Securing Embedded Devices: A Multi-Layered Approach with SAFERTOS® and the ESM
18 Sep, 2025
Securing embedded devices requires a multi-layered approach, with each security measure building upon the last. An embedded system’s security is only as strong as its weakest link, meaning that every component, hardware and software alike, must be meticulously protected. Key security concerns include safeguarding sensitive data, preventing unauthorized control, mitigating Denial of Service (DoS) attacks, and securing intellectual property. At the heart of these protections is the Root of Trust, which ensures the authenticity and integrity of both the device and its software through digital signatures.
A critical part of the Root of Trust is the Real-Time Operating System (RTOS), which provides a secure platform for running applications. The specific security requirements for an embedded system depend on its architecture and the threats it faces. In this blog, we’ll explore RTOS security, focusing on SAFERTOS® and its Enhanced Security Module (ESM) as an example of best practices in safeguarding embedded systems.
Attack Surface
The security of an embedded device depends on its software architecture, perceived threats, and attack surface. The attack surface is the sum of points where a bad actor can gain access to the system or extract data. Minimizing this surface is key to security.
In a simple system, such as a remote sensor with a single network connection, the attack surface is limited to the network channel, where encryption and key authentication can mitigate risks.
In more complex systems, like embedded medical devices with multiple processors, the attack surface grows. For example, a safety processor managing sensitive data and an application processor handling third-party software may introduce risks through communication channels. Securing the interface or communication link can help protect against attacks.
In complex systems such as autonomous vehicles, the attack surface is larger due to multiple processors and external interfaces. Security must be addressed on several levels, including using an RTOS to limit access to specific memory regions and resources, isolating any compromised tasks and preventing further system breaches.
SAFERTOS® and Security Overview
SAFERTOS® is a safety-critical RTOS designed for industries such as automotive, medical, and industrial. It leverages the processor’s Memory Protection Unit (MPU) or Memory Management Unit (MMU) to create spatial separation between Tasks, preventing one from overwriting another’s memory and reducing the risk of system failure. The system assigns specific access permissions (read-only, write, execute) to each Task’s memory regions, with privileged memory protecting the SAFERTOS® kernel data.
To further strengthen security, the SAFERTOS® Enhanced Security Module (ESM) hardens the spatial separation between Tasks, ensuring a compromised Task cannot access other system areas and minimizing the risk of DoS attacks. It includes a penetration detection monitor that identifies abnormal system behaviour and protects the system from security breaches. The ESM minimizes the attack surface by restricting each Task’s access to only the necessary resources.
SAFERTOS® and the ESM also include an Access Control Policy (ACP) that limits the SAFERTOS® APIs available to each Task, reducing vulnerabilities and preventing compromised Tasks from impacting other system areas. Additionally, the Object Access Control Policy (OACP) restricts Task access to specific RTOS objects like queues and semaphores, closing potential access points to sensitive data.
To enhance security, the ESM replaces traditional Task/Object handles with indirect Object IDs, preventing Tasks from discovering and accessing the memory locations of critical system components like RTOS objects or Task Control Blocks (TCBs). This approach strengthens system security by limiting the information available to a compromised Task.
SAFERTOS® and its ESM must reside in privileged memory, ensuring that user-mode Tasks cannot access sensitive system data. Tasks should be confined to the smallest memory region possible to reduce the attack surface. The system also includes a security-aware portable layer that ensures a stronger boundary between privileged and user-mode memory, preventing user tasks from elevating their privileges.
The Penetration Detection Monitor within the ESM continuously monitors violations of the ACP, OACP, or any API failures, reporting breaches to the application to allow for a rapid response. SAFERTOS® and the ESM are initialized during the ‘Root of Trust’ boot sequence, and proper management of Task priorities, MPU configurations, and system resource access is essential for maintaining system security. Tasks should run in user mode, with interrupts operating in privileged mode, and careful attention must be given to how Tasks interact with system resources.
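To make the mechanisms described in the last few paragraphs concrete, here is an added illustration in C of how an API gate can combine an Access Control Policy (which kernel calls a Task may make), indirect Object IDs (a small integer that the kernel resolves in privileged memory, so the Task never learns the object’s address), an Object Access Control Policy (what the Task may do with that object), and a violation counter that stands in for a penetration detection monitor reporting to the application. This is not SAFERTOS® or ESM code and does not reflect their internal design or API names; every identifier, the capability bits and the two-task, one-queue policy are constructed for the example.

```c
/* Added illustration, not SAFERTOS/ESM code. All names hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TASKS   4
#define MAX_OBJECTS 8

/* ACP: capability bits naming the kernel APIs a Task is allowed to call. */
enum api_cap {
    API_QUEUE_SEND    = 1u << 0,
    API_QUEUE_RECEIVE = 1u << 1,
    API_SEM_TAKE      = 1u << 2,
    API_SEM_GIVE      = 1u << 3,
    API_TASK_DELETE   = 1u << 4,
};

/* OACP: what a Task may do with one specific RTOS object. */
enum obj_cap {
    OBJ_READ  = 1u << 0,
    OBJ_WRITE = 1u << 1,
};

/* Indirect Object ID: an index into the kernel's private table, never a pointer.
 * A Task holding an ID learns nothing about where the object lives. */
typedef uint8_t object_id_t;

struct kernel_object {
    void    *private_ptr;       /* real queue/semaphore, stays in privileged memory */
    uint8_t  acl[MAX_TASKS];    /* per-Task OBJ_* bits */
    uint8_t  in_use;
};

struct task_policy {
    uint32_t api_caps;          /* ACP: allowed API_* bits for this Task */
};

enum check_result {
    CHECK_OK = 0,
    CHECK_ACP_VIOLATION,        /* Task called an API it is not permitted to use */
    CHECK_OACP_VIOLATION,       /* Task may call the API but not on this object */
    CHECK_BAD_ID                /* ID does not resolve to a live object (or bad Task) */
};

static struct kernel_object g_objects[MAX_OBJECTS];
static struct task_policy   g_tasks[MAX_TASKS];
static unsigned             g_violations;      /* stand-in for the detection monitor */
static unsigned             g_last_violator;
static enum check_result    g_last_reason;

/* The monitor records the event; a real system would also notify the application. */
static void report_violation(unsigned task, enum check_result why)
{
    g_violations++;
    g_last_violator = task;
    g_last_reason = why;
}

/* Gate placed at every kernel API entry: ACP first, then resolve the indirect
 * ID in privileged memory, then OACP on the resolved object. */
enum check_result kernel_check_access(unsigned task, enum api_cap api,
                                      object_id_t id, uint8_t needed)
{
    if (task >= MAX_TASKS)
        return CHECK_BAD_ID;
    if ((g_tasks[task].api_caps & (uint32_t)api) == 0) {
        report_violation(task, CHECK_ACP_VIOLATION);
        return CHECK_ACP_VIOLATION;
    }
    if (id >= MAX_OBJECTS || !g_objects[id].in_use) {
        report_violation(task, CHECK_BAD_ID);
        return CHECK_BAD_ID;
    }
    if ((g_objects[id].acl[task] & needed) != needed) {
        report_violation(task, CHECK_OACP_VIOLATION);
        return CHECK_OACP_VIOLATION;
    }
    return CHECK_OK;   /* the caller may now use g_objects[id].private_ptr */
}

unsigned kernel_violation_count(void) { return g_violations; }
unsigned kernel_last_violator(void)   { return g_last_violator; }

/* Constructed policy: Task 0 is a producer on object 3, Task 1 a consumer. */
void demo_setup(void)
{
    static int fake_queue;                  /* stands in for a kernel queue */
    memset(g_objects, 0, sizeof g_objects);
    memset(g_tasks, 0, sizeof g_tasks);
    g_violations = 0;
    g_objects[3].private_ptr = &fake_queue;
    g_objects[3].in_use = 1;
    g_objects[3].acl[0] = OBJ_WRITE;
    g_objects[3].acl[1] = OBJ_READ;
    g_tasks[0].api_caps = API_QUEUE_SEND;
    g_tasks[1].api_caps = API_QUEUE_RECEIVE;
}

int main(void)
{
    demo_setup();
    kernel_check_access(1, API_QUEUE_SEND, 3, OBJ_WRITE);   /* ACP violation */
    kernel_check_access(1, API_QUEUE_RECEIVE, 3, OBJ_WRITE);/* OACP violation */
    printf("violations=%u last_violator=%u\n",
           kernel_violation_count(), kernel_last_violator());
    return 0;
}
```

The ordering matters: a Task that is denied an API by the ACP never reaches the ID lookup, so it cannot probe which IDs are live, and a Task that passes the ACP still only touches the object through the kernel’s own table. The counter is the minimal form of the monitor the post describes; the application policy for what to do after a report (log, restart the Task, halt) is outside this sketch.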
Summary
In conclusion, securing embedded systems requires more than a single fix: it demands a multi-layered approach. The ESM plays a key role in minimizing the attack surface of user-mode Tasks, helping to contain bad actors within a single Task and preventing them from spreading throughout the system. This blog shows how SAFERTOS® and its ESM offer robust protection mechanisms to detect, slow down, and block unauthorized access, ensuring sensitive data stays secure and the system remains under control.
Author
Stephen Ridley, Engineering Manager