Mobile Platform Security Architectures A perspective on their evolution
N. Asokan Kari Kostiainen
1 NA, KKo, JEE, Nokia Resarch Center 2011-2012 Introduction Recent interest in smartphone security
2 NA, KKo, JEE, Nokia Resarch Center 2011-2012 Jan 2011? Introduction Recent interest in smartphone security
3 Oct 2012 Introduction Securing smartphone application platforms: challenges
Smartphones “Feature phones” PCs Open software platforms Third party software Java ME Internet connectivity Packet data, WiFi Personal data Location, contacts, communication log Risk of monetary loss ? Premium calls
Is smartphone platform security different?
4 Outline Outline
• A bit of background on requirements for securing mobile phones • Basics on hardware security enablers • Comparison of modern mobile (software) platform security architectures • Discussion: open issues and summary
5 Background
6 Background Platform security requirements for mobile phones Mobile network operators; Regulators; 1. Subsidy locks immutable ID 1. RF type approval secure storage 2. Copy protection device 2. Theft deterrence immutable ID authentication, app. separation 3. … 3. …
End users; 1. Reliability app. separation 2. Theft deterrence immutable ID 3. Privacy app. separation Closed Open 4. … Different Expectations compared to the PC world
7 Background Early adoption of hardware and software security GSM 02.09, 1993
3GPP TS 42.009, 2001
Different starting points: widespread use of hardware and software platform security
~2001 ~2002 ~2005 ~2008
8 Hardware security enablers
9 Hardware security Hardware support for platform security
E.g., Public key serial hash number Trust root Base identity
Crypto Library Start of boot code Boot sequence (ROM) Basic elements in TCB for platform software immutable storage
10 Hardware security Secure bootstrapping
Code certificate Boot code hash
Validate and Trust root Base identity execute
Crypto Library
Boot sequence Secure boot (ROM) Ensure only authorized boot TCB for platform software image can be loaded
Launch platform boot code
11 Hardware security Identity binding
Identity certificate Code certificate Base identity Boot code hash Assigned identity
E.g., IMEI, link-layer addresses, …
Trust root Base identity
Validate and accept Crypto Library assigned ID
Boot sequence (ROM) Secure boot Securely assign different TCB for platform software identities to the device
Launch platform boot code
12 Hardware security Trusted execution environment (TEE)
Identity certificate Code certificate Boot code hash Base identity Validate and execute Assigned identity Code certificate
TEE code hash Isolated Why?How? execution
Trust root Base identity TEE
Basis for secure Crypto Library Device key external storage
Boot sequence TEE code Secure boot (ROM)
TCB for platform software
Launch platform boot code TEE API
Authorized13 execution of arbitrary code, isolated from the OS; access to device key Hardware security Secure state
Identity certificate Code certificate Base identity Boot code hash
Assigned identity Code certificate TEE code hash Authenticated boot
Trust root Base identity Configuration TEE register(s)
Crypto Library Device key
Boot sequence TEE code Secure boot (ROM)
TCB for platform software
Launch platform boot code TEE API
14 Hardware security
Secure boot vs Authenticated boot
…
…
OS Kernel checker pass/fail OS Kernel measurer
Boot block checker pass/fail Boot block measurer
Boot seq. checker pass/fail Boot seq. measurer state
Trust root TCB TCB
Root of Trust for measurement
15 Hardware security Secure state
Identity certificate Code certificate Base identity Boot code hash
Assigned identity Code certificate Authenticated boot, Securing TEE code hash TEE sessions
Why?How? Trust root Base identity Configuration TEE register(s)
Crypto Library Device key Non-vol. memory TEE code or Boot sequence counter Secure boot (ROM)
TCB for platform software Rollback protection for persistent secure storage Launch platform boot code TEE API 16 Integrity-protected state within the TEE Hardware security Device authentication External trust root Identity certificate Code certificate Boot code hash Base identity Device certificate Assigned identity Code certificate Identity TEE code hash Public device key
Device authentication, secure provisioning, Trust root Base identity Configuration TEE attestation register(s)
Crypto Library Device key Non-vol. memory TEE code or Boot sequence counter Secure boot (ROM)
TCB for platform software
Launch platform boot code TEE API
