Insight Series: Optimizing security evaluation and compliance for IoT systems
In this blog, Nir Tasher, Technology Executive at Winbond explains how GlobalPlatform is defining security requirements of secure memory components, to support IoT system designers to understand security threats and select the right solution for their intended application based on GlobalPlatform’s security levels.
The challenge with IoT security system evaluation
Most IoT systems today are a ‘mix and match’ of several key components, typically:
- Microcontroller Units (MCU) / System on Chip (SoC)
- Software code
- Storage (Non-Volatile Memory) holding code, data and keys
- Connectivity subsystem (LAN or WAN)
Designers have a selection of options to choose from when deciding which components to build their solutions with. In most cases, this is the point at which the security evaluation process starts. Yet unfortunately, this is not often a simple process. Evaluation takes time. It often requires adjustments due to discovered vulnerabilities, then more time to evaluate the effectiveness of the fixes, and so on. All this can delay product delivery, and result in increased costs.
A mix and match approach to certification
The SESIP methodology strives to change this from the core. It proposes a methodology that allows the reuse of evaluation results across products integrating evaluated components, and the evaluation of any type of composition of components. The designer can select from a plethora of certified components and combine them into a product that benefits from the ‘composition certification’. The security of each component is described by a set of security functions. The combination of security functions for all the certified components should cover most of the security requirements of the composing system. Only missing security functions should be provided by the system designer. As a result, the overall certification process should become faster, cheaper, and more accessible to new players in the IoT market.
Protection Profile for Secure Memories
The IoT Platform consists of a secure external memory: a discrete component that is part of the secure application (system) and performs the task of data and code storage in a secure manner. A secure external memory can be, e.g., a nonvolatile flash memory that is part of a secure subsystem in a complex SoC holding the secure function code and user data.
Within GlobalPlatform, Winbond is a part of the group developing SESIP standards. Together with other member companies, we have created the SESIP Protection Profile for Secure Memories which describes the functionality that makes the memory device an essential player in achieving the system's security.
This protection profile addresses security functions and requirements specific to the functionality of the memory components and, more specifically, to the non-volatile storage.
Why is non-volatile memory essential to IoT systems?
The non-volatile memory is an essential part of any IoT system. It holds the code base running all layers of the specific application, including secure boot, Root of Trust (RoT) services, connectivity, maintenance and software updates. The non-volatile memory also contains platform, network and user data and credentials. As such, it is both a snapshot of the specific IoT device, as well as a gateway to the network core and potentially the cloud, servers, and other devices. The non-volatile memory may hold, at certain times, sensitive user information that may be considered private.
Understanding security requirements and functionality
The SESIP Protection Profile for Secure Memories aims to help IoT system designers identify potential security issues, understand security requirements and find a suitable memory component for their intended application. This is done by defining the required security functions of the memory device, their benefit to the platform security and how they should be evaluated.
The first security function required by the Protection Profile is to protect the confidentiality and authenticity of data communicated between the memory device and the rest of the system. This requirement should prevent eavesdropping and data modification by manipulating the signals of the memory device, either physically affecting the bus or logical intervening by a non-privileged user. Without such a function unauthorized users or adversaries may gain access to information stored, and could violate user privacy and the integrity of infrastructure.
The second is for protecting the authenticity and integrity of stored data. This requirement allows the system to trust the information stored in the memory device, such as system code, user data, network credentials, etc. Authenticity guarantees that the data in the memory is genuine, i.e., generated or delivered by a trusted source. Integrity protection guarantees that the data is intact. These requirements allow the system integrator to create a "Root of Trust" (RoT) using a secure microcontroller with a secure memory. Without such functionality, the platform cannot be trusted to perform its intended role in the system without interrupting other services or becoming hostile entity.
The third requirement controls a multitude of access control privileges implemented in the memory device. By following this requirement, the memory device can protect various content from being accessed by non-authorized entities. As opposed to data confidentiality, access control can also be applied to plain (non-encrypted) information access. This functionality allows multi-tiered software design where each tier is allowed access only to the information necessary to its operation. This prevents instances of malicious code from accessing or modifying information.
A simple path to compliance
Adhering to the secure memory Protection Profile requirements allows faster and easier implementation of other SESIP requirements.
One such well-established requirement is ‘Secure Update of Platform’. SESIP requires that a device can patch and repair any detected software vulnerability. A secure memory component aids the update process by protecting the stored code's confidentiality, authenticity, and integrity. The hardware mechanisms implemented in the Secure Memory reduce the burden on the system designer to design and certify the implementation of the Secure Update. Instead, they can choose the certified memory component, knowing all relevant security requirements have been addressed, tested, and certified.
Another well-established security functionality is ‘Secure Storage’. Namely, the system must protect data from manipulation and maintain its secrecy, authenticity, and integrity. A certified secure memory device will already have built-in and certified functionality, relieving the system designer from worrying about implementation, evaluation, and certification.
The objective of SESIP is to build consistency across IoT certification schemes (regional or vertical) to facilitate product evaluation and certificate recognition. Through the work of GlobalPlatform and its member companies, we are setting the grounds for a faster, simpler and cheaper approach to system evaluation.
The goal is to have a comprehensive portfolio of components at various certification levels so that a system designer can choose the right ingredients from a vast catalog. Setting up clear guidelines and Protection Profiles is the first step in that direction, and our team at Winbond is proud of being at the core of this work.
Learn more about GlobalPlatform’s work on SESIP and get involved.