Documente Academic
Documente Profesional
Documente Cultură
Eran Rippel
Discretix Technologies, Ltd.
ABSTRACT
We present several use-cases where embedded security is a fundamental
requirement. For each use-case, we list a set of security-related
characteristics and translate these characteristics into security requirements.
We continue by analyzing the security requirements and identifying the
embedded security building blocks of each one. The information for each
use-case is presented in a tabular format combined with detailed analysis,
facilitating easy reference per specific use-case.
1 INTRODUCTION
Security is becoming a de-facto requirement in the embedded industry, where system integrity,
content and connectivity are gaining increasing market attention. This naturally leads to security
accounting for a more significant share of embedded designs cost. At the same time, with the
prevalence of software there is also a need to meticulously build a design to guarantee the security,
authenticity and availability properties of the overall solution.
In this paper we analyze the following use-cases where security challenges are involved:
Software integrity protection
Software IP protection (reverse-engineering protection, anti-cloning)
Secure information and data logging
Preventing use of non-original peripherals
Secure communication
Digital Rights Management (content protection)
Multi-CPU System-On-Chip
For each use-case, section 2 lists the various security requirements and maps those to security building
blocks. Section 3 provides a more in-depth description of each security building block.
2 USE-CASE ANALYSIS
In this section we examine various security use-cases. We begin by taking each use-case and listing the
set of security-related characteristics that must be provided to support the use-case. We then take
each characteristic and translate it into distinct security requirements. Finally, we take each identified
security requirement and list the embedded security building blocks that must be in place in order to
answer that security requirement.
originally provided or approved by the manufacturer. Such software modifications can cause a wide
range of undesired system behavior. The result can vary from simple loss of revenue to hazardous
unintended behavior malfunctions.
The manufacturer introduces software to the system at two distinct occasions. During manufacturing,
the manufacturer introduces software to the device by programming the flash memory. At a later
stage, the manufacturer can update the software image on flash by means of a secure software update
session. The requirement is to maintain the integrity of the manufacturer software on both occasions
and this is done by assigning a unique signature to the manufacturer’s software.
The unique signature over the software image is based on public key cryptography. A unique digest (e.g.
hash) value is calculated over the software image and the manufacturer uses its private key to sign the
software image hash. The software image and its signature are then loaded to the system during
system manufacturing, along with the associated manufacturer’s public key. Whenever there is a need
to authenticate the software image, a digest of the software image is calculated and the public key is
used to authenticate the private-key-generated signature. Any piece of software not signed by the
manufacturer is detectable at a later stage as non-authentic software.
Secure Key Storage must store the public key and protect it against modifications, otherwise the
authentication mechanism can be easily broken. An attacker interested in injecting a new software
image can randomly create a new private-public key pair. The attacker then uses the private key to sign
the new software image (in the same manner as the manufacturer does) and loads the new software
image, new signature and the matching new public key to the system. During such an attack, the
authentication scheme passes successfully, as the public key used for authentication matches the
private key which was used to sign the software image. This attack is foiled by storing the public key in
a secure key storage area. This prevents an attacker from loading a different public key to the device.
There are many options for secure manufacturer public key storage. The public key can be stored in on-
chip ROM – there is a clear advantage that the public key cannot be replaced, but also the
disadvantage of lack of flexibility – all systems have the same public key, meaning that all
manufacturers must use the same private key to sign the software image. A second option is to store
the public key in on-chip One-Time-Programmable (OTP) technology – the advantage here is flexibility,
where each chip can have a different public key, but carries the disadvantage of silicon area cost of a
large number of OTP bits. A remedy for that is a third option, where the public key is stored on external
flash, but a hash value of the public key is stored in on-chip OTP – maintains the solution flexibility but
dramatically reduce the number of required OTP bits.
Detection is carried out primarily by a Secure Boot function at boot time – during system boot the
software image is authenticated versus its signature. The Secure Boot function is an on-chip ROM-
based procedure, which carries the above-mentioned authentication scheme. The reason the function
must be ROM-based is so that an attacker cannot intercept the procedure and so that authentication is
always carried during boot, bringing the system to a known and trusted starting point. Whenever the
manufacturer wishes to update the software image on flash, best practice is to do so at Secure Boot
time, because at this point in time the system is at a known state for the update to commence.
