Linaro, profile picture
Uploaded byLinaro
PDF, PPTX1,591 views

BKK16-200 Designing Security into low cost IO T Systems

This document discusses security considerations for Internet of Things (IoT) systems. It outlines various security risks for IoT devices like weak cryptography, default passwords, and lack of device renewability. It then describes how security can be built into IoT systems at different levels, including device hardware with features like ARM TrustZone, software like mbed OS and mbedTLS, and cloud management platforms. The document advocates for an end-to-end secure IoT framework provided through collaboration between ARM and Linaro.

Embed presentation

Download as PDF, PPTX
Designing security into low cost IoT systems JimWallace Linaro Connect, Bangkok 2016 Director, SSG Marketing 8th March 2016
© ARM 20152 Connectivity EfficiencyManagementProductivity Security From Sensors to Servers
© ARM 20153 IoT is going everywhere Weak crypto, protocols Default Passwords No Passwords Hacked Devices Weak crypto Hacked device keys Side-channel attacks Memory bus probing No device renewability Software attacks After hours cloning Stolen keys Weak Protocols Base Stations Weakness in protocol No renewability Smart Meter Data ServersKeyServer Silicon/OEM Manufacturing Sensors/Devices Risks are hard to predict
© ARM 20154 Ultra-low cost Low cost BBC micro:bit BT Smart beacon Rich BT Smart Thread node BT Smart Device SW Capabilities IP +TLS mbed OS uVisor Management Security Firmware OTA ARMv6-M ARMv8-M Baseline TRNG + Crypto Device HW Resources ARMv8-M Mainline ARMv7-M with MPU Generic WiFi node Gateway Cortex-A Class TRNG + Crypto + GPU +VPU IP +TLS OP-TEE Management Security Firmware over-the-air Rich UI/Multimedia mbed OS / RTOS Linux / Rich OS IoT - From Cortex-M to Cortex-A class devices Intelligent Connected Secure
© ARM 20155 Evolution of IoT driving need for generic devices  Local intelligence enables: Camera/microphone/other sensors  Raw data does not need to be sent to the cloud, only processed meta- data is being sent  Reduced data bandwidth, transfer overhead and processing latency to/from cloud  Increased security Face Detection Arm/Disarm Motion Sensor Voice recognition Breaking Glass Communication
© ARM 20156 Security in IoT end points  Device management  Support for bootstrapping / provisioning / Behaviour monitoring…  Keep firmware up-to-date  Device integrity  Protect from untrusted S/W  Allow recovery from attack  Asset protection  Prevent access to certain resources  Data security  Keep data confidential  Prevent data alteration  Physical Security  Anti-tampering Device security Communications security Management security  Link encryption  Prevent eavesdroppers listening  Authentication  Identity of endpoint / server
©ARM 20157 Security must be built into all stages of the system
© ARM 20158  mbed Device Connector eases development, management and scaling of IoT  Available at https://connector.mbed.com  Management security implemented via standards such as OMA LWM2M Management security: mbed Device Connector Build IoT Device Connect your devices Build application with example code Utilize cloud solutions
© ARM 20159 Hardware Interfaces mbed OS uVisor mbed OS Core Schedulers mbed OS API Communication Management Device Management mbed TLS mbed Client IP Stack BLE APIEvent TasksEnergy Application Code Libraries uVisor Management SecuritySecure Drivers ARM Cortex-M CPU Crypto SensorRadio SW Crypto Thread API mbed OS 15.11  mbed OS is a modular, secure, efficient, open source OS for IoT  Connects to mbed Device Connector mbed OS Drivers Device DriversCMSIS-Core Debug Support Thread BLE6LoWPAN uVisor secure isolation MPU Communication Security Management Security Device Security
© ARM 201510 Device Connector Support Protocol Implementations: LWM2M, CoAP, HTTP Channel Security Implementations: TLS, DTLS Client Library Port mbed OS or RTOS / Linux + Networking mbed Client C++ API Application and Service Integration mbed Client  Connects to mbed Device Connector  Included as part of mbed OS, also portable to other platforms including Linux and third party RTOS  Implements protocols and support for securely publishing resources (e.g. sensor data), and managing the device from the cloud
© ARM 201511 Communication security: mbedTLS  Fully-fledged SSL /TLS / DTLS Library  Developer friendly: Clean API and documentation  Open Source under Apache 2.0 license at https://tls.mbed.org/  Suitable for use on Cortex-M and Cortex-A processors based targets Transport Security Symmetric Encryption Public Key Algorithms Hash Algorithms Random Number Generation X.509 Certificate Handling TLS/DTLS, etc AES, etc ECDHE, ECDSA, etc SHA, etc Entropy pool, CTR_DEBUG, etc ✔ https://tls.mbed.org/security
