Azure Sphere Case Study
Azure Sphere Case Study
Submitted By
AKASH KUMAR CHOUDHARY – 1714110106
Roll No. - 14
A Report on
For Microsoft, it is the first “holistic solution to secure devices based on microcontroller
units” (MCUs). These devices are the millions of objects connected to the Internet that are
sold every year and that is constantly abused due to lack of security. They are the gigantic
vulnerability that the Internet has become.
Azure Sphere is not just a system, but a new class of MCUs that Microsoft has developed.
The company is also going to license the manufacturers free of royalties so that any partner
can develop and manufacture their own Azure Sphere chips. Azure Sphere is then a new chip
for things like thermostats, refrigerators, smart toys and other objects connected to the
Internet. And, at the same time, it is a custom operating system built with security in mind. A
system that incorporates a Linux kernel customized and optimized for the IoT.
Microsoft applying what it has learned from security working in Windows to a Linux kernel
implementation.
Microsoft says that Linux kernel has been reworked with security innovations that were
pioneers in Windows to create a highly secure environment. We are seeing something that
many would never have imagined, Microsoft applying what they have learned from security
working in Windows to a Linux kernel implementation.
Azure Sphere will also integrate cloud security services that will protect each device and
will work with any cloud, including private or proprietary. Microsoft will offer the ability to
update or improve device protection for up to 10 years.
Azure Sphere OS
Azure Sphere certified microcontrollers
The cloud-based security service of Azure Sphere.
This new project is the result of the company’s work to improve the security of Windows,
Office and also the Xbox chips. Azure Sphere combines what they have learned with all that,
and at least on paper, it sounds like a good step forward to improve the security of the
Internet of things.
This you can answer only: what will your smart vacuum cleaner do with Windows? The same
Brad Smith, president of Microsoft, has explained that his operating system simply remains
too large to be used in this project. It is the versatility of Linux that makes it an ideal
solution for Azure Sphere. Microsoft will continue to offer support to both the system and
the chips, it’s a smart idea (ask Red Hat ) for smart objects.
The versatility of Linux makes it the ideal solution, and more so now that Microsoft has fully
embraced its development
Nor does it make sense to develop something from scratch, when Linux makes all the sense
in the world, and the Microsoft of 2018 does not think like the Microsoft of 2012, we do not
have Ballmer labeling Linux as “cancer”, but saying that he loves it.
This is the Microsoft that is shaping part of the future of Linux, a company that has been hiring
Linux kernel developers for a long time. Azure welcomed Linux some time ago, and if anything
is clear with this, Microsoft is looking to make the most of its relatively new relationship
with open source.
Azure Sphere is a secured, high-level application platform with built-in communication and
security features for internet-connected devices. It comprises a secured, connected, crossover
microcontroller unit (MCU), a custom high-level Linux-based operating system (OS), and a
cloud-based security service that provides continuous, renewable security.
The Azure Sphere OS runs on Azure Sphere-certified chips and connects to the Azure Sphere
Security Service, and it’s designed to provide a platform for IoT app development — including
both high-level and real-time capable apps. It’s the first operating system running a Linux
kernel and the second Unix-like operating system that Microsoft has publicly released,
interestingly, the other being the decades-old and discontinued Xenix.
The Azure Sphere MCU integrates real-time processing capabilities with the ability to run a
high-level operating system. An Azure Sphere MCU, along with its operating system and
application platform, enables the creation of secured, internet-connected devices that can be
updated, controlled, monitored, and maintained remotely. A connected device that includes an
Azure Sphere MCU, either alongside or in place of an existing MCU(s), provides enhanced
security, productivity, and opportunity. For example:
The Azure Sphere Security Service is an integral aspect of Azure Sphere. Using this service,
Azure Sphere MCUs safely and securely connect to the cloud and web. The service ensures
that the device boots only with an authorized version of genuine, approved software. In
addition, it provides a secured channel through which Microsoft can automatically download
and install OS updates to deployed devices in the field to mitigate security issues. Neither
manufacturer nor end-user intervention is required, thus closing a common security hole.
Azure Sphere scenario
To understand how Azure Sphere works in a real-world setting, consider this scenario.
Microsoft releases updates for the Azure Sphere OS through the Azure Sphere Security
Service.
Contoso product engineering releases updates to its DW100 application through the
Azure Sphere Security Service.
