Presentation's title. Dominique Bolignano, CEO, Prove & Run (dominique.bolignano@provenrun.com), 3rd April 2017. B03 - In-vehicle technology enabler


Page 1: Title slide

Presentation's title
Dominique Bolignano, CEO, Prove & Run
dominique.bolignano@provenrun.com
3rd April 2017
B03 - In-vehicle technology enabler

Page 2: Introducing myself and Prove & Run

• Dominique Bolignano, previously Founder & CEO of Trusted Logic
• Trusted Logic is now Gemalto, Trustonic and Trusted Labs
• First EAL7 JavaCard OS
• Introduced the TEE (now a worldwide standard for mobile security with Android/Trusty and iOS/Secure Enclave)

Unique Selling Proposition: ProvenCore and ProvenVisor are secured by design:
• Security properties are formally proven down to code generation, to be as close as possible to “zero bug” and ensure the highest resistance to hackers
• Certification at the highest assurance level

Company Status:
• Starting field deployment of first devices
• Engaged in design-in discussions with reference customers in the Automotive, Railways, Avionics, Energy and Mobile sectors

Page 3: Prove & Run Value Proposition

We provide cost effective off-the-shelf software solutions that dramatically improve the level of security of your Connected Systems/Devices so as to protect them against remote cyber-attacks.

Page 4: (untitled slide listing real-world incidents)

• StingRay MITM attacks
• Attacks on Ukrainian power stations
• StuxNet
• Jeep hack
• D-Link charged by FTC
• Mirai

Page 5: Security is as strong as its weakest link

• Toolbox:
  • State of the art security methodology (security analysis, …)
    • Identification phase vs
    • Exploitation phase
  • Root of trust, secure elements, crypto processors and libraries
  • TEE / Secure OS
  • Hypervisors

Callouts on the slide: “Need for a TEE”, “Need for an extremely resistant TEE”, “Need for a resistant hypervisor”.

Page 6: TrustZone ARM Cortex A – High Level Principles

[Diagram: Normal World and Secure World on an ARM Cortex-A core with TrustZone. Normal World: User Mode running User Applications, Kernel Mode running a Rich OS (Linux, Windows ..), and a Hypervisor Mode. Secure World: User Mode running Security Applications, Kernel Mode running ProvenCore. The TrustZone(TM) Monitor (Monitor Code) sits between the two worlds. I/O devices can be configured to be controlled by the Secure World. Callout: “Formal proof needed”.]

Page 7: Secure Boot - Secure Firmware Update

[Diagram: ARM Cortex A (with TrustZone) split into Normal World and Secure World; the Secure World runs the Formally Proven Operating System (ProvenCore), which talks to an Update Server. Callout: “Guaranteed security for the firmware update process”.]

Page 8: Secure Boot - Secure Firmware Update

[Diagram: same as page 7 (ARM Cortex A with TrustZone, Normal World / Secure World, Formally Proven Operating System (ProvenCore), Update Server). Callout: “Autonomous firmware update process”.]

Page 9: IDS - IPS - Remote maintenance, Remote inspection, …

[Diagram: an Internal Network connected through the Formally Proven Operating System (ProvenCore) to an IoT Service.]

Page 10: Filtering

[Diagram: an Internal Network connected through the Formally Proven Operating System (ProvenCore) to an IoT Service. Packet layout: outer Ether | IP | TCP headers carry an encrypted and signed payload containing the inner IP | TCP | Data.]

Page 11: Backup Slides

Page 12: Addressing the Cybersecurity Challenge

“Motor Vehicles Increasingly Vulnerable to Remote Exploits”, title of the FBI’s Public Service Announcement, March 2016

• After a decade of evolution, mobile security architectures have converged towards a security architecture based on three pillars:
  • Secure elements or hardware coprocessors for the Root of Trust, cryptography, and transactions
  • TEE (Trusted Execution Environments)/Secure OS
  • Hardware or Software Hypervisors
• The last two need to be significantly reinforced for connected cars (TCU, Infotainment, …), and more generally for the Internet of Things.

Page 13: What is the security challenge?

• The most challenging issue is with logical attacks on the complex part of the software
  • Hackers will exploit errors (bugs, configuration or specification errors, …)
  • New errors are reported by the thousands every year in all OSes (e.g. NIST)
  • OSes such as Android, Linux, large RTOSes, … cannot be directly secured. They need to be sandboxed in some way.
• Security by Design is a must. It can easily be achieved by using a Formally Proven Kernel such as ProvenCore for:
  • Protecting the entry points (i.e. the TCU, the Infotainment system)
  • Providing secure execution environment(s) for security critical applications (FOTA, Firewall, Logging Events, Intrusion Detection, etc.)
  • Controlling accesses to peripherals

Page 14: Addressing the Cybersecurity Challenge

[Chart: Hackers Budget (Attack Identification Cost), scale $1M to $10M, plotted against Security Budget (per vehicle), scale $10 to $100. Without Any Formally Verified OS Kernel, the plane is split into a “Protected” region and an “Exposed to Attacks” region.]

Page 15: Addressing the Cybersecurity Challenge

[Chart: same axes as page 14 (Hackers Budget $1M to $10M against Security Budget per vehicle $10 to $100). With At Least One Verified OS Kernel, both regions are labelled “Protected”. Callout: “Effect of using a formally proven kernel”.]

Pages 16-18: TrustZone ARM Cortex A – High Level Principles

[Diagram, built up over three slides: Normal World and Secure World separated by the TrustZone(TM) Monitor (Monitor Mode); I/O devices can be configured to be controlled by the Secure World. Page 17 adds the privilege levels (Hypervisor Mode, Kernel Mode and User Mode in the Normal World; Kernel Mode and User Mode in the Secure World). Page 18 adds the Rich OS (Linux, Windows ..) in Normal World Kernel Mode and User Applications in Normal World User Mode.]

Page 19: Securing Communication with a VPN

[Diagram: a Thing running an Operating System (e.g., Linux) with an Ethernet Driver, a TCP/IP stack, TLS and OpenVPN, communicating with an IoT Service. Packet layout: outer Ether | IP | TCP headers carry an encrypted and signed payload containing the inner IP | TCP | Data.]

Page 20: Securing Communication with a VPN

[Diagram: a Thing running an Operating System (e.g., Linux) communicating with an IoT Service. Packet layout: outer Ether | IP | TCP headers carry an encrypted and signed payload containing the inner IP | TCP | Data.]

Page 21: Protecting the VPN against hackers

[Diagram: an Internal Network connected through the Formally Proven Operating System (ProvenCore) to an IoT Service. Packet layout: outer Ether | IP | TCP headers carry an encrypted and signed payload containing the inner IP | TCP | Data.]

Page 22: Practical Integrated Architecture

[Diagram: a Cortex A (with TrustZone) hosting a Classical OS (e.g., Linux) in the Normal World and the Formally Proven Operating System (ProvenCore) in the Secure World, communicating with an IoT Service. Packet layout: outer Ether | IP | TCP headers carry an encrypted and signed payload containing the inner IP | TCP | Data.]