
Achieve Robust IoT Security with Less Pain

The majority of the black box that is IoT Security (including Arm TrustZone®) becomes a guided excursion, not a foray into the jungle with a machete…if you have good tools…

Security is a genuine concern in the age of IoT. Devices that are connected to the internet and left to run for years with little or no human intervention can be, or can become, attractive targets. Devices used in financial transactions are of special concern, but it does not end there: a poorly secured IoT device can be the open door through which other devices on the same network are compromised. Security starts in the hardware and should continue upward through every layer of the software stack.

As hardware armor against attackers, Arm offers TrustZone®, introduced in its application processors more than a decade ago. It is often described as if it were an isolated processing core, but it is really a second security state of the same core: every bus transaction carries a Non-secure (NS) bit, so secure-world memory and peripherals can be fenced off from normal-world software regardless of that software's privilege level. TrustZone lets two software stacks coexist, a secure world and a normal world, with a root of trust that starts at secure boot. The normal world runs the conventional stack, from applications and services down to the operating system kernel; it cannot read or modify secure-world resources and can only request services from the secure world through a defined entry point (the Secure Monitor Call, SMC). The secure world, by contrast, can access both secure and normal-world software and hardware on the device.

Splitting the system environment in two provides the foundation for what TrustZone terminology calls a Trusted Execution Environment (TEE): a small secure-world OS that securely provides services to normal-world applications through Trusted Applications (TAs) running under it. The TEE, together with the SoC's address-space controllers, marks regions of memory and selected peripherals as secure-only; the normal world cannot reach them even from its highest privilege level. Communication between the worlds goes only through carefully defined channels (shared-memory buffers and the SMC interface). Typical uses of TrustZone are holding credentials for mobile payments, protecting parts of the firmware in Point-of-Sale (POS) terminals, and Digital Rights Management (DRM), where the keys that unlock paid content never leave the secure world.

Figure 1: The IoT Suite establishes a secure enclave to protect sensitive information. (Source: Sequitur Labs)

No device can be completely hack-proof, but making an attack difficult and unattractive goes a long way. With additional security, however, comes additional complexity in the development process: separate kernels inhabit each world, and every secure peripheral needs a driver on the right side of the boundary. And amid the details of implementing Arm TrustZone, one must not lose sight of common sense; code that is merely hard to reach is not the same as secure code, and a bug in a Trusted Application runs with the secure world's privileges.

Microchip's SAMA5D2, with an Arm Cortex®-A5 core, is one example of an MPU that incorporates Arm TrustZone and adds on-the-fly AES-128 encryption and decryption of external memory, secure debug modes, a software library for RSA and elliptic-curve cryptography (ASCL), secure key storage with erasure on tamper events, tamper pins, memory scrambling, secure packaging, and more. The SAMA5D2 is serious about security.

When faced with the added complexity of building a secure IoT device from the silicon up, inexperienced engineers have several online resources to draw on. Still, the learning curve is a challenge in itself, and time-to-market pressure adds to the angst of project managers and engineers confronting Arm TrustZone for the first time. To some, TrustZone can seem as inscrutable and daunting as doing taxes. A good tax program can be well worth its cost: work is still required of the user, but it is guided, and there is comfort in knowing that the program's developers are not only programmers but tax experts who have applied the deductions to your best advantage. Such tools exist for Arm TrustZone. Sequitur Labs, a small company that has built tools of this kind for the past three years, provides Microchip's SAMA5D2 users with the IoT Suite for SAMA5D2. The IoT Suite covers security throughout the life cycle, from product design and development through manufacture, provisioning and deployment, to customer interaction and operation of the device. In other words, Sequitur Labs has built a tool that makes it easier to implement security on top of Arm TrustZone.

Figure 2: Preconfigured to take advantage of Microchip SAMA5D2’s advanced security features, the IoT Security Suite makes it easy with simple APIs to access security components, pre-built security applications that include common use cases, and streamlined implementation of a secure domain. Source: Sequitur Labs.

The best news is that developers can use Sequitur Labs' IoT Suite in a generous trial (unlimited in time, for one board) with a Microchip SAMA5D2 Xplained Ultra development board (Rev B), creating as many applications on that target board as they want. Moving beyond the single trial board to the Sequitur development kit requires a fee. At production, the full license is purchased, and an unlimited number of products (of the same model and its derivatives), each with unique security keys, can be minted with the Suite, with no royalties required.

“The world has been learning that security must be more than an afterthought. First and foremost, security is not a one-point solution, it’s not a one-time thing on a product check list. Security has to flow through the life cycle of the device, right from the time you manufacture the device all the way to a time when you decommission it,” emphasizes Philip Attfield, CEO of Sequitur Labs. Security cannot be bolted on. It has to be built in. TrustZone is foundational to implementing a secure architecture.

Microchip’s SAMA5D2 microprocessor unit (MPU) is one such example of security in a low cost, tuned-for-IoT device. States Attfield, “Here’s a hardware platform with many security features. The qualities for embedded security are available, but how do you make them accessible? How do you make it easy?”

Figure 3: Microchip's SAMA5D2 Xplained Ultra (Rev B) board (ATSAMA5D2B-XULT) features an Arm Cortex®-A5 MPU with external memory, one Ethernet transceiver, an SD/MMC interface, one host and one device USB port, a 24-bit RGB LCD, debug interfaces, seven Arduino R3 Uno-compatible headers and two Xplained headers. Source: Microchip

When time is of the essence, climbing a learning curve unaided isn't always possible; time-to-market has become a critical-path item. Sequitur Labs set out to own this niche with Microchip by creating tools that accelerate development for selected processors equipped with Arm TrustZone.

“One of the more difficult hurdles to jump in accommodating TrustZone is that implementation on each SoC is unique. Additionally, integrating drivers to secure peripherals is also a daunting task,” states Attfield. “We have mitigated the task by packaging functionality that streamlines the activation of TrustZone. We also provide a suite of security applications covering 95% of what most device makers need to address security including trusted boot, secure storage, secure firmware update and firmware protection.”

Steps to IoT Security
The scope of Sequitur's IoT Suite mirrors what end-to-end IoT security requires if it is to deter all but the most dedicated attackers. Everyone has a stake, since trade secrets, employee information, emails and other data can be betrayed by a lowly, insufficiently secured IoT device that offers a way in and becomes the weak link in the chain. Attfield describes the point of such tools aptly: "The majority of the black box that is IoT Security (including Arm TrustZone) becomes a guided excursion, not a foray into the jungle with a machete…if you have some good tools."

Figure 4: Phil Attfield, CEO of Sequitur Labs, has more than 20 years' experience in computer engineering. Phil founded Signal 9 Solutions, a firm that pioneered firewalls, and served as CEO until the company was acquired by McAfee®.

Proper setup of TrustZone starts with the boot chain. The root of trust comes first: typically an immutable first-stage loader together with a key, or the hash of a key, held in one-time-programmable memory. From there each stage verifies the next, so the initial startup code, the Linux® kernel and any other embedded firmware are checked before they run. Firmware protection is part of the Sequitur process: the IoT Suite's tools help sign and encrypt the embedded firmware, so the device executes only firmware whose signature verifies (encryption alone hides the code; it is the signature check that authenticates it). Finally, a trusted device identity is established with a unique per-device certificate tied to that same root of trust, giving the device a strong identity for authentication.
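The chain just described, as an added example that is not code from the Sequitur IoT Suite or from Microchip's boot ROM: a Go model of a two-stage verified boot with anti-rollback, followed by a root-endorsed device certificate used in challenge-response authentication. The image format, the Ed25519 keys, the fused-hash check on the root key, and the `Scenario` helper are all assumptions made for this example; the SAMA5D2's real secure-boot image format differs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a constructed, simplified firmware image: payload, anti-rollback
// version, and an Ed25519 signature over version||payload.
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

func signingInput(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage stands in for the OEM's offline release tooling.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signingInput(version, payload))}
}

// VerifyStage is what each boot stage does before passing control on: authenticate
// the next image with a key it already trusts, then refuse anything older than the
// recorded minimum version (a fuse counter on real parts). Authenticate first, so
// unsigned input never reaches the version logic.
func VerifyStage(trusted ed25519.PublicKey, img Image, minVersion uint32) error {
	if !ed25519.Verify(trusted, signingInput(img.Version, img.Payload), img.Sig) {
		return errors.New("signature invalid, image not authenticated")
	}
	if img.Version < minVersion {
		return fmt.Errorf("rollback rejected, version %d < %d", img.Version, minVersion)
	}
	return nil
}

// Boot walks ROM -> bootloader -> kernel. The ROM trusts only the hash of the OEM
// root public key in fuses; the verified bootloader image carries, as its payload,
// the public key that signs kernels, so trust is extended one stage at a time.
func Boot(fusedRootHash [32]byte, rootPub ed25519.PublicKey, bootloader, kernel Image, minVersion uint32) ([]byte, error) {
	if sha256.Sum256(rootPub) != fusedRootHash {
		return nil, errors.New("ROM: root key does not match fused hash")
	}
	if err := VerifyStage(rootPub, bootloader, minVersion); err != nil {
		return nil, fmt.Errorf("ROM: bootloader %w", err)
	}
	if len(bootloader.Payload) < ed25519.PublicKeySize {
		return nil, errors.New("bootloader: image carries no kernel key")
	}
	kernelPub := ed25519.PublicKey(bootloader.Payload[:ed25519.PublicKeySize])
	if err := VerifyStage(kernelPub, kernel, minVersion); err != nil {
		return nil, fmt.Errorf("bootloader: kernel %w", err)
	}
	return kernel.Payload, nil
}

// DeviceCert is a minimal device identity: the device public key endorsed by the
// same OEM root key at provisioning time, so identity chains to the root of trust.
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	Endorse   []byte // root signature over DevicePub
}

// Authenticate is one direction of a challenge-response: check that the certificate
// chains to the trusted root, then that the peer signed our fresh nonce. Running it
// in both directions gives mutual authentication.
func Authenticate(rootPub ed25519.PublicKey, cert DeviceCert, nonce, response []byte) error {
	if !ed25519.Verify(rootPub, cert.DevicePub, cert.Endorse) {
		return errors.New("certificate not endorsed by trusted root")
	}
	if !ed25519.Verify(cert.DevicePub, nonce, response) {
		return errors.New("peer does not hold the certified private key")
	}
	return nil
}

// Scenario builds fresh keys and images, optionally corrupts the kernel, and
// returns what Boot would allow to run.
func Scenario(tamperKernel bool, kernelVersion, minVersion uint32) ([]byte, error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	kernelPub, kernelPriv, _ := ed25519.GenerateKey(rand.Reader)
	bootloader := SignImage(rootPriv, 1, kernelPub)
	kernel := SignImage(kernelPriv, kernelVersion, []byte("kernel-image"))
	if tamperKernel {
		kernel.Payload = []byte("kernel-imagX") // one byte changed, signature unchanged
	}
	return Boot(sha256.Sum256(rootPub), rootPub, bootloader, kernel, minVersion)
}

func main() {
	_, err := Scenario(true, 2, 1)
	fmt.Println("tampered kernel:", err)
	_, err = Scenario(false, 1, 2)
	fmt.Println("old kernel:", err)
}
```

Two points worth noticing in the model. The ROM never holds the root public key itself, only its hash, so the key can travel with the image while a different key is still rejected; and the version check sits after the signature check, because an attacker who can reach the rollback logic with an unauthenticated image could otherwise use it as an oracle or a denial-of-service lever.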

The IoT Suite continues the process by assisting with the set-up and deployment of secure storage. Code and data, including keys and algorithms, are kept in-system encrypted under device-unique keys; that is, data is encrypted inside the TEE and can be decrypted only by the Trusted Application authorized to use it. Authentication comes next. Encryption gives communications with cloud services and servers their privacy, but it is only meaningful if each end knows who the other is, so both parties authenticate each other using public-private key pairs: each proves possession of its private key and each verifies the other's certificate before any data is accepted.
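Sealed storage as the paragraph describes it, written as an added example rather than the IoT Suite's own API: each Trusted Application gets a key derived from a device-unique secret, and the application's identity is bound into the ciphertext so that one application cannot unseal another's data, and a blob moved to a different device cannot be opened at all. The device secret, the `seal-v1` label, the HMAC-based derivation and the application names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealKey derives a per-application key from the device-unique secret, which in
// a real deployment never leaves secure key storage. HMAC-SHA256 serves as the
// derivation PRF; the label binds the key to the calling Trusted Application.
func sealKey(deviceSecret []byte, appID string) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("seal-v1:" + appID))
	return mac.Sum(nil) // 32 bytes, so AES-256 below
}

func newGCM(deviceSecret []byte, appID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sealKey(deviceSecret, appID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for appID with AES-256-GCM and returns nonce||ciphertext||tag.
// appID also goes into the additional authenticated data, so a blob presented under
// another application's name fails authentication rather than decrypting to garbage.
func Seal(deviceSecret []byte, appID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(deviceSecret, appID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(appID)), nil
}

// Unseal reverses Seal. A wrong device secret, a wrong appID, or a modified byte
// anywhere in the blob makes the tag check fail, and nothing is returned.
func Unseal(deviceSecret []byte, appID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(deviceSecret, appID)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(appID))
	if err != nil {
		return nil, errors.New("unseal failed: wrong application, wrong device, or tampered blob")
	}
	return pt, nil
}

func main() {
	secret := make([]byte, 32) // constructed stand-in for the fused device secret
	rand.Read(secret)
	blob, _ := Seal(secret, "payment-ta", []byte("card-signing-key"))
	_, err := Unseal(secret, "dictionary-ta", blob)
	fmt.Println("other application:", err)
	pt, _ := Unseal(secret, "payment-ta", blob)
	fmt.Printf("owning application: %s\n", pt)
}
```

One caveat a practitioner should carry into a real implementation: GCM with random 96-bit nonces is safe only while the number of seals under one key stays far below 2^32, because a repeated nonce under the same key breaks both confidentiality and integrity. For a key that will seal many records over a device's lifetime, keep a monotonic counter in secure storage and use it as the nonce, or derive a fresh key per record.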