The Azure Sphere Security Service securely deploys the updated OS and the Contoso
DW100 application software to the dishwashers at end-user locations.
Contoso dishwasher support communicates with the Azure Sphere Security Service to
determine which version of the Azure Sphere software and the DW100 application
software should be running on each end-user device and to glean any error-reporting
data that has been reported to the service. Contoso dishwasher support also
communicates with the Contoso cloud service for additional information.
Contoso cloud services support applications for troubleshooting, data analysis, and
customer interaction. Contoso's cloud services may be hosted by Microsoft Azure, by
another vendor's cloud service, or by Contoso's own cloud.
Contoso DW100 models at end-user locations download updated OS and application
software over their connection to the Azure Sphere Security Service. They can also
communicate with Contoso's cloud service application to report additional data.
For example, sensors on the dishwasher might monitor water temperature, drying
temperature, and rinse agent level and upload this data to Contoso's cloud services, where a
cloud service application analyzes it for potential problems. If the drying temperature seems
unusually hot or cool—which might indicate a failing part—Contoso runs diagnostics
remotely and notifies the customer that repairs are needed. If the dishwasher is under
warranty, the cloud service application might also ensure that the customer's local repair
shop has the replacement part, thus reducing maintenance visits and inventory requirements.
Similarly, if the rinse agent is low, the dishwasher might signal the customer to purchase more
rinse agent directly from the manufacturer.
All communications take place over secured, authenticated connections. Contoso support and
engineering personnel can visualize data by using the Azure Sphere Security Service,
Microsoft Azure features, or a Contoso-specific cloud service application. Contoso might also
provide customer-facing web and mobile applications, with which dishwasher owners can
request service, monitor dishwasher resource usage, or otherwise interact with the company.
Using Azure Sphere deployment tools, Contoso targets each application software update to
the appropriate dishwasher model, and the Azure Sphere Security Service distributes the
software updates to the correct devices. Only signed and verified software updates can be
installed on the dishwashers.
A primary goal of the Azure Sphere platform is to provide high-value security at a low cost, so
that price-sensitive, microcontroller-powered devices can safely and reliably connect to the
internet. As network-connected toys, appliances, and other consumer devices become
commonplace, security is of utmost importance. Not only must the device hardware itself be
secured, its software and its cloud connections must also be secured. A security lapse
anywhere in the operating environment threatens the entire product and, potentially,
anything or anyone nearby.
Based on Microsoft's decades of experience with internet security, the Azure Sphere team has
identified seven properties of highly secured devices. The Azure Sphere platform is
designed around these seven properties:
2. Small trusted computing base: Most of the device's software remains outside the
trusted computing base, thus reducing the surface area for attacks. Only the secured
Security Monitor, Pluton runtime, and Pluton subsystem—all of which Microsoft
provides—run on the trusted computing base.
3. Defense in depth: Defense in depth provides for multiple layers of security and thus
multiple mitigations against each threat. Each layer of software in the Azure Sphere
platform verifies that the layer above it is secured.
Working together, the Azure Sphere hardware, software, and Security Service enable unique,
integrated approaches to device maintenance, control, and security.
The hardware architecture provides a fundamentally secured computing base for connected
devices, allowing you to focus on your product.
The software architecture, with a secured custom OS kernel running atop the Microsoft-
written Security Monitor, similarly enables you to concentrate your software efforts on value-
added IoT and device-specific features.
The Azure Sphere Security Service supports authentication, software update, and failure
reporting over secured cloud-to-device and device-to-cloud channels. The result is a secured
communications infrastructure that ensures that your products are running the most up-to-
date Azure Sphere OS.
Hardware architecture
An Azure Sphere crossover MCU consists of multiple cores on a single die, as the following
figure shows.
Each core, and its associated subsystem, is in a different trust domain. The root of trust
resides in the Pluton security subsystem. Each layer of the architecture assumes that the layer
above it may be compromised. Within each layer, resource isolation and
compartmentalization provide added security.
The Pluton security subsystem is the hardware-based (in silicon) secured root of trust for
Azure Sphere. It includes a security processor core, cryptographic engines, a hardware
random number generator, public/private key generation, asymmetric and symmetric
encryption, support for elliptic curve digital signature algorithm (ECDSA) verification for
secured boot, and measured boot in silicon to support remote attestation with a cloud service,
as well as various tampering counter-measures including an entropy detection unit.
