Neighborhood watch: CPU vendors lock in security
Mentor Graphics recently asked me to present a keynote speech at their conference on embedded safety and security. The company’s position is that outside the realm of DO-178B/254 (software/hardware) for avionics, or NIAP-certified MILS/MLS in certain defense applications, the general embedded market doesn’t pay diddly attention to security. My contact at Mentor defines “security” as: protecting key data in bank transactions or medical records, making sure that data at-rest or on-the-fly is unaltered from its originator’s intentions, and verifying that systems operate as they were intended without any intervention by bad actors or intentional malware1. For the purposes of Mentor’s venue, safety was similarly lumped in, though Robert Dewar, president of Ada software company AdaCore, correctly defines “safety” as a system that always works lest it lead to loss of life such as in an aircraft or petroleum refinery.
Be it safety or security, most embedded systems ain’t got it. Software, board, and systems designers give scant attention to these topics, as evidenced by how easily hackers broke into Predator UAV video feeds; the example of how Estonia, “the most wired country in Europe,” had its banks shut down in 2007 by hackers; or possibly even the unexplained acceleration on some Toyotas, which some pundits say might have been something intentionally created by an outsider. Rather than leave safety and security to chance, both Freescale and Intel are putting big effort into their silicon and related ecosystems with new features, instructions, and logic blocks. And boy, am I impressed with their efforts.
Freescale cries “uncle” for AltiVec
As we went to press in late September, Freescale announced that AltiVec technology would be added into P3, P4, and P5 QorIQ multicore processors over the next several months. On the surface, the popular AltiVec SIMD vector processor has nothing directly to do with safety or security, but the QorIQ platform’s Trust Architecture (TA) is extremely comprehensive and impressive at securing embedded systems. In military applications, the QorIQ has been a real dud follow-on to the popular MPC74xx PowerPC CPUs with AltiVec, causing mil designers instead to flock to Intel’s x86s in Core 2 Duos, Xeons, and Core i5/i7 CPUs. I’m betting that putting AltiVec into QorIQ will at last give a road map to legacy PowerPC designs and slow Intel’s socket-stealing Blitzkrieg. If this happens, the Trust Architecture becomes a hugely significant addition to next-gen DoD designs and COTS single board computers.
The Trust Architecture uses a secure-boot feature to bring up the system in a known (and trusted) state, then maintains that during runtime. Designers can be confident that the software initially loaded into the system or during updates is as-expected. Freescale added functional blocks to the QorIQ to protect against: 1. Theft of functionality, where legitimate users lose control; 2. Theft of third-party data – to an unauthorized party; and 3. Theft of uniqueness, via reverse engineering or duplication. The multicore CPU can boot securely from onboard memory enabled by a fuse, and can even utilize an onboard hypervisor to virtualize all the CPU’s cores, not just the e500mc-vcpu virtual boot-up logic. There’s even an “X” bit in the TLB that controls whether a memory page’s contents can be executable instructions2. The architecture is complicated and more than I want to cover here, but the features in the TA fill 23 pages in Freescale’s An Introduction to the QorIQ Platform’s Trust Architecture. DoD designers will want to take a second look now that AltiVec is on the way.
Intel, McAfee, and Embedded
At the recent Intel Developer Forum (IDF), CEO Paul Otellini made it clear in the opening keynote that one of Intel’s three Pillars of Computing is Security, in a world of always-on computing, “20 billion” mobile Internet devices, and an increasingly unsafe world of targeted security breaches and organized crime-based hacks. The company just did its biggest acquisition ever: the $7.6 billion purchase of anti-virus company McAfee.
Not much was said pertaining to McAfee during IDF, though Doug Davis, VP/GM of the Embedded Communications Group, responded to an audience question by stating that McAfee can work with antitheft software such as LoJack that can “brick” and locate your laptop, although the (future) approach is to “block Day Zero attacks.” He said that the whole raft of existing Intel silicon security features such as VT, vPro, TXT, and so on “can be used in a whole different way … wait for 2011.” The plan for the Security pillar is to lower the number of attack surfaces … whatever that means. By the way, you might piece together Intel’s security strategy by checking out the technical session “Securing Today’s Data Centers Against Tomorrow’s Attacks.” I doubt that Intel is going to create a killer QorIQ Trust Architecture since that’s not the company’s focus. Instead, they’ll add chip-enabled data center features (vPro and VT) with existing instructions to balance on-chip security with McAfee-like desktop security running in the OS3.
It’s heartening that even if designers haven’t yet taken security or safety seriously, these two CPU vendors will. That means they’ll form their own neighborhood watch and be on guard in everyone’s embedded neighborhood.
Chris A. Ciufo, Editor firstname.lastname@example.org
1 Mentor and all software companies distinguish code or systems intentionally tampered with from systems that are merely behaving badly due to poorly written, verified, or tested code. In the latter, static and dynamic analysis tools are used to make sure the system operates as expected in all operational modes.
2 This predates Intel’s x86 NX bit (No execute) by several generations.
3 I wonder if Wind River’s VxWorks will get built-in anti-virus. Intel bought Wind River in 2009.