes and 256 Bytes, respectively. The cryptographic library is striped to include only the code necessary for HMAC and SHA224 usage of built-in cryptographic accelerator hardware in the MCU. This code occupies 2.7KBytes in the binary and allocates 256 Bytes of RAM at runtime. The Interrupt Dispatcher, System Call Dispatcher, and Interference Handler together occupy around 0.9KBytes of PMEM and do not use any RAM, as all memory operations are done at the register level. In the Non-Secure World, the Shadow Task code occupies 0.2KBytes of  $\mathcal{F}_{Adv}$  PMEM and allocates 16 Bytes of RAM at runtime.

**TABLE 3: PEARTS Memory Footprint** 

| Module                 | Binary Size<br>(KBytes) | Lines of<br>Code | Max RAM<br>Usage (Bytes) |  |  |  |  |
|------------------------|-------------------------|------------------|--------------------------|--|--|--|--|
|                        | Secure World            | 1                |                          |  |  |  |  |
| System Call Dispatcher | 0.1                     | 28               | 0                        |  |  |  |  |
| Interrupt Dispatcher   | 0.5                     | 86               | 0                        |  |  |  |  |
| Interference Handler   | 0.3                     | 65               | 0                        |  |  |  |  |
| Finalization Routine   | 0.3                     | 84               | 272                      |  |  |  |  |
| Initialization Routine | 0.3                     | 74               | 256                      |  |  |  |  |
| Cryptography Library   | 2.7                     | 232              | 256                      |  |  |  |  |
| Non-Secure World       |                         |                  |                          |  |  |  |  |
| Shadow Task            | 0.2                     | 30               | 16                       |  |  |  |  |

PEARTS default implementation reserves 2.4Kbytes of RAM to store logs generated during the RT-PoX instances and all metadata contained in the report. This memory was sufficient for all applications considered in our tests (see Section 8.3 for log sizes required by each tested application as a function of interrupt frequencies).

#### 8.3. End-To-End Run-Time Evaluation

We assess the performance of PEARTS on real embedded applications through a series of experiments involving a selection of open-source MCU applications and MCU programs from the BEEBS benchmark [35]. Initially, we focus on a case where only one task is being scheduled by the RTOS using a systick interrupt configured to trigger at 1 kHz, running without interference from other tasks. In this setup, we aim to assess the execution delay experienced by the task both with and without PEARTS. We evaluate eight different algorithms under conditions where no additional interrupts are set up for the task.

The results of the experiment is illustrated in the first row of Table 4. When PEARTS is activated, the task experiences a runtime increase that varies from 10.6% to 19.8%, reflecting the overhead introduced by the additional security processes. This increase is relatively modest across all eight algorithms tested, suggesting that PEARTS efficiently integrates security without significantly compromising the system's performance.

Next, we expand our evaluation to include scenarios where the RTOS schedules multiple tasks simultaneously. In this configuration, all tasks are assigned the same priority, ensuring the RTOS allocates the same time budget to each. We vary the number of tasks within  $\mathcal{F}_{Adv}$  from 1 to 8, focusing on assessing the overhead generated by the task operating within  $\mathcal{F}$ , while maintaining the  $\mathcal{F}_{Adv}$  interrupt frequency fixed at 1 kHz. By analyzing the results in Table 4, we observe that overhead increases across all applications, indicating an approximately linear increase in overhead relative to the number of tasks.

Next, we evaluate how PEARTS performs when a task running in  $\mathcal{F}$  is subjected to interrupts at frequencies ranging from 1kHz to 8kHz in  $\mathcal{F}_{Adv}$ . This test aims to assess the scalability of PEARTS under varying levels of interrupt-driven stress. The results of this experiment are presented in Table 5. We observe a linear increase of approximately 0.1% overhead increase for each 1kHz increment in the interrupt frequency.

We also evaluate the overhead of a task in  $\mathcal{F}_{Adv}$  when there is an active RT-PoX instance on Prv. We consider a single task running in  $\mathcal{F}_{Adv}$  and another in  $\mathcal{F}$ . We vary the interrupt frequency within  $\mathcal{F}$  from 2kHz to 8kHz, while  $\mathcal{F}_{Adv}$  maintains a fixed systick frequency of 1kHz. The results of these experiments are presented in Table 6. By comparing Table 5 with Table 6, we observe that for the same interrupt frequency, the runtime overhead for tasks in  $\mathcal{F}_{Adv}$  is lower than the overhead generated by tasks in  $\mathcal{F}$ . However, in both cases, we note that the increase in overhead is proportional to the increase in interrupt frequency. Both present similar growth rates.

Finally, Table 7 presents PEARTS report sizes across different applications, with varying  $\mathcal{F}_{Adv}$  interrupt frequency.

Higher interrupt frequencies lead to more context switches  $\mathcal{F} \leftrightarrow \mathcal{F}_{Adv}$ , resulting in a higher number of  $\mathcal{F}_{Adv}$  timings logged and thus a larger log size. Log sizes across tested applications ranged from 84 to 244 bytes.