17 Prove device identity or properties to external verifier Hardware security Hardware platform security features: summary • Secure boot: Ensure only authorized boot image can be loaded • Authenticated boot: Measure and remember what boot image was loaded • Identity binding: Securely assign different identities to the device • Secure storage: protect confidentiality/integrity of persistent data • Isolated execution: Run authorized code isolated from the device OS • Device authentication: Prove device identity to external verifier • Remote attestation: Prove device configuration/properties to external verifier
18 Hardware security Architectural options for realizing TEEs
External External External Memories Memories Memories
Crypto On-SoC Crypto On-SoC Crypto On-SoC RAM Accelerators RAM Accelerators RAM Accelerators
Processor Processor Processor core(s) core(s) core(s)
ROM Peripherals ROM Peripherals ROM Peripherals
OTP Fields OTP Fields OTP Fields On-chip Security Subsystem
External Security Co-processor
External Secure Element Embedded Secure Element Processor Secure Environment
TEE component
19 Figures taken from “GlobalPlatform Device Technology, TEE System Architecture”, Version 1.0, December 2011 Hardware security Hardware security architectures (mobile)
ARM TrustZone and TI M-Shield
• Augments central processing unit: “Secure processor mode”
• Isolated execution with on-chip RAM: Very limited (<20kB)
• Secure storage: Typically with write-once E-fuses
• Usually no counters or non-volatile memory: Cost issue
Processor Secure Environment
20 Hardware security Hardware security architectures (TCG)
• Trusted Platform Module (TPM) −Standalone processor on PCs −Isolated execution for pre-defined algorithms −Arbitrary isolated execution with DRTM (“late launch”) −Platform Configuration Registers (PCRs) −Monotonic counters External Secure Element
• Mobile Trusted Module (MTM) −Mobile variant of TPM −Defines interface −Implementation alternatives: TrustZone, M-Shield, software
21 Hardware security Uses of hardware security
• Recap from features −Secure/authenticated boot −Identity binding/device authentication −Secure storage −Remote attestation
• Uses of hardware security (device manufacturer) −Device initialization −DRM −Subsidy lock
• How can developers make use of hardware security? −an example in the second part of this seminar 22 Software platform security
23 Software Platform security Open mobile platforms
• Java ME ~2001 • Android ~2007 −For “feature phones” −Linux-based OS −3 billion devices! −App development in Java −Not supported by most smartphone platforms • MeeGo ~2010 −Linux-based OS • Symbian ~2004 −App development in C++ (Qt) −First “smartphone” OS −MSSF (Intel Tizen) −App development in C++ (Qt) • Windows Phone ~2010 −App development in .NET
24 Software Platform security Mobile platform security model
• Common techniques −Application signing −Permission-based access control architecture −Application isolation
• Common operations 1. Permission request 2. Application signing 3. Application installation 4. Application loading 5. Run-time access control enforcement
25 Step 1: Developer publishes an application Software Platform security
Developer Developer requests permissions for his application Developer submits the application to a centralized marketplace
Centralized Auxiliary Some platforms marketplace marketplaces support auxiliary In some platforms the marketplaces application can be directly pushed to the mobile device
Mobile device
TCB
26 Step 2: Marketplace signs the application Software Platform security
Developer In some platforms the developer signs the application
Marketplace provider checks the application (and Centralized Auxiliary requested permissions) and marketplace marketplaces signs it
Mobile device
TCB
27 Step 3: Application installation Software Platform security Installer may request the Developer user to accept some of the requested permissions
User Centralized Auxiliary marketplace marketplaces Mobile device receives an application installation package from a marketplace (or developer)
Mobile device
Installer consults local After these checks, the policy database about installer assigns these TCB requested permissions permissions to the application
Application Policy permission Application Installer database database
Installer stores Installer checks application application signature and permissions Secure Platform requested storage integrity integrity permissions
Permission and policy Application installer databases need integrity component needs integrity 28 protection protection Step 4: Application loading Software Platform security
Developer
User Centralized Auxiliary marketplace marketplaces
