arm platform security architecture · psa tbsa test kit • psa aims to make security easier and...

Arm Platform Security Architecture - One year on

Chet Babla, VP Solutions, IoT Device Line of Business

Copyright © 2018 Arm, All rights reserved.


Post on 29-Feb-2020


Page 2

IoT – Still the Wild West?

• Unregulated, no common standards

• Inconsistent approach to security

• Immature and fragmented end markets with diverse requirements

• Trusted data?

[Image labels: Mirai Botnet DDoS attack; Jeep Hack; Owlet Baby Monitor; Abbott Pacemaker]

Page 3

The IoT security challenge

Complex value chain with inconsistent & untrusted device security and fragmentation for developers.

[Diagram labels: IoT service user; Cloud service; OEM; OS; SIP; Mbed Cloud; FreeRTOS, Mbed OS, ThreadX]

Page 4

Trends impacting security today

Political trends

• Cyber-security becomes a key area of focus

• Government legislation

Economic trends

• Early Adopters get a head start

• Regulatory compliance will be prime influencer

Technology trends

• More targets, more accessible

• AI Automation / quantum computing battle

Social trends

• Digital safety vs online security

• There will be more high profile security hacks and attacks

Page 5

The facts about IoT security

• The challenges of IoT security are growing

• IoT security trends are becoming more complex

• There are four main types of attack to protect against

• Arm can help simplify IoT Security

Page 6

Security is a part of Arm’s DNA

Arm IP covers a variety of attack surfaces

[Timeline labels, 2004 to 2018…: Arm CryptoCell; TEE for Cortex-A; Cortex-A with TrustZone; SecurCore; Secure Enclave / CryptoIsland; iSIM technology; Kigen family; PSA launched; PSA threat models; PSA TF-M; Armv8-M processors: Cortex-M23/M33 with Arm TrustZone; Arm security manifesto; Mbed; Physical security enhancements; PSA APIs; PSA specifications]

Attack surfaces:

• Physical vulnerabilities

• Communication vulnerabilities

• Lifecycle vulnerabilities

• Software vulnerabilities

Page 7

Arm’s Vision For IoT Security

Key IoT security considerations

1. Security needs to be built-in from the ground up

2. A collective industry responsibility

3. Security needs to be simple, with seamless integration

Providing a framework to ensure consistent security

Platform Security Architecture (PSA) is the perfect starting point

Page 8

Platform Security Architecture - The perfect security starting point

A common foundation, ensuring common security best practice endorsed by the Arm ecosystem

Reduce your ongoing costs and time-to-market for security with a set of holistic security deliverables

Ensure success and confidence in your designs

Page 9

Platform Security Architecture

Consistently design-in the right level of security, economically

Page 10

PSA Analysis Stage

Assess the potential vulnerabilities

• Software: buffer overflows, interrupts, malware

• Physical: non-invasive, invasive

• Lifecycle: code downgrade, ownership changes, unauthorized overproduction, debug hacks

• Communication: man-in-the-middle, weak RNG, code vulnerabilities

Analysis - the first line of defence

Page 11

Analysis - threat models

Analysis leads to requirements

Understanding Security Requirements is an essential first step

Steps: System description, Assets, Threats, Security objectives, Security requirements

Example

• Asset: metering data to be protected in integrity & confidentiality

• Threat: Remote SW attacks

• Security objective: Strong Crypto

• Security requirement: Hardware based key store

Page 12

Architect - PSA docs now public!

PSA builds on a foundation of security architecture documents – now available

• Security Model

• Firmware Framework

• Firmware Update

• Hardware Requirements (TBSA-M v2)

Page 13

Implement – TF-M open source project

An open source project for rapid implementation

Trusted Firmware-M

• Reference firmware for PSA architecture spec

Targeting M-profile SoCs (Initially Armv8-M)

Available on www.trustedfirmware.org

Arm Mbed OS will include an implementation of PSA

Used by Mbed TLS, Pelion Device Mgmt & Mbed OS

Components being introduced now to future Mbed OS releases

Page 14

Implement - mitigating with Arm IP

PSA Analysis Stage

Assess the potential vulnerabilities

• Software: buffer overflows, interrupts, malware

• Physical: non-invasive, invasive

• Lifecycle: code downgrade, ownership changes, unauthorized overproduction, debug hacks

• Communication: man-in-the-middle, weak RNG, code vulnerabilities

Mitigations

• Physical mitigation: Arm SecurCore, Arm Cortex-M35P, CryptoCell-312P, CryptoIsland-300P

• Software mitigation: Arm TrustZone, CMSIS-ZONE, Arm Keil MDK and Arm processors with TrustZone support

• Lifecycle mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform, Arm CoreLink SDC-600

• Communication mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform

Page 15

PSA Security Model – 10 Goals

A device should support:

1. Unique instance ID

2. Attestation e.g. Entity Attestation Token

3. Secure Storage

4. Secure Boot

5. Isolation of ROT Services

6. Secure update process

7. Validation of updates

8. Anti-rollback feature

9. Security lifecycle supported with attestation

10. TRNG and Nonce services

Page 16

PSA APIs and API test kits

For a consistent developer experience

PSA Developer API

PSA Firmware Framework API

PSA TBSA test kit

• PSA aims to make security easier and quicker for IoT developers – this requires a consistent API across solutions

• Arm is delivering a set of APIs and compliance kits enabling the industry to address the IoT security challenge

• APIs and API test kits now becoming public (Beta in January)

[Diagram labels: Crypto; Secure Storage; Attestation]

Page 17

PSA: one year on

A growing list of PSA ecosystem partners

Trusted Firmware board founded and TF-M software released

Threat Modelling examples made public

All PSA documentation and specifications made public

PSA recognized as key security initiative

PSA APIs and API testing kits announced

Page 18

Security is a shared responsibility – PSA partners

Silicon Cloud Software Security Systems

Page 19

PSA summary – making security easier

• PSA makes security easier to implement through a common architecture

• In the last 12 months we have delivered on threat models, open source & architecture documents

• We recently announced the PSA APIs and API testing kits to help build an ecosystem

• PSA provides a complete set of free security deliverables reducing TTM and cost

IoT device

Security Manifesto

Page 20

The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

www.arm.com/company/policies/trademarks

© 2018 Arm Limited | All contents confidential.