Protection and Security for Facilities, Machines and Embedded Systems
Marco Blume | Product [email protected]
Rüdiger Kügler | Security [email protected]
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 2
Introduction
Current Situation
Threats for Manufacturers
Threats for Users
Current Situation
98% of all processors are used in embedded systems
More and more embedded systems are networked (Industrie 4.0)
New attack vectors for Cyber Physical Systems
IT threats for manufacturers and users
User:
Manipulation
Sabotage (intelligence services / disgruntled employees)
Intellectual Property (IP): recipes / operating parameters / patterns
Production data: machine logbook, production amount
Non-authorized access to the machine: service, incident operation / operator
Manufacturer / Machine builder:
Reproduction of a machine / Imitation of a machine
Extraction of the intellectual property
Manipulation (warranty): non-authorized updates, modification of hour meters, modification of flight records / logs
Non-authorized access to service documents
Non-authorized access to source code
The Solution - CodeMeter
Desktop Software
Embedded Devices
Programmable Logic Controllers
CodeMeter - Overview
CodeMeter Technology:
Secure key storage (Hardware / Software)
License models
Software Integration: automatic encryption / API
Backoffice Integration: license enforcement, license management
CodeMeter @ Embedded Devices
CodeMeter Embedded Driver: lightweight driver as library / source code
Cryptographic API
Basic CodeMeter features
Support of CmDongles / CmActLicenses
Wibu Protection Suite: ExProtector, AxProtector
CodeMeter @ Programmable Logic Controllers
CODESYS: boot project protection, API access, source code protection
Bernecker + Rainer: Technology Guard
Rockwell: source code protection
Wibu Protection Suite
Automatic Encryption
Encryption of Executable Code
Code Signing
Wibu Protection Suite - Overview
Platforms: .NET Standard Framework | Java SE | Java EE | Embedded Operating Systems | OS X | Windows Desktop | Linux
Features: Authorization of Software (Secure Loader) | Encryption on method level | Integrity Protection (Tamper Protection) | Automatic Protection (IP Protection)
Wibu Protection Suite products: ExProtector | AxProtector .NET | AxProtector Java | AxProtector | IxProtector
Wibu Protection Suite @ Embedded Devices
Platforms: VxWorks | QNX | Windows Embedded | Embedded Linux | Android | Windows Embedded Compact
Products per platform: AxProtector and ExProtector
Features: Authorization of Software (Secure Loader) | Individual API usage | Integrity Protection (Tamper Protection) | Automatic Protection (IP Protection)
Runtime component per platform: CodeMeter Embedded Driver, or CodeMeter Runtime where available
AxProtector .NET – Unprotected Assembly
.NET (and Java) code can be disassembled very easily
AxProtector .NET – Protection Process
Compiled Assembly: Header | Original Code
AxProtector .NET, configured with the definition of licenses and modules
Protected Assembly: Header | Stub Code (without intellectual property) | AxEngine (Security Engine) | Encrypted Code (original code with intellectual property)
The protected assembly has the same structure as the original assembly
AxProtector .NET – Protected Assembly
Code is protected now!
AxProtector – Protection Process
Compiled Executable / Library: Header | Code Section | Data Section | Resource Section
AxProtector, configured with the definition of licenses and modules
Protected Executable / Library: Header | Encrypted Code Section | Encrypted Data Section | Encrypted Resource Section | AxEngine (Security Engine)
ExProtector – Protection Process
Original Executable / Library: Header | Original Code
ExProtector, using keys for encryption and keys for code signing
Protected Executable / Library: Header | Encrypted Code | Credentials (Hash, Signature, …)
ExProtector – Keys and Credentials
Original Executable / Library: Header | Original Code
Keys for Encryption: AES Key (FSB)
Keys for Code Signing: ECC Private Key, Certificate(s)
Protected Executable / Library: Header | Encrypted Code | Credentials (Hash, Signature, …)
Credentials: Encrypted Random AES Key, Firm Code | Product Code, Hash, Signature, Certificate(s)
ExProtector – Integration into Loader
Engineering step: Modified Loader = Operating System + ExEngine (ExProtector Runtime) + CodeMeter Embedded Driver, with the Root Public Key
Original Loader = Operating System (without modification)
ExProtector – During Runtime (Load of Executable / Library)
Protected Executable / Library: Header | Encrypted Code | Credentials (Hash, Signature, …)
Memory of Embedded Device: Header | Decrypted Code | Credentials (Hash, Signature, …)
ExEngine decrypts and verifies using the Public Root Key and the license with Firm Code and Product Code
Additional Security: Watchdog
Secure Key Storage
CmDongles
CmActLicenses
License Server in Network
CmDongle – Secure Smart Card Chip
Smart card chip: protected against side channel attacks such as Differential Power Analysis (DPA)
Firmware update: new security features, new features, secure update channel
64 kByte | 384 kByte secure storage for licenses
CodeMeter – Firm Code and Product Code
License Entry = Firm Code | Product Code
Firm Code: defined by Wibu-Systems
Product Code: defined by software vendor
Each license entry can have different license options: Product Item Options (PIOs)
Up to 6,000 per CmDongle or CmActLicense
Example: Firm Code 10 with Product Code 301.000 (PIOs), Product Code 301.001 (PIOs), Product Code 301.002 (PIOs), …
Activation via Internet (Online)
Vendor and User communicate via SOAP (XML), JSON, HTTP Post
Ticket + License Request
License Update
Receipt
Activation via File (Offline)
User / Vendor
CmActLicenses
Virtual CmDongles: same features
Remote Activation
License Models / Product Item Options
CodeMeter SmartBind® for desktop systems; adapter for embedded devices
License bound to individual hardware properties
CmActLicenses – Binding to hardware
Computer (C): its Public Key is the Fingerprint
Vendor (V): creates the License File containing Data (Encryption Keys), Hash and Signature
AES Key: encrypts the Data
V signs with the Private Key of the Vendor
V encrypts with the Public Key of the computer
Key Features
Symmetric Encryption: 128-Bit AES (Advanced Encryption Standard), used for software encryption / data encryption
Asymmetric Encryption: 224-Bit ECC (Elliptic Curve Cryptography), 2048-Bit RSA (Rivest Shamir Adleman), used for signatures and authentication
Protection of Software as a Service (SaaS)
Secure Boot
Forward Check
Backward Check
Anchor of Trust
Secure Boot
Integrity Protection starts at boot
Integration into boot loader
Signature and encryption of complete operating system
Forward check and backward check (state engine) of integrity

Secure Boot
Layers, top to bottom: Application / Runtime / PLC; Operating System (VxWorks, …); Boot Loader (UEFI, …); Hardware / Pre-Boot Loader
Between each layer and the one above it: Load Check and Start Check
Forward and Backward Check
Forward check: Outer Shell verifies Hash & Signature of the Inner Shell
Backward check: Outer Shell sets state in the Trusted Device; Inner Shell checks state and uses state; any other access to the state: not allowed
Trusted Device: CmDongle or TPM
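The forward and backward check of the last two slides as an added example in Go (not part of the deck or of Wibu's products): the outer shell verifies the inner shell's SHA-256 hash and ECDSA signature against the root public key before loading it and extends a state register in the trusted device, and the inner shell compares that register with the reference provisioned in its own signed image at start. Shell, TrustedDevice, the single vendor key and the constructed image strings are assumptions; the deck's certificate chain is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Shell is one stage (boot loader, OS, application): image plus vendor ECDSA signature over its SHA-256.
type Shell struct {
	Name, Image string
	Sig         []byte
}

// TrustedDevice stands in for the CmDongle or TPM: a register only extended after a passed forward check.
type TrustedDevice struct{ State [32]byte }

// NewVendorKey creates the vendor key pair; its public half is the root key hard-coded into the device.
func NewVendorKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// Sign is the engineering-side step (what ExProtector does with the vendor's private key).
func Sign(priv *ecdsa.PrivateKey, name, image string) Shell {
	d := sha256.Sum256([]byte(image))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return Shell{name, image, sig}
}

// ForwardCheck is the outer shell's load check: verify hash and signature of the inner
// shell against the root public key and only then record it in the trusted device.
func ForwardCheck(root *ecdsa.PublicKey, dev *TrustedDevice, inner Shell) error {
	d := sha256.Sum256([]byte(inner.Image))
	if !ecdsa.VerifyASN1(root, d[:], inner.Sig) {
		return fmt.Errorf("%s: signature check failed, not loaded", inner.Name)
	}
	dev.State = sha256.Sum256(append(dev.State[:], d[:]...))
	return nil
}

// BackwardCheck is the inner shell's start check: the device state must equal the reference
// provisioned in its signed image, so a shell started by an unverified or skipped outer shell refuses to run.
func BackwardCheck(dev *TrustedDevice, reference [32]byte) bool { return dev.State == reference }

func main() {
	priv, dev := NewVendorKey(), &TrustedDevice{}
	fmt.Println(ForwardCheck(&priv.PublicKey, dev, Sign(priv, "os", "VxWorks image")), dev.State[:4])
}
```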
Challenges
It needs to be performed for each shell
Certificate Chain: process of creating private keys and certificates
Allowed Controllers: how to get a unique ID of the computer / different CmActLicenses for identification
Performance of Solution: amount of certificates in certificate chain
Anchor of Trust
Certificate Chain
Definition of a certificate (similar to X.509)
Definition of rules by vendor
Public Root Key hard-coded in device
Distribution by CodeMeter License Central
Certificate fields: Authority ID, Subject ID, Name of subject, Public key, Signature of private key, Certificate chain, Access level (Boot | OS | App | Config), Device class / ID range, Expiration Date
Trusted Certificate
Thank you very much
WIBU-SYSTEMS AG
www.wibu.com