An effective way to safeguard embedded systems is to protect the running program code against tampering and implement secure boot.
Software for embedded systems is based more and more on open system platforms – Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (APIs). Such standards simplify software development between several teams within a large enterprise or even between different software companies. And similar to the success of software for traditional desktop systems or smart phones, developers can find more solutions that can be purchased from third parties instead of developed in-house.
However, this new open world also makes embedded systems vulnerable to attacks from two main challenge points. First, the embedded system can be attacked directly from the Internet. Execution codes can be replaced or modified by malicious code during code updates. Weaknesses in the code itself can also be exploited. Secondly, hackers have access to the same open source information as the developer. With knowledge of the execution code binary structure, hackers can use powerful development/analytical tools to directly modify the code in a static attack. Furthermore, with knowledge of the memory and process architecture, the hacker can initiate a dynamic attack by inserting malicious code into the boot process.
Recent examples of such exploitations include successful attacks to POS systems to steal credit card numbers or ATM machines to steal cash. The Internet of Things (IoT) now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers who can be located anywhere in the world.
One solution to prevent such attacks is the installation of security barriers between the code and the open internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.
A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system to start any unauthorized code. This also includes protecting the open system platform itself to prevent hackers from installing their own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized operating system.
There are two advantages to this approach. First, the execution code is authenticated by a private key accessible by the developer or owner of the key; no other source is possible and the code cannot be modified during delivery or on the embedded system. Second, the execution code is encrypted and cannot be easily reverse engineered by a hacker or a competitor.
Our CodeMeter technology provides this type of code protection at all levels of an embedded system where software components are running. The authentication process begins in the BIOS, which will only start an authorized operating system, through the loader in this operating system which only accepts execution files of authorized programs, and up to the ability that these programs can load only applets or dynamic libraries with authorized dynamic extensions. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key schema. All components (BIOS, operating system, optional loader, application and applets) can come from different development departments or companies. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
I invite you to view a pre-recorded Webinar to see how CodeMeter enables the flexibility of secure code upgrades, which will be required in the ever evolving world of connected embedded systems, with the security of the closed, non-changeable, unconnected systems of today.