Mobile device Loader attaches permissions to the Application started process
TCB
Application Policy permission Application loader Application Installer database database
Loader reads permissions from the permission database Secure Platform storage integrity integrity
Also loader component 29 needs integrity protection Step 5: Application execution Software Platform security
Developer
User Centralized Auxiliary marketplace marketplaces OS/HW isolate applications from one another at runtime
Mobile device Application Application Application
TCB Reference monitor
Application Reference monitor controls access to permission Policy Application Installer Application loader system resources database database Some applications need Some applications need device identification with permissions secrecy for their persistent (e.g., DRM) storage
secrecy Platform Secure Secure Device Random integrity storage state identification integrity Some applications may also need source of Some applications randomness need secure state 30 (e.g., DRM) Step 6: System updates Software Platform security
Developer
User Platform provider Centralized Auxiliary marketplace marketplaces
Platform providers issues (signed) system updates
Mobile device Application Application Application
System updater verifies TCB received update using policyReference database monitor
Application Application Installer Policy permission Application loader database database System updater System updater rewrites parts of system software
secrecy Platform Secure Secure Device RandomSystem updates may integrity storage state identification need device integrity identification
System updates need secure 31 state to prevent rollbacks to previous system version Recap – main techniques Software Platform security
Developer 1. Permission request
User Platform provider Centralized Auxiliary marketplace marketplaces 2. Application signing
5. Application isolation Mobile device Application Application Application
6. API to system functionality 4. Permission-based OS (e.g. secure storage) access control Reference monitor
Application Application Installer Policy permission Application loader 3. Permission database database assignment System updater
secrecy Platform Secure Secure Device Random integrity storage state identification integrity
32 Software Platform security Software platform security design choices
Device boot − How is platform integrity verified? Application development and installation − How finely are access control policies defined? − What is the basis for granting permissions? Application installation − What is shown to the user? Application runtime − How is the integrity of installed applications protected? − How can applications protect the confidentiality and integrity of their data? Application updates − How is a new version of an existing application verified?
33 Software Platform security OS bootstrapping
Is hardware security used to secure OS bootstrapping?
Symbian Java ME Android MSSF Windows Phone Secure boot Not applicable Typically no Authenticated boot: Secure boot “Normal mode” vs “Developer mode”
39 Software Platform security Permission granularity
How finely is access control defined?
Symbian Java ME Android MSSF Windows Phone Fixed set of Fine-grained Fine-grained Fine-grained Fixed set of “capabilities” (21) permissions permissions (112) resource-tokens “capabilities” (16) (many) Linux access Linux access control control
Android and MSSF: Each application is installed under a separate Linux UID
40 Software Platform security Permission assignment (basis)
What is the basis for granting permissions?
Symbian Java ME Android MSSF Windows Phone 4 categories Trusted signatures 4 protection Trusted signatures Trusted signatures for protection levels Trusted signature domains Local policy file (user prompt for (also user prompts) location) 4 permission modes
User Blanket, Normal (automatic) System, Session, Dangerous (user-granted) Restricted, One-shot, Signature (developer-controlled) Manufacturer No SystemOrSignature (Google-controlled)
41 Software Platform security Permission assignment (user prompting)
Symbian Java ME Android Windows Phone Capability description Function group Permission group User prompted only for • 21 capabilities description description location capability • 15 groups • 11 groups
E.g., LOCATION,
E.g.,Read user data, NETWORK, Use network, Access E.g., NetAccess ACCOUNTS, … positioning, … PhoneCall Location, …
Only LOCATION
42 What is shown to the user? Skip to “Application Updates” Software Platform security Permission assignment (timing)
When are permissions assigned to a principal?
