Solutions Emerge to Tackle Many Facets of Embedded Security

As the awareness and urgency surrounding security increases, technology suppliers are responding with solutions to address complex secure system design challenges.


Crack open today’s top embedded system security issues for defense, and you’ll see a wide range of challenges and corresponding solutions. For military system developers, there’s perhaps no richer topic these days than that of developing secure systems. The problems are multi-faceted: How do you prevent intrusions by hackers? How to best encrypt that data once an intruder gets in? How do you ensured the components themselves haven’ been tampered with—or will be tampered with? Over the past 12 months, a myriad of technologies have been implemented at the chip, board and box level designed to help system developers build secure applications.

Secure Data Storage

Perhaps some of the most dynamic innovations in security recently have been on the embedded data storage side. Not long ago, defense system developers using defense-grade solid-state drives (SSD) focused on the tangible attributes you can express as a datasheet spec – media endurance, wear-leveling, error correction, and power loss protection features. System developers had had little to no familiarity with the concept of security as it relates to SSDs. But today practically all storage devices incorporate some level of security. All that said, every application has its own set of application-specific requirements where a simple off-the-shelf security solution cannot address every vulnerability.

“Over the next 5 to 10 years, we expect third-party validation programs, like Federal Information Processing Standards (FIPS) 140-2 and Commercial Solutions for Classified (CSfC), to become mandatory,” said Bob Lazaravich, Technical Director at Mercury Systems, “We also anticipate the replacement of AES-256 encryption with either new algorithms or larger keys to address growing concerns about vulnerabilities from quantum computing.” Lazaravich also said he expects that new defense-grade storage products will incorporate stronger physical security. That includes security to the drive itself and security integrated through the device’s supply chain and manufacturing location.

At one time protection for data stored in modern encrypted and unpowered SSDs was a major concern. But those days are past. SDDs implemented in compliance with an appropriate National Information Assurance Partnership (NIAP) protection profile, unpowered SSDs are considered unclassified. Powered-on and authenticated devices still present significant security challenges. For instance, after a password authentication completes, how does a secure SSD determine that the authenticated user is still present?

Quick Changing NAND Flash

Technology plays a role too. The rapid pace of change in NAND flash media, such as the transition from 2D to 3D NAND flash, requires corresponding changes in the SSD controller architecture. That means a security architect designing a new storage device must always be thinking ahead at least one generation. They must consider how advances in Moore’s Law or other disruptive semiconductor technologies affect their security implementation.

Exemplifying those SSD trends, Mercury recently announced its ASURRE-Stor portfolio of self-encrypting SSDs for classified programs. Designed and manufactured in a secure domestic facility, this product has the distinction of being the first commercial SSD eligible for use in a 2-layer CSfC solution for data at rest protection of classified, secret, and top secret data. The unit integrates state-of-the-art NAND flash combined with Mercury’s ARMOR controller (Figure 1). It employs a suite of cryptographic and performance-enhancing algorithms validated to FIPS 140-2 standards.

Figure 1. ASURRE-Stor self-encrypting SSDs are designed for use in a 2-layer CSfC solution for data at rest protection of classified, secret, and top secret data. It employs algorithms validated to FIPS 140-2 standards.

Meanwhile, Curtiss-Wright’s Defense Solutions has likewise implemented CSfC technology but at the Networked Attached Storage (NAS) level. In January, the company announced support for CSfC 2-Layer Encryption on its Data Transport System (DTS1), a rugged single-slot Network Attached Storage (NAS) storage device. The small form factor SWaP-optimized DTS1 is designed to store and protect large amounts of data on military platforms that require the protection of sensitive DAR. The single-slot NAS device, which weighs only 4.0 lb. and measures only 1.5 x 5.0 x 6.5-inches and delivers up to 2 Terabytes of SSD storage. The DTS1 supports PXE protocol so that all network clients on a vehicle or aircraft can quickly boot from the encrypted files on the DTS1’s removable memory cartridge (RMC).

