Presentation's title
Dominique Bolignano
CEO
Prove & Run
3rd April 2017
B03 - In-vehicle technology enabler
Introducing myself and Prove & Run
• Dominique Bolignano, previously Founder & CEO of Trusted Logic
• Trusted Logic is now Gemalto, Trustonic and Trusted Labs
• First EAL7 JavaCard OS
• Introduced the TEE (now a worldwide standard for mobile security, with Android/Trusty and iOS/Secure Enclave)
Unique Selling Proposition
ProvenCore and ProvenVisor are secured by design:
• Security properties are formally proven down to code generation, to be as close as possible to “zero bug” and ensure the highest resistance to hackers
• Certification at the highest assurance level
Company Status
• Starting field deployment of first devices
• Engaged in design-in discussions with reference customers in the Automotive, Railways, Avionics, Energy and Mobile sectors
Prove & Run Value Proposition
We provide cost-effective off-the-shelf software solutions that dramatically improve the level of security of your Connected Systems/Devices so as to protect them against remote cyber-attacks
Attacks illustrated on the slide: StingRay MITM attacks, attacks on Ukrainian power stations, Stuxnet, Jeep hack, D-Link charged by FTC, Mirai
Security is as strong as its weakest link
Toolbox:
• State of the art security methodology (security analysis, …)
  • Identification phase vs exploitation phase
• Root of trust, secure elements, crypto processors and libraries
• TEE / Secure OS
• Hypervisors
Slide callouts: need for a TEE; need for an extremely resistant TEE; need for a resistant hypervisor
TrustZone ARM Cortex-A – High Level Principles (diagram)
Normal World: User Mode (User Applications); Kernel Mode (Rich OS: Linux, Windows ..); Hypervisor Mode
Secure World: User Mode (Security Applications); Kernel Mode (ProvenCore)
TrustZone™ Monitor (Monitor Code) sits between the two worlds
I/O devices can be configured to be controlled by the Secure World
Secure Boot - Secure Firmware Update (diagram)
ARM Cortex-A (with TrustZone): Normal World | Secure World running the Formally Proven Operating System (ProvenCore); Update Server on the network side
Callouts: formal proof needed; guaranteed security for the firmware update process; autonomous firmware update process
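The firmware update slides place the secure-world OS between the update server and the device, and rely on it for the guarantee. As an added example (not Prove & Run's code, and not ProvenCore's update format), the Go program below shows what that secure-world verifier has to do before a single byte of a new image is trusted: check the vendor's signature over a manifest, refuse any version that does not advance the installed-version counter (anti-rollback, which also defeats replay of an old signed update), and check the image against the hash in the signed manifest. The manifest layout, Ed25519 as the signature scheme, the in-memory version counter and the sample image bytes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout, assumed for this example (not ProvenCore's format):
// version uint32 BE | imgLen uint32 BE | imgHash [32]byte (SHA-256 of the image).
// The vendor signs the manifest with Ed25519; the image is bound to it by its hash.
const manifestLen = 4 + 4 + sha256.Size

type Manifest struct {
	Version uint32
	ImgLen  uint32
	ImgHash [sha256.Size]byte
}

func (m Manifest) Marshal() []byte {
	buf := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(buf[0:4], m.Version)
	binary.BigEndian.PutUint32(buf[4:8], m.ImgLen)
	copy(buf[8:], m.ImgHash[:])
	return buf
}

func parseManifest(b []byte) (Manifest, error) {
	var m Manifest
	if len(b) != manifestLen {
		return m, errors.New("manifest: bad length")
	}
	m.Version = binary.BigEndian.Uint32(b[0:4])
	m.ImgLen = binary.BigEndian.Uint32(b[4:8])
	copy(m.ImgHash[:], b[8:])
	return m, nil
}

// UpdatePackage is what the normal-world agent hands across the world boundary.
type UpdatePackage struct{ Manifest, Signature, Image []byte }

// Verifier is the secure-world side: the vendor public key and the monotonic
// installed-version counter (both would live in secure storage on a device).
type Verifier struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrRollback     = errors.New("update: version not newer than installed")
	ErrImageHash    = errors.New("update: image does not match manifest")
)

// Verify checks in the order that matters: signature first, so no unsigned
// field steers a later decision; then anti-rollback; then the image hash.
func (v *Verifier) Verify(p UpdatePackage) (Manifest, error) {
	if len(v.VendorKey) != ed25519.PublicKeySize || !ed25519.Verify(v.VendorKey, p.Manifest, p.Signature) {
		return Manifest{}, ErrBadSignature
	}
	m, err := parseManifest(p.Manifest)
	if err != nil {
		return Manifest{}, err
	}
	if m.Version <= v.CurrentVersion {
		return Manifest{}, ErrRollback
	}
	if uint32(len(p.Image)) != m.ImgLen || sha256.Sum256(p.Image) != m.ImgHash {
		return Manifest{}, ErrImageHash
	}
	return m, nil
}

// Apply advances the installed version only after Verify succeeds. Writing the
// image to the inactive flash bank is the step a real implementation adds here.
func (v *Verifier) Apply(p UpdatePackage) error {
	m, err := v.Verify(p)
	if err != nil {
		return err
	}
	v.CurrentVersion = m.Version
	return nil
}

// MakePackage plays the update server: it signs a manifest describing image.
func MakePackage(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	m := Manifest{Version: version, ImgLen: uint32(len(image)), ImgHash: sha256.Sum256(image)}
	mb := m.Marshal()
	return UpdatePackage{Manifest: mb, Signature: ed25519.Sign(priv, mb), Image: image}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{VendorKey: pub, CurrentVersion: 3}
	good := MakePackage(priv, 4, []byte("firmware v4 (constructed)"))
	fmt.Println("fresh:", v.Apply(good), "| replayed:", v.Apply(good))
}
```

Signing the manifest rather than the image keeps the signed object small and fixed-size, and the hash check still binds the image to it; the ordering in Verify matters because an attacker who controls the normal world controls every field of the package, so nothing may be parsed or acted on until the signature has been checked.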
IDS - IPS - Remote maintenance, Remote inspection, … (diagram)
Internal Network ↔ Formally Proven Operating System (ProvenCore) ↔ IoT Service; the ProvenCore box filters the traffic between the two
Wire format: Ether | IP | TCP | Encrypted and signed payload carrying IP | TCP | Data
Backup Slides
Addressing the Cybersecurity Challenge
“Motor Vehicles Increasingly Vulnerable to Remote Exploits”,
Title of the FBI’s Public Service Announcement,
March 2016
• After a decade of evolution, mobile security architectures have converged towards a security architecture based on three pillars:
  • Secure elements or hardware coprocessors for the Root of Trust, cryptography and transactions
  • TEE (Trusted Execution Environments) / Secure OS
  • Hardware or software hypervisors
• The last two need to be significantly reinforced for connected cars (TCU, Infotainment, …) and, more generally, for the Internet of Things.
• The most challenging issue is logical attacks on the complex part of the software:
  • Hackers will exploit errors (bugs, configuration or specification errors, …)
  • New errors are reported by the thousands every year in all OSes (e.g. NIST)
  • OSes such as Android, Linux or large RTOSes cannot be directly secured; they need to be sandboxed in some way.
• Security by design is a must. It can easily be achieved by using a formally proven kernel such as ProvenCore for:
  • Protecting the entry points (e.g. the TCU, the Infotainment system)
  • Providing secure execution environment(s) for security-critical applications (FOTA, firewall, event logging, intrusion detection, etc.)
  • Controlling accesses to peripherals
What is the security challenge?
Addressing the Cybersecurity Challenge (chart: Without Any Formally Verified OS Kernel)
x-axis: Security Budget (per vehicle), $10 to $100; y-axis: Hackers Budget (Attack Identification Cost), $1M to $10M
Regions: Protected / Exposed to Attacks
Addressing the Cybersecurity Challenge (chart: With At Least One Verified OS Kernel)
Same axes; region: Protected
Callout: effect of using a formally proven kernel
Securing Communication with a VPN (diagram)
Thing running an Operating System (e.g., Linux) with the stack Ethernet Driver → TCP/IP → TLS → OpenVPN, talking to the IoT Service
Wire format: Ether | IP | TCP | Encrypted and signed payload carrying IP | TCP | Data
Protecting the VPN against hackers (diagram)
Internal Network ↔ Formally Proven Operating System (ProvenCore) ↔ IoT Service
Wire format: Ether | IP | TCP | Encrypted and signed payload carrying IP | TCP | Data
Practical Integrated Architecture (diagram)
Cortex-A (with TrustZone): Normal World runs the Classical OS (e.g., Linux); Secure World runs the Formally Proven Operating System (ProvenCore), which fronts the network towards the IoT Service
Wire format: Ether | IP | TCP | Encrypted and signed payload carrying IP | TCP | Data
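The VPN slides above (Securing Communication with a VPN, Protecting the VPN against hackers, Practical Integrated Architecture) and the earlier IDS/IPS filtering slide all put a small verified component between the network and the rich OS, so that only the encrypted-and-signed tunnel traffic reaches the Linux stack. As an added example that is not Prove & Run's code, the Go program below implements that default-deny filter over raw Ethernet/IPv4/TCP frames: anything that is not well-formed IPv4 TCP to or from the configured VPN peer and port is dropped, including fragments, other protocols and truncated frames, which is exactly the input a rich-OS network stack would otherwise have to parse while exposed. The policy values, the frame builder and the addresses are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Ethernet II, IPv4 and TCP header sizes (RFC 894, RFC 791, RFC 793).
const (
	ethHdrLen    = 14
	ethTypeIPv4  = 0x0800
	ipProtoTCP   = 6
	ipMinHdrLen  = 20
	tcpMinHdrLen = 20
)

// Policy is the one thing the filter allows: TCP between the rich OS and the
// VPN concentrator on one port. Values are constructed for this example.
type Policy struct {
	Peer     net.IP
	PeerPort uint16
}

type Verdict string

const (
	Drop Verdict = "DROP"
	Pass Verdict = "PASS"
)

// Filter decides one frame; outbound means it came from the rich OS.
// Every parse failure is a Drop: default deny is the point of putting this in
// a small verified component instead of relying on the rich OS stack.
func Filter(p Policy, frame []byte, outbound bool) (Verdict, string) {
	if len(frame) < ethHdrLen+ipMinHdrLen+tcpMinHdrLen {
		return Drop, "frame too short"
	}
	if binary.BigEndian.Uint16(frame[12:14]) != ethTypeIPv4 {
		return Drop, "not IPv4"
	}
	ip := frame[ethHdrLen:]
	ihl := int(ip[0]&0x0f) * 4
	totalLen := int(binary.BigEndian.Uint16(ip[2:4]))
	if ip[0]>>4 != 4 || ihl < ipMinHdrLen || totalLen < ihl+tcpMinHdrLen || len(ip) < totalLen {
		return Drop, "bad IP header or length"
	}
	// Any fragment offset or MF bit: the TCP header may be missing or split.
	if binary.BigEndian.Uint16(ip[6:8])&0x3fff != 0 {
		return Drop, "fragmented"
	}
	if ip[9] != ipProtoTCP {
		return Drop, "not TCP"
	}
	src, dst := net.IP(ip[12:16]), net.IP(ip[16:20])
	tcp := ip[ihl:totalLen]
	sport := binary.BigEndian.Uint16(tcp[0:2])
	dport := binary.BigEndian.Uint16(tcp[2:4])
	if outbound {
		if dst.Equal(p.Peer) && dport == p.PeerPort {
			return Pass, "to VPN peer"
		}
		return Drop, fmt.Sprintf("outbound to %s:%d is not the VPN peer", dst, dport)
	}
	if src.Equal(p.Peer) && sport == p.PeerPort {
		return Pass, "from VPN peer"
	}
	return Drop, fmt.Sprintf("inbound from %s:%d is not the VPN peer", src, sport)
}

// BuildFrame constructs a minimal Ethernet/IPv4/TCP frame as test input.
// Checksums stay zero; Filter does not look at them.
func BuildFrame(src, dst net.IP, sport, dport uint16, payload []byte) []byte {
	f := make([]byte, ethHdrLen+ipMinHdrLen+tcpMinHdrLen+len(payload))
	binary.BigEndian.PutUint16(f[12:14], ethTypeIPv4)
	ip := f[ethHdrLen:]
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:4], uint16(ipMinHdrLen+tcpMinHdrLen+len(payload)))
	ip[9] = ipProtoTCP
	copy(ip[12:16], src.To4())
	copy(ip[16:20], dst.To4())
	tcp := ip[ipMinHdrLen:]
	binary.BigEndian.PutUint16(tcp[0:2], sport)
	binary.BigEndian.PutUint16(tcp[2:4], dport)
	tcp[12] = 0x50 // data offset 5 words
	copy(tcp[tcpMinHdrLen:], payload)
	return f
}

func main() {
	pol := Policy{Peer: net.IPv4(203, 0, 113, 10), PeerPort: 443}
	dev := net.IPv4(192, 168, 1, 20)
	fmt.Println(Filter(pol, BuildFrame(dev, pol.Peer, 40000, 443, []byte("tls")), true))
	fmt.Println(Filter(pol, BuildFrame(dev, net.IPv4(192, 168, 1, 1), 40000, 22, nil), true))
}
```

The filter never decrypts anything: the tunnel's confidentiality and integrity come from the TLS/OpenVPN layers inside the rich OS, while the verified component only guarantees that no other traffic reaches that stack. Keeping the allowed set this small is what lets the component stay simple enough to prove.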