DOCSLIB.ORG

Building Private-By-Design Iot Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Building Private-By-Design Iot Systems Building Private-by-Design IoT Systems Igor Zavalyshyn INESC-ID / Instituto Superior Técnico, Universidade de Lisboa, Lisbon, Portugal UCLouvain, ICTEAM, Louvain-la-Neuve, Belgium [email protected] Abstract growing amount and variety of sensitive data they collect, Internet of Things (IoT) devices have revolutionized the way there is still a deficit of mechanisms to ensure user privacy we interact with our physical environment. With a single tap and security. In fact, existing IoT systems often resemble a on a smartphone screen or a voice command one can control “black hole“ that collects sensitive sensor data from the con- home lighting, thermostats and cameras, monitor physical nected devices leaving the end users clueless about further activity, and keep track of personal belongings. However, data whereabouts. Unfortunately, this situation has already while these devices become more and more embedded in our caused numerous incidents of massive data leackage [7], daily lives, there are growing concerns over the privacy and security breaches [8], insider-related eavesdropping or peep- security of highly sensitive data they collect. Numerous cases ing [1, 6], as well as created opportunities for unauthorized of data abuse, unauthorized sharing and leakage have been surveillance and forensic investigations [3, 4]. reported. Unfortunately, existing IoT systems have not only To fill this gap, we propose a clean-slate approach to build- failed to prevent such cases, but often contributed to those. ing secure and private-by-design IoT systems. It aims to em- To address this issue, we propose a clean-slate approach to power end users with full control over sensor-collected data, building secure and private-by-design IoT systems, in which and enable them to specify and enforce privacy and security users retain full control and ownership of their IoT data. The preferences regarding sensor data collection, processing and approach builds upon key design concepts: (1) a dataflow sharing. Our approach builds upon two key design concepts. programming model for building IoT apps and services, and First, we introduce a novel dataflow programming model for (2) a mechanism to track sensitive sensor data flows inside IoT developers and service providers to create their privacy- these apps and automatically verify their compliance with aware data processing applications, apps. It allows to keep user-defined privacy and security preferences. track not only (1) of how the sensor data flows within the app, but also (2) of the semantics of the data as it gets processed CCS Concepts: • Security and privacy ! Information inside the app. Our second key design concept enables end flow control; Access control. users to automatically verify if a given app can violate any of Keywords: IoT, privacy, data flows tracking and verification their privacy expectations. To this end, we generate a formal model of the app’s elements graph using Prolog predicates, ACM Reference Format: and issue a set of queries to determine the existence of data Igor Zavalyshyn. 2020. Building Private-by-Design IoT Systems. flows that are in conflict with user-defined privacy policy. A In 21st International Middleware Conference Doctoral Symposium user can, e.g., determine if an app that requires access to a (Middleware ’20 Doctoral Symposium), December 7–11, 2020, Delft, Netherlands. ACM, New York, NY, USA, 5 pages. https://doi.org/10. camera feed for motion detection can potentially send raw 1145/3429351.3431750 camera images to a security company instead of the ‘motion detected’ events as expected. 1 Introduction We applied these concepts in the design of three systems that span across local (home), cloud and mobile domains. For With the rising popularity of IoT systems, such as Ama- the local domain, we present HomePad [10], a privacy-aware zon Alexa, Google Home or Samsung SmartThings, and a smart home hub that provides a runtime environment for Permission to make digital or hard copies of all or part of this work for IoT apps that follow the dataflow programming model to pro- personal or classroom use is granted without fee provided that copies cess sensitive sensor data in accordance with user-defined are not made or distributed for profit or commercial advantage and that rules. It offers a rich API with an extensive set of built-in copies bear this notice and the full citation on the first page. Copyrights elements for IoT app development, and a verification engine for components of this work owned by others than the author(s) must for the end users to assess the apps’ privacy properties. For be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific the cloud domain, we introduce PatrIoT, a private-by-design permission and/or a fee. Request permissions from [email protected]. IoT platform that extends a dataflow programming model Middleware ’20 Doctoral Symposium, December 7–11, 2020, Delft, Netherlands to the cloud. It leverages Intel SGX to prevent unauthorized © 2020 Copyright held by the owner/author(s). Publication rights licensed access to the sensor data when processed at an untrusted to ACM. cloud environment, and offers the end users an intuitive ACM ISBN 978-1-4503-8200-7/20/12...$15.00 security abstraction named flowwall which allows them to https://doi.org/10.1145/3429351.3431750 Middleware ’20 Doctoral Symposium, December 7–11, 2020, Delft, Netherlands Igor Zavalyshyn App Graph (1) Rule type? Allow Block Motion HTTP IPCamera App Code frame Detection motion motion Request (2) event Sandbox detected Source? Data type? Sink? When? Anywhere Image Anywhere Time 12h-14h Figure 1. Element graph of a MotionAlert app. IP Cameras (3) Video (4) Web sites (5) LivRoomCam Audio Dropbox Day specify flexible yet effective policies for controlling sensitive FrontDoorCam Everything Any Wednesday sensor data flows within the apps they install. Finally, for AllCameras the mobile domain, we propose Flowverine [2], a system for building privacy-aware mobile apps handling sensitive IoT data on Android phones. Flowverine adapts the dataflow Figure 2. Schematic representation of the UI workflow to specify programming model to a more complex Android program- a privacy rule using dataflow model. ming and runtime environment, and uses Aspect-Oriented Programming (AOP) for dynamic taint analysis. Policy specification and rule syntax: Since the app de- Complementary to these three systems, we introduce ad- scribed above requires access to both camera and the net- ditional techniques that aim to enhance the security and work, the user will want to make sure that the app cannot privacy properties of IoT systems using N-version program- leak raw camera images to the security company. To pre- ming and software hardening. Next, we provide more details vent that, he can specify a ‘block’ privacy policy rule with a on the proposed dataflow programming model, developed particular camera (e.g. LivRoomCam) selected as a source, systems, and complementary security enhancing techniques. an Image data type, and the Internet sink (to denote any web host). More concretely, a privacy policy consists of a 2 Dataflow Programming Model sequence of allow / block rules which are evaluated sequen- Our idea of a private-by-design IoT system is one where the tially and applied atomically by the underlying application end users retain full control over their IoT device data, and runtime. In general, the format of a rule is as follows: can decide themselves on how this data can be shared and allow j block hdata type listi from hsource endpoint listi processed by various IoT apps and services. Unfortunately, to hsink endpoint listi [at htime period listi] a permission-based access control model used in existing IoT systems can only control the range of devices an app The keywords “allow” or “block” indicate the rule type, can interact with, and fails to capture apps’ data process- i.e., whether the rule allows or disallows the data flows ing and sharing capabilities. As a result, the apps are often matched by the rule, respectively. The data type list indi- overprivileged and may leak sensitive sensor data. cates one or multiple types of data to be matched. They can API based on element graphs: The dataflow programming be simple types, e.g., Video, or the wildcard Everything to indi- model aims to address the problem of permission-based sys- cate all possible simple types. The keywords “from” and “to” tems. It provides easy-to-use programming abstractions for are followed by a list of source and sink endpoints, respec- IoT developers to build privacy-aware apps with all inter- tively, that may specify individual devices, e.g., LivRoomCam, nal data flows made explicit and easy to analyze. Theapp types of devices, e.g., IPCamera to refer to all IP cameras, is implemented as a directed elements graph, in which ele- or include wildcards, such as Anywhere to refer to any valid ments represent functional units offered by the system itself endpoint. Optionally, it is possible to specify temporal restric- (as part of an API) or implemented by the app developer, tions by using the keyword “at” followed by a time period, and the edges describe the only paths through which data e.g., “12:00-14:00”, and one or multiple weekdays. can flow within an app. With each element having awell- User interface for policy specification: To simplify the defined specification, both in terms of interface and expected process of policy rules specification, our dataflow model ex- behavior, such element-based app structure allows for sound poses a simple UI that guides the user along a five step pro- and efficient data flow tracking. To illustrate our program- cess (see Figure 2) and allows to reason in terms of privacy- ming model, consider an element-graph of a MotionAlert sensitive/insensitive data flows the user wants to be blocked app at Figure 1.
