By Richard Grisenthwaite SVP, Chief Architect & Fellow, Arm
As Matt Griffin wrote in the previous chapter, we face serious threats, but we can manage the risks as long as we put as much effort into strengthening security as we put into areas such as performance and AI.
In the first Arm Security Manifesto four years ago, I wrote about the collective efforts of hardware and software developers to break the cycle of attack-and-repair. I described an architectural direction for improving code security that included defense-in-depth techniques and compartmentalization at the silicon level.
Concurrently, we continued our relentless push to improve secure-by-design by collaborating with the Arm ecosystem through programs such as PSA Certified and SystemReady, which collectively help the ecosystem apply security-enabling industry best practices. PSA Certified was cofounded by Arm in 2017 to provide a security framework for the IoT sector. Back then, it was a vision to change the way embedded security was being deployed, but today it’s a successful reality in which the ecosystem has revolutionized the way we approach security, centered around the Root of Trust (RoT). In fact, today we have over 70 PSA Certified products across the world. The effort is backed by the majority of world-leading semiconductor companies, OEMs, and ODMs, and is even recommended by governments, insurers, and many more industry leaders.
Over these last few years, our work on security has accelerated and intensified, inside Arm and in partnership with the ecosystem. In this manifesto, I will delve into new innovations we’re working on which will continue to enable a more secure-by-design process, including technologies announced recently during the Armv9 architecture launch that focused on Confidential Computing and memory vulnerabilities.
Confidential Computing
We think we’ll soon see 100 percent of all shared digital data securely processed on an Arm-based device at some point in its life; either on an endpoint device, in the data networks or in the cloud – or across all three. This is an important fact as it brings the opportunity to standardize an approach to security.
The collection point for data today can be almost anywhere, either through the sensing performed by ultra-low-power IoT devices based on Arm Cortex M-profile processors or from the Arm-based smartphones that almost all of us carry around with us all of the time. Perhaps the origin point sits deep within the data networks themselves, or in the cloud, or maybe even inside one of the world’s most powerful Arm-based supercomputers.
We don’t have to look too far into the future to see computing as a distributed utility where sessions can be run on the most appropriate platform at that time. In this environment, the ability to trust the computing infrastructure and the system is a crucial element in ensuring people feel confident about the security and privacy of their information. This data infrastructure is now arguably the most important stronghold we have to defend, as it’s one of the most attractive targets for cybercriminals intent on stealing our data.
Companies use various methods to secure data against cybercriminals. (Source: Pulse/Arm Survey, 2021)
Enter Confidential Computing, the end-to-end protection of data in use, at-rest and in-motion. The key is performing computation in hardware-based secure environments that shield portions of code and data from access or modification, even from privileged software.
Today, the traditional model of computing places a huge amount of trust in the operating systems and hypervisors that the applications are run on. Confidential Computing removes the assumption that the privileged software, which is responsible for running the computing system, needs to be able to see or manipulate the data of those running sessions. That removal will make it far easier to trust the computing infrastructure.
The Arm Confidential Compute Architecture (Arm CCA) introduces the concept of dynamically created Realms, useable by ordinary programs, in a separate computation world from either the non-secure or secure worlds that we have today in TrustZone. Realms use a small amount of trusted and attestable management software that is inherently separated from the operating system and hypervisor.
From the Arm-Pulse Survey on the Future of Security Technology (2021)
For example, because ordinary programs use Realms, a driver’s ride-sharing application downloaded from a standard app store and installed on a personal device could dynamically create a Realm to hold and work with our secrets in a world away from the operating system and hypervisor. This ensures the protection of an employer’s data even if the operating system of an employee device is compromised.
By preventing the theft of commercially valuable algorithms and data, and ensuring that mission-critical supervisory controls needed by the employer cannot be subverted, it’s no longer necessary for drivers (or couriers) to be provided with dedicated corporate devices.
Similarly, over the past year, the pandemic has increased the use of technology to record and manage personal health data, and it is hard to imagine information that needs to be better safeguarded. While the security of current systems is very good, Realms will make it possible for such personal health information to be safeguarded from end to end. This will give much more security to this data, even if the operating systems of the computers holding this information have been subverted.
Realms allow ordinary programs, when necessary, to function in a separate computation world from either the non-secure or secure worlds.
Memory issues
In analyzing the large number of security issues that get reported in the world’s software, a depressing reality is that many relate to the same old memory safety issues that have plagued computing for the past 50 years.
Two particularly common memory-safety problems – buffer overflow and use-after-free – have been incredibly persistent, and a huge part of the problem is that they frequently sit undetected in software for years before they are discovered and exploited. For example, Heartbleed was dormant in OpenSSL for a couple of years before it was found.
Uncovering these memory-safety vulnerabilities before they can be exploited is a vital step in improving the security of the world’s software. For this reason, Arm collaborated with Google to develop a technology, called Memory Tagging Extensions (MTE) which can be used to find spatial and temporal memory safety issues in software. These extensions allow software to associate a pointer to memory with a tag, and to check the tag is correct on use of the pointer. If the access is out of range, or if the use of the memory has moved on, the tag check will fail, eliminating the sort of memory-safety issue that has been the cause of so many problems.
MTE is an integral part of the first-generation Armv9 CPUs available in the next year, and software support for MTE is being introduced as part of Android 11 and into OpenSUSE.
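To make the tag-checking idea above concrete, here is an added software model of MTE-style tagging (an illustration written for this page, not Arm’s implementation or Android’s allocator): memory is split into 16-byte granules that each carry a 4-bit tag, a pointer carries the same tag in address bits 59:56, and every access compares the two, so both a one-byte overflow and a use-after-free are caught. The heap, granule, function and tag-cycling names are assumptions of the model; real allocators choose tags randomly rather than sequentially, which is why a 4-bit tag gives probabilistic rather than guaranteed detection.

```c
#include <stddef.h>
#include <stdint.h>

/* Software model of MTE-style tagging (added illustration, not Arm's implementation):
 * 16-byte granules each carry a 4-bit tag; a pointer carries its tag in address bits 59:56. */
#define HEAP_SIZE 4096
#define GRANULE   16
static uint8_t heap[HEAP_SIZE];
static uint8_t granule_tag[HEAP_SIZE / GRANULE];
static size_t  heap_top = 0;
static uint8_t next_tag = 1;              /* tags cycle 1..15 here; real allocators randomise */
typedef uint64_t tptr;                    /* tagged pointer: heap offset plus tag byte */
static tptr    make_ptr(size_t off, uint8_t tag) { return ((uint64_t)tag << 56) | off; }
static uint8_t ptr_tag(tptr p) { return (uint8_t)((p >> 56) & 0xF); }
static size_t  ptr_off(tptr p) { return (size_t)(p & 0x00FFFFFFFFFFFFFFULL); }
static uint8_t fresh_tag(void) { uint8_t t = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1); return t; }
static void set_tags(size_t off, size_t n, uint8_t tag) {
    for (size_t g = off / GRANULE; g < (off + n + GRANULE - 1) / GRANULE; g++) granule_tag[g] = tag;
}

/* Allocate n bytes rounded up to whole granules; colour the granules and the pointer alike. */
tptr tag_malloc(size_t n) {
    size_t bytes = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (bytes == 0 || heap_top + bytes > HEAP_SIZE) return 0;
    uint8_t tag = fresh_tag();
    set_tags(heap_top, bytes, tag);
    heap_top += bytes;
    return make_ptr(heap_top - bytes, tag);
}
/* Free re-colours the granules, so a dangling copy of the old pointer stops matching. */
void tag_free(tptr p, size_t n) { set_tags(ptr_off(p), n, fresh_tag()); }
/* Tag check on every access: a mismatch is where real hardware raises a tag-check fault. */
static int tag_ok(tptr p) { size_t o = ptr_off(p); return o < HEAP_SIZE && granule_tag[o / GRANULE] == ptr_tag(p); }
int checked_load(tptr p, uint8_t *out) { if (!tag_ok(p)) return -1; *out = heap[ptr_off(p)]; return 0; }
int checked_store(tptr p, uint8_t v)   { if (!tag_ok(p)) return -1; heap[ptr_off(p)] = v; return 0; }

/* Spatial bug: one byte past a 32-byte buffer lands in the neighbour's differently tagged granule. */
int overflow_is_caught(void) {
    tptr a = tag_malloc(32); tptr b = tag_malloc(16);
    uint8_t v;
    return b != 0 && checked_load(a + 31, &v) == 0 && checked_load(a + 32, &v) != 0;
}
/* Temporal bug: a pointer kept after free no longer matches the re-tagged memory. */
int use_after_free_is_caught(void) {
    tptr p = tag_malloc(16); uint8_t v = 0;
    int live = checked_store(p, 42) == 0 && checked_load(p, &v) == 0 && v == 42;
    tag_free(p, 16);
    return live && checked_load(p, &v) != 0;
}
```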
Morello: Secure by design
While finding and fixing security vulnerabilities in existing code is a great step, it would be better if, at a more fundamental level, the hardware made it easier to encapsulate accessibility information with the data.
This approach, encompassed in the Morello Program, would provide a fundamentally more secure building block for software. To this end, Arm has been collaborating with Cambridge University on its CHERI architecture, a new approach to security that we are exploring within our research teams, which defines hardware capabilities that offer precisely this sort of encapsulation. The approach promises an inherently more secure computing platform, though it also involves some substantial changes in the way that some systems will have to be programmed. I’ve frequently been asked for ways to evaluate this technology for real industrial uses as it does seem to be extremely powerful.
Morello takes the concept of encapsulation further, promising inherently more secure computing platforms.
Fortunately, we’ve been given an opportunity by the UK government’s Industrial Strategy Challenge Fund to create an industrial scale prototype of this technology. This is a major UKRI program called Digital Security by Design, in which Arm is working with the Universities of Cambridge and Edinburgh, Linaro, Microsoft, Google, and others to explore a major architectural enhancement using capabilities as a new paradigm in computing security and robustness. The hardware demonstrator system, called Morello, is being finished at the moment within Arm, and the system should be available for all Morello partners to start working with around the end of 2021. This sort of fundamental shift in computer architecture takes a lot of time, but we have huge interest from within Arm’s partnership. If the Morello Program is successful, it will feed into the Arm architecture as a major component of Armv9-A toward the middle of this decade.
The technical foundation of the world’s most thriving technology ecosystem is the Arm architecture, which in essence defines the behavioral contract between the hardware, for which Arm is responsible, and the software that runs on it. All of the 200 billion Arm-based devices that have shipped over the past 30 years use the Arm architecture and so can run software from the Arm ecosystem. But the architecture is not a static thing: We keep on innovating and evolving it to meet the ever-changing needs of the computing world.
The powerful security enhancements we’ve introduced with Armv9 will not only ease the process of secure-by-design for our partners but they will form a new foundation for trusted end devices for users. Security is what keeps us up at night but it’s also what propels us forward to continually seek new ways to secure devices and systems for the benefit of society at large. We maintained that philosophy long before the first Arm Security Manifesto and have kept that focus and dedication ever since. We’ll continue to do so in the future. That’s our pledge to you.