An attacker is also likely to attempt to modify the software while the system is running. There is a need
for Run-Time Integrity Checking (RTIC) capability, which periodically authenticates the software image
post-boot, either directly on XIP NOR flash or on external RAM for NAND flash implementations. RTIC
January 2009 Page 2 of 16
Security Challenges in Embedded Designs
operation is similar to Secure Boot operation, with slight modifications to accommodate runtime
changes. RTIC function must run in a Secure Execution Environment (SEE) with its own dedicated RAM,
where it is guaranteed that the RTIC functionality has not been tampered with by an attacker.
Considering that an attacker can attempt to modify the RTIC code or the procedure that calls the RTIC
in the first place, it is evident that the RTIC must run in an SEE. The SEE must also maintain a Secure
Timer, which periodically triggers the RTIC function.
Security Requirement
Optional mechanisms helpful for software integrity protection include a mechanism for Key
Management, in situations where more than one private-public key pairs need to be supported (for
example, to enable private-public key pair revocation for stolen keys). A Software Version Revocation
mechanism is important for long-lived systems, where the manufacturer may want to advance the
system to a new version of the software and prevent roll-back to an older version. In such a case a
software version counter is tied as part of the Secure Boot signature, enabling this mechanism.
Code encryption
Security Requirement
Security Building Block
● ● ● ● ● Cryptographic algorithms
● ● ● ● ● Secure Key Storage
○ ○ ○ Key Management
○ ○ ○ Secure Storage
● Secure Boot
● Secure JTAG Mechanism
○ Life Cycle State Management
● ● ● Provisioning
● - mandatory ○ ○ ○ ● Unique Secret Key
○ - optional ● Dedicated ROM
Once authenticated, the Secure JTAG unit opens the JTAG chains and enables debugging of the chip. An
attacker would have a hard time accessing JTAG chains and internal RAM when such a mechanism is in
place.
Optionally, the Secure JTAG can rely on a Life Cycle State Mechanism. The Life Cycle State mechanism
is a one-way function which indicates the current system state (e.g. development, production, user,
end-of-life, etc). When the system is in development, a developer would not want to perform the
challenge-response procedure every time. The Secure JTAG mechanism can hook to the Life Cycle State
indication and since development stage is carried out in a secure environment, disable the JTAG
protection.
Even if the code image is encrypted, the code image is not tied to a single chip or a single CPU.
Therefore, cloning the system is possible by copying the code image as is and running it on an identical
chip over the cloned system. Since the cloned chip CPU knows how to read the encrypted image,
cloning at the system level is possible. The attacker doesn’t understand the code that is executing on
the CPU, but gets the expected behavior out of the CPU. The solution here is to use a Unique Secret
Key per a specific chip and tie the chip’s code encryption to this unique key.
Database integrity
Database confidentiality
Security Requirement
Security Building Block
● ● ● ● ● Cryptographic algorithms
● ● ● ● ● Secure Key Storage
● Secure Storage
● ● Roll-back capability
● ● Unknown-state recovery
● Re-flash protection
● Secure JTAG mechanism
○ Life Cycle State Management
● Provisioning
● Process Caller ID
● Secure Execution Environment
● - mandatory ● Secure Boot
○ - optional ● Dedicated ROM & RAM
In order to prevent on-line database modification, a secure JTAG mechanism must be employed. This
mechanism has been discussed earlier in this paper. Furthermore, the software handling the Secure
Storage database must be isolated and executed in a Secure Execution Environment (SEE) with its own
Secure Boot function and dedicated ROM & RAM, so that all key material is handled in a trusted
compartment. The Secure Storage database should be integrated with the operating system, so that
better access control is available. In particular, using cryptographic methods a unique process Caller ID
indication can be provided per each system process, enabling the Secure Storage software to identify
the various processes which are asking for database services.
