Guest Speaker: Jon Geater, CTO Thales – Mon SEP 10, 8-9am PT

Interoperability of trust: Device Standards, Container Standards, and the Missing Link.

Different devices have different levels of trust and security. These can range from being based on cryptography and secure provisioning – anything from hardware TPM through Secure Element to TEE/SGX to soft agents – to secure Root of Trust code, or on occasion there is just a certificate. When we come to use those, we need to distinguish who has access to those capabilities. This can be done with TrustZone, virtualization or Linux containers with or without SELinux or Kubernetes. The gaps between those two ends can be quite significant.

In this presentation, Jon Geater will introduce a set of considerations for the group that make it hard for an operating company to gain a consistent idea of how trusted all their different devices are, especially in a large device population. From this, they can then identify which threats they do or do not need to worry about in any given circumstance.

 

Jon Geater

Chief Technology Officer, Thales e-Security, Inc.
Jon Geater is Chief Technology Officer for Thales eSecurity. Over his career he has had extensive experience of securing information systems from embedded components of a smart phone to international rail systems, smart energy networks, cloud computing platforms and worldwide payments infrastructure. He has held technology leadership roles in hi-tech companies such as Trustonic, ARM and nCipher.

Website https://blog.thalesesecurity.com/author/jon-geater/
Follow Jon on Twitter http://twitter.com/jongeater

[Contact mirko dot lindner at prplfoundation.org for details]

Birds of a Feather – Santa Cruz New Tech Meetup, RISC-V and prpl

By Art Swift
President, prpl Foundation

Images courtesy of Darrel E. Santa Cruz New Tech Meetup

Remember the old adage, “Birds of a feather flock together”? The Farlex Dictionary of Idioms says the expression comes down to us from the 16th century, and suggests that people who have similar interests, ideas or characteristics tend to seek out and associate with one another. It applies today as well, and the vibrant tech meetup scene is a good example.

I saw this idiom in action when I recently made a presentation at the Santa Cruz New Tech Meetup, a monthly meetup with more than 4,000 members.  Given Santa Cruz’s eclectic blend of residents, this meetup brings together students and professors from the University of California – Santa Cruz, local tech entrepreneurs and workers, commuters who drive “over the hill” to Silicon Valley, and tech-savvy local residents. Interest in exciting emerging technologies is what brings these “birds of a feather” together.

Event organizer Doug Erikson invited me to speak on the new RISC-V processor architecture, which is starting to be viewed as a platform of choice for innovation in processor architecture design.

RISC-V is a U.C. Berkeley computer architecture project that was spun out into a non-profit foundation in 2015.  The project revolves around a free and open alternative to Arm and other legacy instruction set architectures. RISC-V has taken off like wildfire in the last year, with more than 100 member companies and universities supporting the project, and thousands of community members worldwide following it.

My talk at the meetup was about how the world can benefit from a free and open instruction set architecture, and how companies big and small are using it.

So, you might ask, what’s the link between the prpl Foundation and RISC-V?  Once again, it’s the “birds of a feather” adage at work. Areas of common interest include:

  • Both are non-profit foundations backed by industry contributions;
  • Both foundations emphasize open standards and open source software;
  • Both have a keen interest in security, embedded devices and the IoT;
  • Both have a focus on innovation and enabling new technologies;
  • And the organizations have members in common, including Imperas and Microsemi which are quite active in both.

As for myself, in my copious spare time away from my role as the president of the prpl Foundation, and as a member of the founding team at the RISC-V-based AI startup, Esperanto Technologies, I volunteer for the RISC-V foundation as the vice chair of the Marketing Working Group. In addition, I participate in the RISC-V security working group, as does prpl’s Chief Security Architect Cesare Garlati, where prpl member Microsemi’s Rich Newell is the vice chair.

If you are not a member of both organizations yet, I invite you to get involved! Please contact me if you need additional information on membership in the prpl foundation or an introduction to the RISC-V foundation team. Let’s flock together and work on areas of common interest!

prpl @ Embedded World 2018

Last month, prpl attended Embedded World at the Nuremberg Exhibition Centre, Germany. From February 27th to March 1st 2018 the focus was on all things embedded systems, with members of the embedded community coming together from all over the world.

Embedded World is definitely becoming the leading event throughout the world for all things embedded.

There was a definite emphasis on Artificial Intelligence this year, from voice recognition to financial applications, to mapping tools. What’s new is the realisation that AI can definitely take advantage of both cloud and end point. In the past, AI was definitely relegated to the context of the cloud.

Now, given the exploding power of silicon, more and more parts of the AI application can be moved to where the data matters – the end point. For example, in a car with a self-driving application, the important decisions are processed in real time with low latency. There is the expectation in terms of connectivity that all the AI functionality, data models, training algorithms and everything else is reliable.

 

The Growing Adoption of the Open Source Model Across Technology

Open source is nothing new. It’s been around for many, many years, both on the consumer side and in industry. What’s interesting now is to see open source also applied to hardware-related software stacks. I’ve seen great progress on the Linux Foundation sponsored project Zephyr, and the involvement of Linaro, which from the commercial side is a very powerful entity. This combination is definitely going to produce some very interesting results!

We’re also seeing many other vendors proposing open source packs for connected devices, AI and embedded in general. What’s really interesting to observe are the benefits that the open source model brings to vendors in terms of control of the technology strategy itself. Open source in a business-to-business context is not about saving money; there are still costs in developing it. In the end it’s not a financial decision, it’s about controlling the platform so that the product can better fit the specific requirements set out.

Moving to hardware, we were really intrigued by the ten presentations we saw during the RISC-V track at the event. What’s really impressive is the variety of the ecosystem that is developing around this new iteration of the open source processor, developed by the Berkeley EECS department. It’s called RISC-V because this is the fifth iteration. It’s the first time we’ve actually seen such a broad ecosystem developing around this technology. With everything from silicon vendors, tools, IP and simulation to security, all the building blocks are coming together. It’s very interesting to see both large players, as well as small, dynamic and innovative startups.

The other interesting aspect of RISC-V was the real driver behind adoption of open source hardware. A number of presentations at Embedded World actually showed that the one-size-fits-all model cannot really extract the best out of existing technology. Sometimes, the things we can buy off the shelf aren’t exactly tailored to optimise what we want to do. The example of extreme low power applications for energy harvesting devices is really interesting. In this case, by relying on open source, researchers were actually able to develop components that were able to run at 90% power, compared to the same processor that would result from a traditional commercial license.

This is the true benefit of open source hardware – extreme customisation and optimisation to really deliver the most that technology can do these days.

The time is now for open source hardware!

Open source hardware is extremely important in 2018, because the evolution in terms of silicon technology is about to reach the limits imposed by the physics of silicon. Therefore it’s important to take the best out of the technology that we are getting; and the extreme optimisation in terms of low-power, high-performance specialised custom hardware is possible only through open source.

Is Linux really coming to Embedded?

The other common theme that I’ve seen at Embedded World is Linux. Linux for the most part is relegated to data centre applications, computing applications, phones and so forth. Is it now coming to embedded?

We’d like to highlight the example of the high level of interest that we had in our OpenWrt 101 class. OpenWrt is a great example of community driven technology. The industry sees the commercial value and here’s where the community and industry come together. It was very revealing to see the role that a non-profit organisation such as prpl Foundation can play in matching the diverging requirements between industry and open source communities.

Prpl Foundation is an open-source, community-driven, collaborative, non-profit foundation with a focus on enabling next-generation datacenter to device portable software and virtualized architectures.

Highly optimised Linux systems are very open to third-party packaging and are definitely becoming more mainstream. In the room during the class, we saw the direct interest of one of the top three network device vendors in the world. Here, they were explaining how they are putting this in production. At the same time, the number one vendor of smart lighting solutions was looking into embedded Linux and OpenWrt to provide smart ceilings, a very interesting proposition!

Security

Every year there’s a growing interest in the subject of security. We see more and more talks, more conversations and more products. The industry seems to realise that if it is not secure, it doesn’t work. This is true of software, communication protocols and applications, but finally we see this now on hardware. With this in mind, more companies are providing solutions and products to secure the hardware itself. This is so important because the lower we go in the technology stack, the more resilient the protection is. This isn’t to say that we only need hardware security, we need all security layers! What multilayer security has been missing so far was the actual hardware security.

We are seeing some very interesting tech developments so far, especially from startups. Something that’s intriguing is the idea of keeping track of all the metadata which, present in high level programming languages such as C or Java, traditionally gets lost in the compilation process. Now we are looking at keeping some of this metadata to offer to the hardware itself so that it can get a sense of the security context of the application when it executes every single instruction.

Hypervisors

It looks like 2018 at Embedded World was really the year of Hypervisors. In past editions, hypervisors were mentioned in presentations and by vendors more as an interesting new alternative to traditional ways of creating security with separations within systems. This year was more about showing real world applications. There are so many! They tend to be really mission critical applications from bionics to transportation to defence. Hypervisors are here to stay.

At the same time however, something presenters and exhibitors pointed out is that hypervisors are not all created equally. This isn’t to say that some are better than others, but rather about understanding all the differences and what fits better in specific use cases. For example, some hypervisors tend to be extremely thin, which is not only good for the system footprint and overhead but also for security. The smaller the piece of software, the smaller the attack surface.

Small is good, but can’t provide the richness of functionality an application might require, especially if they want to run rich operating systems such as Linux. This is an interesting trade-off that needs to be made based on a specific application, where one vendor offers an extremely thin but minimal functionality type of hypervisor and another provides something a little richer in functionality but definitely has a larger overhead in the system as a whole.

What was also very interesting was that for the first time, we saw shared data from benchmarking the performance of hypervisors on embedded systems. In particular we liked this comparison of an extremely thin hypervisor (for example the prpl open source hypervisor) and a well established commercial product (like Seltech FOXvisor) which has richer functionality and was benchmarked in microtests that would actually run Linux. Obviously numbers in terms of performance were different, but at the same time the breadth of application was covered.

PUF – Physically Unclonable Functions

This year looks like the year where PUF becomes a commercial reality. In previous editions, we presented some of the most promising attempts at this technology – some of which are included in the prplSecurity framework, and in particular the prpl PUF API. In the past we showed proofs of concept and this year I gave a presentation with the world industry leader in commercial applications of SRAM PUF, which is prpl member Intrinsic ID.

We took the time to go through specific industry use cases as well as real world use case examples. In particular we showed how SRAM PUF technology can help secure IP within the processor itself and how this is delivered in the firmware. In this case, it’s encrypted but with a key which is specific to the device. This is about overproduction, grey market and all the issues that embedded systems vendors know well, and is a way to protect the firmware itself from unwanted duplication and clones.
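
The device-specific key described above has to be re-derived from noisy SRAM start-up values at every boot. The sketch below is an added example (not code from the presentation, Intrinsic ID or the prpl PUF API) showing one textbook way to do that, a code-offset scheme with a repetition code, and why helper data copied to a cloned board does not yield the firmware key. The SRAM patterns, noise pattern, code length and KDF label are constructed assumptions.

```python
import hashlib
import hmac

REP = 5         # assumed repetition-code length: corrects up to 2 bit flips per group
KEY_BITS = 128  # assumed size of the enrolled secret

def bits_from(seed: bytes, n: int) -> list:
    """Deterministic stand-in for SRAM start-up bits / enrollment randomness (constructed)."""
    out, ctr = [], 0
    while len(out) < n:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend((byte >> i) & 1 for byte in block for i in range(8))
        ctr += 1
    return out[:n]

def enroll(sram: list, secret: list) -> list:
    """Public helper data: repetition codeword of the secret XOR the SRAM pattern."""
    codeword = [bit for bit in secret for _ in range(REP)]
    return [c ^ s for c, s in zip(codeword, sram)]

def reconstruct(sram: list, helper: list) -> list:
    """Recover the secret from a (noisy) SRAM read-out by majority vote per group."""
    noisy = [h ^ s for h, s in zip(helper, sram)]
    return [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, len(noisy), REP)]

def derive_key(secret: list, label: bytes = b"firmware-encryption") -> bytes:
    """Turn the recovered bits into a purpose-bound 256-bit key (HMAC-SHA256 as KDF)."""
    raw = bytes(sum(secret[i + j] << (7 - j) for j in range(8))
                for i in range(0, len(secret), 8))
    return hmac.new(raw, label, hashlib.sha256).digest()

def demo() -> dict:
    device_a = bits_from(b"constructed-device-A", KEY_BITS * REP)
    device_b = bits_from(b"constructed-device-B", KEY_BITS * REP)  # a cloned board
    secret = bits_from(b"constructed-enrollment-rng", KEY_BITS)    # real use: a TRNG
    helper = enroll(device_a, secret)           # stored in flash, not secret
    # Later power-up of device A: every 7th cell flips (at most 1 flip per group).
    noisy_a = [b ^ (1 if i % 7 == 0 else 0) for i, b in enumerate(device_a)]
    enrolled = derive_key(secret)
    return {
        "same_device": derive_key(reconstruct(noisy_a, helper)) == enrolled,
        "clone": derive_key(reconstruct(device_b, helper)) == enrolled,
    }

if __name__ == "__main__":
    print(demo())  # firmware key is recovered on device A only
```

Production SRAM PUF implementations use stronger error-correcting codes than the repetition code used here for readability.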

Another very interesting use case is that of an actual secure device connecting to the cloud. We looked at the example of AWS and how the SRAM PUF technology can in fact create a unique identifier for each device and automatically generate a cryptographic key pair and a certificate.

The presentation showed how this can now be done with ECC, which is the best you can aim for in an embedded, low-power, constrained device because it provides the same level of security with a much lower energy requirement and processing requirement.

prpl at Embedded World: Thursday

The final day of Embedded World saw prpl involved in three presentations.

First, Jack Greenbaum of Green Hills Software joined Cesare Garlati to talk about “Embedded Hypervisors: Hype or Reality?”

In the next session in the same track, Shoi Egawa from Seltech joined Cesare to speak about Benchmarking Hypervisors.

Finally, we ended our day joined by Geert-Jan Schrijen from IntrinsicID.

As well as the sessions, several of our presenters joined us for a short interview on their talk subject. Some of these interviews were recorded, and all will be shared online in the upcoming days!

We want to thank our presenters again, as well as those of you who joined us for the talks on Thursday. We’re looking forward to seeing you all there next year!

prpl at Embedded World: Wednesday

We had a very successful day at Embedded World today, with presentations from Luka Perkov of Sartura, and Michael Hohmuth and Adam Lackorzynski from Kernkonzept.

Luka, one of the core developers of OpenWrt, led a class on how to build a Linux embedded system in 30 minutes.

In our second session Michael Hohmuth and Adam Lackorzynski led us in a live hacking session about Hardware-enforced Virtualization of a Linux Home Gateway.

We had a lot of very insightful comments and questions from the session attendees and we’re looking forward to our three talks tomorrow, Thursday March 1st.

13:30 – 14:00
Embedded Hypervisors: Hype or Reality?
Room: Helsinki
NCC Ost

14:30 – 15:00
Benchmarking Embedded Hypervisors Performance – the Facts
Room: Helsinki
NCC Ost

15:30 – 16:00
Physically Unclonable Functions to the Rescue: A New Way to Establish Trust in Silicon
Room: Istanbul
NCC Ost