“Secure Firmware Update” Lab Session - Renesas e … · “Secure Firmware Update” Lab...
Transcript of “Secure Firmware Update” Lab Session - Renesas e … · “Secure Firmware Update” Lab...
Renesas Electronics America Inc.
© 2012 Renesas Electronics America Inc. All rights reserved.
Class ID: Class ID:
“Secure Firmware Update” Lab Session
BL02I
Shotaro Saito, Staff Application Engineer, Secure MCU
© 2012 Renesas Electronics America Inc. All rights reserved. 2
Shotaro Saito, Application Engineer
24 years in Embedded Systems Development
In-Circuit Emulator / Debugger Development
Debugger GUI Design
Biometrics Enabled Smartcard Development
4 Years with Renesas Electronics
In Charge of Secure MCU Development Kit and Tools
Board ID Solution Support
© 2012 Renesas Electronics America Inc. All rights reserved. 3
Renesas Technology & Solution Portfolio
© 2012 Renesas Electronics America Inc. All rights reserved. 4
Microcontroller and Microprocessor Line-up
Wide Format LCDs Industrial & Automotive, 130nm
350µA/MHz, 1µA standby
44 DMIPS, True Low Power
Embedded Security, ASSP
165 DMIPS, FPU, DSC
1200 DMIPS, Performance 1200 DMIPS, Superscalar
500 DMIPS, Low Power
165 DMIPS, FPU, DSC
25 DMIPS, Low Power
10 DMIPS, Capacitive Touch
Industrial & Automotive, 150nm
190µA/MHz, 0.3µA standby
Industrial, 90nm
242µA/MHz, 0.2µA standby
Automotive & Industrial, 90nm
600µA/MHz, 1.5µA standby
Automotive & Industrial, 65nm
600µA/MHz, 1.5µA standby Automotive, 40nm
500µA/MHz, 35µA deep standby
Industrial, 40nm
242µA/MHz, 0.2µA standby
Industrial, 90nm
1mA/MHz, 100µA standby
Industrial & Automotive, 130nm
144µA/MHz, 0.2µA standby
2010 2013
32
-bit
8
/1
6-b
it
© 2012 Renesas Electronics America Inc. All rights reserved. 5
Microcontroller and Microprocessor Line-up
Wide Format LCDs Industrial & Automotive, 130nm
350µA/MHz, 1µA standby
44 DMIPS, True Low Power
Embedded Security, ASSP
165 DMIPS, FPU, DSC
1200 DMIPS, Performance 1200 DMIPS, Superscalar
500 DMIPS, Low Power
165 DMIPS, FPU, DSC
25 DMIPS, Low Power
10 DMIPS, Capacitive Touch
Industrial & Automotive, 150nm
190µA/MHz, 0.3µA standby
Industrial, 90nm
242µA/MHz, 0.2µA standby
Automotive & Industrial, 90nm
600µA/MHz, 1.5µA standby
Automotive & Industrial, 65nm
600µA/MHz, 1.5µA standby Automotive, 40nm
500µA/MHz, 35µA deep standby
Industrial, 40nm
242µA/MHz, 0.2µA standby
Industrial, 90nm
1mA/MHz, 100µA standby
Industrial & Automotive, 130nm
144µA/MHz, 0.2µA standby
2010 2013
32
-bit
8
/1
6-b
it
True Embedded Security and Integration
© 2012 Renesas Electronics America Inc. All rights reserved. 6
The Smart Society is explicitly exposed to adversaries who intend to gain profit by breaching its security:
Challenge: “In the smart society, the inter-connectivity takes the key role while anyone can take advantage of it including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts.”
Solution:
The “Secure MCU” solution prevents end-point devices in the smart society from being compromised with secure authentication scheme
‘Enabling The Smart Society’
© 2012 Renesas Electronics America Inc. All rights reserved. 7
Embedded security basics
Knowing your opponents
Attack vectors on embedded systems
Security perimeter
Board ID – The best plug
Lab session
Preparing RX62N as target system
Download sample firmware with remote security stack
Penetration testing
Q&A
Agenda
© 2012 Renesas Electronics America Inc. All rights reserved. 8
Embedded Security Basics
© 2012 Renesas Electronics America Inc. All rights reserved. 9
Knowing Your Opponents (1)
Competitors
Reverse engineering, vulnerability research, etc.
