Monday 13 February 2012

SECURITY REQUIREMENTS OF EMBEDDED SYSTEMS

Embedded systems often provide critical functions that could be sabotaged
by malicious entities. Before discussing the common security requirements
of embedded systems, it is important to note that there are many entities
involved in a typical embedded system design, manufacturing, and usage
chain. Security requirements vary depending on whose perspective we consider.

For example, let us consider a state-of-the-art cellular handset that is capable
of wireless voice, multimedia, and data communications. Figure 2 illustrates
security requirements from the viewpoint of the provider of HW/SW components
inside the cell phone (e.g., baseband processor, operating system), the
cell phone manufacturer, the cellular service provider, the application service
provider (e.g., mobile banking service), the content provider (e.g., music or
video), and the end user of the cell phone.

Fig. 2. Security requirements for a cell phone

Fig. 3. Common security requirements of embedded systems

The end user’s primary concerns may include the security of personal data
stored and communicated by the cell phone, while the content provider’s
primary concern may be copy protection of the multimedia content delivered to
the cell phone, and the cell phone manufacturer might additionally be concerned
with the secrecy of proprietary firmware that resides within the cell phone. For
each of these cases, the set of untrusted (potentially malicious) entities can also
vary. For example, from the perspective of the content provider, the end user of
the cell phone may be an untrusted entity. While this section outlines broad
security requirements typical of embedded systems, the security model for each
embedded system will dictate the combination of requirements that apply.

Figure 3 lists the typical security requirements seen across a wide range of
embedded systems, which are described as follows:

1. User identification refers to the process of validating users before allowing them to use the system.
2. Secure network access provides a network connection or service access only if the device is authorized.
3. Secure communications functions include authenticating communicating peers, ensuring confidentiality and integrity of communicated data, preventing repudiation of a communication transaction, and protecting the identity of communicating entities.
4. Secure storage mandates confidentiality and integrity of sensitive information stored in the system.
5. Content security enforces the usage restrictions of the digital content stored or accessed by the system.
6. Availability ensures that the system can perform its intended function and service legitimate users at all times, without being disrupted by denial-of-service attacks.

1 comment:

  1. Great! I was unaware of all these security techniques. From this article I became familiar with so many new and useful security applications which are used these days. Thanks for providing this detail.