© ARM 201512 Device security services in low cost devices  Existing IoT solutions use flat address spaces with little privilege separation  Especially on microcontrollers  Mitigating strategy to split security domains into  Exposed code  Protected critical code Security Foundation • Cryptography • Key Management • Secure Identity • … Critical (secure world) Remainder of mbed OS • Scheduler • HAL + Drivers • Connectivity stack(s) • … Exposed (Normal world) mbed OS uVisor Hardware Interfaces ARM Cortex-M CPU Crypto SensorRadio MPU
© ARM 201513 TrustZone for low cost ARMv8-M IoT platforms  The ARMv8-M architecture introduces secure and non-secure code execution  Code running in non-secure memory can only access non-secure devices and memory  Code running in secure memory can access whole address space  So low cost devices can  Have trusted code & Apps in secure memory  Can have non trusted applications installed in non secure memory safe in the knowledge that they cannot be used to attack the system  CryptoCell augmentsTrustZone  Providing a range of security subsystems for acceleration and offloading Non Secure App Secure App/Libs SECURE WORLDNORMAL WORLD Non Secure RTOS Secure RTOS TrustZone AMBA 5 AHB5 Microcontroller -310 Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-310
© ARM 201514 TrustZone technology for every IoT platform Non Secure App Secure App Secure Monitor SECURE WORLDNORMAL WORLD Rich OS. e.g. Linux Secure OS Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-710 AMBA AXI Apps Processor Non Secure App Secure App/Libs SECURE WORLDNORMAL WORLD Non Secure RTOS Secure RTOS TrustZone AMBA 5 AHB5 Microcontroller -310 Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-310
© ARM 201515 Trusted Firmware, OP-TEE reduce fragmentation  SecureWorld foundations for ARMv8-A:  Trusted Board Boot  Secure World runtime – world switch, interrupt routing, PSCI, SMC handling  Open source projects on GitHub https://github.com/ARM-software/arm- trusted-firmware https://github.com/OP-TEE  v1.2 (December)  + Trusted Boot baseline features  + PSCI v1.0 key optional features  + OS vendor alignment  GICv3 drivers ARM Trusted Firmware EL3 SoC/platform port Normal World OS EL1/EL2 OP-TEE OS Secure-EL1 OP-TEE Dispatcher OP-TEEprotocol andmechanism Trusted App Secure-EL0 App EL0 OP-TEE Linux driver OP-TEE client OP-TEEprotocolviaSM C viaioctl Porting interface between Trusted Firmware and SoC/ platform Interface between Trusted Firmware and Trusted OS Dispatcher ARM Trusted Firmware Trusted OS supplier SoC supplier OS/hypervisor supplier Trusted App supplier Internal TOS interface
© ARM 201516 ARM TrustZone CryptoCell  TrustZone,TEE and CryptoCell provide platform level security  with a hardware Root of Trust /Trust Anchor for the system  Crypto acceleration  TRNG  Configurable to target application – right size  Enhances usability e.g. time for DTLS handshake & door lock to open  Simplifies security implementations Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell
© ARM 201517 LITE using this to enable a security foundation Efficient Crypto Robust Protocols Device Health Checks TLS Secure Manufacturing Line Strong Crypto Secure Meter Renewability Key Rotation Secure Key Provisioning End-to-End Security Silicon/OEM Manufacturing Hardware Root of Trust Secure Boot Trusted Execution Environment Trusted Firmware Secure Clocks/Counters, Anti-Rollback Secure Key Storage, Robust Crypto Data Servers Secure Key Server Secure Base Stations Strong ID/Trusted UI Memory Isolation FOTA HW-RoT TEE
© ARM 201518 Imagine a world where…  From the wide choice of ARM-based devices, you chose the perfect one for you  Price, performance, power, form, security etc.  And what software you ran on it was up to you…  Android / Brillo, BSD, CentOS, ChromeOS, RHEL, SUSE, Tizen, Snappy Ubuntu, Windows, Yocto/OE, etc …or something we haven’t even thought of yet  But once you made that choice, it should all just work!  ARM & Linaro are committed to making this happen
© ARM 201519 Linaro and ARM providing the foundation for IoT  ARM working with Linaro to provide an end-to-end open source IoT framework for specific IoT implementations  ARM part of LITEWG  “Place to collaborate on ARM architecture for IoT”, enabling  Software solutions from Cortex-M to Cortex-A based platforms
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. Copyright © 2016 ARM Limited

