Security: “the devil is in the details!”
As security breaches at device level are dramatically increasing, the whole embedded industry welcomes Arm’s security certification of the Cortex-M33 and Cortex-M35P cores the company has been recently announced. It is a great achievement, the first high level certification (CC EAL6+) for software macro IPs.
However, the devil is in the details.
A few days after the Arm announcement, Eurosmart(*) issued a position paper highlighting the limitations of Arm’s soft macro security certification performed on Verilog Hardware Description Language (HDL), especially as physical attacks are not considered: “Due to the form of the certification scope (Verilog), only a limited amount of attacks is directly applicable and countered by the TOE. For example, physical attacks are not countered by this TOE”.
We can understand Eurosmart publication as a concern regarding a possible misinterpretation of the Arm’s security certification.
Developers and vendors of connected or unconnected devices must be aware that without state-of-the-art protection against physical attacks, such as side-channel and fault injection attacks, their devices are still at threat. Even if a certified soft macro provides a good security basis, it does not bring a comprehensive protection against physical security attacks.
Solutions do exist to fill the gap. A new concept has recently been announced of lightweight secure software libraries, which dramatically enhance the resistance against physical attacks, once programmed into the device. A highly reputed security lab has confirmed the benefits of adding a secure library in term of resistance to side-channel and fault injection attacks.
A small step for a great result!
(*): Eurosmart is an association committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Eurosmart and its members are also active in many other security initiatives and umbrella organisations at EU-level, like CEN, ECIL, ETSI, ECSO, ESIA, ETSI, GP, ISO, SIA, TCG and others.
About this blog…