Hello everyone, and welcome to this webinar. My name is Benjamin Mouchard. I am a product marketing manager at ProvenRun, and I am glad that you could join us today. This presentation is a general topic around the solutions we can provide to enhance the security of your connected devices, and will present our offer around the STM32MP1 board from STMicroelectronics.

What about ProvenRun? ProvenRun is a French company founded in 2009 by Dominique Bolignano, and is specialized in cybersecurity. Our mission is to resolve the security challenges linked to the large-scale deployment of connected devices. We are independent and profitable, and have our headquarters in Paris. We also have a facility for research and development in Sophia Antipolis on the French Riviera. For numbers, we are composed of around 40 people, and we help requests from customers from all around the world. We are also an ST authorized partner, and this is why we have been promoted by STMicroelectronics to run this webinar today. We are internationally recognized as security experts. We can mention that we have been core partners of the ARM PSA Certified initiative. We are also security provider of the European Processor Initiative, and our biggest achievement so far is that we developed ProvenCore, a formally proven secure operating system that has been certified Common Criteria EAL7. This is a world premiere. To our knowledge, there is no other secure operating system at that level of certification.

So ProvenRun helps its customers reach their security goals for connected devices through its secure-by-design solutions and expert consulting services. Securing connected devices against remote attacks involves various technologies, but exploitable bugs in complex parts of the operating system, such as communication stacks and drivers, are currently the weakest link.
With ProvenCore, the formally proven operating system that runs on Cortex-A or RISC-V processors, ProvenCore-M, a secure real-time operating system that runs on Cortex-M, especially for the IoT market, and ProvenVisor, ProvenRun brings an innovative answer to the challenge. With our products, companies developing connected devices can attain unprecedented levels of security. At ProvenRun, we have industry-recognized experts backed up by years of experience in the digital security market, with world-class expertise in security and architectures, operating systems, formal methods, and security certification. We provide consulting security services, such as security analysis, security requirements, security architecture, and mitigation plans, and have the knowledge and expertise to help you in case you need a security certification. Our experts are always available to work side-by-side with you on your IoT project to help you secure your existing or new IoT architectures.

So why is cybersecurity the IoT's biggest challenge? First of all, IoT is one of the fastest-growing emerging technologies. According to several statistics, the global IoT market stood at hundreds of billions of dollars in 2019 and is expected to grow even more in the few upcoming years. We are talking about a lot of money and business opportunities. Then, they are vulnerable to remote attacks, the bread and butter of hackers. But why is that? Simply because it means that connected devices are vulnerable anywhere, anytime, as long as they are connected. The window of opportunity for an attack is almost limitless. And we are talking about billions of potential targets. And if a device can be controlled remotely, it can cause a lot of harm, from service interruption to physical damage to users or nearby equipment. All of this gives hackers leverage to extort money from manufacturers, making it a very attractive business model. All of this raises the question, how do you answer this challenge?
It starts by understanding what is at stake. IoT devices are easy to acquire. Hackers will get their hands on the devices and they will have unlimited time and unlimited access to reverse engineer them. Flaws and weaknesses will be found. We need a way to protect against hackers, but how can we perform that? If we can make an analogy here, I want you to think about a boxer. So a boxer has to protect against punches. And it is really hard for him to defend against a punch that he has never seen. On the contrary, if he knows the punch, because he knows the opponent, he can properly defend against it and maybe even set up a counter. The same principle can be applied here. Manufacturers must conduct security analysis to understand the threats and define the security requirements for their devices.

Most of the time, we see companies developing their product having in mind only the functional aspect of it. And once the product has met the desired functional requirements, they start to ask themselves about the security of the product. But sadly, it's often too late, because either the product doesn't integrate the proper security architecture or adding the proper level of security turns out to be really expensive. This is why security needs to be integrated at the design stage of the connected devices, using state-of-the-art technologies.

