Microcontroller systems are integral to our daily lives, powering mission-critical applications such as vehicles, medical devices, and industrial control systems. Therefore, it is essential to investigate and outline the challenges encountered in developing secure microcontroller systems. While previous research has focused solely on microcontroller firmware analysis to identify and characterize vulnerabilities, our study uniquely leverages data from the 2023 and 2024 MITRE eCTF team submissions and post-competition interviews. This approach allows us to dissect the entire lifecycle of secure microcontroller system development from both technical and perceptual perspectives, providing deeper insights into how these vulnerabilities emerge in the first place. Through the lens of eCTF, we identify fundamental conceptual and practical challenges in securing microcontroller systems. Conceptually, it is difficult to adapt from a microprocessor system to a microcontroller system, and participants are not wholly aware of the unique attacks against microcontrollers. Practically, security-enhancing tools, such as the memory-safe language Rust, lack adequate support on microcontrollers. Additionally, poor-quality entropy sources weaken cryptography and secret generation. Our findings articulate specific research, developmental, and educational deficiencies, leading to targeted recommendations for researchers, developers, vendors, and educators to enhance the security of microcontroller systems.

翻译：微控制器系统是我们日常生活的核心组成部分，为车辆、医疗设备和工业控制系统等关键任务应用提供动力。因此，研究和概述开发安全微控制器系统所面临的挑战至关重要。尽管先前的研究仅关注微控制器固件分析以识别和表征漏洞，但本研究独特地利用了2023年和2024年MITRE eCTF团队提交的数据和赛后访谈。这种方法使我们能够从技术和认知两个角度剖析安全微控制器系统开发的整个生命周期，更深入地揭示这些漏洞最初是如何产生的。通过eCTF的视角，我们识别了保护微控制器系统安全的基本概念和实践挑战。在概念上，从微处理器系统过渡到微控制器系统存在困难，且参与者并未完全意识到针对微控制器的独特攻击方式。在实践中，诸如内存安全语言Rust等增强安全性的工具在微控制器上缺乏足够的支持。此外，低质量的熵源削弱了密码学和密钥生成的安全性。我们的研究结果明确了具体的研究、开发和教育不足，从而为研究人员、开发者、供应商和教育工作者提出了有针对性的建议，以提升微控制器系统的安全性。