Chips: why do we need to protect against physical attacks?
This article explores how the Cortex-M35P brings protection against physical attacks and tampering to the widely supported and easy-to-use Cortex-M family, and how that opens new markets for your products.
The Cortex-M35P is the first Armv8-M processor to offer physical tamper resistance, making it easier and faster for a design built on the core to achieve payment-grade or telecom-grade security certification. It has a multi-layered security structure, combining the software isolation of Arm TrustZone technology with the physical protection found in the SecurCore series of processors. The Cortex-M35P extends the Arm security portfolio and follows the principles of Arm's Platform Security Architecture (PSA).
Make your design more confident
Provides mature, battle-tested, and widely supported security technologies.
• Built on proven, market-ready technology deployed in billions of SecurCore processors.
• Uses TrustZone technology, supported in billions of Cortex-A based devices.
• Reuses the programmer's model already familiar to millions of Cortex-M developers.

Make protection more flexible
Choose from a variety of advanced physical security features.
• Enhances market adaptability for the widely familiar Cortex-M series without compromising performance.
• Provides a high degree of flexibility and optional features for implementing advanced functions, including signal processing.
• Improved security (lockstep, configurable parity, observability), leading to faster and lower-cost deployment of system security features.

Accelerate your product success
Rich IP products and sound ecosystem support can effectively reduce product development costs.
• Optimize across our comprehensive portfolio of Arm security solutions.
• Easy upgrade from the Cortex-M33 processor.
• Reuse existing software built on Cortex-M devices.
• Supported by the world's number one embedded ecosystem, with access to the world's largest open knowledge base.
We encounter more and more devices in our daily lives – in our homes, workplaces, hospitals, industrial sites, urban spaces, etc. – some of which are connected and some are not. Many of these devices store valuable personal information, making them targets for physical attacks. These attacks are becoming more feasible from a cost perspective due to the deployment and availability of simple data collection tools. We are increasingly witnessing physical attacks, such as side-channel attacks, which have become part of the standard security threat model. The main concern about physical attacks comes from the cascading effects of the attack, that is, by compromising one device, the attacker can extract the source code and discover vulnerabilities, which can then be used to carry out larger cyber attacks.
"You only need physical access once -- once you've purchased one copy of a device or one model of a camera and successfully hacked it in the lab -- and you have all the information you need to hack the same device or model remotely," concluded Yossi Oren, senior lecturer at BGU, in his IoT security blog post (TechRepublic).
Let us use an analogy to explain why we developed the Cortex-M35P: It’s like protecting your house. Since you have valuables in your house, it is crucial to ensure that all entrances are protected, while also considering how difficult it is for a thief to break into a specific entrance.
Figure 1: Securing your device is like securing your house—it’s only as strong as its weakest link!
For example, if a thief were to break into a house through a small top-floor window, he would probably need a ladder and some special tools to do so. Because it is a bit of a hassle and difficult to get into, you might think that top-floor window would not be a thief's first choice of entrance and that your valuables are protected. However, if there are very valuable items in the house, or if the top-floor window is accessible without much effort, then a thief might be able to find a way in.
This concept also applies to the Internet of Things. Arm has a broad security portfolio that can defend various entry points, and now Arm is strengthening its defense against physical attacks. The Cortex-M35P has been developed to meet the needs of all embedded and IoT markets that require market adaptability. Now, any Cortex-M developer facing physical security project requirements can upgrade to this latest Cortex-M processor without losing all previous development investments.
In addition, the processor can be matched with the rest of the Arm IP portfolio to form a powerful and comprehensive security solution, accelerating time to market. Developers can benefit from Arm's extensive ecosystem, which provides the widest range of development tools, compilers, debuggers, operating systems and software middleware, effectively saving time and cost.
As attack surfaces continue to grow and the Internet of Things (IoT) scales exponentially, it can be difficult, when planning a product design, to determine how to protect your next generation of devices. To understand and address this situation, Arm describes security by modeling four different types of attack targets: communications, product lifecycle, software attacks, and physical attacks, as shown in Figure 2. The risk to the device depends on the value of the application and its data. Many devices mainly need to consider attacks on the lower layers of the system, such as attacks on the underlying software, which can be fully protected by the isolation provided by Arm TrustZone. However, other kinds of products need to consider more complex attack risks, such as the risk of various physical attacks on the chip.
Figure 2: Evaluation of the threat factor of four different types of security attacks
Which attacks you need to protect against depends on which physical attacks you believe pose a sufficient threat to your product. The Arm PSA Platform Security Architecture advises that security always starts with analysis, and by analysis I mean a threat modeling process. Threat modeling allows you to assess the security of your device and predict how it could be hacked or exploited. If you are new to the world of security, threat modeling can be a daunting process, so Arm has created three completely free threat model examples.
Once you have assessed your device and the threats it faces, the next important step is to take appropriate measures to protect your device. Arm recommends using a layered security approach, using the right combination of countermeasures to implement different levels of protection for your device.
Arm has extended its range of IP to address all types of security threats, as shown in the figure above. When physical attacks are considered a large enough risk, you can choose a processor with physical attack mitigations. The Cortex-M35P provides a combination of software isolation and physical security measures to help designers achieve a higher level of system security against both physical and software attacks. You may decide that you need hardware-accelerated cryptography that resists side-channel attacks (SCA) - CryptoIsland-300P and CryptoCell-312P can help in this regard.
When the value of the protected asset is high enough, hackers have enough motivation to physically attack the device. The Cortex-M35P provides multiple dedicated components to protect the device from such attacks.
The Cortex-M35P includes a number of security features to counter physical attacks. One of them, "indifferent timing", makes the cycle count of every instruction constant, so that execution time cannot leak information. Users can choose whether to enable this feature.
Another example is the 100% parity coverage. Every flip-flop in the processor is protected with configurable parity, allowing detection of random errors or purposeful error injection.
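To see what "indifferent timing" defends against, here is an added example (not from the article or from Arm). Hardware with constant instruction cycle counts removes per-instruction variation, but software that exits early on a mismatch still leaks, through the number of instructions it executes, how many bytes of a guess were correct; the constant-time version does the same work regardless of the data. The code counts loop iterations as a stand-in for cycles; the function names and the sample secret are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article. Iterations are counted instead of
 * measuring wall-clock time: the count is deterministic and is what a
 * cycle-accurate observer of these loops would see. */

static size_t steps;   /* constructed "cycle" counter: iterations executed by the last call */

size_t last_steps(void) { return steps; }

/* memcmp-style comparison: returns at the first mismatch, so the iteration
 * count reveals how many leading bytes of the guess were correct. */
int leaky_equal(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (secret[i] != guess[i]) return 0;
    }
    return 1;
}

/* Constant-time comparison: always walks all n bytes and folds the
 * differences into an accumulator, so the work done does not depend on
 * where (or whether) the inputs differ. */
int ct_equal(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    steps = 0;
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        diff |= (unsigned)(secret[i] ^ guess[i]);
    }
    /* diff == 0: (diff - 1) wraps to all ones, bit 8 set -> 1.
     * diff in 1..255: (diff - 1) < 256, bit 8 clear -> 0. No branch on data. */
    return (int)(((diff - 1u) >> 8) & 1u);
}

int main(void)
{
    /* Constructed inputs: a 12-byte secret and guesses sharing 0, 3 and 12 leading bytes */
    const char *secret = "correct-pin!";
    const char *guesses[] = { "wrong-guess!", "corXXXXXXXXX", "correct-pin!" };
    size_t n = strlen(secret);

    for (int g = 0; g < 3; g++) {
        int r1 = leaky_equal((const uint8_t *)secret, (const uint8_t *)guesses[g], n);
        size_t s1 = last_steps();
        int r2 = ct_equal((const uint8_t *)secret, (const uint8_t *)guesses[g], n);
        size_t s2 = last_steps();
        printf("guess %d: leaky=%d in %zu steps, constant-time=%d in %zu steps\n",
               g, r1, s1, r2, s2);
    }
    return 0;
}
```

The leaky version takes 1, 4 and 12 steps for the three guesses, the constant-time version always takes 12: on a core with constant instruction timing, the first loop still leaks the prefix length and the second does not.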
Integrated cache improves performance when fetching instructions from embedded Flash.
Flash typically cannot provide RAM-level access times, which is a common performance bottleneck. This problem can be solved by activating an optional internal cache. Information stored in the cache is also protected from physical attacks.
TrustZone strengthens the protection of information security-sensitive functions in the system. It not only provides software isolation for code, memory, and I/O, but also meets the common requirements of embedded applications: real-time, deterministic response, minimal context switching overhead, and easy software development.
The Cortex-M35P processor with TrustZone has two security states - secure and non-secure, and some features closely related to the two states are shown in Figure 3:
Figure 3: Armv8-M additional security state
Software reliability and system security can both be improved by restricting each module so that it may only access the specific memory areas it needs to perform its function. As a complement to TrustZone, this protection prevents accidental accesses from overwriting critical data. Each security state can have its own dedicated MPU, and the two MPUs can have completely different numbers of regions. Regions are also easier to program than before, mainly because the constraint that "the region must be aligned to a power-of-two size" has been removed.
This optional MPU is programmable and provides up to 16 regions for the secure and non-secure states respectively. In a multi-tasking environment, the operating system can reprogram the MPU during a task context switch to update the memory access rights of the incoming task. For example, a user task may be granted access only to certain application data and specific peripherals. In this way, the MPU protects all memory and peripherals other than the resources required by the current task from corruption or unauthorized access, significantly improving the reliability of the system.
Memory regions are easier to configure
The memory protection of the Cortex-M35P is based on version 8 of the Protected Memory System Architecture (PMSAv8). This version defines a region by comparing the address against a base address and a limit address, unlike the previous scheme, which required regions to be aligned to a power-of-two size. Each region consists of a base address, a limit (end) address, access permissions, and memory attribute settings. As a result, a target range can be covered with a single region, instead of stitching together multiple power-of-two regions of different sizes as in the past. This greatly simplifies software development: fewer programming steps and shorter context-switch time, which encourages users to use the MPU more than before.
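The difference between the two region schemes can be made concrete in code. The following is an added example, not Arm's code or the article's: it splits an arbitrary 32-byte-granular range into the naturally aligned power-of-two blocks an older PMSAv7-style MPU would need, encodes the same range as a single PMSAv8 region using the Armv8-M MPU_RBAR/MPU_RLAR field layout, and simulates the per-task register writes an RTOS performs at a context switch (the task-switching passage above). The helper names, the simulated register bank and the sample addresses are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not Arm's code). Compares how many regions a power-of-two
 * aligned MPU (PMSAv7 style) needs to cover an address range with the single
 * base/limit region of PMSAv8 as used on the Cortex-M35P. The MPU_RBAR /
 * MPU_RLAR bit layouts follow the Armv8-M architecture; everything else
 * (names, simulated register bank, addresses) is constructed for this example. */

#define MAX_REGIONS 16u   /* per security state, as stated in the article */
#define GRANULE     32u   /* both MPU generations work on 32-byte granules */

typedef struct { uint32_t base; uint32_t size; } v7_region_t;

/* Greedy split of [start, end] into naturally aligned power-of-two blocks.
 * Returns the block count, or -1 if the range is not granule-aligned or
 * needs more than max blocks. */
int pmsav7_split(uint32_t start, uint32_t end, v7_region_t *out, int max)
{
    if (end < start || start % GRANULE != 0 || (end + 1u) % GRANULE != 0)
        return -1;
    int n = 0;
    uint64_t a = start, remaining = (uint64_t)end - start + 1u;
    while (remaining > 0) {
        uint64_t size = a & (UINT64_C(0) - a);   /* natural alignment of a (lowest set bit) */
        if (a == 0 || size > remaining) {        /* cap at the largest power of two <= remaining */
            size = 1;
            while (size * 2 <= remaining) size *= 2;
        }
        if (n >= max) return -1;
        out[n].base = (uint32_t)a;
        out[n].size = (uint32_t)size;
        n++;
        a += size;
        remaining -= size;
    }
    return n;
}

/* PMSAv8 access-permission field (AP, MPU_RBAR bits [2:1]) */
enum { AP_RW_PRIV = 0, AP_RW_ANY = 1, AP_RO_PRIV = 2, AP_RO_ANY = 3 };

typedef struct { uint32_t rbar, rlar; } v8_region_t;

/* One PMSAv8 region: RBAR = BASE[31:5] | SH[4:3] | AP[2:1] | XN[0],
 * RLAR = LIMIT[31:5] | AttrIndx[3:1] | EN[0]. Any 32-byte-aligned range
 * fits in one region regardless of its size or alignment. */
v8_region_t pmsav8_encode(uint32_t start, uint32_t end, uint32_t ap, uint32_t xn, uint32_t attr_idx)
{
    v8_region_t r;
    r.rbar = (start & ~(GRANULE - 1u)) | ((ap & 3u) << 1) | (xn & 1u);  /* SH = 0: non-shareable */
    r.rlar = (end   & ~(GRANULE - 1u)) | ((attr_idx & 7u) << 1) | 1u;   /* EN = 1 */
    return r;
}

/* Simulated MPU register bank (constructed, not a real memory map): the values
 * an RTOS would write through MPU_RNR/MPU_RBAR/MPU_RLAR when switching to a task.
 * Unused regions are left with EN = 0. Returns regions used, or -1 if too many. */
typedef struct { uint32_t start, end; } range_t;
typedef struct { uint32_t rbar[MAX_REGIONS], rlar[MAX_REGIONS]; } mpu_bank_t;

int mpu_program_task(mpu_bank_t *mpu, const range_t *ranges, int count)
{
    if (count < 0 || (unsigned)count > MAX_REGIONS) return -1;
    for (unsigned i = 0; i < MAX_REGIONS; i++) { mpu->rbar[i] = 0; mpu->rlar[i] = 0; }
    for (int i = 0; i < count; i++) {
        v8_region_t r = pmsav8_encode(ranges[i].start, ranges[i].end, AP_RW_ANY, 1u, 1u);
        mpu->rbar[i] = r.rbar;
        mpu->rlar[i] = r.rlar;
    }
    return count;
}

int main(void)
{
    /* Constructed case: a 20 KiB task buffer that is neither a power of two
     * in size nor aligned to one. */
    v7_region_t v7[MAX_REGIONS];
    int n = pmsav7_split(0x20001000u, 0x20005FFFu, v7, (int)MAX_REGIONS);
    printf("PMSAv7-style regions needed: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("  base 0x%08X size 0x%X\n", v7[i].base, v7[i].size);

    v8_region_t r = pmsav8_encode(0x20001000u, 0x20005FFFu, AP_RW_ANY, 1u, 1u);
    printf("PMSAv8 single region: RBAR=0x%08X RLAR=0x%08X\n", r.rbar, r.rlar);
    return 0;
}
```

For the constructed 0x20001000-0x20005FFF buffer the power-of-two scheme needs three regions (4 KiB + 8 KiB + 8 KiB), while PMSAv8 covers it with one RBAR/RLAR pair; a task with several such buffers would exhaust 16 regions far sooner under the old scheme.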
For specific applications, specialized computing can make a big difference. It is also critical to achieve this expanded computing capability while maintaining all the benefits of the world's leading ecosystem - the broadest choice of development tools, compilers, debuggers, operating systems, and middleware.
The Cortex-M35P processor includes an optional dedicated bus interface for integrating tightly coupled accelerator hardware. For frequently used compute-intensive operations, this interface provides a mechanism to extend the general-purpose computing capability with custom processing hardware. Most importantly, it does not disrupt the ecosystem. The interface carries control and data signals, supports up to 8 coprocessors, and also conveys the processor's privilege and security state, as well as the instruction type, the associated registers, and the operation fields.
To accelerate software development, Arm also provides a free DSP library in the CMSIS project. The library contains a range of digital filters, transforms and mathematical functions (such as matrix operations), and supports a range of data types. CMSIS is an open source project, and the development version is released through GitHub.
Optional integer DSP extensions add 85 instructions. In most cases, the DSP instructions can improve program performance by an average of three times, thereby improving the performance of all applications centered around digital signal control.
The optional FPv5 single-precision floating-point extension includes an additional 16 64-bit registers. This extension adds 45 single-precision floating-point instructions compatible with IEEE 754-2008. Using floating-point instructions typically gives an average performance improvement of 10 times over equivalent software libraries. The FPU is contained in a separate power domain, allowing it to be powered down when not enabled or not in use.
In summary, physical attacks are one of several potential attacks on embedded or IoT devices. Arm's PSA Platform Security Architecture has designers determine, during threat modeling, the level of security they need to reach, so that they can adopt the appropriate combination of countermeasures. Physical attacks are becoming easier and cheaper, so advanced chip protection technology is essential. However, physical security design is usually more complex.
Today, Arm’s new suite of physical security IPs provides market adaptability for any developer. The Arm Cortex-M35P processor provides an efficient security solution for software and physical attacks through TrustZone technology and anti-tampering capabilities. Combined with Arm CryptoCell IP, Arm CryptoIsland IP or dedicated custom cryptographic solutions, and supported by the Arm ecosystem, any embedded or IoT solution developer can be sure that they have a strong trusted foundation for secure IoT implementation deployments - because market adaptability is already in place.