Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores

Sneaky processors look to keep lid on sensitive IoT data

Arm has released a new processor core design for Cortex-M-powered system-on-chips that will try to stop physical tampering and side-channel attacks by hackers.

The microcontroller-grade Cortex M35-P CPU cores are aimed at embedded IoT devices that operate in public or in areas where there is a risk someone will either crack open the device or get close enough to perform a proximity-based attack. Think things like smart meters or connected street lights in a major city.

Rather than worry about network-based or remote side-channel attacks (that is what the Platform Security Architecture is for), Arm says the M35-P has been designed to ward off actual hands-on attempts to compromise a device by fiddling with the processor itself.

These physical attacks [PDF] on Arm chips include techniques such as recording electromagnetic radiation to spot when information is being transmitted or even cracking open the housing on the chip to manipulate the silicon itself.


How common are such attacks? Not particularly, admits Asaf Shen, Arm's VP of marketing for security IP. When they do occur, though, they are potentially devastating, and the barrier for entry is lowering, he said.

"Success attacking one device can easily turn into a large-scale attack," explained Shen. "If one smart streetlight can be hacked, it can provide a window for potentially an entire city's smart grid to be attacked."

Because these sorts of flaws would, by nature, be impossible for the vendors to patch as they are etched into the bare metal, Arm is taking it upon itself as the designer of the processor cores to beef up security.

Among the measures Arm is taking with the M35-P is an attempt to control electric current leakage and electromagnetic radiation. The SoftBank-owned Brit biz says it has engineered the blueprints to minimize both leakage and EM output, particularly while performing tasks such as transmitting security keys.

Those measures, Arm hopes, will combine with other technologies like PSA and TrustZone to close off side-channel attacks and attempts to get directly into the hardware itself.

At the same time, Shen noted, the security measures on the M35-P will not be able to fully prevent physical attacks. Once a hostile party is able to crack open a chip and manipulate it, a compromise is going to happen sooner or later. Rather, Arm wants to make such a compromise more trouble than it is worth.

"Nothing out there is 100 per cent bulletproof, at the end of the day everything and anything can be compromised," Shen admitted. "The goal here is to make the attack uneconomical." ®
