How Australia’s Cog Systems is working to secure IoT

Cog Systems’ D4 Secure platform is finding a home in mobile and IoT devices around the world

Gartner expects that by 2021, there will be some 25 billion ‘connected things’ in use. With everything from children’s teddy bears to cars to medical implants now being at increasing risk of either infection by malware or a new means to exfiltrate data, it is not a surprise that the analyst firm expects that by 2021 worldwide spending on IoT will reach US$3.12 billion.

Australian-headquartered Cog Systems is one of the businesses working to help secure the exponentially growing Internet of Things (IoT). Cog’s D4 Secure is a microkernel-based platform that employs virtualization and a modular architecture to help lock-down a range of embedded systems as well as mobile devices designed to run the world’s most popular mobile operating system, Android.

D4 uses a Type-1 (bare metal) hypervisor based on an L4 microkernal. The system allows an OS, services such as a VPN and firewall, and even specific applications to be isolated.

That D4 is based on L4 microkernels is no surprise for several reasons — the widespread use in mobile devices is an obvious one but it also speaks to Cog’s heritage. Many of the founding members of the company were drawn from the engineering team at Open Kernel Labs, which was acquired by General Dynamics in 2012.

OK Labs, originally spun out of NICTA (the predecessor to the CSIRO’s Data61), developed the OKL4 microkernel, which is heavily employed by Cog. “It's a great production-proven hypervisor kernel,” says CEO Daniel Potts.

Cog, founded in 2014, also employs the (similarly NICTA-developed) open source seL4 microkernel. As well, Potts says that Cog is developing its “own capabilities that match requirements for commercial use cases”.

“From a technical standpoint, we try to encourage everyone to embrace a more modular approach to software architecture as opposed to monolithic, and to do that one of the key technology underpinnings of our solution is virtualization,” Potts says.

“One way of thinking of Cog is we’re really virtualization for IoT, so just like VMware is for cloud now—it's had massive success in the cloud — think of us as being virtualization for IoT.”

Cog Systems CEO Dr. Daniel PottsCredit: Cog Systems
Cog Systems CEO Dr. Daniel Potts

“In the operating system space alone, particularly for the little devices, there's probably over 400 real-time operating systems out there, so it's really, really fragmented — and then you've got your applications and your libraries and all that on top of that,” Potts adds.

“This is where virtualization's really cool: What it enables us to do is allow those legacy systems to run inside one of these modules, one of these virtual machines, so that the device-maker is able to reuse what they have — or they're able to choose really best-in-class software from the ecosystem, whether it’s open source or otherwise.”

The focus is squarely on the ARM architecture given its dominance in mobile and embedded systems.

The company’s initial reference product was a smartphone based on the HTC A9 handset. Although the handset still runs Android, the Google-developed OS runs on top of D4 Secure. Security policy enforcement takes place outside of Android, and in addition there is an isolated key store, a second layer of full disk encryption, and a VPN and firewall — also running outside of Android.

“We started that project really as a proof point, because it’s one of the hardest things to secure,” Potts says. “It has a very rich environment with Android and so on; it’s really quite demanding from a battery life point of view, and so we wanted to start with something very hard, to demonstrate that we could secure it using commercial off-the-shelf technology.”

For Cog in many ways it was “really about showing that you can do that with a very high-end device” as opposed to specifically trying to secure a mobile device, he says.

If the Android operating system is compromised, the damage is contained, he adds.

“We're not trying to make devices that are ‘unhackable’; rather what we're trying to do is contain the vulnerability or the exploit and build it in a way that a failure in one component doesn't mean a complete failure or access to whatever it wants.”

Encryption bill

Potts says that the company has been following the controversy in Australia over the Telecommunications and Other Legislation Amendment (Assistance and Access) Act — better known as the “encryption bill”. There have been concerns over a possible blowback for local companies in the security space; a recent survey of the cyber security sector found many businesses were concerned about the impact of the legislation.