Finally, even the Secure Storage database is prone to re-flash attacks. Re-flash attacks refer to the
attacker’s ability to save a copy of the database now and at a later point in time overwrite the database
with the saved copy. Because the saved copy is a legal copy of the database (passes all integrity checks),
the attacker is able to bring the system to a known previous state. The solution to re-flash attacks
involves adding a secure timestamp to the database integrity. Adding such a secure timestamp requires
some on-chip Non-Volatile-Memory (NVM) counter, which is increased every-so-often and added as
part of the Secure Storage database integrity.
Chip-Peripheral binding
Security Requirement
Security Building Block
● ● ● Cryptographic algorithms
● ● ● Secure Key Storage
● Provisioning
○ ○ ○ Key Management
● ● Secure Storage
● - mandatory ● ● ● Secure Boot
○ - optional ● ● ● Dedicated ROM
Finally, there is a need to establish a secure communication channel, which means that data is
encrypted for confidentiality and also integrity-protected. Various security protocols are useful here,
including Diffie-Hellman if there is a need for secure key agreement.
Confidential channel
Integrity-protected channel
mechanism, but also a secure provisioning solution, which is able to securely inject the device key into
the system.
Security Requirement
Security Building Block
● ● ● ● Cryptographic algorithms
● ● ● Secure Storage
● ● ● Key Management
● Provisioning
● RO parsing capability
● Secure Time
● Secure Execution Environment
● - mandatory ● Secure Boot
○ - optional ● Dedicated ROM & RAM
At its basis, DRM deals with usage rights enforcement, as appearing in Rights Objects (ROs). Working
with ROs has two security-related aspects – RO storage and RO handling. First, ROs must be stored
securely in a Secure Storage database. Since a DRM-enabled system can hold numerous ROs, a full-
blown database must be used, enabling unlimited number of data items to be stored securely with an
efficient search mechanism. Secure Storage is mandatory (as opposed to regular storage), since ROs
contain enforcement parameters, such as the remaining usage counter, or the expiration date. Second,
ROs must be handled in a Secure Execution Environment (SEE). The SEE must handle two aspects of
security – parsing the RO correctly and keeping track of secure time. Secure RO parsing is necessary as
some RO fields are not fail-safe in nature. For example, OMA DRM ROs have the time constraint in
plain XML format – an attacker can simply erase the appropriate XML lines and the time constraint
disappears. Secure Time is necessary in order to be able to enforce any time-related usage.
engine
Identify the CPU accessing the security
material belonging to another CPU
Prevent one CPU from accessing security
execution space between the CPUs
Share a single security software
Security Requirement
Security Building Block
● ● ● Multi-source-aware interface
● ● Cryptographic algorithms
● ● Secure Storage
● ● Key Management
● Secure Execution Environment
● - mandatory ● Secure Boot
○ - optional ● Dedicated ROM & RAM
The first step to establish distrust between CPUs is to enable the central security engine to distinguish
which CPU is addressing it at any point in time. Identification must be robust and therefore should be
based on hardware signals. As an example, many advanced bus architectures today provide the
transaction source indication as an integrated part of the transaction, using side-band signals.
Once the CPU accessing the central security engine is identified, there is a need to prevent that CPU
from accessing security-related material belonging to another CPU. Assuming lack of dedicated RAM
per each CPU, the best method to provide such access separation is by means of cryptography. At
system initialization, a Key Management unit assigns a dedicated random key to each CPU. These keys
are kept protected using a Secure Storage mechanism. All security related material belonging to a given
CPU is encrypted using its dedicated random key and is therefore inaccessible to other CPUs.
Additional mechanisms can be added on top of the basic separation mechanism just described. For
example, if two CPUs need to share information in a secure manner, then a random inter-CPU
communication key can be defined, which is accessible only to the two CPUs.
If more than one CPU needs to execute security related software, then it makes sense to use a central
security software execution space. The execution space is based on a Secure Execution Environment
(SEE) with its own dedicated ROM for Secure Boot and dedicated RAM for software execution. The SEE,
being trusted by all CPUs, has access to all key material and is therefore able to support all CPUs
without compromising each CPU’s security.
schemes. If more than a few keys require protection, then on-chip solutions quickly become
unpractical and it’s best to use off-chip storage.
