Fall ESC08 Boston Preview: "Security, Son, Security"

Given the increasing complexity of embedded devices and their ubiquitous connectivity, making designs secure from malicious hacking is becoming more difficult, it is the view of Christof Paar, Kai Schramm and Andre Weimerskirch of encrypt Inc., that security will become one of the most intensively researched areas in embedded systems design in future years.

In their class at the Embedded Systems Conference on "Challenges of and solutions for embedded data security (ESC-228)," Paar, Schramm and Weimerskirch look at the trend toward ubiquitously connected embedded devices and the impact that is having on how these devices are designed and deployed. In the class, they attempt to give an overview of the challenges but also of the opportunities which strong pervasive security solutions can offer.

"We are already surrounded by embedded devices. A typical household already has dozens of them in cell phones, home entertainment, printers, household appliances, cars, etc.," said Paar, a founder of encrypt and is the holder of the chair for Communication Security at the Electrical Engineering Department of the University of Bochum. "Once all these devices are equipped with a wireless communication channel, we have arrived in the area of pervasive computing."

And with ubiquitous embedded devices becoming the backbone of the pervasive computing world, he said, new security issues arise, noting that there is not just one single threat against pervasive computing systems. "Rather, due to the extremely diverse nature of embedded applications, there is a wide range of damage that can be done through abuse in a pervasive world," said Paar.

According to Schramm, ecrypt's chief technology officer, the potential threats, ranging from privacy violation to financial loss or even bodily harm. "We argue that pervasive security is needed due to following developments: risk potential, financial aspects, new business models, privacy, reliability and legislation."

Pervasive computing will introduce new security threats, ranging from a loss of privacy, over reduced revenues, to bodily injuries. Some of the new security threats are well known from conventional IT systems, whereas others are unique to the pervasiveness of the devices.

At the same time, said Weimerskirch, encrypt's chief executive officer, strong security in pervasive applications, e.g., fee-based feature activation in products, offers new opportunities for businesses and users. Pervasive security is an emerging discipline and there is an active academic and industrial community working on strong security solutions

While embedded systems have become a centrally important aspect in a wide variety of applications, ranging from hand-held devices to household appliances and RFID tags and constitute 98 percent of the global processor market, Parr points out that many solutions developed for securing general IT systems, such as computer networks or databases, are not applicable or not sufficient for embedded security.

"For instance, in many pervasive applications, communications must be kept to a minimum due to the mobile nature of applications," he said, "the target systems are often computationally extremely weak (8-bit processors are by far the most common embedded platform), an attacker often has physical control over the device, and there is a lack of IT infrastructure such as a public key infrastructure (PKI). "

In addition to those technical boundary conditions, Weimerskirch said embedded applications tend to be extremely cost-sensitive because they are more often than not extremely highvolume devices in very competitive markets. It is important to note, he said, that pervasive security serves not only the purpose of assuring the smooth functioning of applications, but is also an enabling technology for new business models, such as fee-based feature activation in embedded systems.

Fortunately, said Schramm, although there are significant challenges ahead, "most of the technologies needed for embedded security are currently under development in industry and academia, and embedded security is arguably one of the most active areas within applied security and cryptography."

To sign up for this and other courses at the conference, go to the ESC Boston registration page.