
Rajesh Kakde Senior Windows Embedded Consultant Adeneo Corporation Session Code: WEM302.

Date post: 24-Dec-2015

Developing Devices with Windows Embedded CE 6.0 for Critical Security Markets

Rajesh Kakde
Senior Windows Embedded Consultant
Adeneo Corporation
Session Code: WEM302


Agenda

Adeneo at a glance
Securing a Windows Embedded CE device
Security markets: overview and trends
System architecture for secured devices using Windows Embedded CE


Adeneo at a Glance

Gold partner with MSFT on firmware and application development

Involved in CE development since 1998

Strong partnership with SVs and board manufacturers

Edition of BSP with maintenance & support to secure reliability

Training and consultation services

BSP, drivers, application development & turnkey services

2007 Excellence Awards

Systems Integrator

ISV/Software Solutions

Mobility Solutions


Securing a Windows Embedded Device

Trusted environment features

Secured shells

Windows Embedded CE Secured Devices

Open platforms

Semi-open platforms

Closed platforms


Windows CE Trusted Environment

Modules execute either in user or kernel mode

Critical APIs available only for kernel mode modules

All applications (.exe) executed in user mode

Only libraries (.dll) can execute in kernel mode

Certification function implemented in a dedicated module of the kernel

Allows restricting execution to certified applications

CertMod.dll in public\common\oak\drivers\security\certmod


Windows Embedded CE Secured Shells

Handles user interaction with the system

Command shell vs. graphical shell
Local shell vs. remote shell
Mono applications vs. multi applications

Components of a typical graphical multi applications shell

Desktop window, taskbar, task manager


Windows Embedded CE Secured Shell

Standard Windows shell: full open platform, multi applications

Final application shell: closed platform, mono applications

Secured application shell: closed or semi-opened platform, multiple applications support


Windows Embedded CE Secured Shell

Open platform device

Typical application – PDA like device

Characteristics:
  Standard shell allowing max user interaction
  No trusted environment for max flexibility

Benefits:
  Lots of flexibility for end user/third party

Security risks:
  Malware when connected to external world
  3rd party malware apps installed locally
  End user wrong usage


Windows Embedded CE Secured Shell

Closed platform device

Typical application – dedicated device

Characteristics:
  Direct application shell; mono application
  Fully trusted environment

Benefits:
  Completely secured

Security risks:
  None, if well designed


Windows Embedded CE Secured Shell

Semi-opened platform device

Typical application – dedicated device with 3rd party expansion

Characteristics:
  Direct application shell
  Trusted environment

Benefits:
  Completely secured with some flexibility

Security risks:
  None, if well designed


Security Markets Overview

Different types of markets

Critical life markets:
  Medical
  Avionics

Critical economic markets:
  Banking
  Payment

Key characteristics: Norm driven

FDA, DO178B, PCI PED


Security Markets Overview

Typical requirements

Performance – real time / deterministic

Completely secured against external access

Software piracy

Hardware piracy

100% test coverage

Need for specific certified software and hardware

Secured communication – authentication/cryptography


Security Markets Overview

Emerging Needs

More connectivity:
  Wired and wireless

More multimedia:
  Audio, video etc…

More openness:
  New markets access through third party add-ons

Incompatibility with specific certified software:
  Huge work to develop from ground-up
  Requires complete re-certification of the system


Designing Secured Devices

System architecture

Identify critical and non-critical functions

Hardware and software isolation between critical and non-critical parts

Secure the interfaces


Designing Secured Devices

Identification

Which hardware and which peripherals:
  Medical – all peripherals handling vital functions
  Payment terminal – peripherals related to PIN entry & identification

Which CPU:
  Dedicated certified ASIC for critical features
  Dedicated MCUs with specific security features

Which software:
  Proprietary or dedicated certified OS
  Proprietary or dedicated certified application
  Identify critical software functions


Designing Secured Devices

Isolation

Be certain critical part of the design cannot be corrupted by non-critical part

Hardware based isolation:
  Dedicated secured ASIC for critical part

Hardware design to ensure hardware security:
  ASIC/CPU with secured storage area for encryption keys
  Violation detections (mechanical access, tamper detections…)

Software based isolation:
  SW Hypervisor / Virtual Machine manager


Secured Device System Architecture

Securing the interfaces

Control all communication between critical and non-critical parts

Full independence between critical and non-critical peripherals

Only one interface, certified as part of critical part

Dedicated ASIC when using h/w isolation
Role of Hypervisor when using s/w isolation

Startup and update of non-secured part is controlled by secured part


Case Study: Payment Terminal

Electronic Fund Terminal

Compliant with PCI PED certification

Advanced features

Allowing PIN based bank transactions

Playing advertisement videos

Wireless communication support (Bluetooth, Wi-Fi…)


Case Study: Payment Terminal

Block diagram

[Block diagram; labels that survive: CPU, Keypad, Battery, Printer, SAM, Modem, Display, Touchscreen, USB Dev, USB Host, Bluetooth, Wi-Fi, Ethernet, SDIO, Camera, Serial, Audio, GPRS; processing blocks: ASIC / Prop. OS, ARM / CE 6.0, FPGA]


Case Study: Payment Terminal

Securing the interfaces

Only one communication interface, handled by FPGA

FPGA is critical part of the design

Communication using mailbox mechanism

Interfaces available:
  Access to secure peripherals from Windows CE
  Access to non-secure peripherals from certified OS
  Windows CE firmware update

FPGA driver on Windows CE side, with trust environment enabled

JTAG controlled by certified OS through FPGA

Windows CE firmware update handled by certified side
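
Added example, not from the original slides: the check a critical-side mailbox gate could apply so that only the three listed services cross the boundary, each in its permitted direction. The message layout, service IDs, payload limit and the assumption that update images are handed over from the Windows CE side are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical encoding: the slides name the three services, not their IDs. */
#define MBOX_PAYLOAD_MAX 64u

enum mbox_side { SIDE_WINCE, SIDE_CERTIFIED };
enum mbox_service {
    SVC_SECURE_PERIPH = 1,    /* Windows CE asks for a secure peripheral */
    SVC_NONSECURE_PERIPH = 2, /* certified OS asks for a non-secure one  */
    SVC_FW_UPDATE = 3         /* CE image handed over; certified side applies it */
};
enum mbox_result { MBOX_OK, MBOX_BAD_LEN, MBOX_BAD_SERVICE, MBOX_BAD_DIRECTION };

struct mbox_msg {
    uint8_t  service;                   /* enum mbox_service */
    uint16_t len;                       /* bytes used in payload */
    uint8_t  payload[MBOX_PAYLOAD_MAX];
};

/* 1 = this side may originate the service, 0 = wrong side, -1 = unknown ID. */
static int origin_allowed(enum mbox_side from, uint8_t service)
{
    switch (service) {
    case SVC_SECURE_PERIPH:
    case SVC_FW_UPDATE:        return from == SIDE_WINCE;
    case SVC_NONSECURE_PERIPH: return from == SIDE_CERTIFIED;
    default:                   return -1;
    }
}

/* Default-deny gate run on the critical side for every message. `from` comes
 * from which mailbox the message arrived in, never from the message itself. */
enum mbox_result mbox_validate(enum mbox_side from, const struct mbox_msg *m)
{
    int ok;
    if (m == NULL || m->len > MBOX_PAYLOAD_MAX)
        return MBOX_BAD_LEN;
    ok = origin_allowed(from, m->service);
    if (ok < 0)
        return MBOX_BAD_SERVICE;
    return ok ? MBOX_OK : MBOX_BAD_DIRECTION;
}

int main(void)
{
    /* Constructed sample: Windows CE requesting a certified-side-only service. */
    struct mbox_msg m = { SVC_NONSECURE_PERIPH, 2, { 0x01, 0x02 } };
    return mbox_validate(SIDE_WINCE, &m) == MBOX_BAD_DIRECTION ? 0 : 1;
}
```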


Case Study: Payment Terminal

System architecture

[System architecture diagram; labels that survive: WEB server, Stock Mgt Appli, Ordering Appli, .NET CF 3.5, Windows Embedded CE, Windows Embedded CE VM, vTS driver, vLCD driver, Secured Payment VM, HID Secured VM, TS driver, LCD driver, Hypervisor, ARM Based Platform w/Security capabilities, LCD, Touchscreen, Ethernet / Wi-Fi]


Summary

Windows Embedded CE provides all the mechanisms needed to build secure devices.

These mechanisms are also a key part of the design of devices for security markets, where strong certification requirements apply.

Strong system architecture using hardware or software isolation is required.


question & answer


Resources

Windows Embedded: http://www.microsoft.com/windowsembedded/en-us/default.mspx

Books for reference: http://msdn.microsoft.com/en-us/embedded/cc294468.aspx



Windows Embedded Resources

Website: www.windowsembedded.com

Social Channels: blogs.msdn.com/mikehall, blogs.msdn.com/obloch

Technical Resources: http://msdn.microsoft.com/embedded

Tools evaluations: www.windowsembedded.com/downloads


Resources

Sessions On-Demand & Community: www.microsoft.com/teched

Resources for IT Professionals: http://microsoft.com/technet

Resources for Developers: http://microsoft.com/msdn

Microsoft Certification & Training Resources: www.microsoft.com/learning


Complete an evaluation on CommNet and enter to win!


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

