Embedded System Security Mobile Hardware Platform Security

Similar documents
Embedded System Security Mobile Hardware Platform Security

Lecture Secure, Trusted and Trustworthy Computing Mobile Hardware Platform Security

Lecture 3 MOBILE PLATFORM SECURITY

Mobile Platform Security Architectures A perspective on their evolution

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Trusted Platform Module

On-board Credentials. N. Asokan Kari Kostiainen. Joint work with Jan-Erik Ekberg, Pekka Laitinen, Aarne Rantala (VTT)

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Lecture 2 PLATFORM SECURITY IN ANDROID OS

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Trustzone Security IP for IoT

Designing Security & Trust into Connected Devices

On-board Credentials. N. Asokan Nokia Research Center, Helsinki. Joint work with Jan-Erik Ekberg, Kari Kostiainen, Pekka Laitinen, Aarne Rantala (VTT)

OP-TEE Using TrustZone to Protect Our Own Secrets

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Mobile Trusted Computing

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Applications of Attestation:

ARM Security Solutions and Numonyx Authenticated Flash

Designing Security & Trust into Connected Devices

Beyond TrustZone Security Enclaves Reed Hinkel Senior Manager Embedded Security Market Develop

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

How to protect Automotive systems with ARM Security Architecture

Recommendations for TEEP Support of Intel SGX Technology

Protecting your system from the scum of the universe

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

Intelligent Terminal System Based on Trusted Platform Module

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Provisioning secure Identity for Microcontroller based IoT Devices

Designing Security & Trust into Connected Devices

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Securing the System with TrustZone Ready Program Securing your Digital World. Secure Services Division

Security of Embedded Hardware Systems Insight into Attacks and Protection of IoT Devices

Protecting your system from the scum of the universe

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Date: 13 June Location: Sophia Antipolis. Integrating the SIM. Dr. Adrian Escott. Qualcomm Technologies, Inc.

CIS 4360 Secure Computer Systems SGX

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

GlobalPlatform Trusted Execution Environment (TEE) for Mobile

Crypto Background & Concepts SGX Software Attestation

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

TPM v.s. Embedded Board. James Y

SIERRAWARE SIERRATEE FOR MIPS OMNISHIELD

Deploying Secure Boot: Key Creation and Management

Influential OS Research Security. Michael Raitza

Fundamentals of HW-based Security

6.857 L17. Secure Processors. Srini Devadas

Big and Bright - Security

Mobile Derived Credentials Purebred Information Brief

What s In Your e-wallet? Using ARM IP to Enable Security in Mobile Phones. Richard Phelan Media Processing Division TrustZone Security Technology

Binding keys to programs using Intel SGX remote attestation

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

A Proposed Standard for Entity Attestation draft-mandyam-eat-00. Laurence Lundblade. November 2018

CIS 4360 Secure Computer Systems Secured System Boot

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Intel Software Guard Extensions

Intel s s Security Vision for Xen

The Future of Security is in Open Silicon Linux Security Summit 2018

OVAL + The Trusted Platform Module

UEFI updates, Secure firmware and Secure Services on Arm

How I Learned to Stop Worrying and Love the Internet of Things

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Resilient IoT Security: The end of flat security models

Sealing and Attestation in Intel Software Guard Extensions (SGX)

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

TRUSTED COMPUTING TECHNOLOGIES

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

Trusted Mobile Keyboard Controller Architecture

The Next Steps in the Evolution of Embedded Processors

Trusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

Dawn Song

Trusted Computing and O/S Security

Module: Identity and Passwords. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Tailoring TrustZone as SMM Equivalent

Trusted Platform Modules Automotive applications and differentiation from HSM

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Trusted Mobile Platform Technology for Secure Terminals

A Developer's Guide to Security on Cortex-M based MCUs

CPS 510 final exam, 4/27/2015

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Virtualisation on Mobile Devices {Hugo Marques, Nuno Conceição, Luis Pereira}

ARM Server s Firmware Security

Xen Automotive Hypervisor Automotive Linux Summit 1-2 July, Tokyo

Securing IoT with the ARM mbed ecosystem

Transcription:

1 Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Summer Term 2016

Acknowledgement This slide set is based on slides provided by Prof. N. Asokan, Aalto University, Finland Slide Nr. 2, Lecture Secure, Embedded System Security, SS 2016

Overview General model for mobile platform security Key hardware security techniques and general architecture Example(s) ARM TrustZone Trusted Platform Module Slide Nr. 3, Lecture Secure, Embedded System Security, SS 2016

Platform Security Architecture Mobile Device Third-party library Application Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software isolation Developer Platform Provider Administrator System Updater Device Management Boot Verifier Secure Storage Provider Policy Database Application Database Legacy DAC Application Installer Application Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality Slide Nr. 5, Lecture Secure, Embedded System Security, SS 2016

