Embedding Security into Embedded Systems

Anand Raghunathan
NEC Labs

Monday, February 11, 2008 at 1:00PM

54-134 Engineering IV Building
Refreshments Served

Abstract: Our experiences with personal computers and the Internet have clearly identified information security as a paramount challenge. There is increasing consensus that embedded systems represent the next frontier in the information security battle. They are used pervasively in our lives, and often contain sensitive personal data such as our identity and purchasing power, in addition to performing several safety-critical functions (examples include mobile phones, MP3 players, automotive electronics, avionics, medical appliances, sensors, and RFID tags). They are increasingly powered by complex software that inevitably will contain vulnerabilities, and are networked, making them remotely accessible - the very risk factors that made their general-purpose brethren the targets of numerous successful attacks. Furthermore, they often have unique usage models and constraints, introducing new threats or rendering conventional solutions inapplicable. Embedded system security concerns, unless adequately addressed, can impede the adoption and usage of many electronic products, applications, and services. Several technologies have been developed to address information security (cryptography, secure communication protocols, anti-virus tools, firewalls, intrusion detection, and so on), which can be adapted to embedded systems. These are "functional" security measures, since they usually specify functions that must be added to the system without any consideration of how they are embodied in hardware or software. While useful, functional measures are hardly sufficient to ensure secure embedded systems in practice. For example, most real attacks on cryptographic systems do not directly take on the theoretical strength of cryptographic algorithms; instead, they target weaknesses in the system's "implementation". An equally important concern is that it is often not feasible to use conventional security solutions due to extreme resource, power, and cost constraints in many embedded systems.

In this talk, I will introduce embedded system security challenges, and argue that effective security solutions can be realized only if they are built-in at various stages of the design process (architecture, HW design, and SW development). The objectives of secure embedded system design will be defined, from the designer's perspective, as addressing "gaps" such as (i) the assurance gap, which refers to the gap between functional security measures and truly secure implementations, (ii) the security processing gap, which arises due to the processing requirements of the additional computations that must be performed for security, and (iii) the battery gap, which is a consequence of the energy consumed in security-related functions. I will provide an overview of our research in this area, covering both embedded system architectures that address these gaps and methodologies that assist in their design. I will use mobile appliances (mobile phones, PDAs) to illustrate secure embedded system design challenges, and describe MOSES, a security platform that we have developed and deployed in NEC's next-generation mobile phones.

Biography: : Dr. Anand Raghunathan is a Senior Researcher at NEC Laboratories America, Princeton, NJ, where he leads research efforts on advanced system-on-chip and embedded system architectures and design methodologies. He also holds a visiting position at Princeton University's Department of Electrical Engineering. His recent work has focused on exploring security as a concern in embedded system and system-on-chip design, including the development of MOSES, a security solution for next-generation mobile appliances. He has also worked on various aspects of SoC and embedded system design methodologies, including tools for power analysis and reduction, and on-chip communication architectures. Dr. Raghunathan has authored a book, six book chapters, over 150 conference and journal papers, and 23 U.S patents, and has presented several invited talks and conference tutorials in these areas. He has received six best paper awards at leading IEEE and ACM conferences, NEC's Patent of the Year and Technology Commercialization awards, and IEEE's meritorious service award. He was selected by MIT Technology Review among the "TR35" top young innovators in 2006 for his work on mobile appliance security. He has served as Program and General Co-Chair for the International Symposium on Low Power Electronics & Design, Program Co-Chair for the VLSI Test Symposium, and member of the Program and Organizing Committees of several IEEE and ACM conferences. He has served on the Editorial Board of the IEEE Transactions on CAD, IEEE Transactions on Mobile Computing, IEEE Transactions on VLSI, IEEE Design & Test of Computers, and the Journal of Low Power Electronics. Dr. Raghunathan received M.A. and Ph.D. degrees from Princeton University, and a B.Tech. degree from the Indian Institute of Technology, Chennai. He is a Golden Core member of the IEEE Computer Society and a senior member of IEEE.