#### 9. Related Work

Remote Attestation (RA): RA architectures are generally classified in three types: software-based (or keyless), hardware-based, and hybrid. Software-Based RA Architectures [36], [37], [38], [39], [11], [5], [40], [10] do not rely on any specialized hardware. The main advantage of software-based RA is its flexibility and ease of implementation since it does not require additional hardware. However, this model places significant demands on the security of the software itself. It operates under strict assumptions about the capabilities of Adv capabilities and the flawless implementation of the RA mechanism. This can be a limiting factor as it may not provide robust security against sophisticated hardware-level attacks. Hardware-Based RA Architectures [41], [42], [43], [14], [9] incorporate dedicated hardware to support security features, such as Trusted Platform Modules (TPMs) [44] or uses specific CPU instruction sets like Intel SGX [45]. The use of hardware provides a stronger security foundation, as the RA processes are less vulnerable to software attacks and can leverage the physical security properties of the hardware. The primary drawback is the increased cost and complexity of integrating specialized hardware components, which might not be feasible for all devices or contexts. Hybrid RA Architectures [2], [1], [3], [4], [6], [46] aim to bridge the gap between software and hardware solutions. This type of design seeks to combine the lower cost and flexibility of software-based RA with the robust security features of hardware-based RA. This is often achieved through hardware/software co-designs that smartly integrate both approaches to fit specific use cases. For example, hybrid RA might use minimal hardware to bolster a primarily software-based RA process, thus providing enhanced security without the full cost of hardware-based systems.

Proof of Execution (PoX): On high-end devices (application computers and servers), Flicker [15] was the first to utilize hardware support for a dynamic root of trust for measurement in TPMs (along with AMD's SVM support in commodity AMD processors) to prove execution of code in isolation. A Flicker session sets an isolated and uninterruptable environment (protected mode) for the execution to be proven in order to prevent interference from other software on the same machine. Also in high-end devices, Sanctum [47] employs a similar approach by instrumenting Intel SGX's enclave code to convey information about its execution to a remote party. APEX [16] introduces the notion of PoX on low-end single-core devices running baremetal software. It implements a verified hardware monitor to check for violations to the atomic execution of the application being attested, disallowing interrupts during the execution being proven. ASAP [48] extends APEX to allow

| Number   | Interrupt |            | Sensor Applications |         |             |       |       |       | S Programs           |
|----------|-----------|------------|---------------------|---------|-------------|-------|-------|-------|----------------------|
| of Tasks | Frequency | Ultrasonic | Geiger              | Syringe | Temperature | GPS   | prime | crc32 | sglib-arraybinsearch |
| 1        | 1 kHz     | 15.1%      | 19.8%               | 12.8%   | 11.5%       | 18.7% | 16.6% | 10.6% | 15.2%                |
| 2        | 1 kHz     | 15.3%      | 20.2%               | 14.4%   | 11.7%       | 18.9% | 17.0% | 10.8% | 15.7%                |
| 4        | 1 kHz     | 15.9%      | 22.7%               | 15.2%   | 12.9%       | 19.4% | 17.5% | 11.1% | 16.3%                |
| 8        | 1 kHz     | 17.5%      | 26.8%               | 17.9%   | 14.0%       | 20.8% | 18.3% | 11.6% | 16.7%                |

TABLE 4: PEARTS runtime overhead on  $\mathcal{F}$  for different number of tasks in  $\mathcal{F}_{Adv}$  with same priviledge

TABLE 5: PEARTS runtime overhead on  $\mathcal{F}$  task for different interrupt frequency in  $\mathcal{F}_{Adv}$ 

| Number   | Interrupt |            | Sensor Applications |         |             |       |       |       | Applications         |
|----------|-----------|------------|---------------------|---------|-------------|-------|-------|-------|----------------------|
| of Tasks | Frequency | Ultrasonic | Geiger              | Syringe | Temperature | GPS   | prime | crc32 | sglib-arraybinsearch |
| 1        | 2 kHz     | 15.2%      | 19.8%               | 12.9%   | 11.5%       | 18.8% | 16.6% | 10.6% | 15.2%                |
| 1        | 4 kHz     | 15.4%      | 19.9%               | 13.0%   | 11.5%       | 18.9% | 16.7% | 10.6% | 15.3%                |
| 1        | 6 kHz     | 15.7%      | 20.2%               | 13.3%   | 11.6%       | 19.0% | 16.7% | 10.6% | 15.5%                |
| 1        | 8 kHz     | 16.0%      | 20.5%               | 13.7%   | 11.8%       | 19.2% | 16.9% | 10.7% | 15.9%                |

TABLE 6: PEARTS runtime overhead on  $\mathcal{F}_{Adv}$  task for different interrupt frequency in  $\mathcal{F}$ 

| Number   | Interrupt |            | Sen    | sor Applic |             |       | BEEBS | Applications |                      |
|----------|-----------|------------|--------|------------|-------------|-------|-------|--------------|----------------------|
| of Tasks | Frequency | Ultrasonic | Geiger | Syringe    | Temperature | GPS   | prime | crc32        | sglib-arraybinsearch |
| 1        | 2 kHz     | 13.5%      | 15.2%  | 10.8%      | 10.5%       | 14.2% | 13.3% | 10.7%        | 12.7%                |
| 1        | 4 kHz     | 13.5%      | 15.3%  | 10.8%      | 10.5%       | 14.3% | 13.4% | 10.7%        | 12.8%                |
| 1        | 6 kHz     | 13.7%      | 15.5%  | 11.0%      | 10.6%       | 14.6% | 13.4% | 10.8%        | 13.1%                |
| 1        | 8 kHz     | 13.7%      | 16.1%  | 11.3%      | 10.7%       | 15.2% | 13.6% | 10.8%        | 13.5%                |

