Microsoft Azure Sphere is a secure application development platform with built-in security and communications features for IoT devices. The platform is made up of both hardware and software components, including a crossover MCU, a custom Linux-based OS, and a cloud security service.
Microsoft is offering Azure Sphere as a solution to organizations that operate in the IoT and are looking for better security. With up to 41.6 billion connected-devices expected in the next five years alone, as well as the fast introduction of 5G, the demand for IoT security is only becoming greater.
In 2019, cyberattacks targeting IoT devices surged 300% and a 2020 report from Unit42, the threat intelligence division at Palo Alto Networks, found over half of all IoT devices are vulnerable to severe cyberattacks. 5G is only going to exacerbate this problem, as everything from Wi-Fi routers to satellite constellations used by the Department of Defense all connect to the same 5G network. 5G will facilitate the exchange of an unprecedented amount of data by billions of connected devices, creating an expansive software-based attack surface that is extremely vulnerable.
Deploying a defense-in-depth strategy is imperative to securing 5G. Azure Sphere gives you some of the security layers that you need, however, CoreGuard can help bring it home.
CoreGuard can protect data and code at every level of the Azure platform: from Azure Sphere edge nodes, through gateways, to confidential cloud enclaves. Furthermore, CoreGuard can significantly enhance the baseline set of security measures already required to participate in the Azure ecosystem.
Cyberattack Prevention, Not Just Containment
Azure Sphere MCUs implement coarse-grained compartmentalization using MMUs or similar mechanisms. Coarse-grained compartmentalization is effective in preventing one exploited process from corrupting another, however, it does not actually prevent the exploitation in the first place.
CoreGuard provides more secure compartmentalization by applying precisely-defined security rules, called micropolicies, to every instruction executed by the host processor, detecting and blocking any behavior that violates the rules. As a result, CoreGuard immunizes processors against the exploitation of software vulnerabilities, no matter what compartment the exploitable code lives in.
Fine-Grained, Lightweight Compartmentalization
Although compartmentalization does not stop an attack from actually happening, it still does provide benefit in a defense-in-depth approach by supporting the Principle of Least Privilege.
However, commonly-known compartmentalization solutions, like Arm’s TrustZone, place all code and data into two or four compartments. Compartmentalization that divides data into smaller, finer-grained compartments has traditionally been avoided because it costs too much context-switch overhead and memory to support the data structures in each compartment.
However, because CoreGuard can label instructions and data with the compartments they are in, and because CoreGuard already checks every instruction during execution, the confidentiality and integrity aspects of compartmentalization can be enforced by CoreGuard without heavyweight context switches. In a sense, CoreGuard has taken the original SFI work and implemented it in hardware to improve both security and performance.
Reinforce Microsoft Pluton Security Subsystem
Azure Sphere’s MCU comes with the Pluton security subsystem, which is a hardware-based, secured Root-of-Trust (RoT). A RoT resides in a physical layer of the cybersecurity stack. It is a hardware security measure that validates all the hardware and software on the system at boot time. This subsystem also includes a separate host processor and distinct storage, to isolate cryptographic keys and code.
CoreGuard builds upon this basic isolation of key material and code by enforcing Information Flow Control (IFC) micropolicies on key data (or data derived from key data). IFC micropolicies use metadata that flows along with application data to prevent key-derived data from flowing out of a specified compartment. IFC micropolicies can also enforce integrity constraints, requiring that supplied key material comes from a trusted source and has not been manipulated since. CoreGuard IFC micropolicies can require that any private data flowing out of a system (e.g. over a network port) must have gone through a designated encryption and signature process.
Securing the Trusted Computing Base (TCB)
Azure Sphere’s secured operating system relies on privilege modes to segregate the trusted OS code from application code. In addition, the provided Linux kernel is part of the Trusted Computing Base (TCB). CoreGuard protects software in the OS, as well as application software from cyberattack. With the combination of fine grained compartmentalization and CoreGuard information flow control micropolicies applied to the OS, invalid data exfiltration is prevented and data integrity is enforced.
For example, suppose we have a privacy micropolicy that does not allow any data labeled as "private" to be written to a network port. Such a policy will include rules that say if data passes through a trusted encryption function, then that data is no longer private. This is necessary, as it is stops any attempts to end unencrypted private data off of the system and enforces Principle of Least Privilege (PoLP), ensuring that no function other than the trusted encryption function is able to remove "private" as a label.
Fundamentally, all operating systems consist of privileged functions. In most monolithic operating systems like Linux and Windows, all functions in the OS have all privileges. This means that if an attack compromises any function in the OS, they have access to all privileges in the OS. With CoreGuard micropolicies applying the PoLP, this is prevented and any rogue functions cannot do the privileged operations that the function is granted privilege to.
Scalability from MCUs to Cloud Services
In the Azure Confidential Cloud, the current plan is to rely on enclaves to compartmentalize data and software. As noted previously, CoreGuard not only provides lighter-weight and finer-grained compartmentalization than current enclave approaches, but it is able to prevent the exploitation of software bugs in the first place. CoreGuard can be instantiated on microcontrollers up to cloud servers. CoreGuard’s scalability is due to its heavily parameterized hardware design, as well as the fact that micropolicies themselves are highly tunable.
Accurate, Insubvertible Cyberattack Detection & Response
What Azure Sphere is missing is an extremely accurate cyberattack detector and response mechanism—CoreGuard is exactly that. By monitoring every instruction executed by the host processor, CoreGuard is able to detect and stop an attack in real-time, at the byte-level. This means that an attack is stopped in its tracks before it is able to do any damage to the system—nothing is written to memory and no data is sent out peripherals. It’s insubvertible because CoreGuard enforcement is done in hardware which means it cannot be changed over the network.
Not only does CoreGuard stop an attack, but it also can report and respond to an attack in real-time. With millions of CoreGuard-enhanced Azure Sphere devices, CoreGuard can send immediate alerts with attack information to the Azure Cloud, giving it high-fidelity, situational awareness about ongoing threats. At the same time, the application is notified of the attack and can take appropriate action.
CoreGuard’s response can be customized to the needs of the system it’s protecting. In some systems, it might be best to shut down the system entirely. However, that’s not always the preferred reaction—if a drone is attacked mid-flight, shutting off that drone and crashing it is probably not a good idea.
Potential responses range from simply reporting the violation, to terminating the offending thread, to executing fail-safe code. The default response is to terminate the thread of the offending instruction and jump to a customer-defined safe mode.
Ensuring End-to-End Security of the Azure Sphere
CoreGuard has a role to play in cloud servers, IoT edge devices, and any other computing platforms within the Microsoft Azure ecosystem.
On cloud servers receiving sensitive data from (and sending to) edge devices, the code operating on sensitive data must be protected not only by coarse-grained compartmentalization (e.g. enclaves) but also by fine-grained micropolicy enforcement to prevent the exploitation of software vulnerabilities that inherently exist in the code that is running within each enclave.
On edge devices, which collect and process sensitive data, the software running on those devices also needs to be protected from exploitation of software vulnerabilities. CoreGuard can scale down to smaller devices, and it can also remove some of the overhead imposed by heavyweight compartmentalization schemes that involve context switches.
In the Azure Sphere ecosystem, CoreGuard-protected edge devices can serve as extremely accurate, fine-grained, insubvertible cyberattack detectors.
Interested in getting CoreGuard implemented on your Azure Sphere device? Contact us to learn more.