Inferensys

Glossary

Memory Protection Unit (MPU)

A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
EMBEDDED SECURITY FOR TINYML

What is a Memory Protection Unit (MPU)?

A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.

A Memory Protection Unit (MPU) is a hardware-based security feature integrated into many modern microcontrollers. It functions as a programmable gatekeeper, partitioning the device's physical address space into distinct, configurable regions. For each region, the MPU enforces strict access permissions—such as read-only, read-write, or execute-only—based on the privilege level of the currently executing code. This hardware-enforced isolation is fundamental for creating Trusted Execution Environments (TEEs) and implementing the principle of least privilege, preventing a fault or malicious actor in one software module from corrupting or accessing sensitive data in another.

In TinyML deployment, an MPU is critical for securing the inference pipeline. It can isolate the machine learning model's weights and input data in a protected region, safeguarding intellectual property and ensuring data privacy. It also shields the model's execution from untrusted application code, guaranteeing deterministic operation. Unlike a full Memory Management Unit (MMU), an MPU lacks virtual memory capabilities, making it lighter and more suitable for resource-constrained devices. Its configuration is typically managed by a secure kernel or a Real-Time Operating System (RTOS) with MPU support, defining regions for the kernel, drivers, and application tasks.

HARDWARE SECURITY PRIMITIVE

Key Characteristics of an MPU

A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.

01

Region-Based Access Control

An MPU operates by dividing the processor's addressable memory into a limited number of configurable regions (typically 8-16). For each region, the MPU enforces rules defined by:

  • Base Address: The starting memory location of the protected region.
  • Size: The region's size, often required to be a power of two.
  • Access Permissions: Defines which bus masters (e.g., CPU, DMA controller) can perform read, write, and execute operations.
  • Memory Attributes: Specifies cache and buffer policies (e.g., write-through, non-cacheable). This granular control allows developers to create a privilege model, isolating the kernel, application tasks, and peripheral registers.
02

Privilege Levels & Fault Generation

MPUs enforce a fundamental security principle: least privilege. They define at least two processor modes:

  • Privileged Mode: Full system access (typically used by the OS kernel and trusted firmware).
  • Unprivileged/User Mode: Restricted access, governed by MPU region rules. Any access violation—such as an unprivileged task attempting to write to a kernel region or execute from a non-executable data region—triggers a Memory Management Fault (MemManage). This fault exception immediately halts the offending operation and transfers control to a secure handler, preventing exploitation of memory corruption bugs.
03

Static vs. Dynamic Reconfiguration

MPU configuration is a critical system operation. Two primary management models exist:

  • Static Partitioning: Regions are configured once at boot by secure firmware (e.g., a Real-Time Operating System kernel) and remain fixed. This is simple and secure but inflexible.
  • Dynamic Reconfiguration: The OS kernel changes MPU region settings on every context switch between application tasks. This provides strong isolation for a multi-tasking system but adds overhead. The configuration must be managed in privileged mode to prevent a malicious task from granting itself unauthorized access.
04

Comparison with an MMU

While both manage memory access, an MPU is distinct from a full Memory Management Unit (MMU):

  • MPU (Memory Protection Unit): Enforces protection only. It works with physical addresses, has a small number of fixed regions, and lacks address translation. It is lightweight, deterministic, and standard on Cortex-M series MCUs for real-time systems.
  • MMU (Memory Management Unit): Provides protection + virtualization. It translates virtual addresses to physical addresses via page tables, supports demand paging, and enables complex operating systems like Linux. It is more powerful but has higher latency and complexity. For TinyML on microcontrollers, the MPU's deterministic, low-overhead protection is ideal.
05

Role in System Security Architecture

An MPU is a foundational hardware-enforced security control within a defense-in-depth strategy for embedded systems:

  • Fault Containment: Isolates a fault or malicious activity within a single task or subsystem, preventing a full system compromise.
  • Trusted Computing Base (TCB) Minimization: Protects the integrity of the secure kernel and cryptographic libraries from buggy or compromised application code.
  • Enabler for Secure Coding: Allows the use of an RTOS with kernel/user space separation even on resource-constrained devices, moving beyond a monolithic, all-privileged firmware model. It is often used in conjunction with other hardware features like ARM TrustZone-M to create a robust security perimeter.
06

Implementation in TinyML Systems

In TinyML deployments, the MPU safeguards critical assets on the microcontroller:

  • Model Integrity: The trained neural network model weights in flash or RAM can be placed in a read-only, executable region for the inference engine, preventing accidental or malicious corruption.
  • Sensor Data Isolation: Raw sensor input buffers and pre-processed feature vectors can be assigned to regions accessible only by the specific data pipeline tasks.
  • Secure Communication Buffers: Regions holding cryptographic keys or data for secure updates (OTA) can be made inaccessible to the main application tasks.
  • Real-Time Guarantees: By preventing memory corruption, the MPU helps maintain the deterministic timing required for real-time sensor sampling and inference loops.
HARDWARE SECURITY PRIMITIVE

How a Memory Protection Unit Works

A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.

A Memory Protection Unit (MPU) is a hardware component within a microcontroller's memory management system that enforces access permissions for distinct memory regions. It operates by defining a set of programmable protection regions, each with configurable attributes for base address, size, and access rights (e.g., read-only, execute-never). During runtime, the MPU's hardware logic intercepts every memory access from the CPU core, checks it against the active region rules, and triggers a memory management fault for any violation, halting unauthorized execution. This hardware-enforced isolation is fundamental for creating privilege separation between a secure kernel and untrusted application tasks, a core requirement in Trusted Execution Environments (TEEs) and secure embedded systems.

In TinyML deployment, an MPU is critical for securing sensitive model parameters, inference data, and cryptographic keys stored in SRAM or flash. By configuring the MPU to mark the memory region containing a neural network's weights as execute-only or read-only from user space, it prevents a compromised application from extracting or tampering with proprietary intellectual property. Furthermore, it can isolate the intermediate activation buffers of a running model, guarding against data leakage. This hardware-based containment works in concert with other security primitives like Secure Boot and a Hardware Root of Trust to establish a robust defense-in-depth strategy for resource-constrained IoT devices, ensuring deterministic protection without the overhead of a full Memory Management Unit (MMU).

HARDWARE MEMORY MANAGEMENT

MPU vs. MMU: A Comparison for Embedded Systems

A technical comparison of Memory Protection Units (MPUs) and Memory Management Units (MMUs), highlighting their architectural differences, capabilities, and typical use cases in resource-constrained embedded and TinyML systems.

Feature / CharacteristicMemory Protection Unit (MPU)Memory Management Unit (MMU)

Primary Function

Enforces access permissions (read/write/execute) for fixed memory regions.

Performs address translation (virtual to physical) and enforces access permissions.

Address Space

Single, flat physical address space.

Virtual address space, isolated per process or task.

Memory Region Granularity

Coarse, fixed number of regions (e.g., 8-16). Region size is a power of two with alignment constraints.

Fine-grained, using page tables. Page size is configurable (e.g., 4KB, 64KB).

Dynamic Memory Management

Hardware Cost & Complexity

Low. Minimal logic, small silicon area, low power overhead.

High. Requires Translation Lookaside Buffer (TLB), page table walk logic, higher power.

Real-Time Determinism

High. Region checks are simple and predictable. No TLB miss penalties.

Variable. Subject to TLB miss penalties and page table walks, which introduce non-deterministic latency.

Task/Process Isolation

Limited. Provides spatial separation but within a single address space. Context switching requires MPU re-programming.

Strong. Full address space isolation per process. Context switch updates base register (e.g., TTBR0).

Use Case Typicality

Real-Time Operating Systems (RTOS), safety-critical firmware, microcontroller-based TinyML inference engines.

General-Purpose Operating Systems (Linux, Android), application processors running complex software stacks.

