ProvenCore is a formally proven OS kernel designed to help secure embedded devices based on application processors such as gateways, infotainement units, communication and mobile devices, etc. ProvenCore provides security architects with an off-the-shelf certifiable foundation to build or reinforce the security architecture of their solution, whether for new or existing devices.

ProvenCore is available for ARM Cortex-A application processors. For Cortex-M microcontrollers, please inquire about our ProvenCore-M product.

Why Use ProvenCore

Embedded devices are increasingly facing cybersecurity issues originating from the lack of robustness of their software stacks, with hackers exploiting bugs and weaknesses, in particular of Operating Systems. On one hand, devices are more connected than ever, through a variety of communication links: deeply embedded devices are now just one hack away from the Internet. On the other hand, they are required to carry increasingly sensitive industrial operations, involving cyber-physical systems or dealing with confidential and/or personal data, performing payment transactions, creating or forwarding valuable data while safekeeping their authenticity, etc. At the same time, time-to-market and cost pressures are unyielding, and designers need to use feature-rich OSs (Linux, Android, Windows, etc) that cannot be trusted and secured as such.

Prove & Run addresses these challenges with ProvenCore. ProvenCore is formally proven for security – down to the generated code. Applications running on ProvenCore are securely isolated from each other, from the applications running elsewhere on the same device and from the outside world. Therefore ProvenCore can be used to build an in-depth defense system for your device and to bring the level of resistance against attacks at an unmatched level. It is designed to integrate easily into new and existing devices and to provide a flexible and certifiable secure execution area for security sensitive applications. By bringing strong foundations, ProvenCore simplify the construction, maintenance and certification of secure embedded systems.

Use Cases

ProvenCore - UC1
Thanks to the TrustZone™ security feature provided by ARM microprocessors, ProvenCore can run alongside an existing OS, transparently
ProvenCore - UC2
ProvenCore is also compatible with hypervisors designed for the ARM Cortex-A family

ProvenCore is perfectly suited to create a “security perimeter”, transparently around any unsecured Rich OS. A few examples of potential applications running on ProvenCore:

  • VPN Client: Forcing applications to communicate with remote servers only through a secure VPN using specific certificates and options,
  • FIDO Client: Authenticating users using credentials never disclosed to the existing OS,
  • Application Firewall: Filtering high-level commands and responses between two applications or between an application and a remote server,
  • Secure Container: Isolating third-party drivers that cannot be fully trusted,
  • Over-the-Air Firmware Update: Remotely updating the firmware of the Rich OSs.

ProvenCore At a Glance

  • Robust high security microkernel architecture which enforces proven isolation (integrity and confidentiality) between processes, both on code and on data
  • Compatible with ARM application processors such as the Cortex-A family
  • POSIX-Conformant API makes porting or developing applications easy
  • Preemptive, deterministic, multitasking scheduler
  • Allows for time and cost controlled security certification processes even at the highest security levels, with easy maintenance
  • Available under flexible licensing terms

Formally Proven Security

ProvenCore uses a microkernel architecture implemented using formally proven code to get as close as possible to zero-defects, to guarantee the security properties and to ease the path to any required certifications. This architecture and these formal proofs insure the sustainability of the maintenance process of systems based on ProvenCore.

Most existing OS kernels (Linux, Windows, etc) rely on a monolithic architecture where every component of the kernel executes in “privileged mode”: the scheduler, the memory manager but also all the drivers for the peripherals. Such kernels are therefore quite large, from dozens of thousand lines of codes to millions. Any security bug in one of these components completely comprises the kernel. ProvenCore uses a microkernel architecture, where the software components executing in privileged mode are as small as possible (usually less than ten thousand lines), and additional components such as device drivers execute as conventional processes. A security issue in one of these components cannot propagate itself to the other components.

ProvenCore has been completely modeled in Smart and proven using ProvenTools, Prove & Run’s formal software development toolchain. This means that it is mathematically proven that processes running on ProvenCore will always retain their integrity (no other process can tamper with their internal data) and confidentiality (no other process can read their internal data). A misbehaving or malicious process has no practical way to modify a running process or to practically spy on another process.

Professional Services

In addition to ready-made security COTS such as ProvenCore, ProvenCore-M and ProvenVisor, Prove & Run offers a range of professional services to:

  • Help our customers design/build/develop secure software and/or integrate our COTS,
  • Help our customers secure their existing architectures:
    • Performing security analyses
    • Revamping existing architectures for security with ad-hoc solutions: Secure Boot, secure Over-the-Air firmware update, firewalling, intrusion detection/protection solutions, authentication, secure storage, etc…
Print Print