The term "Internet of Things" (IoT) was coined around two decades ago, during the boom of the Internet. At the time, experts envisioned that every system or appliance would be smart and have some Internet connectivity serving advanced features. The term was coined mostly to differentiate stand-alone connected devices from traditional computers and servers, where regular manual servicing was the norm. Back then, cybersecurity was only considered in the scope of computers and servers and was a rarely used or understood concept for other types of equipment; usability and innovation got the main focus.
As time passed, more and more types of equipment came online, including mobile devices, networking gear, industrial control systems, home appliances and always-on, always-connected PCs. With no guidance available, each vendor took its own approach to security, or had none. With connectivity came cybersecurity risk: capable connected devices became targets for remote attackers who seek to exploit the capabilities of such devices for their own ends, whether simply abusing the connected system, using it as a foothold in a more complex attack, or enrolling it in a botnet that will one day unleash a large-scale cyber-attack.
As these connected devices evolve, the economy becomes more and more dependent on their functionality and operation. What used to be a novelty is now a major pillar of modern society: infrastructure, utilities, households and government agencies all depend on the correct operation of connected equipment to maintain stable day-to-day living.
This led the US National Institute of Standards and Technology (NIST) to publish NIST SP800-193, "Platform Firmware Resiliency Guidelines", in May 2018 [1]. The publication targets every connected device that runs any sort of firmware, from large and complex servers all the way down to small embedded controllers. This publication and its principles are explored here.
NIST SP800-193 (abbreviated '193 from here on) discusses the concept of "resiliency", i.e. making a system or platform resistant to malfunction caused by malicious attacks or spontaneous errors. Resiliency rests on three pillars: protection, detection and recovery.
Fig.1: Winbond Secure Flash provides the means to protect against, detect, and recover from unauthorized changes to code and critical data stored in the flash memory.
Protection is about ensuring that platform code and data remain in a state of integrity. Integrity does not mean that nothing has been modified, but rather that the code and data are in a state that allows correct operation as required by the vendor, user and infrastructure. For code, this means that a verified, trusted version of the code is running the system. For data, it means that the data was only modified by authorized entities and processes.
Detection is the capability of the platform to identify corruption of code and critical data and to raise an alert. Detection must be handled by a separate layer, since compromised code cannot be trusted to test itself or the data it depends on.
Recovery is the capability of the system to return to a correct working state in terms of code and critical data.
With protection, detection and recovery in place, a system can be expected to continue operating through cyber-attacks and the various spontaneous errors it may encounter.
SP800-193 covers only the resiliency of firmware and critical data. It does not cover loss or corruption of other data, nor hardware or physical damage to the system.
In practice – how Winbond Secure Flash devices provide resiliency per NIST SP800-193
Winbond's family of TrustME® Secure Flash devices is designed with resiliency at its core. These devices address the three pillars of SP800-193 with logic built directly into the hardware of the flash device, providing the separate layer needed to handle resiliency.
Protection
1. Root of Trust
Keeping the firmware in a state of integrity allows it to be trusted and used as a "Root of Trust": the user and infrastructure can rely on the firmware to operate the system correctly and to verify the authenticity and integrity of other parts of the firmware before executing them.
2. Cryptographic Write Protection
To handle protection, keeping the system firmware and critical data in a state of integrity, Winbond Secure Flash devices use cryptographic write protection (CWP). CWP lets the platform designer protect sections of the flash device from erase or program operations. The only way to program or erase these sections is through a cryptographic authentication process that requires knowledge of cryptographic keys stored securely in an inaccessible part of the flash device. These keys are unknown to an attacker because they are not present in cleartext in the system. The keys are also designed to be unique per system, so that breaking a single instance does not lead to a wide-spread compromise of systems.
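The following is an added illustration of how cryptographic write protection behaves from the host's point of view. It is not Winbond's command set or code: the section layout, the per-section keys, the HMAC-SHA256 tag over the command and the per-section anti-replay counter are all assumptions made for this model.

```python
import hashlib
import hmac


def command_tag(key, op, addr, data, counter):
    """Authenticate one flash command.

    The host that holds the section key computes this tag and sends it with the
    command; the flash recomputes it with its own copy of the key. (Assumed
    scheme for the illustration, not a real device's protocol.)
    """
    msg = op.encode() + addr.to_bytes(4, "big") + counter.to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


class CwpFlash:
    """Sectioned NOR flash with per-section cryptographic write protection.

    layout maps a section name to (start, end, key); key=None marks an ordinary
    unprotected section. Keys are assumed to be provisioned per device and never
    readable over the bus.
    """

    def __init__(self, size, layout):
        self.mem = bytearray(b"\xff" * size)          # erased NOR flash reads as 0xFF
        self.layout = layout
        self.counter = {name: 0 for name in layout}   # anti-replay counter per section

    def _section(self, addr):
        for name, (start, end, key) in self.layout.items():
            if start <= addr < end:
                return name, key
        raise ValueError("address outside the flash layout")

    def _authorize(self, op, addr, data, tag):
        name, key = self._section(addr)
        if key is None:
            return True                              # unprotected section: no tag needed
        expected = command_tag(key, op, addr, data, self.counter[name])
        if tag is None or not hmac.compare_digest(tag, expected):
            return False                             # missing, forged or replayed tag
        self.counter[name] += 1                      # this counter value is now used up
        return True

    def program(self, addr, data, tag=None):
        if not self._authorize("PROG", addr, data, tag):
            return False
        for i, b in enumerate(data):
            self.mem[addr + i] &= b                  # NOR program can only clear bits
        return True

    def erase(self, start, length, tag=None):
        # the length is bound into the tag so a captured erase cannot be widened
        if not self._authorize("ERASE", start, length.to_bytes(4, "big"), tag):
            return False
        self.mem[start:start + length] = b"\xff" * length
        return True

    def read(self, addr, length):
        return bytes(self.mem[addr:addr + length])


def demo():
    """Exercise the checks with constructed keys and a constructed layout."""
    fw_key, cfg_key = b"\x11" * 32, b"\x22" * 32
    flash = CwpFlash(0x10000, {
        "fw":  (0x0000, 0x8000, fw_key),    # firmware: protected
        "cfg": (0x8000, 0xC000, cfg_key),   # critical data: protected, own key
        "log": (0xC000, 0x10000, None),     # scratch: unprotected
    })
    out = {}
    # a plain program command into the firmware section is refused
    out["unauth"] = flash.program(0x0000, b"\x00" * 4)
    # the same command carrying a tag for the current counter value is accepted
    tag = command_tag(fw_key, "PROG", 0x0000, b"\x00" * 4, 0)
    out["auth"] = flash.program(0x0000, b"\x00" * 4, tag)
    out["after_program"] = flash.read(0x0000, 4)
    # replaying the captured command fails: the counter has moved on to 1
    out["replay"] = flash.program(0x0000, b"\x00" * 4, tag)
    # the cfg section's key does not authorize writes to the fw section
    wrong = command_tag(cfg_key, "PROG", 0x0004, b"\x00" * 4, 1)
    out["wrong_key"] = flash.program(0x0004, b"\x00" * 4, wrong)
    # an erase of the first 256 bytes of firmware also needs a tag
    tag = command_tag(fw_key, "ERASE", 0x0000, (256).to_bytes(4, "big"), 1)
    out["erase"] = flash.erase(0x0000, 256, tag)
    out["after_erase"] = flash.read(0x0000, 4)
    # the unprotected log section takes plain writes
    out["log"] = flash.program(0xC000, b"\x00" * 4)
    return out
```

The counter is what turns authentication into replay protection: a logic analyser on the SPI bus can capture a valid program command, but its tag was bound to a counter value the flash has already consumed. Separate keys per section mean that the key which authorizes configuration writes says nothing about the firmware section, and per-device keys, as the text describes, mean that a key extracted from one unit yields nothing against another.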
3. Authenticated Update Mechanism
SP800-193 requires that system firmware be updated in a timely manner to patch security vulnerabilities, and that the update be applied through an authenticated update mechanism, ensuring the update is authentic (true to its source) and intact (complete and unmodified). Firmware updates must therefore be delivered with a signed digest that lets the system confirm the update code is genuine, complete and unmodified. This raises a "chicken and egg" problem: what if the update mechanism itself is vulnerable and needs to be patched? If the update mechanism has vulnerabilities that might allow an attacker to load compromised firmware, how can it be trusted?
To address this, Winbond Secure Flash includes a built-in update mechanism that provides authentication and integrity protection, and on top of these, roll-back protection and atomic operation. The mechanism allows a new firmware image to be written to the flash device piece by piece, catering for slow or unreliable networks. Once the entire update image has been written, the Secure Flash authenticates the new image, checking that it is intact, authentic, and that its version is newer than the version currently in the flash. Only if all of these checks succeed does the Secure Flash swap the new image in for the old one, providing the system with a genuine updated firmware. The entire process is fail-safe: should a failure occur during the update, the previous image remains in place and the system is not left hung mid-update, which increases platform resiliency even further.
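An added model of the staged, authenticated, anti-rollback and atomic update flow described above. It is not Winbond's image format or logic: the header layout, the chunked write interface and the use of HMAC-SHA256 with a shared key as a stand-in for the vendor signature check (so the example runs with the standard library alone) are all assumptions of this example.

```python
import hashlib
import hmac

# Assumed image format: version (4) | payload length (4) | SHA-256(payload) (32)
# | tag over the preceding 40 bytes (32) | payload. The tag plays the role of the
# vendor's signature over the digest; a real device would verify an asymmetric
# signature with a public key stored in the device.
HEADER_LEN = 4 + 4 + 32 + 32


def make_image(key, version, payload):
    """Vendor side: build an update image with a signed digest."""
    hdr = version.to_bytes(4, "big") + len(payload).to_bytes(4, "big")
    hdr += hashlib.sha256(payload).digest()
    tag = hmac.new(key, hdr, hashlib.sha256).digest()
    return hdr + tag + payload


class SecureFlashUpdater:
    """Two-image model: the active image and a staging area for the candidate."""

    def __init__(self, key, active_version, active_payload):
        self.key = key
        self.active = (active_version, active_payload)   # what the host boots from
        self.staging = bytearray()                         # scratch for the new image

    def write_chunk(self, data):
        """Stream the image in, in order, in whatever chunk size the link allows."""
        self.staging += data

    def commit(self):
        """Check the staged image and swap it in, or reject it and keep the old one."""
        img = bytes(self.staging)
        self.staging = bytearray()                 # staging is consumed either way
        if len(img) < HEADER_LEN:
            return "rejected: incomplete"
        hdr, tag, payload = img[:40], img[40:72], img[72:]
        # 1. authenticity: nothing in the header is trusted before this passes
        if not hmac.compare_digest(tag, hmac.new(self.key, hdr, hashlib.sha256).digest()):
            return "rejected: bad signature"
        version = int.from_bytes(hdr[:4], "big")
        length = int.from_bytes(hdr[4:8], "big")
        # 2. completeness and integrity of the payload against the signed digest
        if len(payload) != length:
            return "rejected: incomplete"
        if hashlib.sha256(payload).digest() != hdr[8:40]:
            return "rejected: payload modified"
        # 3. roll-back protection: only strictly newer versions are installed
        if version <= self.active[0]:
            return "rejected: rollback"
        # 4. atomic swap: the old image stays valid up to this single step
        self.active = (version, payload)
        return "accepted"


def demo():
    """Run the update flow against constructed images and a constructed key."""
    key = b"\x42" * 32
    dev = SecureFlashUpdater(key, active_version=3, active_payload=b"firmware v3")
    out = {}
    # a genuine newer image, delivered in 7-byte pieces, is accepted
    img = make_image(key, 4, b"firmware v4 with patch")
    for i in range(0, len(img), 7):
        dev.write_chunk(img[i:i + 7])
    out["good"] = dev.commit()
    # a genuine but older image is refused
    dev.write_chunk(make_image(key, 2, b"firmware v2"))
    out["rollback"] = dev.commit()
    # one flipped payload byte no longer matches the signed digest
    bad = bytearray(make_image(key, 5, b"firmware v5"))
    bad[-1] ^= 0x01
    dev.write_chunk(bytes(bad))
    out["tampered"] = dev.commit()
    # an image built without the vendor key fails authentication
    dev.write_chunk(make_image(b"\x00" * 32, 6, b"evil"))
    out["forged"] = dev.commit()
    # a transfer cut short (power loss mid-update) leaves the active image alone
    img = make_image(key, 7, b"firmware v7")
    dev.write_chunk(img[:len(img) - 5])
    out["truncated"] = dev.commit()
    out["active"] = dev.active
    return out
```

The order of the checks is the point: the signed header is authenticated before its length, digest and version fields are used for anything, and the active image is replaced only after every check has passed, so a truncated transfer, a tampered payload or a downgrade attempt at any earlier stage leaves the running firmware exactly as it was.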
Detection
SP800-193 requires that the system detect unauthorized changes to firmware and critical data before they are executed or used. Upon detection, the system may initiate a recovery process.
1. Automatic Integrity Check
Winbond Secure Flash runs an automatic integrity check over the firmware section at power-up and whenever requested by the user. The check scans the entire firmware section for unauthorized changes; if any are detected, the Secure Flash starts the recovery process described below.
The automatic integrity check is fully implemented in the flash hardware, and as such provides an additional, separate layer of protection.
2. Firmware Initiated Data Authentication
To authenticate critical data, Winbond's Secure Flash provides a dedicated hardware-based authentication mechanism that firmware can trigger at will to confirm that critical data has not been corrupted. The mechanism is based on a built-in SHA-256 engine, allowing fast authentication of large data sets without moving the data from the flash into memory.
Recovery
The recovery mechanism should restore the platform firmware and critical data to a valid and authorized state when they are detected to have been corrupted.
1. Automatic Firmware Fallback
To support automatic firmware recovery, Winbond Secure Flash devices allocate a fallback section. This section holds alternative firmware that is automatically swapped in for the corrupted firmware when corruption is detected. The alternative firmware can be either an authentic copy of the original firmware or a special version of the firmware dedicated to recovering the system from the corrupted state.
The automatic firmware fallback works in conjunction with the automatic integrity check. During system power-on the firmware integrity is checked internally by the flash. The system is held in reset during this short period. If the integrity check fails, the flash automatically remaps the fallback section instead of the corrupted firmware section and allows the system to execute this backup firmware.
When the fallback firmware is a dedicated recovery image rather than a plain copy, it can restore the main firmware either from a locally stored copy or from remote storage.
The fallback firmware is protected by cryptographic write protection using a unique key dedicated to that section. Thus, compromising the keys to other sections does not compromise the fallback firmware. This addresses the requirements of SP800-193 for the integrity of the recovery mechanism.
2. Recovery of Critical Data
Winbond Secure Flash allows a different protection scheme for each section. Critical data can be kept in two separate sections, each with its own unique key, protecting it from corruption and malicious attacks. A safe copy of the data can thus be kept locally in a protected manner and used in case the primary copy is corrupted.
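The following added model ties together the automatic integrity check and firmware-initiated data authentication of the Detection section with the automatic firmware fallback and critical-data recovery of the Recovery section. It is not Winbond's internal logic: the reference-digest bookkeeping, the section names, the assumption that the device records a reference digest whenever a section is written through the authenticated path, and the remap and restore interfaces are all assumptions of this example.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


class ResilientFlash:
    """Flash with a firmware section, a fallback section and two copies of critical data."""

    def __init__(self, firmware, fallback, data_a, data_b):
        self.sections = {
            "fw": bytearray(firmware),       # main firmware, CWP-protected
            "fallback": bytearray(fallback), # recovery firmware, protected by its own key
            "data_a": bytearray(data_a),     # critical data, primary copy
            "data_b": bytearray(data_b),     # critical data, protected second copy
        }
        # Reference digests the device keeps for the code sections; assumed to be
        # refreshed only by writes that passed cryptographic write protection.
        self.ref = {"fw": sha256(firmware), "fallback": sha256(fallback)}
        self.boot_map = "fw"                 # section the host sees at the boot address
        self.events = []

    def authorized_write(self, name, offset, data):
        """A write that passed CWP authentication; the reference digest follows it."""
        self.sections[name][offset:offset + len(data)] = data
        if name in self.ref:
            self.ref[name] = sha256(self.sections[name])

    def corrupt(self, name, offset, data):
        """Models an unauthorized change (a fault, or an attack that bypassed CWP)."""
        self.sections[name][offset:offset + len(data)] = data

    def power_on(self):
        """Integrity check run inside the flash while the host is held in reset."""
        if sha256(self.sections["fw"]) == self.ref["fw"]:
            self.boot_map = "fw"
            self.events.append("fw ok")
        elif sha256(self.sections["fallback"]) == self.ref["fallback"]:
            self.boot_map = "fallback"       # remap: the host now executes the fallback
            self.events.append("fw corrupted: remapped to fallback")
        else:
            self.boot_map = None             # nothing trustworthy to execute
            self.events.append("fw and fallback corrupted: hold in reset")
        return self.boot_map

    def boot_image(self):
        return bytes(self.sections[self.boot_map]) if self.boot_map else None

    def authenticate_data(self, name, expected_digest):
        """Firmware-initiated check: the flash hashes the section in place."""
        return sha256(self.sections[name]) == expected_digest

    def restore_data(self, primary, mirror, expected_digest):
        """Recover critical data from its protected second copy if the primary is bad."""
        if self.authenticate_data(primary, expected_digest):
            return "primary ok"
        if not self.authenticate_data(mirror, expected_digest):
            return "both copies bad"
        self.authorized_write(primary, 0, bytes(self.sections[mirror]))
        return "restored from mirror"


def demo():
    """Walk through detection and recovery with constructed images and data."""
    fw, fb = b"main firmware 1.0", b"recovery firmware"
    cfg = b"boot config: secure"
    dev = ResilientFlash(fw, fb, cfg, cfg)
    out = {}
    out["clean_boot"] = dev.power_on()                # firmware intact: boots "fw"
    dev.corrupt("fw", 0, b"MALW")                     # unauthorized change to firmware
    out["after_corruption"] = dev.power_on()          # detected: boots "fallback"
    out["boot_image"] = dev.boot_image()              # the recovery firmware runs
    # the recovery firmware re-installs a genuine image through the authenticated path
    dev.authorized_write("fw", 0, fw)
    out["after_recovery"] = dev.power_on()            # back to "fw"
    # critical data: primary copy damaged, mirror intact
    good = sha256(cfg)
    dev.corrupt("data_a", 0, b"XXXX")
    out["data_check"] = dev.authenticate_data("data_a", good)
    out["data_restore"] = dev.restore_data("data_a", "data_b", good)
    out["data_recheck"] = dev.authenticate_data("data_a", good)
    out["events"] = list(dev.events)
    return out
```

Two details of the model match the requirements the text lays out: the check runs in the flash before the host is released from reset, so corrupted firmware never executes, and the reference digest moves only with authorized writes, so an attacker who can alter the firmware section cannot also alter what the device expects it to hash to. Because the fallback section is protected by its own key, a compromise that reaches the main firmware's key still leaves the recovery path intact.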
Fig.2: Winbond Secure Flash automatically and authentically recovers platform firmware to a state of integrity in the event that any such firmware code or critical data are detected to have been corrupted or hacked.
Summary
NIST SP800-193 outlines the requirements a system must meet to be resilient to corruption of firmware and critical data, whether caused by malicious attacks or by malfunction. These requirements can only be fulfilled by a dedicated protection layer, and such a layer must be rooted in immutable code, which is very difficult to implement.
Winbond's Secure Flash provides this protection layer in hardware, addressing the resiliency requirements outlined in NIST SP800-193. The Secure Flash from Winbond is 100% drop-in compatible with standard NOR flash devices, allowing a system to be made NIST SP800-193 resilient with minimal effort.
Fig.3: The Secure Flash from Winbond is 100% drop-in compatible with standard NOR flash devices.
For more details, contact us at TrustME@winbond.com or visit Winbond Secure Flash web page.
Reference: