Source: mediafiles.iccmedia.com/events/iotcon15/pdf/leopold/15h25_msc.pdf
TRANSCRIPT
Security Aspects for COM-based IoT Systems
Peter Eckelmann, Product Marketing Manager, Embedded Boards & Modules
Introduction
• Security is highly important for the safe and reliable operation of IoT connected devices
• Security is one of the backbones of the IoT and requires attention from the beginning
• Security must start in the core of the processing elements and in the first step of firmware (not software) operation
Introduction
• IoT = large numbers of interconnected devices
• “A chain is only as strong as its weakest link”
• Unsecured devices connecting to the Internet = potential risk
• In 2013, a researcher at Proofpoint, an enterprise security firm, discovered the first IoT botnet
− According to Proofpoint, more than 25 percent of the botnet was made up of devices other than computers, including smart TVs, a refrigerator and other household appliances
• For IoT, security is of paramount importance!
• Percentage of security breaches involving end-user devices doubled year-on-year (Verizon/US Secret Service)
Security Risks of IoT
Threats
• Malware
− Rootkits, trojans, viruses, worms, keyloggers, bots, ...
− Risk enhanced by rich & open OS
− Countermeasures: trusted execution, high assurance boot
• Hacking
− Reverse engineering, brute force
− Countermeasures: secure storage, secure debug, encryption
• Physical attack
− Bus snooping, glitching
− Countermeasures: secure storage, tamper detection
x86 Hardware & BIOS
Typical COM Module based on x86: MSC C6B-8S / CXB-8S (Intel® Haswell Type 6 / Type 2)
Key Features
• Highest Performance
• Intel® Core™ i7-4700EQ (quad-core)
• Intel® Core™ i5-4400, i5-4402, i3-4100, i3-4102, Celeron 2000E and 2002E (dual-core)
• Intel® HD Graphics 4600
• Up to 16GB DDR3L SDRAM, dual channel
• Supports digital display interfaces DisplayPort/HDMI/DVI/eDP and USB3.0 (on Type 6)
• Supports legacy interfaces PATA, PCI (on Type 2)
• LVDS (24 Bit, dual channel) and VGA interface
• Triple independent display support
• Resolution up to 3800 x 2400
• Basic Format (95mm x 125 mm)
[Figure: MSC COM Express Type 6 “Haswell” block diagram]
Embedded Security: MSC’s Trusted Embedded Computing Initiative
• The Goal: Enabling safer Embedded Solutions
• Protection against:
− tampering
− illegal copying of data and software
− cloning of complete systems
• Based on open Standards
− Trusted Computing Group
• Based on well-known components
• 3rd Party Software Stacks and drivers
• Customer can choose from a growing variety of OSs and Applications
Embedded Security: Trusted Embedded Computing Architecture
• Latest security technologies developed for secure computing
− prohibiting theft or loss of sensitive data (notebooks)
− enabling secure data exchange over the internet, e-commerce, DRM, ...
• Based on TCG (Trusted Computing Group) standards
− fully TCG compliant security solutions
• Infineon TPM 1.2
• AMI Aptio® V BIOS with SecureBoot based on UEFI standard
• Infineon Software Package for Windows and Linux
• Microsoft Windows “Bitlocker” compliant
Embedded Security: Trusted Platform Module (TPM)
• Infineon SLB 9660 1.2
− TCG 1.2 compliant trusted platform module
− Security architecture based on Infineon SLE66CXxxPE security controller family
− 16-bit microcontroller in CMOS technology
− TCG 1.2 compliant embedded software
− EEPROM for TCG firmware enhancements and for user data and keys
− Advanced Crypto Engine (ACE) with RSA support up to 2048 bit key length
− Hardware accelerator for SHA-1 hash algorithm
− True Random Number Generator (TRNG)
− Tick counter with tamper detection used for time stamps
− Protection against “Dictionary Attack”
− Protection shield and sensors inside chip
Embedded Security: Trusted Platform Module (TPM)
• Block Diagram [figure not reproduced]
• Similar to Smart Card chip
− Field proven security
Embedded Security: Trusted Platform Module (TPM)
• Endorsement Key
− Unique pair of private/public keys (2048 bit)
− Foundation of platform unique identification and key generation
• Infineon Software Features
− TPM Professional Package available
o Supports Windows 7, Windows 8.1, Windows Server
o Linux driver support
o TSS software stack compliant to TCG specifications
o TPM Cryptographic Service Provider (CSP)
o Infineon's desktop management software for policy enforcement and security feature management
o Backup of migratable keys
Embedded Security: AMI Aptio® UEFI BIOS Firmware
• AMI Aptio V UEFI BIOS Firmware supports Trusted Boot based on TPM security features
• AMI Aptio V contains full TPM support
− Initialization
− Trust measurement during boot process
− “Chain of trust” from the very beginning
− En-/disabling TPM device in Setup program
− Full support of TCG specifications
− Protected update policy (SecureFlash according to NIST SP 800-147)
Embedded Security: Chain of Trust
• AMI Aptio® V supports “Chain of Trust” according to TCG
− From power-on every step is monitored
− CRTM (Core Root of Trust for Measurement) is essential
− Hash values in TPM are compared to actual values of SW modules
− Boot process stops if integrity of one chain link is doubtful
− Root of Trust cannot be modified
− SecureFlash update tool allows signed update files only
[Figure: “Chain of Trust” stack, bottom to top: “Root of Trust” (CRTM) with the TPM → Boot Block → BIOS (POST Phase) → Option ROMs → Boot Loader → OS Kernel → OS Drivers → Apps → Distributed/Network Apps]
Embedded Security: Authenticated Boot
• CRTM and TPM during the boot process
[Figure: “Execution Order / Building Chain of Trust”: the BIOS measures the Option ROMs, the OS Loader, the OS and the other software/OS components in execution order, and each measured value is sent to the TPM]
Embedded Security: Operating Systems
• Windows 7 / 8.1
− Integrated TPM Services
o To be used by 3rd party applications
− Secure Startup (Bitlocker)
o Full encryption of boot partition
o Keys stored in TPM
− TPM Administrative Tools
− Key Storage Provider
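The chain-of-trust, authenticated-boot and “keys stored in TPM” slides above describe one mechanism from three angles. The following Go program is an added example, not code from the slides, from AMI or from Infineon: it models a single TPM 1.2 PCR (20-byte SHA-1 state, changed only by extend), a boot chain whose links are hashed and extended into that PCR before they run, a halt when a link's hash differs from its reference (the slide's “boot process stops if integrity of one chain link is doubtful”), and a secret sealed to the good PCR value the way BitLocker binds its volume key, which is released only when the same boot state is measured again. The stage names, image bytes, reference-hash map and the TPM/Stage types are this example's own constructed stand-ins; a real TPM has many PCRs and encrypts sealed data under a chip-internal key rather than holding it in a Go map.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
)

// PCR models a TPM 1.2 platform configuration register: SHA-1 sized,
// zero at power-on, changeable only through Extend.
type PCR [sha1.Size]byte

// TPM models the parts of the chip the boot chain talks to: one PCR and the
// sealed secrets it guards (constructed simplification of a real TPM).
type TPM struct {
	pcr    PCR
	sealed map[string]sealedEntry
}

type sealedEntry struct {
	expected PCR
	secret   []byte
}

func NewTPM() *TPM { return &TPM{sealed: map[string]sealedEntry{}} }

// PowerOn resets the PCR as a real reset does; sealed objects persist.
func (t *TPM) PowerOn() { t.pcr = PCR{} }

// Extend is the only way to change the PCR: PCR = SHA-1(PCR || measurement).
func (t *TPM) Extend(measurement [sha1.Size]byte) {
	h := sha1.New()
	h.Write(t.pcr[:])
	h.Write(measurement[:])
	copy(t.pcr[:], h.Sum(nil))
}

func (t *TPM) PCRValue() PCR { return t.pcr }

// Seal binds a secret to the current PCR value (what BitLocker does with the
// volume key when it is set up on a known-good system).
func (t *TPM) Seal(name string, secret []byte) {
	t.sealed[name] = sealedEntry{t.pcr, append([]byte(nil), secret...)}
}

// Unseal releases the secret only if the PCR now holds the value it was
// sealed against, i.e. only after the same boot chain was measured again.
func (t *TPM) Unseal(name string) ([]byte, error) {
	e, ok := t.sealed[name]
	if !ok {
		return nil, errors.New("no such sealed object")
	}
	if e.expected != t.pcr {
		return nil, errors.New("PCR mismatch: platform state changed, secret not released")
	}
	return e.secret, nil
}

// Stage is one link of the chain: its name and the image loaded from flash/disk.
type Stage struct {
	Name  string
	Image []byte
}

// Constructed stand-ins for the stages in the slide's chain-of-trust figure.
var goodChain = []Stage{
	{"Boot Block", []byte("boot block v1")},
	{"BIOS (POST)", []byte("post code v1")},
	{"Option ROMs", []byte("option roms v1")},
	{"Boot Loader", []byte("bootloader v1")},
	{"OS Kernel", []byte("kernel v1")},
}

// ReferenceHashes records the known-good hash of every link (provisioning step).
func ReferenceHashes(chain []Stage) map[string][sha1.Size]byte {
	ref := make(map[string][sha1.Size]byte, len(chain))
	for _, s := range chain {
		ref[s.Name] = sha1.Sum(s.Image)
	}
	return ref
}

// MeasureChain replays the CRTM/BIOS behaviour on the slides: every link is
// hashed, the hash is extended into the PCR, and the link is compared with its
// reference before it gets control. Returns how many links were allowed to run
// and an error if the boot was halted.
func MeasureChain(t *TPM, chain []Stage, ref map[string][sha1.Size]byte) (int, error) {
	for i, s := range chain {
		digest := sha1.Sum(s.Image)
		t.Extend(digest) // measure first, then decide
		if expected, ok := ref[s.Name]; !ok || expected != digest {
			return i, fmt.Errorf("integrity of %q doubtful: boot halted", s.Name)
		}
	}
	return len(chain), nil
}

func main() {
	ref := ReferenceHashes(goodChain)
	tpm := NewTPM()
	n, err := MeasureChain(tpm, goodChain, ref) // first boot: known-good chain
	fmt.Printf("trusted boot: %d links ran, err=%v, PCR=%x\n", n, err, tpm.PCRValue())
	tpm.Seal("bitlocker-vmk", []byte("volume-master-key"))

	tpm.PowerOn() // next reset: the boot loader image has been replaced
	bad := append([]Stage(nil), goodChain...)
	bad[3] = Stage{"Boot Loader", []byte("bootloader v1 modified")}
	n, err = MeasureChain(tpm, bad, ref)
	fmt.Printf("tampered boot: %d links ran, err=%v\n", n, err)
	_, err = tpm.Unseal("bitlocker-vmk")
	fmt.Println("unseal:", err)
}
```

The point to take from the run is that the PCR value is reproducible only for the identical chain: a changed boot loader both halts the chain (the slide's authenticated-boot behaviour) and leaves the sealed volume key unreleasable, so an attacker who swaps the boot loader still cannot read the encrypted partition.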
ARM Hardware & Bootloader
Typical COM Module based on ARM: MSC Q7-IMX6 (MSC Qseven IMX6)
Freescale® ARM Cortex-A9 i.MX6
Key Features
• Freescale™ i.MX6 ARM® Cortex™-A9 quad-core, dual-core or single-core CPU
• MPEG-4 Video Encoding/Decoding 1080p
• HDMI graphics 1920 x 1080 x 30fps
• Dual-channel LVDS 1920 x 1080 x 30fps (also usable as two sep. LVDS channels)
• Up to 4GB DDR3 DRAM
• Up to 32GB eMMC Flash Memory
• PCI-Express x1
• SATA-II (3Gbps, quad-/dual-core only)
• USB 2.0 Host / Device
• BT.656 Camera, MIPI_CSI-2
[Figure: MSC Q7-IMX6 block diagram: Freescale i.MX6 Solo/Dual/Quad with DDR3 DRAM and eMMC Flash; Qseven connector (MXM-230) carrying Gbit LAN (Ethernet 10/100/1000), PCI Express x1, SATA, HDMI, dual-channel LVDS, CAN, 6x USB 2.0 (optional USB hub, USB host/device), I2C, SMBus, SPI, UART; audio, MIPI CSI-2 and BT.656 camera on the feature connector]
i.MX6 Trust Architecture Features
• Trusted Execution
− Isolates execution of critical SW from possible malware
− TrustZone Secure & Normal Worlds (processor modes)
− Hardware firewalls between CPU & DMA masters and memory & peripherals
• High Assurance Boot
− Authenticated boot: prevents unauthorized SW execution
− Encrypted boot: protects SW confidentiality
− Digital signature checks embedded in on-chip boot ROM
− Run every time processor is reset
• HW Cryptographic Accelerators
− Symmetric: AES-128, AES-256, 3DES, ARC4
− Message Digest & HMAC: SHA-1, SHA-256, MD-5
i.MX6 Trust Architecture Features (cont’d)
• Secure Storage
− Protects data confidentiality and integrity
− Off-chip: cryptographic protection including device binding
− On-chip: self-clearing Secure RAM
− HW-only keys: no SW access
• HW Random Number Generation
− Ensures strong keys and protects against protocol replay
− On-chip entropy generation
− Cryptographically secure deterministic RNG
• Secure Clock
− Provides reliable time source
− On-chip, separately-powered real-time clock
− Protection from SW tampering
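The “off-chip: cryptographic protection including device binding” and “HW-only keys: no SW access” bullets describe a blob mechanism: data kept in external flash is encrypted and integrity-protected under a key that only the hardware can derive. The Go program below is an added example, not code from the slides or from Freescale's secure-storage hardware: each Device instance holds an unexported master key standing in for the on-chip hardware-only key, derives a per-slot AES-256-GCM key from it with HMAC-SHA256, and authenticates the slot name as additional data. The Device, Blob, Encapsulate and Decapsulate names, the derivation label string and the sample plaintexts are this example's own constructions; the real key-derivation and blob formats of the chip are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models one SoC. masterKey stands in for the on-chip hardware-only key
// (e.g. burned into fuses): unexported, used only inside this type, never
// returned to callers. Each device instance gets its own random value, which
// is what makes a blob from one device useless on another.
type Device struct {
	masterKey [32]byte
}

func NewDevice() (*Device, error) {
	d := &Device{}
	if _, err := rand.Read(d.masterKey[:]); err != nil {
		return nil, err
	}
	return d, nil
}

// Blob is what is written to off-chip storage (eMMC, SD card, file system).
type Blob struct {
	ID         string // key slot / purpose this blob belongs to
	Nonce      []byte
	Ciphertext []byte
}

// blobAEAD derives a per-slot AES-256-GCM key from the master key, so software
// only ever works with derived keys and each slot's key is independent.
// (Derivation scheme constructed for this example.)
func (d *Device) blobAEAD(id string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, d.masterKey[:])
	mac.Write([]byte("secure-storage-blob-key:" + id))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output = AES-256 key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate protects plaintext for off-chip storage: confidentiality and
// integrity from GCM, device binding from the derived key, and slot binding by
// authenticating the ID as additional data.
func (d *Device) Encapsulate(id string, plaintext []byte) (Blob, error) {
	aead, err := d.blobAEAD(id)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{id, nonce, aead.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Decapsulate recovers the plaintext; it fails on another device, on a
// modified blob, and when the blob was moved to a different slot.
func (d *Device) Decapsulate(b Blob) ([]byte, error) {
	aead, err := d.blobAEAD(b.ID)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.ID))
	if err != nil {
		return nil, errors.New("blob rejected: wrong device, wrong slot or tampered")
	}
	return pt, nil
}

func main() {
	devA, _ := NewDevice()
	devB, _ := NewDevice()
	blob, _ := devA.Encapsulate("tls-client-key", []byte("constructed private key material"))
	pt, err := devA.Decapsulate(blob)
	fmt.Printf("same device: %q err=%v\n", pt, err)
	_, err = devB.Decapsulate(blob) // blob copied to a cloned unit
	fmt.Println("other device:", err)
	moved := blob
	moved.ID = "firmware-update-key" // blob copied into a different slot
	_, err = devA.Decapsulate(moved)
	fmt.Println("other slot:", err)
}
```

Binding the slot name as additional data is the detail worth copying: without it, an attacker with write access to the flash could move a blob between slots (for example, make a key intended for one purpose appear under another name) without breaking the integrity check.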
i.MX6 Trust Architecture Features (cont’d)
• Secure Debug
− Protects against HW debug (JTAG) exploitation for:
o Security circumvention
o Reverse engineering
− Three security levels + complete JTAG disable
• Tamper Detection
− Protects against run-time tampering
− Monitoring of various alarm sources:
o Debug activation
o External alarm (e.g. cover seal)
o SW integrity checks
o SW alarm flags
− HW and SW tamper response
i.MX6 Trust Architecture Overview [figure not reproduced]
High Assurance Boot Purpose
• High Assurance Boot ensures the boot sequence:
− Uses authentic SW
− Remains confidential (if required)
− Establishes a “known-good” system state
• High Assurance Boot protects against:
− Platform re-purposing
− Rootkits and similar unauthorised SW designed to
o harvest secrets
o circumvent access controls
− Offline SW reverse engineering (if required)
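The High Assurance Boot slides say the on-chip boot ROM performs a digital-signature check on every reset, so that only authentic software runs and the platform cannot be re-purposed with someone else's firmware. The Go program below is an added example written for this page, not code from the slides or from Freescale's HAB implementation: a factory step generates the OEM signing key and burns only the SHA-256 hash of its public key into simulated fuses; the OEM signs the image offline; on each reset the boot ROM model checks that the public key shipped in the image matches the fused hash and then verifies an RSA PKCS#1 v1.5 / SHA-256 signature over the payload before releasing it for execution. The image layout, the 2048-bit key size, the Provision/Sign/BootROMVerify names and the sample payloads are this example's assumptions; the real HAB container and key-table formats are not reproduced. Encrypted boot (the confidentiality option) is not modelled here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SignedImage is a constructed stand-in for a signed boot image: the payload,
// the signer's public key (DER) and an RSA PKCS#1 v1.5 / SHA-256 signature
// over the payload.
type SignedImage struct {
	Payload   []byte
	PublicKey []byte
	Signature []byte
}

// Fuses models the one-time-programmable area the boot ROM consults. Only the
// hash of the trusted public key is burned in, not the key itself, so an image
// cannot simply carry a different key.
type Fuses struct {
	PubKeyHash [sha256.Size]byte
}

// Provision is the factory step: create the OEM signing key and burn its hash
// into the fuses. The private key stays with the OEM, never on the device.
func Provision() (*rsa.PrivateKey, Fuses, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, Fuses{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, Fuses{}, err
	}
	return key, Fuses{sha256.Sum256(der)}, nil
}

// Sign is the OEM's offline signing step that produces the shipped image.
func Sign(key *rsa.PrivateKey, payload []byte) (SignedImage, error) {
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return SignedImage{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{payload, der, sig}, nil
}

// BootROMVerify is what the on-chip ROM does on every reset: bind the
// embedded public key to the fuses, then check the signature. It returns the
// payload that may be executed, or an error (a real chip would halt or fall
// back to a recovery mode instead of running the image).
func BootROMVerify(f Fuses, img SignedImage) ([]byte, error) {
	if sha256.Sum256(img.PublicKey) != f.PubKeyHash {
		return nil, errors.New("public key does not match fused hash")
	}
	pub, err := x509.ParsePKIXPublicKey(img.PublicKey)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("unsupported key type")
	}
	digest := sha256.Sum256(img.Payload)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], img.Signature); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return img.Payload, nil
}

func main() {
	oemKey, fuses, err := Provision()
	if err != nil {
		panic(err)
	}
	img, _ := Sign(oemKey, []byte("u-boot image v1"))
	_, err = BootROMVerify(fuses, img)
	fmt.Println("genuine image:", err)

	tampered := img // payload altered after signing
	tampered.Payload = []byte("u-boot image v1 modified")
	_, err = BootROMVerify(fuses, tampered)
	fmt.Println("modified payload:", err)

	otherKey, _, _ := Provision() // re-purposing attempt with a foreign key
	foreign, _ := Sign(otherKey, []byte("third-party firmware"))
	_, err = BootROMVerify(fuses, foreign)
	fmt.Println("signed with foreign key:", err)
}
```

The two failure paths in main correspond to the two protections on the slide: a modified payload fails the signature check (rootkit-style tampering), and an image signed with a correctly formed but different key fails the fuse comparison (platform re-purposing), even though its signature is internally valid.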
High Assurance Boot Operation [figure not reproduced]
High Assurance Boot Encrypted [figure not reproduced]
Your Innovative Partner: rugged standard systems, fanless, verification, building blocks, system design, experienced, long term availability, 3D design, semi custom, cooling concepts, approvals
MSC Technologies. Engineering Leadership
Thank you