1 Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Summer Term 2016
Acknowledgement This slide set is based on slides provided by Prof. N. Asokan, Aalto University, Finland Slide Nr. 2, Lecture Secure, Embedded System Security, SS 2016
Overview General model for mobile platform security Key hardware security techniques and general architecture Example(s) ARM TrustZone Trusted Platform Module Slide Nr. 3, Lecture Secure, Embedded System Security, SS 2016
Platform Security Architecture Mobile Device Third-party library Application Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software isolation Developer Platform Provider Administrator System Updater Device Management Boot Verifier Secure Storage Provider Policy Database Application Database Legacy DAC Application Installer Application Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality Slide Nr. 5, Lecture Secure, Embedded System Security, SS 2016
Hardware Platform Security Trusted Execution Environment HW Security API Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication Slide Nr. 6, Lecture Secure, Embedded System Security, SS 2016
What is a TEE? Processor, memory, storage, peripherals Trusted Execution Environment Isolated and integrity-protected Chances are that: You have devices with hardware-based TEEs in them! But you don t have (m)any apps using them From the normal execution environment (Rich Execution Environment) Slide Nr. 7, Lecture Secure, Embedded System Security, SS 2016
TEE Overview 1. Platform integrity ( boot integrity ) 2. Secure storage 3. Isolated execution 4. Device identification 5. Device authentication REE App App Mobile OS TEE Trusted app Mobile device hardware Trusted OS Trusted app Verification root Cryptographic mechanisms Device certificate Identity Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication Slide Nr. 8, Lecture Secure, Embedded System Security, SS 2016
Platform Integrity Boot code certificate Boot code hash Certified by device manufacturer: Sig SK (H(boot code)) M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity Device identification Launch boot code Slide Nr. 9, Lecture Secure, Embedded System Security, SS 2016
Platform Integrity Boot code certificate Boot code hash Mobile device hardware TCB Certified by device manufacturer: Sig SK (H(boot code)) M Device manufacturer public key: PK M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Device key K D Trusted Application Nonvolatile Stores measurements for (TA) authenticated boot memory TEE management Secure storage and isolated execution Base Signature identity verification algorithm Device identification Launch boot code Slide Nr. 10, Lecture Secure, Embedded System Security, SS 2016
Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Secure Storage Sealed-data = AuthEnc K (data...) D Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Insecure Storage Device key K D Nonvolatile memory Base identity Protected memory Rollback protection Encryption algorithm Platform integrity Secure storage Device identification Slide Nr. 11, Lecture Secure, Embedded System Security, SS 2016
Isolated Execution Certified by device manufacturer TA code certificate TA code hash Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) Device key K D Nonvolatile memory Base identity Controls TA execution Platform integrity TEE management Secure storage and isolated execution Device identification Slide Nr. 12, Lecture Secure, Embedded TEE System Entry Security, SS from 2016 Rich Execution Mobile Hardware Environment Platform Security
Device Identification Multiple assigned identities (Certified by device manufacturer) Identity certificate Base identity Assigned identity Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity One fixed device identity Device identification Slide Nr. 13, Lecture Secure, Embedded System Security, SS 2016
Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Device certificate Identity Device public key PK D Device authentication Slide Nr. 14, Lecture Secure, Embedded System Security, SS 2016
Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Sign system state in remote attestation Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile Used to protect/derive memory signature key Secure storage and isolated execution Device certificate Identity Device public key PK D Issued by device manufacturer Device authentication Slide Nr. 15, Lecture Secure, Embedded System Security, SS 2016
Hardware Security Mechanisms (recap) 1. Platform integrity Secure boot Authenticated boot Identity certificate 2. Secure storage 3. Isolated execution Trusted Execution Environment (TEE) 4. Device identification 5. Device authentication Remote attestation Base identity Assigned identity Boot code certificate Boot code hash TA code certificate TA code hash External trust root Mobile device hardware TCB Legend Trust anchor (Hardware) Verification root Cryptographic mechanisms Device certificate Identity Trust anchor (Code) TEE code External certificate Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication Launch boot code TEE Entry from Rich Execution Environment Slide Nr. 16, Lecture Secure, Embedded System Security, SS 2016
TEE System Architecture Device Rich execution environment (REE) App TEE API Device OS App Trusted execution environment (TEE) Trusted app TEE entry Trusted app TEE management layer Device hardware and firmware with TEE support Architectures with single TEE ARM TrustZone TI M-Shield Smart card Crypto co-processor Trusted Platform Module (TPM) Architectures with multiple TEEs Intel SGX TPM (and Late Launch ) Hypervisor Slide Nr. 17, Lecture Secure, Embedded System Security, SS 2016
