Copyright © 2018 Arm, All rights reserved.
Arm Platform Security Architecture - One year on
Chet Babla
VP Solutions
IoT Device Line of Business
IoT – Still the Wild West?
• Unregulated, no common standards
• Inconsistent approach to security
• Immature and fragmented end markets with diverse requirements
• Trusted data?
Examples shown:
• Mirai Botnet DDoS attack
• Jeep Hack
• Owlet Baby Monitor
• Abbott Pacemaker
The IoT security challenge
Complex value chain with inconsistent & untrusted device security and fragmentation for developers.
[Figure labels: IoT service user; Cloud service; OEM; OS; SIP; Mbed Cloud; FreeRTOS, Mbed OS, ThreadX]
Trends impacting security today
Political trends
• Cyber-security becomes a key area of focus
• Government legislation
Economic trends
• Early Adopters get a head start
• Regulatory compliance will be prime influencer
Technology trends
• More targets, more accessible
• AI Automation / quantum computing battle
Social trends
• Digital safety vs online security
There will be more high profile security hacks and attacks
The facts about IoT security
• The challenges of IoT security are growing
• IoT security trends are becoming more complex
• There are four main types of attack to protect against
• Arm can help simplify IoT Security
Security is a part of Arm’s DNA
Arm IP covers a variety of attack surfaces
[Timeline figure, 2004 to 2018…, with the following labels]
• Arm CryptoCell
• TEE for Cortex-A
• Cortex-A with TrustZone
• SecurCore
• Secure Enclave / CryptoIsland
• iSIM technology
• Kigen family
• PSA launched
• PSA threat models
• PSA TF-M
• Armv8-M processors: Cortex-M23/M33 with Arm TrustZone
• Arm security manifesto
• Mbed
• Physical security enhancements
• PSA APIs
• PSA specifications
Attack surfaces covered:
• Physical vulnerabilities
• Communication vulnerabilities
• Lifecycle vulnerabilities
• Software vulnerabilities
Arm’s Vision For IoT Security
Key IoT security considerations
1. Security needs to be built in from the ground up
2. A collective industry responsibility
3. Security needs to be simple, with seamless integration
Providing a framework to ensure consistent security
Platform Security Architecture (PSA) is the perfect starting point
Platform Security Architecture - The perfect security starting point
A common foundation, ensuring common security best practice endorsed by the Arm ecosystem
Reduce your ongoing costs and time-to-market for security with a set of holistic security deliverables
Ensure success and confidence in your designs
Platform Security Architecture
Consistently design-in the right level of security, economically
PSA Analysis Stage
Assess the potential vulnerabilities
Software
• buffer overflows
• interrupts
• malware
Physical
• non-invasive
• invasive
Lifecycle
• code downgrade
• ownership changes
• unauthorized overproduction
• Debug hacks
Communication
• man-in-the-middle
• weak RNG
• code vulnerabilities
Analysis - the first line of defence
Analysis - threat models
Analysis leads to requirements
Understanding Security Requirements is an essential first step
Threat model structure:
• System description
• Assets
• Threats
• Security objectives
• Security requirements
Example
• Asset: metering data to be protected in integrity & confidentiality
• Threat: Remote SW attacks
• Security objective: Strong Crypto
• Security requirement: Hardware based key store
Architect - PSA docs now public!
PSA builds on a foundation of security architecture documents – now available
• Security Model
• Firmware Framework
• Firmware Update
• Hardware Requirements (TBSA-M v2)
Implement – TF-M open source project
An open source project for rapid implementation
Trusted Firmware-M
• Reference firmware for PSA architecture spec
Targeting M-profile SoCs (Initially Armv8-M)
Available on www.trustedfirmware.org
Arm Mbed OS will include an implementation of PSA
Used by Mbed TLS, Pelion Device Mgmt & Mbed OS
Components being introduced now to future Mbed OS releases
Implement - mitigating with Arm IP
PSA Analysis Stage
Assess the potential vulnerabilities
Software
• buffer overflows
• interrupts
• malware
Physical
• non-invasive
• invasive
Lifecycle
• code downgrade
• ownership changes
• unauthorized overproduction
• Debug hacks
Communication
• man-in-the-middle
• weak RNG
• code vulnerabilities
Physical mitigation: Arm SecurCore, Arm Cortex-M35P, CryptoCell-312P, CryptoIsland-300P
Software mitigation: Arm TrustZone, CMSIS-ZONE, Arm Keil MDK and Arm processors with TrustZone support
Lifecycle mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform, Arm CoreLink SDC-600
Communication mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform
PSA Security Model – 10 Goals
A device should support:
1. Unique instance ID
2. Attestation e.g. Entity Attestation Token
3. Secure Storage
4. Secure Boot
5. Isolation of ROT Services
6. Secure update process
7. Validation of updates
8. Anti-rollback feature
9. Security lifecycle supported with attestation
10. TRNG and Nonce services
PSA APIs and API test kits
For a consistent developer experience
PSA Developer API
PSA Firmware Framework API
PSA TBSA test kit
• PSA aims to make security easier and quicker for IoT developers – this requires a consistent API across solutions
• Arm is delivering a set of APIs and compliance kits enabling the industry to address the IoT security challenge
• APIs and API test kits now becoming public (Beta in January)
[Figure labels: Crypto, Secure Storage, Attestation]
PSA: one year on
A growing list of PSA ecosystem partners
Trusted Firmware board founded and TF-M software released
Threat Modelling examples made public
All PSA documentation and specifications made public
PSA recognized as key security initiative
PSA APIs and API testing kits announced
Security is a shared responsibility – PSA partners
Silicon Cloud Software Security Systems
PSA summary – making security easier
• PSA makes security easier to implement through a common architecture
• In the last 12 months we have delivered on threat models, open source & architecture documents
• We recently announced the PSA APIs and API testing kits to help build an ecosystem
• PSA provides a complete set of free security deliverables reducing TTM and cost
IoT device
Security Manifesto
2020
The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
www.arm.com/company/policies/trademarks