In the face of cyber attacks, why not change the way of thinking about security protection?

Update: December 6, 2021


Driven by the explosive growth of data, large-scale migration to the cloud and the full rollout of 5G networks, cyberattacks are becoming more rampant, and both their speed and their precision keep increasing. Data from several analyst and research firms confirm this: according to Accenture's report, in 2020, 40% of cyberattacks originated from supply chain issues; Gartner predicts that in 2022, 70% of companies that have not put a timely firmware upgrade plan in place to patch firmware vulnerabilities will be breached through those vulnerabilities.

In theory, no system can be protected from the threat of attack, and every system is at risk of being attacked. A traditional cybersecurity system may prevent many attacks, but when the attack targets the system firmware at the lowest level, traditional security measures can sometimes be powerless.

Through long practical experience, Lattice has arrived at a truly outstanding security solution: raise the level of the cybersecurity system by adding a cyber resiliency function that detects any ongoing firmware attack in real time and restores the system to a known state. At the core of all this is ensuring that no one except the owner of the encrypted firmware IP can access any of the encryption keys.

The difference between cybersecurity and cyber resilience

Generally speaking, cybersecurity refers to protecting networks, devices, applications and data from cyberattacks through technologies, processes and other practices; cyber resilience refers to the ability to keep delivering the intended outcome even when adverse cyber events (such as cyberattacks) occur, and it encompasses information security, business continuity and overall organizational resilience.

Simply put, the main difference between the two is how the system is handled once an attack has been detected. Although cybersecurity includes the concepts of threat detection and prevention, not all cybersecurity solutions let the system act on them in real time to mitigate the attack, resolve the security problems it caused and keep data flowing safely without interrupting the business. Real-time threat detection and recovery is the core of cyber resilience.

In 2020, Microsoft introduced the Pluton security processor, which builds on the Trusted Platform Module (TPM) concept. In Microsoft's words, "Pluton evolved from the trusted platform module that already exists in modern computers. The TPM stores security-related information for the operating system and implements functions similar to Windows Hello." With Pluton, Microsoft integrates the TPM function, previously a separate chip, into the CPU, which blocks attacks on the inter-chip bus interface between the CPU and a TPM placed separately on the motherboard.

As a cybersecurity solution, Pluton is undoubtedly very powerful, but it cannot protect the system during the boot process, before the operating system is loaded. In other words, the short window between the moment the motherboard components start executing their firmware, the operating system loading, and the cybersecurity measures becoming active has become an increasingly attractive attack path for cybercriminals. Therefore, to enhance the security of TPMs like Pluton, the system also needs a powerful, dynamic cyber resilience mechanism implemented on a hardware root of trust (HRoT).

For example, during hardware secure boot, each component on the motherboard is enabled only after its firmware has been verified as legitimate, and the HRoT performs the entire verification; in addition, the HRoT continuously monitors the non-volatile firmware of the protected CPU and responds to an attack within nanoseconds to prevent the firmware from being compromised. This ability to quickly restore normal operation without external assistance is the core of the system's cyber resilience mechanism.

As mentioned earlier, device firmware has become an increasingly popular attack vector: firmware in devices ranging from a manufacturer's routers to online security monitoring devices has already been compromised. To protect against firmware attacks, the National Institute of Standards and Technology (NIST) has therefore defined a standard security mechanism, NIST SP 800-193, known as Platform Firmware Resiliency (PFR). A PFR device can act as the system's hardware root of trust, supplementing an existing BMC/MCU/TPM-based design so that it fully complies with NIST SP 800-193, and thus provides a brand new approach to protecting enterprise server firmware, one that can fully prevent attacks on all of the server's firmware.

The requirements of NIST SP 800-193 for firmware protection across the whole hardware platform have three main parts: first, detection, the ability to detect that an attacker is tampering with the firmware; second, protection, for example when someone performs illegal read or write operations on the firmware, those actions must be blocked and reported to the upper-layer software so that it can issue a warning; third, recovery, so that even if the firmware is corrupted it can be restored, for example from a backup image. These three parts (protection, detection and recovery) are integrated and coordinated with each other, with the main purpose of protecting the firmware on the hardware platform.
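To make the three NIST SP 800-193 roles concrete, here is an added Python model of the boot-time verification and run-time monitoring described above (example code written for this page, not Lattice's or Sentry's implementation). It uses HMAC-SHA-384, one of the algorithms the page lists for Sentry 2.0, in place of the ECDSA signature check a real PFR device performs; the key, flash contents and component names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class FlashRegion:
    """One component's SPI flash: the active image plus a golden recovery copy."""
    name: str
    active: bytes
    recovery: bytes


@dataclass
class HardwareRootOfTrust:
    """Minimal PFR controller; the key (an assumption standing in for Sentry's key store) is readable only by the HRoT."""
    key: bytes
    events: list = field(default_factory=list)

    def tag(self, image: bytes) -> bytes:
        # Authentication tag the firmware owner computes at build time and ships with the image.
        return hmac.new(self.key, image, hashlib.sha384).digest()

    def authentic(self, image: bytes, tag: bytes) -> bool:
        # Constant-time comparison so a forged tag cannot be matched byte by byte.
        return hmac.compare_digest(self.tag(image), tag)

    def secure_boot(self, regions, tags) -> dict:
        """Protect and recover: a component leaves reset only once its active image
        authenticates; on failure the recovery copy is restored and re-checked first."""
        released = {}
        for r in regions:
            if not self.authentic(r.active, tags[r.name]):
                self.events.append(f"{r.name}: active image failed authentication, restoring recovery copy")
                r.active = r.recovery
            released[r.name] = self.authentic(r.active, tags[r.name])
        return released

    def monitor(self, regions, baseline) -> list:
        """Detect: re-measure each region at run time and report drift from its boot-time hash."""
        tampered = [r.name for r in regions if hashlib.sha384(r.active).digest() != baseline[r.name]]
        for name in tampered:
            self.events.append(f"{name}: run-time modification detected")
        return tampered


def demo():
    """Constructed scenario: one image corrupted before boot, another modified at run time."""
    hrot = HardwareRootOfTrust(key=b"constructed-owner-key-not-a-real-secret")
    bios, bmc = b"BIOS v1.0 image", b"BMC v1.0 image"
    tags = {"BIOS": hrot.tag(bios), "BMC": hrot.tag(bmc)}
    regions = [FlashRegion("BIOS", bios, bios), FlashRegion("BMC", bmc, bmc)]
    regions[1].active = b"BMC v1.0 image, unsigned edit"    # flash altered while powered off
    released = hrot.secure_boot(regions, tags)              # BMC restored from golden copy
    baseline = {r.name: hashlib.sha384(r.active).digest() for r in regions}
    regions[0].active = b"BIOS v1.0 image, unsigned edit"   # write to BIOS flash at run time
    return released, hrot.monitor(regions, baseline), hrot.events
```

Running `demo()` shows the BMC leaving reset only after its golden copy is restored, and the later BIOS write being flagged by the run-time measurement.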

Sentry Security System Control Solution

The Sentry solution is not just a hardware product; it comes with a matching set of tools, software and services. The latest version is Sentry 2.0.

As the figure above shows, the hardware platform underlying Sentry 2.0 is based on the MachXO3D and Mach-NX FPGAs, Lattice's control-oriented FPGAs that meet the NIST platform firmware resiliency standard. When used for system control functions, these devices are usually the "first on/last off" devices on the board. By combining security and system control functions, MachXO3D and Mach-NX become the first link in the system's chain of trust.

Unlike TPM/MCU solutions, whose control flow and timing are serial, the FPGA solution can monitor and protect multiple peripherals simultaneously, giving it stronger real-time performance. For detection and recovery, FPGA devices can perform active verification and can identify and respond faster in time-sensitive applications or when the damage is severe.

Above the hardware platform sits a set of pre-verified and tested IP cores, software tools, reference designs, demonstration examples and custom design services, which together form the complete Sentry solution. With their help, the development time of a PFR application can be shortened from 10 months to 6 weeks.

The core highlight of the Sentry 2.0 solution is its support for a next-generation hardware root of trust (HRoT) that complies with the NIST Platform Firmware Resiliency (PFR) specification (NIST SP 800-193) and with 384-bit cryptography. Its main features include:

• Stronger security: because many next-generation server platforms require 384-bit cryptography, the Sentry solution set supports the Mach-NX security control FPGA and a secure enclave IP module that provide 384-bit cryptography (ECC-256/384 and HMAC-SHA-384) to better prevent unauthorized access to the firmware Sentry protects.

• Pre-boot authentication 4 times faster: Sentry 2.0 supports faster ECDSA (40 ms), SHA (up to 70 Mbps) and QSPI (64 MHz) performance. These let Sentry 2.0 boot faster, minimize system downtime and reduce the risk of firmware attacks during startup.

• Real-time monitoring of up to five firmware images: to further extend the functionality of the PFR-compliant hardware root of trust based on Lattice Sentry, the solution can monitor up to five motherboard components in real time during boot and operation. By contrast, MCU-based security solutions lack the processing performance to monitor this many components accurately in real time.

At the same time, so that developers without any FPGA design experience can get started quickly, Sentry lets them drag and drop the verified IP modules into the Lattice Propel design environment and modify the supplied RISC-V/C reference code.

Concluding remarks

In the face of cyberattacks, the emerging mindset is shifting from "of course we can prevent attacks" to "when an attack happens, do we have a better way to manage it?" or "how can we become more adaptable to attacks?" Perhaps the answer lies in building a cyber resilience system, pragmatically, starting from the firmware level.
