A Memory Protection Unit (MPU) is a hardware-based security feature integrated into many modern microcontrollers. It functions as a programmable gatekeeper, partitioning the device's physical address space into distinct, configurable regions. For each region, the MPU enforces strict access permissions—such as read-only, read-write, or execute-only—based on the privilege level of the currently executing code. This hardware-enforced isolation is fundamental for creating Trusted Execution Environments (TEEs) and implementing the principle of least privilege, preventing a fault or malicious actor in one software module from corrupting or accessing sensitive data in another.
Glossary
Memory Protection Unit (MPU)

What is a Memory Protection Unit (MPU)?
A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.
In TinyML deployment, an MPU is critical for securing the inference pipeline. It can isolate the machine learning model's weights and input data in a protected region, safeguarding intellectual property and ensuring data privacy. It also shields the model's execution from untrusted application code, guaranteeing deterministic operation. Unlike a full Memory Management Unit (MMU), an MPU lacks virtual memory capabilities, making it lighter and more suitable for resource-constrained devices. Its configuration is typically managed by a secure kernel or a Real-Time Operating System (RTOS) with MPU support, defining regions for the kernel, drivers, and application tasks.
Key Characteristics of an MPU
A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.
Region-Based Access Control
An MPU operates by dividing the processor's addressable memory into a limited number of configurable regions (typically 8-16). For each region, the MPU enforces rules defined by:
- Base Address: The starting memory location of the protected region.
- Size: The region's size, often required to be a power of two.
- Access Permissions: Defines which bus masters (e.g., CPU, DMA controller) can perform read, write, and execute operations.
- Memory Attributes: Specifies cache and buffer policies (e.g., write-through, non-cacheable). This granular control allows developers to create a privilege model, isolating the kernel, application tasks, and peripheral registers.
Privilege Levels & Fault Generation
MPUs enforce a fundamental security principle: least privilege. They define at least two processor modes:
- Privileged Mode: Full system access (typically used by the OS kernel and trusted firmware).
- Unprivileged/User Mode: Restricted access, governed by MPU region rules. Any access violation—such as an unprivileged task attempting to write to a kernel region or execute from a non-executable data region—triggers a Memory Management Fault (MemManage). This fault exception immediately halts the offending operation and transfers control to a secure handler, preventing exploitation of memory corruption bugs.
Static vs. Dynamic Reconfiguration
MPU configuration is a critical system operation. Two primary management models exist:
- Static Partitioning: Regions are configured once at boot by secure firmware (e.g., a Real-Time Operating System kernel) and remain fixed. This is simple and secure but inflexible.
- Dynamic Reconfiguration: The OS kernel changes MPU region settings on every context switch between application tasks. This provides strong isolation for a multi-tasking system but adds overhead. The configuration must be managed in privileged mode to prevent a malicious task from granting itself unauthorized access.
Comparison with an MMU
While both manage memory access, an MPU is distinct from a full Memory Management Unit (MMU):
- MPU (Memory Protection Unit): Enforces protection only. It works with physical addresses, has a small number of fixed regions, and lacks address translation. It is lightweight, deterministic, and standard on Cortex-M series MCUs for real-time systems.
- MMU (Memory Management Unit): Provides protection + virtualization. It translates virtual addresses to physical addresses via page tables, supports demand paging, and enables complex operating systems like Linux. It is more powerful but has higher latency and complexity. For TinyML on microcontrollers, the MPU's deterministic, low-overhead protection is ideal.
Role in System Security Architecture
An MPU is a foundational hardware-enforced security control within a defense-in-depth strategy for embedded systems:
- Fault Containment: Isolates a fault or malicious activity within a single task or subsystem, preventing a full system compromise.
- Trusted Computing Base (TCB) Minimization: Protects the integrity of the secure kernel and cryptographic libraries from buggy or compromised application code.
- Enabler for Secure Coding: Allows the use of an RTOS with kernel/user space separation even on resource-constrained devices, moving beyond a monolithic, all-privileged firmware model. It is often used in conjunction with other hardware features like ARM TrustZone-M to create a robust security perimeter.
Implementation in TinyML Systems
In TinyML deployments, the MPU safeguards critical assets on the microcontroller:
- Model Integrity: The trained neural network model weights in flash or RAM can be placed in a read-only, executable region for the inference engine, preventing accidental or malicious corruption.
- Sensor Data Isolation: Raw sensor input buffers and pre-processed feature vectors can be assigned to regions accessible only by the specific data pipeline tasks.
- Secure Communication Buffers: Regions holding cryptographic keys or data for secure updates (OTA) can be made inaccessible to the main application tasks.
- Real-Time Guarantees: By preventing memory corruption, the MPU helps maintain the deterministic timing required for real-time sensor sampling and inference loops.
How a Memory Protection Unit Works
A Memory Protection Unit (MPU) is a hardware component in a microcontroller that enforces memory access rules, preventing unauthorized code from reading from or writing to specific regions of memory to isolate and protect critical system software.
