RISC-V security: First piece of the puzzle falls into place


By Thomas Claburn

10 Sep 2018 at 20:08

Credits: http://www.theregister.co.uk/2018/09/10/sifive_hex_five_riscv_secure_environment/


If you’ve been looking at SiFive‘s RISC-V-based chip technology and thinking, y’know what, it’s missing an Arm TrustZone-style element to run sensitive code, well, here’s some good news.

And if you’re just into processor design and checking out alternatives to Arm CPU cores, then this may be some interesting news.

SiFive helps organizations turn semiconductor designs based on the open-source RISC-V instruction set architecture (ISA) into chips. On Monday, it announced it has integrated Hex Five Security’s MultiZone Security trusted execution environment (TEE) into its Freedom SDK.

The technical confection gives companies creating RISC-V chips the tools to implement a security environment comparable to ARM’s TrustZone, though perhaps without past flaws. It should help users of the SiFive toolchain bring security-enforcing silicon to market faster.

Hex Five‘s technology, as its name suggests, allows for the creation of multiple isolated zones in which sensitive code – such as secure boot procedures and cryptographic routines – can run without interference from other programs or operating systems executing at the same time. It works with a Configurator tool that combines the compiled code with a Hex Five nanokernel to run within the secured environment.

Read more of this post

The Journey to a Secure Internet of Things Starts Here

IoT Security Guidance

As the Internet of Things finds its way into ever more critical environments – from cars, to airlines to hospitals – the potentially life-threatening cyber security implications must be addressed. Over the past few months, real world examples have emerged showing how proprietary connected systems relying on outdated notions of ‘security-by-obscurity’ can in fact be reverse engineered and chip firmware modified to give hackers complete remote control. The consequences could be deadly.

A new approach is needed to secure connected devices, which is exactly what the prpl Foundation is proposing in its new document: Security Guidance for Critical Areas of Embedded Computing. It lays out a vision for a new hardware-led approach based on open source and interoperable standards. At its core is a secure boot enabled by a “root of trust” anchored in the silicon, and hardware-based virtualization to restrict lateral movement.

Read more of this post

How to Fix the Internet of Broken Things

iot-securityThe Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous blog I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

Read more of this post

The Security Challenges Threatening to Tear the Internet of Things Apart

IoT SecurityThe Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-security experts designing and building connected systems the risks grow ever greater. So what can be done?

Read more of this post