Potts says that although he has been concerned about the potential effect because of Cog’s global customers, so far he hasn’t seen any impact. “We're spending a lot of effort internally in understanding really what the bill means and the amendments mean and mitigating against any commercial risks around that, so we actually think we're in good shape,” the CEO says.

Securing the IoT

Cog was started by OK Labs alumni looking to continue offering support to commercial customers that were trying to build secure devices, Potts says. The proliferation of IoT devices caught the founders’ attention, the CEO says.

“We were looking at that going, ‘Wow, if this trend in an increased number of connected devices continues, and they continue to be built the same way they have in the past — like mobile phones and laptops — then we’re going to have a problem,’” he explains.

He cites Gartner’s IoT forecast predicting massive growth in ‘connected things’.

“I think a few years ago they were quoting 200 to 300 per household by 2020, which sounds like a lot,” Potts says. “If you multiply sort of the failures you saw in the mobile phones back then [when Cog was founded] by 300, there's going to be a lot of failures.

“So we were worried about that. The success of the connected device ecosystem requires everything to be super-reliable, to not support running of malware — and if it does, it’s contained — so we saw the opportunity in the concern we had that it was just going to be a mess.”

Cog’s aim is to help device manufacturers build devices that have security embedded from the ground-up. Potts says many of the company’s customers are reluctant to be named because of the sensitivity of security, but they are known to have included General Dynamics and Northrop Grumman. Closer to home, South Australian startup Fleet Space Technologies is a customer.

“The motivation for our business is really to help the device manufacturers, the people building these devices, to help them build it better with a much better security posture,” Potts says. “We believe that by doing so, we really pave the way towards enabling them to innovate and build the next wave of really cool products that we’re starting to see now.”

In recent years the company has, almost literally, been a poster child for Australia’s cyber security industry — AustCyber (aka the Australian Cyber Security Growth Network) used Cog as an example in Australia’s first Cyber Security Sector Competitiveness Plan as a local business conducting world-leading R&D.

Potts says that Cog has benefited from AustCyber and other government-backed programs to promote the sector.

“I think in general selling cyber security software is really hard,” the CEO says. “If I look back a few years I think we were kind of crazy to try and do it, but since initiatives like AustCyber have kicked off it’s been night and day in terms of the support and awareness of cyber security issues in the public as well as the private sector.”

In addition to AustCyber being a “massive help” — Cog was one of the companies to benefit from a grants program run by the network — the business has benefited from the government’s landing pad program run by Austrade and AustCyber.


The company is continuing to invest heavily in R&D, Potts says.

“We have a very strong emphasis on really good secure code, and so we invest in things like formal methods — using maths and automation to write code with mathematical proofs for properties like correctness and behaviour,” the CEO says.

The other key area of investment by Cog is boosting the chipsets that the company’s platform can support to enable more device-makers to rapidly and cheaply leverage D4. Cog is also growing its sales force, he adds.

The company has been working with mobile device OEMs as well as chipset-makers to help enable Cog’s D4 Secure products on their platforms.

Potts says he is excited about the potential for the platform in a range of IoT verticals. One that Potts says he finds “super interesting” is robotics — both consumer and industrial.

“From a software architecture point of view, the interesting thing there is that a lot of these robots have existing operating systems with existing software stacks, but [manufacturers are] wanting to maybe combine that with something new,” he says.

“Obviously the cool thing with virtualization is you can start to consolidate the different chips, the different chipsets you might have that go into your product, into your robot. For example, if I've got some extra microcontrollers running alongside my big processor, we could virtualize what’s running on the microcontroller and run it on the big processor. That ends up being a cost reduction for them, so that’s an interesting space.”

While the CEO says Cog believes its platform holds relevance for most categories of connected device, naturally there is a “lot of firm attraction” in areas that are heavily regulated or where safety or security are paramount — areas such as automotive and medical devices. “There's all sorts of consumer use cases in terms of trying to protect IP assets or algorithms and that kind of thing,” Potts says.