A Developer's Guide to Security on Cortex-M based MCUs

Size: px

Start display at page:

Download "A Developer's Guide to Security on Cortex-M based MCUs"

Silvia Montgomery
5 years ago
Views:

1 A Developer's Guide to Security on Cortex-M based MCUs 2018 Arm Limited Nazir S Arm Tech Symposia India

2 Agenda Why do we need security? Types of attacks and security assessments Introduction to TrustZone What is physical security? Processor selection Secure software development Arm Limited

3 Why do we need security? 2018 Arm Limited

4 Security is not optional anymore Billions of IoT devices Data integrity, security & privacy Potential losses of hacks, breaches Arm Limited

5 Security is an integral part of the DNA of Arm TEE for Cortex-A Cortex-A with TrustZone SecurCore Arm CryptoCell Platform Security Architecture (PSA) launched Arm CryptoIsland Secure Enclave isim technology Kigen family Physical security enhancements Physical vulnerabilities Mbed Armv8-M processors: Cortex-M23 and Cortex-M33 with Arm TrustZone Arm security manifesto PSA threat models PSA Trusted Firmware (TF-M) Communication vulnerabilities Lifecycle vulnerabilities Software vulnerabilities Arm IP protects against a wide set of attacks Arm Limited

6 Matching the attack with the right mitigation Communication Software Lifecycle Physical Arm Limited

7 How much security is needed? Cost/effort to attack Security subsystem & enclave Secure IoT Secure element TLS/SSL TrustZone-based TEE Communication attacks Man In The Middle Weak RNG Code vulnerabilities Software & hardware attacks Physical access to device JTAG, Bus, IO Pins, Time, money & equipment Software attacks & lightweight hardware attacks Buffer overflows Interrupts Malware Cost/effort to secure *Trusted Execution Environment / Secure Partitioning Manager Arm Limited

8 Introduction to TrustZone 2018 Arm Limited

9 Efficient TrustZone security isolation Comprehensive Secure, holistic protection across the entire processor and system Two worlds - one CPU Real-time transition* Non-trusted Simple to use Transparent to software developer Same programmers model Non-trusted view Trusted Trusted view Optimized for small embedded Hardware enforced isolation Deterministic, low-latency interrupts Secure services Firmware Secure firmware Data Secure data Peripherals Memory CPU resources Arm Limited * 2 cycles

Security for all embedded applications Root of trust applications - IoT IP Protection Crypto Trusted software Trusted hardware Secure system Secure storage TRNG* Valuable

10 Security for all embedded applications Root of trust applications - IoT IP Protection Crypto Trusted software Trusted hardware Secure system Secure storage TRNG* Valuable firmware Trusted drivers Trusted hardware Sandboxing Untrusted Trusted Certified OS / functionality Trusted drivers Trusted hardware * True random number generator Arm Limited

11 Device security: secure partitioning for MCUs Split memory into private secure and public non-secure Small private footprint enables exhaustive verification Public code never sees keys/secrets Vulnerabilities on public side can t affect private side Private side can verify integrity of the public side Public code can t write code directly to Flash Private side can reliably recover device to clean state Public Cloud BLE Stack WiFi Stack Application Protocol SSL Library Device Management Diagnose Private / Secure Firmware Update Secure Storage Crypto Keys Crypto API Secure ID RNG Arm Limited

12 Lifecycle & Physical Security 2018 Arm Limited

13 Lifecycle security Program unique ID, certificates, secure bootloader Disable debug Encrypted download of secure image, and app image via bootloader Secure firmware update Check for rollback, verify Wafer sort/ final test CM/OEM Customer Repair Arm Limited

Defending silicon vulnerabilities Power and EM

14 Defending silicon vulnerabilities Power and EM analysis Fault injection attacks Invasive attacks/tampering Can we build an IP solution portfolio that can address these threats efficiently at the source? Can we integrate the solution to these three vulnerabilities into a single IP? Arm Limited

15 Proliferation of the need for physical security Arm Limited

16 Processor Selection 2018 Arm Limited

17 Security layers Physical security Cortex-M35P TrustZone for Armv8-M Cortex-M23 Cortex-M33 Memory protection unit (MPU) Cortex-M0 Cortex-M0+ Cortex-M3 Cortex-M4 Cortex-M Arm Limited

