Embedded System Security Mobile Hardware Platform Security

Transcription

1 1 Embedded System Security Mobile Hardware Platform Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Summer Term 2017

2 Acknowledgement This slide set is based on slides provided by Prof. N. Asokan, Aalto University, Finland

3 Overview General model for mobile platform security Key hardware security techniques and general architecture Example ARM TrustZone

4 Platform Security Architecture Mobile Device Third-party library Application Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software isolation Developer Platform Provider Administrator System Updater Device Management Boot Verifier Secure Storage Provider Policy Database Application Database Legacy DAC Application Installer Application Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality

5 Platform Security Architecture HW Security API Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication

6 Hardware Platform Security Trusted Execution Environment HW Security API Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication

7 What is a TEE? Execution Environment

8 What is a TEE? Processor, memory, storage, peripherals Execution Environment

9 What is a TEE? Processor, memory, storage, peripherals Trusted Execution Environment Isolated and integrity-protected From the normal execution environment (Rich Execution Environment)

10 What is a TEE? Processor, memory, storage, peripherals Trusted Execution Environment Isolated and integrity-protected Chances are that: You have devices with hardware-based TEEs in them! But you don t have (m)any apps using them From the normal execution environment (Rich Execution Environment)

11 TEE Overview 1. Platform integrity ( boot integrity ) 2. Secure storage 3. Isolated execution 4. Device identification 5. Device authentication REE App App Mobile OS TEE Trusted app Mobile device hardware Trusted OS Trusted app Verification root Cryptographic mechanisms Device certificate Identity Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication

12 Platform Integrity Boot code certificate Boot code hash Certified by device manufacturer: Sig SK (H(boot code)) M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Platform integrity Volatile memory Boot sequence Cryptographic mechanisms Launch boot code Verification root Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity Device identification

13 Launch boot code Platform Integrity Boot code certificate Boot code hash Mobile device hardware TCB Certified by device manufacturer: Sig SK (H(boot code)) M Device manufacturer public key: PK M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Device key K D Trusted Application Nonvolatile Stores measurements for (TA) authenticated boot memory TEE management Secure storage and isolated execution Base Signature identity verification algorithm Device identification

14 Secure Storage Sealed-data = AuthEnc K (data...) D Mobile device hardware TCB Insecure Storage Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Base identity Platform integrity Secure storage Device identification

15 Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Secure Storage Sealed-data = AuthEnc K (data...) D Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Insecure Storage Device key K D Nonvolatile memory Base identity Protected memory Rollback protection Encryption algorithm Platform integrity Secure storage Device identification

16 Isolated Execution Certified by device manufacturer TA code certificate TA code hash Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) Device key K D Nonvolatile memory Base identity Controls TA execution Platform integrity TEE management Secure storage and isolated execution Device identification TEE Entry from Rich Execution Environment

17 Device Identification Multiple assigned identities (Certified by device manufacturer) Identity certificate Base identity Assigned identity Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity One fixed device identity Device identification

18 Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Device certificate Identity Device public key PK D Device authentication

19 Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Sign system state in remote attestation Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile Used to protect/derive memory signature key Secure storage and isolated execution Device certificate Identity Device public key PK D Issued by device manufacturer Device authentication

20 Hardware Security Mechanisms (recap) 1. Platform integrity Secure boot Authenticated boot Identity certificate 2. Secure storage 3. Isolated execution Trusted Execution Environment (TEE) 4. Device identification 5. Device authentication Remote attestation Base identity Assigned identity Boot code certificate Boot code hash TA code certificate TA code hash External trust root Mobile device hardware TCB Legend Trust anchor (Hardware) Verification root Cryptographic mechanisms Device certificate Identity Trust anchor (Code) TEE code External certificate Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication Launch boot code TEE Entry from Rich Execution Environment

21 TEE System Architecture Device Rich execution environment (REE) App TEE API Device OS App Trusted execution environment (TEE) Trusted app TEE entry Trusted app TEE management layer Device hardware and firmware with TEE support Architectures with single TEE ARM TrustZone TI M-Shield Smart card Crypto co-processor Trusted Platform Module (TPM) Architectures with multiple TEEs Intel SGX TPM (and Late Launch ) Hypervisor

22 TEE Hardware Realization Alternatives External Peripherals Off-chip memory External Peripherals Off-chip Memory External Peripherals Off-chip Memory On-SoC On-SoC On-SoC RAM ROM Processor core(s) RAM ROM Processor core(s) RAM ROM Processor core(s) OTP Fields Internal peripherals OTP Fields Internal peripherals OTP Fields Internal peripherals On-chip Security Subsystem External Security Co-processor External Secure Element (TPM, smart card) Legend: SoC : system-on-chip OTP: one-time programmable Embedded Secure Element (smart card) Processor Secure Environment (TrustZone, M-Shield) TEE component