TABLE 7: PEARTS Log Size (bytes) for varying interrupt frequencies in  $\mathcal{F}_{Adv}$ 

| Number   | Interrupt |            | Sen    | sor Applica |             | BEEBS | Applications |       |                      |
|----------|-----------|------------|--------|-------------|-------------|-------|--------------|-------|----------------------|
| of Tasks | Frequency | Ultrasonic | Geiger | Syringe     | Temperature | GPS   | prime        | crc32 | sglib-arraybinsearch |
| 1        | 2 kHz     | 104 B      | 84 B   | 84 B        | 84 B        | 84 B  | 124 B        | 104 B | 104 B                |
| 1        | 4 kHz     | 124 B      | 104 B  | 104 B       | 84 B        | 104 B | 164 B        | 124 B | 124 B                |
| 1        | 6 kHz     | 144 B      | 144 B  | 144 B       | 104 B       | 144 B | 204 B        | 144 B | 144 B                |
| 1        | 8 kHz     | 184 B      | 184 B  | 184 B       | 144 B       | 184 B | 244 B        | 184 B | 184 B                |

the proven task to implement its own interrupts but still disallows interrupts external to the task being proven.

Control Flow Attestation (CFA): CFA generates remotely verifiable evidence for the control flow path taken by an application running on Prv [49]. This is achieved by instrumenting the application code [50], [51], [52], [53], [54], [55] with instructions to track the control flow path during a PoX. This process generates a measurement that verifies the execution of each node in the control flow graph. Alternatively, hardware-based techniques [56], [57], [58] leverage custom hardware to track the control flow path. In the context of real-time systems, ISC-FLAT [51] safeguards CFA logged control flow transfers by allowing interrupts while blocking critical resources during the interruptions. However, this approach conflicts with RT-PoX because blocked resources cannot be managed or accessed by the RTOS, impeding co-existence. ARI [55] offers a CFA mechanism that includes timing information in CFA reports. However, it does not address coexistence between an unmodified (Non-Secure World-resident) RTOS and PoX.

**Control Flow Integrity** (CFI): In contrast to CFA, CFI techniques implement measures to detect control flow path violations in place, locally on Prv. Different from CFA (and PoX), CFI is not concerned with the generation of remotely verifiable execution evidence. Static CFI uses static analysis

at compilation time to create a control flow graph (CFG) and insert runtime checks to ensure that control transfers match the CFG [59], [60], [61]. For instance, Microsoft's Control Flow Guard [62] adds runtime checks to validate indirect function calls for forward-edge protection. Dynamic CFI [63], [64], monitors the control flow at runtime beyond static CFG, often using hardware support [65]. Return Address Validation and Shadow Call Stacks protect return addresses on the program's stack from tampering [66], [67], [68].

Security in Real-Time Systems. Various prior works enhance the security of real-time systems in aspects other than proving code or execution integrity. Scheduler-based methods leverage the scheduler to monitor task execution and impose security restrictions [69], [70], [71] or to decrease system predictability, thereby mitigating side-channel attacks [72], [73], [74]. Some techniques use time reservation from conservative systems to enforce data flow integrity [75] or implement runtime monitors [76]. Task memory isolation to reduce the attack surface is also studied in [77].

Availability in Real-time Systems. Recent efforts have focused on providing availability guarantees in real-time systems. [29] and [30] propose architectural mechanisms to fuse interrupts (including time-based) with isolated execution of trusted software despite full software compromise of MCUs. [28] proposes the concept of trusted scheduling, i.e., leveraging trusted computing to ensure real-time guarantees. More recently, [31] leverages hardware primitives on commodity platforms to ensure the availability of system resources (e.g., CPU and I/O) for real-time tasks, along with trusted scheduling of these tasks. RT-PoX goal differs from previous work as it aims to enable the coexistence of offthe-shelf RTOS functions with PoX rather than enforcing trusted scheduling or guaranteed availability (see Appendix C for additional discussion).

#### **10.** Conclusion

We formulated the RT-PoX concept to address the limitations of classic PoX definitions and make them compatible with real-time systems. To realize RT-PoX, we developed PEARTS as the first PoX architecture compatible with an off-the-shelf RTOS (FreeRTOS). This enables both real-time availability offered by the RTOS and PoX verifiable integrity guarantees to co-exist securely on off-the-shelf MCUs. We also evaluate PEARTS's security and performance overheads and make its prototype publicly available [21]. RT-PoX formulation and its instantiation in PEARTS open several avenues for future work. Among them, we highlight the following.

**Mitigating vulnerabilities within**  $\mathcal{F}$ : RT-PoX is designed to protect an application in  $\mathcal{F}$  from external adversaries in  $\mathcal{F}_{Adv}$ . However, when  $\mathcal{F}$  is itself potentially vulnerable (e.g.,  $\mathcal{F}$  has a memory safety bug) Adv can manipulate its control flow path within the PoX. To effectively enforce or remotely verify the control flow of  $\mathcal{F}$ , PEARTS can be used alongside other techniques such as CFI and CFA. See Section 9 for an overview of CFI and CFA.

 $\mathcal{F}$  **Confidentiality:** PoX focuses on providing integrity while RT-PoX augments PoX not to violate the availability needs of RTOS-based environments. Our treatment does not consider systems in which confidentiality of data is also a pressing concern. For a discussion of the data confidentiality aspect of potentially compromised embedded/sensing systems see [78]. Incorporating confidentiality into RT-PoX is an interesting avenue for future work.

**Report Scalability**. PEARTS logs timing events to detect interferences, as detailed in Section 5.1. This implies that extended executions could generate a large log size. To mitigate this, optimizations can be implemented, e.g., sending a partial report to Vrf when Prv's memory fraction budgeted for storing logs is full. Another alternative is Vrf to implicitly specify acceptable pause times for  $\mathcal{F}$  and have PEARTS check if Vrf policy is met during the RT-PoX, reporting a yes/no result to Vrf.

