Modular systems in which each component has a unique function give rise to security dependencies between the components. In particular, the security of the entire system depends on the components located at the lowest level. Low-level components such as firmware control how software is loaded and play a crucial role in a software platform security architecture.
Micro nodes must address requirements such as power consumption and size restrictions. Power nodes may include multiple processors, shared secondary cache memory, etc. From a security perspective, both node categories should be able to verify the integrity of loaded software before transferring control to it.
The code responsible for transferring images from media to internal memory must be trusted, and this involves several security design issues. This code can either be hard-coded (ROM) or itself be subject to software upgrades. The latter case in particular is challenging from a hardware/software embedded system security design point of view. Both GlobalPlatform and TrustZone address this kind of problem and should be analysed and implemented, if appropriate, to fulfil the nSHIELD requirements and architecture design.
Resilience against tampering in hostile environments must be balanced against requirements of firmware upgrades.
For Power nodes the firmware could be very complex, since it involves many other tasks that are not security related. One approach is to divide the monolithic firmware into two modules: one is resident in read-only memory and therefore trusted; the other is checked prior to execution and is also subject to upgrade. Since modern processors offer many execution states, some peripherals must be initialized both by the firmware and by the operating system, so some functionality should in theory be migrated away from the firmware to the operating system. Suspend and resume of a laptop is one example of such an event.
Micro nodes are expected to be less complex to initialize, and therefore the entire firmware might be stored in read-only memory.
Resilience against power failures is very hard to implement in firmware. The node must keep a copy of the old active firmware while downloading a new version. In addition, there must be some atomic mechanism that selects which version to run. Fixed firmware eliminates this kind of problem, but also the possibility of upgrades. Another approach is to switch to fixed firmware once the product has been shipped in volume and found stable.
Self-recovery for a system may involve a watchdog and an alternative medium with alternative software. From a firmware perspective this involves more hardware to set up and operate.
The flexibility to choose any file system and media type maps directly to the size and complexity of the firmware. Restrictions and limitations in the firmware could be addressed by partitioning the media with different file systems for the boot-related software and the payload software. If the same file system is used on both primary and secondary media, complexity can be reduced.
The firmware could be implemented as a suite of generic components that could be used for anything in the range from a micro node to a power node. It should also be possible to integrate the components into existing firmware as a security enhancement.
The interface between the firmware and the operating system should also include a hypervisor. If the hypervisor is configured, it should be invoked together with a guest operating system that enables management of additional guest operating systems. The firmware should be designed to eliminate threats from any guest targeting the underlying hardware.
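The two ideas above, a trusted ROM-resident stage that checks an image before transferring control to it and a fallback to the old firmware when a download is interrupted, can be combined in a two-slot boot selector. The following is an added illustration, not nSHIELD project code; the slot header layout, the FNV-1a checksum standing in for a real hash or signature, and the sample images are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed example, not nSHIELD code; FNV-1a stands in for a real hash/signature. */
#define SLOT_MAGIC 0x4E534844u          /* "NSHD": marks a populated slot */
typedef struct {
    uint32_t magic, version, length;
    uint32_t digest;                    /* checksum over payload[0..length) */
    const uint8_t *payload;
} fw_slot_t;
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* The ROM-resident stage checks a slot before it is ever considered for boot. */
int slot_is_valid(const fw_slot_t *s) {
    if (s->magic != SLOT_MAGIC || s->length == 0 || s->payload == NULL) return 0;
    return fnv1a(s->payload, s->length) == s->digest;
}

/* Newest valid slot wins. A slot whose download was cut by a power failure fails
   the check and is skipped, so the node falls back. Returns -1 if none is valid. */
int select_boot_slot(const fw_slot_t slots[2]) {
    int best = -1;
    for (int i = 0; i < 2; i++) {
        if (!slot_is_valid(&slots[i])) continue;
        if (best < 0 || slots[i].version > slots[best].version) best = i;
    }
    return best;
}

/* During an upgrade the header (and so the digest) is written last, so a
   partially downloaded image never validates. */
fw_slot_t make_slot(uint32_t version, const uint8_t *payload, uint32_t len) {
    fw_slot_t s = { SLOT_MAGIC, version, len, fnv1a(payload, len), payload };
    return s;
}

/* Slot 1 holds a newer image; torn != 0 simulates an interrupted header write. */
int boot_choice(int torn) {
    static const uint8_t old_img[] = { 1, 2, 3, 4 }, new_img[] = { 9, 9, 9, 9, 9 };
    fw_slot_t slots[2] = { make_slot(1, old_img, 4), make_slot(2, new_img, 5) };
    if (torn) slots[1].digest ^= 1;
    return select_boot_slot(slots);
}
int main(void) {
    printf("intact: slot %d, torn: slot %d\n", boot_choice(0), boot_choice(1));
    return 0;
}
```

Because selection depends only on which slots currently validate, the switch to the new version happens atomically when its header is finally written, and a torn download leaves the old slot as the only bootable one.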
2.6 Power supply protection
2.6.1 State of the art
Sustainable operation of battery-powered wireless embedded systems, such as an SDR/cognitive-enabled node or a micro node, is a key challenge for every scenario defined in the scope of the project. Over time, Embedded Systems (ES) have evolved and are becoming more sophisticated and complex. For this reason, these systems need a better power supply design.
Current devices operate at lower voltages and higher currents than earlier models. Consequently, power supply requirements may be more demanding, requiring special attention to features deemed less important in past generations.
One of the basic requirements of a power supply for ES is to generate the necessary supply voltages with the best possible quality and an adequate electrical current, so that the systems can make full use of their capabilities.
[2] presents a study of the power consumption of the different types of node: cognitive-enabled nodes and micro nodes. After this analysis, the protection of the different systems against external attacks focuses on three key points:
- Study how to provide a continuous power supply source, without any cut in time or, at least, how to keep the system running for a period of time long enough to solve the problem with the main source or to send a warning to alert the person in charge. In the previous phase of the project, different power supply sources were also reported [1]. Three main groups were shown:
  - the energy storage systems: batteries, fuel cells, ultra-capacitors, micro-heat engines, nuclear micro batteries
  - the power harvesting methods, like solar power, thermal energy, wind power, pressure variation energy and vibrations
  - the power distribution methods: it is possible to distribute power directly to the nodes or even to perform wireless recharging (electromagnetic radio frequency distribution, elastic or acoustic waves and laser beam)
- Design the appropriate protections to avoid system damage, including different operation modes to plug or unplug critical and non-critical sections of the nodes.
- Monitor the power consumption.
2.6.2 Relationship with pSHIELD
During the previous phase of the project two different protection boards were designed, manufactured and tested.
One of them was for a wireless platform that could have up to five different sub-systems connected. It includes not only the protections necessary to avoid damage to the circuit but also the hardware necessary to let the microprocessor control the power supply of the different sub-systems. To monitor power consumption, a current sense amplifier was included in the design. The second protection board contained only the protections needed to avoid damage to the circuit.
Both protection boards have been tested in order to verify that the system is protected against overvoltage, overload, short circuit and overtemperature. Both designs have fulfilled the defined requirements, since the nodes have integrated not only the necessary protections but also a mechanism to plug/unplug the different sub-systems and a sensor to monitor power consumption.
Both designs can be considered as a starting point for the design of a secure power supply for nSHIELD.
2.6.3 References
- pSHIELD D3.2 SPD nano, micro or personal node technologies prototype report, http://www.pshield.eu/index.php?option=com_docman&Itemid=37