Security Scenarios Addressed by Arm Cortex-M23 and Cortex-M33

2016's DDoS attacks on webcams revealed just how vulnerable IoT devices are to remote attacks. The embedded security community and device makers are well aware of these shortcomings but with cost being a primary driver, security implementation often takes a back seat. This has to change. Inadequate device security has a broad business impact, especially when those devices are connected to a communication network.

These vulnerabilities impact revenue, brand image, customer confidence and retention, and total cost of ownership over the life of the device. CIOs and IT pros have dealt with such issues on the IT side for years. What is new is the scale, complexity and lack of standards in the IoT and embedded device space concerning security, governance and manageability. For these reasons, IoT security must be dealt with differently: it must be approached as a strategy not as a check box.

Arm’s new Cortex-M23 and Cortex-M33 present device makers an opportunity to build products that are secure by design, but also enable implementing a security strategy. The new architecture implements TrustZone for Armv8-M, which provides a secure foundation that can be easily utilized by device makers and application developers. A lot has been written on this blog about the technical abilities of the new processors and the new security extensions. Explore other articles on this site to learn more.

The following are a number of security applications permitted by the new TrustZone extensions that are implemented in Cortex-M23 and Cortex-M33, including:

• IP protection: Intellectual property related directly to a company’s intrinsic value. It can make or break device makers. The ability to designate secure memory regions can be used to store intellectual property while still allowing non-secure applications to access it via APIs.
• Secure storage of critical information: Keeping user data, identity information, and security keys separate from the rest of the system ensures confidentiality. This assurance limits liability, media exposure and helps protect brand image and consumer confidence.
• Root of trust implementation: A root of trust implementation provides a secure foundation for many different applications, such as secure over-the-air (OTA) firmware updates. This basis of trust is also critical to facilitating mutual authentication between devices in a system. Indeed, one of the principle benefits of the two processors is that it ensures system-wide security including external memory and peripherals.
• Sandboxing of certified software: Software certification is an expensive process. Using certified software for cryptography, for example, allows device makers to enter new markets where these requirements are mandated, such as medical devices, industrial control systems, and security related applications. TrustZone capabilities of Cortex-M23 and Cortex-M33 allow storing such code in secure memory regions, while allowing access to applications via APIs in NSC memory regions.

This Sequitur CoreLockr-TZ Demo effectively demonstrates how TrustZone for Armv8-M helps address security concerns plaguing low power devices. In the video, two different vulnerabilities are introduced to illustrate how devices can recover securely in the event of an attack. One simulates a malware attack and the other a failure of the rich OS. The latter shows the ability to use code in secure memory to monitor status in the non-secure region of the SoC.

Cortex-M23 and Cortex-M33 promote building energy-conscious devices like wearables or battery-operated edge nodes in markets such as smart utilities and smart cities. More importantly, they change security economics by reducing complexity and eliminating additional parts dedicated to performing security functions. SoCs based on the two processors are expected to hit the market in 2017. They are widely supported by a swath of software companies including Sequitur Labs, Express Logic, Green Hills Software, IAR Systems, IBM, Mentor Graphics, Micrium, Real-Time implemented Engineers, Symantec and Trustonic.

Find more resources, information and discussions about security for embedded in the TrustZone for Armv8-M Community.