More Related Content

PPTX
Crypto Performance on ARM Cortex-M Processors
byHannes Tschofenig
 
PDF
BKK16-100K2 ARM Research - Sensors to Supercomputers
byLinaro
 
PPTX
Advancing IoT Communication Security with TLS and DTLS v1.3
byHannes Tschofenig
 
PDF
Practical real-time operating system security for the masses
byMilosch Meriac
 
PPTX
Measuring the Performance and Energy Cost of Cryptography in IoT Devices
byHannes Tschofenig
 
PDF
LAS16-112: mbed OS Technical Overview
byLinaro
 
PPTX
LAS16-203: Platform security architecture for embedded devices
byLinaro
 
PPTX
The Role of Standards in IoT Security
byHannes Tschofenig
 
Crypto Performance on ARM Cortex-M Processors
byHannes Tschofenig
 
BKK16-100K2 ARM Research - Sensors to Supercomputers
byLinaro
 
Advancing IoT Communication Security with TLS and DTLS v1.3
byHannes Tschofenig
 
Practical real-time operating system security for the masses
byMilosch Meriac
 
Measuring the Performance and Energy Cost of Cryptography in IoT Devices
byHannes Tschofenig
 
LAS16-112: mbed OS Technical Overview
byLinaro
 
LAS16-203: Platform security architecture for embedded devices
byLinaro
 
The Role of Standards in IoT Security
byHannes Tschofenig
 

What's hot

PDF
How to Select Hardware for Internet of Things Systems?
byHannes Tschofenig
 
PDF
Developing functional safety systems with arm architecture solutions stroud
byArm
 
PPTX
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
byarmmbed
 
PDF
The importance of strong entropy for iot
byArm
 
PDF
Standardizing the tee with global platform and RISC-V
byRISC-V International
 
PDF
Introduction to ARM mbed-OS 3.0 uvisor
byViller Hsiao
 
PDF
Software development in ar mv8 m architecture - yiu
byArm
 
PDF
So you think developing an SoC needs to be complex or expensive?
byArm
 
PDF
High end security for low-end microcontrollers
byMilosch Meriac
 
PDF
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
byLinaro
 
PPTX
RISC-V 30906 hex five multi_zone iot firmware
byRISC-V International
 
PPTX
Sagar Kadam, Lead Software Engineer, Open-Silicon
bychiportal
 
PPTX
Data on the move a RISC-V opportunity
byRISC-V International
 
PPTX
RISC-V: The Open Era of Computing
byRISC-V International
 
PDF
LAS16-100K1: Welcome Keynote
byLinaro
 
PPTX
mbed Connect Asia 2016 mbed HDK From prototype to production
byarmmbed
 
PDF
Efficient software development with heterogeneous devices
byArm
 
PPTX
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
byRISC-V International
 
PDF
#OSSPARIS19 : RIOT: towards open source, secure DevOps on microcontroller-bas...
byParis Open Source Summit
 
PDF
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
byMichelle Holley
 
How to Select Hardware for Internet of Things Systems?
byHannes Tschofenig
 
Developing functional safety systems with arm architecture solutions stroud
byArm
 