The DTS1 houses one RMC that provides quick off load of data. The RMC, which can store from 128 Gbytes to 2 Terabytes of data, can be easily removed from one base station DTS1 and installed into any other vehicle-mounted DTS1, providing seamless full data transfer between one or more networks in separate locations while Suite B encryption protects the data. It also supports a packet capture software (PCAP) option. This Ethernet recording capability allows DTS1 users to record all Ethernet packets flowing over a platform’s LAN during the course of a mission. This enables the system to record network traffic for later analysis. The DTS1 also supports iSCSI protocol so that network clients can store, share, and retrieve block data. An RMC is small enough to fit in a shirt or flight-suit pocket and yet rugged enough for transport. Error correction, wear-leveling, and bad block management are performed to ensure data integrity.

Secure Operating Systems

Another important trend is the teaming of embedded computing vendors with secure embedded operating system suppliers. In an example along those lines, earlier this year Extreme Engineering Solutions (X-ES) announced an NXP QorIQ T2081 processor- based board solution, the XPedite6101, with a certification-ready multi-core operating system environment, Wind River VxWorks 653 3.0 Multi-core Edition platform (Figure 2). In addition to being fully ARINC 653-compliant, this solution is integrated with Wind River’s Information Assurance Framework (IAF) to support secure booting for applications requiring enhanced levels of security.

Figure 2. The XPedite6101 board supports Wind River VxWorks 653 3.0 Multi-core Edition platform enabling secure booting for applications requiring enhanced levels of security.

The Wind River VxWorks 653 platform lets users independently develop and deploy multiple applications on a single multi-core hardware platform, supporting rigorous avionics safety standards. These supported standards include RTCA DO-178C for certifying compliance with the applicable airworthiness regulations for the software aspects of airborne systems and equipment, and ARINC 653 for space and time partitioning in safety-critical avionics real-time operating systems (RTOS). The enhanced security of this solution is derived from the integration of Wind River’s IAF. The IAF utilizes the PowerPC/NXP Trust Architecture, known as the QorIQ Platform Trust Architecture, to enable secure boot, including a built-in security engine that can hide a One Time Programmable Master Key (OTPMK) in a write-only register. This security engine is ideal for performing cryptographic offload of hashing, encryption, and decryption.

Hypervisor Virtualization

Along similar lines Curtiss-Wright’s Defense Solutions announced support for the LynxSecure separation kernel hypervisor, a real-time secure virtualization platform capable of leveraging multi-core CPU hardware virtualization features on Curtiss-Wright’s SBC and Parvus DuraCOR small form factor processor product families. The expanded collaboration between Curtiss-Wright and Lynx Software Technologies enables customers to deploy Curtiss-Wright hardware with LynxSecure hypervisor technology to satisfy high assurance computing requirements on in support of the NIST, NSA Common Criteria, and NERC CIP evaluation processes used to regulate military and industrial computing environments. The first Curtiss-Wright products pre-validated for LynxSecure support are the rugged DuraCOR 80-41 tactical mission computer subsystem and the VPX3-1257 3U OpenVPX SBC, both based on quad-core, Intel Core i7 processors.

Curtiss-Wright and Lynx Software Technologies anticipate availability of additional pre-validated SBCs and subsystems in the near future. The use of LynxSecure on these hardware platforms speeds and eases the deployment of robust secure compute solutions, such as those requiring security capabilities for Red/Black separation and a Cross Domain Guard in embedded network edge applications.

Red/Black Domain Security

For its part, General Micro Systems likewise provides cross domain (Red/Black) security technology in some of its systems. Among those is its S1U-MD, a 1U rackmount, multi-domain server and managed Ethernet switch/router based on the Intel Xeon D server CPU. According to GMS, the S1U-MD boasts 12x the performance of traditional blade-servers, but in one-twelfth the size of traditional systems.

Isolating Red and Black domains to ensure security or designing for redundancy is normally accomplished with one full-depth box for each Red and Black domain: 1) two physically separate servers, 2) two separate Ethernet multi-port switches; and 3) two separate routers. The engineering breakthrough with the S1U-MD was putting this capability into a single, 1U high and 17-inch deep (Short Rack) server blade (Figure 3). S1U-MD takes one-twelfth the rack space of a competing multi-domain solution. The S1U-MD has six network functions in one, making it well suited for the Navy’s evolution of secure Navy Marine Corps Intranet (NMCI) and Base Level Information Infrastructure (BLII) networks worldwide. S1U-MD targets all rugged rackmount installations, from ships and ground vehicles, to mobile command posts, mission command centers, first responders and airborne C4ISR platforms.