### Acknowledgements

We sincerely thank the paper's shepherd and anonymous reviewers for their feedback and guidance. This work was partly supported by the National Science Foundation (SaTC award #2245531). PSU author was partly supported by the ASEAN IVO (www.nict.go.jp/en/asean\_ivo/) project, Artificial Intelligence Powered Comprehensive Cyber-Security for Smart Healthcare Systems (AIPOSH), funded by NICT (www.nict.go.jp/en/).

#### References

- K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito, "SMART: Secure and minimal architecture for (establishing dynamic) root of trust," in *NDSS*, vol. 12, 2012, pp. 1–15.
- [2] I. D. O. Nunes, K. Eldefrawy, N. Rattanavipanon, M. Steiner, and G. Tsudik, "VRASED: A Verified Hardware/Software Co-Design for Remote Attestation," in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 1429–1446.
- [3] F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, and P. Koeberl, "TyTAN: Tiny trust anchor for tiny devices," in *Proceedings of the 52nd annual design automation conference*, 2015, pp. 1–6.
- [4] P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan, "TrustLite: A security architecture for tiny embedded devices," in *Proceedings* of the Ninth European Conference on Computer Systems, 2014, pp. 1–14.
- [5] M. Ammar, B. Crispo, and G. Tsudik, "Simple: A remote attestation approach for resource-constrained iot devices," in 2020 ACM/IEEE 11th International Conference on Cyber-Physical Systems (ICCPS). IEEE, 2020, pp. 247–258.
- [6] K. Eldefrawy, N. Rattanavipanon, and G. Tsudik, "HYDRA: hybrid design for remote attestation (using a formally verified microkernel)," in *Proceedings of the 10th ACM Conference on Security and Privacy in wireless and Mobile Networks*, 2017, pp. 99–110.
- [7] I. De Oliveira Nunes, S. Jakkamsetti, N. Rattanavipanon, and G. Tsudik, "On the TOCTOU problem in remote attestation," in *Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security*, 2021, pp. 2921–2936.
- [8] E. Brickell, J. Camenisch, and L. Chen, "Direct anonymous attestation," in *Proceedings of the 11th ACM conference on Computer and communications security*, 2004, pp. 132–145.
- [9] J. Noorman, J. V. Bulck, J. T. Mühlberg, F. Piessens, P. Maene, B. Preneel, I. Verbauwhede, J. Götzfried, T. Müller, and F. Freiling, "Sancus 2.0: A low-cost security architecture for iot devices," ACM Transactions on Privacy and Security (TOPS), vol. 20, no. 3, pp. 1–33, 2017.
- [10] L. Petzi, A. E. B. Yahya, A. Dmitrienko, G. Tsudik, T. Prantl, and S. Kounev, "SCRAPS: Scalable Collective Remote Attestation for Pub-Sub IoT Networks with Untrusted Proxy Verifier," pp. 3485– 3501, 2022.
- [11] M. Grisafi, M. Ammar, M. Roveri, and B. Crispo, "PISTIS: Trusted computing architecture for low-end embedded systems," in 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 3843– 3860.
- [12] M. Ammar, B. Crispo, I. De Oliveira Nunes, and G. Tsudik, "Delegated attestation: scalable remote attestation of commodity cps by blending proofs of execution with software attestation," in *Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks*, 2021, pp. 37–47.
- [13] M. M. Rabbani, E. Dushku, J. Vliegen, A. Braeken, N. Dragoni, and N. Mentens, "Reserve: Remote attestation of intermittent iot devices," in *Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems*, 2021, pp. 578–580.
- [14] J. Vliegen, M. M. Rabbani, M. Conti, and N. Mentens, "SACHa: Selfattestation of configurable hardware," in 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2019, pp. 746–751.
- [15] J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki, "Flicker: An execution infrastructure for tcb minimization," in *Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008*, 2008, pp. 315–328.

