The ARM mbed uVisor is the supervisory kernel at the lowest level of mbed OS. It creates isolated security domains on ARM Cortex-M3, M4 and M7 microcontrollers with a Memory Protection Unit (MPU). We call these security domains "boxes". Through judicious use of the uVisor to partition and isolate sensitive parts of the software stack, mbed OS provides a set of secure component boxes for your application. These can then provide trusted identities, secure firmware updates and internet services access, and protected encryption keys, defending your applications against exploits, attacks and malware.
For the latest information on uVisor please visit the GitHub repository.
It’s obvious that security-critical functions like SSL libraries need thorough vetting. It is less obvious that the same level of attention is needed for all other components in the system if we’re to prevent a bug in a single system component compromising all others. And even our attention may not be enough; because of the huge amount of code involved in maintaining WiFi connections or enabling ZigBee or BLE communication, the resulting attack surface is almost impossible to verify and therefore compromises device security – especially as important parts of the stack are often available only in binary format.
To make things even harder, a common class of security flaws – the execution of arbitrary code by an attacker – can make remote recovery impossible. The attacker can run code on the target device that infects updates, making the malware resident. Even a hardware-enforced root of trust and a secure boot loader will not fix that problem: the resident malware can run safely from RAM and block reset commands or flash erasing as part of a denial-of-service attack.
The same is true for extraction of security keys by an attacker; it is impossible to rotate security keys safely, as an attacker running their code on the device will see key updates in real time and as plain text.
The solution: hardware-enforced IoT security
To fix this situation, we need to reduce the attack surface as much as we can by using uVisor to shield critical peripherals from most of the code base. The design philosophy of uVisor is to provide hardware-enforced compartments (sandboxes) for individual code blocks by limiting access to memories and peripherals using the existing hardware security features of the Cortex-M microcontrollers.
Breaking the conventional flat security model of microcontrollers into compartmentalized building blocks results in high security levels, as the reach of flaws or external attacks can be limited to less sensitive function blocks. Attackers can now compromise the untrusted side containing the application logic and communication stack without affecting security on the private side, which holds basic crypto functions and the actual keys. As the private side is now quarantined from attacks and hard to compromise, it can safely reason about the security state of the public side.
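The public/private split described above, as an added C model that is not uVisor code and does not use its API: a default-deny access check over per-box memory and peripheral regions. The box ids, addresses, ACL bits and the access_allowed function are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not uVisor's API: box ids, addresses and ACLs are assumptions. */
enum { BOX_PUBLIC, BOX_PRIVATE, BOX_COUNT };
#define ACL_R 1u
#define ACL_W 2u

struct region {
    uint32_t base, size;      /* constructed address range */
    uint8_t  acl[BOX_COUNT];  /* permissions granted to each box */
};

static const struct region regions[] = {
    { 0x20000000u, 0x4000u, { ACL_R | ACL_W, ACL_R | ACL_W } }, /* shared SRAM */
    { 0x20004000u, 0x0400u, { 0,             ACL_R | ACL_W } }, /* private SRAM: keys */
    { 0x40020000u, 0x1000u, { 0,             ACL_R | ACL_W } }, /* crypto peripheral */
};

/* Default deny: [addr, addr+len) must lie inside a single region that grants
 * every requested permission to the requesting box. */
bool access_allowed(unsigned box, uint32_t addr, uint32_t len, uint8_t want)
{
    if (box >= BOX_COUNT || len == 0)
        return false;
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        if (addr < r->base)
            continue;
        uint32_t off = addr - r->base;
        /* Compare against the remaining size so addr + len cannot wrap. */
        if (off >= r->size || len > r->size - off)
            continue;
        return (r->acl[box] & want) == want;
    }
    return false; /* unmapped or region-straddling access */
}

int main(void)
{
    printf("public reads key:   %d\n", access_allowed(BOX_PUBLIC, 0x20004000u, 16, ACL_R));
    printf("private reads key:  %d\n", access_allowed(BOX_PRIVATE, 0x20004000u, 16, ACL_R));
    printf("public straddles:   %d\n", access_allowed(BOX_PUBLIC, 0x20003FF8u, 16, ACL_R));
    return 0;
}
```

The model rejects any access that crosses a region boundary, so a read that starts in shared SRAM cannot run on into the key region.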
The uVisor code and documentation are available on GitHub.