ProvenRun is composed of world-class security experts that can help you define more secure products and grow your team's awareness towards cybersecurity. Our services and solutions are divided into major topics: our consulting services for all the study about the threats and mitigation plan for your products, and we're talking about our experience and knowledge in security analysis and security architectures, and our solutions to secure by design connected devices.
In this presentation, we're gonna talk about our advanced expertise and custom development for OP-TEE and ProvenCore, our ultra-secure operating system that we developed here at ProvenRun. So that concludes our introduction. The rest of this webinar will focus on the presentation of the services and solutions to understand how we can help you meet your security requirements.

So let's dive into our IoT Security Consulting Suite. It is composed of three different services. We have Training and Workshop, on IoT security requirements and the certification landscape. We have Security Analysis. We already talked about this one, but I could not insist enough on the importance of this service, so we will come back to that. And finally, our certification support for any kind of need. It can be from self-assessment to the highest level of security.

So why do you need a training? Because security is complicated and very meticulous, but there is no mystery in it. It is based on experience and knowledge. We use methodologies, protocols and standards that have proven to be efficient. The purpose of this training is to get you familiar with the methodologies we use for risk analysis, the countermeasures that can be applied to your product, and the standards and schemes that are relevant to your needs. And finally, we can also help you identify an internal team that could be involved in the security aspects of your product in the future. So to summarize about the training and workshop, the objectives are to have the key elements to shape an evaluation strategy and to be ready to set up the relevant internal team for all the security aspects of your products. The benefit of our training will be to enrich your team's awareness towards cybersecurity and understand where you need to go to meet your security requirements.

So why do you need a security analysis? We already mentioned this, but it's such a critical step toward enabling a secure product that we will have to say it again.
So remember the boxer and how we can defend against punches that you know are coming and even set up for a counter-attack. Basically, the boxer defines the strategy to beat his opponent based on his habits. It's the same principle with the security analysis. We need to understand the threats in order to define the proper security requirements that will allow us to defend against attacks. With that in mind, we are going to define an evaluation strategy to measure and prove the security level of your connected devices.

So about the process and how it is conducted, the first step is the information exchange. This phase is quite simple. We ask everything we need to know about your product in order to identify the applicable regulation and the desired security level. In order to conduct a security analysis, we also need to understand the architecture of your product. So then comes the concrete study phase. This will be done by our consultants and it will be based on our methodology and knowledge. And then when the study is complete, we will present the results to you and discuss all the potential security and evaluation strategies.

And finally, the last service of our IoT consulting suite is the certification support. The purpose of this service is to optimize the efforts towards certification. But why would you need that? Because certifying a product is no easy task. Certification is a complex and meticulous process that requires a lot of experience and implicit knowledge. That's why it can turn out to be time-consuming and very costly for newcomers. It is a risky process. Certification is never warranted. But we help de-risk the process with our know-how of the certification ecosystem, our knowledge of the schemes and certification procedures, and our expertise with certification documentation. All of this comes from our rich experience of having successfully supported the evaluations of our customers in the past.
To sum up about the certification support, the objective is straightforward. Take the shortest path to certification. We can help you de-risk the certification process. We are talking about time, money, and success ratio. We can also mention that we have a direct line with certification bodies and labs.

So we have now gone through the details of our consulting service suite. I hope it was clear and that you have a good understanding of how the different services can help you design more secure products and potentially work for a certification. It is true that the requirements in the IoT market are not well-defined yet, but they will surely grow a lot in the future. So we will now focus on the solutions to secure by design your connected devices.

But first, let's talk about basic cybersecurity concepts. So cybersecurity is the concept of securing connected devices. Connected devices, as the name suggests, are devices that communicate with one another. So we are talking about information exchange through messages. The four pillars of cybersecurity are meant to secure the communication between the devices by ensuring their confidentiality, authenticity, integrity, and availability. If we want an easy explanation, we can take an example here. For example, you want to send an email to your boss. Confidentiality means that if anyone other than your boss receives the mail, he will not be able to read it. Authenticity is a way available to your boss to know that the mail is indeed coming from you. Integrity means that when the mail is received, its content has not been modified. Availability means that whenever you need to send an email, the service will be available and it will work, basically.

So in order to further advance in this presentation and talk about some concrete architecture and implementation with the MP1, I will give the lead to Thierry, STM32 security marketing manager at STMicroelectronics.