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
byarmmbed
 
The importance of strong entropy for iot
byArm
 
Standardizing the tee with global platform and RISC-V
byRISC-V International
 
Introduction to ARM mbed-OS 3.0 uvisor
byViller Hsiao
 
Software development in ar mv8 m architecture - yiu
byArm
 
So you think developing an SoC needs to be complex or expensive?
byArm
 
High end security for low-end microcontrollers
byMilosch Meriac
 
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
byLinaro
 
RISC-V 30906 hex five multi_zone iot firmware
byRISC-V International
 
Sagar Kadam, Lead Software Engineer, Open-Silicon
bychiportal
 
Data on the move a RISC-V opportunity
byRISC-V International
 
RISC-V: The Open Era of Computing
byRISC-V International
 
LAS16-100K1: Welcome Keynote
byLinaro
 
mbed Connect Asia 2016 mbed HDK From prototype to production
byarmmbed
 
Efficient software development with heterogeneous devices
byArm
 
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
byRISC-V International
 
#OSSPARIS19 : RIOT: towards open source, secure DevOps on microcontroller-bas...
byParis Open Source Summit
 
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
byMichelle Holley
 

Viewers also liked

PDF
Resilient IoT Security: The end of flat security models
byMilosch Meriac
 
PDF
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
byLinaro
 
PPTX
mbed Connect Asia 2016 Securing IoT with the ARM mbed ecosystem
byarmmbed
 
PDF
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 
PDF
Track 5 session 2 - st dev con 2016 - security iot best practices
byST_World
 
PDF
The 5 elements of IoT security
byJulien Vermillard
 
PDF
Foto denuncia estado via publica a 2 de febrero de 2013
byPSOE FUENTE DEL MAESTRE
 
PDF
A Modern View of Smart Cards Security
byIlia Levin
 
PDF
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
byCyren, Inc
 
PDF
Mr201303 trust zone
byFFRI, Inc.
 
PDF
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
byLinaro
 
PDF
BKK16-309A Open Platform support in UEFI
byLinaro
 
PDF
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
byLinaro
 
PDF
IoT Meets Security
bySamsung Open Source Group
 
PDF
LAS16-306: Exploring the Open Trusted Protocol
byLinaro
 
PPTX
LAS16-300K2: Geoff Thorpe - IoT Zephyr
byShovan Sargunam
 
PDF
UX and Security for the IoT
byKevin Rohling
 
PDF
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
PDF
Tower defense for hackers: Layered (in-)security for microcontrollers
byMilosch Meriac
 
PDF
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
byLinaro
 
Resilient IoT Security: The end of flat security models
byMilosch Meriac
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
byLinaro
 
mbed Connect Asia 2016 Securing IoT with the ARM mbed ecosystem
byarmmbed
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 
Track 5 session 2 - st dev con 2016 - security iot best practices
byST_World
 
The 5 elements of IoT security
byJulien Vermillard
 
Foto denuncia estado via publica a 2 de febrero de 2013
byPSOE FUENTE DEL MAESTRE
 
A Modern View of Smart Cards Security
byIlia Levin
 
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
byCyren, Inc
 
Mr201303 trust zone
byFFRI, Inc.
 
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
byLinaro
 
BKK16-309A Open Platform support in UEFI
byLinaro
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
byLinaro
 
IoT Meets Security
bySamsung Open Source Group
 
LAS16-306: Exploring the Open Trusted Protocol
byLinaro
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
byShovan Sargunam
 
UX and Security for the IoT
byKevin Rohling
 
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
Tower defense for hackers: Layered (in-)security for microcontrollers
byMilosch Meriac
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
byLinaro
 

Similar to BKK16-200 Designing Security into low cost IO T Systems

PDF
A practical approach to securing embedded and io t platforms
byArm
 
PPTX
04-ARM mbed IOT Device Introduction.pptx
byMohammed Moufti
 
PPTX
Security for io t apr 29th mentor embedded hangout
bymentoresd
 
PPTX
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
byLinaro
 
PDF
Building IoT devices with ARM mbed - RISE Manchester
byJan Jongboom
 
PPTX
mbed Connect Asia 2016 Intro to mbed OS
byarmmbed
 
PDF
1.devtrack1-mbed-connect-2016-asia-intro-to-mbed-os-mihail-xiao.pdf
byPabloGindel1
 
