SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions


THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION

Legal Disclaimers

Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.intel.com/performance.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Copyright 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.

Security Breaches - How They Happen
- Default passwords
- Poor, manual device provisioning
- Delayed image updates
- Lack of security designed in to HW

IoT Security Is Essential to Scale IoT Deployments
HW Security is an IoT Priority
- Best practice guidelines
- Customer requirement
- Barrier to IoT Adoption*
- Hackers exploiting poor device security
- Most Important Items for IoT Platform* RFP
- Isolation & added protections of HW security has recognized role
- Requirements to secure YOUR platforms and solutions.
- HW based security moving from shadows to key RFP requests
- Security solutions designed-in to HW are keys to accelerating adoption and scale
*35% of respondents, Gartner 2016 IoT Backbone Survey

Intel Security Strategy and Solutions

On-Demand Lifecycle Services accelerating IIoT / IoT Solutions
- Intel Secure Device Onboard - Provisioning of Device Trust and Credentials
- Remote Device Health Attestation

Customer / Eco System Unified Application security API

IOT sf requirements
- Authentication and Authorization
- Privacy
- Device Hardware and Physical Security
- Device Application Integrity and Authenticity
- Encryption and Key Management (Hardware)

Security Usages
- HW & SW platform authentication; local and remote
- Ensure HW & SW image are in expected known-good, non-compromised configuration
- Enables trusted apps to run sensitive code, data, and store credentials in HW isolated enclaves
- Protected memory for data at rest and in use
- On chip Trusted Platform Module cryptographic functions

Designed-in foundation
- HW/SW Identity
- Platform Integrity
- Trusted Execution
- Crypto / Protect Storage


Base Platform - Security Accelerators
Diagram: Surface Area Protected - Data/Keys, Apps, OS/VMM, BIOS/FW

Offload Crypto to Main CPU
- Crypto - Intel Data Protection Technology with AES-NI, SHA-NI, SHA256, RDRAND, RDSEED, ECC. vPro = FIPS 140-2 L1 Crypto Block.

FPGA - Security Assist
- Intel SoC FPGA Crypto Accelerators: maximize CPU performance with crypto offload. Extend the life of MCUs that may risk running out of performance as security needs change.
- Intel SoC FPGAs allow security protocols to move from software to custom hardware even after deployment, extending product lifetime.
- Intel Stratix 10 Secure Device Manager - Fully configurable & authenticated boot, configuration schemes, secure key mgt/storage, and tamper resistance to create an isolated co-processor

Diagram axes: Security, Performance (Min to Max)

OS Hardening - Memory, Virtualization
Diagram: Surface Area Protected - Data/Keys, Apps, OS/VMM, BIOS/FW
- Malware Protection - Intel Platform Protection Technology with OS Guard (privilege-escalation attacks), SMEP, SMAP
- Virtualization & VM Isolation - Intel VT-x (CPU), Intel VT-d (I/O), VMFUNC (Hypervisor)

Base Platform Identity - Intel Enhanced Privacy ID
Immutable hardware root of trust for IoT networks to identify devices & secure their communications
Diagram: Surface Area Protected - Data/Keys, Apps, OS/VMM, BIOS/FW
- TCG/ISO standard with open source SDK
- Remotely attests device HW ID as part of valid group without revealing identity
- Removes Intel from directly authenticating the device during the provisioning process
- Unique, In-demand, Proven - 2.7 billion keys distributed with IA & non-IA platforms. Simplifies key management & distribution
- Prevents Attack Mapping - Protects device data vs PKI that reveals data to hack device
- Enables zero touch device provisioning with onboarding services

EPID vs. PKI
- Intel EPID: 1-to-many key match, unique signature every time, ANONYMOUS
- Traditional PKI: 1-to-1 key match, standard signature every time
Diagram labels: Pvt-Key 1, Pvt-Key 2, Pvt-Key X, Pvt-Key

Protected Boot Solutions for Platform Integrity
Diagram: Surface Area Protected - Data/Keys; SW Stack - Apps, OS/VMM, BIOS/FW
- Ecosystem Firmware - Partner & TianoCore.org UEFI open source implementations
- Intel Platform Protection Technology with Boot Guard - Cryptographically verifies first portion of OEM BIOS code executing out of reset.
- Intel Platform Protection Technology with BIOS Guard - protection against BIOS recovery attacks.
- Ecosystem Values - OEMs & ISVs like it, as Boot Guard adds robustness to the chain of trust process where the UEFI boot process cryptographically verifies and/or measures each software module before executing it.
- Enabling - Requires BIOS enabling and OEM support in signing of the policy manifests, hashing of BIOS boot block module, programming the hash of OEM public key and boot policies in field programmable fuses.
- Supports both TPM families, TPM 1.2 and TPM 2.0, and also PTT as part of measured boot

Diagram: Boot Guard Component and Sequence - Reset, Boot Guard, Initial Boot Block (IBB), Payload (Coreboot, UEFI, uboot), OS Loader, OS direct; Boot Guard scope and scope of Coreboot; Platform Trust Technology, firmware Trusted Platform Module (TPM) 2.0

Transitive Trust Chain Firmware TPM - Intel Platform Trust Technology
Diagram: Surface Area Protected - Data/Keys; Device Stack - Applications, Apps, OS/VMM, BIOS/FW
- Intel Platform Trust Technology (Intel PTT) - HW TPM 2.0 implementation integrated in Intel ME/CSME/TXE security engines for credential storage and key management.
- Secure trust element to meet requirements for TPM 2.0
- Measured Boot for remote attestation
- System's boot block is measured by HW/FW and successfully attests if unaltered
- No protection for applications

Diagram: Measured Boot to TPM Flow - Hardware RoT (CPU & Boot Sequence, Fuses/ROM Key), Boot Loader, Operating System Kernel, Trusted Code; Intel PTT Trusted Storage for Measurements
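
The measured-boot flow on this slide, sketched as an added example (not Intel's code and not part of the original deck): each stage is hashed before it runs and the digest is extended into a TPM PCR, then a verifier replays the event log against the reported PCR and compares every digest to known-good values. The stage names, byte strings and function names are constructed for illustration; the extend rule PCR_new = SHA-256(PCR_old || digest) is how a TPM 2.0 SHA-256 bank behaves, and checking the signature on the TPM quote is assumed to happen elsewhere.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one PCR in the SHA-256 bank, all zeros at reset


def measure(blob: bytes) -> bytes:
    """Digest of a component, taken before control is handed to it."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the PCR can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages):
    """Device side: returns (final PCR, event log of (name, digest))."""
    pcr, log = bytes(PCR_SIZE), []
    for name, blob in stages:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify(reported_pcr, log, golden):
    """Verifier side: replay the log, then compare each digest to known-good.
    Returns a list of findings; an empty list means the platform attests."""
    replayed = bytes(PCR_SIZE)
    for _, digest in log:
        replayed = extend(replayed, digest)
    if not hmac.compare_digest(replayed, reported_pcr):
        return ["event log does not match reported PCR"]
    findings = []
    for name, digest in log:
        if name not in golden:
            findings.append(f"unexpected component: {name}")
        elif digest != golden[name]:
            findings.append(f"modified component: {name}")
    logged = {name for name, _ in log}
    findings += [f"missing component: {n}" for n in golden if n not in logged]
    return findings


# Constructed sample chain (names and contents are illustrative only).
GOOD_STAGES = [
    ("boot_block", b"IBB v1.0"),
    ("boot_loader", b"loader v2.3"),
    ("os_kernel", b"kernel 4.9"),
]
GOLDEN = {name: measure(blob) for name, blob in GOOD_STAGES}

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_STAGES)
    print(pcr.hex(), verify(pcr, log, GOLDEN))
```

A modified boot loader changes every PCR value after it, so a device that replays a clean log next to the PCR of a tampered boot is caught by the replay check rather than by the digest comparison.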

Trusted Execution Environment - Protected App Enclave
Diagram: Surface Area Protected - Data/Keys, Apps, OS/VMM, BIOS/FW
- Intel Software Guard Extensions (Intel SGX) - memory-architecture extension designed to protect select code or data from disclosure or modification. Enables trusted in-app enclaves, which are protected areas of execution in memory.
- Intel Dynamic Application Loader - Intel signed & verified 3rd party Java applets run in separate VM sandbox within ME/Intel TXE security co-processor. Trusted apps given controlled access to security resources and services. Apollo Lake specific.
- SGX=on over 70 Ecosystem Platforms, Major CSP Blockchain Announcements - Azure, Alibaba, Fortanix

Diagram labels: TEE, CODE, DATA, SNOOP

E-to-e Edge to cloud IoT Security Channel software Solutions

Wind River Helix* Device Cloud
Device Management: Connect, Operate, Protect

Security Specific Capabilities
- Secure Signed Update - OTA/FOTA integrity checked software or kernel update over encrypted channel. Reconfigure anything to respond to vulnerabilities
- Security Monitoring - alerts, secure logs, & ability to remotely decommission device
- Management Server - DDOS, anti spoofing, script & forgery protection

Diagram labels: Rest API, Management Console, Customer's IoT Platform & Apps, Secure Update Package, Deploy, Decommission, Full Device Lifecycle, Monitor, Update, Manage, Service, Device OS, Device Cloud Agent

On-demand Platform Trust Services

Intel Secure Device Onboard
- Automation - Takes seconds at power on
- Security - Unique HW protected onboarding w/privacy
- Dynamic Provisioning to customer's IoT platform of choice
- Scale - 1-to-many enablement for device makers

Diagram labels: Intel Secure Device Onboard, Hardware Security, Device, Zero-touch, IoT Platform Provider

Ecosystem wants automated scalability to move POCs to production. Increases devices in use.
Intel Secure Device Onboard drives SIM like approach that ties identity to platform initiated activation. No-one is solving.

Enabling Tools
- Supply Chain - traceability signing tool
- Silicon Providers - EPID SDK
- CSP/ISV Toolkit - integrate onboard API into their IoT Platform
- OEM Credential Toolkit - board and gateways - integrate client software into their platform

Diagram (steps numbered 1 to 4 on the slide): Device (Intel EPID SDK, TEE, Onboard Client, Mgr Agent); Intel Secure Device Onboard (SDO Service); IoT Platform Service Provider (Platform Registration Service, Onboard API, Device Mgt Service); Supplier; Ownership Proxy; New Owner. Step labels: Initial Device Identification (EPID Attestation), Take Ownership, Identification.

Device securely on-boarded under Normal Platform Control


Secure IoT Smart Camera - Mitigated Attacks

Attacks (numbers refer to the mitigations listed below):
- Unsigned firmware (1): Allows hacker to easily break the integrity of the boot firmware and OS image. Hacker infiltrates the system by subverting execution flow.
- Default Credential (2): Leave device vulnerable to cyberattacks. In 2014, 73,011 security cameras were secured only by default credentials (i.e. User: admin, Password: admin)
- Insecure data-in-transit (3, 7): Sending unencrypted video streams in the clear increases data privacy risks
- Insecure key storage (4, 7): Leaves the cryptographic keys used to protect platform and owner secrets easily recovered by hacker
- Weak P2P (Cloud) Link (5): Weakness may grant remote hacker access to the local network from any remote location
- Missed FW/SW Update (6): Not updated or older FW leaves device vulnerable to known exploits.

Mitigations:
1. Intel Boot Guard: Enforced secure boot allowing only signed & untampered firmware to run
2. Intel Secure Device Onboard: Provides service that uses HW key to secure the rendezvous of device to its owner
3. Intel AES-NI: Enable AES computation without compromising performance
4. Intel Platform Trust Technology: fTPM enables cryptographic keys to be securely stored in tamper-resistant key vault
5. Intel Enhanced Privacy ID: Utilize unique HW based key for secure channel establishment
6. Wind River Helix Device Cloud: Automate FW/SW over-the-air update & full device lifecycle management
7. Intel Security Essentials API: Abstracted, simplified HW security development

Diagram labels: Camera plugin, Web App, CGI process, P2P (Cloud) Agent, Services (telnet, httpd, sshd, etc), SOC, Linux Kernel, Bootloader, eMMC/SDXC, SRAM, COMMS; layers App, Services, Kernel, FW, HW; Network Video Recorder


Internet of Things Group Intel Confidential

IoT Security Ecosystem
Diagram labels: HWROT Silicon Providers; Equipment Providers; IoT Platforms & Solution Providers; Intel EPID; Intel SDO Devices; Intel SDO Platforms; FPGA Crypto Providers; Telit - HDC; Oracle - HDC; Device Cloud Partners

Portfolio Solutions to Secure Entire Device Lifecycle

Lifecycle stages:
- Manufacture: FAB/OEM/ODM
- Configure: OEM/ODM
- Onboard: Installer
- Provision: System Integrator
- Operate: IT & OT
- Decommission: Admin/End User

Develop, Attest, Onboard; Operational Security Management

Portfolio:
- Root of Trust Technologies
- Intel Security Essentials core security capabilities/technologies
- Ecosystem Enabling Tools
- Intel Security Essentials API
- Intel Platform Protection Technology
- TianoCore UEFI Firmware
- Coreboot and FSP
- Intel EPID Identity SDK
- Platform Trust Services
- Intel Secure Device Onboard Services
- Gateway/Fog Edge Security
- Enhanced Security for Gateways
- Device Management
- Wind River* Helix* Device Cloud
- IA-enabled IoT Security ISVs

Intel SGX Ecosystem
Diagram labels: Identity/Security; Cloud Solution Providers; IoT Platforms & Solution Providers; Blockchain; Payments; Telit - HDC; Oracle - HDC