The first step in order to protect access to plain keys (or any other data items) on an external flash is to
encrypt the keys prior to their storage. Such encryption is able to thwart basic attacks techniques of
simply reading flash content or probing the bus signals passing between the flash chip and the CPU
chip. Adding integrity protection for each key also prevents the attacker from utilizing replacement
attacks.
Once the encrypted key is within the chip boundary, it is still prone to attacks. The basic question is
which root key is used to encrypt all other keys residing in the Secure Storage database. The best
practice here is to use a hardware-based solution for this root key: on-chip OTP bits. Using OTP bits
provides the chip manufacturer with the flexibility to program a different random root key for each and
every chip, which in turn leads to a Secure Storage database which is encrypted with a different key for
every chip. The other option is to use a software-based root key, where the root key is stored
somewhere in the software image on flash.
Breaking a Secure Storage database with a root key that is hardware-based requires the attacker to
decap the chip and attempt to read the OTP value. Such an attack is not scalable, since the attacker
needs to repeat the same attack for every chip. On the other hand, using a software-based root key
provides a scalable attack pattern: once an attacker manages to analyze the software image and find
the root key, the attacker is able to easily distribute the attack and reveal every root key in every chip.
Assuming that the root key is indeed hardware based, it should still be used in a secure manner. The
best practice here is to use a dedicated hardware module which reads the root key directly from OTP
bits and decrypts encrypted keys fetched from the Secure Storage on flash. Using such a dedicated
hardware module means that the root key is contained in a defined hardware block and is never
exposed in more attack-prone locations such as CPU RAMs. The dedicated hardware module can range
from a single dedicated engine up to a full Secure Execution Environment – depending on the type of
assets available on the chip.
The final aspect of access protection is to limit the CPU applications which are accessing Secure Storage
keys. A robust Secure Storage solution is able to use cryptographic measures to uniquely identify each
CPU application and ascertain whether this application is allowed to use the root key in order to
decrypt Secure Storage data.
Additional features are required in order to provide a complete Secure Storage solution. Primarily, the
Secure Storage database should be able to recover from unexpected power-loss as well as unexpected
application errors – neither one should render the database useless. Fast search capability is required
when handling a large database, providing reasonable performance characteristics. Smart utilization of
buffers is essential in order to decrease flash wear out, both for reads and writes. Finally, as discussed
in section 2.3, the Secure Storage database is prone to re-flash attacks. The solution to re-flash attacks
involves adding a secure timestamp to the database integrity.
Secure Boot, as described in section 2.1, works by calculating a hash value of the software image. The
hash value is then signed using the software manufacturer private key, to create a unique signature
which an attacker cannot forge without access to the private key. The unique signature is then loaded
to the flash alongside the software image. The software manufacturer’s public key is also provisioned
to the system.
The Secure Boot routine is a ROM-based routine which performs the following steps at boot time:
reads the software image from flash, calculates the hash value of the software image and uses the
software manufacturer’s public key to verify that the new hash just calculated matches the old hash
present on flash and signed by the software manufacturer’s private key. Even a single bit modification
of the software image will lead to a different hash and as a result will lead to Secure Boot failure. As
mentioned in section 2.1, the Secure Boot function must be ROM-based, so that an attacker cannot
intercept the procedure.
Additional features are required in order to provide a complete Secure Boot solution. These include the
ability for software update at any point in time. Given that the software is correctly signed with the
software manufacturer private key, the Secure Boot routine should pass successfully. If the software
image is constructed of several components, the Secure Boot routine should be able to accommodate
multiple software vendors and multiple keys used to sign the image. If a private key has been
compromised, the Secure Boot routine should support revocation of a compromised private key and
discard the appropriate public key. Finally, a Software Version Revocation mechanism is able to
advance the system to a new version of the software image and prevent roll-back to an older version.
4 SUMMARY
In this paper we have looked at several use-cases that require security foundations. For each use-case
we defined the set of features that involve security and from these feature we derived the security
requirements. Analyzing each security requirement we identified the embedded security building
blocks. The use-case analysis was also presented in a tabular format, showing the clear flow from
requirements to building blocks. Finally, several security buildings block were discussed to some extent,
highlighting characteristics which are of importance to the system designer.