Embedded Security - Building solid cybersecurity to stay ahead of the bad guys

Embedded devices are now clear and present targets for security breach.  From edge IoT devices, to cars and medical devices, and industrial infrastructure facilities, hackers have taken control of these devices for their own financial, destructive, or notorious end. And this trend will continue to increase in frequency and depth, challenging enterprises and developers deploying devices in emerging markets like IoT, SDN, and NFV. These markets make available new attack vectors and avenues to potentially exploit vulnerabilities. Nine months ago, one may not have imagined simple purposed but unsecure sensor endpoints could be exploited to participate in an organized DDOS attack. And this has now called for more industry and government compliance standards around cyber security that manufacturers will have to comply with. Thus shipping devices that can withstand cybersecurity attacks will be critical to your product's success and continued growth. The good news is there are several security features available to embedded developers to make their products highly secure.  And MontaVista can help you bring them to market.

Solution Overview

Solutions Overview

CGX Security Profile

MontaVista’s CGX Security Profile encompasses both reactive and proactive security features so embedded developers can stay ahead of emerging threats. Reactive approaches like CVE patching, secure live updates, auditing, and monitoring give you peace of mind your product stays resistant to emerging vulnerabilities. As important, proactive measures give developers more “weapons” to withstand attacks, even those that are new and not yet detected. MontaVista also offers the ability to securely isolate applications using Docker/Containers or KVM.

For IoT, key security initiatives are implementing a solid Root of Trust, identity management and authentication (using secure keys), and real-time monitoring for unauthorized applications (i.e. preventing Trojan Horses).  MontaVista’s CGX Security Profile implements security features to address these initiatives.  Developers can use TrustZone or Trust Platform Module (TPM) to implement Secure Boot, identity authentication, and secure key management.  TrustZone also offers the ability to create secure “sandboxes” using Trusted Execution Environments (TEE).

The benefit to our customers is they can seamlessly incorporate advanced and robust security prevention measures to withstand known and unknown attacks.  This helps reduce maintenance cost, increase product reliability, and build confidence in your reputation of being a secure product provider.

At a high level, CGX Security features are:

Proactive
  • Trust Platform Module (TPM) 1.2/2.0
  • Trustzone
  • SELinux
  • ASLR/kASLR
  • TPM Library (TrouSers)
  • Common Criteria EAL4+ Profile
  • Secure Boot
  • vTPM
  • Mutex W/E Pages (PaX)
  • Linux IME/EVM
  • Encryption (offload with hardware partners)

Reactive
  • Quarterly CVE updates
  • Samhain
  • Tripwire auditing
  • ASLR/kASLR
  • Auditd
  • Secure Update Manager

Implementing Security Easier

We understand the critical role an operating system plays in building a Root of Trust for Network Systems, IoT Edge Computing, NFV, and other emerging markets. Our intent is to provide our customers security technology they can incorporate effortlessly. We integrate the above security packages and test them. In addition, we provide example uses case (i.e. for Secure Boot, IME, etc.) to get you started. MontaVista Professional Services can be leveraged in addition to address the exact security measures you wish to deploy.

MontaVista uses the following specifications as guides to determine the best technology and practices to include in our CGX platform:

Security Technology Implementation Guide (STIG) UNIX version 5.0 r1
Common Criteria Operation System Protection Profile (OSPP) version 2.0

We proactively monitor emerging CVEs. Moreover, we pay for membership into groups that provide early warnings of CVE’s before they go public. When a priority CVE hits (like Heartbleed or BASH), we provide an immediate fix after the vulnerability embargo is lifted.  The benefit to our customers is they are covered quickly to avoid any high priority security attacks.

Related Products


Security Resource Center


CGE7 Data Sheet
CGE7 Datasheet
CGX Datasheet
CGX
Security Whitepaper
CGX