Hello Azure Sphere!

Hello Azure Sphere!


Azure Sphere is all about Microcontroller

9 Billions of Microcontroller (MCU) devices shipped around the world every year and only about 1% of them are connected to Internet. By connecting these devices to internet basically changed of how human interact with our daily electronic devices around us.

From our home, to work place or to your holiday villas, microcontroller devices are everywhere. As long as the device has some form of button, sensors or a screen, there are a microcontroller inside. Microcontroller make our daily electronic devices smart and by connecting them to internet, these devices will be “smarter”.

All these smart devices aren’t come without risk. Let’s take an example, a Smart TV set that live in your living hall. It is connect to the internet and knowing your favorite sports schedules. Hours before the WorldCup final, there is a message pop up on your screen and said:

“Please paid 0.1 bitcoin to the following address, to unlock your TV to watch the WorldCup final match”

And your TV just being take ransom by some hackers. You may think this is no way happened or just one of the lame jokes. No manufacturers want to build such an unsecured device, as for the result, we are seeing such a low percentage of connected devices. You may think the above example is a bit sarcastic, but back in year 2016, hackers do bring down the access to major websites across US by using malware called Mirai that in thousands of internet connected devices.

The October 2016 attacks only involved around 100K units of connected devices, but the future will be much more, and the impact could be catastrophic.

Security On Connected Device is Important

Sometimes ago, Microsoft published a research paper on how to secure the future of Internet of Thing should be build: The Seven Properties of Highly Secure Devices. This paper had identified seven important properties to make the future prove secure connected devices.

Some security solutions required hardware and software have to work together to make the future connected devices safe. Hardware to Create Barriers where Software to Create Compartments. The question to ask here is:

Can your device’s security protection improve after deployment?

Some other security solutions not only require hardware and software, but cloud is also required. In these scenario, where the Cloud to Provide Updates after device being deployed, Software to Apply the Updates and Hardware to Prevent Rollbacks.

What’s Azure Sphere?

In short, Azure Sphere empowers manufacturers to create highly secured, connected MCU devices. Microsoft provide 10 years support for every device that built with Azure Sphere, time to market also cut short by using familiar development tools by Microsoft, developers and OEM makers can create more customer experiences and business mode.

Azure Sphere is a Linux based operating system created by Microsoft for Internet of Things (IoT) applications. The aims of Azure Sphere is to provide a secure environment for Internet of Things from the level of Microcontroller Unit (MCU), Operating System (OS) and Secure Cloud.


Secure Microcontroller

Let’s look into the details of what make Azure Sphere special.

Azure Sphere secure Microcontroller with Microsoft Security technology from

Secure Microcontroller

At first, The Pluton Security Subsystem which created a hardware root of truest, stores private keys and executes complex cryptographic operation.

Pluton features implemented in silicon include:

A hardware root of truest that:

  • Accelerates common cryptographic operation (ECC & AES)
  • Generate public/private keypairs
  • Implements secure boot via ECDSA

A dedicated core and memory (TCM) that:

  • Resists side-channel attacks that focus on a single core

A true random number generator that:

  • Defends against low-entropy attacks

Measured boot and remote attestation that:

  • Uses a digest accumulator register and nonce register

Combined the versatility and power of a Cortext-A processor with the low overhead and real-time Cortex-M class processor, it provide a new crossover in MCU space. This is particular important as Cortex-A processor provide the Security, Portability and Extensibility where Cortex-M provide Real-time, Low friction migration and maximum flexibility.

From Contex-A, this is what we get:

Security:

  • Isolation
    Cortex-A provides process-level isolation via its Memory Management Unit (MMU) which allowed Azure Sphere OS to contain the application and services from attacks.
  • Specialized Operating System
    Custom Linux kernel with special IoT function reduce its attack surface by not using passwords, shell or login. It further reduce the overhead too.
  • Authentication
    Using Client and Server certificate authentication for all cloud communication.
  • Authorization
    Authorizes access to resources via a custom capability system secured by Pluton.

Portability:

  • Accelerated time to market
    Application code is written once and portable across Azure Sphere chips
  • Source portability
    Azure Sphere OS includes a large subset of the POSIX standard, which allow rapid porting of OSS software to your application platform.