- [16] I. D. O. Nunes, K. Eldefrawy, N. Rattanavipanon, and G. Tsudik, "APEX: A verified architecture for proofs of execution on remote devices under full software compromise," in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 771–788.
- [17] A. Caulfield, N. Rattanavipanon, and I. De Oliveira Nunes, "ASAP: reconciling asynchronous real-time operations and proofs of execution in simple embedded systems," in *Proceedings of the 59th ACM/IEEE Design Automation Conference*, 2022, pp. 721–726.
- [18] A. D. N. B. C. Patel, "Rares: Runtime attack resilient embedded system design using verified proof-of-execution," arXiv preprint arXiv:2305.03266, 2023.
- [19] R. Barry et al., "Freertos," Internet, Oct, vol. 4, p. 18, 2008.
- [20] A. Ltd, "TrustZone technology for Armv8-M Architecture Version 2.1," https://developer.arm.com/documentation/100690/0201/, 2019.
- [21] "PEARTS Github Repository." 2024. [Online]. Available: https: //github.com/SPINS-RG/pearts
- [22] STMicroelectronics, "STM32 Nucleo-144 development board," https: //www.st.com/en/evaluation-tools/nucleo-1552ze-q.html, [Online; accessed 17-November-2023].
- [23] J. A. Stankovic and R. Rajkumar, "Real-time operating systems," *Real-Time Systems*, vol. 28, no. 2-3, pp. 237–253, 2004.
- [24] A. Khan, D. Xu, and D. J. Tian, "Low-cost privilege separation with compile time compartmentalization for embedded systems," in 2023 *IEEE Symposium on Security and Privacy (SP)*. IEEE, 2023, pp. 3008–3025.
- [25] M. Bechtel and H. Yun, "Denial-of-service attacks on shared cache in multicore: Analysis and prevention," in 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, 2019, pp. 357–367.
- [26] R. Mahfouzi, A. Aminifar, S. Samii, M. Payer, P. Eles, and Z. Peng, "Butterfly attack: Adversarial manipulation of temporal properties of cyber-physical systems," in 2019 IEEE Real-Time Systems Symposium (RTSS). IEEE, 2019, pp. 93–106.
- [27] B. Wittenmark, J. Nilsson, and M. Torngren, "Timing Problems in Real-time Control Systems," in *Proceedings of 1995 American Control Conference-ACC'95*, vol. 3. IEEE, 1995, pp. 2000–2004.
- [28] R. J. Masti, C. Marforio, A. Ranganathan, A. Francillon, and S. Capkun, "Enabling trusted scheduling in embedded systems," in *Proceedings of the 28th Annual Computer Security Applications Conference*, 2012, pp. 61–70.
- [29] F. Alder, J. Van Bulck, F. Piessens, and J. T. Mühlberg, "Aion: Enabling open systems through strong availability guarantees for enclaves," in *Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security*, 2021, pp. 1357–1372.
- [30] E. Aliaj, I. D. O. Nunes, and G. Tsudik, "GAROTA: Generalized active root-of-trust architecture (for tiny embedded devices)," in 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 2243– 2260.
- [31] J. Wang, A. Li, H. Li, C. Lu, and N. Zhang, "Rt-tee: Real-time system availability for cyber-physical systems using arm trustzone," in 2022 *IEEE Symposium on Security and Privacy (SP)*. IEEE, 2022, pp. 352–369.
- [32] EETimes, "2019 Embedded Markets Study," https://www.embedded. com/wp-content/uploads\\/2019/11/EETimes\\_Embedded\\_2019\\_ Embedded\\_Markets\\_Study.pdf, [Online; accessed 28-Feb-2024].
- [33] J. Obermaier *et al.*, "The past, present, and future of physical security enclosures: From battery-backed monitoring to puf-based inherent security and beyond," *Journal of Hardware and Systems Security*, vol. 2, 2018.
- [34] "CMSIS-RTOS2 Documentation," https://arm-software.github.io/ CMSIS\_5/develop/RTOS2/html/index.html.
- [35] J. Pallister *et al.*, "Beebs: Open benchmarks for energy measurements on embedded platforms," *arXiv preprint arXiv:1308.5174*, 2013.

- [36] R. Kennell and L. H. Jamieson, "Establishing the genuinity of remote computer systems," in 12th USENIX Security Symposium (USENIX Security 03), 2003.
- [37] A. Seshadri, A. Perrig, L. Van Doorn, and P. Khosla, "SWATT: Software-based attestation for embedded devices," in *IEEE Sympo*sium on Security and Privacy, 2004. Proceedings. 2004. IEEE, 2004, pp. 272–282.
- [38] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. Van Doorn, and P. Khosla, "Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems," in *Proceedings of the twentieth ACM* symposium on Operating systems principles, 2005, pp. 1–16.
- [39] A. Seshadri, M. Luk, and A. Perrig, "Sake: Software attestation for key establishment in sensor networks," in *Distributed Computing in Sensor Systems: 4th IEEE International Conference, DCOSS 2008 Santorini Island, Greece, June 11-14, 2008 Proceedings 4*, 2008, pp. 372–385.
- [40] S. Surminski, C. Niesler, F. Brasser, L. Davi, and A.-R. Sadeghi, "Realswatt: remote software-based attestation for embedded devices under realtime constraints," in *Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security*, 2021, pp. 2890–2905.
- [41] N. L. Petroni Jr, T. Fraser, J. Molina, and W. A. Arbaugh, "Copilota coprocessor-based kernel runtime integrity monitor." in USENIX security symposium. San Diego, USA, 2004, pp. 179–194.
- [42] X. Kovah, C. Kallenberg, C. Weathers, A. Herzog, M. Albin, and J. Butterworth, "New results for timing-based attestation," in 2012 IEEE Symposium on Security and Privacy. IEEE, 2012, pp. 239– 253.
- [43] D. Schellekens, B. Wyseur, and B. Preneel, "Remote attestation on legacy operating systems with trusted platform modules," *Science of Computer Programming*, vol. 74, no. 1-2, pp. 13–22, 2008.
- [44] Trusted Computing Group., "Trusted platform module (tpm)," 2017. [Online]. Available: http://www.trustedcomputinggroup.org/ work-groups/trusted-platform-module/
- [45] V. Costan and S. Devadas, "Intel SGX explained," Cryptology ePrint Archive, Report 2016/086, 2016. https://eprint.iacr.org/2016/086, Tech. Rep.
- [46] F. Brasser, K. B. Rasmussen, A.-R. Sadeghi, and G. Tsudik, "Remote attestation for low-end embedded devices: the prover's perspective," in *Proceedings of the 53rd Annual Design Automation Conference*, 2016, pp. 1–6.
- [47] V. Costan, I. Lebedev, and S. Devadas, "Sanctum: Minimal hardware extensions for strong software isolation," in 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 857–874.
- [48] A. Caulfield, N. Rattanavipanon, and I. De Oliveira Nunes, "Asap: reconciling asynchronous real-time operations and proofs of execution in simple embedded systems," in *Proceedings of the 59th ACM/IEEE Design Automation Conference*, 2022, pp. 721–726.
- [49] M. Ammar, A. Caulfield, and I. D. O. Nunes, "Sok: Runtime integrity," arXiv preprint arXiv:2408.10200, 2024.
- [50] Z. Sun, B. Feng, L. Lu, and S. Jha, "Oat: Attesting operation integrity of embedded devices," in 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020, pp. 1433–1449.
- [51] A. J. Neto and I. D. O. Nunes, "ISC-FLAT: On the Conflict Between Control Flow Attestation and Real-Time Operations," in 2023 IEEE 29th Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, 2023, pp. 133–146.
- [52] T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, A.-R. Sadeghi, and G. Tsudik, "C-flat: control-flow attestation for embedded systems software," in *Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security*, 2016, pp. 743–754.