My name is Thierry Crespo, working as security marketing manager at STMicro for STM32 microcontrollers and microprocessors. To help customers build strong end-to-end security products, ST is proposing a security framework that we call STM32Trust. Targeted towards IoT, its purpose is to protect customer assets by providing all means to cover 12 fundamental security functions, mapping multiple worldwide security assurance schemes. These functions will be covered either by means of hardware IPs or software from ST or third parties, and by services. STM32Trust bases its strategy to provide a security assurance level for IoT using either SESIP, from TrustCB and published by GlobalPlatform, or PSA by ARM. These are aligned to multiple national and applicative security standards, allowing our customers to reach their own application security assurance requirements.

ST is leading the race in general-purpose microcontroller security, increasing year after year its security offer. An example of this can be seen in the certifications obtained by various STM32s. ST was first to introduce PSA Level 1, followed by a SESIP Level 3 product on the market. This slide shows the current certifications available on the STM32 product families. STM32 security can also be augmented by secure element companion chips from STSAFE or TPM for authentication, and with ST4SIM for connected devices. These devices are certified Common Criteria EAL5+, TCG, FIPS or GSMA.

The STM32MP1 was launched back in February 2019. It provides the following key values: 10-year longevity commitment, strong technical support and a recognized solid supply chain. The STM32MP1 includes a dual Cortex-A7 running up to 800 megahertz combined with a real-time Cortex-M4 at 209 megahertz, providing a flexible architecture targeting real-time and HMI applications at reduced cost.
Thanks to the broad OpenSTLinux distribution, open source software and third-party partners, customers can drastically reduce time to market. The MP1 comes with an ST power management unit called STPMIC1. This PMIC provides the right level of power optimized for low-power applications.

Looking at the MP15 family, you can find in this table the list of hardware security IPs proposed, mapped on the 12 security functions from STM32Trust. An immutable secure boot in ROM allows to start the root of trust. Secure keys are stored in the OTP area and an STM32 HSM can be used to program the secure data. TrustZone with MMU provides the isolation between secure and non-secure resources. Anti-tamper mechanisms are also present to detect board intrusions. Detection can be programmed, for example, on IOs and also on environmental factors such as temperature, voltage, and real-time clock. In terms of software, ST has been working on OP-TEE, an open source trusted execution environment maintained by ST. It ensures the root of trust and isolation. TF-A also is a trusted firmware for Cortex-A from ARM; initially running on ARMv8-A, it was backported by ST to ARMv7-A.

Thank you for your attention. Have a nice webinar. We hope we'll be using ST products in the near future, and do not hesitate to visit us. Exhaustive information is available at www.st.com slash MP. Thank you.

So thank you, Thierry, for this presentation. So we are going to talk about what we can do to secure the STM32MP1 board. But first, here at ProvenRun, we think that all connected devices should at least have a basic set of security applications. And we are talking about a secure boot for ensuring the integrity of the firmware and software running on the platform. The firmware update over the air, because we are talking about connected devices and a very large number of them. So you need a way to remotely and securely update your devices, because you can't just bring them all back every time you need an update.
Secure communication, because we need our communication to be secure as it is a very critical entry point for hackers, and the firmware version and device attestation to verify that the device has not been tampered with before it is connected to the network. So this is the set of applications we provide for the STMicroelectronics STM32MP1 board. And we developed these security applications based on IoT general threat analysis and making proper use of the MP1 software and hardware mechanisms.

So before going into the details of the different security options, let's start by adding some context here and talk about the MP1 architecture. So Thierry introduced a bit about this architecture, but I'm gonna explain again. So the MP1 integrates the ARM TrustZone technology, which offers an efficient system-wide approach to security with hardware-enforced isolation built into the CPU. So basically TrustZone develops the concept of the normal world and the secure world, which goes beyond just the isolation, goes beyond the processor, to encompass the memory, software, bus transactions, interrupts and peripherals within the system on chip. So this technology is commonly used to run trusted boot and a trusted OS, also called trusted execution environment, like Thierry mentioned, like OP-TEE or ProvenCore, our secure operating system.

