Embedded World 2017 – IoT coming of age.

by Cesare Garlati – Chief Security Strategist, prpl Foundation

Last week I had the pleasure of attending Embedded World 2017 in Germany as I was invited to give a couple of presentations on the pioneering work we have been doing at the prpl Foundation with regards to the prplHypervisor™ and prplPUF™ APIs for securing IoT. As it turns out, IoT was the top line at the conference that drew in more than 30,000 trade visitors – and the event solidified the notion that embedded computing is now synonymous with IoT.

IoT Security: Pushing the boundaries of resource constrained devices

The main theme running throughout was the challenge of pushing resource constrained devices to the limits. From a tech provider’s perspective, this was the most pervasive, well-defined issue being tackled at the show – how do we push the capabilities when it comes to functionality and security in low power devices with limited memory and minimal CPU resources?

With IoT, applying security technology after the fact or using encryption as used in a traditional security model is simply not an option in devices that don’t have the battery power, memory or CPU to support such measures, much less being able to afford the expense when the device itself costs so little. Yet, the fact that these are physical devices makes them so much more dangerous to human life and therefore the security should be taken just as seriously as that of a data centre.

Open Source as (one) answer

The answer for much of these basic security questions meant that more and more vendors are adopting – or seriously considering – the use of open source software. Though not everyone was aligned with the true value of open source, some even felt opportunistic, it was encouraging that the message of using open source, with all the extra eyes on it, is getting through.

Having said that, and knowing that open source software is notoriously more resilient than proprietary, closed source software – it does have its issues that vendors and manufacturers need to be aware of. Namely, though it is open and freely available, open source is not free. Yes, there is no licensing fee, but that is not to say it doesn’t come with the expenses of developing expertise, ensuring the organisation using it has the right liability cover, maintenance and working with open source communities to get the best out of it. As with anything in life, using open source requires upkeep to get the most from it.

In silicon we trust

Using open source protocols to get the basics right in IoT means that embedded devices can truly be interoperable with each other. What stops this from being a security risk is trust. The other element I discussed and which received over an hour of questions from the audience was the prplPUF™ API, the Physical Unclonable Funtions implementation of the prplSecurity™framework. I think everyone can agree that we’ve established that embedding secrets in a device is just not a good idea – and if you need proof, look no further than the Vault 7 revelations; not even the CIA can hide such secrets. Instead, what if you could extract a unique identifier from the silicon itself, something that is exclusive and repeatable and unable to be cloned?

This could have all sorts of applications for improving and strengthening security in embedded devices and the real genius of it is that it’s something that already exists with in the hardware itself – much like a digital fingerprint.

By using the prpl platform which combines open source with the use of a light-weight hypervisor for security by separation and PUF to establish trust in embedded systems, we’re looking at a much safer future for IoT.

 *   *   *

For more information or to get involved in the groundbreaking work prpl is doing with improving embedded computing security, visit us at http://prpl.works or contact me directly at @CesareGarlati

IoT Evolution Wrap Up

UPDATE : Application Note posted at https://prpl.works/application-note-july-2016/

Last week, the prpl Foundation took to the stage at IoT Evolution Expo in Las Vegas to present a workshop on the prpl Security Framework, during which we revealed a demonstration of the framework in practice. It was a series of firsts, as the use of the prplHypervisor™ was put into practice as well as prplPUF™ and prplSecureInterVM™.

Cesare Garlati, chief security strategist at prpl Foundation demonstrated the prplHypervisor™ on Thursday July 14th at 9AM, as part of a prplSecurity™ workshop on the IoT Developer track. The demo was a joint development effort of three key prpl members: Intrinsic-ID, Altran and the Pontifical Catholic University of Rio Grande do Sul (PUCRS).

Garlati showed three virtual machines connecting to the Internet and securely controlling a robotic arm. A MIPS M5150 CPU powers the PIC32 microcontroller to run the prplDSC_5023 hypervisor and thus securely isolates each application in its own virtual machine (VM). VM #1 receives commands from the Internet via Altran’s picoTCP listener, VM #2 authenticates the request via Intrinsic-ID’s implementation of the prplPUF™ API, and then relies authenticated valid command to VM #3, which is responsible for the real time control of the robotic arm via USB. The three VMs are completely separated and communicate within the system via the prplSecureInterVM™ communications APIs.