Load more

Recommended publications
  • Secure App and Data Delivery
    White Paper Secure app and data delivery - across devices, networks, and locations How Citrix Virtual Apps dramatically simplifies data protection, access control, and other critical security tasks Citrix | Secure app and data delivery 2 Most discussions of application and Growing IT security challenges desktop virtualization focus on cost Corporate IT groups are continuously challenged to support critical new business initiatives and improve reduction, simplifying IT operations, and end user computing experiences, while facing limited increasing convenience for employees. budgets and mounting pressures to improve information These factors are extremely important, security. Many of these challenges involve making computing resources easier to utilize, regardless of but IT professionals should not overlook physical and geographical boundaries. Employees are the immense impact of workspace demanding the following: virtualization on information security. • Work anywhere, with a consistent experience, from In fact, application and desktop PCs, laptops, tablets and smartphone virtualization have profound advantages • Freedom from rigid IT security controls that restrict for key security functions such as performance and inhibit productivit data protection, access control, user • Access to corporate data and self-provision provisioning and compliance. They can applications on-demand also give administrators extremely Rethink Security granular control over how employees, Clearly these trends are not sustainable with current contractors and business partners use approaches to security and remote access. How can IT and share application data. groups provide easier access to resources, in the face of more sophisticated threats, with multiplying endpoints to defend? And the challenges are not just related to the quantity of end points, but to the increasing diversity.
    [Show full text]
  • Cybersecurity in a Digital Era.Pdf
    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
    [Show full text]
  • The Six Dumbest Ideas in Computer Security Marcus J Ranum
    The Six Dumbest Ideas in Computer Security Marcus J Ranum http://www.ranum.com/security/computer_security/editorials/dumb/ There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems? Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well- meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
    [Show full text]
  • Secure by Design, Secure by Default: Requirements and Guidance
    Biometrics and Surveillance Camera Commissioner Secure by Design, Secure by Default Video Surveillance Products Introduction This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Biometrics and Surveillance Camera Commissioners (BSCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design. It also contains certain component requirements that will ensure a configuration that is Secure by Default when the component is shipped, thereby making it more likely that the system will be installed and left in a secure state. This guidance forms part of a wider suite of documentation being developed as part of the SCC Strategy, in support of the SCC Code of Practice. Background and Context The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred. The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a username and password being set by the manufacturer as ‘admin’) and poor security configuration of devices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix. An evolution of Mirai, called Reaper, has also been discovered. Reaper used publicly and easily available exploits that remained unfixed (patched) and highlighted the problem around non patching of known security vulnerabilities, allowing attackers to utilise them to cause harm.
    [Show full text]
  • From Insider Threats to Business Processes That Are Secure-By-Design∗ Dieter Gollmann† Hamburg University of Technology Hamburg, Germany [email protected]
    From Insider Threats to Business Processes that are Secure-by-Design∗ Dieter Gollmanny Hamburg University of Technology Hamburg, Germany [email protected] Abstract We argue that insider threat is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term insider in its literal interpretation loses meaning in a context where there are no stable perime- ters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT, have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities. We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers rather than for the deployment of secure IT infrastructures. Keywords: Insider threats, business process, IT security 1 Introduction Security is a fashion industry. Ever so often a new buzzword gets adopted that dresses up issues that had been around for a long time. Insider threats are an example in case. This term has entered discourses about security in recent years, reaching also into the research community, see e. g. [1, 2, 3]. However, the observation that threats to an organization can emanate from insiders is old news in IT security. Back in the early 1990s depending on whom you asked, 70%, 80%, or 90% of security incidents in commercial entities were due to insiders, where counts may have referred to the number of incidents or to the size of the damage.
    [Show full text]
  • Secure by Design White Paper
    WHITE PAPER Secure by Design: UniPrint Infinity’s Multi-Layer Approach to Cloud Printing Security © Process Fusion The moving of IT infrastructure up to the cloud usually results in companies being obliged to give up monitoring of their IT, with this being delegated to third-party vendors. Naturally, the thought of losing security controls over sensitive corporate data leads to decision-makers raising concerns surrounding the security of their files in the cloud! UniPrint Infinity’s innovative product empowers users with end-to-end cloud printing security. With its multi- layer approach, UniPrint Infinity secures your cloud printing architecture from all angles. This whitepaper will discuss the four key security features offered by UniPrint’s cloud printing solution. One Virtual Print Queue In today’s IT-driven enterprise world, user-friendliness, cost-savings, and enhanced security protection are paramount to the success of any organization! Enterprises must ensure that all their IT systems and related workflows incorporate all three of these features. Printing, over the course of time, has developed a reputation of being a source of pain for both enterprise employees and administrators. With complicated user interfaces, poor user experience, issues with driver misconfigurations, printer mapping errors, print data security concerns, and network maintenance costs, enterprise printing has been a nightmare for everyone involved. The advent of cloud printing has helped to solve some of these issues, with organizations moving their infrastructure to the cloud, effectively lowering costs and eliminating printer mapping and related misconfiguration issues. UniPrint Infinity’s Virtual Print Queue (VPQ) adds a whole new level of security to cloud printing! The implementation of UniPrint’s VPQ to your cloud printing environment means users printing from cloud environments such as Microsoft Azure send their print jobs to a single virtual print queue when they print from their workstations or mobile devices.