Figure 3. Red and Black security domains domain are typically designed two physically separate servers. The S1U-MD integrates them securely into a single, 1U high and 17-inch deep (Short Rack) server blade.

Cryptography for Embedded Computing

While embedded system technologies and Information Technology (IT) have traditionally operated in separate sphere, in today’s networked, connected world, those disciplines are intersecting more and more—and security is among those overlapping points. Certainly, a lot of Information Assurance and Cryptography technology is focused on IT Enterprise kinds of systems. The Trusted Platform Module (TPM) is a good example of an IT Commercial and Enterprise technology that is becoming popular as a way to solve complex authentication and key management issues in military applications. Military applications using existing Enterprise IT technologies will differ slightly in implementation; however, well-vetted and universally available technologies can significantly speed up product development for military applications. Systems engineers have to be aware of those technologies if they help bring a security product to the defense market faster.

Exemplifying those trends is Trenton Systems’ TCS2504. The Trenton Cryptographic System TCS2504 is an IBM approved x86 architecture 2U, 19-inch rackmount server featuring a dual-processor system host board, butterfly form-factor PCIe backplane and the IBM 4767-002 PCIe Cryptographic Coprocessor (Hardware Security Module (HSM)) (Figure 4). The server chassis is made of lightweight, rugged aluminum, allowing for SWaP considerations in server room or rugged field deployments. The IBM 4767-002 PCIe Cryptographic Coprocessor (HSM) is a high-end, secure coprocessor implemented on a PCIe card with a multi-chip embedded module. It is a foundation for secure applications such as high-assurance digital signature generation or financial transaction processing, utilizing the IBM Common Cryptographic Architecture (CCA) API and security architecture, as well as custom software options.

Figure 4. The TCS2504 is a 2U, 19-inch rackmount server featuring a dual-processor system host board, butterfly form-factor PCIe backplane and the IBM 4767-002 PCIe Cryptographic Coprocessor HSM.

The IBM 4767 Hardware Security Module (HSM) has been designed to meet the FIPS 140-2 Level 4 requirements by protecting against attacks that include probe penetration or other intrusion into the secure module, side-channel attacks, power manipulation and temperature manipulation. From the time of manufacture, the hardware is self-protecting by using tamper sensors to detect probing or drilling attempts. If the tamper sensors are triggered, the 4767 HSM destroys critical keys and certificates, and is rendered permanently inoperable.

FPGA-Level Cryptography

Cryptography at the chip level was once primary the domain of custom, proprietary solutions. Bucking that trend, Microsemi and The Athena Group last month announced Athena’s TeraFire cryptographic microprocessor is included in Microsemi’s new PolarFire field programmable gate array (FPGA) “S class” family members. As the most advanced cryptographic technology offered in any FPGA, the TeraFire hard core provides Microsemi customers access to advanced security capabilities with high performance and low power consumption.

Athena’s highly secure TeraFire cryptographic microprocessor technology addresses these requirements, offering a comprehensive selection of the most commonly used cryptographic algorithms, including all those allowed for military/government use by the U.S. National Institute of Standards and Technology’s (NIST’s) Suite B, up to the top-secret level, as well as those recommended in the U.S. Commercial National Security Algorithm (CNSA) Suite. The TeraFire cryptographic microprocessor also supports additional algorithms and key sizes commonly used in commercial Internet communications protocols such as TLS, IPSec, MACSec and KeySec. The core has been leveraged in both application-specific integrated circuit (ASIC) and FPGA implementations since its introduction eight years ago, and the inclusion of differential power analysis (DPA) countermeasures in the PolarFire FPGA core is designed to increase its popularity with both defense and commercial customers.

Curtiss-Wright Defense Solutions
Ashburn, VA
(703) 779-7800

Extreme Engineering Solutions
Middleton, WI
(608) 833-1155

General Micro Systems
Rancho Cucamonga, CA
(909) 980-4863

Lynx Software Technologies
San José, CA
(408) 979-3900

Mercury Systems
Chelmsford, MA
(978) 967-1401

Aliso Viejo CA
(949) 380-6100

Trenton Systems
Gainesville, GA
(770) 287-3100

Wind River
Alameda, CA
(510) 748-4100