So in this slide here are the different MP1 systems and security options. As you can see, there is a range of options with increasing levels of security. They are all based on the basic set of applications we just talked about, but use different solutions and implementations for better security. To make another analogy here, let's take the example of a house. You can protect it by adding a three-point lock on the door and then add on top of it a big dog, because it can turn out to be quite dissuasive, and you can also add an alarm system and even video surveillance and so on. So this is what all these options represent.
It starts with our custom services for any customer willing to use OP-TEE. Then we propose to enhance the security by securing OP-TEE with ProvenCore, our secure operating system. And the next options will focus on advanced use cases such as the secure firmware update, as it is one of the most critical security functions for connected devices. So we propose with the protected offer integrity protection, and with the secured offer availability protection. And obviously all the options that are higher integrate the security from the lower levels. And the last offer, the last service that we can have on top of that, is the advanced option with runtime check monitoring of the normal world. So we are going to explain all these options in detail right now.

So about the OP-TEE development and integration services. With this option, we provide solutions for people willing to use OP-TEE. In order to properly secure your product using OP-TEE, you must understand the pros and cons of this solution. So OP-TEE is an open source trusted execution environment standardized for GlobalPlatform. It is widely used and makes use of TrustZone hardware mechanisms. So basically OP-TEE is an entry point for people willing to make a first step into security. If implemented well, it can be a decent solution, but it is critical for trusted applets, drivers and secure boot implementation to be developed by security experts. So that's what we propose to do for you. We propose to write every critical security function for you, basically. For the secure boot, secure boot ensures the integrity of the firmware and software running on the platform. It is a critical step in the security boot chain and it is a complex operation. ProvenRun has a long and solid expertise in implementing secure boots and integrating them to cover the most complex requirements. So we can help you set up the proper level of security by enabling a good implementation for the secure boot.

Okay, so now let's say you have already developed a solution based on OP-TEE, but you want more security. We propose to secure OP-TEE by using ProvenCore on top of it and use a service that we developed, which is the OP-TEE abstraction layer. Thanks to this layer, you will be 100% compatible with everything you have already designed with OP-TEE, but you will be using ProvenCore to protect your system. But what are the benefits of using ProvenCore in such an architecture? Well, ProvenCore is an ultra-secure operating system. It has been formally proven down to the generated code. What does it mean? It means that some properties like integrity and confidentiality have been formally proven. Formally proven means they are guaranteed whatever the OS execution path. Thanks to these properties, ProvenCore defines ultra-secure containers for strong isolation between applications. Because ProvenCore does not assume that trusted applications and drivers need to be trusted. Why is that? Because rogue trusted applications and faulty drivers are usually identified as the major source of vulnerability for trusted execution environment security solutions. Because in practice, trusted applications and drivers are produced by different third-party sources with different skills and expertise in security. So ProvenCore acts as a first line of defense against malicious or vulnerable drivers and trusted applets. So this built-in security enables flexible project organization that is adapted to the industrial requirements. In conclusion, we can achieve cost-effective development of security applications.

So now let's talk about the secure firmware update service. Providing a firmware update to devices in the field is now a requirement for IoT devices because it improves the value of existing devices by enhancing their functionality and performance. It eliminates costly recalls or physical replacement because of functional or security bugs.
And it reduces testing and support costs by keeping all your devices at the same version. But over-the-air firmware update is a massive security risk, as many issues with the process enable an attacker to take over the whole device, with potentially dire consequences such as breaking the device or leaking confidential or private data. So ProvenRun's secure firmware update solution focuses on one goal: making sure that the firmware of your device stays authentic and cannot be downgraded by an attacker.

The secure firmware update solution, or SFU solution, is composed of two software bricks, the SFU client and the SFU agent. The SFU client's purpose is to download the firmware update image and forward it to the SFU agent. The SFU agent applies the firmware update image to the board after checking the authenticity and integrity of the firmware update image using stored public keys. This application is executed in ProvenCore, while the secure firmware update client is executed on the rich OS of the normal world. This solution is secure for several reasons. Because we have set up a VPN for secure communication and the keys are managed by ProvenCore. Also because the secure firmware update process does not rely on the rich OS, but only on the SFU agent. And the SFU agent is executed in ProvenCore, meaning that it's protected from attacks coming from the inside, like other applications running on the rich OS, or the outside. On top of that, the authenticity of the SFU agent is protected by the secure boot mechanism that we talked about in the basic set of secure applications provided on the STM32MP1 board.

