
[Press Release] ZAYA Secure AWS IoT μContainers

Updated: Apr 6, 2021

Cambridge, UK, February 17, 2020. Marking a key milestone in IoT security, Zaya has announced ZAYA Secure AWS IoT μContainers.

An IoT device needs to be monitored from the Cloud, and one of the major Cloud Service Providers is Amazon Web Services (AWS). Fortunately, Amazon provides SDKs for IoT devices to manage the communication between the IoT device and AWS Cloud Services. AWS SDKs make use of strong authentication (SSL/TLS) for secure communication, which makes communication almost un-hackable.

Attacking the secure TLS channel is one type of attack, but there are other types of attack in the connected-device world. Even with secure communication, there can still be backdoors for attackers. For example, even if the communication channel is encrypted, the device needs to keep the AWS certificates somewhere on the device. So, if the key is accessible somewhere on the device, the attacker could use the keys to listen to the encrypted channels. Here, the attacker attacks the device directly instead of attacking the secure channel. Therefore, device "functional security" is as important as communication security. Without device security, it does not matter which cryptographic algorithm or key length is used.

At ZAYA, we develop products to secure the whole ecosystem from bottom to top.

ZAYA offers a secure operating system called ZAYA Secure Kernel. ZAYA Secure Kernel is a security-certified operating system that meets Security Certification Requirements. ZAYA Kernel is a secure operating system itself, and it also protects the middleware and user applications from external attacks and even from itself.

ZAYA is also a Rich Operating System for IoT Edges and offers Rich OS features such as Containers. ZAYA Secure μContainers are containers for Arm Cortex M microcontrollers and offer a secure, user-, certification- and deployment-friendly environment for resource-constrained IoT Edges.

If you haven’t seen ZAYA Secure μContainers, see the following link: [Press Release] ZAYA Secure μContainers for Arm Cortex M Microcontrollers

ZAYA makes use of certified ZAYA Kernel Security and ZAYA μContainer features to solve the functional security issues and offers Turnkey μContainers.

Herein, ZAYA proudly announces ZAYA AWS IoT μContainer.

ZAYA AWS μContainer is a pre-built, turnkey ZAYA Secure μContainer that offers a functionally secure AWS solution for IoT Edges. Because it is a turnkey solution, one can simply download ZAYA AWS μContainer to have secure AWS communication capabilities.

Once the system has the ZAYA AWS μContainer, other independent ZAYA user applications call ZAYA AWS IoT μContainer to communicate with AWS IoT Cloud.

ZAYA AWS μContainer is a secure solution and makes use of security features. The following section explains some of the security features.

ZAYA AWS μContainer Security;

Limitation of Traditional Platforms/RTOSes: There is no device/platform-level security such as isolation when the AWS IoT SDKs run on a microcontroller. If an attacker attacks the device directly (e.g. by code injection) instead of attacking the encrypted channel (SSL/TLS) established by the AWS SDK, the attacker can take control of the whole device and can easily obtain the AWS certificates and keys to listen to the encrypted network (SSL/TLS).

1. ZAYA AWS μContainer Authentication;

In ZAYA, ZAYA μContainers are individual executables, and a trusted source (e.g. the manufacturer) must sign them.

At device startup, ZAYA Secure Kernel checks the integrity and authenticity (public key authentication) of the ZAYA AWS μContainer and runs the ZAYA AWS μContainer only if it is not corrupted and it is authenticated.

2. Isolation of the ZAYA AWS μContainer;

ZAYA Secure Kernel provides different levels of isolation, which are required for high-level Security Certification Requirements:

2.1. Isolation of Platform; Isolation of Platform is a requirement for Security Certifications. In the Arm Platform Security Architecture (PSA), PSA Level 1 requires isolation between SPE and NSPE. Also, in SESIP Security Certification, Isolation of the Platform is a requirement.

ZAYA Secure Kernel is responsible for all sensitive operations such as cryptography and key management. It is isolated from ZAYA AWS μContainer, and ZAYA AWS μContainer cannot access ZAYA Kernel Space.

2.2. Isolation from Other Containers; Isolation of Application Parts is a requirement for Security Certifications such as SESIP.

ZAYA AWS μContainer is isolated from other user applications and μContainers. If a malicious application/μContainer tries to access the ZAYA AWS μContainer address space, the malicious application is terminated by the ZAYA Secure Kernel and the rest of the system, e.g. ZAYA AWS μContainer, continues running.

3. Make use of PSA Functional API

ZAYA is a PSA Certified™ Level 1 and PSA Certified™ Functional API Kernel and implements the PSA Functional API for security services such as Cryptography and Secure Storage.

ZAYA AWS μContainers are security-free executables: they contain no security (cryptography) and no AWS certificates or Device Private Keys. Instead, ZAYA AWS μContainers make use of ZAYA’s certified PSA Functional API for cryptography and secure key storage, which is isolated in Certified Kernel Space.

HW Requirements;

ZAYA Secure μContainers are containers for Arm Cortex M microcontrollers and can run on Armv7-M (e.g. Cortex M3, M7) or Armv8-M (e.g. Cortex M33) Cortex M microcontrollers.


Security is only as strong as the weakest link, so all modules need to be secure and certified. ZAYA runs a secure AWS IoT demonstration on PSA Certified Arm microcontrollers.

A public demonstration on NXP i.MX RT 105x EVK (Cortex M7) will be published soon.

Please contact us for more details and demonstrations.