PDF
LCU13: An Introduction to ARM Trusted Firmware
byLinaro
 
PPTX
mbed Connect Asia 2016 Developing IoT endpoints with mbed client
byarmmbed
 
PDF
How to fast track your Internet of Thing deployments?
byBijal (Bee) Hayes-Thakore
 
PDF
HKG18-212 - Trusted Firmware M: Introduction
byLinaro
 
PPTX
ASDF WSS 2014 Keynote Speech 1
byAssociation of Scientists, Developers and Faculties
 
PDF
Survey of Operating Systems for the IoT Environment
byEswar Publications
 
PDF
Dec.20.2019, Arduino based on Mbed os
byDaniel Lee
 
PPTX
Simon Ford - ARM and the Open Internet of Things
byBusiness of Software Conference
 
PDF
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
PDF
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
byLinaro
 
PDF
LAS16 100 K1 - Keynote George Grey
by96Boards
 
PDF
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
bysatyabratmallaBujarb
 
PPTX
Lecture01_IntroductionToTheInternetOfThings.pptx
byarabnuradin
 
A practical approach to securing embedded and io t platforms
byArm
 
04-ARM mbed IOT Device Introduction.pptx
byMohammed Moufti
 
Security for io t apr 29th mentor embedded hangout
bymentoresd
 
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
byLinaro
 
Building IoT devices with ARM mbed - RISE Manchester
byJan Jongboom
 
mbed Connect Asia 2016 Intro to mbed OS
byarmmbed
 
1.devtrack1-mbed-connect-2016-asia-intro-to-mbed-os-mihail-xiao.pdf
byPabloGindel1
 
LCU13: An Introduction to ARM Trusted Firmware
byLinaro
 
mbed Connect Asia 2016 Developing IoT endpoints with mbed client
byarmmbed
 
How to fast track your Internet of Thing deployments?
byBijal (Bee) Hayes-Thakore
 
HKG18-212 - Trusted Firmware M: Introduction
byLinaro
 
ASDF WSS 2014 Keynote Speech 1
byAssociation of Scientists, Developers and Faculties
 
Survey of Operating Systems for the IoT Environment
byEswar Publications
 
Dec.20.2019, Arduino based on Mbed os
byDaniel Lee
 
Simon Ford - ARM and the Open Internet of Things
byBusiness of Software Conference
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
byLinaro
 
LAS16 100 K1 - Keynote George Grey
by96Boards
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
bysatyabratmallaBujarb
 
Lecture01_IntroductionToTheInternetOfThings.pptx
byarabnuradin
 

More from Linaro

PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
PDF
HKG18-318 - OpenAMP Workshop
byLinaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
PDF
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
byLinaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
byLinaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
byLinaro
 
Bud17 113: distribution ci using qemu and open qa
byLinaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
byLinaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
byLinaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
byLinaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
byLinaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
byLinaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
HKG18-100K1 - George Grey: Opening Keynote
byLinaro
 
HKG18-318 - OpenAMP Workshop
byLinaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
byLinaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
byLinaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
byLinaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
byLinaro
 
HKG18-113- Secure Data Path work with i.MX8M
byLinaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
byLinaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
byLinaro
 

Recently uploaded

PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
AI Technology important knowledge ......
byutkarshj2007
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
December Patch Tuesday
byIvanti
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 