Symbian Java ME Android MSSF Windows Phone Install-time Run-time prompts Install-time Install-time Install-time assignment assignment assignment assignment Run-time privilege shedding possible
Symbian and MSSF: Permissions of app loading a DLL is a subset of permissions of DLL
43 Software Platform security Access control policy
How does a resource declare the policy for accessing it? How is it enforced?
Symbian Java ME Android MSSF Windows Phone Declare in code [System resources] Declare in manifest Declare in manifest [System resources] Enforced by VM Enforced by VM Enforced by IPC Enforced by VM Enforced by Smack framework or code or via libcreds
44 Software Platform security Application identification
How are applications identified at install and runtime?
Symbian Java ME Android MSSF Windows Phone Install and run- Install: Install: Install: Install and run- time: • Signing key • Signing key • Software source time: • Protected range • Midlet attributes (signing key) • Unique ID SID and VID Runtime: • Package name (assigned by (managed) • Unix UID marketplace) • UID (unmanaged) • Package name Runtime: (locally unique) • Software source • Package name • Application ID
45 Software Platform security Application integrity
How is the integrity of installed applications protected?
Symbian Java ME Android MSSF Windows Phone Dedicated Java sandboxing Java sandboxing IMA, Smack .NET sandboxing directory Linux access Offline protection control with EVM and TEE
Integrity Measurement Architecture (IMA) store hash of file (in extended attribute security.ima) and verify on launch Extended Validation Module (EVM) store MAC of all extended attributes (in security.evm) and verify on access
46 Software Platform security Application update
How is a new version of an existing application verified?
Symbian Java ME Android MSSF Windows Phone Protected SID/VID: Signed midlets: “Same origin” policy “Same or higher Trusted signature • trusted signature • “same-origin” origin” policy policy Rest: • no controls Unsigned midlets: • user prompt
47 Software Platform security Application data protection
How can applications protect the confidentiality and integrity of their data?
Symbian Java ME Android MSSF Windows Phone Runtime: Runtime: Runtime: Runtime: Runtime: • private • private record • dedicated UID • fine-grained • private directory stores • file system data caging directory
Off-line: Off-line: • private secure • private secure storage storage
48 Discussion
49 Discussion Recurring themes (hardware enablers)
• Hardware-support for platform security −Cambridge CAP etc. (~1970’s) Extended to Processor Secure Environments
• Hardware-assisted secure storage • Secure and authenticated boot −Academic research projects (mid 1990’s) −TCPA and TCG (late 1990’s) Extended (private secure storage for applications) Adapted (normal vs. developer mode in MSSF)
50 Discussion Recurring themes (software platforms)
• Permission-based platform security architectures −VAX /VMS privileges for user (~1970’s) Adapted for applications −Code signing (mid 1990’s) Used for application installation
• Application/process isolation
51 Discussion Open issues
• Permission granularity −Coarse-grained permissions vs. principle of least privilege
−Fine-grained permissions vs. user/developer confusion [Felt et al, CCS ‘12] • Permission assignment −Is it sensible to let end users make policy assignment decisions? [Chia et al, WWW ’12] [Felt et al, SOUPS ‘12]
• Centralized vetting for appropriateness −Can central authority decide what is offensive? −Can there be crowd-sourced alternatives? [Chia et al, Nordsec ’10, Amini et al, CMU ’12] • Colluding applications −How to detect/prevent applications from pooling their privileges? [Marforio et al, ETHZ ’11] [Schlegel et al, NDSS ’11] [Bugiel et al, NDSS ‘12]
52 Discussion Summary
• Mobile phone security −Requirements: operators, regulators, user expectations −Closed open −Early adaptation of hardware security mechanisms
• Platform security architecture 1. Application signing 2. Permission based access control 3. Application isolation −Many features borrowed or adapted
• Open issues remain…
• This tutorial is based on an earlier survey paper [Kostiainen et al, CODASPY 2011]; expanded version in preparation. 53