Protect Your Digital Assets - with Next-Generation Security

The SANCTUARY security services can be combined in flexible ways to provide strong protection for your current and future embedded products, and enable new business models, such as in the area of digital rights management or pay-per-use subscription models.

Embedded Systems Face Diverse Security Challenges

Embedded systems are getting more and more complex since the demand for software services is every increasing, driven by megatrends such as the Internet of Things (IoT) or new applications (e.g., autonomous driving). The rich functionalities provided by embedded systems today lead to a diverse set of security and safety requirements for individual systems and generate a very complex software supply chain. Besides, embedded systems are almost never stand-alone devices but part of a system-of-systems in which sensitive data is constantly transmitted between embedded systems and the cloud.

The increased complexity of embedded systems provokes many security problems, from an increased reliance on untrusted open-source software, to a higher probability of software vulnerabilities and increased surface for cyberattacks. When an embedded system was successfully compromised, a cyberattacker can use it to steal valuable IP, perform ransomware attacks, use it as part of a bot net or for an act of sabotage, all potentially causing high financial losses.

The SANCTUARY security services are a unique set of software security solutions which can be flexibly combined to protect your embedded products. 

Strong Application Isolation

  • Isolating applications with hardware-based security
  • Partitioning of system resources
  • Preventing unintended inter-application influences

Cryptographic Services

  • Transparent encrypted storage per application
  • Non-interceptable connection to HSM or TPM
  • Support for virtual HSM (PKCS#11)
  • Support for virtual TPM (TPM2.0)
  • Own vHSM/vTPM instance for each application

Public Key Infrastructures

  • Designed & developed for extreme conditions, e.g., satellite missions
  • Quantum-ready hybrid crypto
  • Epidemic revocation information spreading, no direct contact necessary

Platform Integrity Verification

  • Integrity verification of complete software stack
  • Verification of each application’s configuration during boot
  • Integrity checks from remote party
  • Software bill of material (SBOM) generation for the complete software stack

System Health Monitoring

  • Supervise application behavior at run time
  • Detect liveness of applications and malicious behavior
  • Secure information and execution logging

Run-time Protection

  • Integrity verification of complete software stack
  • Verification of each application’s configuration during boot
  • Integrity checks from remote party
  • Software bill of material (SBOM) generation for the complete software stack

Strong Application Isolation

  • Isolation of applications based on hardware access control
  • Partitioning of system resources
  • Prevention of unintended influences between applications (safety)
  • Strictly controlled communication based on unique IDs

Cryptographic Services

  • Transparent encrypted storage per application
  • Non-interceptable connection to HSM or TPM
  • Support for virtual HSM (PKCS#11)
  • Support for virtual TPM (TPM2.0)
  • Own vHSM/vTPM instance for each application

Public Key Infrastructures

  • Designed & developed for extreme conditions, e.g., satellite missions
  • Quantum-ready hybrid crypto
  • Epidemic revocation information spreading, no direct contact necessary

System Health Monitoring

  • Supervise application behavior at run time
  • Detect liveness of applications and malicious behavior
  • Policy-based handling of unintended behaviors
  • Secure logging of workload accesses or tracing information

Platform Integrity Verification

  • Integrity verification of complete software stack
  • Verification of each application’s configuration during boot
  • Integrity checks from remote party
  • SBOM generation for the complete software stack

Run-time Protection

  • Run-time isolation of applications
  • Protect applications against advanced software attacks without requiring modifications
  • All SANCTUARY software is already hardened against run-time attacks
  • Continuous fuzz testing and static analysis

The SANCTUARY Benefits

1

Unified Security

Unified Security

The SANCTUARY security services can be integrated into all software layers of existing solutions as well as serve as fundamental security primitives for future systems.

2

Fitting your Security Needs

Fitting your Security Needs

The SANCTUARY Security Services elevate your products to a new security level – from system state verification, over cryptographic services, up to monitoring applications on the system.

3

Forward-thinking Security

Forward-thinking Security

The SANCTUARY Security Services are built with the latest advances in security research in mind in order to provide protection for your products from state-of-the-art and future software attacks.

Combine all Security Services on one Embedded Platform

The security technologies that we provide safeguard your sensitive data and protect your embedded platforms based on your individual requirements. Our Zero-Trust Platform combines all these technologies into a real-time-capable security architecture for embedded platforms. Click here to find out more.

Contact us to learn how your embedded products benefit from the SANCTUARY Security Services!

Any Questions?

Contact us to learn how your embedded products benefit from the SANCTUARY Security Services!