Previously I have talked about two features of Total Compute – compute performance and developer access. Both play a vital role in delivering the Total Compute vision of seamless digital immersion experiences on next-generation devices, as described in the blog on compute performance. This is being achieved through a solutions-based approach across the entire SoC, focusing on a range of experiences and use cases. These vary from everyday tasks, such as communication, shopping and banking, through to more complex and advanced workloads, such as video streaming, gaming, and extended reality (XR), which spans Virtual Reality (VR) and Augmented Reality (AR).
However, alongside the need for greater performance and developer access, we also need to deliver these experiences securely. Not just on the device itself, but across the entire mobile ecosystem.
Security is at the foundation of our new Total Compute approach. We are building security into all aspects of our Total Compute offering, from solutions on the device to support throughout the entire Arm ecosystem for consumer devices.
For the past two decades, Arm has been a pioneer of security on mobile. Our TrustZone technology is used in billions of mobile devices worldwide today. Its use being expanded even further into smart watches, DTVs, connected home devices and, now, the next generation of laptops. We are at the heart of compute processors on these consumer devices. Therefore, we are ideally placed to address new security threats across the entire device and application ecosystem.
We recognize that security needs to be built from the ground up, at the core of every device. Total Compute takes our commitment to secure endpoint devices one step further, providing ‘defense in depth’ security for hardware, firmware, software, operating systems, applications, and services.
Under the hood, consumer devices are composed of hardware components, firmware to run those hardware components and hundreds of thousands of lines of software code. We have seen that all of these can be vulnerable to different kinds of hacking attempts and need to be secured. The combinations and implementations are numerous and can be fragmented, making it challenging to do security patches quickly and broadly. It is an endless loop of finding holes and patching holes. Therefore, we need a different approach to break this cycle.
The security approach through Total Compute
Arm’s Total Compute Security vision is to protect personal data by securing devices from the ground up. This means we start with the architecture, the base design for all compute. Our objective is to mitigate vulnerabilities in the device before mass production and greatly reduce the attack vectors in consumer devices. In practical terms, this approach resolves into a focus on two key aspects of security: Foundational Security and Applications and Services Security.
As the complexity of the next generation of consumer devices continues to increase, security must move beyond standalone solutions that only protect one aspect of a device. We need multi-layered solutions where there is system cooperation, from device hardware all the way through to cloud services that utilize the plethora of personal data on our devices.
Foundational security is split into two security components – platform security and compute security.
Platform Security
The variety of implementations and Secure Operating Systems today makes it difficult for application developers and learning-algorithm developers to trust that their IP and their users’ data will be protected by the devices they are running on.
Platform security involves working with the industry on the 5 Cs: establishing Collaboration, Cooperation, Commonality and Consistency, and preventing Commoditization. We have already started open collaborations with silicon vendors, OEMs, Operating System Vendors (OSVs), Independent Software Vendors (ISVs) and developers to enable Platform Security for the next generation of consumer devices. We are collaborating with them on standards for common security frameworks and consistent implementations in hardware and firmware. Standardized Platform Security can help bring devices to market faster but, more importantly, can help to establish device platform trust for applications and cloud services.
A great example of this collaboration already in action is our work on drafts of specifications for a Base System Architecture (BSA) and Platform Security Architecture (PSA). We have already seen some great progress, by working closely with silicon vendors and OSV partners, such as Android, to develop the SPCI (Secure Partition Client Interface) specification. The goal of SPCI is to create a set of standardized APIs between clients of secure services in the real world and providers of services in secure partitions. It is a generic interface that requires no Secure Operating System drivers in the real-world hypervisor. We are looking forward to continuing these kinds of open collaborations with all our partners to enable Platform Security for the next generation of endpoint devices.
Compute security
While standards take time to develop and adopt, Compute Security focuses on improving foundational security through the architecture today. These solutions include our efforts on 64-bit, Pointer Authentication Codes (PAC), Branch Target Identification (BTI) and now the Memory Tagging Extension (MTE). They raise the exploitation threshold by, first, improving software resilience to attacks and, second, stopping software vulnerabilities at the source before they can cause harm.
MTE, which was described in this blog and in this Google blog in August 2019, is our most recent addition to Compute Security. Memory safety bugs are the single largest category of hacker attack vectors. Put simply, MTE makes detecting memory safety violations easier and more efficient across the entire ecosystem. Silicon vendors can immediately address this class of bugs before they provide their SoCs to OEMs. Next, OEMs benefit because MTE further helps them detect additional memory safety bugs before the devices go to mass production. Before hardware availability, tools like HWASAN are available in Android to support code checking. Once in the market, the OSV and application developers can use MTE-enabled devices to find their own buffer overflows and heap corruption in their code. MTE has proven benefits for the breadth of C/C++ code in devices and it is likely to bring even greater value to the ecosystem in the future. For example, we are already seeing unique applications of MTE in research where there may be benefits to other languages like JavaScript.
Example of lock and key access to memory through MTE
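To make the lock-and-key idea concrete, here is a small C simulation added for this post (not code from the blog, from Arm, or from any MTE implementation): it models 16-byte granules each carrying a 4-bit lock tag, pointers carrying a 4-bit key tag in bits 56..59, and a check that only lets a store through when the two match. The allocator, tag assignment and function names are this example's own assumptions; a real MTE core does the check in hardware and raises a fault instead of returning 0.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy model of MTE's lock-and-key scheme (a simulation, not the hardware
 * feature): each 16-byte granule carries a 4-bit "lock" tag, each pointer
 * carries a 4-bit "key" tag in bits 56..59, and an access is allowed only
 * when key and lock match. Names and layout are this example's own. */
#define GRANULE   16
#define HEAP_SIZE 256
#define TAG_SHIFT 56
typedef uint64_t tptr;                       /* simulated tagged pointer */
static uint8_t  heap[HEAP_SIZE];
static uint8_t  locks[HEAP_SIZE / GRANULE];  /* one lock per granule; 0 = free */
static size_t   heap_top;                    /* bump allocator, no reuse */
static unsigned next_tag = 1;

static tptr     make_ptr(size_t off, unsigned tag) { return ((tptr)tag << TAG_SHIFT) | off; }
static unsigned key_of(tptr p)  { return (unsigned)(p >> TAG_SHIFT) & 0xF; }
static size_t   addr_of(tptr p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }
/* Allocate n bytes rounded up to whole granules and colour them with a fresh non-zero tag. */
tptr mte_alloc(size_t n) {
    size_t bytes = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (bytes == 0 || heap_top + bytes > HEAP_SIZE) return 0;
    unsigned tag = next_tag;
    next_tag = next_tag % 15 + 1;            /* cycle through 1..15, never 0 */
    for (size_t g = heap_top / GRANULE; g < (heap_top + bytes) / GRANULE; g++) locks[g] = tag;
    tptr p = make_ptr(heap_top, tag);
    heap_top += bytes;
    return p;
}
/* Free retags the granules so a stale copy of the pointer no longer matches. */
void mte_free(tptr p, size_t n) {
    size_t bytes = (n + GRANULE - 1) / GRANULE * GRANULE, a = addr_of(p);
    for (size_t g = a / GRANULE; g < (a + bytes) / GRANULE && g < HEAP_SIZE / GRANULE; g++) locks[g] = 0;
}
/* The hardware check: 1 if the pointer's key matches the granule's lock, else 0 (a real core would fault). */
int mte_check(tptr p) {
    size_t a = addr_of(p);
    return a < HEAP_SIZE && locks[a / GRANULE] == key_of(p);
}
int mte_store(tptr p, uint8_t v) { if (!mte_check(p)) return 0; heap[addr_of(p)] = v; return 1; }
int mte_load(tptr p, uint8_t *out) { if (!mte_check(p)) return 0; *out = heap[addr_of(p)]; return 1; }
/* Exercise the two classic bugs MTE catches; returns how many were detected (expect 2). */
int mte_demo(void) {
    tptr a = mte_alloc(16); (void)mte_alloc(16);  /* neighbouring granules get different tags */
    if (!mte_store(a, 0x41) || !mte_store(a + 15, 0x42)) return -1;  /* in-bounds stores pass */
    int caught = !mte_store(a + 16, 0x43);       /* linear overflow into the neighbour's granule */
    mte_free(a, 16);
    caught += !mte_store(a, 0x44);               /* use-after-free through a stale pointer */
    return caught;
}
```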
While Arm’s solutions for Foundational Security are well-established, Total Compute will see the acceleration of Application & Service Security solutions as well.
We are investing in Applications and Services Security on two fronts: isolation architecture and interconnectivity security.
Before delving into these two fronts, it is important to first reflect on the current security challenges that exist in relation to Applications and Services Security. TrustZone-based operating systems have served mobile devices very well for over a decade. They have protected content for the movie industry through digital rights management, protected the personal biometric data of users and even payments made with mobile wallets. However, just as the number of high-level operating system (HLOS) applications has grown, so has the need to secure our personal data and protect the intellectual property (IP) of companies. Therefore, being able to scale today’s trusted operating systems to serve the needs of hundreds, if not thousands, of application, library, and model developers can be a challenge. Developers need to be able to create their own secure applications, but they do not have the resources necessary to work with every device OEM and silicon vendor. Conversely, OEMs and silicon vendors do not have the resources to work with the breadth of developers and test their variants.
The increased use of machine learning (ML), with developers incorporating more ML into their applications, has also illuminated the need for further IP protections. We are seeing ML used for shopping recommendations, natural language processing, matching drivers with riders, processing health data from our smartwatches and making diagnostic assessments. These models themselves are becoming a core asset of some companies’ businesses, so they need protection from their competitors and hackers.
Isolation architecture
Applications and Services Security meets these challenges by offering improvements in isolation architecture. Imagine if hardware manufacturers and HLOSs could establish trustable isolation. This means they could better ensure that a developer’s secure code and a user’s data are well isolated from the device hardware, firmware, HLOS, and other applications. Hackers that introduce nefarious code into applications, and vulnerabilities accidentally introduced by secure applications, would be less of a concern because they could do less harm in this kind of environment. It lowers the risk of incidents considerably and may allow secure code to be deployed in a more scalable manner through well-known application stores.
Isolation architecture can also help the industry achieve the scale required. The Firmware Framework for A-class (FF-A) is the first step to enabling scalable security for the future needs of confidential computing (more information on confidential computing will be provided in a later blog).
One significant step in that direction is the recent transition of Google’s Hafnium project into Trusted Firmware, under a BSD-3-Clause license. This enables the open and collaborative development of a reference Secure Partition Manager (SPM) for the Arm Secure EL2 Virtualization Extension. The Trusted Firmware project is an open governance community project that strives to develop a trustworthy and transparent reference firmware stack. This is reusable and designed to reduce porting and integration efforts for the device ecosystem. All Arm partners can now take advantage of the reference S-EL2 SPM for their own implementation of FF-A. The FF-A specification and the reference implementation at EL3 and S-EL2 provided by Trusted Firmware together provide a common framework. This means that OEMs and silicon vendors can offer a common programming model that they can scale to work with any developer to create secure applications.
Interconnectivity security
Another aspect of Applications and Services Security is interconnectivity security. Consumer devices on the market now, and those that will be available in the future, illustrate the need for securing concurrent processes. Watching live sport on a consumer device, be that a TV, tablet or smartphone, is a good example. Today’s consumer devices can securely render DRM-protected 4K live streams, but what if a broadcast of live sport was showing purchase links to a player’s jersey? Clicking the link leads to a smaller “picture in picture” window popping up, asking the user whether they would like to see the jersey on themselves. The device now needs to protect the live stream, the AR model being used to render the jersey on a picture of the viewer, the IP being used by the shopping app to show the team’s goods, and also the personal data for the purchase. There could be up to four simultaneous processes, running across different CPUs, GPUs, and NPUs, that require protection.
Example of interconnectivity security in action through watching live sport
This kind of Interconnectivity Security use case is pushing the boundaries of secure processing on devices today. As we improve compute performance with Total Compute, we are also looking at new approaches to secure the increasingly complex workloads that run across different processors. Focusing on optimizing individual IP blocks restricts the ability to interconnect effectively and securely across the system. The fact that Total Compute takes a system-level solution view of the entire SoC benefits interconnectivity security.
The security benefits of Total Compute provide greater protection across the entire ecosystem, making all aspects less vulnerable to attacks. These benefits span hardware, software, operating systems, applications and services, delivering ‘defense in depth’ security and protection. This will focus on key security use cases that are set to be prominent on the device and in the cloud in the future, while removing fragmentation in the ecosystem. As we enter a new era of data processing on devices and data innovation in wider society, users can rest assured that this will be secure thanks to Total Compute.