By Caroline Hayes, Senior Editor
One of the joys of today’s electronic devices is that they are connected – endlessly connected. Anyone can tweet, engage in social media, share data, video, audio and graphic files wherever they happen to be. However, with the freedom of connectivity comes the vulnerability of security breaches.
The access to applications and interfaces can bring us closer together – but it can also leave devices, and their users’ data, vulnerable to exploitation, attack and theft.
The business risk
The rise of connected devices is exposing networks to security breaches and cyber-attacks. In industrial use, in automation networks for example, wireless network connections bring a serious threat of attack from malware, says IHS. It recalls the Stuxnet computer worm that hit industrial control systems in Iran. It was designed to subvert and engage in the surveillance of supervisory control and data acquisition systems made by German manufacturer Siemens.
As well as factory automation, many businesses, large and small, employ staff that bring their own devices to the workplace. The risk is that tablets and smartphones may lack sufficient security levels and expose a network, allowing hackers to access data or to spread malware through an international network.
The embedded revolution
Felix Baum, Senior Product Manager, Runtime Solutions, Mentor Embedded Software Division, agrees that unfettered connectivity is a double-edged sword. “We find ourselves in the midst of an embedded market undergoing revolutionary change. Unlike devices of yesterday that had limited access to the Internet and were mostly purpose-built, today’s embedded devices, with more powerful processing power and numerous built-in connectivity options, run on Linux and/or other modern operating systems side-by-side, which allows these devices to extend features and functionality via upgrades by device manufacturers or by downloaded third party applications. These embedded devices are capable of handling massive amounts of data of increasing value such as personal health records and banking/credit credentials, putting them in a position of high risk to be exploited,” he warns.
Most attacks on embedded devices exploit vulnerabilities in software (for example, where Linux and another operating system run side-by-side), weaknesses in hardware interfacing, multi-tasking and timing, or Internet access via the connectivity options, rather than general data processing or network security issues.
Addressing these issues, Baum expands on what Mentor Graphics offers in the way of embedded protection for today’s and the next generation of embedded, mobile devices. The company’s portfolio spans general-purpose operating systems, such as Mentor Embedded Linux, to the RTOS (Real-Time Operating System) Nucleus, an OpenSSL-based solution, with security facilities, such as encryption protocols and a set of algorithms for security. It supports cryptographic APIs (Application Programming Interfaces) and the AES (Advanced Encryption Standard) 128 and AES 256, DES (Data Encryption Standard), 3DES (Triple DES), Blowfish and CAST-128 ciphers.
“These operating systems undergo network penetration testing, offer customers the ability to run kernel and application code in separate isolated areas and offer encryption capabilities. When a design relies on the multi-core ARM devices, customers can utilize the Mentor Embedded Hypervisor for additional separation and isolation capabilities to enhance design robustness. The Hypervisor also fully supports ARM TrustZone technology allowing designers to protect sensitive data and code by placing them into Secure World”.
Prevention is better than cure
Rob Coombs, Security Systems Marketing Director, ARM, considers a little forethought will go a long way. “Security engineering is a specialized topic where developers need to think about how a malicious adversary would attack the system, not just “does it work”. Typically a specialized secure Trusted OS is needed to provide secure services that live in hardware isolation to the main code. In ARM designs the Trusted OS normally exists in the Secure World that TrustZone architecture provides,” he says.
For Coombs, the process begins with consideration for where an attack may come from. “System designers benefit from thinking from the start how they are going to protect the system from software attack. Security needs to be designed into the hardware with roots of trust and secure boot and then build outwards from there”.
Consumers and business people alike will not give up their connected worlds, so what can be done to design safe, secure embedded devices?
Both Baum and Coombs agree that a holistic approach is necessary. For Baum, this includes hardware, software and the development process “to develop robust and reliable devices. Only by doing so, will they be able to ensure that the chain of trust is not broken,” he says. When devices are booted into a trusted state and application code has been authenticated, they provide some security, he says.
The same holistic approach is advised by Coombs. He points out that the problem with mobile devices is that their very nature means that they are made up of elements that need security yet are accessed by other parties. For example, a cell phone’s SIM (Subscriber Identity Module) will be provided by the OEM, which may need to access the operating system and other secure elements for holding keys and performing system integrity checks. Making the secure elements tamperproof resists physical attacks.
“ARM has a four compartment model of security providing a hierarchy of trust. System designers can decide which assets are best protected in which compartment e.g. hypervisor or TrustZone based TEE (Trusted Execution Environment)”. Coombs describes the latter as an important component in delivering secure services and applications.
The first compartment is Normal World – or user/system mode (as opposed to the Trusted World). This is where processes or applications are isolated from each other by the operating system and the MMU (Memory Management Unit). Each process has its own addressable memory, a set of capabilities and permissions, administered by the operating system kernel, which executes with system-level privilege.
Another weapon in the security armor is Hypervisor Mode, where multiple instances of the same or different operating systems execute on the same processor as virtual machines. Each virtual machine can be isolated, with a system MMU used to virtualize other bus masters. By separating them, resources and assets in each virtual machine can be protected from the others.
In the Trusted World secure state, the company’s TrustZone security extensions allow the system to be physically partitioned into secure and non-secure components. Again, this serves to isolate assets and ensures that software cannot directly access secure memory or secure peripherals.
Finally, the SecurCore processors enable physically separate, tamperproof ICs, delivering secure processing and storage that is protected against physical attack or loss through improperly secured devices, and also protection from software attack.
Given all these elements, how can designers balance speed and accuracy in system design? Coombs again points to TrustZone, by which SoC designers can be guided to select the security hardware features needed to address different markets. “ARM Trusted Firmware provides an open source base of critical low level code that the industry can align with. Other security code can then be ported on top”. The benefits of this are reduced time to market and reduced fragmentation, says Coombs, as well as easier porting of Secure World software and the ability to support new features in the latest 64-bit platforms.
The next stage is to look to the future. I asked what can be done to future-proof designs for authentication. “ARM has recently joined the FIDO (Fast Identity Online) Alliance and views it as a good place to create a verification framework that works for website owners and device manufacturers,” says Coombs. “A TrustZone based TEE can support secure peripherals (such as a touchscreen) and this can be integrated to create a strong authentication of person and device.
“For Crypto and key stores this is ideally managed from the TrustZone-based TEE to provide hardware isolation from malicious code. If the TEE provider offers Over The Air provisioning of Secure World code then updates can be delivered to future-proof the design”.