After a great event in Beijing we’ve moved to the much warmer climes of Shenzhen for the final leg of the China run. At every Arm Tech Symposium, after the keynotes are done for the day and everyone’s had their fill at lunch, it’s time to split into three streams for the afternoon’s Tech Talks. The very first of the day, and that I’ll talk about here, is of particular interest me and most of the industry right now, because it’s about something none of us can afford to ignore: security. You can tell from the turnout alone just what a vital topic this is, extra chairs were still being brought in halfway through.
As more and more devices become connected, there are ever more potential touchpoints at which a system is vulnerable to attack. Arm has, of course, been focused on tech security for many years, TrustZone is a product many of you will have heard of, having been introduced in 2005 for Arm Cortex products, but as today’s speaker, Erik Jacobson quoted: ‘If you connect something to the internet, it will get hacked.’ This is the modern reality and this is why we all have to think about protecting those devices, from the smallest to the highest value. As the pressure grows, so too do the solutions we produce.
Our response is to announce Platform Security Architecture, or PSA. It’s not just software, it’s a method of building industry best practices through a framework than can make complex security simpler and cheaper for our partners to protect their products because a shared approach is vital to a secure future.
The first part is very important, the analysis phase is where we deliver threat models and security analyses to document the risks and potential attackers and identify the most vulnerable assets in order to make recommendations on the most appropriate actions. The example Erik shows is that of usage data from an electricity meter. This data may seem innocuous but it needs to be protected for both integrity and confidentiality. For integrity to make sure no one is able to amend the amount of documented usage, resulting in loss of revenue. For confidentiality we need to ensure that no one can access information about your habits which may allow people to establish when your house is unoccupied, or when a vulnerable homeowner is alone, and so on.
For the second part, we provide hardware and firmware specifications to help partners build a more secure system and isolate and separate the firmware using appropriate APIs.
Finally, we provide a reference open source implementation of the firmware to make it all happen.
The outcome is that the data objective is strong crypto with, in this example, a hardware based key store. This all seems fairly intuitive, but today, not many companies are doing this. By providing three initial documents, for webcams, electricity meters, and vehicle tracking, we’re enabling our partners to take an easy route to protecting your data.
It might seem like this is only relevant to your personal step in the value chain but even if you’re building silicon or writing firmware, you still need to pay close attention to the cloud and system providers in order to make sure robust security is pulled through the whole system.
With this in mind, alongside the open source code available in March 2018, we’ll be providing an implementation of PSA that is independent of architecture, and will work across Cortex A R and M products. However, we’re prioritising M class processors due to the sheer volume of implementations, and the vulnerability of connected devices. PSA is therefore initially designed to protect low cost IoT devices where a full, trusted execution environment wouldn’t be appropriate. It protects them by separating the assets from the application’s firmware and hardware and it works best when implemented on TrustZone, though this isn’t essential. The recent Security Manifesto report published by Arm describes security of IoT in 2017.
Our biggest goal is simply for more secure devices, but our next is to standardise APIs so OEMs can choose their preferred implementation to reduce rework across partners and speed up device or component validation.
PSA is not about writing the software for you and it’s not about one solution, it’s a framework and a set of guidelines for the most secure system possible. Arm needs partners to innovate, create and protect, using this framework to make it easier, cheaper and simpler.
With that, Arm Tech Symposia China are done for another year and I’m off to the airport to make my way back to Cambridge.
Follow @ArmMali for the latest graphics and multimedia developments and follow my blog here for the latest Arm news.