The Prpl Foundation, the group founded to develop open-source software for the MIPS architecture, has published an overview of techniques intended to improve the security of embedded systems.
The publication, Security Guidance for Critical Areas of Embedded Computing, outlines an approach that Prpl claims is relatively easy to implement and increasingly necessary for embedded systems.
Art Swift, president of Prpl, said: “The internet of things is rapidly connecting our world in ways not anticipated even a decade ago. This connectivity finds its way into everything from light bulbs and home appliances to critical systems including cars, airlines and even hospitals.
“Security, despite its huge and increasing importance, has so far been addressed in piecemeal and often proprietary ways. Given ubiquitous connectivity and the rapid emergence of IoT, the need for a well-designed, structured and comprehensive security architecture has never been greater.”
The Security Guidance Document lays out a set of proposals for a hardware-led approach based on open-source and interoperable standards. According to the document, the core requirement is a trusted operating environment enabled via a secure boot process. This requires a root of trust forged in hardware. This, in turn, establishes a chain of trust for all subsystems.
The document further proposes security by separation, which Prpl calls a time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as paravirtualization, hybrid virtualization, and other methods.
Enforcing secure development and testing: developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.
“Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach,” added Cesare Garlati, prpl’s chief security strategist.
Prpl hopes to see the adoption of standard secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. In the document, Prpl offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.
Jesper Jurcenoks, product manager for vulnerability assessment at Alert Logic, said:
“[The Prpl guidance] is an excellent document showing how to secure embedded computing in a world of IoT. Using detailed examples of recent hacks in embedded computing, it takes the reader step by step through the weaknesses and shows how they can be overcome using methods like root of trust, secure boot process, separation of duties and secure development and testing.”