Layered Security for the Next One Trillion Devices
Arm technologies are in billions of devices today, a number we expect to see grow to over a trillion. Achieving this vision calls for a symbiotic relationship between hardware and software, where security is no longer an afterthought. The Arm Platform Security Architecture guides partners through the complex world of security design, which when paired with Arm’s security portfolio, allows partners to deploy the security level that best matches their application needs. Achieving layered security involves implementing technologies, processes and measures designed to protect systems, networks, and data from a range of attacks and a broad spectrum of vulnerabilities. Why? Because your device is only as strong as your weakest link - a single vulnerability could compromise an entire device.
What vulnerabilities do I need to consider?
As the appetite for exploiting security flaws intensifies, so does the broad spectrum of vulnerabilities. It’s important to consider each type of vulnerability and how these could impact your system. At Arm we split the types of vulnerability into four areas: communication, physical, lifecycle and software.
IoT is about connectivity, which means the device sends messages back to a server, and an attacker can try multiple means to intercept, spoof or disrupt those messages. Best-practice cryptographic defenses must match the increasing value of the assets they communicate.
Silicon attacks are often split into two categories: non-invasive and invasive. Non-invasive (side-channel) try to observe the chip in different ways to gain information. They may use perturbation techniques for example, altering the power supply voltage, or interfering with electromagnetic signatures. Invasive techniques involve opening the chip to probe or modify part of the passivation layer.
A device changes hands many times from factory to user, to maintenance and to end of life. We must protect the integrity of the device as it goes through this cycle: is the object repairable, who is repairing it, how is confidential data handled? It also addresses the response to unplanned or forbidden paths, such as theft, overages, or Wi-Fi changes.
These are the most common attacks where someone finds a way of using existing code to get access to restricted resources. It could be due to a software bug or to unexpected call sequences that are open to whole classes of exploits.
Selecting the security products required for a device requires careful analysis to identify the level of threat, considering all four types of vulnerability. Sometimes it is hard to know where to start, which is why we created the Arm Platform Security Architecture (PSA) - a framework to secure devices from the ground up. PSA uses three key stages: analyze, architect and implement, that identify threats to a system and which counter-measures should be implemented. Below you will see the wide spectrum of counter-measures from Arm and how they can help you to counter a wide variety of vulnerabilities.
| Cryptography (Communication attacks) | Security Services (Lifecycle attacks) | Isolation (Software attacks) | Tamper mitigation and side-channel attack mitigation (Physical attacks) | |
| Counter-measure | Pelion IoT Platform | Pelion IoT Platform | Trustzone for Armv8-A | SecurCore SC300 |
| Trustzone for Armv8-M | Cortex-M35P | |||
| CryptoIsland | CryptoIsland | TEE | Arm security IP with side-channel attack mitigation | |
| CoreLink SDC-600 | CMSIS-Zone Arm Keil MDK |
Our IP extends across the system with processors and subsystem protection (both hardware and software), as well as acceleration and offloading, fitting together seamlessly for layered protection.
The Arm Platform Security Architecture (PSA) is the framework for securing the next one trillion connected devices and systems, from chip to cloud, rallying the entire ecosystem to adopt a common security best practice. PSA calls for a consistent standard of security designed-in to both the hardware and firmware of all devices, guiding you through the process regardless of security expertise.
Developers of IoT devices have a lot to consider and a key part of this is designing the right SoC. This requires a lot of moving parts: considering security, trust, power, performance and area constraints, plus scalable compute and connectivity to the cloud. Arm IoT frameworks accelerate time-to-security for SoC designers, device makers and developers by building on the principles of Platform Security Architecture and providing the powerful toolboxes they need to build their next system.
Offering protection against software attacks with isolation and a device root of trust
TrustZone is a system-on-chip (SoC) and CPU system-wide approach to security, helping to isolate and protect secure hardware, software and resources. TrustZone is hardware-based security built into SoCs by semiconductor chip designers, then used by software developers. The family of TrustZone technologies can be integrated into any Arm Cortex-A and the latest Cortex-M based systems, whether it’s establishing a trusted foundation for a high-performance experience or enabling authentication on the smallest embedded device.
Offering protection against communication and lifecycle attacks
Arm CryptoCell enables the protection of assets (code and data) belonging to different stakeholders in an ecosystem (for example, silicon vendor, OEM, service provider, user). CryptoCell enables SoC designers to trade off area, power, performance or robustness in a very flexible approach so SoC designs can be optimized to achieve the most appropriate security level for the target market.
- CryptoCell-300 family - optimized for low power and resource constrained platforms
- CryptoCell-700 family - aimed at higher performance systems
Offering protection against communication and lifecycle attacks
Arm CryptoCell enables the protection of assets (code and data) belonging to different stakeholders in an ecosystem (for example, silicon vendor, OEM, service provider, user). CryptoCell enables SoC designers to trade off area, power, performance or robustness in a very flexible approach so SoC designs can be optimized to achieve the most appropriate security level for the target market.
- CryptoCell-300 family - optimized for low power and resource constrained platforms
- CryptoCell-700 family - aimed at higher performance systems
Offering protection against physical security and close proximity attacks
There is no doubt that chip-based physical attacks are becoming easier and more dangerous. Arm provides a suite of security IP to guard the SoC on several fronts, including:
- Arm Cortex-M35P processor with tamper-resistance and TrustZone for Armv8-M
- A family of IP to protect against side-channel attacks
Arm also has a range of Security System IP, including: the TrustZone Random Number Generator, TrustZone Full Disk Encryption and TrustZone Address Space Controllers.
The Pelion IoT Platform is a flexible, secure, and efficient foundation spanning connectivity, device, and data management. It accelerates the time to value of your IoT deployments by helping you easily connect trusted IoT devices on global networks, invisibly administer them, and extract real-time data from them to drive competitive advantage.
As long as there is value in controlling a device or accessing its data, there will be a constant battle against potential attackers. Talk with an Arm expert to learn more about security technologies that can be designed into devices.
what they thought about security
Sixty-seven percent (67%) thought most technology companies
did not regard security as fundamental. Arm believes this is a problem.
Protect Your Data Platforms from the Next Wave of Cybercrime
The latest Arm Security Manifesto 2018 shows a disturbing trend in the continuing rise of cybercrime, particularly vast armies of attack bots and elaborate global security offensives. Yet industry is under pressure to simplify IoT, even as the numbers of IoT devices and data streams multiply by billions every year.
Security Resources
Everything you need to know to make the right decision for your project. Includes technical documentation, industry insights, and where to go for expert advice.
Blogs
- New CryptoCell Security IP reduces Time-to-Market and meets Chinese Crypto Standards
- Arm Cortex-M35P: multi-layered security at the heart of your device
- New Arm IP Helps Protect IoT Devices from Increasingly Prevalent Physical Threats
- New FIPS 140-2 certification provides time savings for Arm security partners