- [53] F. Toffalini, E. Losiouk, A. Biondo, J. Zhou, and M. Conti, "ScaRR: Scalable runtime remote attestation for complex systems," in 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), 2019, pp. 121–134.
- [54] Y. Zhang, X. Liu, C. Sun, D. Zeng, G. Tan, X. Kan, and S. Ma, "ReCFA: resilient control-flow attestation," in *Annual Computer Security Applications Conference*, 2021, pp. 311–322.
- [55] J. Wang, Y. Wang, A. Li, Y. Xiao, R. Zhang, W. Lou, Y. T. Hou, and N. Zhang, "{ARI}: Attestation of real-time mission execution integrity," in 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 2761–2778.
- [56] I. D. O. Nunes, S. Jakkamsetti, and G. Tsudik, "Tiny-CFA: Minimalistic control-flow attestation using verified proofs of execution," in 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2021, pp. 641–646.
- [57] G. Dessouky, S. Zeitouni, T. Nyman, A. Paverd, L. Davi, P. Koeberl, N. Asokan, and A.-R. Sadeghi, "Lo-fat: Low-overhead control flow attestation in hardware," in *Proceedings of the 54th Annual Design Automation Conference 2017*, 2017, pp. 1–6.
- [58] G. Dessouky, T. Abera, A. Ibrahim, and A.-R. Sadeghi, "Litehax: lightweight hardware-assisted attestation of program execution," in 2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 2018, pp. 1–8.
- [59] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike, "Enforcing {Forward-Edge}{Control-Flow} integrity in {GCC} & {LLVM}," in 23rd USENIX security symposium (USENIX security 14), 2014, pp. 941–955.
- [60] V. Van der Veen, D. Andriesse, E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, "Practical context-sensitive cfi," in *Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security*, 2015, pp. 927–940.
- [61] R. J. Walls, N. F. Brown, T. Le Baron, C. A. Shue, H. Okhravi, and B. C. Ward, "Control-flow integrity for real-time embedded systems," in *31st Euromicro Conference on Real-Time Systems (ECRTS 2019)*. Schloss-Dagstuhl-Leibniz Zentrum für Informatik, 2019.
- [62] Microsoft, "Control Flow Guard," https://learn.microsoft.com/en-us/ windows/win32/secbp/control-flow-guard?redirectedfrom=MSDN.
- [63] T. Nyman, J.-E. Ekberg, L. Davi, and N. Asokan, "Cfi care: Hardware-supported call and return enforcement for commercial microcontrollers," in *Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September* 18–20, 2017, Proceedings. Springer, 2017, pp. 259–284.
- [64] N. Christoulakis, G. Christou, E. Athanasopoulos, and S. Ioannidis, "Hcfi: Hardware-enforced control-flow integrity," in *Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy*, 2016, pp. 38–49.
- [65] X. Tan and Z. Zhao, "Sherloc: Secure and holistic control-flow violation detection on embedded systems," in *Proceedings of the* 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 1332–1346.
- [66] N. S. Almakhdhub, A. A. Clements, S. Bagchi, and M. Payer, "μrai: Securing embedded systems with return address integrity," in *Network* and Distributed Systems Security (NDSS) Symposium, 2020.
- [67] N. Burow, X. Zhang, and M. Payer, "Sok: Shining light on shadow stacks," in 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019, pp. 985–999.
- [68] J. Zhou, Y. Du, Z. Shen, L. Ma, J. Criswell, and R. J. Walls, "Silhouette: Efficient protected shadow stacks for embedded systems," in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1219–1236.
- [69] X. Hao, M. Lv, J. Zheng, Z. Zhang, and W. Yi, "Integrating cyberattack defense techniques into real-time cyber-physical systems," in 2019 IEEE 37th International Conference on Computer Design (ICCD). IEEE, 2019, pp. 237–245.

