DESIGN & PRODUCTS BIOMETRICS & DATA ENCRYPTION
that such an approach is impossible on Arm Cortex-M-based
microcontrollers because they do not have an MMU, rather only
an MPU.
The DeepCover Security Framework (DSF) software isolation
solution proposed by Maxim proves that such a high level of
security can be reached, and guarantees a very strong isolation
between the software “boxes” running on Cortex-M-based
microcontrollers. The core of this solution relies on a hypervisor
that enforces a strict software architecture configuration at any
time. This configuration defines boxes, the boxes’ resources
and the boxes’ interactions. Different applications run in separate
boxes, each with their defined set of privileges and resources.
Applications may interact with each other through gateways.
Everything described in the configuration is enforced by the
hypervisor, which guarantees that the boxes’ execution matches
the configuration. Any deviation from the intended configuration
is immediately detected, such as access outside the allowed memory
ranges, attempts to interact with another box other than through an
allowed gateway, or direct access to disallowed resources. The hypervisor
manages and controls the other boxes’ resources and execution,
while keeping its own resources for its own execution.
This solution is credited with a high level of confidence. Indeed,
a security laboratory has rated the framework as compliant
with the very demanding PCI-PTS POI
security requirements for software isolation:
what is secure for payment can
be considered secure for IoT too.
In our example, we see that DSF allows
a simple but efficient architecture design
that consists of the exclusive allocation
of a specific box for the management of
the biometric characteristics, including
access to the fingerprint sensor and the
extraction of the minutiae. By preventing
access to this sensor from other
boxes, and thanks to the hypervisor’s
control over this access, any fraudulent or
unwanted attempt to read the sensor is
detected and an exception is raised, leading
to a safe failure. Following the same
model, other boxes can be defined and developed with a focus
on their very specific functional objective, after a careful study
of their needs in terms of resources and peripherals. The communication
links between boxes are enforced by the hypervisor,
which guarantees that only these links can be used for data
exchanges between the boxes. No arbitrary jump to a random
code location is possible, and no direct access to another box’s
resources is possible.
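The policy described above (one box owning the fingerprint sensor exclusively, bounded memory per box, calls between boxes only through declared gateways) can be modelled as a configuration table plus two checks. This is an added example, not DSF code or its API; the box names, addresses, table layout and function names are hypothetical.

```c
/* Toy model of a box configuration and the checks applied against it.
 * All names and addresses are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>

enum box { BOX_BIOMETRIC, BOX_APP, BOX_COUNT };
enum verdict { ALLOW, FAULT_MEMORY, FAULT_PERIPHERAL, FAULT_GATEWAY };

struct region { uint32_t base, size; };
struct box_cfg {
    struct region ram;     /* the only RAM the box may touch */
    struct region periph;  /* peripheral window owned exclusively; size 0 = none */
};
struct gateway { enum box from, to; uint32_t entry; };

/* In this model, addresses at or above this value are peripherals. */
#define PERIPH_SPACE_BASE 0x40000000u

static const struct box_cfg boxes[BOX_COUNT] = {
    /* biometric box: own RAM plus the fingerprint sensor registers */
    [BOX_BIOMETRIC] = { {0x20000000u, 0x4000u}, {0x40010000u, 0x400u} },
    /* application box: own RAM, no peripheral */
    [BOX_APP]       = { {0x20004000u, 0x4000u}, {0u, 0u} },
};
static const struct gateway gateways[] = {
    { BOX_APP, BOX_BIOMETRIC, 0x08010000u },  /* single declared entry point */
};

/* Overflow-safe containment test: [addr, addr+len) must lie inside r. */
static int inside(struct region r, uint32_t addr, uint32_t len) {
    return r.size != 0 && addr >= r.base && len <= r.size
        && addr - r.base <= r.size - len;
}

/* Decide whether box b may access len bytes at addr. */
enum verdict check_access(enum box b, uint32_t addr, uint32_t len) {
    if (addr >= PERIPH_SPACE_BASE)
        return inside(boxes[b].periph, addr, len) ? ALLOW : FAULT_PERIPHERAL;
    return inside(boxes[b].ram, addr, len) ? ALLOW : FAULT_MEMORY;
}

/* A cross-box call is legal only if it lands exactly on a declared gateway. */
enum verdict check_call(enum box from, enum box to, uint32_t target) {
    for (size_t i = 0; i < sizeof gateways / sizeof gateways[0]; i++)
        if (gateways[i].from == from && gateways[i].to == to
            && gateways[i].entry == target)
            return ALLOW;
    return FAULT_GATEWAY;
}
```

Any verdict other than `ALLOW` corresponds to the exception and safe failure the text describes; the length check in `inside` also rejects an access that starts inside a box's RAM but runs past its end.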
Of course, this framework (or any other, even with
hardware support like the MMU or TrustZone) neither improves
developers’ skills nor transforms buggy software into a bug-free
application, yet the attack scenario described above
is mitigated: a weakness in an application cannot expose the
whole firmware. The bug remains contained in its box, hence
the bug’s value is dramatically decreased.
The immense benefit of this solution is to allow hosting of
multiple applications from multiple providers with different levels
of confidence and robustness on a single device. The owner of
the most demanding application can now accept other applications
on the same hardware device without the risk of weakening
his own application and exposing his assets.
Benefits
By extension, the high level of control over the boxes’ architecture
and resource partitioning allows applications to be updated
easily and with trust.
Applications are fully controlled by the
hypervisor, which can modify, update, or
remove them through simple operations
without affecting the functioning of the others.
Furthermore, the secure update mechanism can
offer additional services such as encryption
without exposing the keys to any box.
Finally, another important benefit is
that, as one box’s execution does not hamper
another box’s execution, any certification
granted to one box is not affected
by a modification to another box: the certification
remains valid. From a single monolithic
piece of software, where each modification
has an impact on its whole robustness
and on the certification of some portions of
it, we have now moved to a set of independent,
isolated images, each keeping its
own properties and bugs!
30 News January 2018 @eeNewsEurope www.eenewseurope.com