© ARM 2016
How to protect Automotive systems with ARM Security Architecture
Cartoon: “Thanks to this app you can manoeuvre the new ‘Forpel’ using your smartphone!” “Too bad it’s not my car.”
Successful products will be attacked
§ Attack surface is ever expanding – more networked MCUs are interacting
§ Cars are becoming more vulnerable:
  § Greater computer interaction with steering, brakes…
  § Remote wireless connectivity and remote interaction
  § Bridges to Controller Area Network (CAN)
§ Attackers have the privilege of selecting where to attack
§ Security researchers willing to spend years on high profile attacks
“Since these remote attacks will necessarily be multi-stage, we recommend a defense in depth strategy” (Survey of remote automotive attack surfaces: Miller & Valasek)
Connected to the Internet & CAN
Security principles for automotive
[Diagram: three pillars, Device Security, Communications Security and Lifecycle Security, resting on a stack of trusted software, crypto and Root of Trust, trusted hardware / secure system and secure storage, with trusted and non-trusted regions kept apart]
Layers of security to protect your system
Attack classes (the diagram plots cost/effort to attack against cost/effort to secure):
§ SW & HW Attacks: physical access to device (JTAG, bus, IO pins); time, money & equipment
§ Software Attacks: buffer overflows, interrupts, malware
§ Communication Attacks: Man In The Middle, weak RNG (Random Number Generator), code vulnerabilities
Security layers that address them:
§ Transport Layer Security (TLS)
§ Security Subsystem & HSM (HSM = Hardware Security Module)
§ Trusted Execution Environment (TEE)
§ Secure Element
Layers of security to protect your system
Attack classes (the diagram plots cost/effort to attack against cost/effort to secure):
§ SW & HW Attacks: physical access to device (JTAG, bus, IO pins); time, money & equipment
§ Software Attacks: buffer overflows, interrupts, malware
§ Communication Attacks: Man In The Middle, weak RNG, code vulnerabilities
ARM building blocks for the same layers:
§ mbed TLS
§ CryptoCell
§ TrustZone® TEE or SPM (SPM = Secure Partitioning Manager)
§ SecurCore™
Establishing trust and integrity based on hardware
[Diagram: layered stack, from the hardware up]
§ Provisioned keys/certs
§ Initial Root of Trust (iROT; TrustZone, CryptoCell, keys): dependable security functions
§ Extended Root of Trust, e.g. TrustZone® based Secure Partitioning Manager or TEE
§ Trusted Apps/Libs (Trusted Software)
§ OS/RTOS and Apps
Ideally a RoT lives in a isolated security subsystem…
Security subsystem: highly evaluated code developed by security specialists & built in by the silicon vendor
…and provides trustworthy services to a hardware isolated TEE
[Diagram: TrustZone® splits the device into a Normal World and a Secure World]
§ Normal World: IoT developer writes Apps on top of his/her chosen RTOS
§ Secure World: trusted code (mostly libs) provided by MDK, IoT platform or ISV + trusted hardware (the TCB)
§ Security subsystem: implemented as a Trusted Peripheral; highly evaluated code developed by security specialists & built in by the silicon vendor
ARM TrustZone® Technology in 3 Steps
1. Define secure hardware architecture
   § Two separate domains: normal and secure
   § Extends across system: processor, interrupts, peripherals, memory, key storage, counters…
2. Implement in silicon System on Chip (SoC)
   § Enforcing secure/normal separation in hardware
3. Combine SoC with Trusted Software
   § Trusted Boot & Firmware
   § Trusted OS / Secure Partitioning Manager
Result: A Trusted Execution Environment (TEE)
§ Ready to develop and deploy trusted services
[Diagram: one CPU with a Rich OS on the Normal side and a Trusted OS on the Secure side; the Secure side is the Trusted Execution Environment]
Security on Apps processors (e.g. IVI): Defence in depth
[Diagram: ARM Cortex-A SoC system. Hardware: Physical IP, Initial ROT & Security subsystem (CryptoCell Security Services Platform), Hardware Interfaces. Trusted Software: Trusted Firmware at EL3 (Trusted Boot, Payload Dispatcher, SMCCC, PSCI) and a TrustZone® based TEE with Trusted OS, Secure Device Drivers and Trusted Apps (FIDO, Integrity), standardised by GlobalPlatform. Normal World Code: Hypervisor at EL2, Rich OS with Device Drivers and Comms Stack at EL1, Apps/User at EL0.]
https://www.globalplatform.org
SW platforms require security functions…
Graphics by Genivi® Cooperation, www.genivi.org
Security functions are mapped to security layers
[Diagram: the same ARM Cortex-A SoC stack as before (Physical IP, CryptoCell Security Services Platform, Hardware Interfaces; EL3 Trusted Boot with Payload Dispatcher, SMCCC and PSCI; Hypervisor at EL2; Rich OS with Device Drivers and Comms Stack at EL1; Apps/User at EL0; Trusted OS with Secure Device Drivers and Trusted Apps), now with security functions placed on it: FOTA and Anomaly detection as Trusted Apps, Anomaly detection alongside the Rich OS, HSM and Crypto in the security subsystem]
Example: Strong Authentication via FIDO*
§ Only allow authenticated users to interact
§ No passwords or secrets for the user
§ TrustZone® based TEE can protect integrity/crypto on the FIDO “server” in the car
§ TrustZone based TEE can protect private keys/crypto and FPS on the phone
[Diagram: FIDO Authentication over a TLS secure channel. The FIDO Server in the car sends a Challenge; the phone performs user verification (user gesture, e.g. FP, before the key can be used) and returns a Signed Response]
*https://fidoalliance.org
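The challenge/response on this slide, written out as an added Go example that is not from the presentation: an in-car FidoServer registers the phone's public key, issues a single-use random challenge and verifies the ECDSA-signed response, while the phone-side Authenticator refuses to sign until the user gesture has been verified. The type and function names, the choice of P-256 ECDSA and the single-user server are assumptions; on real hardware the private key would sit in TEE-protected storage rather than in a Go struct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// FidoServer models the in-car "server" (assumed design): one registered public key, no user secret, one single-use challenge.
type FidoServer struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}

// Register stores the authenticator's public key (enrolment step); nothing secret is shared.
func (s *FidoServer) Register(pub *ecdsa.PublicKey) { s.pub = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (s *FidoServer) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenge = c
	return c, nil
}

// Verify accepts a response only if it signs the outstanding challenge with the registered key.
func (s *FidoServer) Verify(sig []byte) bool {
	if s.pub == nil || s.challenge == nil {
		return false
	}
	digest := sha256.Sum256(s.challenge)
	s.challenge = nil // single use: a captured response cannot be replayed
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

// Authenticator models the phone: the private key never leaves it, and Sign refuses to use it until the user gesture is verified.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv}, err
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

func (a *Authenticator) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user gesture required before the key can be used")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}
```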
Example: Movies & TrustZone® Media Protection
[Diagram: media pipeline with two protected containers and one non-trusted container, isolated by TrustZone. Data items in the pipeline: encrypted compressed video stream, decryption keys, plaintext compressed video stream, plaintext uncompressed video stream, shader programs, UI content, working memory, framebuffer. Engines: Crypto (TrustZone, CryptoCell), VPU (Mali™ V550), GPU (Mali T8xx), Display (Mali DP550)]
Next generation TrustZone enabled MCUs
[Diagram: ARM Cortex®-M v8-M Microcontroller stack with TrustZone for ARMv8-M. Hardware: Physical IP, Initial ROT & Security subsystem (CryptoCell Security Services Platform), Hardware Interfaces. Trusted Software: TrustZone® based Secure Partitioning Manager (SPM), Trusted Libs, Crypto, CAN Monitor. Normal World Code, split into privileged and unprivileged levels: Platform Code, Device Drivers, RTOS, Comms Stack, TLS/Crypto Libs and Apps/User, reached through the CMSIS API]
Practical steps for designing-in security today
§ Build in layers of hardware based security
  § Unique keys / identities
  § Security subsystems or HSMs
  § TrustZone based TEE or TrustZone based SPM
  § Secure/authenticated debug
  § CAN gateways for isolation and anomaly detection
§ Consider advanced authentication such as FIDO (no passwords)
§ Use end to end encryption – TLS for Internet
§ Enable secure OTA updates
§ Have your system/platform penetration tested (e.g. whitebox testing)
Security – Summary
§ The automotive attack surface is expanding with the spread of connected MCUs, and at the same time vulnerability is increasing due to the growing autonomous nature of cars
§ Defence in depth is needed – TrustZone® and CryptoCell provide layers of hardware based security
§ ARM is helping by supplying security architecture, subsystems, TrustZone system IP and open source software to the partnership
§ ARM is accelerating investment in security solutions and OSS
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
Copyright © 2015 ARM Limited
Thank you!