T-Systems. Secure Software Download

Size: px

Start display at page:

Download "T-Systems. Secure Software Download"

Herbert Wiggins
6 years ago
Views:

1 T-Systems. Secure Software Download A Maintenance Process? , Page 1

2 Reasons for Download Business chances / Critical questions Bug Fixes A software update for a security system is cheaper and faster than changing the hardware. How often is critical hardware changed? Enhancements for staying competitive Staying ahead while in the field for years enables a business field for downloads. Is it only software defining the technological progress? Modular Business Model Selling special features to customers on demand can enable new business models and markets. Are special features relevant to security systems? , Page 2

3 Updating Certified Software Is it an Option? Going through a CC certification process may easily take a year or more. Changing security relevant parts will require re-evaluation. How do new features impact on the security evaluation? A new component requires changing at least the HLD/TDS and its dependencies, i.e. results in a major re-evaluation. Only parts without security relevance can be updated freely How to define an appropriate structure? Maintenance upgrades are desirable Is impact analysis practical for core updates? How to define an appropriate infrastructure? , Page 3

4 Updates Assurance Continuity Module 1 Module 2 Module 3 Module 4 Secure System Module Module 1 Module 2 Module 3a Module 4 Secure System? Impact Analysis: Is the module / component TSP enforcing? Is it truly seperable? Is impact analysis at all practical? Side effects of weakly separable modules, e.g. same address space. Side effects of defining new behavior for internal interfaces , Page 4

5 Updates Assurance Continuity Module 1 Module 2 Module 3 Module 4 Secure System Module Module 1 Module 2 Module 3a Module 4 Secure System? Module 1 Module 2 Module 3 Module 4 Module 5 Secure System? Impact Analysis: Is it allowed to install the module on the system? Are all interfaces for new modules existing? , Page 5

6 Upgrade Dilemma Effects, Side-Effects and Domain Separation Component not enforcing TSP Safe to change at will. Strictly requires Security Domain Separation. Component supporting TSP Consistence of interfaces: allowing a new parameter can break an existing function, which relies on an error state. Analysis of side effects or FPT_SEP / ADV_ARC Security Domain Separation is the only clean solution , Page 6

7 Field downloads Assurance Continuity Module 1 Module 2 Module 3 Module 4 Secure System Module Module 1 Module 2 Module 3a Module 4 Secure System? Field upgrades are performed automatically in uncontrolled environments. Who is the sender? Is transmission correct? Is the module intended for this system? , Page 7

8 Field downloads Assurance Continuity Module 1 Module 2 Module 3 Module 4 Secure System Module Module 1 Module 2 Module 3a Module 4 Secure System? Module 1 Module 2 Module 3 Module 4 Module 5 Secure System? Is it allowed to install the module on the system in a particular configuration? The system must decide! , Page 8

9 Field downloads Security threats Integrity and Authenticity Organizational processes specified for class ADO (resp. ALC_DEL, AGD_PRE) during initial delivery must be mapped to technical means in terms of e.g. FDP_DAU Configuration management Following several updates the installation base will be heterogeneous. ACM_SCP (resp. ALC_CMS) virtually encompasses each instance of the TOE. The TOE will enforce e.g. FDP_ACC.2 based on roles and TOE actual configuration. Testing Testing could become infeasible. If e.g. a module was allowed to be installed in any configuration of the TOE, this also applies to future configurations , Page 9

10 Field downloads Business threats Liability Failure of critical systems can severely affect reputation and finance. Worse, if the failure was induced by third parties. Intellectual Property If software defines the technological benefit, updates may leak important, confidential IP. Piracy Software can be copied arbitrarily fast and often at almost no cost without greater knowledge. If there is a market for modules, there is a market for pirates , Page 10

11 Field upgrades Integrate data from unreliable sources How to maintain security, when we cannot rely on the update data? , Page 11

12 Crosstalk Requirements require each other Target System This is how it looks: Some Software shall go to a target system. Software Update , Page 12

13 Crosstalk Requirements require each other A closer look: Someone manages the process Target System Availability Customer Database OEM Business Case Software Update , Page 13

14 Crosstalk Requirements require each other Maintaining security: Choose the correct update Test in all configurations Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 14

15 Crosstalk Requirements require each other Maintaining security: Do you know that your database is on track with the actual configuration of each single target system? Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 15