    [Show full text]
  • Proficy Webspace 6.0 from GE Digital
    Proficy Webspace Version 6.0 from GE Digital Deliver advanced control and visualization over iPad, Android, and a Web browser Increase operator agility and Extend your HMI/SCADA with the 01 power of the Industrial Internet effectiveness to improve business Proficy Webspace extends 100% of your iFIX and CIMPLICITY system Performance viewing and control abilities into a Web browser or tablet. A “zero- install” HTML5 client allows you to your applications from popular Web Proficy Webspace from GE Digital offers an easy-to-use, full-featured browsers on Windows, Mac, and Linux computers. For MAC OS X users, Web and mobile client that enables you to extend, expand, and enhance a dedicated app multi-monitor support, client sound, and Max OS X your new or existing iFIX or CIMPLICITY applications systems from GE Gatekeeper support Digital. It enables full control and visualization over your company Proficy Webspace doesn’t compromise your proven applications, Intranet or secure Internet without the need to change or alter your graphics, or functionality— providing a full-featured client and delivering software application and can be set up within minutes. comprehensive functionality over a browser. With Proficy Webspace, you can reduce costs, improve time to action, Increase information sharing with and expand analytic capability—driving sustainable advantages across 02 flexible, secure-by-design technology all levels of your business, including management, operators, With support for up to 70 simultaneous clients, Proficy Webspace engineering, and IT levels. enables new and existing systems to be dynamically expanded across the facility or globe. The solution enhances your user experience with Outcomes the ability to run multiple Webspace clients and view many systems from one point.
    [Show full text]
  • Secure by Design?
    SECURITY BY DESIGN by M. James Tanner A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science University of Advancing Technology August 10, 2009 © M. James Tanner, 2009 SECURITY BY DESIGN by M. James Tanner has been approved August 10, 2009 APPROVED: VICTORIA SCHAUFUSS, PhD (ABD), Chair GREG MILES, PhD, CISSP, CISA, CISM, IAM, IEM, Independent Reviewer SHELLEY KEATING, MSIT, IEM, IAM, CCNA, MCSE+l, Network+, A+, CTT+, Independent Reviewer AL KELLY, MSIS, MCSA, MCSE 2000m /2003, IEM, IAM, Network+, A+, MCT, Independent Reviewer ACCEPTED AND SIGNED: __________________________________________ VICTORIA SCHAUFUSS, PhD (ABD) Abstract Securing a computer from unwanted intrusion requires astute planning and effort to effectively minimize the security invasions computers are plagued with today. While all of the efforts to secure a computer are needed, it seems that the underlying issue of what is being secured has been overlooked. The operating system is at the core of the security issue. Many applications and devices have been put into place to add layers of protection to an already weak operating system. Security did not used to be such a prominent issue because computers were not connected 24/7, they used dialup and did not experience the effects from connecting to multiple computers. Today computers connect to high speed Internet and seem useless without access to email, chat, Internet, and videos. This interconnectedness of computers has allowed the security of many computers to be compromised because they have not been programmatically secured. The core component of computer security might best be done through security layers protecting the operating system.
    [Show full text]
  • Building Secure and Reliable Systems
    Building Secure & Reliable Systems Best Practices for Designing, Implementing and Maintaining Systems Compliments of Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea & Adam Stubblefi eld Praise for Building Secure and Reliable Systems It is very hard to get practical advice on how to build and operate trustworthy infrastructure at the scale of billions of users. This book is the first to really capture the knowledge of some of the best security and reliability teams in the world, and while very few companies will need to operate at Google’s scale many engineers and operators can benefit from some of the hard-earned lessons on securing wide-flung distributed systems. This book is full of useful insights from cover to cover, and each example and anecdote is heavy with authenticity and the wisdom that comes from experimenting, failing and measuring real outcomes at scale. It is a must for anybody looking to build their systems the correct way from day one. —Alex Stamos, Director of the Stanford Internet Observatory and former CISO of Facebook and Yahoo This book is a rare treat for industry veterans and novices alike: instead of teaching information security as a discipline of its own, the authors offer hard-wrought and richly illustrated advice for building software and operations that actually stood the test of time. In doing so, they make a compelling case for reliability, usability, and security going hand-in-hand as the entirely inseparable underpinnings of good system design. —Michał Zalewski, VP of Security Engineering at Snap, Inc. and author of The Tangled Web and Silence on the Wire This is the “real world” that researchers talk about in their papers.