Hardware Platform Security Trusted Execution Environment HW Security API Boot Integrity Secure Storage Device Identification Isolated Execution Device Authentication Slide Nr. 6, Lecture Secure, Embedded System Security, SS 2016

What is a TEE? Processor, memory, storage, peripherals Trusted Execution Environment Isolated and integrity-protected Chances are that: You have devices with hardware-based TEEs in them! But you don t have (m)any apps using them From the normal execution environment (Rich Execution Environment) Slide Nr. 7, Lecture Secure, Embedded System Security, SS 2016

TEE Overview 1. Platform integrity ( boot integrity ) 2. Secure storage 3. Isolated execution 4. Device identification 5. Device authentication REE App App Mobile OS TEE Trusted app Mobile device hardware Trusted OS Trusted app Verification root Cryptographic mechanisms Device certificate Identity Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication Slide Nr. 8, Lecture Secure, Embedded System Security, SS 2016

Platform Integrity Boot code certificate Boot code hash Certified by device manufacturer: Sig SK (H(boot code)) M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity Device identification Launch boot code Slide Nr. 9, Lecture Secure, Embedded System Security, SS 2016

Platform Integrity Boot code certificate Boot code hash Mobile device hardware TCB Certified by device manufacturer: Sig SK (H(boot code)) M Device manufacturer public key: PK M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Device key K D Trusted Application Nonvolatile Stores measurements for (TA) authenticated boot memory TEE management Secure storage and isolated execution Base Signature identity verification algorithm Device identification Launch boot code Slide Nr. 10, Lecture Secure, Embedded System Security, SS 2016

Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Secure Storage Sealed-data = AuthEnc K (data...) D Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Insecure Storage Device key K D Nonvolatile memory Base identity Protected memory Rollback protection Encryption algorithm Platform integrity Secure storage Device identification Slide Nr. 11, Lecture Secure, Embedded System Security, SS 2016

Isolated Execution Certified by device manufacturer TA code certificate TA code hash Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) Device key K D Nonvolatile memory Base identity Controls TA execution Platform integrity TEE management Secure storage and isolated execution Device identification Slide Nr. 12, Lecture Secure, Embedded TEE System Entry Security, SS from 2016 Rich Execution Mobile Hardware Environment Platform Security

Device Identification Multiple assigned identities (Certified by device manufacturer) Identity certificate Base identity Assigned identity Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Base identity One fixed device identity Device identification Slide Nr. 13, Lecture Secure, Embedded System Security, SS 2016

Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile memory Secure storage and isolated execution Device certificate Identity Device public key PK D Device authentication Slide Nr. 14, Lecture Secure, Embedded System Security, SS 2016

Device Authentication (and Remote Attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Verification root Cryptographic mechanisms Volatile memory Boot sequence Sign system state in remote attestation Platform integrity Trusted Application (TA) TEE management Device key K D Nonvolatile Used to protect/derive memory signature key Secure storage and isolated execution Device certificate Identity Device public key PK D Issued by device manufacturer Device authentication Slide Nr. 15, Lecture Secure, Embedded System Security, SS 2016

Hardware Security Mechanisms (recap) 1. Platform integrity Secure boot Authenticated boot Identity certificate 2. Secure storage 3. Isolated execution Trusted Execution Environment (TEE) 4. Device identification 5. Device authentication Remote attestation Base identity Assigned identity Boot code certificate Boot code hash TA code certificate TA code hash External trust root Mobile device hardware TCB Legend Trust anchor (Hardware) Verification root Cryptographic mechanisms Device certificate Identity Trust anchor (Code) TEE code External certificate Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer Device key K D Non-volatile memory Secure storage and isolated execution Base identity Device identification Device pub key PK D Device authentication Launch boot code TEE Entry from Rich Execution Environment Slide Nr. 16, Lecture Secure, Embedded System Security, SS 2016

TEE System Architecture Device Rich execution environment (REE) App TEE API Device OS App Trusted execution environment (TEE) Trusted app TEE entry Trusted app TEE management layer Device hardware and firmware with TEE support Architectures with single TEE ARM TrustZone TI M-Shield Smart card Crypto co-processor Trusted Platform Module (TPM) Architectures with multiple TEEs Intel SGX TPM (and Late Launch ) Hypervisor Slide Nr. 17, Lecture Secure, Embedded System Security, SS 2016

TEE Hardware Realization Alternatives External Peripherals Off-chip memory External Peripherals Off-chip Memory External Peripherals Off-chip Memory On-SoC On-SoC On-SoC RAM ROM Processor core(s) RAM ROM Processor core(s) RAM ROM Processor core(s) OTP Fields Internal peripherals OTP Fields Internal peripherals OTP Fields Internal peripherals On-chip Security Subsystem External Security Co-processor External Secure Element (TPM, smart card) Embedded Secure Element (smart card) Processor Secure Environment (TrustZone, M-Shield) Legend: SoC : system-on-chip OTP: one-time programmable Slide Nr. 18, Lecture Secure, Embedded System Security, SS 2016 TEE component