Continue reading

prpl Foundation Unveils the First Open Source Hypervisor for the Internet of Things

Debut of the prplHypervisor™ to occur at the IoT Evolution Expo in Las Vegas

SANTA CLARA, CA–The prpl Foundation today announced the upcoming debut of the prplHypervisor™ at the IoT Evolution Expo in Las Vegas. The prplHypervisor™ is an industry-first light-weight open source hypervisor specifically designed to provide security through separation for the billions of embedded connected devices that power the Internet of Things.

A principle set out in the Security Guidance for Embedded Computing published by prpl in early 2016, security through separation is key to fixing the fatal security flaws plaguing the IoT. “From theft of personal information and financial data to remote takeover of devices which could bring harm to the public, it’s in the interest of every stakeholder in the connected device supply chain to ensure that these devices are designed first for security,” said Art Swift, president, prpl Foundation. Continue reading

Open source and virtualization provide a powerful combination for wireless routers

By , Imagination Technologies

Back in March 2015, the Federal Communications Commission (FCC) – a government agency tasked with regulating interstate communications in the United States – issued a security document that included a series of provisions related to the use of wireless devices that operate in the U-NII radio bands.

In essence, the FCC wanted the manufacturers of routers and other networking equipment to provide tightly defined access paths to all wireless transmission devices. Unfortunately, the FCC proposal is likely to result in OEMs locking down the whole firmware of their routers and thus preventing consumers from installing the open source operating system or software of their choice (e.g. OpenWrt or DD-WRT.)

Continue reading

Imperas, OVP and prpl

OVP diagramThe prpl Foundation recently published its first newsletter, as a way of extending communications with the embedded systems community.  Imperas CEO and Open Virtual Platforms™ (OVP™) founder Simon Davidmann wrote an article for the newsletter, titled “prpl Security Group and Imperas Address IoT Security Challenges via Multi-Domain Virtualization.”  That’s quite the long title.  What was Simon saying?

The full article has more detail, but here’s a summary:

The prpl Security PEG is defining a security roadmap to get from today’s software-virtualized solutions to full hardware supported virtualization, enabling multi-domain security across processors, heterogeneous SoCs and systems built on these technologies including connected devices, routers and hubs. As a provider of tools for embedded software development, Imperas’ unique perspective and added value to the collaborative PEG is in the tools for developing, testing and demonstrating the secure software stack.  Imperas is cooperating with the embedded software providers in the PEG to build Extendable Platform Kits™ (EPKs™) to accelerate development of the individual elements of the secure stack, and enable the easy analysis and verification of these elements in isolation as well as integrated into the complete stack.

The first product of this collaboration is an Extendable Platform Kit (EPK) using an Imperas Open Virtual Platforms (OVP) virtual platform based on the OVP model of the MIPS M5150, with SELTECH’s FEXER OX hypervisor and the Toppers (Tron) real time operating system (RTOS) as three individual guest operating systems (see Figure 2).  EPKs are designed to help users accelerate embedded software development, debug and test.  The platform and peripheral models included in the EPKs are open source, so that users can easily add new models to the platform as well as modify the existing peripheral models.

Enjoy reading the article!

Securing The Internet of (broken) Things: A Matter of Life and Death

If you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Continue reading

Android NDK for MIPS

Android RobotIn case you didn’t know, you can build native Android code using the NDK for MIPS processors. It’s actually super straightforward.

From the Android Developer site:

To generate MIPS machine code, include mips in your Application.mk file’s APP_ABI definition. For example:

APP_ABI := mips

For more information about defining the APP_ABI variable, see Application.mk.

The build system places generated libraries into $PROJECT/libs/mips/, where $PROJECT represents your project’s root directory, and embeds them in your APK under the /lib/mips/ directory.

Continue reading