Protecting IoT from chipsets
Update Time: 2022-08-15 17:28:10
The breadth of IoT systems is diverse, leading to a wide range of vulnerabilities in sensors, gateways, and cloud environments. Thanks to a long enterprise cloud computing and applications history, protecting cloud systems has matured significantly. However, at the sensor and edge, security has been stagnant.
As IoT devices become more complex and smart edges become more widely deployed, these end devices become attractive targets for attacks and access to larger IoT systems.
Qualcomm Technologies and Cog Systems recently announced an interesting partnership in which Cog's security and virtualization software will be available on the Snapdragon computing platform. In this article, we will examine the virtualization technologies being adopted and what features and functionality are important to improve the security of IoT endpoints.
Embedded Devices and Real-Time OS Roots
IoT devices are not a recent development. These devices have evolved from legacy embedded systems that have been around for over 50 years. Embedded systems have strict real-time requirements and typically employ some real-time operating system (RTOS). However, recently these systems have been split into Linux (non-real-time) environments and devices that handle time-critical functions of the RTOS. These newer embedded systems typically use a virtualization layer between the chip and the Linux/RTOS environment to share embedded resources on a physical device.
Initially, these embedded systems did not consider security a high priority because they were isolated and not connected. As embedded systems became connected, concerns grew, but if an intrusion occurred, the proprietary RTOS or "full metal" software embedded in the device still made attacks difficult and of little value while reducing the BOM costs associated with additional chipsets to support a separate standalone RTOS.
Today, IoT device compromise has far-reaching financial and life-threatening implications. Given the IoT in the automotive, medical and industrial sectors, the threat is real and must be taken seriously.
Secure Virtualization and IoT Devices
Cog Systems was founded in 2014 by Open Kernel Labs with a focus on microkernels and low-level software-based technologies. This long experience with embedded and mobile devices has given us insight into the security risks of this new world of IoT-enabled devices.
"Cog started with embedded microkernels and hypervisors and then focused on the security and hardening aspects needed to make devices IoT ready," described Dan Potts, CEO of Cog Systems. "We see a huge problem looming if people continue to build their devices as they are, if you look at the projected growth trends, due to the dramatic increase in scale."
The problem is that many embedded software designs tend to be monolithic systems. Cog realized early on that a more modular design was critical to identifying and managing security issues.
In addition, the Linux attack surface can be large, and bypassing security mechanisms is not difficult due to familiarity and open source access. As Cog began working with system integrators, they significantly improved their support technology to address the attack surface and security issues.
"By leveraging our initial experience, we are now able to focus on providing more off-the-shelf mass-market software solutions for IoT device development," said Potts. "We offer SDKs to help device manufacturers integrate designs based on security virtualization/managers. It allows them to move from monolithic to modular based on a Class 1 hypervisor."
The SDK is called D4 Secure. Hypervisors provide the first layer. In addition, other utilities and modules are available to build secure IoT devices more easily and securely. These tools include：
Virtual drivers with policies and shared controls
Device management for wireless updates
A set of security modules: VPN, secure communication, and authentication
The solution roadmap also includes research into next-generation hypervisor technologies to scale from large to small embedded chipsets. The intellectual property of the solution is to provide virtualization while maximizing performance.
Qualcomm® Snapdragon™ Security and D4 Security
Snapdragon is a high-performance chip that scales from 200 to 800 series with multiple applications - from simple sensors to smartphones, tablets, robotics, and self-driving cars. The security posture of the Qualcomm 855 is particularly attractive, with many features relevant to IoT and potential 5G connectivity.
The combined solution stack starts with a chain of trust and secure boot. This is supported by a chip that has a unique key for each chip. This feature provides the foundation for trust.
The Hypervisor layer relies on a secure boot. Once booted, the hypervisor takes over to maintain the security chain. The multi-stage boot process allows instant updates of the entire software image or individual modules (or virtual machines).
Integrity and multiple layers of security are also built-in. For example, Snapdragon provides the root key, but disk encryption is separate. These applications also can utilize security utilities but provide additional keys for standalone security.
Consumer/companion robot use cases require high-performance machine learning and vision processing. Often these are included in the operating system. There may also be legacy code involving the motor controller used for motion. Virtualization stacks allow these functions to run on different VMs on a single chipset. The benefit is lower cost and footprint, but modularity also allows for a "divide and conquer" approach to implementing safety features and separating critical functions.
Automotive applications are another area where real-time (powertrain, driver assistance/detection) and non-real-time (infotainment) systems can be more easily mixed and matched.
Snapdragon X50 modems support 5G networks, enabling true edge computing with reduced latency.
IoT device security has become a key requirement for today's IoT. Leveraging new tools and development kits can help reduce the learning curve and development time.
Ratings and Reviews
Qualcomm CSSP3 DPLX GT >
- MSM6000 CD90-V3050-2A