
Upload: dinhnhu

Post on 30-Aug-2018

Page 1

Renesas Electronics America Inc.

© 2012 Renesas Electronics America Inc. All rights reserved.

“Secure Firmware Update” Lab Session

Class ID: BL02I

Shotaro Saito, Staff Application Engineer, Secure MCU

Page 2

Shotaro Saito, Application Engineer

24 years in Embedded Systems Development

In-Circuit Emulator / Debugger Development

Debugger GUI Design

Biometrics Enabled Smartcard Development

4 Years with Renesas Electronics

In Charge of Secure MCU Development Kit and Tools

Board ID Solution Support

Page 3

Renesas Technology & Solution Portfolio

Page 4

Microcontroller and Microprocessor Line-up

Wide Format LCDs

Industrial & Automotive, 130nm

350µA/MHz, 1µA standby

44 DMIPS, True Low Power

Embedded Security, ASSP

165 DMIPS, FPU, DSC

1200 DMIPS, Performance

1200 DMIPS, Superscalar

500 DMIPS, Low Power

165 DMIPS, FPU, DSC

25 DMIPS, Low Power

10 DMIPS, Capacitive Touch

Industrial & Automotive, 150nm

190µA/MHz, 0.3µA standby

Industrial, 90nm

242µA/MHz, 0.2µA standby

Automotive & Industrial, 90nm

600µA/MHz, 1.5µA standby

Automotive & Industrial, 65nm

600µA/MHz, 1.5µA standby

Automotive, 40nm

500µA/MHz, 35µA deep standby

Industrial, 40nm

242µA/MHz, 0.2µA standby

Industrial, 90nm

1mA/MHz, 100µA standby

Industrial & Automotive, 130nm

144µA/MHz, 0.2µA standby

2010 2013

32-bit

8/16-bit

Page 5

Microcontroller and Microprocessor Line-up (same line-up chart as on page 4)

True Embedded Security and Integration

Page 6

‘Enabling The Smart Society’

The Smart Society is explicitly exposed to adversaries who intend to profit by breaching its security:

Challenge: “In the smart society, interconnectivity plays the key role, yet anyone can take advantage of it, including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts.”

Solution:

The “Secure MCU” solution uses a secure authentication scheme to prevent end-point devices in the smart society from being compromised

Page 7

Agenda

Embedded security basics

– Knowing your opponents

– Attack vectors on embedded systems

– Security perimeter

– Board ID – The best plug

Lab session

– Preparing RX62N as target system

– Download sample firmware with remote security stack

– Penetration testing

Q&A

Page 8

Embedded Security Basics

Page 9

Knowing Your Opponents (1)

Competitors

Reverse engineering, vulnerability research, etc.

– Let’s see what they got this time that we can ‘mimic’

Counterfeiters

Cloning

– Oh, they make it hard this time but we can still crack it

Hackers

Pure curiosity (their raison d’être)

– I’ll run my homebrewed app on PS3. EULA? What is it?

Fame, promotion and job opportunity

– “He’s very popular as iPhone and PlayStation3 jailbreaker” (Geohot vs. Sony, 2010)

– “I could hack your server. Why don’t you hire me as your CSO?” (Marriott Hotel, Nov. 2011)

Page 10

Knowing Your Opponents (2)

Opponents in the real world

They do ANYTHING to make a profit

– This is a fake Samsung Galaxy SIII

– BTW, this Apple store is FAKE!

Page 11

Attack Vectors (1)

Communication Interface

JTAG

– Widely available on popular MCUs

Serial (RS-232C)

– Console hacking starts from here

Ethernet

– Remote hacking from the other side of the Earth

USB

– Stuxnet, PS3 jailbreak utilize USB dongle/memory stick

I2C, SPI, SMBus, etc.

Page 12

Attack Vectors (2)

Physical penetration

Opening enclosure

– Trace cut/jumper

– Add/remove/replace devices (i.e. MOD chips)

Compromising device

– Break/dissolve device packaging

– Reconnect blown fuse with micro probe

Page 13

Security Perimeter

Page 14

Security Perimeter (1)

What we protect and what we don’t

We can prevent this

But we cannot prevent this

Defining ‘End-Point’ as security perimeter

The target should not be cloned (Hardware/Software)

The target ‘eco’ system should be protected

Page 15

Security Perimeter (2)

‘End-point’ security

Remote intrusion

Altered meter

Unauthorized charging

Sophisticated theft

Unauthorized access

Remote intrusion

Remote intrusion

Denial-of-service

Page 16

Security Perimeter (3)

Target system definition

RX63N RDK – Represents network enabled device

Application – Console application with update feature

Protection profile

The application (RX63N side)

– Not to be altered

– Not to be extracted

Update scheme (Server side)

– Unauthorized system is properly rejected

– False attempt is rejected and logged

Adding secure MCU to RX63N RDK makes it easy

Page 17

Board ID – Proven Security Enhancement

Board ID – Tiny secure microcontroller (4.2mm x 4.2mm)

Embedded secure element

– Credentials are stored in a tamper-proof memory section

– Hardware protection against known attacks

Cryptographic coprocessor

– Fast RSA transaction with modular multiplication coprocessor

Turn-key Solution

– Pre-loaded firmware for authentication-specific applications

Outsourcing security measures

Firmware update mandates Board ID on RX63N RDK

Counterfeit target without Board ID is rejected

Page 18

Lab Session

Page 19

Lab Session

Material

RX63N RDK

– 32-bit microprocessor demo kit

Board ID Module

– Authentication-specific module

Authentication server

– Provides firmware update service ONLY AFTER proper authentication is done

The Goal

Utilize the Board ID module to perform secure firmware download to the RX63N demo kit from the Authentication Server

Lab Procedure

Follow the lab procedure (takes approximately 40 minutes)
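
The gate described on the Security Perimeter (3) and Lab Session slides, sketched as an added example that is not Renesas code: the server releases the image only after a challenge-response succeeds and records every rejected attempt. HMAC-SHA256 with a per-device key stands in for the Board ID's RSA transaction, whose protocol the slides do not give; all names, IDs, keys and the image are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical IDs, key and image).
ENROLLED = {"board-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}
FIRMWARE = b"constructed sample firmware image v2"


def board_id_respond(key, nonce):
    """Device side: the secure element answers the challenge; the key never leaves it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class UpdateServer:
    def __init__(self, enrolled, firmware):
        self.enrolled = enrolled
        self.firmware = firmware
        self.pending = {}  # device_id -> outstanding one-time challenge
        self.audit = []    # (device_id, reason) for every rejected attempt

    def begin(self, device_id):
        """Issue a fresh challenge to any caller, enrolled or not."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def finish(self, device_id, response):
        """Return the firmware only after a valid response, else None."""
        nonce = self.pending.pop(device_id, None)  # single use: blocks replay
        key = self.enrolled.get(device_id)
        if nonce is None:
            return self._reject(device_id, "no outstanding challenge")
        if key is None:
            return self._reject(device_id, "unknown device")
        if not hmac.compare_digest(board_id_respond(key, nonce), response):
            return self._reject(device_id, "bad response")
        return self.firmware

    def _reject(self, device_id, reason):
        self.audit.append((device_id, reason))  # false attempt is logged
        return None


if __name__ == "__main__":
    server = UpdateServer(ENROLLED, FIRMWARE)
    nonce = server.begin("board-0001")
    reply = board_id_respond(ENROLLED["board-0001"], nonce)
    print("genuine board:", server.finish("board-0001", reply) is not None)
    print("replayed reply:", server.finish("board-0001", reply) is not None)
    print("audit log:", server.audit)
```

A target without an enrolled Board ID still receives a challenge, so the first message does not reveal which device IDs exist; it is turned away and logged only at the response step.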

Page 20

Questions?

Page 21

‘Enabling The Smart Society’ in Review…

The Smart Society is explicitly exposed to adversaries who intend to profit by breaching its security:

Challenge: In the smart society, interconnectivity plays the key role, yet anyone can take advantage of it, including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts.

Solution:

The “Secure MCU” solution uses a secure authentication scheme to prevent end-point devices in the smart society from being compromised

Do you agree that we accomplished the above statement?

Page 22

Please Provide Your Feedback…

Please utilize the ‘Guidebook’ application to leave feedback

or

Ask me for the paper feedback form for you to use…

Page 23

Renesas Electronics America Inc.