EN 
DE A holistic approach to designing absolutely secure systems
Author: André Schmitz, Green Hills Software
Contribution – Embedded Software Engineering Congress 2017
Security is becoming increasingly important in today's world of networked systems. Everyone immediately understands the importance of protecting personal data, company data, and assets in general. Even with networked embedded systems, significant emphasis is now placed on securing and encrypting data transmissions and data storage. While the buildings housing the servers are highly secure, security gaps in embedded systems are all too often overlooked, making the entire system vulnerable. Therefore, a much broader approach is needed to secure embedded devices, encompassing all aspects of development, production, and maintenance. This article presents interesting examples of attacks and vulnerabilities in various systems, particularly those where a seemingly minor detail was compromised. Subsequently, a holistic approach is introduced that enables the production of absolutely secure systems. A wide range of areas are examined, including software development and system architecture, key and certificate management, and the manufacturing process. Only when all areas are considered in the vulnerability analysis can the system truly become absolutely secure.
Security in Embedded Software
In this article, I often use the English word "security" because the German word "Sicherheit" is too ambiguous. I'm referring to the security of software against attacks that exploit vulnerabilities in a system to steal or alter data. In this context, an embedded system is itself a data storage device or is connected to other entities, such as other devices or central data centers, via communication channels. The goal of security engineering is therefore to protect data against unauthorized access or modification. Encryption technology is used for both stored and transmitted data.
Even today, considerable effort is invested in securing networked systems. There is even a server farm housed in former military bunkers, equipped with state-of-the-art access control systems [1]. With data encryption and data center security, it is often believed that everything has been done to ensure the overall system's security. However, the security architecture of the end devices is sometimes ignored, resulting in inadequate protection. Systems are often built on unreliable operating systems and software architectures, access control is deficient, keys and certificates are poorly protected—in short, the embedded devices are relatively easy to attack, potentially compromising the entire network.
Examples of insecure systems
An example of such an attack on end devices occurred in the USA in early 2014. Thousands of payment terminals belonging to Target, a North American department store chain, were attacked, and payment data from over 40 million customers was stolen. The economic damage is estimated at many billions of US dollars [2][3].
Today, there are also botnets that utilize not the computer on your desk, but the embedded computers in your household appliances. In a case that came to light in 2014, televisions and refrigerators were used as clients of the botnets [4]. The company Gemalto was allegedly hacked by the NSA and the British GCHQ in 2010 and 2011 to steal SIM card keys. Also in 2011, the Netherlands-based certificate authority DigiNotar was hacked, and a number of certificates were illegally created that could impersonate websites, such as Google's [5]. A few years later, in 2015, the company D-Link made an embarrassing mistake. When disclosing the GPL-licensed source code on a website, the private keys hard-coded in the code were also exposed. This instantly rendered all network devices based on these keys insecure. Furthermore, in 2015, a Symantec employee who had been dismissed created unauthorized certificates for websites. It appears that the dismissal was not by mutual agreement. All of this demonstrates the importance of a holistic approach, and in particular, securing endpoints. The following chapters present a strategy for achieving absolute security.
Topics of holistic security
Looking at the examples above, we see two possible types of attacks: external attacks, meaning attacks from external or third-party attackers, and internal attacks, meaning attacks from within the company itself, as illustrated by the Symantec case. Furthermore, a distinction can be made between attacks via the network (Internet) and physical attacks through direct access to the device. The specifics of a holistic security approach naturally depend on the results of the threat analysis, which should definitely be conducted at the beginning of the project. This analysis should address all aspects of the product, its use, and its manufacturing. In most cases, this includes the development process, the hardware and software architecture, cryptographic methods, key and certificate management, the manufacturing process from supplier to final product, and maintenance and support (including software updates). Let's take a closer look at each of these aspects.
Development process and architecture
This broadly concerns measures that reduce the number of vulnerabilities in a system or completely eliminate their negative impact. Imagine you have adequately secured the stored and communicated data through encryption. Even then, you will eventually need to process the data unencrypted in your memory. If, in this case, there is even a single vulnerability in the system that could grant an attacker access to this memory, you are doomed. Therefore, you must achieve strict and reliable data separation to isolate the data from the vulnerable software components.
A proven principle for achieving this goal is the High Assurance Security Engineering. This principle requires that software development be aligned with the following five guidelines:
- Minimizing complexity,
- Restrictive (minimal) rights allocation,
- Division into components,
- Secure development process,
- Independent validation by experts.
In ESE articles of recent years [6][7] I have already presented this concept several times and will therefore not go into detail about it here.
Cryptography, keys and certificates
This section deals with the correct cryptographic methods and the proper handling of keys and certificates. The latter was not successfully implemented by D-Link in the example above. An important aspect of Kerkhoff's principle [8] is that the key must be kept secret, but the algorithm may be public. Therefore, it is essential to ensure that the key (or the private key in asymmetric encryption) remains secret. Hardware security modules (HSMs) are often used in this context, as they can assist in both calculating and securing the keys. However, the use of an HSM alone does not guarantee a secure system.
