Part of the Chip Design Magazine Network


Deeper Dive – Software Attacks

By Caroline Hayes, Senior Editor

Big Brother is no longer suspected of watching you – it’s more likely to be a technology corporation. In response, system level designers have made the security of data and content a prime objective in our connected lives.

Following the acquisition of WhatsApp by Facebook, one commentator questioned the real reason for the inflated sum paid for the mobile messaging service. (Facebook paid $16 billion with $3 billion reserved shares for executives, although Google offered just $1 billion for the company last year.)

StJohn Deakins, founder of the soon-to-be-launched citizenme, described as a personal, digital identity guardian, believes that the value of WhatsApp lies in the information and content shared by its 450 million members. “Currently, WhatsApp can change terms and conditions at any time, without notifying users… Meanwhile, Facebook already has a very broad copyright license on people’s content and already shares [users’] data with many other services”. He continues: “Social data is being concentrated into silos – Facebook also bought Instagram for $1bn…Yahoo bought Tumblr, Google purchased YouTube and Android – all these acquisitions are really about buying customers, and therefore, buying data…It’s not just the network that is being sold, it’s our data that really makes the purchase, as they combine it with all the other personal data they already hold about us”.

The Internet of Things is accelerating the pace of connectivity for a range of devices, whose peripherals can be vulnerable to attack through hardcoded passwords, insecure APIs (Application Programming Interfaces) and third-party service integrations.

Many companies are integrating ARM TrustZone technology for embedded security in mobile and connected devices. ARM’s Rob Coombs believes that system designers need to think about software attack from the outset. “Security needs to be designed into the hardware with roots of trust and secure boot and then build outwards from there. Typically a specialized secure Trusted OS is needed to provide secure services that live in hardware isolation to the main code. In ARM designs the Trusted OS normally exists in the Secure World that TrustZone architecture provides”.

He explains that the TrustZone operating system, the TEE (Trusted Execution Environment), provides a Trusted World secure state, or the highest level of TrustZone security, EL3 (Exception Level 3), in the ARMv8 architecture. The TEE works with conventional operating systems, such as Android and Linux. Security extensions allow the system to be physically partitioned into secure and non-secure elements; isolating them protects the system, as the operating system cannot directly access secure memory or peripherals.

TrustZone also offers system security features not available to the hypervisor: for example, it supports secure debug and secure bus transactions, and takes secure interrupts directly for trusted inputs.

Isolating secure application code and data from normal operations adds a secure state, only allowing secure code to be executed or secure addresses to be accessed from the memory or secure peripherals.

Coombs makes the case that a TrustZone-based TEE can provide robust security with little effect on design and manufacturing costs. A monitor mode acts as a gatekeeper to control access: malicious software, for example, will not be able to address any secure assets of executable code.

It also places an additional bit on the AXI (Advanced eXtensible Interface) system bus. This NS (Non-Secure) bit indicates the processor state (i.e. TEE, or non-secure in normal operation) when the transaction is requested. Other bus masters can make a secure transaction or restrict them. Peripherals can be statically configured to be secure or non-secure, or an ARM TrustZone Protection Controller can be used to configure them dynamically to be accessible by the Trusted World level or the Normal World. The NS bit also secures peripherals. If taken off-chip, all transactions from external masters (i.e. RAM, fuses or I/O) can only be controlled by on-chip bus masters. Coombs elaborates: once exposed and with access to the rest of the AXI system bus, there is no line exposed to force secure address access. By this NS bit mechanism, external devices cannot access secure assets on-chip.

Ideally, JTAG and trace debug should be disabled in the production process. JTAG could compromise security by allowing the inspection of memory or arbitrary code execution, while trace debug could leak information.

Selecting I/O peripherals either dynamically or as part of the design of the IC allows secure input, secure display or secure storage. The Protection Controller can execute a request from the Normal World software to dynamically change a peripheral from being accessible by the Normal World state, to a secure one. The trusted application receives a PIN entry and secure text which cannot be physically accessed by software running in the Normal World. Alternatively, an interface to a storage device can be encrypted by the Trusted World and the data stored in the Normal World. Paths for audio and video can be similarly configured for secure decoding and display.
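A minimal C model of the NS-bit check and the Protection Controller's dynamic reassignment of a peripheral for PIN entry, as described above. It is an added illustration, not code from ARM or from the article; the enum names, the peripheral set and the rule that only a secure transaction may reprogram the controller are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not an ARM register. */
enum periph { PERIPH_KEYPAD, PERIPH_DISPLAY, PERIPH_UART, PERIPH_COUNT };
enum master { MASTER_CPU_SECURE, MASTER_CPU_NORMAL, MASTER_EXTERNAL };

/* Protection Controller state: true = peripheral is secure-only. */
static bool periph_secure[PERIPH_COUNT];

/* NS bit carried with each transaction. Only the CPU in its secure state
 * issues NS=0; an off-chip master has no line with which to drive NS low. */
static bool ns_bit(enum master m) { return m != MASTER_CPU_SECURE; }

/* Bus-side check: a non-secure transaction to a secure peripheral is refused. */
bool bus_access(enum master m, enum periph p)
{
    return !(ns_bit(m) && periph_secure[p]);
}

/* Assumption: reprogramming the controller is itself a secure-only operation,
 * so Normal World can request a change but cannot perform it. */
bool tzpc_set_secure(enum master m, enum periph p, bool secure)
{
    if (ns_bit(m))
        return false;
    periph_secure[p] = secure;
    return true;
}

/* PIN-entry flow: claim the keypad, use it, release it. Returns true when
 * Normal World and external masters were locked out for the secure window. */
bool secure_pin_entry(void)
{
    bool isolated;
    if (!tzpc_set_secure(MASTER_CPU_SECURE, PERIPH_KEYPAD, true))
        return false;
    isolated = !bus_access(MASTER_CPU_NORMAL, PERIPH_KEYPAD)
            && !bus_access(MASTER_EXTERNAL, PERIPH_KEYPAD)
            && bus_access(MASTER_CPU_SECURE, PERIPH_KEYPAD);
    tzpc_set_secure(MASTER_CPU_SECURE, PERIPH_KEYPAD, false);
    return isolated;
}

int main(void)
{
    printf("normal reads keypad before claim: %d\n", bus_access(MASTER_CPU_NORMAL, PERIPH_KEYPAD));
    printf("normal reprograms controller:     %d\n", tzpc_set_secure(MASTER_CPU_NORMAL, PERIPH_KEYPAD, false));
    printf("keypad isolated during PIN entry: %d\n", secure_pin_entry());
    return 0;
}
```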

According to Coombs, the virtualization extensions and secure processor cores of TrustZone provide a secure base for SoC (System on Chip) designs “that simply cannot be matched by a PC-based design” while facing the main threat of networked mobile devices: software attack.
