Arm’s Ongoing Efforts to Demystify Security

During the recent uptick of car break-ins in the U.S., some drivers have resorted to an unexpected strategy:  capitulation. They leave their doors unlocked, and will even leave a note with money attached, in the hope that thieves won’t break their windows or cause other damage.

Police investigators, though, say it’s a doomed strategy: many thieves don’t take the time to read the notes before they start smashing.

Sadly, a similar situation often occurs in cybersecurity.

Cybercrime will cause $6 trillion in damage this year, a total surpasses the size of the drug trade and the annual losses caused by natural disasters. Analysts expect it to rise to $10.5 trillion by 2025. Security fears may also postpone the adoption of AI, 5G and IoT, technologies needed for the fight against climate change and other critical issues.

Unfortunately, security is also a topic that many businesses and consumers try to avoid as much as possible. They are also often skeptical of the technology’s ability to respond to the escalating sophistication of threats. In a recent survey conducted by PSA Certified, 54 percent of respondents said the uncertain ROI and potential lack of buy in for security among their employees leads to an unwillingness to invest continuously in security measures. Only 47 percent said they carry out a threat analysis for every new product, a figure that drops to 33 percent for smaller companies.

While some might be inclined to blame users, I believe that a substantial portion of the problem lies with the technology industry. The underlying mechanics of security breaches can be difficult to comprehend. The impact and consequences of breaches, let alone the best way to prevent it from happening again, can likewise be nebulous and confusing. Rather than take a more active role, businesses and consumers become frozen by fear, uncertainty and doubt.

Developers are often not much better off. Look at the SolarWinds attack. We know it was extensive, but we still don’t know how it spread, what the attackers were after or how to prevent similar attacks from occurring.

Sometimes, filing a cyber insurance claim looks like the best defense.

Security at the Architecture Level

To this end, we inside Arm’s security team are redoubling our ongoing efforts to more clearly map where we see the dangers and defenses at the silicon level. And if innovation starts at the silicon level, so should demystification. Ideally, a clearer picture might lead to greater collaboration and creative thinking within the Arm security community, which in turn can lead to solutions that perform better, achieve greater adoption and help stem the rising tide of cybercrime.

So how do we divide security defenses and risks? Into four categories.

1. Defensive Execution Technologies

Ransomware, side channel attacks, DDoS rely on sudden and sometimes overwhelming force. Many of these attacks are related to memory vulnerabilities where a virus effectively sneaks in through flaws an existing application (or in the way a processor handles a particular application.) An estimated 70 percent of Microsoft exploits are related to memory vulnerabilities, a common vector for these sort of attacks.

The Arm architecture includes technologies that help to defend against memory access and control flow attacks. For example, Pointer Authentication Code (PAC) (now available for both the A and M profile – see the Armv8.1-M PAC announcement), helps to prevent an attacker manipulating a program’s control flow by applying a cryptographic signature to pointers. Another example is the Memory Tagging Extension that provides the capability to detect if an object such as text string or array is accessed beyond its bounds, such as when a buffer overflows.

Both PAC and MTE can often be enabled by recompiling software with a compiler that supports these defenses.

2. Isolation Technologies

If defensive execution technologies are analogous to security gates or door locks, isolation technologies are the safe deposit boxes: hardened, small, secure zones for the most valuable resources. The goal is to create an impregnable space where unencrypted data can be shared, analyzed or viewed. In real world terms, an isolated space performs the same function as the attorney client privilege or the Hippocratic oath: consumers can get the benefit of sharing data without compromising their privacy.

Realms, part of our recently announced Arm Confidential Compute Architecture, allow trusted services or applications to spin up small, confined virtual chambers isolated from privileged and non-privileged software, including a hypervisor. A trusted partner can enter, process the data, analyze the information shared and then purge the chamber on completion. While within the chamber, it possible to measure and attest the isolation properties to be certain that the data is not accessible to the infrastructure that surrounds and supports the chamber.

Isolation technologies like Arm TrustZone have been around for a number of years but will likely be used far more broadly in the coming decade as they promise to be one of the stronger defenses against data theft. Google, Amazon and others (Arm included) are also working to automate isolation to simply adoption and use.

3. Common Platform Security Services

In a world of a trillion devices, whom can you trust? Common Platform Security Services are effectively the background checks of the digital world. Arm is helping develop standard firmware and software architectures across trust boundaries to simplify the adoption and make system software much more portable.

The firmware framework and the certification processes for PSA Certified are becoming increasingly popular for establishing a root of trust in devices. Veraison, coming with Arm Confidential Compute Architecture, extends this work with new components that can be used to build attestation verification services.

Again, we as an industry must make sure these standards are useful to the ultimate buyer. While 84 percent of the respondents say they are interested in industry-lead standards for IoT, 48 percent said different standards and regulations were one of their top challenges.

4. Standard Security APIs

In the early days of electricity, the Edison screw, the aluminum twirl at the bottom of light bulbs, offered manufacturers and consumers a convenient standard that could allow the industry to thrive while reducing safety risks and misuse. Platform Security APIs and PARSEC APIs seek to do the same for security. Standardization of security APIs in particular will be critical for markets like IoT and edge computing where standard implementations will help remove the friction for deploying these on scale. Coordination, collaboration and circumspection are critical. Poorly designed APIs can become an attack vector themselves. Complexity is another issue: if you have to be an expert to implement it, or use it, chances are many will screw up.

Greater awareness and understanding, of course, is only the beginning. We will need to continually develop defenses against new attacks and question our own assumptions about “proven” security processes like over-the-air upgrades. Still a more alert, active customer base who sees and understands security can pave the way for maintaining the upper hand.

As Sun Tzu might have said, we want them to shift from a defense centered around a hope the enemy doesn’t arrive to one based on being prepared for when he does.