- [70] M. Hasan, S. Mohan, R. B. Bobba, and R. Pellizzoni, "Exploring opportunistic execution for integrating security into legacy hard realtime systems," in 2016 IEEE Real-Time Systems Symposium (RTSS). IEEE, 2016, pp. 123–134.
- [71] M. Hamad, Z. A. Hammadeh, S. Saidi, V. Prevelakis, and R. Ernst, "Prediction of abnormal temporal behavior in real-time systems," in *Proceedings of the 33rd Annual ACM Symposium on Applied Computing*, 2018, pp. 359–367.
- [72] R. Pellizzoni, N. Paryab, M.-K. Yoon, S. Bak, S. Mohan, and R. B. Bobba, "A generalized model for preventing information leakage in hard real-time systems," in 21st IEEE Real-Time and Embedded Technology and Applications Symposium. IEEE, 2015, pp. 271–282.
- [73] M.-K. Yoon, S. Mohan, C.-Y. Chen, and L. S. Taskshuffler, "A schedule randomization protocol for obfuscation against timing inference attacks in real-time systems. in 2016 ieee real-time and embedded technology and applications symposium (rtas)," 2016.
- [74] K. Krüger, M. Volp, and G. Fohler, "Vulnerability analysis and mitigation of directed timing inference based attacks on time-triggered systems," *LIPIcs-Leibniz International Proceedings in Informatics*, vol. 106, p. 22, 2018.
- [75] Y. Wang, A. Li, J. Wang, S. Baruah, and N. Zhang, "Opportunistic data flow integrity for real-time cyber-physical systems using worst case execution time reservation."
- [76] F. Alder, G. Scopelliti, J. Van Bulck, and J. T. Mühlberg, "About time: On the challenges of temporal guarantees in untrusted environments," in *Proceedings of the 6th Workshop on System Software for Trusted Execution*, ser. SysTEX '23. New York, NY, USA: Association for Computing Machinery, 2023, p. 27–33. [Online]. Available: https://doi.org/10.1145/3578359.3593038
- [77] C. H. Kim, T. Kim, H. Choi, Z. Gu, B. Lee, X. Zhang, and D. Xu, "Securing real-time microcontroller systems through customized memory view switching." in NDSS, 2018.
- [78] I. D. O. Nunes, S. Hwang, S. Jakkamsetti, and G. Tsudik, "Privacyfrom-birth: Protecting sensed data from malicious sensors with versa," in 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2022, pp. 2413–2429.

# Appendix A. Shadow Task Details

A shadow task is created by the RTOS in the Non-Secure World to serve as a user-space handle used by the RTOS to interact with  $\mathcal{F}$ , since  $\mathcal{F}$  is isolated from  $\mathcal{F}_{Adv}$ . It has three main functionalities: (1) starting and terminating an RT-PoX process, (2) handling system calls, and (3) intermediating task switching by the RTOS. Figure 4 illustrates the interplay between the shadow task and other components in PEARTS.

**Starting/Terminating RT-PoX**. When Vrf requests RT-PoX of  $\mathcal{F}$ , the RTOS creates the shadow task in the Non-Secure World, whose initial behavior is to trigger PEARTS to start the PEARTS Initialization Routine (see Section 5.2). When the RT-PoX process is finished, PEARTS sends the report to the shadow task. The shadow task then forwards the report either directly to Vrf or to another task responsible for the report transmission. After that, the shadow task asks the RTOS to terminate the task of  $\mathcal{F}$ .

**Handling System Calls.** Since  $\mathcal{F}_{Adv}$  is untrusted, PEARTS must prohibit the use of system calls that return data from  $\mathcal{F}_{Adv}$  to  $\mathcal{F}$ , as this could affect  $\mathcal{F}$ 's behavior (recall Property 3). To enforce this, during the offline phase, all system calls made by  $\mathcal{F}$  are replaced with virtual instructions that invoke the PEARTS system call dispatcher. When  $\mathcal{F}$  triggers a system call, the PEARTS system call dispatcher (1) copies the arguments to the Non-Secure World context that will later be used by the shadow task; (2) logs the event in the RT-PoX report (including the system call type and arguments); and (3) resumes the shadow task in the Non-Secure World. When the CPU changes to Non-Secure mode, the registers are loaded with the system call context and the shadow task calls the corresponding system call. When system calls return 'void', the Shadow Task immediately triggers  $\mathcal{F}_{RoT}$  to resume  $\mathcal{F}$ . If the system call returns a status (success or failure), the Shadow Task relays this information to PEARTS dispatcher, which logs it in the report before sending it to  $\mathcal{F}$ . For synchronization, tasks using mutexes and semaphores must hold the corresponding handles. In this case, the shadow task holds the handle while the PEARTS system call dispatcher creates a token representing it and gives this token to  $\mathcal{F}$ . When  $\mathcal{F}$  needs to use the handle, it presents the token to the PEARTS system call dispatcher, which subsequently signals the shadow task to use the corresponding object on  $\mathcal{F}$ 's behalf.

Task Switching. The shadow task acts as an intermediary for task switching by the RTOS. Suppose the CPU is executing  $\mathcal{F}$  inside the ESR during RT-PoX. When a systick interrupt occurs, PEARTS dispatches it, switches the context to the Non-secure World and directs execution to the systick interrupt handler of the RTOS. Within the handler execution, the RTOS checks if a task switch is needed. If so, it sets the PendSV flag and then exits. After the systick handler ends and returns the control to PEARTS, PEARTS checks if the PendSV flag is active. If it is not, PEARTS resumes  $\mathcal{F}$ . When the flag is active, it means the RTOS wants to switch tasks. In this case, PEARTS transfers control to the Shadow Task, which is immediately interrupted by the PendSV interrupt. The PendSV interrupt handler then switches the context to another task. When the RTOS decides to switch back to  $\mathcal{F}$ , it first restores the Shadow Task's context and resumes its execution. The Shadow Task then invokes PEARTS to resume  $\mathcal{F}$ .

# Appendix B. System Calls Available to $\mathcal{F}$

During an RT-PoX process, to ensure Property 2, PEARTS does not expose all FreeRTOS system calls to  $\mathcal{F}$ . Specifically, any system call that fetches data (e.g., peripheral inputs) to  $\mathcal{F}$  must be restricted because a malicious RTOS could provide tampered data, compromising  $\mathcal{F}$ 's context. To cope with this,  $\mathcal{F}$  must implement its own data fetching functions (which is feasible and simple in baremetal MCUs). Other than data fetching, PEARTS supports the use of FreeRTOS system calls in two categories.