A Memory Protection Unit (MPU) is a hardware component within a microcontroller's memory management system that enforces access permissions for distinct memory regions. It operates by defining a set of programmable protection regions, each with configurable attributes for base address, size, and access rights (e.g., read-only, execute-never). During runtime, the MPU's hardware logic intercepts every memory access from the CPU core, checks it against the active region rules, and triggers a memory management fault for any violation, halting unauthorized execution. This hardware-enforced isolation is fundamental for creating privilege separation between a secure kernel and untrusted application tasks, a core requirement in Trusted Execution Environments (TEEs) and secure embedded systems.
In TinyML deployment, an MPU is critical for securing sensitive model parameters, inference data, and cryptographic keys stored in SRAM or flash. By configuring the MPU to mark the memory region containing a neural network's weights as execute-only or read-only from user space, it prevents a compromised application from extracting or tampering with proprietary intellectual property. Furthermore, it can isolate the intermediate activation buffers of a running model, guarding against data leakage. This hardware-based containment works in concert with other security primitives like Secure Boot and a Hardware Root of Trust to establish a robust defense-in-depth strategy for resource-constrained IoT devices, ensuring deterministic protection without the overhead of a full Memory Management Unit (MMU).
MPU vs. MMU: A Comparison for Embedded Systems
A technical comparison of Memory Protection Units (MPUs) and Memory Management Units (MMUs), highlighting their architectural differences, capabilities, and typical use cases in resource-constrained embedded and TinyML systems.
| Feature / Characteristic | Memory Protection Unit (MPU) | Memory Management Unit (MMU) |
|---|---|---|
Primary Function | Enforces access permissions (read/write/execute) for fixed memory regions. | Performs address translation (virtual to physical) and enforces access permissions. |
Address Space | Single, flat physical address space. | Virtual address space, isolated per process or task. |
Memory Region Granularity | Coarse, fixed number of regions (e.g., 8-16). Region size is a power of two with alignment constraints. | Fine-grained, using page tables. Page size is configurable (e.g., 4KB, 64KB). |
Dynamic Memory Management | ||
Hardware Cost & Complexity | Low. Minimal logic, small silicon area, low power overhead. | High. Requires Translation Lookaside Buffer (TLB), page table walk logic, higher power. |
Real-Time Determinism | High. Region checks are simple and predictable. No TLB miss penalties. | Variable. Subject to TLB miss penalties and page table walks, which introduce non-deterministic latency. |
Task/Process Isolation | Limited. Provides spatial separation but within a single address space. Context switching requires MPU re-programming. | Strong. Full address space isolation per process. Context switch updates base register (e.g., TTBR0). |
Use Case Typicality | Real-Time Operating Systems (RTOS), safety-critical firmware, microcontroller-based TinyML inference engines. | General-Purpose Operating Systems (Linux, Android), application processors running complex software stacks. |
Required Privilege Levels | Often uses 2 privilege levels (e.g., Privileged/Unprivileged modes in ARM Cortex-M). | Leverages full privilege hierarchy (e.g., EL3/EL2/EL1/EL0 in ARMv8-A). |
Example Architectures | ARM Cortex-M series (M3, M4, M7, M33, M55), RISC-V with PMP/ePMP. | ARM Cortex-A series, x86, RISC-V with Sv32/Sv39 paging. |
MPU Use Cases in TinyML & Embedded AI
A Memory Protection Unit (MPU) is a critical hardware component for securing resource-constrained devices. In TinyML systems, it enforces strict memory boundaries to protect models, data, and system integrity.
Model & Data Integrity Protection
The MPU enforces read-only access to critical memory regions, preventing unauthorized code from corrupting the deployed machine learning model's weights and architecture. It also isolates sensor input buffers and inference output buffers, ensuring raw data and results cannot be tampered with by other application tasks. This is foundational for guaranteeing the deterministic behavior of a production TinyML pipeline.
Fault Containment & System Resilience
In complex embedded applications, a bug in one task (e.g., a communication driver) must not crash the entire system. An MPU isolates task memory (stack, heap, data) into separate, unprivileged regions. A memory access violation triggers a precise hardware fault exception, allowing the Real-Time Operating System (RTOS) to terminate only the faulty task while the core TinyML inference engine and other critical services continue uninterrupted.
Enforcing Least Privilege
The MPU is used to implement a hardware-enforced privilege model. Critical kernel and security services execute in a privileged mode with full memory access. Application tasks, including the TinyML inference thread, run in an unprivileged user mode with access only to their explicitly allocated memory regions. This prevents a compromised inference task from accessing cryptographic keys, secure boot parameters, or other tasks' data, drastically reducing the attack surface.
Secure Multi-Tenancy on a Single Core
For devices hosting software from multiple vendors or running isolated workloads (e.g., a proprietary ML model alongside a customer's application logic), the MPU creates hardware-enforced partitions. Each tenant's code and data are confined to distinct, non-overlapping memory regions. This enables secure IoT edge scenarios where a sensor analytics model from one provider is logically separated from device management firmware from another, all on a single, cost-effective microcontroller.
