Superficial thoughts, at this stage, on learning security

Foreword

Haha, in fact, I have so far only been copying and recording my predecessors' articles. I haven't produced anything useful of my own, mainly because I don't have much accumulated technical experience and I don't know what I don't know, so I have avoided writing uncertain things that would mislead myself and others.

However, I recently arranged to do some hardware learning, which is also related to security, so I have come into contact with quite a lot. Thinking it over, I should go back over the security-related things myself and set out my shallow understanding and views on security. After some thought, I decided to divide the content into two parts: the fields involved in security and the knowledge involved in security.

I don't know how much I can write, haha; I'll write freely and keep learning.

Security-related knowledge

When it comes to security, encryption algorithms are the easiest thing to think of, so cryptography must be understood. Next come open source libraries such as OpenSSL.

The second is the implementation of this algorithmic logic, for example in communication protocols. The communication protocols here include communication and Internet exchange protocols.

The last is specific business knowledge. You must know what your security is for. For copyright protection, you must know about Widevine, PlayReady, DRM, etc.; for encrypted communication, you must know about the transmission security of Wi-Fi WPA, Zigbee, BLE, etc.; for secure boot, you must understand the system's CoT (chain of trust) design; for system security, you cannot avoid security-related Linux and secure operating systems such as OP-TEE.

Of course, this is still the tip of the iceberg. It is what you come into contact with through the business, followed by a process of slow accumulation.

But the point is that there must be common ground. One product will definitely share a common base with another product, though you may never get to touch it, because a product is very large and requires many brothers and sisters working together. Those who are close to the business level may know less about the foundation. After all, human energy is limited.

So which aspects may be more common?

  • 1. Common things in business: knowledge about cryptography
  • 2. Things close to the system: Linux operating system
  • 3. Things close to hardware: ARM architecture, RISC-V architecture
  • 4. Hardware modules: RPMB memory, OTP, TRNG and other hardware modules

The fourth point covers small modules that have to be learned gradually.

So at this stage, I finally sort and summarize the points into five aspects:

  • 0. The business itself
  • 1. Common things in business: knowledge about cryptography
  • 2. Things close to the system: Linux operating system
  • 3. Things close to hardware: ARM architecture, RISC-V architecture
  • 4. Hardware modules: RPMB memory, OTP, TRNG and other hardware modules

There is one more: the business itself. Only when you understand the business itself well enough can you know why some security protection is needed, where to implement it, and what requirements implementing these protections places on the next level.

Let's take a look at the areas involved in security.

Areas covered by security

Why do you need to know these things? I think even if you don't work in security, it is worth finding out. I think that with the digital explosion, security is definitely an area of great need. Many foreign businesses have very high security requirements. However, many scenarios in China still receive little attention, such as the Internet of Things, Internet of Vehicles, and industrial networks, where security is very necessary. For example, as the quality of the people and copyright awareness improve, and with the transmission and storage of personal data, security must be considered in all of these.

So there are quite a few ways to classify security. In fact, it would be better to classify using my materials, but for one thing I am lazy, and for another, writing retrospectively like that makes my brain feel a little fuzzy.

It could be divided by field, but here I divide it vertically, in a more general way: software security and hardware security.

1. Hardware security

Hardware has always been seen as a trusted platform that supports the entire computer system, an abstraction layer responsible for running instructions passed from the software layer.

Hardware security is very important, but most of the time protection is done in software. After all, the attacks I have in mind, hacking and penetration, are all at the software level. However, as things have developed, hardware is now beginning to expose some security risks.

Hardware security is not only about protecting the hardware itself, but also about supporting software.

  • 1. Hardware Trojans: hardware Trojans attack the hardware itself; this is the hardware's own security problem
  • 2. Preventing the chip from being pirated; ensuring that the third-party IP used is genuine; whether the chip has a backdoor; and whether the chip cores have been copied by others
  • 3. Are there new devices (unconventional CMOS) that protect chip security in some respects?
  • 4. Providing lower-level protection and functional support for software security, such as the TrustZone we know

The fourth point is what software designers need to learn and understand; the previous points are what chip designers need to consider.

2. Software security

Software is a very complex framework. To avoid confusion, we first describe it in layers, and then break it down by scenario.

  • 0. Firmware layer (ATF; a firmware layer added here specifically for ATF, in an edit, haha; ATF is quite interesting and important)
  • 1. Driver layer (learn how to write drivers, and then write drivers for some security-related hardware, such as OTP, encryption modules, etc.)
  • 2. System layer (here, I think the first things to know about Linux are: Linux's own security technology (address randomization KASLR, signatures, CFI, hardened usercopy, kernel symbol table hiding HKSP, application sandbox, file system permissions, root permissions); memory security (MTE Memory Tagging Extension, XOM Execute-Only Memory, zero-initialized memory); SELinux (Security-Enhanced Linux); Samsung's RKP ("Real-time Kernel Protection"); secure OS (OP-TEE, Trusty, iTrustee, etc.))
  • 3. Application layer (code obfuscation of the application itself, process protection, signature mechanism, anti-reverse-engineering, permission control, etc.)

Let's look at the scenarios:

  • 1. Secure standby and upgrade
  • 2. Secure boot (chain of trust)
  • 3. Secure storage

In fact, any one of these, taken apart, involves a lot of knowledge. It takes time to understand all of it, not to mention that you don't get to arrange your own work content at work. Hahaha, that's the reality.

The above is my superficial understanding at this stage. Maybe after I read books and my own earlier blog posts and organize them, I will summarize it more comprehensively and in detail. But this is my honest, superficial feedback, and it expresses my understanding at this stage.

This record starts on an ordinary day at age 26; I hope not to stop, and to keep learning more. I am grateful for the excellent materials of my predecessors, and I learn standing on the shoulders of giants.

It's raining outside~~~It's good for sleeping.


Origin blog.csdn.net/weixin_45264425/article/details/130609015