Semiconductor Engineering, Nov. 10, 2015 – Progress is being made on all fronts for securing IoE hardware and some of the software.
After nearly two years of talking about how security is one of the biggest problems facing the IoE, progress is being made on a number of fronts.
The changes involve many companies, both individually and collaboratively through standards groups. And while none of this will stop the kind of high-profile breaches that affected Target, Home Depot, JPMorgan Chase or a long list of other giants, these efforts will help keep the foundational hardware portion of those databases and point-of-sale systems more secure and prevent it from becoming an entry point for future illicit activity.
On the hardware side, one of the key considerations has been data paths. There are many ways into the hardware, but not all of them have to be secure all the time. Figuring out which paths need to be secured, and which ones don’t, sounds as if it should be relatively straightforward. The choices aren’t that simple, though.
“The question is always where do you put the path,” said Rob Aitken, an ARM fellow. “You want to encrypt when you go on or off that path. If you have a multicore architecture and you encrypt all of that, it becomes a nightmare. But there’s one other piece here, which is the TrustZone concept. There are things that need to be secure and things that don’t. So your PIN needs to be encrypted, but not everything in the IoT does. If you have a smart light bulb gateway, you only want to encrypt when you are sending data everywhere. That affects how you want to do the computing, whether it’s locally or off-chip.”
Charlie Cheng, CEO of Kilopass, agrees: “The historically tried-and-true solution has always been to separate the control plane and data plane. The narrow and long control plane doesn’t really have to slow down the data plane. This is a different architecture from the entry/exit of a building.”
While work has been going on for the past 24 months, it’s only in the past 12 months that there has been a growing awareness and acceptance that something has to be done at all levels. This coincides with the growing number of smart and connected devices in many markets, not to mention a recognition that if breaches continue at the same rate, it’s going to be much harder to sell smart devices to consumers and businesses.
“It’s getting to the point where security is something people are paying attention to,” said Manas Saksena, senior director of technology and product marketing for the IoT group at Marvell. “With the Internet of Things, it all starts with the SoC. Once the product ships, the only thing that should be allowed to run are things that are trusted. That requires secure boot, keeping keys inside the chip, public key cryptography and encryption. Once all of those are in the base platform, you can add security on top of that. So you can keep credentials for the network and the cloud, which must be encrypted, and you can make sure communications are secure so you don’t get any ‘man in the middle’ attacks.”
Saksena said that after that, security is well defined through Transport Layer Security (TLS) and within the cloud.
The irony here is that the segments with the most advanced techniques and the longest history of protecting data, namely data centers and secure networks, are where the biggest security breaches have occurred. Hardware is much more difficult to hack than software, although it is easier to counterfeit and sell once it is hacked. Typical hardware attacks are side-channel attacks, such as differential power analysis, which statistically correlates a chip’s power consumption with the secret it is processing, and invasive physical attacks, in which the package is ground or etched away to expose the die and probes are placed on it either to monitor internal signals or to gain control of the chip’s clocks.
One approach taken by many security managers at major corporations is to track these attacks. They know attackers will attempt to gain access wherever there is valuable information, but they don’t know exactly how. As soon as there is any unusual traffic or behavior, they can pinpoint it and track the attacker’s next moves. That worked well initially, but attackers are now so advanced and well funded that their footprint is extremely small and the code they use is efficient enough to be hard to discern. There also can be months or even years between the time malicious code is inserted and when it is activated.
The newer approach is to isolate sensitive data in systems where data paths do not intersect and to monitor any access to that data much more closely, isolating it from the enormous quantity of data that flows through a data center.
More standards are being developed alongside these new strategies. The open-standards group prpl Foundation has developed a new framework, which will undergo peer review over the next month, focusing on a root of trust, secure boot and a completely separate data path for that boot-up, based on a type-1 hypervisor.
What differentiates a type-1 hypervisor from a type-2 (hosted) hypervisor is that it runs directly on the hardware, with no host operating system beneath it, which is what lets it be the first thing verified at boot. A number of vendors now offer type-1 hypervisors, including Mentor Graphics, Oracle, Microsoft and VMware, as well as the Hellfire framework.
“We’re going to brand this as open security,” said Cesare Garlati, chief security strategist for the prpl Foundation. “The way this works is nothing kicks in before the hypervisor. You can manage this with microcode in the SoC. In the first stages of the boot, it’s just the hypervisor. If it’s not signed off on by a trusted entity, then the system does not boot. Managing security is about managing risk, and the best way to deal with that is layered security. There are many security solutions at the upper level in the Cloud, but they have been missing in low-level hardware.”
The prpl Foundation was originally started to support the MIPS architecture, but its framework is open and its member roster includes companies ranging from Qualcomm and Broadcom to Elliptic (now owned by Synopsys) and Lantiq (now owned by Intel).
“This is becoming more and more of a short-term urgency with the IoT and connected devices,” said Garlati. “Potentially, it is about people getting killed with planes, cars and even firearms. Hacking is more and more about warfare. There are more pilots who fly drones than actual jets these days. With a $20 system, you can send wireless activity to disrupt that, broadcasting over 2G as a text message.”
The IEEE is working on security, as well, addressing everything from split manufacturing to physically unclonable functions. There are currently a number of working groups in this area, ranging from malware to a group developing an architectural framework for the IoT. In short, this has become an industry-wide imperative because security is one of the most cited issues with the IoT/IoE. The number of companies involved in these efforts is growing.
Securing the whole supply chain
While most companies think about the supply chain as physical pieces, increasingly that includes embedded software, firmware, soft IP and over-the-air updates. Counterfeiting has been largely focused on the physical parts, which is a risk because of the potential for adding back doors. But the other parts pose an equal or greater threat.
Warren Kurisu, director of product management for runtime solutions at Mentor Graphics, points to three states of data—at rest, at work and in transit. He said one solution is a hardware-enforced security partition, where the sensitive information is completely walled off in a separate area from the other functions. This follows the key data path approach, but it also allows updates across the other parts to keep it current.
“There is wired and wireless support, and you can add ARM TrustZone separation in,” Kurisu said. “This is critical for industrial customers and it’s critical for medical.”
Mentor has designed a secure gateway that includes secure boot, anti-tamper technology and cryptographic protection. Outside the protected device is a secured device, which is guarded by a firewall, mutual attestation and access control. That, in turn, is safeguarded by a managed device, which adds secure firmware updates, management agents and ARM’s TrustZone. Updates must pass through multiple layers of security just to begin, and further layers keep them from reaching deeper into the device.
Fig. 1: Mentor Graphics’ layered approach to a secure gateway.
Nothing is ever completely safe, but the more security layers and the harder it is to get into a device, the lower the ROI for hackers. If the hardware is secure enough, the risk of a breach moves to the next level, which is over-the-air updates. And even that is getting attention these days.
“With over-the-air updates, you have to authenticate the server and make sure you are talking to who you think you’re talking to. So you can authenticate the server or an image. That image is kept confidential and transferred over a secure channel. And all of it is encrypted.”
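As an added example (not code from the article, nor from Mentor, Marvell or any other vendor quoted here), the following Go program ties together the elements Saksena lists earlier, secure boot, keys kept inside the chip and public-key verification, with the over-the-air update requirements just described: the image is authenticated with a vendor public key that stands in for one burned into the chip, kept confidential under a device key that never leaves the chip, and refused if it is older than what is already installed. The Chip type, the image layout and the keygen provisioning step are hypothetical constructions for this example; authenticating the update server itself (over TLS) is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Chip models an SoC's root of trust (constructed model, not any vendor's part):
// vendorPub stands in for a key burned into ROM/OTP, dec for a device key that
// never leaves the chip, counter for a monotonic anti-rollback counter.
type Chip struct {
	vendorPub ed25519.PublicKey
	dec       cipher.AEAD // AES-256-GCM under the device key
	counter   uint32      // highest version ever installed
}

// Hypothetical image layout: version(4, LE) | nonce(12) | ciphertext | sig(64).
// The signature covers everything before it, so the version is authenticated too.
const hdrLen, sigLen = 4 + 12, ed25519.SignatureSize
var (
	ErrTooShort   = errors.New("image truncated")
	ErrBadSig     = errors.New("image not signed by the trusted vendor key")
	ErrRollback   = errors.New("image version not newer than installed version")
	ErrBadPayload = errors.New("payload failed decryption/authentication")
)

// keygen provisions a vendor signing key pair and an AEAD handle for a random
// 32-byte device key (in production injected at the fab, not generated here).
func keygen() (ed25519.PublicKey, ed25519.PrivateKey, cipher.AEAD) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return pub, priv, gcm
}

// BuildImage is the vendor (build-server) side: encrypt the payload under the
// device key, then sign the whole image with the vendor's private key.
func BuildImage(signPriv ed25519.PrivateKey, enc cipher.AEAD, version uint32, payload []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen) // version followed by a fresh random nonce
	binary.LittleEndian.PutUint32(hdr, version)
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	// The version is GCM additional data, so swapping it also breaks decryption.
	img := append(hdr, enc.Seal(nil, hdr[4:], payload, hdr[:4])...)
	return append(img, ed25519.Sign(signPriv, img)...), nil
}

// VerifyAndInstall is the device side. Order matters: verify the signature before
// trusting any field, then enforce anti-rollback, then decrypt; commit nothing early.
func VerifyAndInstall(c *Chip, img []byte) ([]byte, error) {
	if len(img) < hdrLen+sigLen {
		return nil, ErrTooShort
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(c.vendorPub, body, sig) {
		return nil, ErrBadSig
	}
	version := binary.LittleEndian.Uint32(body[:4])
	if version <= c.counter {
		return nil, ErrRollback
	}
	pt, err := c.dec.Open(nil, body[4:hdrLen], body[hdrLen:], body[:4])
	if err != nil {
		return nil, ErrBadPayload
	}
	c.counter = version // advance the counter only after full success
	return pt, nil
}

func main() {
	pub, priv, dev := keygen()
	chip := &Chip{vendorPub: pub, dec: dev}
	img, _ := BuildImage(priv, dev, 2, []byte("firmware v2"))
	pt, err := VerifyAndInstall(chip, img)
	fmt.Printf("genuine v2: %q err=%v\n", pt, err)
	old, _ := BuildImage(priv, dev, 1, []byte("firmware v1")) // validly signed, but older
	_, err = VerifyAndInstall(chip, old)
	fmt.Println("downgrade:", err)
}
```

The ordering of checks is the point. The signature is verified over the entire image before any field is parsed, so a tampered or forged image is rejected before the version and ciphertext are even looked at; an image signed by the vendor but encrypted for a different device fails at decryption; and the anti-rollback counter advances only after decryption succeeds, so a failed install leaves the device where it was. A real device would keep that counter in non-volatile storage and would also need a plan for rotating the vendor key.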
ARM introduced a “snoop filter” earlier this year, which it is bundling with its latest interconnect technology. A snoop filter tracks which caches hold copies of a given line so that coherency traffic goes only where it is needed, which saves interconnect bandwidth, but the same tracking also can help with security, according to Neil Parris, senior marketing manager for ARM’s System and Software Group. Combining the two is important, because while the first reaction is to plug security holes, that has to be done in a way that doesn’t impact performance or the overall power budget. “ARM is spending a lot more time looking at the system these days,” said Parris.
Security is being designed into the latest hardware at the architectural stage in recognition that every part of a connected system needs to be resistant to breaches.
“Ultimately, all chips will have a base level of security,” said Charlie Janac, chairman and CEO of Arteris. “You will have a root of trust, which may include having employees in the fab while the chips are being made. There will be a hardware layer and a software layer, which includes cryptography, differential power analysis and digital rights management. But above the hardware, there is still a big security problem. And right now, there is no go-to security company. You want to have someone to take on the pain.”