10/07/2014

How Significant is ARM’s mbed OS?

For microcontrollers (MCUs) used in embedded devices, intellectual property supplier ARM is the clear market leader. In a recent forecast for VDC Research’s report “The Global Market for Embedded Processors,” ARM-based MCUs accounted for more than half of the unit shipments using non-proprietary architectures in 2013 (see chart).

MCU Shipments by Architecture

The Cortex-M series is the main line of ARM MCUs, and is the most prevalent architecture used in embedded devices for the IoT. So when ARM announced on October 1 at the TechCon convention and trade show that the company would provide a free operating system—the mbed OS—for the M-series, it created considerable buzz in the industry, as well as some consternation and a bit of confusion.

ARM has been using the mbed name since 2005 for “maker”-style development platforms based on Cortex-M series MCUs, along with a large community of developers and an extensive software library. But the new announcement greatly expands the original mbed concept. The mbed name now encompasses not only the new operating system, but also: a cloud connectivity platform (mbed Device Server); a set of development tools (mbed Tools); and an ecosystem of partners (mbed Partners). Effectively, mbed has become a line of both products and services. ARM says that collectively, mbed will “accelerate Internet of Things deployment.” In this blog post, we’ll focus on the mbed operating system.

The embedded industry is already rife with many dozens of operating systems, ranging from bare bones to fully-featured. These include commercially-licensed binaries (closed source), commercially-licensed open source, free open source, as well as proprietary in-house OSs.

For resource-constrained embedded devices, the free open source offerings have been popular but limited in the extent of their development. Generally, commercially-licensed OSs are more professionally designed, thoroughly tested, and robust.

Several aspects of the mbed OS are noteworthy. First, ARM says that its free OS will be commercial grade. By offering it for free, the mbed OS will compete with some of the commercial embedded OSs already on the market. However, in his keynote speech at TechCon, ARM’s CTO Mike Muller emphasized that the mbed OS will not be a real time operating system (RTOS). Many IoT devices require the time-critical determinism of an RTOS, most notably in safety critical applications such as avionics, automotive systems, factory automation, and the like. The lack of real time functions will limit the breadth of applicability for mbed OS, and the extent to which it will compete with many of the commercial OSs on the market.

Second, ARM said its main intention in releasing the OS along with the mbed Device Server was to ease the embedded software development needed to handle the many security concerns and communications protocols used in IoT, as those are often sticking points for developers not previously experienced with connected devices. Zach Shelby, Director of Technical Marketing for ARM’s IoT initiatives, noted that even devices running competing commercial OSs will be able to take advantage of mbed Device Server connectivity services. As Shelby described it, ARM isn’t trying to compete with OS vendors; the company is trying to ensure that IoT developers have adequate support to bring products to market in a timely manner.

Third, although ARM did not mention this in its press information, Shelby told VDC that much of the mbed OS source code would be made available as open source. He also said that a few specific software components (such as some security modules) would be released only as binaries, i.e. closed source, which is why the company hasn’t been touting the OS as “open source.”

And fourth, ARM’s announcement only described the mbed OS as being for the M-series MCUs, but Shelby told us that partners will be able to adapt the open source code for ARM’s other series of processors. Indeed, at least one hardware vendor on the show floor was demonstrating a working version of the mbed OS on a Cortex A-series microprocessor. However, the higher performance A-series line is often used with more fully featured operating systems (e.g. Linux), and VDC doesn’t consider it to be a major target for the mbed OS.

All-in-all, VDC believes that the mbed OS will be significant for how it should speed up development for new entrants in the IoT. It probably won’t cause a major upheaval in the broad market for commercial embedded OSs, but a few of the OS vendors at the low end of the market are likely to be adversely impacted.

10/02/2014

Notable Demos from ARM TechCon 2014 and JavaOne

Semiconductor intellectual property supplier ARM kicked off its annual TechCon conference and trade show in Santa Clara, CA with expansion of the mbed IoT Device Platform, including a free operating system as well as server side IoT technologies. We describe the mbed OS in more detail in a separate blog post. In this post, we’ll highlight a couple of notable demos from other vendors on the show floor, plus one from Oracle’s concurrent JavaOne conference and trade show in San Francisco. In a literal sign-of-the-times at both events, you couldn’t swing a dead cat without hitting a sign that read, “Internet of Things.”

At ARM TechCon, the Cryptography Research division of Rambus showed an interesting demo of differential power analysis (DPA). This is a type of side channel attack based on sensing power consumption and/or emission patterns of a processor during cryptographic operations, with the objective of extracting encryption keys. Prior to seeing this demo, we had thought of DPA as an academic or theoretical exercise that either wouldn't work in the real world or would take so long as to be insignificant. But Rambus showed us exactly how it works, measuring power emissions from a Xilinx chip while it was repeatedly performing AES 128-bit symmetric encryption on short blocks of data, and running statistical analysis on the power readings to uncover the encryption key one byte at a time. The entire key was recovered in about two minutes. Because the process is linear with the number of bits, AES 256-bit would have taken only about four minutes. (To break 256-bit encryption by brute force methods is orders of magnitude more difficult than to break 128-bit.) In addition, the company demonstrated a simple power analysis (SPA) side channel attack by handholding a receiver antenna to the back side of an Amazon Kindle tablet (see Picture 1), and directly reading a signal containing the asymmetric key from RSA 2048-bit encryption running in software on the device. No statistical analysis was required, as a viewer could see a graphical form of the signal representing the zeros and ones (Picture 2).


Picture 1: Reading power emissions from a Kindle tablet running encryption software.


Picture 2: Kindle emissions isolated in the frequency band of the encryption key. Narrow distances between the gaps are zeros, and wider double distances between the gaps are ones. The section of the key shown reads as 0011000001.

Needless to say, we were impressed with how easily these attacks were executed, which of course was the entire point of the demos. Rambus offers side channel attack countermeasures in the form of hardware cores and software libraries, and the demos also showed how such countermeasures confound the measurements and analysis.

Green Hills Software teamed up with Freescale to demonstrate a retail POS simulation of a RAM scraper malware technique similar to the type implicated in the Target data breach, as well as a solution using INTEGRITY hypervisor to negate the malware. The protection method keeps the credit card data encrypted in a secured application space before it gets to the normal execution area, then sends the data via secure channel to the payment processor server. Only a one-time token is passed to the normal execution area of the POS system. When that token is submitted to the payment processor, the funds are approved, without the credit card data ever existing in the normal execution area, and thus rendering RAM scraping irrelevant for theft of the card data. This type of tokenization has been done before in the payment card industry (PCI), and we expect the Target data breach will increase its uptake.
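The token flow described above can be modelled in a few lines. This is an added example, not code from Green Hills, Freescale or VDC: the class names are hypothetical, the secure channel is reduced to a direct method call, and the card number is a constructed test value. It compares what ends up in the normal execution area's memory with and without tokenization.

```python
import re
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a widely used test card number


class PaymentProcessor:
    """Hypothetical stand-in for the payment processor's server."""

    def __init__(self):
        self._pending = {}  # token -> (pan, amount_cents)

    def tokenize(self, pan, amount_cents):
        # The secure channel is modelled here as a direct method call.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pending[token] = (pan, amount_cents)
        return token

    def approve(self, token):
        # pop() makes the token one-time: a replayed token finds nothing.
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        pan, amount_cents = entry
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


class SecuredPartition:
    """Owns the card reader; card data leaves it only towards the processor."""

    def __init__(self, processor, read_card):
        self._processor = processor
        self._read_card = read_card

    def collect_payment(self, amount_cents):
        return self._processor.tokenize(self._read_card(), amount_cents)


class TokenizedPOS:
    """Normal execution area: it only ever handles the token and the receipt."""

    def __init__(self, secured, processor):
        self.memory = []  # every string this application touched
        self._secured = secured
        self._processor = processor

    def checkout(self, amount_cents):
        token = self._secured.collect_payment(amount_cents)
        self.memory.append(token)
        receipt = self._processor.approve(token)
        self.memory.append(repr(receipt))
        return token, receipt


class LegacyPOS:
    """For contrast: the card number passes through the normal area."""

    def __init__(self, processor, read_card):
        self.memory = []
        self._processor = processor
        self._read_card = read_card

    def checkout(self, amount_cents):
        pan = self._read_card()
        self.memory.append("track=" + pan)
        receipt = self._processor.approve(self._processor.tokenize(pan, amount_cents))
        self.memory.append(repr(receipt))
        return receipt


def luhn_ok(digits):
    """Checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(memory):
    """Audit check: Luhn-valid 13 to 19 digit runs left in application memory."""
    runs = (m for s in memory for m in re.findall(r"\d{13,19}", s))
    return [r for r in runs if luhn_ok(r)]


def run_demo():
    processor = PaymentProcessor()
    reader = lambda: TEST_PAN
    legacy = LegacyPOS(processor, reader)
    legacy.checkout(1999)
    pos = TokenizedPOS(SecuredPartition(processor, reader), processor)
    token, receipt = pos.checkout(1999)
    return {
        "legacy_exposed": find_card_numbers(legacy.memory),
        "tokenized_exposed": find_card_numbers(pos.memory),
        "receipt": receipt,
        "replay": processor.approve(token),  # second use of the same token
    }


if __name__ == "__main__":
    print(run_demo())
```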

And at the JavaOne event, Oracle and the French software firm Oberthur Technologies demonstrated an Android device with a Java Virtual Machine running within an ARM TrustZone trusted execution environment (TEE). Oberthur’s software runs on the server side of an Internet connection, and enables specially designed Java apps to be securely installed into the device also using a tokenization method. This is the only solution we’ve seen to date that enables applications to be remotely installed into a TEE. Although the demo was run on an Android phone, we see the potential for its use in many other types of IoT devices.

09/23/2014

VDC Research is Attending ARM TechCon 2014 in Santa Clara October 1-2

We are attending ARM TechCon 2014 in Santa Clara

ARM TechCon 2014 at the Santa Clara Convention Center is designed to facilitate collaborative design by connecting the hardware and software communities in one event. The event delivers a comprehensive forum created to ignite the development and optimization of future ARM-based embedded products. The conference includes about 75 intriguing sessions offering insight and education into new products, advanced development techniques, security issues, and much more. For more information about ARM TechCon 2014 and to register for the event, click here.

Contact us directly to schedule a meeting!

We would like to learn more about your company’s solutions and personal experiences, and we welcome the opportunity to meet attending vendors. VDC will be at the conference on Wednesday, October 1st and Thursday, October 2nd. Please contact us directly if you would like to arrange a meeting.

Contact Steve Hoffenberg, Director, M2M Embedded Software, VDC Research Group at shoffenberg@vdcresearch.com or 508.653.9000 x143.

About VDC Research

VDC has been covering the embedded systems market since 1994. To learn more about VDC’s coverage of Embedded Hardware & Platforms, check out our website here, and to see what other research and products are offered by VDC Research’s Embedded Hardware and Software practices, click here.

09/18/2014

Tasktop unveils new Tricentis offering

Yesterday, at Tricentis Accelerate 2014, Tasktop previewed an upcoming release of Sync featuring increased integration of the Tricentis Tosca Testsuite across multiple software delivery disciplines and tools. Tasktop’s Sync platform provides authoring tools for tasks, data, workflow connectivity and integration between multiple Application Lifecycle Management solutions. Its new partner, Tricentis, is known for its software testing solutions to accelerate business innovation. The partnership between Tricentis and Tasktop represents an exciting advancement along the path of broader Agile and DevOps adoption within the software development industry.

The two companies first partnered in February 2014, to provide a combination of Tricentis Tosca Testsuite and Tasktop Sync. The new software offers a means of automated functional testing in Testsuite and a platform for collaborating across the multiple disciplines of software development with Sync. The evolution of software development has revealed a clear problem of the integration of tools across the design of software. The partnership of Tasktop and Tricentis is an example of a method of addressing this issue. Their tools enable collaboration and testing across different components, removing a disconnect that has hampered software development in the past. We think this software integration can help developers using Agile or DevOps methods to continue to deliver thoroughly tested solutions for customers more rapidly, ultimately lowering the risk of business failure.

 

Upcoming VDC Research reports

In the next few weeks, the VDC M2M and Embedded Software team will publish several reports analyzing important trends impacting the software and system development tool landscape such as the growing need for improved tooling integration. These reports, listed below, also provide VDC’s granular market estimates and growth forecasts through 2016.

  • Automated Test and Verification Tools
  • Software and System Modeling Tools
  • Requirements Management/Definition and Source/Change/Configuration Management tools

To learn more about the research and products offered by VDC Research’s Embedded Software & Tools practice, click here.

 

By Joseph Botsch, Research Assistant and

André Girard, Senior Analyst

 

08/14/2014

Will SafeNet Acquisition Lead to Growth in Gemalto’s IoT Business?

On August 8, France-based security technology provider Gemalto announced a definitive agreement to acquire US-based firm SafeNet for US$890 million. Gemalto’s press release can be seen here, so we won’t rehash all the details in this blog post. However, we will provide a few comments regarding the potential synergies between the companies in the IoT/M2M market.

Both Gemalto and SafeNet have significant businesses in the banking and financial services markets. Among its many offerings, Gemalto is a leading supplier of EMV (Europay, MasterCard, and Visa) smartcards, as well as e-banking authentication solutions. SafeNet is a leading supplier of Hardware Security Modules (HSMs), which are dedicated appliances used for authentication, encryption, and cryptographic key management within datacenters at banks and financial institutions. (SafeNet says that its products protect over 80% of the world’s intra-bank fund transfers, nearly $1 trillion a day.)

About the only area where Gemalto and SafeNet products overlap is in end-user authentication devices, such as smartcards, one-time password (OTP) generators, and USB tokens. In an investor webcast announcing the SafeNet acquisition, Gemalto CEO Olivier Piou stated that within the market for such devices, “We have a very different distribution channel and type of customer. We very seldom compete against each other...”

Gemalto is also quite active outside the banking/financial sector.

In 2010, Gemalto acquired Cinterion, maker of wireless radios for cellular communications in embedded devices such as vehicles and industrial machinery. And in 2011, Gemalto acquired the assets of SensorLogic, a cloud-based service delivery platform for M2M devices. (At the time of the SensorLogic acquisition, that company had been on shaky financial grounds, and notably Gemalto did not acquire the SensorLogic company and its debts.)

With the SafeNet acquisition, Gemalto has assembled yet another piece of an end-to-end IoT/M2M solution.

In March 2014, VDC published a “Security Vendor Profile” on SafeNet. In that analysis, we noted:

“SafeNet has been in the information security business for nearly as long as there has been an information security business. Within its designated areas of focus — authentication, encryption, and software monetization — its depth of expertise is likely unmatched elsewhere. Currently, SafeNet’s solutions are suited primarily to enterprise data centers for authentication and encryption, and embedded devices based on PC hardware [e.g. ATMs and gaming machines] for software monetization. VDC believes that SafeNet could leverage its expertise to become a major provider of similar technologies in the smaller embedded device market. If the company can scale down some of its offerings to make them better suited to devices at the outer edges of the Internet of Things, SafeNet has the potential to scale up its business considerably.”

The Gemalto acquisition positions SafeNet to do what we suggested in that analysis.

Within Gemalto, VDC believes that SafeNet’s technologies could be applied particularly well in the automotive and vehicle telematics markets, where device authorization and data encryption are critical to vehicle-to-infrastructure (and forthcoming vehicle-to-vehicle) wireless communications. The combined Gemalto/SafeNet business has the potential to become a major player, for example, in the market for automotive Hardware Security Modules, competing with the likes of automotive powerhouse Bosch (and its security subsidiary ESCRYPT). What’s uncertain, however, is whether Gemalto will seek to take SafeNet in such a direction.

In his webcast announcing the SafeNet acquisition, Gemalto CEO Olivier Piou did not mention the automotive market, focusing on the payment/identity and mobile phone markets, leaving vague (presumably by intention) the company’s plans for its newest subsidiary in the rest of the IoT.

08/07/2014

IoT Lessons from the Russian CyberVor Hacking

Widely reported during the first week of August was the revelation that a group of Russian hackers known as CyberVor had amassed a database of 1.2 billion usernames and passwords, as well as more than 500 million email addresses. The New York Times originally broke the story, based on findings from the firm Hold Security. Unlike the Target retail data breach of late 2013 and the more recent eBay breach, CyberVor’s loot is not the result of one or two large breaches, but rather a large number of breaches of all sizes. Hold Security says that the data came from 420,000 websites, ranging from large household-name dotcoms down to small sites. Most of the sites were breached using SQL injection techniques through malware infecting the computers of unwitting legitimate users.

Breaches of major websites or retailers tend to be highly concentrated, narrowly focused efforts, whereas the database collected by CyberVor appears to be the result of casting a very wide (bot)net, trawling the world wide web for anything the group could catch.

What lessons can the CyberVor revelation teach us (or reinforce) about the Internet of Things?

Lesson #1: No IoT site (either physical or virtual) is too small to be attacked. Many users are tempted to think, “Why would anyone bother to hack my little IoT network?” The answer is, “Because they can.”

Lesson #2: Even data that has little or no value to hackers on its own may have value when aggregated.  If you think your data is worthless to others, you’re probably wrong. Big data is comprised of a whole lot of little data.

Lesson #3: Authorized users or devices are not necessarily safe just because they are authorized. Follow the principle of least privilege, in which users or devices only have access to the minimum amount of data and system resources necessary to perform their functions.

Lesson #4: Monitor your networks for atypical or unexpected movements of data. This is challenging in practice, because valid usage occasionally may not follow past patterns. Nevertheless, at a minimum the system should have a way to throw up a red flag if a user or device is attempting to copy large portions of a database.
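One way to raise the red flag Lesson #4 asks for, as an added example that is not from the original post: a sliding-window check over database audit-log lines that alerts when one user or device reads more than a set fraction of a table. The log format, principal names, table sizes and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines: timestamp, principal, table, rows returned.
SAMPLE_LOG = """\
2014-08-05T09:00:02 sensor-gw-17 readings 40
2014-08-05T09:01:00 report-svc accounts 300
2014-08-05T09:05:02 sensor-gw-17 readings 40
2014-08-05T09:10:00 web-app-3 accounts 200
2014-08-05T09:10:02 sensor-gw-17 readings 40
2014-08-05T09:12:00 web-app-3 accounts 200
2014-08-05T09:14:00 web-app-3 accounts 200
2014-08-05T09:16:00 web-app-3 accounts 200
2014-08-05T09:30:00 report-svc accounts 300
"""

# Assumed current row counts per table.
TABLE_ROWS = {"readings": 10000, "accounts": 2000}


def parse(line):
    ts, principal, table, rows = line.split()
    return datetime.fromisoformat(ts), principal, table, int(rows)


def bulk_read_alerts(lines, table_rows, window=timedelta(minutes=10),
                     max_fraction=0.25):
    """Return (time, principal, table, rows_in_window) for each episode in
    which one principal read more than max_fraction of a table within window.

    Rows are counted as returned, so re-reading the same rows also counts;
    that errs towards a false alarm rather than a missed bulk copy.
    """
    recent = defaultdict(deque)  # (principal, table) -> (timestamp, rows)
    totals = defaultdict(int)    # rows currently inside the window
    alerted = set()              # keys with an open, already reported episode
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, principal, table, rows = parse(line)
        if table not in table_rows:
            continue  # no size known for this table, nothing to compare with
        key = (principal, table)
        limit = max_fraction * table_rows[table]
        events = recent[key]
        # Drop reads that have aged out of the window.
        while events and ts - events[0][0] > window:
            totals[key] -= events.popleft()[1]
        if totals[key] <= limit:
            alerted.discard(key)  # previous episode is over, re-arm
        events.append((ts, rows))
        totals[key] += rows
        if totals[key] > limit and key not in alerted:
            alerted.add(key)
            alerts.append((ts, principal, table, totals[key]))
    return alerts


if __name__ == "__main__":
    for alert in bulk_read_alerts(SAMPLE_LOG.splitlines(), TABLE_ROWS):
        print(alert)
```

With the default threshold only `web-app-3` is flagged; lowering `max_fraction` also flags the legitimate report job, which is the tuning problem the lesson warns about.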

Lesson #5: Don’t neglect the basics. SQL injection attacks as well as buffer overflows and cross-site scripting are common and easily preventable. Most software code analysis tools can check for vulnerabilities to such attacks early in the development process.

Lesson #6: Conduct independent penetration tests on your devices and networks. If you think that your own engineers already have covered every possible attack vector, you’re probably wrong. You need outside eyeballs incentivized to find flaws without concern about stepping on coworkers’ toes.

And lastly, Lesson #7: At the risk of stating the obvious, encrypt your data. Any database that is accessible either directly or indirectly from the Internet is worth encrypting. Passwords in particular are keys to the kingdom. Store them only as salted hashes computed with strong algorithms. There is never a valid reason to store passwords in plain text.
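Lessons #5 and #7 meet in the credential store. The sketch below is an added example, not from the original post: it uses an in-memory SQLite table with made-up users and an assumed PBKDF2 work factor, puts a string-concatenated lookup beside its parameterized form, and stores passwords as per-user salted hashes.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to hardware)


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pwhash BLOB NOT NULL)")
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(db, name, password):
    salt = os.urandom(16)  # fresh random salt per user
    db.execute("INSERT INTO users (name, salt, pwhash) VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))


def verify_password(db, name, password):
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        # Do the same work for unknown users so timing does not reveal them.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def find_user_concatenated(db, name):
    # Vulnerable pattern, kept for contrast: input becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [r[0] for r in db.execute(sql)]


def find_user_parameterized(db, name):
    # Hardened form: the driver passes the input as data, never as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [r[0] for r in db.execute(sql, (name,))]


def stored_hashes(db):
    return [r[0] for r in db.execute("SELECT pwhash FROM users ORDER BY name")]


if __name__ == "__main__":
    db = open_store()
    add_user(db, "alice", "correct horse")
    add_user(db, "bob", "correct horse")
    crafted = "x' OR '1'='1"  # classic tautology input
    print("concatenated :", find_user_concatenated(db, crafted))
    print("parameterized:", find_user_parameterized(db, crafted))
    print("same password, different stored hashes:",
          len(set(stored_hashes(db))) == 2)
    print("login ok:", verify_password(db, "alice", "correct horse"))
```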

If the websites breached by CyberVor already had learned these lessons, the hack wouldn’t even have been newsworthy.

For more insights into IoT security issues, check out VDC’s research program on Security & the Internet of Things.

07/22/2014

VDC Research is attending Agile2014 in Orlando July 28-29

We are attending the Agile2014 conference in Orlando

Agile2014 is organized by the Agile Alliance, and it is intended to promote the principles of Agile and serve as an opportunity for all of the foremost experts and innovators in the field to come together. The conference boasts over 240 talks and workshops across 16 program tracks and over 1,800 attendees. For more information about Agile2014 and to register for the event, click here.

Make sure to attend the Industry Analyst Panel Discussion: Agile Trends and Future Directions on Tuesday, June 29 to see VDC’s Chris Rommel speak on the panel.

 

“The improved communication and expanded collaboration of Agile software development is helping early adopters discover new engineering synergies and increase their planning predictability. There is wider recognition for the effectiveness of more flexible and iterative strategies such as Agile and cross-engineering domain integration in addressing systems development challenges and rapidly responding to shifting customer needs or market expectations. Better management of design interdependencies through cross-domain integration can often increase operational efficiencies, resulting in cost savings. Use of these methods helps organizations further advance toward a continuous engineering approach, accelerating the pace of software content creation.”

-From André Girard, VDC Research

 

Contact us directly to schedule a meeting!

We would like to learn more about your company’s solutions and personal experiences, and we welcome the opportunity to meet attending vendors. VDC will be at the conference on Monday, June 28 and Tuesday, June 29. Please contact us directly if you would like to arrange a meeting.

Contact André Girard, Senior Analyst, M2M Embedded Technology Practice, VDC Research Group at agirard@vdcresearch.com or 508.653.9000 x153.

About VDC Research

VDC has been covering the embedded systems market since 1994 and the use of lifecycle management solutions since 2000. To learn more about VDC’s coverage of Software and System Lifecycle Management Tools, check out our website here, and to see what other research and products are offered by VDC Research’s Embedded Software & Tools practice, click here.

 

-Patrick McGrath

Research Associate, VDC Research

07/21/2014

VDC Embedded Jama Software Webinar

How to Understand Requirements Management to Develop and Deliver Faster

For Embedded Systems Developers, Time to Market is Critical. Learn the No. 1 Strategy to Develop and Deliver Faster.

During this free webinar on Wednesday, July 23 at 1:00pm ET / 10:00am PT, VDC Research analyst André Girard and Jama Software co-founder Derwyn Harris will present on the growing necessity for requirements management (RM) tools in the face of today’s increasingly complex code bases, distributed development teams, and stricter budgets.

OEMs are facing constant pressure for innovation even with tight budgets, and they are dedicating more of their resources towards software development. Despite the importance of well-written requirements in the software development lifecycle, usage rates of RM tools are still dangerously low, with only 23% of embedded engineers polled by VDC in 2014 indicating they were using a formal RM solution on their current project. To meet demands for an accelerated pace of software content creation, developers will need to better utilize RM tools to monitor and manage the development lifecycle from beginning to end.

This webinar will explore: 

  • How has the software development process changed? 
  • What challenges are OEMs facing today? 
  • How do RM tools help deal with these challenges? 
  • How can RM tools save time and money for OEMs?

Tune in to this webinar to learn the answer to these questions and more. Those who register for this webinar will also receive a free copy of VDC Research’s report, “Pinching Pennies on Requirements Management is Too Costly”, by André Girard.

Click here to register for the webinar. To learn more about the research and products offered by VDC Research’s Embedded Software & Tools practice, click here.

 

Patrick McGrath

Research Associate, VDC Research

06/18/2014

IoT Necessitates Changes in Both People and Technology

The requirements of the devices composing the Internet of Things are changing rapidly. The embedded market no longer consists of dedicated-purpose devices that may or may not be connected. Engineering organizations and deploying enterprises must now design scalable system topologies that can integrate new devices and adapt to the IoT’s evolution. While these next-generation systems are required to facilitate downstream device/node management as well as efficient upstream data transfer and analytics, they must also do so dynamically, allowing for more intelligence and flexibility in node role and workloads within sub-network architectures.

This recognition of a need for change in legacy technologies can already be seen in the shift in programming languages used by embedded engineers. In the past five years, the percentage of engineers using Java in the embedded market has more than doubled. Embedded industry stalwarts such as C will certainly maintain a substantial footprint going forward given the existing software assets and expertise at OEMs, but the results confirm that the market is rapidly looking to new and/or multi-language development to satisfy the requirements of next-generation projects.


IoT Skill Set Gap Exacerbated by Existing Embedded Resource Gap

The existing embedded engineering resources unfortunately cannot keep pace with the IoT’s time-to-market and content creation requirements. Already this community has been struggling to meet the needs of pre-IoT development projects. Now, the industry is faced with a dynamic in which not only does it need more efficiency, but the existing population of embedded engineers also cannot scale organically to meet the new software content creation requirements. Today, there are just over 1 million embedded engineers globally, with only 35% of that community holding software engineering-specific primary roles. In order to adapt to the new IoT development demands and respond to this dearth of traditionally skilled resources, OEMs must look to new labor pools.

The global Java community, which is estimated to consist of approximately 9 million developers, offers an opportunity to draw upon an increasingly relevant labor and expertise pool. The value of traditional embedded engineering skill sets has already been partially devalued due to IoT system evolution. Now, knowledge of connectivity stacks and UI development often must be placed at a premium over skills such as footprint optimization. Furthermore, technology like Java’s virtual machines creates an abstraction layer that can reduce hardware dependencies and the subsequent rework and optimization that would have previously required more traditional embedded firmware engineers. Despite the already rapid adoption of Java (by embedded standards), we believe that the impending blurring of the distinction between embedded and IT Java developers will reinforce the technology’s adoption and relevance going forward. The wide access to the existing ecosystem of Java tools and third-party software, combined with a growing embedded partner ecosystem spanning semiconductor/IP companies, tool, and hardware/system manufacturers will no doubt further reduce switching costs and any lingering reservations held within many embedded industries.

We will be exploring the business and technical impact of the IoT in a webcast tomorrow with Oracle:

Date: Thursday, June 19, 2014 

Time: 9:30 AM PDT, 12:30 PM EDT, 17:30 GMT

Join this webcast to learn about:

  • Driving both revenue opportunities and operational efficiencies for the IoT value chain
  • Leveraging Java to make devices more secure
  • How Java can help overcome resource gaps around intelligent connected devices
  • Suggestions on how to better manage fragmentation in embedded devices

Register here:

http://bit.ly/1oOuuS9

06/16/2014

PTC Acquires Atego, Broadens ALM Support for Product Development

What happened?

PTC (NASDAQ: PTC) announced today it has entered into a definitive agreement to acquire Atego, a leading developer of model-based systems and software engineering applications based in the UK, for $50 million in cash. The transaction is expected to be completed in PTC’s fiscal fourth-quarter 2014, which begins in July. According to PTC’s press release, Atego had approximately $20 million in revenue over the course of the past 12 months, and the company expects it will achieve approximately $5 million in revenue from Atego in PTC’s fiscal fourth-quarter 2014.

VDC’s View

Several recent acquisitions by PTC have targeted services lifecycle management (SLM). The combination of PTC’s SLM portfolio and their IoT capabilities through ThingWorx provides an impressive depth and breadth of solutions for extending customer relationships post-deployment.

This newest addition of modeling tools from Atego strengthens PTC’s portfolio of product lifecycle management and application lifecycle management solutions and helps reinforce a systems engineering focus. Atego’s Model-Based Systems Engineering solutions connect requirements engineering, architecture modeling, physical product definition, and system verification functions.

Today’s smart, connected products depend on the tight integration of sophisticated components from multiple engineering domains, raising the value proposition of increased cross-discipline coordination and communication. The combination of Artisan Studio from Atego with their existing tooling portfolio enables PTC to offer solutions that help their customers increase efficiency and product standardization in embedded industries where increasingly connected products are created from systems of complex mechanical, electrical, and software systems.

Stay tuned here for further insight in the coming days.

VDC will be exploring these and other trends in greater depth within our upcoming Software & System Lifecycle Management Tools research program.  Please contact us for additional information.

 

By Patrick McGrath (Research Assistant, M2M & Embedded Technology) and André Girard (Senior Analyst, M2M & Embedded Software)

 