TEE Hardware Realization Alternatives External Peripherals Off-chip memory External Peripherals Off-chip Memory External Peripherals Off-chip Memory On-SoC On-SoC On-SoC RAM ROM Processor core(s) RAM ROM Processor core(s) RAM ROM Processor core(s) OTP Fields Internal peripherals OTP Fields Internal peripherals OTP Fields Internal peripherals On-chip Security Subsystem External Security Co-processor External Secure Element (TPM, smart card) Embedded Secure Element (smart card) Processor Secure Environment (TrustZone, M-Shield) Legend: SoC : system-on-chip OTP: one-time programmable Slide Nr. 18, Lecture Secure, Embedded System Security, SS 2016 TEE component
ARM TrustZone Architecture System on chip (SoC) On-chip memory and Normal World Modem Boot ROM Main CPU SoC internal bus (carries status flag) Memory controller Memory controller Interrupt controller Off-chip/main memory (DDR) Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture Slide Nr. 19, Lecture Secure, Embedded System Security, SS 2016
ARM TrustZone Architecture System on chip (SoC) On-chip memory and Normal World Modem Access control hardware Boot ROM Main CPU TrustZone system architecture Access control hardware Memory controller Off-chip/main memory (DDR) Access control hardware Memory controller Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture SoC internal bus (carries status flag) Interrupt controller Slide Nr. 20, Lecture Secure, Embedded System Security, SS 2016 Normal world (REE) App App Mobile OS Device hardware TEE entry Secure world (TEE) Trusted app Trusted OS Trusted app
TrustZone Overview Normal World (NW) User mode Privileged mode SCR.NS=1 User SCR.NS := 1 Secure Monitor Call (SMC) SCR.NS=0 User Monitor SCR.NS := 0 (SW) Boot sequence Address space controllers TZ-aware MMU SW RO NW WO NW RW Legend: MMU: memory management unit On-chip ROM On-chip RAM Main memory physical address range Slide Nr. 21, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (1/2) 1. Boot begins in mode (set access control) On-chip ROM Boot sequence On-chip RAM Main memory (off-chip) Slide Nr. 22, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM code (trusted OS) device key On-chip ROM On-chip RAM Main memory (off-chip) Slide Nr. 23, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip) Slide Nr. 24, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) 4. Prepare for Normal World boot code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW Slide Nr. 25, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) 4. Prepare for Normal World boot code (trusted OS) device key code (boot loader) On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW Slide Nr. 26, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) NW RW Slide Nr. 27, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) NW RW Slide Nr. 28, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) trusted app and parameters NW RW Slide Nr. 29, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) 7. Execute trusted application Normal World Monitor trusted app and parameters NW RW SMC, SCR.NS 0 Slide Nr. 30, Lecture Secure, Embedded System Security, SS 2016
TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) 7. Execute trusted application Normal World Monitor trusted app and parameters NW RW SMC, SCR.NS 0 Slide Nr. 31, Lecture Secure, Embedded System Security, SS 2016
Secure Boot vs. Authenticated Boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state Secure Boot Authenticated Boot Slide Nr. 32, Lecture Secure, Embedded System Security, SS 2016
Secure Boot vs. Authenticated Boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state aggregated hash Secure Boot Authenticated Boot Why? How will you implement a checker? - hardcode H(boot code) as reference value in checker (in Firmware)? Slide Nr. 33, Lecture Secure, Embedded System Security, SS 2016 Why? State can be: - bound to stored secrets (sealing) - reported to external verifier (remote attestation)
Mobile TEE Deployment TrustZone support available in majority of current smartphones Mainly used for manufacturer internal purposes Digital rights management, Subsidy lock APIs for developers? Normal world Secure world App App Mobile OS Trusted app Trusted OS Trusted app TEE entry Smartphone hardware Slide Nr. 34, Lecture Secure, Embedded System Security, SS 2016
Android Key Store example Android Key Store API // create RSA key pair Context ctx; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx); spec.setalias( key1") spec.build(); KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore"); gen.initialize(spec); KeyPair kp = gen.generatekeypair(); // use private key for signing AndroidRsaEngine rsa = new AndroidRsaEngine("key1", true); PSSSigner signer = new PSSSigner(rsa, ); signer.init(true, ); signer.update(signeddata, 0, signeddata.length); byte[] signature = signer.generatesignature(); Elenkov. Credential storage enhancements in Android 4.3. 2013. Slide Nr. 35, Lecture Secure, Embedded System Security, SS 2016
Android Key Store Implementation Android device Selected devices Normal world Android app Android app Secure world Android 4.3 Nexus 4, Nexus 7 Java Cryptography Extensions (JCE) Android OS libqseecomapi.so ARM with TrustZone TEE entry Keymaster Trusted app Qualcomm Secure Execution Environment (QSEE) Keymaster operations GENERATE_KEYPAIR IMPORT_KEYPAIR SIGN_DATA VERIFY_DATA Persistent storage on Normal World Elenkov. Credential storage enhancements in Android 4.3. 2013. Slide Nr. 36, Lecture Secure, Embedded System Security, SS 2016
What Protects Hardware Platform Security? A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's tortoises all the way down! - Stephen Hawking, in A Brief History of Time http://transversalinflections.files.wordpress.com/2011/06/turtles-all-the-way-down.png Slide Nr. 53, Lecture Secure, Embedded System Security, SS 2016