ZAYA μContainer Security

Updated: Nov 2

ZAYA μContainers are a brand new feature for resource-constraint small and MMU-less Microcontrollers to provide high-level security for IoT Edges. ZAYA μContainers are security-less execution and the following sections explain how ZAYA μContainers are protected.


1. Isolation "Limitation of Traditional RTOSes: Due to lack of isolation hardware’s such as MMU on the microcontrollers, there is no isolation between, Kernel and User Applications(s) and code can access all address range of the device. Herein, when an application is malfunctioned (e.g. Code Injection), can get control of the whole IoT Device, including secrets (e.g. crypto keys) of other modules. It is the most critical security leak at the moment for the IoT Edge devices. "


As mentioned before, ZAYA μContainers are isolated executables, and any malfunctioned user application or container cannot violate a μContainer.


Isolation is a requirement for almost all security certifications.

1.1 Platform Security Architecture(PSA)

PSA Level 1 requires isolation between Secure Processing Environment(SPE) and Non-Secure Processing Environment(NSPE).

Herein, a ZAYA μContainer runs in ZAYA User Space is equivalent to PSA NSPE and ZAYA Kernel Space is an equivalent to PSA SPE which is isolated from ZAYA User Space.


1.2. SESIP (v1.3)

SESIP requires two levels of isolation. a. Isolation of Platform: SESIP requires isolation of IoT Platform Layer from the IoT Application Layer. ZAYA Kernel space is the platform layer that is isolated from ZAYA User Space. Containers run in User Space which meets the requirement. b. Isolation of Application Parts: SESIP requires isolation between user applications. ZAYA Secure Kernel provides Process Isolation, and ZAYA Containers make use of ZAYA Process isolation to isolate themselves from other user-space executables which meet the SESIP requirement.


2. μContainer Authentication

ZAYA μContainers includes its signature (public-key cryptography). ZAYA Containers must be signed by a trusted source. ZAYA uses public-key authenticity to authenticate the Containers.


ZAYA Secure Kernel performs authentication checks during μContainers installation and upgrade. If authentication fails, installation/upgrade is rejected,

ZAYA Secure Kernel also performs authentication checks for each device startup and unauthenticated μContainers are not run by ZAYA Secure Run.


3. PSA Functional API ZAYA Secure Kernel is a PSA Certified™ Functional API Operating System and implements PSA Functional API using the proven security stacks. ZAYA Secure Kernel passes all PSA Test Suite Tests.


ZAYA containers make use of ZAYA’s PSA Functional API from ZAYA Secure Kernel to have security services such as Cryptography, Secure Storage, Attestation.


ZAYA Containers do not need to handle basic cryptographic algorithms nor secure key-storage which is already handled in isolated and certified Kernel Space. Therefore, ZAYA Containers are security free pure user executables.

4. μContainer Access Policy Each ZAYA μContainer has an "Access Policies" that shows what resources a μContainers can access. The access policy is a signed attribute that is also authenticated by the ZAYA Secure Kernel.


When a μContainer tries to access a resource, ZAYA Secure Kernel performs access right check using μContainer access policy, and grants access if μContainer has right.



For more details and demonstrations, please contact info@za-ya.co

101 views0 comments