BKK16-200 Designing Security into low cost IO T Systems

  • 1.
    Designing security intolow cost IoT systems JimWallace Linaro Connect, Bangkok 2016 Director, SSG Marketing 8th March 2016
  • 2.
    © ARM 20152 ConnectivityEfficiencyManagementProductivity Security From Sensors to Servers
  • 3.
    © ARM 20153 IoTis going everywhere Weak crypto, protocols Default Passwords No Passwords Hacked Devices Weak crypto Hacked device keys Side-channel attacks Memory bus probing No device renewability Software attacks After hours cloning Stolen keys Weak Protocols Base Stations Weakness in protocol No renewability Smart Meter Data ServersKeyServer Silicon/OEM Manufacturing Sensors/Devices Risks are hard to predict
  • 4.
    © ARM 20154 Ultra-lowcost Low cost BBC micro:bit BT Smart beacon Rich BT Smart Thread node BT Smart Device SW Capabilities IP +TLS mbed OS uVisor Management Security Firmware OTA ARMv6-M ARMv8-M Baseline TRNG + Crypto Device HW Resources ARMv8-M Mainline ARMv7-M with MPU Generic WiFi node Gateway Cortex-A Class TRNG + Crypto + GPU +VPU IP +TLS OP-TEE Management Security Firmware over-the-air Rich UI/Multimedia mbed OS / RTOS Linux / Rich OS IoT - From Cortex-M to Cortex-A class devices Intelligent Connected Secure
  • 5.
    © ARM 20155 Evolutionof IoT driving need for generic devices  Local intelligence enables: Camera/microphone/other sensors  Raw data does not need to be sent to the cloud, only processed meta- data is being sent  Reduced data bandwidth, transfer overhead and processing latency to/from cloud  Increased security Face Detection Arm/Disarm Motion Sensor Voice recognition Breaking Glass Communication
  • 6.
    © ARM 20156 Securityin IoT end points  Device management  Support for bootstrapping / provisioning / Behaviour monitoring…  Keep firmware up-to-date  Device integrity  Protect from untrusted S/W  Allow recovery from attack  Asset protection  Prevent access to certain resources  Data security  Keep data confidential  Prevent data alteration  Physical Security  Anti-tampering Device security Communications security Management security  Link encryption  Prevent eavesdroppers listening  Authentication  Identity of endpoint / server
  • 7.
    ©ARM 20157 Security mustbe built into all stages of the system
  • 8.
    © ARM 20158 mbed Device Connector eases development, management and scaling of IoT  Available at https://connector.mbed.com  Management security implemented via standards such as OMA LWM2M Management security: mbed Device Connector Build IoT Device Connect your devices Build application with example code Utilize cloud solutions
  • 9.
    © ARM 20159 HardwareInterfaces mbed OS uVisor mbed OS Core Schedulers mbed OS API Communication Management Device Management mbed TLS mbed Client IP Stack BLE APIEvent TasksEnergy Application Code Libraries uVisor Management SecuritySecure Drivers ARM Cortex-M CPU Crypto SensorRadio SW Crypto Thread API mbed OS 15.11  mbed OS is a modular, secure, efficient, open source OS for IoT  Connects to mbed Device Connector mbed OS Drivers Device DriversCMSIS-Core Debug Support Thread BLE6LoWPAN uVisor secure isolation MPU Communication Security Management Security Device Security
  • 10.
    © ARM 201510 DeviceConnector Support Protocol Implementations: LWM2M, CoAP, HTTP Channel Security Implementations: TLS, DTLS Client Library Port mbed OS or RTOS / Linux + Networking mbed Client C++ API Application and Service Integration mbed Client  Connects to mbed Device Connector  Included as part of mbed OS, also portable to other platforms including Linux and third party RTOS  Implements protocols and support for securely publishing resources (e.g. sensor data), and managing the device from the cloud
  • 11.
    © ARM 201511 Communicationsecurity: mbedTLS  Fully-fledged SSL /TLS / DTLS Library  Developer friendly: Clean API and documentation  Open Source under Apache 2.0 license at https://tls.mbed.org/  Suitable for use on Cortex-M and Cortex-A processors based targets Transport Security Symmetric Encryption Public Key Algorithms Hash Algorithms Random Number Generation X.509 Certificate Handling TLS/DTLS, etc AES, etc ECDHE, ECDSA, etc SHA, etc Entropy pool, CTR_DEBUG, etc ✔ https://tls.mbed.org/security
  • 12.
