Skip to main content

A look at foundational security when designing systems or devices

IaaS
(Image credit: madartzgraphics, pixabay)

As cyberattacks continue to evolve, software-only security is no longer sufficient. In fact, according to a 2020 Microsoft report, more than 80 percent of enterprises have experienced at least one firmware attack in the past two years. As changes to computing continue – such as the decentralization from cloud to geographically distributed edge computing – it’s critical that today’s security also be rooted in hardware. Every component – from software to silicon – plays a role in helping to secure data and maintain device integrity.

But the industry faces many challenges, including a lack of physical security. For example, in the datacenter, Cloud Service Providers want to provide assurance from rogue administrators. And at the edge, devices can be unstaffed and in physically vulnerable locations. Furthermore, distributed workloads are no longer monolithic; data is processed through an array of devices and micro-services. To secure the weakest link, data must be protected at every step. And finally, devices producing and processing data are increasingly diverse. Consistent protections need to be applied across code running on all processors, such as CPUs, GPUs, sensors, FPGAs, etc. 

How are hardware vendors building trustworthiness into systems and devices to help combat rising threats?

The security development lifecycle (SDL) was an initiative originally introduced by Microsoft to enhance software security, but is now more broadly applied to all types of products. Hardware vendors use SDL practices to identify threats, mitigations and establish security requirements. In addition to the SDL, it’s essential to have a framework that guides architectural choices and design decisions for new security technologies. This often includes elements or pillars such as foundational security, workload protections, and software reliability. In this article, I’d like to focus on foundational security. 

Foundational security technologies develop a critical base of protection focused on identity and integrity. Customers face a challenge of achieving confidence in a system built from a diverse set of silicon components and providers. Consistent foundational protections across diverse processing devices helps with this. This includes, for example, features designed for secure boot, updates, runtime protections, and encryption, which help to verify the trustworthiness of devices and data. 

The idea of foundational security is to design a system that can bring up components in a known and safe configuration and have all the hooks necessary to keep them so. Regardless of the underlying architecture, a trustworthy computer system is expected to provide continuous protections across its lifecycle and all data states and transitions. Whether the data is in the cloud, edge or a personal device, foundational security can provide assurance that processors and platform components are doing their part in securing data and computing transactions. 

What are some key protection capabilities and technologies that provide the foundation for the end-to-end security vision? 

Roots of trust

Trust is a chain starting from a root (or the root of trust). It’s a secret, which is typically a cryptographic key or set of cryptographic keys burned into the chip, only accessible to the components that are part of the chain of trust. There could be multiple roots of trust in a system (for example silicon/components or platform rooted). A hardware root of trust is responsible for establishing trustworthiness pre-boot and during system runtime. It forms the foundation for security on devices (or a trusted computing base) and a known secure starting point. But it also does so much more, depending on the implementation. Not only does it bring up the device or overall system into a known good state, but it also stores and manages cryptographic keys, and proves identity and measurements to a relying party to establish trust using attestation, reporting, verification and integrity measurements. 

Today, hardware vendors offer roots of trust technologies in the form of security modules, such as Trusted Platform Modules (TPM), with silicon capabilities either integrated within the main processor or as dedicated security co-processors for an extra layer of security. Isolating security functions supports the separation of duty and helps apply Zero-Trust concepts inside the silicon. Emerging hardware security technologies such as Physically Unclonable Functions (PUFs) extract hardware fingerprints and provide a unique identifier for the system. This is very much like a secret key that can be used as a root of trust to establish whether software is executing on the correct platform.

Secure updates and recovery

Roots of trust ensure that a system starts securely, but once in operation how are changes managed? Secure change management and system modifications are inevitable in most hardware. There must be mechanisms for secure runtime updates, code signing, and signature verification. This includes support and enforcement of secure updates of software and firmware, which is critical to maintaining the integrity of a system. Allowing systems to perform unsecure and/or unauthorized updates without enforcing signing requirements can compromise the intended secure execution state of the system. That puts a premium on rollback protections or firmware updates that are allowed only when the firmware can be proven to be newer than the existing version or when approved by a trusted authority. It also means that failures must be anticipated and handled in a manner that leaves the system in a safe and secure state (i.e., recovery). 

Failure modes and effects must be considered during system design. In addition to the default modes of operation for boot and updates, recovery modes (either enabled by the user or automatically applied by the system) can help detect issues or unexpected behaviors.

Data encryption and protection 

When it comes to data encryption and protection, having dedicated circuits is truly unique for acceleration. Hardware implementations are faster. And there’s a constant race to improve crypto performance. The community wants (and needs) data to be encrypted. It’s one of the most valuable resources any organization manages. Confidentiality is primarily protected through data encryptions and strong access control. In addition to roots of trust and system security (such as secure boot chain, updates, recovery, etc.), additional encryption can help verify that only trusted code and apps run on a device. But as encryption is applied to different parts of a system, it can impact performance. 

Understanding where those performance impacts intersect with new technologies is critical when designing a system. But advancements in crypto performance are helping to create more secure, high-performing designs. This includes capabilities such as new instructions for public key cryptography acceleration (which can help lower costs), full memory encryption, and link encryption. As well as additional future technology innovation that’s helping prepare for post-quantum resilience and homomorphic encryption.

Foundational security advocates for a systems-based view of security. All these components work as part of a system to manage the code that enables data flows. Trustworthiness is now a systems challenge. It extends to all types of processing devices as workloads move across platforms. Every device, system, and workload should have integrity and identity across its lifecycle and transitions. The goal is to have every piece of silicon attest its genuine identity and security state at any time. Whether the data is in the cloud, edge, or a personal device, customers want confidence that the silicon is doing its part in securing the data and computing transactions. 

To learn more about foundational security in hardware, check out the Trusted Computing Group, Distributed Management Task Force or the NIST Platform Firmware Resiliency Guidelines.

Asmae Mhassni, Principal Engineer, Intel

Asmae Mhassni is a principal engineer focused on silicon security architecture and resiliency design for hardware, embedded firmware, and system security engineering at Intel.