Secure Software Updates Via Embedded Integrity Protection
17/12/2014 Marcellus Buchheit
Software for embedded systems is based more and more on open system platforms, which are however vulnerable to attacks from hackers.
Software for embedded systems is based more and more on open system platforms, such as Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (API). Such standards simplify software development between several teams within a large enterprise or even in different software companies. And similar to the success of software for traditional desktop systems or smart phones, you can find more solutions that can be purchased from third parties instead of developed in-house.
However, this new open world also makes embedded systems vulnerable to attacks from hackers who also know the system platforms very well. Current examples of such threats include successful attacks to POS systems to steal credit card numbers or ATM machines to steal cash. The IoT now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers located around the world.
One solution to prevent such attacks is the installation of security barriers between the code and the open Internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.
A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system to start any unauthorized code. This also includes protecting the open system platform itself to prevent a hacker from installing his own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized platform.
Wibu-Systems CodeMeter technology provides consistent code protection at all levels of an embedded system where software components are running. Beginning in the BIOS, which will only start an authorized operating system, through the loader in this operating system which only accepts execution files of authorized programs, and up to the ability that these programs can load only applets or dynamic libraries with authorized dynamic extensions. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key schema. All components (BIOS, operating system, optional loader, application and applets) can come from different sources. Dynamic updates of any component is possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
This technology enables the flexibility of secure code upgrades, which will be required in the ever evolving IoT world, with the security of the closed, non-changeable, unconnected systems of today. It is currently available in the latest version of VxWorks Real Time Operating System and will also be available for other platforms in the coming months. The technology is based on secure keys which are stored in a security device and which can be integrated as a chip directly into the system hardware or attached as a USB Stick, SD, microSD or CF Card.
If you are interested in learning more about Integrity Protection for embedded systems, download our whitepaper.