Securing the Internet of Things with virtualisation
prpl's Galati: "No single system can be 100 percent secure, so the way to create security is to add more layers to it."
Prpl (pronounced 'Purple') is an open-source foundation which aims to support the MIPS processor architecture anywhere from the datacenter, networking, and storage through to connected consumer devices and embedded and Internet of Things applications.
ZDNet recently spoke to the foundation's chief security office, Cesare Garlati, to find out how their projects are progressing.
You have been with prpl for a year now -- what's your take on the company's current position?
prpl's Garlati: "Success is getting these people aligned -- and then getting them to agree on some master plan."
My job at prpl is partly about supporting people from a technical perspective and partly about promoting and developing the community. That is all about bringing people together.
Our membership is all Tier 1 suppliers: Qualcomm, Intel, and, of course, our parent Imagination Technology, the owners of MIPS Technologies and one of the main players in microprocessor technologies along with ARM.
Now we also have a lot of interest from carriers like BT and others who are keeping a close eye on what is happening.
What we have already done is produce a skeleton -- actual APIs and software -- and what is coming next is a full, open source hypervisor.
It was developed by a university and performs extremely well. In the summer we will be rolling out another product which in this case will be an Internet of Things processor which will be made by Microchip, as it is probably number one for controllers that can run Linux. The aim is to produce an extremely low cost controller.
Do you think that this is where the future lies, in these inexpensive devices?
That will be one segment. We see a future in which there are many segments in the market and one of those will be the disposable segment. You will see a lot of innovation in chip technology, things like chips that you can spray on a wall like paint. I think that all of this is a very exciting area. That is where the innovation lies. Things that are printed into the fabric of things.
When was the organisation founded?
A little over three years ago. It was an initiative by MIPS. MIPS is really the common denomination of this initiative that has attracted all of these companies together. But what we do is not specific to MIPS -- there is nothing in our by-laws that says that we have to be MIPS-only.
And Intel is a member of the foundation?
Intel is a member through the acquisition of Lantiq [a wireless and home networks company]. In one year we had all sorts of acquisitions and M&A activities -- and also changes of logos -- but they are absolutely part of us. I think you would be surprised to see how open Intel have been.
So this organisation is about forming one standard?
It is about connected devices. You look at the Internet of Things. I use it a lot and it is attracting people's attention but when it comes to practical use that can be a different thing.
I have been in business for a while and I have seen in previous waves similar things but people want to know, 'what is new, what is different?'
Now it is all about embedded software. The Internet of Things is not really about things, it is about embedded software and a different software -- and that is what will distinguish these kinds of mobile devices.
And then it comes down to doing things naturally with these kinds of mobile devices. So it is not only about devices that connect to the internet, it is about forming an intimate connection with them.
It will be the connection that will make these things different. Then it is about the connected nature of the device and about making the whole thing scalable.
Is that all about standards?
It is more than standards. Standards will give you an overall view of what it would take to secure mobile devices because it is not that evident what it would take.
More and more we see in any kind of connected devices multiple vendors coming in on the same platform. You will see something come in and then you have products and services that are not coming in from the carrier. You see all sorts of different devices. A lot of this is based on things like the app store model. That is where multiple vendors can be authorised with their own software and a share of the revenue.
Now if you think about moving that model into the security world where you have the secure world and the not secure world. So then tell me who should be in one and not the other one.
How it works now is that the carrier is in one world and once you are trusted by him you can create damage. So the model that we are looking at is to provide secure domains through virtualisation.
Virtualisation allows you to create as many secure domains as you want. But it is not that you have one secure world and you are either in or out. Instead you can have multiple domains so any kind of attack on one will be in isolation because you will have secure separation.
And there is another aspect, because this is not just about virtualising the secure world because it will extend to the whole fabric so that any intruder, any I/O is isolated.
But this isn't going to be something that will happen quickly. It is a vision of how the world can be protected. So what we do is create containerisation where each device can communicate but cannot damage other devices.
So this organisation is about creating a world that is secure but any device can communicate with any other device and organisations can be relaxed about it?
Well you may still be worried but at least you will know that if something happens with a provider it is not going to effect you. We know that in so many attacks the aim is to get in and affect one place knowing it will spread and then affect others. They all follow the same pattern: you attack the system at its weakest point and rely on the software to replicate the problem.
The aim of our work is to create standards that make systems secure by creating security by separation.
Now realistically no single system can be 100 percent secure, so the way to create security is to add more layers to it. So in our model there is a security layer, which has all the network firewalls and so on, then there is an application layer, an end-point layer but there is no hardware layer. That was because to do things at a hardware level was expensive but then because the silicon is so sophisticated these days that security is built-in anyway.
We have been working on producing standards with the aim that these will be used by all of the software and hardware vendors to build in security.
Our first guidelines will be out shortly but we have already created working prototypes that can show how the new standards would work so that all the vendors can see them.
And these are all full, open systems stacks. This is not one process but a number of them and all completely separated from each other. So this is what we do at prpl, we get all of these people together and try and agree on something and all based on open source APIs.