WHITE PAPER Secure Firmware Upgrade System. June 2014

Transcription

1 WHITE PAPER Secure Firmware Upgrade System June 2014

2 TABLE OF CONTENTS Abstract... 3 Why Secure Firmware Upgrade?... 3 Requirements of a Firmware Upgrade System... 4 Secure Firmware Upgrade Process... 6 Secure Firmware Upgrade Reference Architecture... 6 Firmware Upgrade Generator... 7 Security Module... 7 Author Info... 12

3 Firmware Upgrades are required to correct bugs and add new functionalities. Abstract IEEE Standard Glossary of Software Engineering Terminology, std , defines Firmware as follows: The combination of hardware device and computer instructions and data that resides as read-only software on that device. Even though Firmware is designed as Read-only component, Firmware Upgrades are required to correct bugs and add new functionalities. The ability to upgrade Firmware is considered an important feature for embedded systems, particularly the ones that are connected to the Internet. It becomes even more important when the devices are deployed in remote locations. In such cases somebody has to go there and update the system, generally the OEMs don t get paid for updates, why would they incur this extra cost? A cost effective solution is to have a Remote Firmware Upgrade. But, it has its own share of problems - what if the system gets a wrong image and the system becomes unusable, it is even worse if the attacker adds a malware to the image, then the whole network at the client side will go for a toss. To overcome these problems device manufacturers are opting for Secure Firmware Upgrade, where the upgrades are first authenticated and verified and then upgraded. This paper discusses the key issues that must be considered for the upgradability of the system and presents a reference design of the Secure Firmware Upgrade System. Why Secure Firmware Upgrade? In order to strive for constant improvements OEMs quite often release firmware upgrades for their systems. These upgrades not only fix bugs, but also extend the existing firmware. Firmware upgrade is a very critical and sensitive operation 3

4 Security, Reliability, Minimal Downtime, Automated Process with minimal interface, Fault Tolerance are the basic requirements for Designing a Firmware Upgrade System. Doing it right the first time is important failing to do so might brick the device and make it unusable and worse, it could also update the firmware with any malicious code and attack the connected devices too. Recently there has been a lot of traction in this segment e.g. Firmware modification attack on some printers (CVE ) where a firmware update can be sent remotely to port 9100 without authentication and a recent firmware modification attack on home automation devices where firmware modification attack can be used to repeatedly turn on and off a small desk lamp. More malicious hacks could do similar things to heaters or other connected devices in the home. It is very important to authenticate and secure the firmware Upgrade system. Requirements of a Firmware Upgrade System The requirements for a firmware Upgrade system are different for each system we have listed below some of the generic requirements Security Firmware Upgrade should be received from the trusted source. User should be able to verify the Integrity of the upgrade before applying it. End user should not be able to change/modify any component of Firmware upgrade. Reliability Reliability is again a very important feature in fact at times when the user is unsure of the system s behavior he/she refuses to upgrade the firmware. During this process User should not lose his/her personalized data. System's performance should not degrade. 4

5 Minimal Downtime Firmware Upgrade system should be able to perform its operations with minimal time. Different strategies could be defined for different systems e.g. for critical systems downtime should be very low which might result in more memory and computational requirements. Hence downtime could vary, but the downtime should be well defined and agreed upon by all stakeholders. Fault Tolerance Firmware Upgrade may fail due to any of the reasons - bad Firmware resulting which device may stop functioning, flash corruption, Communication errors resulting in partially written Firmware. The Firmware Upgrade system should be designed by taking into considerations these real time scenarios and should not make the device unusable. Automated With Minimal User Interaction For General users the Firmware Upgrade process should not request any inputs from the users it should be a self-contained application that installs firmware upgrade if updates are available and user agrees to update his/her system. All the other required inputs could be received from the server or should be contained in the device. Depending on the device type the weightage of requirement can be increased for example for a critical system like Health Monitoring device minimal downtime is more important, in fact some of the Firmware Upgrade systems are providing zero Downtime Solutions. 5

