Cog’s tech is now embedded in Qualcomm’s chips

Today is a big day for Cog Systems as we can finally announce a great leap forward in our vision to make foundational security in IoT the norm, rather than best practice.

Our team is on a mission to secure the world’s IoT devices, and enable compelling virtualisation use cases. Our partnership with Qualcomm means our technology will be easily available for a very large segment of IoT device makers.

Qualcomm has embedded Cog’s D4 Secure technology in their Snapdragon chips, including the recently released 855 chip. This means any device maker using a Snapdragon chip need only get in touch with Qualcomm or our team to turn on our defence-grade security.

What is exciting about this is that by having great foundational security we take care of limitations that prevented OEMs from creating new and innovative products using technology like AI and machine learning for biometrics, or real-time processing (which robots and autonomous vehicles need). This is particularly important where they seek to combine different technologies together but leverage our security to keep them separate from one another.

It’s a result of many months of careful due diligence with Qualcomm and years of engineering. I’m incredibly proud of the Cog team.

This partnership is a really important step for IoT because while there has been excellent innovation in IoT security over recent years, most of the work has been focused on solving specific problems. This is needed, but most of the solutions have addressed symptoms rather than the root problem, because no product is truly secure without foundational security.

A good example of this is some of the great encrypted and secure messaging apps. These are important, but if the device itself is compromised or vulnerable, their security benefits are minimal.

Securing the core of a device is a must-have for IoT, not a nice-to-have. The major risk to our current IoT environment is how vulnerable it is to attacks, bad actors and bugs. This insecurity is holding the industry back from truly life-changing innovations, such as autonomous cars and entirely automated smart medical devices.

There have been hacks and attacks, and there will be many more if device makers don’t secure the core of their products. We know from computers and smartphones that hacks, bugs and viruses can and will cause huge issues in the IoT industry. The good news is we also know from these previous technologies that foundational security, such as the virtualisation of the cloud, is possible.

Our vision for Cog is to achieve for IoT what VMware achieved for cloud computing. Thanks to their success, no one thinks it’s remotely risky to have fiercely competitive products hosted on the same cloud infrastructure. The fact we can have both Coke and Pepsi on Amazon Web Services is evidence of security and virtualisation done right. They do this through having separate virtualised machines, which is part of the approach Cog uses also.

Virtualisation is a building block for great security. The complication with mobile and IoT is the software needs to be lean and light so it doesn’t impede performance so much it stops people from using it. A lot of these existing virtualisation solutions are very big in their code size and software, which not only impacts performance but also has a higher chance of both threat vectors and bugs.

Security has been an afterthought for virtualisation companies so far, but for Cog it’s our core business – it’s embedded because you need both security and performance.

We are only in the very early stages of our hyper-connected future. In less than two decades we’ve gone from desktop-only computing to extraordinarily powerful smartphones in our pockets, to having an average of 75 connected devices in our homes (according to Gartner).

The risk is significant, urgent and impossible to entirely contain. Cog, with its Qualcomm-validated technology, has emerged as the first truly foundational security solution for the IoT. We’re preventing millions of attacks, so our direct customers, as well as anyone with a Qualcomm Snapdragon chip that activates their Cog tech, can focus on accelerating the rate of innovation in the IoT, enabling products we haven’t been able to imagine yet because the security issues have been so significant.

Cog Q&A: Gernot Heiser, the Godfather of Modularity

For those of us in the business of devices, Gernot Heiser needs no introduction. But for the rest of you, here’s a summary:

Gernot’s primary occupation is leading research in Trustworthy Systems, aiming to make software systems truly trustworthy. He also teaches Advanced Operating Systems at UNSW, a course that has its own prize for the best-performing student, the Advanced Operating Systems Alumni Prize.

In 2006 he founded Open Kernel Labs (OK Labs) for commercializing L4 microkernel technology developed in his research lab. He served as Chief Technology Officer from 2006–2010, and as a Director from 2006 until OK’s acquisition by General Dynamics in August 2012.

Gernot’s trailblazing work in the microkernel industry has led some of us around here to nickname him the “Godfather of Modularity,” and I had the privilege to catch up with him for a quick conversation.

Gernot, care to weigh in on the monolithic vs. modularity debate for device design?

Sure, that’s easy. The monolithic OS design model, used by Linux, Windows, macOS, is fundamentally and irreparably broken from the security standpoint.

Security is only achievable with a microkernel design that minimizes the “trusted computing base” (TCB), i.e. the part of the system on which security depends. Ideally the microkernel is verified, mathematically proved correct, as in seL4. That is only feasible with a really small system. Systems like Linux have a TCB that is far too large and complex to get right; they are inherently full of security holes. Their use in security- or safety-critical applications is at best grossly negligent and should be considered professional malpractice. It must stop.

And you have some serious research to back this up. Tell us about it.

Absolutely. I recently performed an analysis of Linux vulnerabilities listed as critical – meaning it is easy to exploit and leads to full system compromise, including full access to sensitive data and full control over the system.

For each of those vulnerabilities we analyzed how it would be affected if the attack were performed against a feature-compatible, componentized OS. In other words, an application running on this OS should only be dependent on a minimum of services required to do its job, and no others.

We evaluated all Linux vulnerabilities that had been classified “critical”, a total of 112 vulnerabilities.

You have my attention – what was the result?

Well, for starters, only 5 compromises (4%) were not affected by OS structure.

29% were eliminated simply by implementing the OS as a componentized system on top of a microkernel! The example I like to give is if a Linux USB device driver is compromised, the attacker gains control over the whole system, because the driver runs with kernel privileges. In a well-designed microkernel-based system, only the driver process is compromised, but since our application does not require USB, it remains completely unaffected.

Wow. What else did you uncover?

A further 11% of the vulnerabilities are eliminated if the underlying microkernel is formally verified (proved correct), as we did with seL4. These are exploits against functionality, such as page-table management, that must be in the kernel, even if it’s a microkernel. A microkernel could be affected by such an attack, but in a verified kernel, such as seL4, the flaws which these attacks target are ruled out by the mathematical proofs.

So, taken with the previously mentioned 29%, we proved that 40% of the exploits would be completely eliminated by an OS designed based on seL4.

So, the case for modularity keeps building.

Definitely. We also found that another 17% of exploits are strongly mitigated. These are the kinds of attacks where a required component, such as a NIC driver or network stack, is compromised, and as a result compromises the whole Linux system, while on the microkernel it might lead to the network service crashing without being able to compromise any data.

So if my math is correct, 57% of attacks are either completely eliminated or reduced to low severity?

That’s absolutely correct.

Gernot, thanks for your time and data as it relates to device vulnerability. Where can readers learn more about what you’re up to?

Thanks, Carl. People can find me at https://microkerneldude.wordpress.com/
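The classification Gernot describes above, as an added example that is not part of the interview: each vulnerability is tagged with the component it lives in, and the script asks whether an application with a minimal dependency set would be affected under a componentised OS, and whether a verified kernel would rule the flaw out. The component names, the application's dependency set and the sample vulnerabilities (placeholder ids, not real CVEs) are all constructed for illustration.

```python
# Added example: toy model of the "feature-compatible componentized OS" analysis.
# Component names, APP_DEPENDENCIES and the SAMPLE set are constructed assumptions.
from collections import Counter

# What the application actually needs (constructed: a network-facing app that
# never touches USB, GPU or the filesystem).
APP_DEPENDENCIES = {"network_stack", "nic_driver", "microkernel"}

# Functionality that must stay in the kernel even in a microkernel design
# (page tables, scheduling, IPC). A verified kernel rules out flaws here.
KERNEL_CORE = {"microkernel"}

def classify(vuln, app_deps=APP_DEPENDENCIES, kernel_verified=True):
    """Bucket one vulnerability for this application.

    vuln: dict with 'id', 'component' and 'in_app' (True when the flaw is in
    the application's own code, where no OS structure can help).
    """
    if vuln["in_app"]:
        return "unaffected by OS structure"
    comp = vuln["component"]
    if comp not in app_deps:
        # Monolithic: the driver runs with kernel privilege, so the whole
        # system falls. Componentised: only an unused service is compromised.
        return "eliminated by componentisation"
    if comp in KERNEL_CORE:
        return "eliminated by verification" if kernel_verified else "kernel compromise"
    # A required service is compromised: total compromise on a monolithic OS,
    # but on a microkernel that service crashes or misbehaves in isolation.
    return "strongly mitigated"

def summarise(vulns, **kw):
    """Map each bucket to (count, percentage of the whole set)."""
    counts = Counter(classify(v, **kw) for v in vulns)
    total = len(vulns)
    return {k: (n, round(100 * n / total)) for k, n in counts.items()}

# Constructed sample set; ids are placeholders, not real CVEs.
SAMPLE = [
    {"id": "V-1", "component": "usb_driver", "in_app": False},
    {"id": "V-2", "component": "gpu_driver", "in_app": False},
    {"id": "V-3", "component": "microkernel", "in_app": False},
    {"id": "V-4", "component": "nic_driver", "in_app": False},
    {"id": "V-5", "component": "app", "in_app": True},
]

if __name__ == "__main__":
    for bucket, (n, pct) in summarise(SAMPLE).items():
        print(f"{bucket}: {n} ({pct}%)")
```

Swapping in a different dependency set (for example one that needs USB) moves vulnerabilities between the "eliminated" and "strongly mitigated" buckets, which is the per-application nature of the analysis.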

WARNING: A Cybersecurity Revolution is Upon Us, With Consumers Taking the Power Seat

The world today has entered into a new era where consumers and enterprise alike have come to expect cyber attacks. However, as attacks become more severe with greater reach, a power shift is occurring among consumers who are losing trust in the enterprise and government to protect their privacy and data. Now, consumers are choosing to leverage their power and make choices based on their confidence in security.

Increased Attacks and Lack of Trust are Fueling the Revolution

The PwC survey conducted in 2017 measuring consumer perceptions around cybersecurity and privacy risks demonstrates that a revolution is upon us and the findings are telling:

  • Just 25% of respondents believe most companies handle their sensitive personal data responsibly. Even fewer—only 15%—think companies will use that data to improve their lives.
  • Only 10% of consumers feel they have complete control over their personal information.
  • 88% of respondents say the amount of data they share with a company depends on how much they trust it.

So how could this revolution impact you? Manufacturers and enterprises serving these consumers will pay the ultimate price as 85% of respondents surveyed say they will not do business with a company if they have concerns about its security practices.

Prioritizing Cybersecurity

I’ve said it before and I’ll say it again: today’s manufacturers and enterprises can no longer afford apathy and lip service when it comes to cybersecurity. It needs to be in the forefront of your business strategy, which should include adopting and implementing proven security tactics that address consumer concerns to gain their loyalty. This applies to mobile, but especially IoT.

At Cog, we firmly believe that the world’s connected and IoT devices can be secured by leveraging virtualization at the architecture level. This is the only way to engineer tomorrow’s connected marketplace to deliver security and productivity.

How to Address Cybersecurity Unforced Errors in 2019

Looking back on the progress that the cybersecurity industry made in 2018, I remain optimistic that advancements will continue over the next year ahead. But there were some big misses that the industry made where we all share some accountability.

From my perspective, there were some unforced errors in 2018 that have continued to plague our industry. What does this mean going into 2019? Read on…

Apathy

We hear about data breaches almost every day, so it’s no surprise that cyber fatigue is plaguing consumers, government and enterprise alike. In fact, a recent survey found that one in three government employees believed they were more likely to be struck by lightning than to have their work data compromised.

Government and enterprise have created an environment and a culture that is nothing short of numbing to the public. We remain indifferent until we hear about cyber attacks like the latest “Collection #1,” which has exposed a record breaking 773 million email addresses and 21 million passwords. Perhaps a breach like this will awaken consumers to DEMAND more from the businesses and organizations who hold personal information with such clear disregard.

Lip Service

Over the course of my travels this past year, I’ve had the opportunity to hear some of the smartest people in the business talk about cybersecurity. The themes are all the same – huge growth, big problem, critical need, market demand, essential to our future, and investment in all kinds of time and money to solve the problem.

This is not isolated to just consulting firms (we expect them to be hyperbolic), but extends to some of the leading technology companies in a position to directly impact the industry in a huge way. These big players have slideware that is impressive, spectacular even, yet it’s still just talk. I contend the single most common element of all this talk is simple: “the problem is big, and you better pay attention. However, I have no practical solutions for you today, but don’t worry, we are working on it.”

Cybersecurity Needs to Show Business Value

Apathy and lip service are just two of many key drivers that affect any culture. But wait, there’s more. The reality is evident in the facts. Since the CISO is still a fairly new position, they are rarely invited to a seat in the boardroom or even report to the CEO. When it comes to budget, holiday celebration expenditures have a better chance of getting approved than the newest cybersecurity tool.

So what can any good organization do to address these issues while we wait for the public to assemble and protest? Make a change. That means elevating cybersecurity so that it shows itself to be a profit center with measurable business value. This is the opportunity we must work to embrace.

Here at Cog, our tagline is all about security via the virtualization of IoT. Yet, our customers find the value in the measurable ROI that they incur through the use of our technology, and security just comes along for the ride. The approach to security must be proactive and demonstrate real value to the business by minimizing risk, reducing cost and improving performance. All of this leads to company profit, which is how the CISO earns a seat in the boardroom. If we do that, then we can break through the apathy and lip service that has become our new reality.

In spite of it all, I still have nothing but optimism for the future. It’s a good time to be bold and elevate cybersecurity to a new level that will eventually change the industry and the world for the better.

Cog Joins GSA IoT Security Working Group

Addressing today’s IoT security challenge takes more than technology solutions. It requires experience, industry knowledge and expertise, collaboration and creativity. Most importantly, it takes a group of leaders that share a common goal.

Today, we are honored to announce that Cog has become a member of the Global Semiconductor Alliance (GSA) and the GSA IoT Security Working Group. The GSA IoT Security Working Group was established to address end-to-end issues in IoT Security. It is comprised of various IoT ecosystem security stakeholders including chipset vendors, platform companies, cloud vendors and service providers. The goal is to promote best practices on IoT Security, share information on threats and attacks, define security requirements and inform standards bodies.

In collaboration with the other members of the GSA IoT Security Working Group, Cog is honored to have the opportunity to lead a project focused on using Rich Execution Environments to drive enhanced security on End-Point Devices. This is but one of the many projects currently under sponsorship of the GSA, but it is critical to supporting the industry with recommendations on standards and best practices to secure the rapidly expanding number of IoT devices being deployed in the home, workplace, and manufacturing segments.

As cyber threats and attacks continue to become more aggressive and complex, organizations like the GSA will be critical to staying ahead of the hackers and providing the IoT industry with a security framework based on best practices and standards. We look forward to being a part of that effort and contributing to improving IoT security for enterprise and consumers alike.