Microsoft engineer details how the company's IoT security solution operates - at multiple layers starting with the microcontroller.

4 Min Read

MICROSOFT IGNITE - Orlando, Fla. - Galen Hunt sat at a table during Microsoft Ignite, with a holder filled with scores of square microcontroller chips on the table in front of him. One of the chips was missing. "Someone took one of my chips!" he exclaimed and then laughed. "I think I know who it was—and I've got more where these came from."

Hunt, a Microsoft distinguished engineer and managing director of the Azure Sphere/Azure hardware systems group, has spent a lot of time with MCUs (microcontroller units) while building Sphere, a service and framework that Microsoft offers for securing devices at the network's edge. 

The industry's concern about security of connected devices has been late in coming. "About nine billion devices a year ship where a microcontroller is the brain of the device," Hunt said in an interview at Ignite this week. "Most of those devices are not connected; ninety-nine point something-percent of them have no connectivity whatsoever." 

But a few years ago that situation began to change. "Four years ago, somebody walked into my office with a schematic description of the specs for a microcontroller with Wi-Fi built into it. And that was one of those 'a-ha' moments for me when I realized I was looking at the future of computing."

One of the problems with these connected devices is that the network stack built into the MCU is very primitive, he said. Most have no security capabilities whatsoever, depending on an "air-gap" to keep attackers at bay. And with the explosion of the IoT, that air-gap has disappeared, replaced with constant connectivity to the Internet at large. 

Microsoft ultimately created Azure Sphere, a three-part solution that allows manufacturers to rely on built-in security for their connected intelligent products. It begins with the sort of chips that Hunt has on the tray in front of him. "We're not building chips. We have an IP block that goes into the chips, Hunt said. "The IP block is to hardware what a library is to software."

The IP block in this case is called the Pluton Security Subsystem and it's part of every Azure Sphere MCU. Its primary function is providing a hardware root of trust for the device in which the MCU will sit. During the chip manufacturing process, the silicon die generates a unique key for the chip — a key that is used as the basis for cryptography and authentication. "It provides secure boot on top of the crypto identity, some other crypto accelerators, key storage, and some other basic hardware root of trust capabilities," Hunt said.

The second part of Azure Sphere is the operating system, a Linux-based operating system with multiple layers of defense for the firmware and the application code. "The outer layers not only might get attacked, they might be compromised, so then the inner layers know how to protect and restore the security outer layers," Hunt explained.

The layers come in an open source package that manufacturers can modify to suit the needs of their individual devices, Hunt said, with the goal of making the system sufficiently flexible to meet a wide range of demands.

Then there's the Azure Sphere security service, a cloud-based service that keeps every device updated with the latest version of firmware and application software. It also provides certificate-based authentication between the device and the manufacturer's application cloud.

A typical installation checks with Azure Sphere for software updates once a day, and Microsoft recommends that manufacturers build their code so that the Azure Sphere software runs on one core, while the application code runs on an entirely separate core — one that will allow for "fail-safe" operation even if network connectivity is completely lost.

Azure Sphere is built around the points made in a paper, The Seven Properties of Highly Secure Devices, which Hunt co-authored. "I use 'property' very precisely as opposed to principle or standards," Hunt said, "because property is something you can measure."

Azure Sphere developer kits are now available from Microsoft.

Related content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights