Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. It comprises a secured, connected, crossover microcontroller unit (MCU), a custom high-level Linux-based operating system (OS), and a cloud-based security service that provides continuous, renewable security.
The Azure Sphere MCU integrates real-time processing capabilities with the ability to run a high-level operating system. An Azure Sphere MCU, along with its operating system and application platform, enables the creation of secured, internet-connected devices that can be updated, controlled, monitored, and maintained remotely. A connected device that includes an Azure Sphere MCU, either alongside or in place of existing MCUs, provides enhanced security, productivity, and opportunity. For example:
- A secured application environment, authenticated connections, and opt-in use of peripherals minimize security risks due to spoofing, rogue software, or denial-of-service attacks, among others.
- Software updates can be automatically deployed from the cloud to any connected device to fix problems, provide new functionality, or counter emerging methods of attack, thus enhancing the productivity of support personnel.
- Product usage data can be reported to the cloud over a secured connection to help in diagnosing problems and designing new products, thus increasing the opportunity for product service, positive customer interactions, and future development.
The Azure Sphere Security Service is an integral aspect of Azure Sphere. Using this service, Azure Sphere MCUs safely and securely connect to the cloud and web. The service ensures that the device boots only with an authorized version of genuine, approved software. In addition, it provides a secured channel through which Microsoft can automatically download and install OS updates to deployed devices in the field to mitigate security problems. Neither manufacturer nor end-user intervention is required, thus closing a common security hole.
Azure Sphere scenario
To understand how Azure Sphere works in a real-world setting, consider this scenario.
Contoso, Ltd., is a white-goods product manufacturer who embeds an Azure Sphere MCU into its dishwashers. The DW100 dishwasher couples the MCU with several sensors and an onboard high-level application that runs on the Azure Sphere MCU. The application communicates with the Azure Sphere Security Service and with Contoso's cloud services. The following diagram illustrates this scenario:
Contoso network-connected dishwashers
Starting from the top left and moving clockwise:
- Microsoft releases updates for the Azure Sphere OS through the Azure Sphere Security Service.
- Contoso product engineering releases updates to its DW100 application through the Azure Sphere Security Service.
- The Azure Sphere Security Service securely deploys the updated OS and the Contoso DW100 application software to the dishwashers at end-user locations.
- Contoso dishwasher support communicates with the Azure Sphere Security Service to determine which version of the Azure Sphere software and the DW100 application software should be running on each end-user device and to glean any error-reporting data that has been reported to the service. Contoso dishwasher support also communicates with the Contoso cloud service for additional information.
- Contoso cloud services support applications for troubleshooting, data analysis, and customer interaction. Contoso's cloud services may be hosted by Microsoft Azure, by another vendor's cloud service, or by Contoso's own cloud.
- Contoso DW100 models at end-user locations download updated OS and application software over their connection to the Azure Sphere Security Service. They can also communicate with Contoso's cloud service application to report additional data.
For example, sensors on the dishwasher might monitor water temperature, drying temperature, and rinse agent level and upload this data to Contoso's cloud services, where a cloud service application analyzes it for potential problems. If the drying temperature seems unusually hot or cool—which might indicate a failing part—Contoso runs diagnostics remotely and notifies the customer that repairs are needed. If the dishwasher is under warranty, the cloud service application might also ensure that the customer's local repair shop has the replacement part, thus reducing maintenance visits and inventory requirements. Similarly, if the rinse agent is low, the dishwasher might signal the customer to purchase more rinse agent directly from the manufacturer.
All communications take place over secured, authenticated connections. Contoso support and engineering personnel can visualize data by using the Azure Sphere Security Service, Microsoft Azure features, or a Contoso-specific cloud service application. Contoso might also provide customer-facing web and mobile applications, with which dishwasher owners can request service, monitor dishwasher resource usage, or otherwise interact with the company.
Using Azure Sphere deployment tools, Contoso targets each application software update to the appropriate dishwasher model, and the Azure Sphere Security Service distributes the software updates to the correct devices. Only signed and verified software updates can be installed on the dishwashers.
Azure Sphere and the seven properties of highly secured devices
A primary goal of the Azure Sphere platform is to provide high-value security at a low cost, so that price-sensitive, microcontroller-powered devices can safely and reliably connect to the internet. As network-connected toys, appliances, and other consumer devices become commonplace, security is of utmost importance. Not only must the device hardware itself be secured, its software and its cloud connections must also be secured. A security lapse anywhere in the operating environment threatens the entire product and, potentially, anything or anyone nearby.
Based on Microsoft's decades of experience with internet security, the Azure Sphere team has identified seven properties of highly secured devices. The Azure Sphere platform is designed around these seven properties:
- Hardware-based root of trust. A hardware-based root of trust ensures that the device and its identity cannot be separated, thus preventing device forgery or spoofing. Every Azure Sphere MCU is identified by an unforgeable cryptographic key that is generated and protected by the Microsoft-designed Pluton security subsystem hardware. This ensures a tamper-resistant, secured hardware root of trust from factory to end user.
- Defense in depth. Defense in depth provides for multiple layers of security and thus multiple mitigations against each threat. Each layer of software in the Azure Sphere platform verifies that the layer above it is secured.
- Small trusted computing base. Most of the device's software remains outside the trusted computing base, thus reducing the surface area for attacks. Only the secured Security Monitor, Pluton runtime, and Pluton subsystem—all of which Microsoft provides—run on the trusted computing base.
- Dynamic compartments. Dynamic compartments limit the reach of any single error. Azure Sphere MCUs contain silicon counter-measures, including hardware firewalls, to prevent a security breach in one component from propagating to other components. A constrained, "sandboxed" runtime environment prevents applications from corrupting secured code or data.
- Password-less authentication. The use of signed certificates, validated by an unforgeable cryptographic key, provides much stronger authentication than passwords. The Azure Sphere platform requires every software element to be signed. Device-to-cloud and cloud-to-device communications require further authentication, which is achieved with certificates.
- Error reporting. Errors in device software or hardware are typical in emerging security attacks; errors that result in device failure constitute a denial-of-service attack. Device-to-cloud communication provides early warning of potential errors. Azure Sphere devices can automatically report operational data and errors to a cloud-based analysis system, and updates and servicing can be performed remotely.
- Renewable security. The device software is automatically updated to correct known vulnerabilities or security breaches, requiring no intervention from the product manufacturer or the end user. The Azure Sphere Security Service updates the Azure Sphere OS and your applications automatically.
Azure Sphere architecture
Working together, the Azure Sphere hardware, software, and Security Service enable unique, integrated approaches to device maintenance, control, and security.
The hardware architecture provides a fundamentally secured computing base for connected devices, allowing you to focus on your product.
The software architecture, with a secured custom OS kernel running atop the Microsoft-written Security Monitor, similarly enables you to concentrate your software efforts on value-added IoT and device-specific features.
The Azure Sphere Security Service supports authentication, software updates, and error reporting over secured cloud-to-device and device-to-cloud channels. The result is a secured communications infrastructure that ensures that your products are running the most up-to-date Azure Sphere OS. For architecture diagrams and examples of cloud architectures, see Browse Azure Architectures.
An Azure Sphere crossover MCU consists of multiple cores on a single die, as the following figure shows.
Azure Sphere MCU hardware architecture
Each core, and its associated subsystem, is in a different trust domain. The root of trust resides in the Pluton security subsystem. Each layer of the architecture assumes that the layer above it may be compromised. Within each layer, resource isolation and dynamic compartments provide added security.
Microsoft Pluton security subsystem
The Pluton security subsystem is the hardware-based (in silicon) secured root of trust for Azure Sphere. It includes a security processor core, cryptographic engines, a hardware random number generator, public/private key generation, asymmetric and symmetric encryption, support for elliptic curve digital signature algorithm (ECDSA) verification for secured boot, and measured boot in silicon to support remote attestation with a cloud service, as well as various tampering counter-measures including an entropy detection unit.
As part of the secured boot process, the Pluton subsystem boots various software components. It also provides runtime services, processes requests from other components of the device, and manages critical components for other parts of the device.
High-level application core
The high-level application core features an ARM Cortex-A subsystem that has a full memory management unit (MMU). It enables hardware-based compartmentalization of processes by using trust zone functionality and is responsible for running the operating system, high-level applications, and services. It supports two operating environments: Normal World (NW), which runs code in both user mode and supervisor mode, and Secure World (SW), which runs only the Microsoft-supplied Security Monitor. Your high-level applications run in NW user mode.
The real-time cores feature an ARM Cortex-M I/O subsystem that can run real-time capable applications as either bare-metal code or a real-time operating system (RTOS). Such applications can map peripherals and communicate with high-level applications but cannot access the internet directly.
Connectivity and communications
The first Azure Sphere MCU provides an 802.11 b/g/n Wi-Fi radio that operates at both 2.4GHz and 5GHz. High-level applications can configure, use, and query the wireless communications subsystem, but they cannot program it directly. In addition to or instead of using Wi-Fi, Azure Sphere devices that are properly equipped can communicate on an Ethernet network.
The Azure Sphere platform supports a variety of I/O capabilities, so that you can configure embedded devices to suit your market and product requirements. I/O peripherals can be mapped to either the high-level application core or to a real-time core.
Hardware firewalls are silicon countermeasures that provide "sandbox" protection to ensure that I/O peripherals are accessible only to the core to which they are mapped. The firewalls impose compartmentalization, thus preventing a security threat that is localized in the high-level application core from affecting the real-time cores' access to their peripherals.
Integrated RAM and flash
Azure Sphere MCUs include a minimum of 4MB of integrated RAM and 16MB of integrated flash memory.
Software architecture and OS
The high-level application platform runs the Azure Sphere OS along with a device-specific high-level application that can communicate both with the internet and with real-time capable applications that run on the real-time cores. The following figure shows the elements of this platform.
Microsoft-supplied elements are shown in gray.
High-level Application Platform
Microsoft provides and maintains all software other than your device-specific applications. All software that runs on the device, including the high-level application, is signed by the Microsoft certificate authority (CA). Application updates are delivered through the trusted Microsoft pipeline, and the compatibility of each update with the Azure Sphere device hardware is verified before installation.
The Microsoft-provided application runtime is based on a subset of the POSIX standard. It consists of libraries and runtime services that run in NW user mode. This environment supports the high-level applications that you create.
Application libraries support networking, storage, and communications features that are required by high-level applications but do not support direct generic file I/O or shell access, among other constraints. These restrictions ensure that the platform remains secured and that Microsoft can provide security and maintenance updates. In addition, the constrained libraries provide a long-term stable API surface so that system software can be updated to enhance security while retaining binary compatibility for applications.
OS services host the high-level application container and are responsible for communicating with the Azure Sphere Security Service. They manage network authentication and the network firewall for all outbound traffic. During development, OS services also communicate with a connected PC and the application that is being debugged.
Custom Linux kernel
The custom Linux-based kernel runs in supervisor mode, along with a boot loader. The kernel is carefully tuned for the flash and RAM footprint of the Azure Sphere MCU. It provides a surface for preemptable execution of user-space processes in separate virtual address spaces. The driver model exposes MCU peripherals to OS services and applications. Azure Sphere drivers include Wi-Fi (which includes a TCP/IP networking stack), UART, SPI, I2C, and GPIO, among others.
The Microsoft-supplied Security Monitor runs in SW. It is responsible for protecting security-sensitive hardware, such as memory, flash, and other shared MCU resources and for safely exposing limited access to these resources. The Security Monitor brokers and gates access to the Pluton Security Subsystem and the hardware root of trust and acts as a watchdog for the NW environment. It starts the boot loader, exposes runtime services to NW, and manages hardware firewalls and other silicon components that are not accessible to NW.
Azure Sphere Security Service
The Azure Sphere Security Service comprises three components: password-less authentication, update, and error reporting.
Password-less authentication. The authentication component provides remote attestation and password-less authentication. The remote attestation service connects via a challenge-response protocol that uses the measured boot feature on the Pluton subsystem. It verifies not merely that the device booted with the correct software, but with the correct version of that software.
After attestation succeeds, the authentication service takes over. The authentication service communicates over a secured TLS connection and issues a certificate that the device can present to a web service, such as Microsoft Azure or a company's private cloud. The web service validates the certificate chain, thus verifying that the device is genuine, that its software is up to date, and that Microsoft is its source. The device can then connect safely and securely with the online service.
Update. The update service distributes automatic updates for the Azure Sphere OS and for applications. The update service ensures continued operation and enables the remote servicing and update of application software.
Error reporting. The error reporting service provides simple crash reporting for deployed software. To obtain richer data, use the reporting and analysis features that are included with a Microsoft Azure subscription.
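The challenge-response attestation described under password-less authentication above can be modeled in a few lines. This is an added, simplified example, not Microsoft's protocol or code: HMAC with a shared key stands in for the device's asymmetric signature so that it runs on the standard library alone, and the key, component names, and class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

def extend(register, component):
    """One measured-boot step: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Fold every boot stage, in order, into a single measurement."""
    register = bytes(32)  # assumed reset value: all zeros
    for blob in components:
        register = extend(register, blob)
    return register

def device_quote(device_key, nonce, booted):
    """Device side: report the measurement, bound to the service's nonce."""
    measurement = measure_boot(booted)
    tag = hmac.new(device_key, nonce + measurement, hashlib.sha256).digest()
    return measurement, tag

class AttestationService:
    """Service side: accepts only the approved version, one nonce per attempt."""
    def __init__(self, device_key, approved):
        self._key = device_key
        self._expected = measure_boot(approved)
        self._outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, measurement, tag):
        if nonce not in self._outstanding:
            return "reject: unknown or replayed nonce"
        self._outstanding.discard(nonce)  # a nonce is valid once only
        good = hmac.new(self._key, nonce + measurement, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return "reject: quote not produced by this device key"
        if not hmac.compare_digest(measurement, self._expected):
            return "reject: booted software is not the approved version"
        return "ok: issue certificate"

# Constructed sample data: two software versions and a stand-in device key.
KEY = b"constructed-device-key"
OS_V1 = [b"bootloader v1", b"kernel v1", b"os-services v1"]
OS_V2 = [b"bootloader v1", b"kernel v2", b"os-services v2"]

def attest(service, booted, key=KEY):
    """Run one full challenge-response round and return the verdict."""
    nonce = service.challenge()
    return service.verify(nonce, *device_quote(key, nonce, booted))
```

A device that booted genuine but outdated software (`OS_V1` against a service expecting `OS_V2`) is rejected just like a tampered one, which is the "correct version" property the text describes.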
All data stored with the Azure Sphere Security Service is encrypted at rest by default. The Security Service stores data in Azure Storage, Azure Cosmos DB, and Azure Key Vault, using the data encryption at rest implementation for each such service.