
Securely into the digital Future with SASVI

IoT, Security

Security at all System Layers through Chains of Trust and Isolation

It is a truism that IT-supported systems are becoming increasingly complex and progressively determine all areas of our lives. What is known as digitization, however, has real-world implications that reach further than most people realize....

One example illustrates the dilemma of today's digitization: Insecure routers that do not receive security patches are now the norm, not the exception. A hacker who uses vulnerabilities that are many years old for an attack usually has few problems breaking in. The situation is no better for many other digital devices and software. Perhaps a more tangible example: Someone who wants to eavesdrop on young parents usually just needs the right baby monitor. There is no provision for encryption here. In industry, things look only a little better, if at all. Encrypted communication between machines is still uncharted territory, despite technologies such as OPC UA. This untenable state of affairs, which runs through all areas of digital life, opens the door to hackers, who are acting in an increasingly professionalized manner. From this point of view, the vulnerable infrastructure has also been inadequately protected to date.

Risky Dependencies

On the strategic level, Europe is economically and politically dependent on a small number of providers. Beyond the fact that these providers are free to exploit their market power, the dependence on certain hardware and certain IT infrastructure is a political risk. The RISC-V architecture has emerged in recent years as a way out of this dependency. As an open source platform, it offers the technological and legal security needed to build future developments on it. The potential has not yet been fully exploited. However, it has been recognized that the architecture will become performant enough through clever further development, and that in some areas it already is, namely for almost all IoT applications. Support is now also coming from U.S. tech giants such as Alphabet. It therefore makes sense to use RISC-V as the basis for secure systems.

Slowly, the realization is gaining ground at the political level that IT products must be built securely from the ground up on the one hand, and on the other hand must be provided with security patches that close critical vulnerabilities over their lifetime. In this sense, product features that are added through updates are a nice touch, but what is really needed are security updates that are based on a resilient security architecture, so that data protection does not remain a fig leaf on corporate websites and a fine claim by legislators.

Politics pulls the right Levers

For this reason, the administration has become active at both European and national level and is now specifying how software and digital systems must be built and tested so that they meet minimum cybersecurity requirements. In 2019, the Cybersecurity Act was passed by the European Parliament, and at the end of 2022 - although not yet ratified - the Cyber Resilience Act was launched. The initiatives call for digital products to be given basic security features. Essentially, customers are to be enabled to act securely by being informed and, in addition, products with digital components are to be classified and certified in security levels and provided with updates. These products should also be based on a reliable security framework.

A few years ago, the German government therefore introduced an initiative at the national level with the research framework program "Self-determined and secure in the digital world 2015-2020", which promotes basic research on this topic. One of the research projects in this initiative is the subsection "Security at all IT system layers." This program funds projects that contribute significantly to cybersecurity and produce technology far beyond the current state of the art, together with its blueprints, which then meets precisely the requirements of legislators.

SASVI: Chains of Trust hold Systems together

SYSGO is one of the companies and institutions involved in the research project and is developing SASVI. SASVI stands for "security at all system layers through chains of trust and isolation". The project provides a model for trustworthy IT systems. The researchers address the following problems:

  • Growing attack surface of (I)IoT systems due to the progressive networking of highly integrated devices
  • Lack of development support
  • Analysis and configuration capabilities of secure chains of trust, such as for the implementation of zoning concepts from IEC 62443 in industrial applications
  • The difficulty of designing interfaces such as those for RISC-V in such a way that an implementation in the product can be secured against hardware and software attacks

These problems are solved in SASVI by means of chains of trust with end-to-end isolation, which consist of secure RISC-V-based processor architectures, hardware-based operating system components, hardware-based root-of-trust components, and trusted execution environments (TEE). In addition, a special focus is placed on the secure and end-to-end integration of the components into a trusted overall system suitable for industrial applications.

This procedure aims directly at the following objectives:

  • efficient procedures for formal verification or for statistical guarantees as well as for validation and certification of the security of components and systems;
  • secure specifications and derivable security guarantees for open instruction sets such as RISC-V;
  • methods and tools for building and verifying chains of trust in composite IT systems.

On the one hand, the developed technologies will be commercially exploited by industrial partners through new products. On the other hand, the results of the research work will gain special leverage through publications, conferences and integration into the teaching context by the universities and will strengthen the trust in European high-tech products and thus secure technology sovereignty in Europe in a sustainable and broadly effective way.

The subproject targets the operating system layer (OS layer) and its integration into the hardware layer (HW layer) as well as the Industrial Internet of Things layer (IIoT layer). The researchers are implementing HW mechanisms for security such as root-of-trust and secure boot, hypervisor extensions, and concurrency control that will be used for SYSGO's real-time operating system product line.

"For SYSGO, the SASVI research project will explore and implement essential technologies in the area of hypervisor-based chain of trust with OS isolation. This is considered at all system levels and based on RISC-V we have access to open components (e.g. TEEs, hypervisor extensions) to develop this with a 'hardware-software-co-design' approach more closely with collaborative partners. This key project will result in new approaches for our EAL5+ Common Criteria certified PikeOS, which can also be efficiently implemented on RISC-V platforms", says Mario Brotz, Director Research and Technology at SYSGO.

Requirements development is initially driven by specific use cases for which OS requirements are integrated. The system view thereby combines requirements for chains of trust and isolation, which must be created or maintained during implementation. In terms of implementation, at the OS level, root-of-trust and secure boot are used to create chains of trust; modular TEEs, hypervisor extensions and resource budgeting are used by software for isolation. This is accompanied by concurrency analysis to minimize any interference. In the project, the researchers apply an iterative methodology to hardware-software co-design that develops incrementally on the software side and provides early feedback to hardware development, for example with code snippets. This happens before the components are integrated into higher-level system functions. At the hardware level, appropriate analysis (e.g., of timing properties) gives intensive attention to the isolation properties of the developed components, including those used for chains of trust; these properties are non-functional and thus easily lost from view.

Scientific and technical Work Objectives

The goal of this project is to develop a cross-system layer concept for chains of trust with end-to-end isolation. This covers hardware and software components on all layers, the operating system, applications and cloud aspects, starting from secure processor architectures, hardware-based operating system components, hardware-based root-of-trust components and TEEs. In addition, a special focus will be placed on the secure and end-to-end integration of the components into a trustworthy overall system suitable for industrial applications. To achieve the broadest possible impact of the developed security technologies, SASVI relies on the open RISC-V architecture for hardware components.

The technical goals of the project, enumerated from hardware to system layer, are to develop

  • flexible RoT components for chains of trust in RISC-V systems,
  • consistent HW primitives for extended TEE in RISC-V architecture,
  • hypervisors as a management system for chain of trust and OS isolation/TEE,
  • a consideration of system-level chain of trust isolation,
  • supporting applications in the IIoT services of remote maintenance, remote monitoring and over-the-air updates, using smart pump applications as an example.

Ultimately, SASVI will help make the digitized world a bit more secure by leveraging new as well as proven security approaches and by relying equally on a freely accessible hardware architecture. Thus, not only industry but society as a whole will benefit from robust systems that meet regulatory requirements on the one hand and lead the way in building embedded systems as a whole on the other.