AUSTIN, Texas—Security is a balance between how much hackers want to gain by infiltrating a system and how much cost and complexity teams are willing to handle to prevent the hack.
That was the message from Rhonda Dirvin, director of IoT Verticals for ARM at the Embedded TechCon keynote June 8 here. (Embedded TechCon is a co-located event with Design Automation Conference).
“Any system can be cracked if the attacker has infinite time and money,” Dirvin said. “The effort is generally proportional to the value of the assets.”
So security needs to balance cost and complexity against how much could be lost.
“The goal is to design a system where attacks are simply uneconomic,” she said. “In other words, the cost of mounting a successful attack on a device is much more expensive than the assets the attacker can hope to gain or to access.”
Security isn’t an absolute concept. “It’s a balance between the cost and effort that you, the system designers, are prepared to invest to protect your assets and what an attacker is willing to invest in an attack,” Dirvin said.
She held up as an example the 2013 hack of Target stores, in which hackers gained access to as many as 70 million customer accounts. The hack was traced to network credentials stolen from a third-party vendor, an HVAC company. This occurred despite Target’s preparing for (and investing to prevent) just such an attack.
“The Target hack woke up the whole security industry,” Dirvin said.
Dirvin said most of the threats are going to be confined to two major areas along the spectrum of possibilities: communications attacks (so-called man-in-the-middle attacks) and software attacks, such as buffer overflows.
ARM, she said, believes that multiple layers of hardware based security should be built into the chip (see graphic nearby).
Layering of course has a cost, but the advantages are huge. By layering security, with clean APIs, boundaries and checks at each transition, the number of things to crack and the difficulty of an attack is hugely increased, she said.
Those four layers are built into the ARM architecture. Having these layers architecturally defined gives us an additional benefit, that of consistent rigorous testing in every processor we build, and an openness that means third parties can independently study it, she added.
"As we go through each layer, we enhance the security by increasing the level of isolation and compartmentalization,” Dirvin told the audience.
"And we can rigorously use the principle of ‘least privilege,’ which states that code should have the least privilege necessary to perform the functions it’s given," she added.
The fundamental security principles of isolation and least privilege are reinforced by a root of trust, Dirvin said. This gives us a set of essential features every secure system needs such as:
Once a root of trust is established only then is it safe to start the applications themselves, Dirvin said.
From a software perspective, it all starts at the base with root of trust to protect system resources. Each layer (pictured below) verifies the one above it, and looks for external attempts to tamper, in case the layer above can no longer be confirmed to be in a known, secure state.
And right at the top, the communications protocols need to be robust – a device that operates in a secure known state can still have its assets compromised by insecure protocols
“I can’t over state how important a root of trust in a device is,” Dirvin said. “Without that and a chain of trust for the secure services and device resources, it just isn’t possible to protect assets in a verifiable, known state.”
Related stories:
ARM at DAC 2016: What not to miss
DAC 2016: ARM unveils POP IP for Cortex-A73, Mali-G71 for mainstream mobile SoCs
DAC 2016: ARM expands efforts to speed designs to prototype, production