![]()
Tuesday 1 July 2025
System cybersecurity and code storage flash technology
This article outlines the various code storage flash technologies used today and their contribution to platform cybersecurity and resiliency. It also outlines the minimal set of requirements to meet the demands of cyber protection in 2025 and beyond.Non-volatile storage media contain all the essential platform assets. The platform code, operational data, user data, and various states of the platform. For that reason, the content of the non-volatile storage is considered to be the most vulnerable to cyberattacks. Such attacks may try to extract user data (privacy), platform or network data (stability and resiliency) or modify the platform code as an extended attack vector for more complex attacks.Previously, standalone devices with no network connectivity were common, requiring attackers to have physical access to compromise system code. Such equipment had to be physically manipulated in order to gain access to the content of the non-volatile (NVM) storage. In those platforms, we would have one of three possible configurations for the non-volatile storage:*Embedded flash - where the NVM would be part of the controller silicon*External flash - where the NVM would reside side by side with the controller device*Multi-Chip-Module (MCM) - where the NVM die would be placed in the same plastic package as the controllerEach of these configurations would have its pros and cons. The embedded NVM would be the most secure, as it could be made almost impossible for an attacker to probe and access the embedded NVM portion of the silicon die. However, embedded flash does not allow easy expansion in storage capacity, and is not available in advanced manufacturing processesThe external flash would prove to be the easiest to attack. Connecting simple bus "sniffing" equipment to the flash would allow an attacker to extract information, modify code and perform any other actions required to compromise the platform and its data.Unauthorized NVM Access & Bus SniffingThe MCM approach seems to have the benefit of limited physical access to the NVM Flash device, while offering better cost structure. However, it is fairly easy today to decap (open) any chip package and access internal connecting signals, making the MCM approach nearly as (non) secure as the external flash configuration.MCMIn order to mitigate attacks on NVM, a special type of flash was developed, called "Secure Flash" where the interface signals between the controller and flash are encrypted. This prevents the traditional probing attacks from being successful.Secure flashWith modern devices increasingly connected to networks, security risks have expanded beyond physical threats to remote cyberattacks. All the above attacks required physical access to the attacked platform because of no networking connectivity. This rather limited the scope of such attacks. However, most of the platforms today, regardless of their functions, become network-connected. This trend is driven by a few key concepts:*Extended functionality (by using network resources)*Ease of use*Remote management and information/statistics collection*Frequent, automatic firmware updates*Easier deployment and life cycle controlThe key driver for network connectivity is remote firmware update. This is mandated by all the latest standards and regulations, such as EU RED EN18031, US CNSA2.0, and the coming EU Cyber Resiliency Act. It is well understood today that orderly firmware updates are a must in order to keep systems resilient and protected, and their users safe.Making platforms network-connected and set up for automatic remote system updates opens up a whole new landscape of potential security attacks. This makes the physical protection, mentioned here before, an outdated issue in most cases, with the exception being open-loop financial transactions and ID cards (such as passports).Modern platforms must be protected from a completely different set of threats:*Unprotected and outdated updates - attempt to force a platform to revert to an older version of its software with known vulnerabilities or lack critical security features, making them easier for attackers to exploit.*Supply chain attacks - attempt to insert Trojan hardware or install malicious software at some point within the manufacturing, transportation, or distribution of platforms.*Storage breeching (keys, user data, credentials theft) - unauthorized access or compromise of stored sensitive information.*Threats to the resiliency of the platforms - attempt to infect systems with malicious code, exploit vulnerabilities in platform firmware, or make the platform unavailable by destroying critical data in NVM.It is well understood that large-scale attacks can be leased upon millions of devices without a need to physically access any of them. It is thus required to implement protection mechanisms against such potential attacks.Firmware update protection - latest standards call for protection of firmware updates in terms of integrity, authenticity, and freshness, allowing only a complete, signed, and newer version of firmware to replace an existing version. Moreover, the cryptographic signature mechanisms to be used must be quantum-safe, meaning algorithms developed to resist being attacked by quantum computers.Supply chain protection - this topic is at the top of the list for potential large-scale attacks published by EU ENISA in 2024. Due to the distributed nature of supply chains used in the production of electronic equipment, it is relatively easy for rogue players to replace key components such as the NVM devices and basic firmware code with devices and code that include malicious capabilities. These capabilities can then be employed to unleash a large-scale attack on infrastructure.Storage protection - if a platform is allowed to access any information in the NVM at any time, a rogue piece of code, even temporarily loaded into memory, can scan the NVM and access secret or sensitive data, transmit it back to the attacker, and even modify this data. It is essential to maintain privileged access restrictions on such data in the non-volatile memory.Platform resiliency - as more and more platforms become online and network-connected, it is essential to ensure they are kept in correct working order or otherwise gracefully brought down to ensure no harm is done if they are somehow compromised. To facilitate this, strong internal diagnostics of the NVM content (code and data) are required, and in the case of some malfunction, allow the platform to either fix the problem or go offline and shut itself down. Platform firmware resiliency is detailed in NIST SP 800-193.Given these contemporary threats, it is clear that NVM packaging technology plays a diminished role, if any, in platform cyber protection. The focus should be on using the appropriate NVM built-in security capabilities and configurations to minimize and eliminate these threats.The Winbond W77Q Secure Flash is introduced as a robust solution to address the outlined threats. The key features of W77Q Secure Flash relevant to the document's topics include:*Code and Data Protection: robust protection for both code and data, making it exceedingly difficult for hackers to tamper. RoT implementation follows the TCG DICE attestation mechanism.*Authentication: Winbond Secure Flash devices employ stringent authentication protocols, ensuring that only authorized actors and software layers gain access. *Secure Software Updates with Rollback Protection: The devices facilitate remote secure software updates while safeguarding against rollback attacks, ensuring that only legitimate updates are executed. To maintain the highest level of security and integrity during software updates, W77Q employs Quantum-Safe Leighton-Micali Signature (LMS) algorithms, as recommended by NIST Special Publication 800-208. This method guarantees the authenticity and integrity of the updated software, thereby providing an additional layer of security for years to come.*Platform Resiliency: following NIST 800-193 recommendations, unauthorized code changes are automatically detected, enabling the system to automatically recover to a secure state and disturbing potential cyber threats.*Secure Supply Chain: The origin and integrity of flash content are guaranteed by Secure Flash at every stage of the supply chain. W77Q implements remote attestation based on LMS-OTS (NIST 800-208). This advanced approach effectively prevents content tampering and misconfiguration during platform assembly, transportation, and configuration, safeguarding against cyber adversaries.Winbond W77Q Secure Flash addresses critical security concerns discussed in the paper, providing strong protection for code and data storage while ensuring platform integrity, resiliency, and compliance with emerging cybersecurity frameworks.For more information on how Winbond can support your security and compliance needs, visit Winbond's website or contact Winbond directly, or download the latest Hardware Security White Paper.
