Protect Your Digital Assets - with Next-Generation Security
The SANCTUARY security services can be combined in flexible ways to provide strong protection for your current and future embedded products, and enable new business models, such as in the area of digital rights management or pay-per-use subscription models.
Embedded Systems Face Diverse Security Challenges
Embedded systems are becoming more and more complex because the demand for software services is ever increasing, driven by megatrends such as the Internet of Things (IoT) and new applications (e.g., autonomous driving). The rich functionality that embedded systems provide today leads to a diverse set of security and safety requirements for individual systems and generates a very complex software supply chain. In addition, embedded systems are almost never stand-alone devices but part of a system-of-systems in which sensitive data is constantly transmitted between embedded systems and the cloud.
The increased complexity of embedded systems causes many security problems, from an increased reliance on untrusted open-source software to a higher probability of software vulnerabilities and a larger attack surface. Once an embedded system has been compromised, an attacker can use it to steal valuable IP, perform ransomware attacks, make it part of a botnet, or commit an act of sabotage, all potentially causing high financial losses.
The SANCTUARY security services are a unique set of software security solutions which can be flexibly combined to protect your embedded products.
Strong Application Isolation
- Isolation of applications based on hardware access control
- Partitioning of system resources
- Prevention of unintended influences between applications (safety)
- Strictly controlled communication based on unique IDs
Cryptographic Services
- Transparent encrypted storage per application
- Non-interceptable connection to HSM or TPM
- Support for virtual HSM (PKCS#11)
- Support for virtual TPM (TPM 2.0)
- Own vHSM/vTPM instance for each application
Public Key Infrastructures
- Designed & developed for extreme conditions, e.g., satellite missions
- Quantum-ready hybrid crypto
- Epidemic revocation information spreading, no direct contact necessary
System Health Monitoring
- Supervise application behavior at run time
- Detect liveness of applications and malicious behavior
- Policy-based handling of unintended behaviors
- Secure logging of workload accesses or tracing information
Platform Integrity Verification
- Integrity verification of complete software stack
- Verification of each application’s configuration during boot
- Integrity checks from remote party
- Software bill of materials (SBOM) generation for the complete software stack
Run-time Protection
- Run-time isolation of applications
- Protect applications against advanced software attacks without requiring modifications
- All SANCTUARY software is already hardened against run-time attacks
- Continuous fuzz testing and static analysis
The SANCTUARY Benefits
Unified Security
The SANCTUARY security services can be integrated into all software layers of existing solutions as well as serve as fundamental security primitives for future systems.
Fitting your Security Needs
The SANCTUARY Security Services elevate your products to a new security level – from system state verification and cryptographic services to monitoring applications on the system.
Forward-thinking Security
The SANCTUARY Security Services are built with the latest advances in security research in mind to protect your products against state-of-the-art and future software attacks.
Combine all Security Services on one Embedded Platform
The security technologies that we provide safeguard your sensitive data and protect your embedded platforms based on your individual requirements. Our Zero-Trust Platform combines all these technologies into a real-time-capable security architecture for embedded platforms.