Required Privilege Levels

Often uses 2 privilege levels (e.g., Privileged/Unprivileged modes in ARM Cortex-M).

Leverages full privilege hierarchy (e.g., EL3/EL2/EL1/EL0 in ARMv8-A).

Example Architectures

ARM Cortex-M series (M3, M4, M7, M33, M55), RISC-V with PMP/ePMP.

ARM Cortex-A series, x86, RISC-V with Sv32/Sv39 paging.

SECURITY & ISOLATION

MPU Use Cases in TinyML & Embedded AI

A Memory Protection Unit (MPU) is a critical hardware component for securing resource-constrained devices. In TinyML systems, it enforces strict memory boundaries to protect models, data, and system integrity.

01

Model & Data Integrity Protection

The MPU enforces read-only access to critical memory regions, preventing unauthorized code from corrupting the deployed machine learning model's weights and architecture. It also isolates sensor input buffers and inference output buffers, ensuring raw data and results cannot be tampered with by other application tasks. This is foundational for guaranteeing the deterministic behavior of a production TinyML pipeline.

02

Fault Containment & System Resilience

In complex embedded applications, a bug in one task (e.g., a communication driver) must not crash the entire system. An MPU isolates task memory (stack, heap, data) into separate, unprivileged regions. A memory access violation triggers a precise hardware fault exception, allowing the Real-Time Operating System (RTOS) to terminate only the faulty task while the core TinyML inference engine and other critical services continue uninterrupted.

03

Enforcing Least Privilege

The MPU is used to implement a hardware-enforced privilege model. Critical kernel and security services execute in a privileged mode with full memory access. Application tasks, including the TinyML inference thread, run in an unprivileged user mode with access only to their explicitly allocated memory regions. This prevents a compromised inference task from accessing cryptographic keys, secure boot parameters, or other tasks' data, drastically reducing the attack surface.

04

Secure Multi-Tenancy on a Single Core

For devices hosting software from multiple vendors or running isolated workloads (e.g., a proprietary ML model alongside a customer's application logic), the MPU creates hardware-enforced partitions. Each tenant's code and data are confined to distinct, non-overlapping memory regions. This enables secure IoT edge scenarios where a sensor analytics model from one provider is logically separated from device management firmware from another, all on a single, cost-effective microcontroller.

05

Guard Against Code Injection & ROP Attacks

The MPU mitigates common software exploitation techniques. It can mark the .text (code) section as execute-only (XO) or read-only (RO), preventing an attacker from writing malicious shellcode into executable memory. It can also mark the stack and heap as non-executable (XN), thwarting attempts to run injected code from these data areas. This is a key defense in devices that parse complex network packets or file formats.

06

Integration with Secure Boot & TEE

The MPU is a foundational element in a layered security architecture. After Secure Boot verifies the initial firmware, the MPU is configured to protect the bootloader and root-of-trust code. In systems with ARM TrustZone-M, the MPU defines memory access rules for both the Secure and Non-secure worlds, acting as the hardware gatekeeper for the Trusted Execution Environment (TEE) where sensitive ML model parameters or keys might be stored.

MEMORY PROTECTION UNIT (MPU)

Frequently Asked Questions

A Memory Protection Unit (MPU) is a critical hardware security component in microcontrollers. These questions address its core functions, implementation, and role in securing TinyML deployments.

A Memory Protection Unit (MPU) is a hardware component within a microcontroller's memory system that enforces access rules for different regions of memory. It works by configuring a set of programmable protection regions or background regions that define the accessibility—such as read, write, and execute permissions—for specific address ranges. The MPU sits between the processor core and the memory bus, intercepting every memory access attempt. When the processor or a bus master (like a DMA controller) attempts to access an address, the MPU checks the request against the active region's rules. If the access violates the permissions (e.g., an untrusted application tries to write to a kernel memory region), the MPU triggers a memory management fault (MemManage fault), halting the unauthorized operation and protecting critical system software and data from corruption or theft.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.