Security Consideration for
Set-Top Box SoC
Wesley Li, 12/2016
Summary
• Current Trend on Set-top Box SoC Market
• Security Is Getting Complicated
• Trust Levels on Different HW/SW Architecture
• Why Bother with Security Processor?
• Consideration from Marketing to Hardware and System
Software
• Goal: The Complete System Level Security Solution
Current Trend on Set-top Box SoC Market
• Service providers need isolated environments running DRM and
Conditional Access (CA) for security reasons.
• Therefore, a hardware-based Trusted Execution Environment (TEE) is
necessary, especially on an open platform like Android
• That means a secure OS environment on a security processor is
needed for security applications, flexibility and extensibility.
Security is Key Differentiator on STB SoC
Security Is Getting Complicated
Conditional Access (CA) Meets Open Platforms
• CA on an open platform like Android is dangerous
• Smartcard-less CA is the dream of service providers
• Secure API for security or service providers to hide their secrets is key
DRM Is Getting “Harder” (Hardware Support Is Necessary)
• Secure storage for keys or binary without host CPU access is a must
• Secured Video Path (SVP) without host access on encrypted and decrypted
video contents became mandatory for 4K contents
• Hardware unique key provisioning per device is extremely critical
System-Wide Security
• Firmware binary protection, secure boot and monitoring are needed
• Process and memory isolation are just basic requirements
Hard-wired Security Is Not Enough
Trust Levels on Different HW/SW Architecture
Virtualization < TrustZone < Security Processor
+ General open source implementation
+ Multiple guest OSes flexibility
+ Security specific execution space
+ System-level security on CPU, memory, interrupt, crypto, etc.
+ Proprietary API for enhanced security
+ External memory isolation with hardware enforcement
+ True TEE-based security algorithms
+ Proprietary crypto and key provisioning
+ Extensibility for vendor specific implementation
- Complexity on VM synchronization with hypervisor
- Limited peripheral access
- Performance impact on additional guest VM
- No security specific hardware optimization
- Lots of known attacks
- Simple secure software required
- DRM and CA may not be secure enough
- High overhead on context switching
- Complicated system software design
- Time to market
Why Bother with Secure Processor?
• Security Processor should be:
  • a dedicated CPU core inside STB SoC
  • running a secure RTOS and secure applications including DRM, CA, key
  management, etc.
  • communicating with host CPU through secure and proprietary interface
• Security Processor can provide:
  • secure boot, secret storage, priority crypto access and restricted
  memory access for security and SVP hardware
  • true system-level Trusted Execution Environment (TEE)
  • hardware-based memory isolation from rich OS such as Android, Linux
• Benefits for the system manufacturer:
  • Rely on hardware root of trust for crypto keys and secure boot
  • Better security than TrustZone
  • Smartcard-less CA and CA on Android platform
  • Hardware DRM support such as Widevine Level 1 and PlayReady 3.0
Consideration from Marketing to Hardware and
System Software
Marketing
- Collect info from security vendors or partners
- Collect marketing requirements for security
- Define system architecture for security
Hardware Requirement
- Co-processor for secure OS and applications
- Priority access on crypto engine and secure host i/f
- Secure boot, secure storage and binary protection
System Software Consideration
- Easy use of secure processor interface and API
- Secure memory region for secure processor and SVP
- CA and DRM implementation and key provisioning
Goal: The Complete System Level Security Solution
• Complete System Security:
  • Security Processor provides hardware level security, also flexibility and
  extensibility
  • Hardware memory isolation for DRM/CA, firmware protection and SVP
  • Key provisioning for unique hardware protection
• System Software Knowledge:
  • Streaming integration including DASH, HLS, Smooth Streaming
  • Whole-home streaming with DTCP-IP, external PVR
• Hardware DRM/CA/Crypto Support:
  • Widevine Level 1, PlayReady 3.0 and Adobe PrimeTime
  • NDS, Nagra, Irdeto, Verimatrix, Alticast, etc.
  • RSA, TLS, OpenSSL, RNG, HDCP 2.2, forensic watermarking
System Level Security with Security Processor