– Let’s see what they got this time that we can ‘mimic’
Counterfeiters
Cloning
– Oh, they make it hard this time but we can still crack it
Hackers
Pure curiosity (raison d’être of them)
– I’ll run my homebrewed app on PS3. EULA? What is it?
Fame, promotion and job opportunity
– “He’s very popular as iPhone and PlayStation3 jailbreaker” (Geohot vs. Sony, 2010)
– “I could hack your server. Why don’t you hire me as your CSO?” (Marriott Hotel, Nov. 2011)
© 2012 Renesas Electronics America Inc. All rights reserved. 10
Knowing Your Opponents (2)
Opponents in the real world
They do ANYTHING for making a profit
– This is fake Samsung Galaxy SIII
– BTW, this Apple store is FAKE!
© 2012 Renesas Electronics America Inc. All rights reserved. 11
Communication Interface
JTAG
– Widely available on popular MCUs
Serial (RS-232C)
– Console hacking starts from here
Ethernet
– Remote hacking from the other side of the Earth
USB
– Stuxnet, PS3 jailbreak utilize USB dongle/memory stick
I2C, SPI, SMBus, etc.
Attack Vectors (1)
© 2012 Renesas Electronics America Inc. All rights reserved. 12
Physical penetration
Opening enclosure
– Trace cut/jumper
– Add/remove/replace devices (i.e. MOD chips)
Compromising device
– Break/dissolve device packaging
– Reconnect blown fuse with micro probe
Attack Vectors (2)
© 2012 Renesas Electronics America Inc. All rights reserved. 13
Security Perimeter
© 2012 Renesas Electronics America Inc. All rights reserved. 14
What we protect and what we don’t
We can prevent this
But we cannot prevent this
Defining ‘End-Point’ as security perimeter
The target should not be cloned (Hardware/Software)
The target ‘eco’ system should be protected
Security Perimeter (1)
© 2012 Renesas Electronics America Inc. All rights reserved. 15
Security Perimeter (2)
‘End-point’ security
Remote intrusion
Altered meter
Unauthorized charging
Sophisticated theft
Unauthorized access
Remote intrusion
Remote intrusion
Denial-of-service
© 2012 Renesas Electronics America Inc. All rights reserved. 16
Target system definition
RX63N RDK – Represents network enabled device
Application – Console application with update feature
Protection profile
The application (RX63N side)
– Not to be altered
– Not to be extracted
Update scheme (Server side)
– Unauthorized system is properly rejected
– False attempt is rejected and logged
Adding secure MCU to RX63N RDK makes it easy
Security Perimeter (3)
© 2012 Renesas Electronics America Inc. All rights reserved. 17
Board ID – Proven Security Enhancement
Board ID – Tiny secure microcontroller (4.2mm x 4.2mm)
Embedded secure element
– Credentials are stored in tamper proof memory section
– Hardware protection against known attacks
Cryptographic coprocessor
– Fast RSA transaction with modular multiplication coprocessor
Turn-key Solution
– Pre-loaded firmware for authentication specific application
Outsourcing security measures
Firmware update mandates Board ID on RX63N RDK
Counterfeit target without Board ID is rejected
© 2012 Renesas Electronics America Inc. All rights reserved. 18
Lab Session
© 2012 Renesas Electronics America Inc. All rights reserved. 19
Lab Session
Material
RX63N RDK
– 32bit microprocessor demo kit
Board ID Module
– Authentication specific module
Authentication server
– Provides firmware update service ONLY AFTER proper authentication is done
The Goal
Utilize the Board ID module to perform secure firmware download to the RX63N demo kit from the Authentication Server
Lab Procedure
Follow the lab procedure (takes approximately 40 minutes)
© 2012 Renesas Electronics America Inc. All rights reserved. 20
Questions?
© 2012 Renesas Electronics America Inc. All rights reserved. 21
The Smart Society is explicitly exposed to adversaries who intend to gain profit by breaching its security:
Challenge: In the smart society, the inter-connectivity takes the key role while anyone can take advantage of it including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts.
Solution:
The “Secure MCU” solution prevents end-point devices in the smart society from being compromised with secure authentication scheme
Do you agree that we accomplished the above statement?
‘Enabling The Smart Society’ in Review…
© 2012 Renesas Electronics America Inc. All rights reserved. 22
Please utilize the ‘Guidebook’ application to leave feedback
or
Ask me for the paper feedback form for you to use…
Please Provide Your Feedback…
Renesas Electronics America Inc.
© 2012 Renesas Electronics America Inc. All rights reserved.