23 ARM TrustZone Architecture System on chip (SoC) On-chip memory Secure World and Normal World Modem Boot ROM Main CPU Memory controller Memory controller Interrupt controller Off-chip/main memory (DDR) Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture

24 ARM TrustZone Architecture System on chip (SoC) On-chip memory Secure World and Normal World Modem Access control hardware Boot ROM Main CPU Access control hardware Access control hardware SoC internal bus (carries status flag) Memory controller Memory controller Interrupt controller Off-chip/main memory (DDR) Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture

25 ARM TrustZone Architecture System on chip (SoC) On-chip memory Secure World and Normal World Modem Access control hardware Boot ROM Main CPU Access control hardware Access control hardware SoC internal bus (carries status flag) Memory controller Memory controller Interrupt controller Off-chip/main memory (DDR) Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture

26 ARM TrustZone Architecture System on chip (SoC) On-chip memory Secure World and Normal World Modem Access control hardware Boot ROM Main CPU TrustZone system architecture Access control hardware Memory controller Off-chip/main memory (DDR) Access control hardware Memory controller Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture SoC internal bus (carries status flag) Interrupt controller Normal world (REE) App App Mobile OS Device hardware TEE entry Secure world (TEE) Trusted app Trusted OS Trusted app

27 TrustZone Overview Normal World (NW) SCR.NS=1 SCR.NS=0 Secure World (SW) User mode User User Privileged mode Boot sequence SCR.NS := 1 Secure Monitor Call (SMC) Monitor SCR.NS := 0 Address space controllers TZ-aware MMU SW RO NW WO NW RW Legend: MMU: memory management unit On-chip ROM On-chip RAM Main memory physical address range

28 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) On-chip ROM Boot sequence Secure World On-chip RAM Main memory (off-chip)

29 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) On-chip ROM Boot sequence Secure World On-chip RAM Main memory (off-chip)

30 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) Boot sequence Secure World 2. Copy code and keys from on-chip ROM to on-chip RAM Secure World code (trusted OS) device key On-chip ROM On-chip RAM Main memory (off-chip)

31 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) Boot sequence Secure World 2. Copy code and keys from on-chip ROM to on-chip RAM Secure World 3. Configure address controller (protect on-chip memory) Secure World code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip)

32 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) Boot sequence Secure World 2. Copy code and keys from on-chip ROM to on-chip RAM Secure World 3. Configure address controller (protect on-chip memory) Secure World 4. Prepare for Normal World boot Secure World code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW

33 TrustZone Example (1/2) 1. Boot begins in Secure World mode (set access control) Boot sequence Secure World 2. Copy code and keys from on-chip ROM to on-chip RAM Secure World 3. Configure address controller (protect on-chip memory) Secure World 4. Prepare for Normal World boot Secure World code (trusted OS) device key code (boot loader) On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW

34 TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Secure World Normal World SCR.NS 1 SW NA An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) NW RW

35 TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Secure World Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) trusted app and parameters NW RW

36 TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Secure World Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) 7. Execute trusted application Normal World Secure World Monitor SMC, SCR.NS 0 trusted app and parameters NW RW

37 Secure Boot vs. Authenticated Boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware Secure Boot checker pass/fail Why? How will you implement a checker? - hardcode H(boot code) as reference value in checker (in Firmware)? Firmware measurer Authenticated Boot state aggregated hash Why? State can be: - bound to stored secrets (sealing) - reported to external verifier (remote attestation)

38 Mobile TEE Deployment TrustZone support available in majority of current smartphones Mainly used for manufacturer internal purposes Digital rights management, Subsidy lock APIs for developers? Normal world Secure world App App Mobile OS Trusted app Trusted OS Trusted app Smartphone hardware TEE entry

39 Android Key Store example Android Key Store API // create RSA key pair Context ctx; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx); spec.setalias( key1") spec.build(); KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore"); gen.initialize(spec); KeyPair kp = gen.generatekeypair(); // use private key for signing AndroidRsaEngine rsa = new AndroidRsaEngine("key1", true); PSSSigner signer = new PSSSigner(rsa, ); signer.init(true, ); signer.update(signeddata, 0, signeddata.length); byte[] signature = signer.generatesignature(); Elenkov. Credential storage enhancements in Android

40 Android Key Store Implementation Android device Selected devices Normal world Android app Android app Secure world Android 4.3 Nexus 4, Nexus 7 Java Cryptography Extensions (JCE) Android OS libqseecomapi.so ARM with TrustZone TEE entry Keymaster Trusted app Qualcomm Secure Execution Environment (QSEE) Keymaster operations GENERATE_KEYPAIR IMPORT_KEYPAIR SIGN_DATA VERIFY_DATA Persistent storage on Normal World Elenkov. Credential storage enhancements in Android

41 What Protects Hardware Platform Security? A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's tortoises all the way down! - Stephen Hawking, in A Brief History of Time