16 Crosstalk Requirements require each other Maintaining security: Ensure that what you sent is what is installed! Integrity Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 16

17 Crosstalk Requirements require each other Confidentiality Protect IP: Keep confidential information away from pirates. Integrity Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 17

18 Crosstalk Requirements require each other Maintaining security: Ensure that what you sent there is what is installed there! Confidentiality Authenticity Integrity Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 18

19 Crosstalk Requirements require each other Protocols Confidentiality Authenticity Integrity Target System Availability Correctness Customer Database OEM Business Case Configuration Database Software Update , Page 19

20 Crosstalk Protocols define it all Protocols Cryptograpic and others TOE (Interfaces, capabilities) OEM Business Case Agents involved (Who to trust?) , Page 20

21 Crosstalk Protocols define it all Update Business Case Update Issuer TOE (Interfaces, capabilities) OEM Business Case Developers Personnel Data Centers Smart Media , Page 21

22 Roles The issuer defines it all Update Issuer Business Case User Installers & Transporters Hardware Developers Software Developers , Page 22

23 Technology Media and Packages On-Site The target is returned to the issuer for upgrade. Broadcasting The update package is identical for all clients. Delivery to target by uncontrolled sending of packages. On-Line Biderectional communication between issuer and target. Information can be collected, and the package can be created individually. Stored Back-Channel Some information collected on secure, smart medium , Page 23

24 Open System Case Study Open System Contains secure software Can be updated in the field Exists in various configurations Runs further software on the same platform Shall accept commodity software Domain separation Reliable software must not be affected by other modules. Distribution with back-channel Determine actual target configuration Mutually authenticate to counter men-in-the-middle , Page 24

25 Open System Case Study Open System Contains secure software Can be updated in the field Exists in various configurations Runs further software on the same platform Shall accept commodity software Domain separation Reliable software must not be affected by other modules. Distribution with back-channel Determine actual target configuration Mutually authenticate to counter men-in-the-middle , Page 25

26 Domain Separation Separation physical or virtual systems A 1 1 OS ARS HW Application1 (single module) Operating system (OS) maintaining resources Application registration service (ARS) Enforce software integrity / authenticity Hardware (HW) supports OS (protected mode) Segregating modules Keeping security through defined interfaces , Page 26

27 Domain Separation Separation physical or virtual systems A OS ARS HW 1 2 A A OS ARS HW Uncontrolled Application A3 OS manages all resources OS controls all IPC HW supports OS (MMU) A2 does not trust A3 Segregating modules Keeping security through defined interfaces , Page 27

28 Domain Separation Separation physical or virtual systems A OS ARS 1 2 A 1 A 3 A A 5 A OS ARS 4 OS ARS HW HW HW Segregating modules Keeping security through defined interfaces Divide and Conquer state-space of complex applications Let the Application Registration Service (ARS) manage configuration and update suitability , Page 28

29 Conclusion Some lessons learned Systems interact with users and some deployment infrastructure. These external factors may be even more important than the system itself. Never believe data at your interfaces, unless you can prove that the source is trustworthy and correct. Therefore, all kinds of closed loops are never to be believed! It is only the module, which can decide, whether data shall be accepted or not. It is only a superordinate instance, which can distinguish modules from each other. Segregation inside the same domain provides firewalls to mitigate single faults, components, which can be updated predictably , Page 29

30 Conclusion Feasible, but... Updating secure systems is a growing issue Update processes introduce complex security requirements Implementing an update process is primarily defining a (business) process, secondarily defining a system architecture, finally implement it correctly. Don't try to add an update feature in the end! Technical measures exist to mitigate trust implementation is non-trivial benefits exist also, if no updates are intended Proper implementation of security domain separation can allow for assurance continuity by a maintenance process instead of a re-evaluation , Page 30

31 Thank you. T-Systems Enterprise Services Dr. Lars Hanke, Dr. Igor Furgel , Page 31

Applied IT Security. Device Security. Dr. Stephan Spitz 10 Development Security. Applied IT Security, Dr.

Applied IT Security. Device Security. Dr. Stephan Spitz 10 Development Security. Applied IT Security, Dr. Applied IT Security Device Security Dr. Stephan Spitz Stephan.Spitz@gi-de.com Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security