So for the flow of a secure update, in this example, we will first start the VPN connection. And once the VPN connection is established, then we can download the package using the secure firmware update client as a communication with the server, and then forward the image to the SFU agent, which will run the authenticity and integrity checks.
So with the protected option, the secure update service is secure and will prevent any malicious software from being installed on the device. That is most of the time enough to ask from the secure firmware update service. But there is still a vulnerability that is not covered by the previous implementation. What happens if the rich OS gets corrupted? Yes, we will not be able to install any malicious software from the secure update service, but an attacker can still deny the update service itself. The reason is because in the protected implementation, ProvenCore is working like a standard trusted execution environment, as a slave of the normal world.

With this implementation, we are going to see the full potential of ProvenCore. ProvenCore can work in a mode where trusted applications are completely autonomous and continue to run, even if the rich operating system is not behaving properly or has crashed. The communication with the normal world can either be synchronous, meaning triggered by the normal world, or asynchronous. This enables advanced use cases, such as the secured option. With this implementation, trusted applications will implement a full VPN and TCP/IP stack for secure communication with the server. The integrity protection will still remain inside ProvenCore, and the secure firmware update service process will be autonomous and fully protected if the normal world is corrupted.

Another advanced use case that is enabled by ProvenCore acting as an autonomous secure operating system is the runtime integrity monitoring function. The purpose of this service is to detect and shut down a potential attack on the rich OS. On top of being independent from the normal world, ProvenCore can also perform integrity checks initiated at regular intervals to verify that the normal world is behaving properly. If the integrity check fails, then we can trigger a customizable response.
Like, for example, it can be to restart the rich operating system to limit the time frame from penetration to attack. This will reduce the time available to the attacker to perform an attack. So we reduce the surface of attack of our device.

One of the key functions of any secure operating system is to provide cryptographic functionality. Therefore, we implement OpenSSL, a general-purpose cryptographic library, in ProvenCore. This will allow you to perform all the standard cryptographic operations such as key and certificate generation, encryption, decryption, and standard cryptographic algorithms. And all these crypto operations will be available to the rich OS, the rich operating system, through a set of well-documented APIs. We also help you integrate hardware modules like secure elements, trusted platform modules and hardware security modules. What is of interest with this integration is that ProvenCore will have the exclusive control of the module, meaning that it will benefit from the isolation property of ProvenCore for more security. In addition, we can also enforce security policies on each module request to filter malicious attempts toward hardware modules.

So that concludes our presentation. And I propose to summarize how you and us can work together to make the IoT secure. So at ProvenRun, we have industry-recognized experts backed up by years of experience in the digital security market, with world-class expertise in security and architectures, operating systems, formal methods and security certification. We developed secure-by-design solutions that are designed to address all kinds of security requirements up to the highest level. We are security experts and have an advanced understanding of TrustZone.
So we propose a one-stop shop offer for trusted execution environments and related security services, either by helping you with your OP-TEE integration and development to achieve your security goals, or with ProvenCore and all the IoT security suite to drastically improve the level of security of your connected devices. Regarding the differentiator, we have to mention ProvenCore as a key differentiator for several reasons. The fact that ProvenCore is formally proven, therefore it is as close as possible to zero defect, and enables the ultra-secure containers that provide cost-effective development of security applications. With ProvenCore, you can easily achieve unprecedented levels of security for your connected devices, and at an industrial cost. In addition, ProvenCore can act as an autonomous secure operating system, enabling advanced use cases such as the secured option we saw, the runtime monitoring and a lot more, like an autonomous secure storage or recovery operating system function.

So the presentation is now finished and we are going to answer your questions. I hope there are going to be many of them. If you seek more information about us, you can still visit our website at www.provenrun.com or contact us directly by mail at contact www.provenrun.com. Thank you very much.