As part of the secured boot process, the Pluton subsystem boots various software
components. It also provides runtime services, processes requests from other components of
the device, and manages critical components for other parts of the device.
The high-level application core features an ARM Cortex-A subsystem that has a full memory
management unit (MMU). It enables hardware-based compartmentalization of processes by
using trust zone functionality and is responsible for executing the operating system, high-level
applications, and services. It supports two operating environments: Normal World (NW),
which executes code in both user mode and supervisor mode, and Secure World (SW), which
executes only the Microsoft-supplied Security Monitor. Your high-level applications run in NW
user mode.
Real-time core(s)
The real-time core(s) feature an ARM Cortex-M I/O subsystem that can run real-time capable
applications as either bare-metal code or a real-time operating system (RTOS). Such
applications can map peripherals and communicate with high-level applications but cannot
access the internet directly.
The first Azure Sphere MCU provides an 802.11 b/g/n Wi-Fi radio that operates at both
2.4GHz and 5GHz. High-level applications can configure, use, and query the wireless
communications subsystem, but they cannot program it directly. In addition to or instead of
using Wi-Fi, Azure Sphere devices that are properly equipped can communicate on an
Ethernet network.
Multiplexed I/O
The Azure Sphere platform supports a variety of I/O capabilities, so that you can configure
embedded devices to suit your market and product requirements. I/O peripherals can be
mapped to either the high-level application core or to a real-time core.
Microsoft firewalls
Hardware firewalls are silicon countermeasures that provide "sandbox" protection to ensure
that I/O peripherals are accessible only to the core to which they are mapped. The firewalls
impose compartmentalization, thus preventing a security threat that is localized in the high-
level application core from affecting the real-time cores' access to their peripherals.
Integrated RAM and flash
Azure Sphere MCUs include a minimum of 4MB of integrated RAM and 16MB of integrated
flash memory.
The high-level application platform runs the Azure Sphere OS along with a device-specific
high-level application that can communicate both with the internet and with real-time capable
applications that run on the real-time cores. The following figure shows the elements of this
platform.
Microsoft provides and maintains all software other than your device-specific applications. All
software that runs on the device, including the high-level application, is signed by the
Microsoft certificate authority (CA). Application updates are delivered through the trusted
Microsoft pipeline, and the compatibility of each update with the Azure Sphere device
hardware is verified before installation.
Application runtime
Application libraries support networking, storage, and communications features that are
required by high-level applications but do not support direct generic file I/O or shell access,
among other constraints. These restrictions ensure that the platform remains secured and
that Microsoft can provide security and maintenance updates. In addition, the constrained
libraries provide a long-term stable API surface so that system software can be updated to
enhance security while retaining binary compatibility for applications.
OS services
OS services host the high-level application container and are responsible for communicating
with the Azure Sphere Security Service. They manage network authentication and the
network firewall for all outbound traffic.During development, OS services also communicate
with a connected PC and the application that is being debugged.
The custom Linux-based kernel runs in supervisor mode, along with a boot loader. The kernel
is carefully tuned for the flash and RAM footprint of the Azure Sphere MCU. It provides a
surface for preemptable execution of user-space processes in separate virtual address spaces.
The driver model exposes MCU peripherals to OS services and applications. Azure Sphere
drivers include Wi-Fi (which includes a TCP/IP networking stack), UART, SPI, I2C, and GPIO,
among others.
Security Monitor
The Microsoft-supplied Security Monitor runs in SW. It is responsible for protecting security-
sensitive hardware, such as memory, flash, and other shared MCU resources and for safely
exposing limited access to these resources. The Security Monitor brokers and gates access to
the Pluton Security Subsystem and the hardware root of trust and acts as a watchdog for the
NW environment. It starts the boot loader, exposes runtime services to NW, and manages
hardware firewalls and other silicon components that are not accessible to NW.
Azure Sphere Security Service
Update: The update service distributes automatic updates for the Azure Sphere OS and
for applications. The update service ensures continued operation and enables the
remote servicing and update of application software.
Failure reporting: The failure reporting service provides simple crash reporting for
deployed software. To obtain richer data, use the reporting and analysis features that
are included with a Microsoft Azure subscription. All data stored with the Azure
Sphere Security Service is encrypted at rest by default. The Security Service stores data
in Azure Storage, Cosmos DB, and Azure Key Vault, using the data encryption at rest
implementation for each such service.