Embedded Security is increasingly becoming an important area of concern. Embedded security encompasses components, sub-systems and networks of systems.
Modern embedded systems incorporate several components, including many that are active. Software and hardware from different sources are integrated into a single system, often by teams that do not fully understand, or have little control over, the functioning of the individual components. This poses a major threat and an area of concern for system architects.
System level design offers a significant advantage in terms of allowing a system architect to incorporate a security framework that can impose system and inter-system level security constraints. A system level security framework will need to be architectural [meta]model driven, "synthesizable" to the security model of the hardware or software level implementation and easily integrate into the inter-system level security standards already in place.
A component or thread requesting a service on a modern embedded system may have little knowledge of where that request will be transported and processed. Some constraints are required on where the system CAN send it: a kind of Security Impedance Policy.
A component processing a request may have little knowledge about the origin of the request. Some constraints are required on what credentials and rights must be presented before the request will be processed: a Security Access Policy.
There needs to be an association between principals (machines or humans) and their run-time credentials (id, authentication level, authentication status, assigned roles), an Identity and Authentication Policy, and between those principals and their privileges in a particular sub-system, a Domain Access Policy.
Finally, in really complex systems there needs to be a run-time component that can return a dynamic "domain access policy" for individual components, preferably at system startup.
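To make the four policies concrete, here is an added example (not code from the original post) of a minimal policy engine that checks a request against an impedance policy, an identity/authentication table, a domain access policy returned by a run-time lookup, and a per-service access policy. All component names, principals, auth levels and roles are constructed sample data.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Credentials:
    """Run-time credentials bound to a principal (Identity and Authentication Policy)."""
    principal: str
    auth_level: int       # 0 = none, 1 = password, 2 = hardware token (constructed scale)
    authenticated: bool
    roles: frozenset

# Constructed sample data: three principals and their run-time credentials.
IDENTITY = {
    "operator": Credentials("operator", 2, True, frozenset({"signer", "reader"})),
    "guest":    Credentials("guest", 1, True, frozenset({"reader"})),
    "unknown":  Credentials("unknown", 0, False, frozenset()),
}

# Security Impedance Policy: where a request originating in a component CAN be sent.
IMPEDANCE = {
    "ui_thread":  {"app_domain"},
    "app_domain": {"crypto_domain", "net_domain"},
    "net_domain": set(),            # the network domain may not originate requests inward
}

# Security Access Policy: what a service requires (minimum auth level, any one of these roles).
ACCESS = {
    ("crypto_domain", "sign"):   (2, {"signer"}),
    ("crypto_domain", "verify"): (1, {"reader", "signer"}),
    ("net_domain", "send"):      (1, {"reader"}),
}

def domain_access_policy(domain):
    """Run-time component: the Domain Access Policy, i.e. roles holding any privilege in a domain."""
    return {r for (dom, _), (_, roles) in ACCESS.items() if dom == domain for r in roles}

def authorize(source, target, service, principal):
    """Check a request from source to target's service on behalf of principal; default deny."""
    if target not in IMPEDANCE.get(source, set()):
        return False, "impedance: %s may not send to %s" % (source, target)
    creds = IDENTITY.get(principal)
    if creds is None or not creds.authenticated:
        return False, "identity: principal not authenticated"
    if not creds.roles & domain_access_policy(target):
        return False, "domain: principal holds no privilege in %s" % target
    rule = ACCESS.get((target, service))
    if rule is None:
        return False, "access: no policy for service %s" % service
    min_level, roles = rule
    if creds.auth_level < min_level or not creds.roles & roles:
        return False, "access: credentials insufficient for %s" % service
    return True, "allowed"
```

Each refusal names the policy that rejected the request, which is what an audit log on such a system should record.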
Those principals, credentials, privileges, identity and authentication, security access policy model and domain access policy are already part of enterprise class systems. The security impedance policy may be unique to embedded systems, even though it will increasingly become important in enterprise and Internet grade systems (for example: at what level of trust must the content returned by a Google search be?).
Early Unix systems did an excellent job of simplifying the security model for the security requirements of the time into all of 9 bits (rwxrwxrwx). Today every system architect faces the challenge of creating a simple model of security (the Security Computational Model) for their architecture.
Trust (!) me: the null security model may just be the single reason for your entire system to become obsolete and insecure, leading to complete product failure in the very near future.