Evolution of Embedded Platform Security Architecture & XANDAR Project
The realisation and prototyping of networked embedded technologies and safety-critical systems require a computing hardware usually available in the form of an embedded platform. From the functional-safety and cybersecurity perspective, the attack surface and security perimeter of such embedded platforms heavily rely on the underlying defence mechanisms supported by the platform. Therefore, it is essential to review and better understand the evolution of embedded security platform architectures.
The evolution of embedded security platform architecture has been guided by technological advancements and a cause and effect of developing domain-specific system design challenges [1], [2], [3], [4]. These requirements include realisation of mix-critical applications, broader connectivity, a need for safety and security leading to wider adoption and availability of embedded multiprocessing platforms [5], [6], [7]. Though where these computing platform advancements brought benefits, they have exposed platforms to wide-range safety and security challenges due to increased connectivity, system attack surface and processor micro-architecture vulnerabilities [2], [5], [8], [9], [10], [11].
Figure 1: Evolution of Embedded Platform Security Architecture
Early Systems
The Early Systems were highly constraint in terms of resources, area, memory, performance, power and designed to solve domain-specific problems. Since these early systems had no connectivity, their security requirements were limited to the physical security. However, physically they found vulnerable to unauthorised access and modification to the system. Common example of such platforms is embedded system using a simple 8/16-bit single-core processor with no connectivity.
Software-based Security
To address this challenge and unleash their true potential, broader network connectivity had been introduced to the embedded platforms that enabled opportunities for pervasive computing as illustrated in Figure 1. It allowed automation and optimisation of industrial control processes by communicating with other systems using a dedicated/internal private network [12]. Though safe business operations require protection of secret data, thus a Software-based Security approach was introduced that executes symmetric cryptography libraries (AES, DES) as illustrated in Figure 1 to protect data [4].
Dedicated Cryptographic Engine
With technological advancements, the application requirements started to become complex, computationally expensive and require execution of asymmetric cryptography algorithms for secret key exchange that posed serious performance issues. To circumvent this problem, the computationally intensive cryptography services were offloaded from a host processor to a Dedicated Cryptographic Engine as illustrated in Figure 1.
Virtualisation-based Security
The realisation of mix-critical automotive and industrial control applications requires multiprocessing. Since the cost of silicon was still expensive and embedded architectures were area and memory constrained, the security architects had introduced Virtualisation-based Security approach. This allows to isolate and segregate computing resources [3], [6], [13]. Using virtualisation, a physical processor and platform resources are logically divided into multiple domains as shown in Figure 1. Examples include Arm TrustZone, Intel SGX, Hex-Five MultiZone Security etc.
Hardware-based Trusted Computing
Active involvement of third-party vendors during manufacturing and supply-chain processes had exposed businesses to device identity challenges, leading to wide-range of intellectual property theft, device cloning and counterfeit attacks etc. that severely damages the businesses both financially and morally. To approach this challenge, a Hardware-based Trusted Computing approach was introduced [4], [14] as illustrated in Figure 1. For this purpose, a hardware root-of-trust components that serve an immutable trust anchor is tightly integrated into the platform security architecture. Depending on the design and complexity, it can generate secret keys, store secret keys inside a tamper-proof secure storage and sign to verify digital secrets [14]. In multiprocessing embedded computing platforms, it is used to build chain-of-trust during the boot-up process. Examples include secure boot, secure update, secure debug and remote attestation etc.
Most of existing embedded technologies use one of the five discussed security architecture depending on the domain-specific security requirements.
In XANDAR project, the hardware-based trusted computing approach will be considered for platform security. Though the availability of security defences within a platform is one part of the cybersecurity puzzle. How these security defences are deployed and used is another critical part. Therefore, the is a need for a holistic risk-oriented automotive cybersecurity engineering processes. These processes shall allow adaptation, configuration, and management of security defences to architect a resilient system security architecture which is in-line with the international cybersecurity standards, frameworks and best practises.
References