The first category is **control-yield system calls**, which allows  $\mathcal{F}$  to yield control of its execution. An example is "vTaskDelay()", where the task requests the RTOS to pause its execution for a certain amount of time. While a malicious RTOS could misbehave and delay for an incorrect amount of time, this behavior would be measured and subsequently detected by Vrf in PEARTS. This is because PEARTS measures time independently when  $\mathcal{F}$ 's execution is paused.

The second category includes **synchronization system** calls, used when  $\mathcal{F}$  needs to synchronize with another task in  $\mathcal{F}_{Adv}$  to access shared resources such as peripherals. These calls are allowed because synchronization controls resource access but does not involve sharing data and invalid access conflicts would be detected by PEARTS. For example, if the RTOS falsely signals that a resource is free when it's not, and  $\mathcal{F}_{Adv}$  modifies it while  $\mathcal{F}$  is using it, an interference exception would occur and be detected by Vrf. Conversely, if the RTOS falsely claims a resource is never available, Vrf would detect this through timing measurements that reveal the RTOS's blocking behavior.

A third category of system calls (although not currently implemented in PEARTS prototype) is possible: **datatransmission system calls**. These system calls could be allowed when originating from  $\mathcal{F}$  since sending data to a task in  $\mathcal{F}_{Adv}$  does not violate Property 2. In this case, the associated Shadow Task would manage the transfer, where the system call dispatcher copies the data to the shadow task. Alternatively, a shared memory region could be used to send the data. As mentioned above,  $\mathcal{F}$  should not blindly receive and use data fetched/generated by  $\mathcal{F}_{Adv}$ , so data-receiving system calls are not allowed.



 $\rightarrow$  Create / End Task --> Task Switching  $\rightarrow$  System Call Figure 4: Shadow Task interfacing the RTOS and PEARTS.

# Appendix C. RT-PoX vs. Trusted Scheduling

Property 5 in Section 3.2 states "RTOS availability" as the ability for PoX to function alongside the RTOS without disrupting its underlying duties or giving up on the system's timing requirements outside the context of  $\mathcal{F}$ . PEARTS realizes this by never blocking essential operations and resources, not interfering with RTOS task scheduling and resource management mechanisms, and keeping RT-PoXrelated overheads small.

The goal above is not to be confused with prior work on mechanisms that support/leverage trusted scheduling [28], [30], [29], [31]. The latter aims to guarantee real-time availability despite compromised software states. RT-PoX, on the other hand, enables remotely verifiable execution of a specific task ( $\mathcal{F}$ ), defined and requested by Vrf. The evidence contained in an RT-PoX report reliably informs Vrf of interruptions (and their durations) during the execution of  $\mathcal{F}$ , as well as any interference in  $\mathcal{F}$ 's context through its provable execution. Different from the related work above, PEARTS does not involve bringing functions that would normally be performed by the Non-Secure World RTOS (e.g., scheduling of Non-Secure World tasks) into the Secure World to guarantee their occurrence. Instead, it allows the RTOS to remain in the Non-Secure World while enabling remote verifiability of execution integrity and associated timing for specific tasks upon Vrf's request.

TABLE 8: List of FreeRTOS system calls allowed by PEARTS

| FreeRTOS Services            | System Calls Available to $\mathcal{F}$                                                                                                                                                                                                                                                                                                                                                                                                         |
|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Task Control                 | vTaskDelay()<br>vTaskDelayUntil()<br>xTaskDelayUntil()<br>vTaskPrioritySet()<br>vTaskSuspend()<br>vTaskResume()<br>xTaskAbortDelay()                                                                                                                                                                                                                                                                                                            |
| Direct To Task Notifications | xTaskNotifyGive()<br>xTaskNotify()<br>xTaskNotifyAndQuery()<br>xTaskNotifyWait()<br>xTaskNotifyStateClear()                                                                                                                                                                                                                                                                                                                                     |
| Semaphore / Mutexes          | xSemaphoreCreateBinary()<br>xSemaphoreCreateBinaryStatic()<br>vSemaphoreCreateBinaryStatic()<br>xSemaphoreCreateCounting()<br>xSemaphoreCreateCountingStatic()<br>xSemaphoreCreateMutex()<br>xSemaphoreCreateMutex()<br>xSemaphoreCreateRecursiveMutex ()<br>xSemaphoreCreateRecursiveMutexStatic()<br>vSemaphoreDelete()<br>xSemaphoreTake()<br>xSemaphoreTakeRecursive()<br>xSemaphoreGive()<br>xSemaphoreGive()<br>xSemaphoreGiveRecursive() |

# Appendix D. META-REVIEW

The following meta-review was prepared by the program committee for the 2025 IEEE Symposium on Security and Privacy (S&P) as part of the review process as detailed in the call for papers.

## **D.1. Summary**

This paper develops a provable execution (PoX) system that aims to enable interrupt, a necessary condition for realtime availability, which was not never supported in prior efforts.

## **D.2.** Scientific Contributions

- Provides a Valuable Step Forward in an Established Field
- Creates a New Tool to Enable Future Science
- Addresses a Long-Known Issue

## **D.3.** Reasons for Acceptance

- Real-time availability is a long standing challenge and this paper provides a value step in harmonizing realtime availability with the existing line of work on proof of execution
- 2) The solution is implemented and evaluated on actual hardware.