Protecting embedded systems from unauthorized software modifications

Story

January 04, 2010

Today's embedded avionics and other security-critical systems increasingly face the requirement for heightened security. Hence, a software downloading/flashing scheme utilizing digital signatures and the Rivest Shamir Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms is helping to prevent unauthorized access and counterfeiting.

More and more devices in our modern world are equipped with a multitude of embedded systems. An obvious example of this trend is the aviation industry, which uses a multitude of Electronic Control Units (ECUs) to control almost everything, such as air conditioning, the engine, and even the brake system[1]. ECUs typically allow downloading of updated program and data code via a boot loader. The authenticity of the software and a secure boot process must be ensured, since an increasing number of embedded devices are used in security-sensitive applications such as the engine control of an aircraft. Hence, any local or remote tampering of these devices must be prevented[1].

To prevent counterfeiting or unauthorized access, software – which is typically stored in reprogrammable flash memory – must be updated securely. During the boot process – where the software is typically signed at a secure back end server and then installed using a boot loader – the system must verify the authenticity of the new firmware by checking the digital signature. The new firmware must be executed by the device only if this verification is successful. A secure software download/flashing scheme based on digital signatures integrating the Rivest Shamir Adleman (RSA) algorithm and the Elliptic Curve Cryptography (ECC) signature algorithm is discussed as a means of granting this assurance[3].

Authenticity via digital signatures

A digital signature provides integrity and authenticity; data that is digitally signed cannot be altered by a malicious third party without being detected by the receiver. Furthermore, the receiver can verify that the data was indeed signed by the claimed signer. Moreover, the signer is not able to deny that he is the legitimate creator of the signature (non-repudiation). Additionally, digital signatures are generated and verified with asymmetric cryptographic algorithms, such as the RSA algorithm or ECC.

A digital signature is computed as indicated in Figure 1. There is a pair of keys consisting of a private key SK and a public key PK. Only the signer has access to SK, whereas PK can be publicly distributed. In general, SK is only known to the embedded system’s manufacturer, for example, an OEM in the aviation industry, whereas PK is built into every embedded system. The program code x is first hashed to a short fixed length value y. Typically, y is computed by applying a hash function of the Secure Hash Algorithm (SHA)1 family. Then a digital signature is computed over y using the private key SK. The signature can thereafter be verified using the public key PK.

Figure 1: Generation of digital signatures at the embedded systems manufacturer

(Click graphic to zoom by 1.5x)

Hence, the software issuer (that is, the manufacturer of the embedded system) holds a private key SK for signing the software, and the ECU holds the corresponding public key PK for verifying it (see again Figure 1).

Secure software downloads

Utilizing a secure software download process is key to upholding these required levels of information security in modern embedded systems. The secure software download process consists of several unique yet vital steps (see Figure 2):

Step 1: The software is developed.
Step 2: The program object code is passed to a trust center in a secure environment of the software issuer that signs the object code using its private key SK.
Step 3: The signature is then passed back and attached to the program object code.
Step 4: The package of code and signature are now stored in a database that might hold versions for different embedded systems.
Step 5: The appropriate program code is downloaded to an embedded system.
Step 6: The appropriate program code is then verified with the corresponding public verification key PK.

Figure 2: Secure software download process

(Click graphic to zoom by 1.7x)

In the context of this secure software download, RSA is an appropriate fit for signature verification. This is because it allows very fast signature verification and can be implemented in software without infringing patents. Some performance values of this implementation are displayed in Table 1.

Table 1: Runtime of an RSA signature verification measured on an ARM MPCore @ 400 MHz compared to various cryptographic algorithms

(Click graphic to zoom by 1.7x)

It is sufficient to issue a single private/public key pair such that the private key SK is stored in the trust center and the public key PK in the embedded system. The trust center might be a PC disconnected from any computer network and a secure smart card that holds the secret key. The embedded system only needs to store the public key such that no secret information is stored in the system itself. However, this public key must be protected against manipulation (that is, it must be stored in secure memory that may be read but not overwritten[3]). Thus, safe storage receptacles include Read-Only Memory (ROM) or Write-Once Read Many (WORM) memory, which has to be initialized by the manufacturer during the production process[1].

Secure software flashing

In the flash process, each block of software is optionally encrypted and the signature is computed beforehand. Next, an external programming device authenticates the boot loader (for example, by using a challenge-response mechanism). Then the external device passes block by block to the boot loader of the embedded system. The boot loader decrypts and stores each block and computes a hash over it[2]. Finally, after the boot loader has computed the hash value over the new flash program file, it performs digital signature verification. If the signature verification is successful, the downloaded file is accepted and activated. Otherwise, a safety procedure is activated and the boot loader awaits the download of a proper flash file.

Digital signatures ensure peace of mind

Usually, a boot loader is built into the firmware to update the program. However, in most cases there are no mechanisms implemented to avoid downloading a manipulated program that alters the device’s behavior in a manner not authorized by the manufacturer. The presented mechanisms are an efficient countermeasure to manipulation attacks. Such mechanisms have been successfully implemented in a variety of applications such as the automotive domain[3], the aeronautical domain, and even the mobile phone industry. We strongly suggest implementing the asymmetric cryptographic approach described – based on digital signatures.

References

Marko Wolf, André Weimerskirch, and Thomas Wollinger, “State-of-the-Art: Embedding Security in Vehicles,” EURASIP Journal on Embedded Systems, Special Issue on Embedded Systems for Intelligent Vehicles, 2007.
Cullen Linn and Saumya Debray, “Obfuscation of Executable Code to Improve Resistance to Static Disassembly,” ACM Conference on Computer and Communications Security (CCS), 2003.
Hersteller Initiative Software (HIS), “HIS Security Module Specification, Version 1.1,” available at www.automotive-his.de/download/HIS\%20Security\%20Module\%20Specification\ %20V1.1.pdf, July 2006.

Dr. André Weimerskirch is CEO and president of American-based escrypt Inc., where he is in charge of international activities. Previously, he held the position of CTO of escrypt GmbH. Prior to this, André worked with several research, development, and consulting companies including Accenture, Deutsche Post, Philips, and Sun. He studied Business Information Technology and Mathematics at Darmstadt Technical University before receiving his Master of Science in Computer Science at Worcester Polytechnic Institute, USA. He then received a Ph.D. from Ruhr-University of Bochum in Applied Data Security. He can be contacted at [email protected].

Dr. Kai Schramm is CTO of escrypt Inc. Previously, he worked for Renesas Technologies in the UK as a consultant. Kai has worked worldwide as a security researcher, consultant, and developer at the IBM Watson Research Center in Hawthorne, New York; the Infineon Technologies smart card department in Munich, Germany; and the Hitachi Central Research Laboratory in Tokyo, Japan. He studied Electrical Engineering and Computer Science at Purdue University in the USA and at the University of Bochum in Germany. He received a Ph.D. from the University of Bochum with a focus on Applied Data Security and Cryptography. Kai can be reached at [email protected].

escrypt Inc. 734-418-2797 www.escrypt.com

1 The SHA hash functions are a set of cryptographic, one-way functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) as one of the U.S. Federal Information Processing Standards (FIPS).