A Modern Approach to IP Protection in Embedded Systems

Why is security important?  What purpose does it ultimately serve?  For some its purpose is to ensure uninterrupted operations.  For others, it is important to protect sensitive customer data, avoid reputational damage, or address liability risk.  The cost of compromise takes many forms. 

However, the intelligent edge presents a unique situation: a company’s valuable intellectual property, its algorithms, software, models, etc., is installed, configured, and executed on an edge device that is then placed in an environment that is connected, contested, and complex.  Essentially, a company’s IP is at its most vulnerable there, exposed to both remote attacks and physical attacks.  Moreover, an attacker can acquire a target device and take their time using sophisticated tools to pry loose and reverse engineer the IP they wish to steal.

It is common for many organizations to implement some IP protection.  The most popular approach is the use of a license dongle that provides software confidentiality and copy protection.  Other, less popular approaches involve adding protections to software binaries or creating watchdog processes.  Unfortunately, all of these are easily defeated.  They are like bike locks; they deter opportunistic thieves but have no real effect on someone intent on stealing your bike.

At Star Lab, our vision is to take a modern approach to IP protection.  We are not interested in providing a bike lock!  Our vision is to bring the determination and skill we use to defeat the most well-funded, technically advanced adversaries to customers developing medical technologies, additive manufacturing equipment, robots, IoT devices, AI platforms, and critical infrastructure.  We have been providing IP protection solutions since our inception and we can make a difference helping these industries maintain their technological edge.

So, we’re left with a question to answer. What is our approach to IP Protection? Let’s talk about it. 

Our approach to ultimately provide modern IP Protection is bound by these guideposts: 

  • Protect IP by first protecting the host through a system level design 

  • Use Zero Trust Principles to design and implement protections 

  • Provide adaptable solutions that can be shaped according to a diverse set of platforms and requirements 

First, our approach is to protect the host. Many people believe you can secure an edge system by deploying observability solutions and employing an efficient vulnerability patching program. These are important, but they are not providing security. They certainly reduce risk, but they are still just remediation techniques. Any organization that sets its bar this low will inevitably experience a compromise.  Our approach is to cripple an attacker’s capability to manipulate the system when they obtain access, whether through remote means or through physical tampering.  Further, our system level design approach assumes the attacker will explore a device’s entire attack surface, from direct memory access over a physical interface to a software vulnerability.  Furthermore, we assume they will gain root access.  Thus, our protections take many forms and can often be used out-of-band from the operating system.

We also use a zero trust paradigm. Yes, this is a buzzword, but it is important at the intelligent edge because, again, the device no longer operates in an environment under the owner’s control.  Our protections are deployed such that they form overlapping layers across a device’s attack surface and around the IP under protection. We don’t assume any one layer will be sufficient, nor do we assume security based on user roles.  We also do not use any compiled-in binary protections.

Finally, we know that the Linux-based embedded market is full of diverse platforms and configurations, so a solution that can be adapted to your specific system is critical. Kevlar Embedded Security is currently compatible with both Intel and ARM hardware platforms, as well as Yocto-based Linux distributions and WindRiver Linux (LTS21/22). We are continually building new out-of-the-box compatibility, in addition to our Professional Services, which enable us to ensure custom compatibility with your configuration if it doesn’t align with our current out-of-the-box offerings.

To partner with Star Lab and bring our modern approach to IP protection to your system design, let’s start a conversation. We typically start with a threat assessment to help you understand the threat model for your system and how you should ideally defend against those potential threats. Further, we can identify how Kevlar Embedded Security can be part of your IP Protection solutions to ensure your system is cyber resilient and thwarts attacks.

Adam Fraser