Design & Reuse

Secure RTOS enables high security for microcontroller systems

Now that the low-hanging fruit of phishing, weak passwords, inadequate authentication, and weak privilege enforcement are disappearing, hackers are being forced to find new ways to penetrate corporate networks and devices. The vast number of totally vulnerable devices currently connected to corporate networks presents a fertile opportunity for this. So far, device security has received much discussion and little action. This is about to change.

www.embedded.com/, Aug. 20, 2023

Over the past several years we have been working on a secure RTOS for MCU-based devices, in particular Cortex-v7M and v8M. This RTOS has many innovative features to contain and limit security breaches. The purpose of this article is to present these features and to show that by using them it is possible to achieve highly secure devices.

SecureSMX is based upon the smx real-time, multitasking kernel, which has provided reliable operation for hundreds of embedded systems over the past 30 years. It provides flexible and extensive solutions to enable OEMs to incorporate effective security protection into their embedded and IoT devices within reasonable time and cost constraints. The foundation for this security is isolated partitions, which are not easily achieved for such systems. Partitioning has numerous advantages:

  • Permits hardware-enforced separation of privileged and unprivileged code, and control of access to system services, data, memory areas, and I/O registers.
  • Makes possible other protections such as runtime limiting and limiting access to objects. Without hardware-enforced partitioning, such limits can be easily circumvented.
  • Allows focusing scarce programmer talent on strengthening the most critical partitions.
  • Protects against zero-days. These often sell for a great deal of money and are closely guarded secrets of national security agencies [Ref 1]. However, a hacker might just as well use an unpatched, known vulnerability because either way he will end up in an isolated partition with strong limitations on what he can do without hitting a trip wire. If a non-critical partition has been penetrated, the system will continue doing its basic functions. This gives the security team time to fix the problem, rather than always playing catch-up.
  • Hardware enforcement of the good programming practices of modular code with well-defined interfaces. These not only result in higher-quality code, but also shorter integration and debug times.
  • Partition-only recovery. When the hacker trips any of numerous checks, an immediate Memory Manage Fault (MMF) exception occurs. This can be used to shut down the partition and then reinitialize it. This is preferable to rebooting the whole system, since it does not stop normal operation.
  • Partition-only updates. If nothing else moves, partitions can be updated individually. This eliminates the need to expose mission-critical code to insider attacks. Updating is limited to vulnerable partitions, which are being attacked. Legacy and trusted code has usually been exhaustively tested and will seldom require updates. Insider attacks are a much bigger problem than is generally acknowledged [Ref 2].
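
The partition-only recovery described in the list above, as an added host-side C model that is not code from the article or from SecureSMX. The partition names, the memory map and every function name are constructed assumptions; on a real device the Cortex-M MPU performs the region check in hardware and raises the MMF itself.

```c
/* Host-side model of partition-only recovery; constructed example, not SecureSMX code. */
#include <stdint.h>
#include <stdio.h>
#define NREG 2
typedef struct { uint32_t base, size; int writable; } region_t;  /* one MPU region */
typedef struct {
    const char *name;
    region_t reg[NREG];  /* regions active in the MPU while this partition runs */
    uint32_t counter;    /* stand-in for the partition's runtime state */
    unsigned restarts;   /* how often this partition was reinitialized */
} partition_t;

/* Constructed memory map: each partition sees only its own RAM plus one other region. */
static partition_t parts[2] = {
    { "control", { {0x20000000u, 0x1000u, 1}, {0x40010000u, 0x400u, 1} }, 0, 0 },
    { "network", { {0x20001000u, 0x1000u, 1}, {0x08004000u, 0x1000u, 0} }, 0, 0 },
};

/* The whole access must lie inside one region that grants the requested permission. */
static int mpu_allows(const partition_t *p, uint32_t addr, uint32_t len, int write) {
    for (int i = 0; i < NREG; i++) {
        const region_t *r = &p->reg[i];
        if (addr >= r->base && len <= r->size && addr - r->base <= r->size - len)
            return !write || r->writable;
    }
    return 0;
}

/* Model of the MMF handler: shut down and reinitialize only the faulting partition. */
static void mmf_handler(partition_t *p, uint32_t addr) {
    printf("MMF in %s at 0x%08x, restarting it\n", p->name, (unsigned)addr);
    p->counter = 0;
    p->restarts++;
}

/* One memory access by partition id; returns 1 if it completed, 0 if it faulted. */
int part_access(int id, uint32_t addr, uint32_t len, int write) {
    partition_t *p = &parts[id];
    if (!mpu_allows(p, addr, len, write)) { mmf_handler(p, addr); return 0; }
    p->counter++;
    return 1;
}
uint32_t part_counter(int id)  { return parts[id].counter; }
unsigned part_restarts(int id) { return parts[id].restarts; }

int main(void) {
    part_access(0, 0x20000010u, 4, 1);   /* control works in its own RAM */
    part_access(1, 0x20000010u, 4, 1);   /* network reaches into control's RAM: MMF */
    printf("control=%u restarts=%u\n", (unsigned)part_counter(0), part_restarts(1));
    return 0;
}
```

The faulting partition loses its state and is restarted, while the other partition's counter is untouched, which is the property the article contrasts with rebooting the whole system.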