Guard Against Code Injection & ROP Attacks
The MPU mitigates common software exploitation techniques. It can mark the .text (code) section as execute-only (XO) or read-only (RO), preventing an attacker from writing malicious shellcode into executable memory. It can also mark the stack and heap as non-executable (XN), thwarting attempts to run injected code from these data areas. This is a key defense in devices that parse complex network packets or file formats.
Integration with Secure Boot & TEE
The MPU is a foundational element in a layered security architecture. After Secure Boot verifies the initial firmware, the MPU is configured to protect the bootloader and root-of-trust code. In systems with ARM TrustZone-M, the MPU defines memory access rules for both the Secure and Non-secure worlds, acting as the hardware gatekeeper for the Trusted Execution Environment (TEE) where sensitive ML model parameters or keys might be stored.
Frequently Asked Questions
A Memory Protection Unit (MPU) is a critical hardware security component in microcontrollers. These questions address its core functions, implementation, and role in securing TinyML deployments.
A Memory Protection Unit (MPU) is a hardware component within a microcontroller's memory system that enforces access rules for different regions of memory. It works by configuring a set of programmable protection regions or background regions that define the accessibility—such as read, write, and execute permissions—for specific address ranges. The MPU sits between the processor core and the memory bus, intercepting every memory access attempt. When the processor or a bus master (like a DMA controller) attempts to access an address, the MPU checks the request against the active region's rules. If the access violates the permissions (e.g., an untrusted application tries to write to a kernel memory region), the MPU triggers a memory management fault (MemManage fault), halting the unauthorized operation and protecting critical system software and data from corruption or theft.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Memory Protection Units (MPUs) are a foundational hardware security component. They operate within a broader ecosystem of embedded security technologies designed to protect devices, data, and system integrity.
Trusted Execution Environment (TEE)
A Trusted Execution Environment (TEE) is a secure, isolated area of a main processor that provides a protected space for the execution of sensitive code and the handling of confidential data, separate from the device's standard operating system. While an MPU enforces memory access rules, a TEE creates a complete, hardware-isolated execution environment.
- Isolation: Uses hardware features to create a 'Secure World' separate from the 'Normal World' OS.
- Use Case: Protects cryptographic operations, secure boot sequences, and payment credentials.
- Example: ARM TrustZone technology is a widely implemented TEE for Cortex-M and Cortex-A processors.
Secure Boot
Secure Boot is a hardware-enforced security mechanism that ensures a microcontroller executes only cryptographically signed and verified firmware during its initial startup sequence. It establishes a chain of trust from immutable hardware (Root of Trust) up through the operating system.
- Process: Each stage of the bootloader verifies the digital signature of the next stage before loading and executing it.
- Integrity: Prevents the execution of malicious or tampered firmware.
- MPU Synergy: After Secure Boot completes, the MPU is often configured to protect the now-verified code and data regions from runtime attacks.
Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a dedicated, tamper-resistant physical computing device that safeguards and manages digital keys, performs cryptographic operations, and provides a root of trust. Compared to an MPU, which is a protection unit, an HSM is an active cryptographic unit.
- Dedicated vs. Integrated: Can be a discrete chip or a certified core integrated into a System-on-Chip (SoC).
- Key Functions: Secure key generation, storage, and use; acceleration of encryption/decryption; digital signing.
- Application: Used in high-assurance scenarios like automotive, payment terminals, and government ID systems.
Control Flow Integrity (CFI)
Control Flow Integrity (CFI) is a software security mechanism that protects against control-flow hijacking attacks (e.g., Return-Oriented Programming) by ensuring a program's runtime execution flow adheres to a pre-determined, legitimate control-flow graph. It complements MPU's data and code region protection.
- Mechanism: Inserts runtime checks before indirect branch instructions (like function pointers) to validate the target address.
- Defense: Thwarts exploits that aim to redirect program execution to malicious code.
- Embedded Use: Lightweight, compile-time CFI schemes are increasingly important for securing firmware on constrained devices.
Platform Security Architecture (PSA)
Platform Security Architecture (PSA) is an ARM-led industry framework that provides a holistic set of threat models, security specifications, and open-source firmware to enable the design of secure, connected devices from the ground up. It defines how components like MPUs, TrustZone, and Secure Boot should work together.
- Components: Includes threat models, security API specifications (PSA Certified APIs), and reference firmware (Trusted Firmware-M).
- Goal: Standardizes a security baseline for IoT and embedded devices across the silicon ecosystem.
- MPU Role: PSA specifications mandate and provide templates for MPU configuration to isolate trusted firmware from application code.
Lightweight Cryptography
Lightweight Cryptography refers to a class of cryptographic algorithms—including ciphers, hash functions, and authentication protocols—specifically designed for implementation on constrained devices. They feature small code size, low RAM usage, and minimal computational overhead.
- Standards: NIST has standardized algorithms like ASCON for authenticated encryption and hashing, designed for microcontrollers.
- Trade-off: Optimizes for resource efficiency while maintaining a rigorous security margin suitable for embedded applications.
- System Context: These algorithms are often the ones executed within memory regions protected by an MPU or inside a TEE.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us