Embedded World Product Showcase: BG Networks Security Automation Tool
March 04, 2021
A New GUI-Based Software Automation Tool Designed to Make Implementing IoT Cybersecurity Easy
BG Networks announced a new graphical-user-interface based software automation tool and complementary embedded security software architecture explicitly designed to make IoT cybersecurity easy.
The BG Network Security Automation Tool (SAT) enables embedded engineers to develop cyber-secure code efficiently and effectively without needing a background in cybersecurity. With this tool, engineers can easily improve security capabilities, enhance productivity, and reduce the time required to take advantage of security features built into hardware platforms.
When used with the SAT, BG Network’s Embedded Security Software Architecture (ESSA), a collection of scripts, recipes, configurations, and documentation for Linux, enhances cybersecurity for IoT devices, including secure boot, encryption, authentication, and secure software updates. The ESSA enables engineers to extend a hardware root of trust to secure U-Boot, the Linux kernel, and applications in the root file system.
Enabling IoT Security Everywhere - A Philosophy, Not An After-Thought
BG Networks’ mission is to ensure every connected embedded device has the cybersecurity needed to keep IoT networks safe from cyber-attacks. We believe it is feasible to simplify the task of adding cybersecurity to IoT devices on a large scale. Our goal is to remove obstacles that prevent embedded engineers from including cybersecurity by making it quick, easy, and seamless.
The BG Networks SAT and ESSA address the challenge of implementing cybersecurity by providing easy-to-use and time-saving tools for embedded engineers to implement complex security protocols without extensive training or expensive consultation.
Leverage of In-Silicon Features and Open-Source Software for First-Class Security
Leveraging openly available cryptography and taking advantage of inherent cybersecurity features in hardware are additional tenants of BG Networks’ philosophy. Why reinvent the wheel when many available options offer high levels of security and can shorten the time for implementation?
To provide strong cybersecurity without compromising performance or functionality, our automation tools leverage:
In-silicon cryptographic accelerators and secure memory
Over-The-Air (OTA) software update solutions from open-source and trusted partners
Linux security features
In-Silicon Cryptographic Security Features for Greater Efficiency
Processor semiconductor companies are continually improving cybersecurity features in embedded microprocessors and microcontrollers. These “in-silicon” features are extremely secure because they build on a hardware root of trust, store keys in secure memory, can monitor the state of security, and establish trusted execution environments based on ARM’s TrustZone.
Compared to software-only approaches, BG Networks SAT takes advantage of these inherent security features by direct processor configuration and adding the necessary code/keys/signatures to the engineer’s software. This approach of using in-silicon hardware results in highly secure software with high levels of cryptographic data throughput, without sacrificing power consumption, or core processor MIPS.
Over-The-Air (OTA) Software Update for Greater Security
No system is 100% secure. After deployment, security vulnerabilities are sure to be found, so software updates are critical. Vulnerabilities discovered after the IoT devices are in the field can be remedied using OTA software updates. Security risks can be closed quickly and cost-effectively for large fleets of devices, even if they are remote.
BG Networks leverages open-source OTA update software and works with industry-leading companies to provide complete solutions. BG Networks’ Embedded Security Software Architecture integrates Mender.io, an open-source end-to-end robust and secure OTA software update manager that is easy to use and uses best-of-breed security technologies.
Leveraging Linux Security Features for Greater Capability
The Linux kernel has built-in security features that can be used to extend the hardware root of trust. The Device Mapper (DM) framework, provided by the kernel, supports security functions used to authenticate, confirm integrity, and encrypt application code stored in block-memories. BG Networks’ ESSA leverages these Linux security features to encrypt the rootfs, which contains Mender’s client software, and is authenticated during boot.
BG Network SAT and ESSA Features
BG Networks’ Security Automation Tool and Embedded Security Software Architecture combine to support security from the boot loader to application software as shown in the diagram below.
The SAT supports the following cybersecurity features for NXP’s I.MX 6 and I.MX 8M families of processors:
Authenticated and encrypted boot for systems on bare metal, using an RTOS or Linux
Generation of public and private keys for RSA digital signatures
Support for up to 4096-bit keys for resilience against quantum computing attacks
Signing of application binaries with RSA signatures
Hardware accelerator-based SHA-256 hashing for authentication of public keys
Generation of AES keys up to 256 bits in length
Accelerator-based AES-CCM encryption for bootable code stored in flash memory
Use of NXP’s immutable High Assurance Boot (HAB) code stored in ROM
Supply chain security preventing gray market and counterfeit device manufacturing
Securing UART, USB, JTAG I/O interfaces
Download of secure binaries to flash memory via USB or UART interfaces.
Locking of the processor
The ESSA is Linux based and when used in conjunction with the SAT will support:
Hardware root of trust extended to the Linux rootfs and software application layer.
Configuration of Linux Device Mapper (DM) cryptographic functions.
Use of AES-XTS and HMAC-SHA256 cryptographic algorithms.
OTA software update support based on Mender.
Mender security features include:
Client-server authentication using RSA signatures & JSON Web Tokens (JWT)
Software updates sent over an encrypted channel (HTTPS)
Software updates authenticated using RSA signatures
An Overview of the Steps to Create Secure Code
To secure your Linux software using these tools, the starting point is ESSA. Build your software using ESSA files, which is Yocto based. This builds an image which will have Mender integrated to perform OTA software updates. The integration creates a Yocto Project image, including a disk image that can be flashed to device storage during initial provisioning and includes an artifact containing filesystem image file that Mender can deploy to, over-the-air. The next step is to use the SAT. By answering a series of questions keys will be generated, U-boot will be encrypted and signed, and the Linux kernel will be signed. The SAT is then used to download your code to flash memory, secure I/O interfaces, and lock the processor. This will result in code that is stored in encrypted form in flash memory, that will be authenticated and checked for integrity on boot, and can be updated over a network interface using Mender.
To Get Started and To Learn More
To see a video of the steps to create secure code go to BG Networks’ webpage that provides an overview of these automation tools .
To request an evaluation version of the Security Automation Tool or for access to Embedded Security Software Architecture demonstration code please visit the BG Networks tools request page.
For more information on OTA software updates visit the Mender website .
For additional information on cybersecurity for software updates see Mender’s white paper titled: Security Consideration for Remote Management of Software in IoT Devices.
For additional information on cybersecurity considerations for hardware see WINSYSTEMS’ article titled: Trusted Hardware, The IoT Cybersecurity Improvement Act of 2020 .
If you looking for a cybersecurity solution specifically tailored for your IoT device, BG Networks offers IoT security consulting services that include risk/threat assessments, software development, and testing. For more information on these consulting services see the BG Networks consulting services web page