Many embedded systems have relatively strong security requirements because they handle confidential data or support secure electronic transactions. A prototypical example are payment terminals. To ensure that sensitive data such as cryptographic keys cannot leak, security-critical parts of these systems are implemented as separate chips, and hence physically isolated from other parts of the system.
But isolation can also be implemented in software. Higher-end computing platforms are equipped with hardware support to facilitate the implementation of virtual memory and virtual machine monitors. However many embedded systems lack such hardware features.
In this paper, we propose a design for a generic and very lightweight hardware mechanism that can support an efficient implementation of isolation for several subsystems that share the same processor and memory space. A prototypical application is the software implementation of cryptographic support with strong assurance on the secrecy of keys, even towards other code sharing the same processor and memory. Secure co-habitation of code from different stakeholders on the same system is also supported.