Extensive publications exist on cryptographic methods [9]. A wide variety of methods and algorithms are available for different use cases. You can also decide whether to use the same key for all devices or to equip each device with a device-specific key. The latter allows you to unlock device-specific functions and verify the device's authenticity in the field. It is best to consult with experts (e.g., [10]) who can provide suitable suggestions for your use case.
Supply and manufacturing
This area is often underestimated. It's about making the entire manufacturing chain, from the supplier to the production of the final product, absolutely secure. This specifically addresses the aspect of internal attacks, the vulnerability overlooked by Symantec.
Let's first look at the end of this chain. Somewhere in the world is the factory that manufactures your devices. There, the hardware is assembled, tested, and the final product software is installed. This is also where the keys or certificates are typically installed. The keys and certificates are usually stored on servers in the factory (and hopefully not hard-coded into the software) and are transferred to a secure location on the device at the end of the production line. As we saw above, however, the keys are the elements of the security architecture that need the best protection. Anyone who gains access to the key servers and finds a way to read the keys can, in principle, completely compromise the entire security concept. Since the computers in a factory are usually connected to the company network, at least for maintenance purposes, and this company network in turn has gateways to the internet somewhere, the security of your embedded system suddenly becomes dependent on the security of your entire company network.
If the factory is located in your own buildings at your own site and connected to your own network, then at least you retain direct control over this infrastructure. But what if the factory is located at a subcontractor's facility in the Far East, whom you have contracted to manufacture your devices for cost reasons, and you yourself have no direct network connection there or can only establish a connection via the internet? How do you then ensure that your keys are secure there as well? You also need to integrate your suppliers, who manufacture parts of your hardware or software, into the security concept. Addressing this complex issue cannot, of course, be summarized in a few paragraphs. Therefore, I recommend seeking consulting services from experienced security experts (e.g., [10]).
Maintenance and updates
This section deals with how to monitor the software on your system and how to install new software when necessary. Unfortunately, common computer practices often give us a false sense of security through updates. In reality, the computer was essentially just as insecure before the update as it was after; the update only protects the computer from the most recently discovered and disclosed vulnerabilities. Updates allow the installation of new software that fixes known bugs or changes the device's functionality, and they should be used for this purpose.
If you want to allow software updates, the update concept also affects the system's boot process. To ensure that the loaded application software is indeed the correct one and hasn't been replaced or modified by an attacker, you need secure boot concepts. The loaded application must be digitally signed, and the OS loader must verify the validity of the digital signature using cryptographic methods. Similarly, the operating system and the loader must be digitally signed, which is also verified by the bootloader, and so on, creating a "chain of trust." The trustworthiness of each layer is based on the trustworthiness of the layer below it, starting with a "root of trust," whose trustworthiness can be assumed and is often derived via certificates and keys securely stored in an HSM or TPM.
Summary
A chain is only as secure as its weakest link. Similarly, an embedded system, and its associated network infrastructure, is only as secure as the weakest element in its entire product lifecycle. Holistic security approaches must therefore cover a broad range of topics to ensure that all elements of product development and manufacturing exhibit the same high level of security. Use a development process designed with security engineering in mind. Select a suitable hardware architecture that may include an HSM to accelerate cryptographic operations, as well as a key and certificate store. The software architecture should be designed with a focus on modularization and isolation between the security software and other, untrusted software. Consider not only the cryptographic methods but also, and especially, the handling and security of the cryptographic keys. Find a way to securely exchange security-relevant data within your network of suppliers and manufacturers and prevent any kind of misuse. And last but not least, use a clean boot process with a strong chain of trust.
Bibliography and list of sources
[1] https://www.thebunker.net/about-us/facilities/
[2] Chicago Tribune – Jonathan Stempel: „Target, security auditor Trustwave are sued over data breach“; March 26, 2014
[3] https://articles.chicagotribune.com/2013-12-20/business/ct-biz-1220-target-theft-20131220_1_debit-card-data-breach-accounts
[4] https://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1
[5] https://en.wikipedia.org/wiki/DigiNotar
[6] „Security in the Internet of Things“, Andre Schmitz, ESE Congress 2014
[7] „Developing Secure Embedded Software“, Andre Schmitz, ESE Congress 2009
[8] https://de.wikipedia.org/wiki/Kerckhoffs%E2%80%99_Prinzip
[9] https://de.wikipedia.org/wiki/Kryptographie
[10] https://www.ghsiss.com/
Our training courses & coaching sessions
Do you want to bring yourself up to date with the latest technology?
Then find out more here Regarding training courses/seminars/workshops and individual coaching sessions offered by MircoConsult on the topic Quality, Safety & Security.
Training & coaching on the other topics in our portfolio can be found here. here.
Quality, Safety & Security – Expertise
Valuable expertise on the topics of quality, safety & security is available. here Available for you to download free of charge.
You can find expertise on other topics in our portfolio here. here.