Extensibility:

  • Enable post-sale monetization
    It allow post deployment security and features updates, create new potential market.
  • A7 headroom for the future
    Cortex-A has headroom for future integration with Machine learning, translation, vision, AI and more.

On the other hand, Cortex-M provide:

Real-time computation and interaction with peripherals.

Low-friction migration: It is compatible with your existing Cortex-M series MCU.

Maximum flexibility, manufacturers are free to run any Cortex-M runtime.


Secure Communication between resources are important too.

Silicon counter-measures

A secure foundation in silicon which Microsoft firewalls Implement the principle of least-privilege. Software behind the firewall is given access to only those resources that it is given explicit permission.

Comprehensive protection to every resource in the system: RAM, network, flash and peripherals.

Hacker have no way out, compromised software cannot access new resources.

Firewall are sticky, the Chip need to be reset before it can reconfigured if the layer of firewall controls is compromised.

Silicon partners for Azure Sphere

Azure Sphere Class of MCUs

Microsoft don’t build their own silicon. In fact, Microsoft licensing the Pluton security subsystem royalty free to any silicon partners who want to build their microcontroller with build-in Microsoft security technologies. With this move, Microsoft aim to improve entire ecosystem to more secure environment.


Azure Sphere OS

The Azure Sphere Operating System is optimized for IoT, Security and MCU agility. A special Linux version of Operating System with harden security by Microsoft to power the devices and it come with 10-years lifetime support.

Azure Sphere OS Architecture

Azure Sphere OS provide up to four layer of security protection. From the lowest level of Security Monitor up to the top level by leverage the power of Cortex-A and Cortex-M to provide secure Application containers layer.

OS Layer 1: Security Monitor

Guards integrity and access to critical resources.
Security monitor protects the access to critical resources such as Flash memory and using an unique technique called “erasure coding” function to protect and prevent the corruption code being executed. Both health-check detects and self-heals corrupted data.

OS Layer 2: HLOS Kernel

Empowers agile silicon evolution and reuse of code.
A special Linux version of operating system harden security with Microsoft Pluton service, it protecting the resources acquisition.

OS Layer 3: On-chip Cloud Services

Provide update, authentication and connectivity.
Secure communication for TLS connection, mutual authentication, peripheral access.

OS Layer 4: Secure Application Container

Compartmentalize code for agility, robustness & security.
No password, No Shell, No user accounts approach not only provide the long term compatibility and support, it also reduce the footprint that hackers can find the way in. Operating system can be updated without the interruption of the application running on it.


Azure Sphere Security Service

Certificate-based Authentication for all communication

From the moment Azure Sphere certified MCU connected to the cloud, it will connected Azure Sphere Security Service, authenticate, attestation and check for the updates that required. If updates are required, it will push the update to the device.

Once the update is completed, it can be connected to Azure IoT or other IoT or cloud services.

Control access to online services

All up-to-date devices are issued a short-lived certificate. The certificate can be presented to any online services. The online services can validate the certificate via certificate chain.

If the device is out-of-date, Azure Sphere Security Service will force update the device to the latest version, only then will issue the certificate.

Modernize MCU development with Azure Sphere and Visual Studio

Azure Sphere is deeply integrated with Visual Studio, it simplify the development effort, streamline your debugging and provide quick and easy connection to Azure IoT.

If you feel you don’t want to use Visual Studio for Azure Sphere development, you are always free to use command lines or other IDE for the task.


No Subscription Required

When you purchase an Azure Sphere certified MCU, developer are not require to subscribe to Azure Sphere licensing or services. All Azure Sphere certified MCUs are licensed by Microsoft under royalty free program to their silicon partners.

Azure Sphere is not only royalty free, but it also come with 10-years on device support, it also open to any cloud not only limited to Azure. MCU manufacturers are free to innovate with Microsoft GPL’s OSS Linux kernel code base.

Azure Sphere Development Kits

MT3620 Development Kit is an Azure Sphere compliant MCU from MediaTek, which combines for the first time both real-time and application processors with built-in Microsoft security technology and connectivity.

Azure Sphere Development Kits are available for pre-order now, and it is expecting to be shipped by September 2018.


In the next few weeks, I will be working and testing the MT3620 development kits. Once ready, I will post the review here. 🙂

Comments are closed.