© ARM 2016

Page 1: How to protect Automotive systems with ARM Security Architecture

Thanks to this app you can manoeuvre the new “Forpel” using your smartphone!

Too bad it’s not my car

Page 2: Successful products will be attacked

§ Attack surface is ever expanding – more networked MCUs are interacting
§ Cars are becoming more vulnerable:
  § Greater computer interaction with steering, brakes…
  § Remote wireless connectivity and remote interaction
  § Bridges to the Controller Area Network (CAN)
§ Attackers have the privilege of selecting where to attack
§ Security researchers are willing to spend years on high-profile attacks

“Since these remote attacks will necessarily be multi-stage, we recommend a defense in depth strategy”
– Survey of remote automotive attack surfaces, Miller & Valasek

Page 3: Connected to the Internet & CAN (diagram)

Page 4: Security principles for automotive (diagram)

§ Device Security
§ Communications Security
§ Lifecycle Security

Diagram labels: trusted software, non-trusted vs trusted, crypto root of trust, trusted hardware, secure system, secure storage

Page 5: Layers of security to protect your system (diagram; axes: cost/effort to attack vs cost/effort to secure)

SW & HW Attacks
  • Physical access to device – JTAG, bus, IO pins
  • Time, money & equipment
Software Attacks
  • Buffer overflows
  • Interrupts
  • Malware
Communication Attacks
  • Man In The Middle
  • Weak RNG (Random Number Generator)
  • Code vulnerabilities

Security layers shown:
  • Transport Layer Security (TLS)
  • Trusted Execution Environment (TEE)
  • Security Subsystem & HSM (HSM = Hardware Security Module)
  • Secure Element

Page 6: Layers of security to protect your system – ARM offerings (diagram; same attack layers and axes as page 5)

ARM offering for each security layer:
  • mbed TLS
  • TrustZone® TEE or SPM*
  • CryptoCell
  • SecurCore™

* SPM = Secure Partitioning Manager

Page 7: Establishing trust and integrity based on hardware (diagram)

§ Provisioned keys/certs
§ Initial Root of Trust: dependable security functions
§ Extended Root of Trust, e.g. TrustZone® based Secure Partitioning Manager or TEE
§ Trusted Apps/Libs
§ RTOS, Apps

Diagram layers: Keys; iROT (TrustZone, CryptoCell); Trusted Software (TrustZone SPM or TEE); OS/RTOS; Apps

Page 8: Ideally a RoT lives in an isolated security subsystem… (diagram)

Security subsystem: highly evaluated code developed by security specialists & built in by the silicon vendor

Page 9: …and provides trustworthy services to a hardware isolated TEE (diagram)

TrustZone® divides the system into:
§ Normal World: the IoT developer writes apps on top of his/her chosen RTOS
§ Secure World (TCB) = trusted code (mostly libs) provided by MDK, IoT platform or ISV + trusted hardware
§ Security subsystem, implemented as a trusted peripheral: highly evaluated code developed by security specialists & built in by the silicon vendor

Page 10: ARM TrustZone® Technology in 3 Steps

1. Define secure hardware architecture
   § Two separate domains: normal and secure
   § Extends across the system: processor, interrupts, peripherals, memory, key storage, counters…
2. Implement in silicon System on Chip (SoC)
   § Enforcing secure/normal separation in hardware
3. Combine SoC with Trusted Software
   § Trusted Boot & Firmware
   § Trusted OS / Secure Partitioning Manager

Result: A Trusted Execution Environment (TEE)
§ Ready to develop and deploy trusted services

Diagram: one CPU, NORMAL side running a Rich OS, SECURE side running a Trusted OS (the Trusted Execution Environment)

Page 11: Security on Apps processors (e.g. IVI): Defence in depth (diagram)

Layers, from hardware up:
§ Initial ROT & security subsystem: CryptoCell Security Services Platform, Physical IP, ARM Cortex-A SoC system, hardware interfaces
§ Trusted Firmware (EL3): Trusted Boot, Payload Dispatcher, SMCCC, PSCI
§ TrustZone® based TEE: Trusted OS, Secure Device Drivers, Trusted Apps (FIDO, Integrity)
§ Normal World code: Hypervisor (EL2), Rich OS with Device Drivers and Comms Stack (EL1), Apps/User (EL0)

GlobalPlatform standardisation: https://www.globalplatform.org

Page 12: SW platforms require security functions… (diagram; graphics by Genivi® Cooperation, www.genivi.org)

Page 13: Security functions are mapped to security layers (diagram)

Same layer stack as page 11 (Initial ROT & security subsystem with CryptoCell Security Services Platform, Trusted Firmware at EL3, TrustZone® based TEE, Normal World code at EL2/EL1/EL0), with security functions placed on it: FOTA and Anomaly detection as Trusted Apps in the TEE; Anomaly detection, HSM and Crypto alongside CryptoCell in the lower layers.

Page 14: Example: Strong Authentication via FIDO*

§ Only allow authenticated users to interact
§ No passwords or secrets for the user
§ A TrustZone® based TEE can protect integrity/crypto on the FIDO “server” in the car
§ A TrustZone based TEE can protect private keys/crypto and the FPS on the phone

Flow (diagram): user verification, then FIDO Authentication over a TLS secure channel – the FIDO Server sends a Challenge and the phone returns a Signed Response; a user gesture (e.g. FP) is required before the key can be used.

* https://fidoalliance.org
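The challenge/signed-response exchange on this slide, as an added example that is neither ARM's nor the FIDO Alliance's code: a Go model of the in-car FIDO "server" and of the phone-side signing step. It assumes an Ed25519 credential key enrolled beforehand over the TLS channel, a boolean user-verification flag standing in for the fingerprint gesture, and the hypothetical names Server, SignChallenge and "phone-1".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server is the in-car FIDO "server": enrolled public keys plus the challenges
// it has issued but not yet seen answered, so that each one is usable once.
type Server struct {
	registered map[string]ed25519.PublicKey // credential ID -> public key
	pending    map[string]bool              // outstanding challenges
}

func NewServer() *Server {
	return &Server{registered: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register stores a public key from enrolment (assumed to run over the TLS channel).
func (s *Server) Register(credID string, pub ed25519.PublicKey) { s.registered[credID] = pub }

// Challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Verify accepts a signed challenge exactly once. An unknown credential, a
// challenge that was never issued or was already consumed, or a bad signature
// all fail; the challenge is consumed even when the check fails.
func (s *Server) Verify(credID string, challenge, sig []byte) bool {
	pub, known := s.registered[credID]
	outstanding := s.pending[string(challenge)]
	delete(s.pending, string(challenge))
	return known && outstanding && ed25519.Verify(pub, challenge, sig)
}

// SignChallenge models the phone: the private key stays inside the TEE and is
// only used once the user gesture (e.g. fingerprint) has been verified.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user gesture required before the key can be used")
	}
	return ed25519.Sign(priv, challenge), nil
}
```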

Page 15: Example: Movies & TrustZone® Media Protection (diagram)

TrustZone splits the media pipeline into protected containers and a non-trusted container:
§ Protected containers hold the decryption keys and all plaintext video: encrypted compressed video stream → Crypto (TrustZone CryptoCell) with decryption keys → plaintext compressed video stream → VPU (Mali™ V550) working memory → plaintext uncompressed video stream → framebuffer → Display (Mali DP550)
§ Non-trusted container: shader programs, UI content and the GPU (Mali T8xx) working memory

Page 16: Next generation TrustZone enabled MCUs (diagram)

TrustZone for ARMv8-M on an ARM Cortex®-M (v8-M) microcontroller:
§ Initial ROT & security subsystem: CryptoCell Security Services Platform, Physical IP, hardware interfaces
§ Trusted software: TrustZone® based Secure Partitioning Manager (SPM) and Trusted Libs – Crypto, CAN Monitor
§ Normal World code, split into privileged and unprivileged: Platform Code, Device Drivers, RTOS, Comms Stack, TLS/Crypto Libs, Apps/User, accessed through the CMSIS API

Page 17: Practical steps for designing-in security today

§ Build in layers of hardware based security:
  § Unique keys / identities
  § Security subsystems or HSMs
  § TrustZone based TEE or TrustZone based SPM
  § Secure/authenticated debug
  § CAN gateways for isolation and anomaly detection
§ Consider advanced authentication such as FIDO (no passwords)
§ Use end to end encryption – TLS for Internet
§ Enable secure OTA updates
§ Have your system/platform penetration tested (e.g. whitebox testing)
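The "CAN gateways for isolation and anomaly detection" step above, as an added example that is neither ARM's nor any project's code: a Go model of a gateway that only lets allow-listed identifiers cross from the externally reachable segment (telematics, IVI) onto the vehicle bus and flags frames whose length or rate departs from the expected rule. The identifiers (0x100, 0x2A0), rules and frames are constructed for illustration; the names Gateway, Rule and SampleTraffic are hypothetical.

```go
package main

import "time"

// Frame is a constructed CAN frame: 11-bit identifier, payload and arrival time.
type Frame struct {
	ID   uint16
	Data []byte
	At   time.Time
}

// Rule is what the gateway expects of an identifier allowed onto the vehicle bus.
type Rule struct {
	DLC    int           // expected payload length in bytes
	Period time.Duration // nominal transmit period of this identifier
}

// Gateway allow-lists identifiers (isolation) and checks length and rate (anomaly detection).
type Gateway struct {
	allow    map[uint16]Rule
	lastPass map[uint16]time.Time // arrival time of the last forwarded frame per ID
}

func NewGateway(allow map[uint16]Rule) *Gateway {
	return &Gateway{allow: allow, lastPass: map[uint16]time.Time{}}
}

// Forward reports whether f may cross onto the vehicle bus and, if not, why. Rejected
// frames do not update lastPass, so a burst cannot starve the genuine periodic sender.
func (g *Gateway) Forward(f Frame) (ok bool, reason string) {
	switch rule, allowed := g.allow[f.ID]; {
	case !allowed:
		return false, "identifier not permitted across gateway"
	case len(f.Data) != rule.DLC:
		return false, "unexpected data length"
	case f.At.Sub(g.lastPass[f.ID]) < rule.Period/2:
		return false, "rate above nominal period"
	}
	g.lastPass[f.ID] = f.At
	return true, ""
}

// SampleTraffic is constructed input: nominal 0x100 frames, a 1 ms burst of 0x100, a short 0x100 frame, and unlisted 0x2A0.
func SampleTraffic(t0 time.Time) []Frame {
	at := func(ms int) time.Time { return t0.Add(time.Duration(ms) * time.Millisecond) }
	return []Frame{
		{0x100, []byte{0, 50}, at(0)}, {0x100, []byte{0, 51}, at(100)}, {0x100, []byte{0, 52}, at(101)},
		{0x100, []byte{0, 53}, at(102)}, {0x100, []byte{7}, at(200)}, {0x2A0, []byte{1, 2}, at(250)},
	}
}
```

Feeding SampleTraffic through a gateway with the rule {0x100: DLC 2, Period 100 ms} forwards the first two frames and rejects the rest with the reasons "rate above nominal period" (twice), "unexpected data length" and "identifier not permitted across gateway".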

Page 18: Security – Summary

§ The automotive attack surface is expanding with the spread of connected MCUs, and at the same time vulnerability is increasing due to the growing autonomous nature of cars
§ Defence in depth is needed – TrustZone® and CryptoCell provide layers of hardware based security
§ ARM is helping by supplying security architecture, subsystems, TrustZone system IP and open source software to the partnership
§ ARM is accelerating investment in security solutions and OSS

Page 19: Thank you!

The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2015 ARM Limited