18 Cortex-M23: Ultra low power with TrustZone Smallest area, lowest power With TrustZone, same energy efficiency as Cortex-M0+ Security foundation System wide security with TrustZone technology Ultra-high efficiency Flexible sleep modes Extensive clock gating Optional state retention Enhanced memory protection Easy to program Dedicated protection for both secure and non-secure states Enhanced capability Increased performance Multi-core system support 240 interrupts Hardware stack checking Enhanced & secure debug Security aware debug Simplified firmware development Embedded trace macrocell Arm Limited

Cortex-M33: Security for diverse embedded markets 32-bit processor of choice Optimal balance between performance and power 20% greater performance than Cortex-M4 With TrustZone, same energy

19 Cortex-M33: Security for diverse embedded markets 32-bit processor of choice Optimal balance between performance and power 20% greater performance than Cortex-M4 With TrustZone, same energy efficiency as Cortex-M4 Digital signal control Bring DSP to all developers FPU offering up to 10x performance over software Extensible compute Co-processor interface for tightly-coupled acceleration Security foundation System-wide security with TrustZone technology Enhanced memory protection Easy to program Dedicated protection for both secure and non-secure states Enhanced & secure debug Security aware debug Simplified firmware development Arm Limited

Cortex-M35P: Physical security for high-value applications Highest security Customizable anti-tampering and side channel attack mitigation Increased performance 5x Flash frequency boost thanks to

20 Cortex-M35P: Physical security for high-value applications Highest security Customizable anti-tampering and side channel attack mitigation Increased performance 5x Flash frequency boost thanks to instruction cache 3.5x boost for DSP applications +20% integer performance boost Extensible compute Co-processor interface for tightly-coupled acceleration Dual-core lockstep Partial or full lockstep Security and safety Security and safety packages Commercial, automotive Provides basis for certification Enhanced & secure debug Security aware debug Simplified firmware development Arm Limited

21 Total security: scalable protection for all attack types Cortex-M23/Cortex-M33 - First Cortex-M processors with TrustZone Cortex-M35P - A new Cortex-M processor with tamper resistance and software isolation CryptoCell-312/P - Cryptography and lifecycle IP with or without physical security mitigation CryptoIsland-300/P - Secure enclave IP with or without physical security mitigation Security is key for IoT to scale to 1 trillion Advanced protection is critical as physical security attacks are getting easier and cheaper Designers can use Arm s Platform Security Architecture to assess threats Arm makes security accessible to all embedded and IoT designers Arm Limited

Arm secure foundation solutions Complete system approach CorStone foundation IP (formerly SDKs): Pre-verified, configurable system and subsystem IP Modifiable

22 Arm secure foundation solutions Complete system approach CorStone foundation IP (formerly SDKs): Pre-verified, configurable system and subsystem IP Modifiable subsystem IP Pre-integrated with processor and security IP Development tools (including FPGA/test chip boards) CorStone-ready software (e.g. Mbed OS) Arm Limited

23 Secure Software Development 2018 Arm Limited

24 Existing IoT application Mixed Secure and Non-secure code MPU used for process protection PROJECT Crypto keys & certificates stored in non-readable memory. User application Function calls Firmware update Crypto keys, certificates Requires auditing of all code to protect against software vulnerabilities. Communications stack RTOS Function calls Start Crypto library Boot & boot loader Arm Limited

25 Developing code for secure IoT applications Composing a system from Secure and Non-secure projects Partition project place minimal security related code in secure project Non-secure project cannot access Secure resources. USER PROJECT Non-secure state User application Function calls SECURE PROJECT Secure state Firmware update Secure project can access everything. Secure and Non-secure projects may implement independent time scheduling. Communications stack RTOS Function calls Start Crypto keys, certificates Crypto library Secure boot & bootloader Arm Limited

26 IoT: Secure, Easier and More Scalable with Arm Secure IoT Platform Secure foundation IP Identity Certification of secure platforms Operating system Device management, & provisioning Diverse partner ecosystem Scalable Secure Consistent programming Services capable Arm Limited

27 Get started with security on Arm IoT security is not optional Consider attack types communication, software, life cycle and physical Platform Security Architecture provides a blueprint for secure design TrustZone provides software isolation to reduce the attack surface Visit Arm TrustZone on Arm Community for more information to get started Arm Limited

28 The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners Arm Limited

29 Thank You Danke Merci 谢谢ありがとう Gracias Kiitos 감사합니다 धन यव द תודה Arm Limited

Beyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development

Beyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development Part1 - PSA Tech Seminars 2017 Agenda Platform Security Architecture Architecture overview Trusted Firmware-M IoT Threat