    [Show full text]
  • Improving the Cyber Security of Consumer Internet of Things Report
    Secure by Design Report Secure by Design: Improving the cyber security of consumer Internet of Things Report Secure by Design Report Contents Foreword by the Minister for Digital and Creative Industries Executive Summary 1. The Internet of Things (IoT) - new opportunities and risks for consumers 2. Context of the Review 3. Promoting a Secure by Design Approach to Consumer IoT Security 4. Code of Practice for Industry on Consumer IoT 5. Supporting Actions by the Government and Industry 6. Building an International Consensus 7. Conclusion 8. Annex A: Glossary of Terms 9. Annex B: Options Analysis Summary 1 Secure by Design Report Foreword As we deliver our vision for the UK to be the safest place to live and do business online, it is critical that we make sure the internet works for everyone. That means, as Government and industry work together to ensure we protect the UK from cyber attacks, we must also reduce the burden on end users by embedding effective cyber security Margot James practices at every stage of a Minister for Digital and Creative Industries connected product’s life cycle. Increased connectivity via the internet of things (“IoT”) provides fantastic opportunities for the UK. A key part of this Government’s ambition is to expand on the aspirations set out in our Digital Strategy through enhancing our status as an international leader in the development and uptake of IoT. However, we must ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity.
    [Show full text]
  • Certified Security by Design Using Higher Order Logic
    Certified Security by Design Using Higher Order Logic1 Shiu-Kai Chin and Susan Older Department of Electrical Engineering and Computer Science Syracuse University, Syracuse, New York 13244 Fall 2018 Version 2.0 (August 2018) 1The development of this book was partially supported by the US National Science Foundation (Award #1245867). 2 VERSION 2.0 Copyright © 2018 by Shiu-Kai Chin All rights reserved. No part of this publication may be reproduced, stored, or transmitted in any form without permission of the author In memory of Lockwood Morris for his unwavering support To the engineers and computer scientists who design and deliver the systems on which we depend 4 VERSION 2.0 Contents Preface 15 I Introduction and Motivation 17 1 Introduction 19 1.1 What this book is about . 19 1.2 Our audience . 20 1.3 What computer engineers and scientists need to know . 21 1.4 Certified Security by Design . 22 1.4.1 Concepts of Operation . 22 1.4.2 A motivating example . 24 1.4.3 What you will learn . 25 II Lab Exercises: Introduction to ML 27 2 Getting Started with Linux, ML, and Emacs 29 2.1 Getting set up . 29 2.2 Looking around using Linux commands within a terminal . 30 2.3 Starting HOL and Evaluating ML Expressions . 31 2.4 Starting Emacs . 32 2.5 Exercises . 34 3 An Introduction to ML within HOL 37 3.1 Values and Types in ML . 38 3.2 Compound Values . 42 3.3 Value Declarations . 44 3.4 Exercises . 49 4 Functions in ML 51 4.1 Functions, Evaluation Rules, and Values .
    [Show full text]
  • Apple at Work Platform Security
    Apple at Work Platform Security Secure by design. At Apple, we care deeply about security—both for the user and for protecting corporate data. We’ve built advanced security into our products from the ground up, making them secure by design. And we’ve done this in a way that’s in balance with a great user experience, giving users the freedom to work the way they want. Only Apple can provide this comprehensive approach to security, because we create products with integrated hardware, software, and services. Hardware security Secure software requires a foundation of security built into hardware. That’s why Apple devices—running iOS, iPadOS, macOS, tvOS, or watchOS—have security capabilities designed into silicon. These include custom CPU capabilities that power system security features and silicon dedicated to security functions. The most critical component is the Secure Enclave coprocessor in modern iOS, iPadOS, watchOS, and tvOS devices and in all Mac computers with the Apple T2 Security Chip. The Secure Enclave provides the foundation for encrypting data at rest, secure boot in macOS, and biometrics. All modern iPhone, iPad, and Mac computers with a T2 chip include a dedicated AES hardware engine to power line-speed encryption as files are written or read. This ensures that Data Protection and FileVault protect users’ files without exposing long-lived encryption keys to the CPU or operating system. Secure boot of Apple devices ensures that the lowest levels of software aren’t tampered with and that only trusted operating system software from Apple loads at startup. In iOS and iPadOS devices, security begins in immutable code called the Boot ROM, which is laid down during chip fabrication and known as the hardware root of trust.
    [Show full text]