Secure Firewall

Prove & Run’s Secure Firewall Solution is a set of software components designed to securely filter communications coming in and out of a connected embedded device. It is pre-integrated with a number of SoCs and boards and is available directly from Prove & Run.

The Need for Firewalling

Connected devices are islands floating in an unpredictable sea of connectivity:

  • A connected device hosts one or more applications, all of them constantly exchanging data with applications running on other devices.
  • Applications running on a device are constantly added, removed, modified and updated.
  • Devices are constantly added or removed from the network, as well as updated and modified.
  • In a real network the whole configuration is never controlled by a single entity.
  • Complexity brings risks, and risks eventually turn into successful attacks.

Connected devices are exposed to hackers but must still communicate with peers:

  • Applications must be able to receive messages from the outside, but today everything is reachable from the Internet, so attackers will try to break in through these applications. Applications can perform their own filtering and validation, but it is impossible to ensure that every application developer performs this task correctly and consistently.
  • Applications must be able to send messages to the outside, but not every kind of message to every device in the network. However, there is no way to check that application developers actually implement only what they are supposed to implement.

Even devices that carry little value can present an important security risk if they can be used as stepping-stones toward larger attacks. Therefore firewalls help to secure connected devices and networks as they:

  • Filter incoming and outgoing communications between a device and a peer (another device or a server).
  • Operate at the OS level to capture all exchanges.
  • Enforce formal security policies to dictate “Who can communicate with What and How”.

A firewall per device helps to secure the whole network as it provides defense-in-depth. Successful attacks always exploit chains of vulnerabilities: firewalls block whole families of attacks and help to break this chain.

Limitations of Traditional Device-level Firewalls

Firewalls can only be trusted if they are themselves protected from attacks: if an application can modify the operating system or its configuration, the application can easily disable the firewall. Furthermore, when a successful attack is detected, the compromised device cannot be recovered, as it is impossible to trust any application running on the device. In summary, device-level firewalls must be protected from attacks performed by local applications.

The Secure Firewall Solution

Prove & Run’s Secure Firewall (SFW) Solution offers a pre-integrated solution to these concerns, focused on one crucial goal: filtering TCP/IP communications in and out of your device. The SFW Solution:

  • Comes pre-integrated with specific SoCs and boards,
  • Requires almost no modifications to the OS of a device,
  • Is easily adaptable to the requirements and architecture of each device and network,
  • Is cheaper than building your own: requirements for the core part are similar across markets, so there is little value in building a specific firewall for each new device,
  • Is backed by Prove & Run’s years of expertise in the area of security architectures for embedded devices,
  • Includes a top quality Secure Boot implementation based on available hardware security features to offer a consistent and high quality root of trust.

Architecture

[Figure: Secure Firewall architecture]

The SFW Solution is composed of two software bricks: the SFW Proxy and the Secure Firewall.

SFW Proxy
  • Functional role: Transmits IP packets back and forth between the OS and the Secure Firewall
  • Security role: None
  • Executes: As a driver of the OS
  • Provided as: A Linux reference implementation with C source code, for ease of adaptation to specific operating systems

Secure Firewall
  • Functional role: Filters IP packets based on target, origin, state and format
  • Security role: According to its configuration:
      • Restricts incoming IP packets to specific originating addresses, ports and protocols
      • Restricts outgoing IP packets to specific target addresses, ports and protocols
  • Executes: On its own in a secure processing area managed by TrustZone®, protected by a Secure Boot anchored using available hardware features
  • Provided as: A binary pre-integrated with specific SoCs and boards
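To make the filtering described above concrete, here is an added example of a default-deny IP filter of the same shape: it rejects malformed datagrams (format), matches an allow-list keyed by direction, protocol, peer address and port (origin/target), and keeps a small flow table so that replies to permitted outbound traffic are let back in (state). This is illustrative code written for this page, not Prove & Run's Secure Firewall, and it covers only the policy decision, not the TrustZone or driver integration; the device address 10.0.0.1, the three rules, and the function names (policy_filter, build_packet, demo_failures) are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Prove & Run code: minimal default-deny IPv4 filter with
 * format checks, a direction-aware allow-list and a reply-tracking flow table. */

enum dir { DIR_IN, DIR_OUT };
enum verdict { DROP = 0, ACCEPT = 1 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt  { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };
/* peer: remote address. port: destination port of the packet, i.e. the remote
 * service for DIR_OUT and the local service for DIR_IN. 0 means "any". */
struct rule { enum dir dir; uint8_t proto; uint32_t peer; uint16_t port; };

/* Constructed policy for a hypothetical device at 10.0.0.1 (assumed values). */
#define LOCAL_ADDR IPV4(10, 0, 0, 1)
static const struct rule POLICY[] = {
    { DIR_OUT, PROTO_TCP, IPV4(10, 0, 0, 5),  443 },  /* device -> backend API   */
    { DIR_OUT, PROTO_UDP, IPV4(10, 0, 0, 53),  53 },  /* device -> DNS resolver  */
    { DIR_IN,  PROTO_TCP, IPV4(10, 0, 0, 9),   22 },  /* maintenance host -> ssh */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return IPV4(p[0], p[1], p[2], p[3]); }

/* Format check: accept only a well-formed, unfragmented IPv4 datagram that
 * carries a complete TCP or UDP port pair; anything else is rejected. */
static bool parse_ipv4(const uint8_t *buf, size_t len, struct pkt *p)
{
    if (len < 20 || (buf[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t total = rd16(buf + 2);
    if (ihl < 20 || ihl > len || total < ihl || total > len) return false;
    if ((rd16(buf + 6) & 0x3fff) != 0) return false;   /* MF flag or fragment offset set */
    p->proto = buf[9];
    if (p->proto != PROTO_TCP && p->proto != PROTO_UDP) return false;
    if (total - ihl < 4) return false;                   /* ports must lie inside the datagram */
    p->src = rd32(buf + 12);    p->dst = rd32(buf + 16);
    p->sport = rd16(buf + ihl); p->dport = rd16(buf + ihl + 2);
    return true;
}

/* Flow table: one entry per accepted outbound flow (local address is implicit). */
#define MAX_FLOWS 16
struct flow { bool used; uint8_t proto; uint32_t peer; uint16_t peer_port, local_port; };
static struct flow flows[MAX_FLOWS];

void flow_table_reset(void) { memset(flows, 0, sizeof flows); }

static bool flow_eq(const struct flow *f, uint8_t proto, uint32_t peer, uint16_t pport, uint16_t lport)
{ return f->used && f->proto == proto && f->peer == peer && f->peer_port == pport && f->local_port == lport; }

static void flow_add(const struct pkt *out)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flow_eq(&flows[i], out->proto, out->dst, out->dport, out->sport)) return;
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!flows[i].used) { flows[i] = (struct flow){ true, out->proto, out->dst, out->dport, out->sport }; return; }
    /* table full: nothing recorded, so the reply will be dropped (fail closed) */
}

static bool flow_is_reply(const struct pkt *in)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flow_eq(&flows[i], in->proto, in->src, in->sport, in->dport)) return true;
    return false;
}

/* Policy decision for one packet seen in direction d. */
enum verdict policy_filter(enum dir d, const uint8_t *buf, size_t len)
{
    struct pkt p;
    if (!parse_ipv4(buf, len, &p)) return DROP;
    /* anti-spoofing: outbound packets must carry our address, inbound ones must target it */
    if (d == DIR_OUT ? p.src != LOCAL_ADDR : p.dst != LOCAL_ADDR) return DROP;
    uint32_t peer = (d == DIR_OUT) ? p.dst : p.src;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const struct rule *r = &POLICY[i];
        if (r->dir != d || (r->proto && r->proto != p.proto)) continue;
        if ((r->peer && r->peer != peer) || (r->port && r->port != p.dport)) continue;
        if (d == DIR_OUT) flow_add(&p);   /* remember it so the answer can come back */
        return ACCEPT;
    }
    if (d == DIR_IN && flow_is_reply(&p)) return ACCEPT;
    return DROP;                           /* nothing matched: default deny */
}

/* Builds a constructed 28-byte IPv4 datagram (20-byte header plus 8 bytes of
 * transport header, no checksums) for exercising the filter. */
size_t build_packet(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    const size_t len = 28;
    memset(out, 0, len);
    out[0] = 0x45; out[3] = (uint8_t)len; out[8] = 64; out[9] = proto;
    for (int i = 0; i < 4; i++) { out[12 + i] = (uint8_t)(src >> (24 - 8 * i)); out[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    return len;
}

/* Runs a constructed scenario; returns how many verdicts differed from expectation. */
int demo_failures(void)
{
    uint8_t b[64]; size_t n; int bad = 0;
    flow_table_reset();
    n = build_packet(b, PROTO_TCP, LOCAL_ADDR, IPV4(10, 0, 0, 5), 40000, 443);
    bad += policy_filter(DIR_OUT, b, n) != ACCEPT;   /* allowed by rule, flow recorded */
    n = build_packet(b, PROTO_TCP, IPV4(10, 0, 0, 5), LOCAL_ADDR, 443, 40000);
    bad += policy_filter(DIR_IN, b, n) != ACCEPT;    /* reply to the tracked flow */
    n = build_packet(b, PROTO_TCP, IPV4(10, 0, 0, 5), LOCAL_ADDR, 443, 40001);
    bad += policy_filter(DIR_IN, b, n) != DROP;      /* same peer, untracked local port */
    n = build_packet(b, PROTO_TCP, IPV4(10, 0, 0, 7), LOCAL_ADDR, 5000, 22);
    bad += policy_filter(DIR_IN, b, n) != DROP;      /* ssh from a host not in the policy */
    n = build_packet(b, PROTO_UDP, LOCAL_ADDR, IPV4(8, 8, 8, 8), 5353, 53);
    bad += policy_filter(DIR_OUT, b, n) != DROP;     /* DNS to a resolver not in the policy */
    bad += policy_filter(DIR_IN, b, 10) != DROP;     /* truncated datagram */
    return bad;
}
```

Two design points carry over to a real deployment: the filter fails closed everywhere (unparseable packets, fragments, a full flow table and unmatched traffic all yield DROP), and the policy is a static allow-list, so the OS cannot widen it at run time; in the SFW architecture that property comes from the Secure Firewall holding the configuration inside the TrustZone-protected area rather than in OS memory.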

Security Rationale

Device-level firewalls cannot be fully trusted because they run in the same address space as the OS (Android, Linux, etc.), where they are vulnerable to the huge number of local and remote attacks that affect traditional operating systems. This also means that compromised devices cannot be recovered or controlled remotely.

The Secure Firewall Solution is secure because:

  • Thanks to TrustZone, the Secure Firewall executes in a secure area, protected from attacks from applications running on the OS.
  • Thanks to TrustZone, the Secure Firewall takes control over the Ethernet peripheral, preventing any application from bypassing the Secure Firewall.
  • Even if the OS is compromised, its communications can still be turned off or restricted by the Secure Firewall.
  • The kernel of the Secure Firewall is formally proven for higher security.
  • The Secure Firewall’s implementation benefits from Prove & Run’s years of expertise developing security applications for embedded devices.
  • The authenticity of the Secure Firewall is protected by a Secure Boot mechanism anchored in the hardware security features of the board.

Deploying the SFW Solution

Integrating the SFW Solution with a device

The SFW Solution is available as pre-integrated packages targeted at specific boards. In order to deploy the solution, one needs to:

  • Obtain the pre-integrated SFW Package for your board from Prove & Run,
  • Integrate the SFW Proxy with your operating system,
  • Create the SFW Image using the provided scripts and the filtering configuration,
  • Configure the Secure Boot process using Prove & Run’s documentation,
  • Load the SFW Image along with the other images.

Compatibility

The SFW Solution requires an ARM® Cortex®-A microprocessor. To obtain a list of compatible boards, please contact Prove & Run at sales@provenrun.com.

Content of an SFW Package

  • Binary code of the Secure Firewall
  • Source and binary code of the reference implementation of the SFW Proxy
  • Scripts to create the Secure Firewall Image
  • Integration and deployment documentation

Licensing

To obtain a license for the SFW Solution, please contact Prove & Run at sales@provenrun.com.