Layered Security for the Next One Trillion Devices
Arm technologies are in billions of devices today, a number we expect to see grow to over a trillion. Achieving this vision calls for a symbiotic relationship between hardware and software, where security is no longer an afterthought. Arm’s security portfolio is designed to protect against a broad spectrum of vulnerabilities, allowing partners to deploy the security level that best matches their application needs. Achieving layered security involves implementing technologies, processes and measures designed to protect systems, networks, and data from a range of attacks. Why? Because your device is only as strong as your weakest link - a single vulnerability could compromise an entire device. The types of vulnerability are communication, physical, lifecycle and software.
IoT is about connectivity, which means the device sends messages back to a server, and an attacker can try multiple means to intercept, spoof or disrupt those messages. Best-practice cryptographic defenses must match the increasing value of the assets they communicate.
Silicon attacks are often split into two categories: non-invasive and invasive. Non-invasive (side-channel) try to observe the chip in different ways to gain information. They may use perturbation techniques for example, altering the power supply voltage, or interfering with electromagnetic signatures. Invasive techniques involve opening the chip to probe or modify part of the passivation layer.
A device changes hands many times from factory to user, to maintenance and to end of life. We must protect the integrity of the device as it goes through this cycle: is the object repairable, who is repairing it, how is confidential data handled? It also addresses the response to unplanned or forbidden paths, such as theft, overages, or Wi-Fi changes.
These are the most common attacks where someone finds a way of using existing code to get access to restricted resources. It could be due to a software bug or to unexpected call sequences that are open to whole classes of exploits.
| Cryptography (Communication attacks) | Security Services (Lifecycle attacks) | Isolation (Software attacks) | Tamper mitigation and side-channel attack mitigation (Physical attacks) | |
| Analysis and specification | Platform Security Architecture | Platform Security Architecture | Platform Security Architecture | Platform Security Architecture |
| TEE | ||||
| Counter-measure | Pelion IoT Platform | Pelion IoT Platform | Arm Trustzone for Armv8-A | Arm SecurCore SC300 |
| Arm Trustzone for Armv8-M | Arm Cortex-M35P | |||
| Arm CryptoIsland | Arm CryptoIsland | Arm security IP with side-channel attack mitigation |
Our IP extends across the system with processors and subsystem protection (both hardware and software), as well as acceleration and offloading, fitting together seamlessly for layered protection.
The Arm Platform Security Architecture (PSA) is the framework for securing the next one trillion connected devices and systems, from chip to cloud, rallying the entire ecosystem to adopt a common security best practice. PSA calls for a consistent standard of security designed-in to both the hardware and firmware of all devices. PSA instructs three key phases (analyze, architect, implement) and reduces the ongoing cost of security and time-to-market by providing a holistic set of deliverables that anyone can use, regardless of security expertise.
Developers of IoT devices have a lot to consider and a key part of this is designing the right SoC. This requires a lot of moving parts: considering security, trust, power, performance and area constraints, plus scalable compute and connectivity to the cloud. Arm IoT frameworks accelerate time-to-security for SoC designers, device makers and developers by building on the principles of Platform Security Architecture and providing the powerful toolboxes they need to build their next system.
Offering protection against software attacks with isolation and a device root of trust
TrustZone is a system-on-chip (SoC) and CPU system-wide approach to security, helping to isolate and protect secure hardware, software and resources. TrustZone is hardware-based security built into SoCs by semiconductor chip designers, then used by software developers. The family of TrustZone technologies can be integrated into any Arm Cortex-A and the latest Cortex-M based systems, whether it’s establishing a trusted foundation for a high-performance experience or enabling authentication on the smallest embedded device.
Offering protection against communication and lifecycle attacks
Arm CryptoCell enables the protection of assets (code and data) belonging to different stakeholders in an ecosystem (for example, silicon vendor, OEM, service provider, user). CryptoCell enables SoC designers to trade off area, power, performance or robustness in a very flexible approach so SoC designs can be optimized to achieve the most appropriate security level for the target market.
- CryptoCell-300 family - optimized for low power and resource constrained platforms
- CryptoCell-700 family - aimed at higher performance systems
Offering protection against communication and lifecycle attacks
Arm CryptoCell enables the protection of assets (code and data) belonging to different stakeholders in an ecosystem (for example, silicon vendor, OEM, service provider, user). CryptoCell enables SoC designers to trade off area, power, performance or robustness in a very flexible approach so SoC designs can be optimized to achieve the most appropriate security level for the target market.
- CryptoCell-300 family - optimized for low power and resource constrained platforms
- CryptoCell-700 family - aimed at higher performance systems
Offering protection against physical security and close proximity attacks
There is no doubt that chip-based physical attacks are becoming easier and more dangerous. Arm provides a suite of security IP to guard the SoC on several fronts, including:
- Arm Cortex-M35P processor with tamper-resistance and TrustZone for Armv8-M
- A family of IP to protect against side-channel attacks
Arm also has a range of Security System IP, including: the TrustZone Random Number Generator, TrustZone Full Disk Encryption and TrustZone Address Space Controllers.
The Pelion IoT Platform is a flexible, secure, and efficient foundation spanning connectivity, device, and data management. It accelerates the time to value of your IoT deployments by helping you easily connect trusted IoT devices on global networks, invisibly administer them, and extract real-time data from them to drive competitive advantage.
As long as there is value in controlling a device or accessing its data, there will be a constant battle against potential attackers. Talk with an Arm expert to learn more about security technologies that can be designed into devices.
Security Resources
Everything you need to know to make the right decision for your project. Includes technical documentation, industry insights, and where to go for expert advice.
Blogs