    © ARM 201512 Devicesecurity services in low cost devices  Existing IoT solutions use flat address spaces with little privilege separation  Especially on microcontrollers  Mitigating strategy to split security domains into  Exposed code  Protected critical code Security Foundation • Cryptography • Key Management • Secure Identity • … Critical (secure world) Remainder of mbed OS • Scheduler • HAL + Drivers • Connectivity stack(s) • … Exposed (Normal world) mbed OS uVisor Hardware Interfaces ARM Cortex-M CPU Crypto SensorRadio MPU
  • 13.
    © ARM 201513 TrustZonefor low cost ARMv8-M IoT platforms  The ARMv8-M architecture introduces secure and non-secure code execution  Code running in non-secure memory can only access non-secure devices and memory  Code running in secure memory can access whole address space  So low cost devices can  Have trusted code & Apps in secure memory  Can have non trusted applications installed in non secure memory safe in the knowledge that they cannot be used to attack the system  CryptoCell augmentsTrustZone  Providing a range of security subsystems for acceleration and offloading Non Secure App Secure App/Libs SECURE WORLDNORMAL WORLD Non Secure RTOS Secure RTOS TrustZone AMBA 5 AHB5 Microcontroller -310 Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-310
  • 14.
    © ARM 201514 TrustZonetechnology for every IoT platform Non Secure App Secure App Secure Monitor SECURE WORLDNORMAL WORLD Rich OS. e.g. Linux Secure OS Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-710 AMBA AXI Apps Processor Non Secure App Secure App/Libs SECURE WORLDNORMAL WORLD Non Secure RTOS Secure RTOS TrustZone AMBA 5 AHB5 Microcontroller -310 Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell-310
  • 15.
    © ARM 201515 TrustedFirmware, OP-TEE reduce fragmentation  SecureWorld foundations for ARMv8-A:  Trusted Board Boot  Secure World runtime – world switch, interrupt routing, PSCI, SMC handling  Open source projects on GitHub https://github.com/ARM-software/arm- trusted-firmware https://github.com/OP-TEE  v1.2 (December)  + Trusted Boot baseline features  + PSCI v1.0 key optional features  + OS vendor alignment  GICv3 drivers ARM Trusted Firmware EL3 SoC/platform port Normal World OS EL1/EL2 OP-TEE OS Secure-EL1 OP-TEE Dispatcher OP-TEEprotocol andmechanism Trusted App Secure-EL0 App EL0 OP-TEE Linux driver OP-TEE client OP-TEEprotocolviaSM C viaioctl Porting interface between Trusted Firmware and SoC/ platform Interface between Trusted Firmware and Trusted OS Dispatcher ARM Trusted Firmware Trusted OS supplier SoC supplier OS/hypervisor supplier Trusted App supplier Internal TOS interface
  • 16.
    © ARM 201516 ARMTrustZone CryptoCell  TrustZone,TEE and CryptoCell provide platform level security  with a hardware Root of Trust /Trust Anchor for the system  Crypto acceleration  TRNG  Configurable to target application – right size  Enhances usability e.g. time for DTLS handshake & door lock to open  Simplifies security implementations Asymmetric Crypto Symmetric Crypto Data interface Security resources Roots oftrust Always On Control interface CryptoCell
  • 17.
    © ARM 201517 LITEusing this to enable a security foundation Efficient Crypto Robust Protocols Device Health Checks TLS Secure Manufacturing Line Strong Crypto Secure Meter Renewability Key Rotation Secure Key Provisioning End-to-End Security Silicon/OEM Manufacturing Hardware Root of Trust Secure Boot Trusted Execution Environment Trusted Firmware Secure Clocks/Counters, Anti-Rollback Secure Key Storage, Robust Crypto Data Servers Secure Key Server Secure Base Stations Strong ID/Trusted UI Memory Isolation FOTA HW-RoT TEE
  • 18.
    © ARM 201518 Imaginea world where…  From the wide choice of ARM-based devices, you chose the perfect one for you  Price, performance, power, form, security etc.  And what software you ran on it was up to you…  Android / Brillo, BSD, CentOS, ChromeOS, RHEL, SUSE, Tizen, Snappy Ubuntu, Windows, Yocto/OE, etc …or something we haven’t even thought of yet  But once you made that choice, it should all just work!  ARM & Linaro are committed to making this happen
  • 19.
    © ARM 201519 Linaroand ARM providing the foundation for IoT  ARM working with Linaro to provide an end-to-end open source IoT framework for specific IoT implementations  ARM part of LITEWG  “Place to collaborate on ARM architecture for IoT”, enabling  Software solutions from Cortex-M to Cortex-A based platforms
  • 20.
    The trademarks featuredin this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. Copyright © 2016 ARM Limited