6 Secure Firmware Upgrade Process Firmware Upgrade Process involves multiple steps and stages, following diagram depicts various steps that are required to Upgrade Firmware. The process starts right from the time when the firmware change needs to be propagated to the client. Reference Architecture for Secure Firmware Upgrade Based on the discussion, we present a Reference Architecture for Secure firmware upgrade. 6

7 The system is divided into two parts Server side Modules and client side modules. The server side implementation is used to generate an encrypted firmware image. This image is then pushed to the client from the server. The downloaded image is then decrypted and verified via security module at the client end and then the Firmware upgrade is installed. Firmware Upgrade Generator As discussed earlier Firmware Upgrades are generated using the delta between the firmware. Generally the upgrade generation process is automated and involves three steps Generate Upgrade using the two firmware versions. Test and Verify Upgrade on Old firmware. Publish Firmware upgrade. The tested firmware upgrade is then sent to the security module as an input. Security Module This module resides in client and server, the server side security module is responsible for encrypting the image, while 7

8 the client side module is responsible for the verifying the security and integrity of the Firmware. The goal of security module is Encrypt the Image Add Image verification Header Ensures that the firmware and the hardware of the embedded device are locked to each other and become unusable if firmware is deleted from the hardware or viceversa. To accomplish this task 2 level of security is maintained. Firmware Authentication To secure against Firmware tempering the device verifies the integrity and authenticity of the firmware before execution. This task is accomplished using asymmetric key pairs. Hardware Authentication Before execution the firmware verifies the hardware using Unique Id e.g. the MAC id of the hardware. The firmware is executed only if the verification is successfully completed. Device Firmware Update Client This module is deployed on the client device and is responsible for downloading the upgrade from the server. 8

9 Following is the flow chart for a typical Firmware Upgrade Client: Firmware Upgrade Process Start Check if FU is available Download FU Wait for predefined time End Before designing this module the OEM needs to consider the following parameters: How much of end user interaction is required? e.g. For some Firmware updating clients the end user has an option to specifically install a selected version on his/her device for others the end user confirmation is required to download and install new updates. How the end device will be notified about available updates? The device should poll for updates or the server will push updates on end devices. Will all the device get updates at once or each device will be notified about the updates separately to manage the load on update server? How frequently the updates will be pushed/pulled? Firmware Upgrade Installer Firmware Upgrade installer receives firmware as an input from the security module and installs it on the system. Typically a Linux based embedded system will have the following memory 9

10 structure. In this diagram we can see that generally Linux Kernel and File System are upgraded. For some cases even the boot loader can be updated Boot Loader UBL Kernel FileSystem }Updatable Part Summary The ability to upgrade a system remotely has become an important feature, each device that need to be upgraded comes with its own set of issues and design considerations. Firmware Upgrade design is a process that starts right from the Device Conception phase and continues till Device s End of Life. As discussed in this paper there could be serious consequences of tampering with the device firmware so OEMs need to define a procedure to verify and authenticate the firmware before upgrading. The advent of IoT has added flames to this problem and it has become necessary for the OEMs to continuously improve and secure their Firmware Upgrade process. 10

11 References When Firmware Modifications Attack: A Case Study of Embedded Exploitation Ang Cui, Michael Costello and Salvatore J. Stolfo Department of Computer Science Columbia University New York, US fang, costello, salg@cs.columbia.edu Implementing Secure Remote Firmware Updates Loren. K. Shade. To/Add-On-Firmware-Upgrades 11

12 Author Info Shivani Tomar is a Senior Technical Lead with HCL Tech. She has extensive experience in developing software focusing on the consumer electronics segment. She is currently focusing on various aspects of Security for Embedded Devices. She is a part of Practice team in HCL and has contributed in various projects. 12

13 Hello, I'm from HCL's Engineering and R&D Services. We enable technology led organizations to go to market with innovative products and solutions. We partner with our customers in building world class products and creating associated solution delivery ecosystems to help bring market leadership. We develop engineering products, solutions and platforms across Aerospace and Defense, Automotive, Consumer Electronics, Software, Online, Industrial Manufacturing, Medical Devices, Networking & Telecom, Office Automation, Semiconductor and Servers & Storage for our customers. For more details contact: Follow us on twitter: Our blog: Visit our website: