Inria's challenge RIOT-fp : a major project aimed at improving the security and transparency of connected objects

What many connected objects have in common is that they operate using simple microcontrollers, meaning they have limited processing power and use up relatively little energy. This is the case for communicating sensors, for example, which deliver information or interact with storage servers (clouds) or, at a more local level, with home heating systems.

How can the frugality constraints on these systems be combined with high-speed, high-security features in programmes which are open to all, in order to build trust in connected objects?

The answer from a growing community of programmers and users is “RIOT!”. RIOT is an operating system designed for the internet of things (IoT) which brings together several hundred developers from across the world - more than 200 of whom have contributed towards the main branch of this free “toolbox” - under a shared license, with the possibility of adding ancillary owner codes.

“RIOT was conceived as an equivalent to Linux for connected objects with microcontrollers, which have substantially less processing power and one millionth of the memory of microprocessors”, explains Emmanuel Baccelli, a researcher within the TRIBE project team at the Inria Saclay - Ile-de-France Research Centre, who has been responsible for coordinating the community of developers since it was set up in 2013.

The goal of this “Linux of things” is ambitious: to unify the secure programming of a wide variety of objects using C language as a basis, offering opensource programme building blocks which anyone can view or make changes to in order to make the core of RIOT’s code an adaptable, ultralight and secure system. “Making the model opensource is our way of ensuring the sustainability of this common resource, enabling it to be constantly improved by contributors, whether universities, manufacturers or other users, such as ‘makers’.”

It also responds to calls for security and transparency, which users of connected objects have been clamouring for ever since Edward Snowden's revelations and the various instances of information being leaked via these objects.

A major project - and a major challenge 

In this context, Inria launched a major project (IPL) aimed at supporting the development of RIOT, relying on the drive of a number of the institute’s teams (EVA, GRACE, PROSECCO, TEA and TRIBE). Support also came from Freie Universität Berlin, where Emmanuel Baccelli, coordinator of RIOT-fp, teaches.

“fp stands for ‘future proof’ - we set the bar very high, meaning there’s obviously a risk of us not reaching it”, explains Emmanuel Baccelli. “As is the case with all research, there’s a risk of failure. We have major challenges to overcome. Can a balance be struck between security and energy efficiency? Is it possible, for example, to devise effective cryptographic algorithms with the limited processing power of a microcontroller while operating at the same level as the rest of the internet? Can a balance be struck between security and user sovereignty? Would it be possible, for example, to allow anyone to install or update new software without invalidating pre-existing security?”. 

This is another challenge that the RIOT-fp project has set itself: to deliver formal proofs of execution robustness in order to enable these secure updates to take place via a low-energy, wireless network, whether for the operating system itself or for the different modules it might incorporate. At this point in the adventure, one unknown remains: on what proportion of code would a formal proof be possible, without this comprising either the generality of the code or its performance levels, namely its size or its speed?

Rock solid motivation

A highly ambitious project, RIOT-fp will provide answers to some of these questions, combining academic results with the publication of opensource codes, which will be updated and incorporated into RIOT’s free ecosystem. Some features have been available since 2018, and employed in connected objects using RIOT.

However, although some of the stakeholders in the RIOT community are manufacturers, modifying the operating system of a connected object is no mean feat. “In absolute terms, it is possible”, explains Emmanuel Baccelli. “But there are a number of obstacles we still have to overcome. Firstly, it’s necessary for the manufacturers not to have ‘locked’ the object in question, as is sometimes the case with objects offering connected services. This makes suppliers reluctant to grant users free rein to load additional opensource services. Another entirely legitimate obstacle is user security. Although RIOT is compatible - or can easily be adapted for use - with a wide range of objects, you can’t do just anything on any object. Take a medical device like a pacemaker, for example... Through RIOT-fp, we want to factor in this aspect by formalising a solution that is both versatile - covering all types of objects via a common base that can be adapted to the relevant security level - and which performs well, with formal proofs regarding security.” 

In a context as complex as the internet of things, RIOT-fp should give us a much clearer idea of the feasibility of a “Linux of things” within the next three years. The potential for such a “common resource” is enormous: users would be able to adopt their desired operating system - for a connected alarm linked to a monitoring centre, for example - independently of the manufacturer of the object, or even the supplier of the service. It could also prove highly beneficial in terms of the environment and resources: a system that performs well, is scalable and which uses a limited amount of energy would help boost the longevity of materials, not just by saving on batteries, but by adapting the software and its security to keep pace with changes to requirements and standards.