ARM TrustZone Architecture System on chip (SoC) On-chip memory and Normal World Modem Boot ROM Main CPU SoC internal bus (carries status flag) Memory controller Memory controller Interrupt controller Off-chip/main memory (DDR) Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture Slide Nr. 19, Lecture Secure, Embedded System Security, SS 2016

ARM TrustZone Architecture System on chip (SoC) On-chip memory and Normal World Modem Access control hardware Boot ROM Main CPU TrustZone system architecture Access control hardware Memory controller Off-chip/main memory (DDR) Access control hardware Memory controller Peripherals (touchscreen, USB, NFC ) TrustZone hardware architecture SoC internal bus (carries status flag) Interrupt controller Slide Nr. 20, Lecture Secure, Embedded System Security, SS 2016 Normal world (REE) App App Mobile OS Device hardware TEE entry Secure world (TEE) Trusted app Trusted OS Trusted app

TrustZone Overview Normal World (NW) User mode Privileged mode SCR.NS=1 User SCR.NS := 1 Secure Monitor Call (SMC) SCR.NS=0 User Monitor SCR.NS := 0 (SW) Boot sequence Address space controllers TZ-aware MMU SW RO NW WO NW RW Legend: MMU: memory management unit On-chip ROM On-chip RAM Main memory physical address range Slide Nr. 21, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (1/2) 1. Boot begins in mode (set access control) On-chip ROM Boot sequence On-chip RAM Main memory (off-chip) Slide Nr. 22, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM code (trusted OS) device key On-chip ROM On-chip RAM Main memory (off-chip) Slide Nr. 23, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip) Slide Nr. 24, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) 4. Prepare for Normal World boot code (trusted OS) device key On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW Slide Nr. 25, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (1/2) 1. Boot begins in mode (set access control) Boot sequence 2. Copy code and keys from on-chip ROM to on-chip RAM 3. Configure address controller (protect on-chip memory) 4. Prepare for Normal World boot code (trusted OS) device key code (boot loader) On-chip ROM SW NA On-chip RAM Main memory (off-chip) NW RW Slide Nr. 26, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) NW RW Slide Nr. 27, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) NW RW Slide Nr. 28, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) trusted app and parameters NW RW Slide Nr. 29, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) 7. Execute trusted application Normal World Monitor trusted app and parameters NW RW SMC, SCR.NS 0 Slide Nr. 30, Lecture Secure, Embedded System Security, SS 2016

TrustZone Example (2/2) 5. Jump to Normal World for traditional boot On-chip ROM Normal World SCR.NS 1 SW NA 6. Set up trusted application execution Normal World User An ordinary boot follows: Set up MMU, load OS, drivers On-chip RAM Main memory (off-chip) 7. Execute trusted application Normal World Monitor trusted app and parameters NW RW SMC, SCR.NS 0 Slide Nr. 31, Lecture Secure, Embedded System Security, SS 2016

Secure Boot vs. Authenticated Boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state Secure Boot Authenticated Boot Slide Nr. 32, Lecture Secure, Embedded System Security, SS 2016

Secure Boot vs. Authenticated Boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state aggregated hash Secure Boot Authenticated Boot Why? How will you implement a checker? - hardcode H(boot code) as reference value in checker (in Firmware)? Slide Nr. 33, Lecture Secure, Embedded System Security, SS 2016 Why? State can be: - bound to stored secrets (sealing) - reported to external verifier (remote attestation)

Mobile TEE Deployment TrustZone support available in majority of current smartphones Mainly used for manufacturer internal purposes Digital rights management, Subsidy lock APIs for developers? Normal world Secure world App App Mobile OS Trusted app Trusted OS Trusted app TEE entry Smartphone hardware Slide Nr. 34, Lecture Secure, Embedded System Security, SS 2016

Android Key Store example Android Key Store API // create RSA key pair Context ctx; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx); spec.setalias( key1") spec.build(); KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore"); gen.initialize(spec); KeyPair kp = gen.generatekeypair(); // use private key for signing AndroidRsaEngine rsa = new AndroidRsaEngine("key1", true); PSSSigner signer = new PSSSigner(rsa, ); signer.init(true, ); signer.update(signeddata, 0, signeddata.length); byte[] signature = signer.generatesignature(); Elenkov. Credential storage enhancements in Android 4.3. 2013. Slide Nr. 35, Lecture Secure, Embedded System Security, SS 2016

Android Key Store Implementation Android device Selected devices Normal world Android app Android app Secure world Android 4.3 Nexus 4, Nexus 7 Java Cryptography Extensions (JCE) Android OS libqseecomapi.so ARM with TrustZone TEE entry Keymaster Trusted app Qualcomm Secure Execution Environment (QSEE) Keymaster operations GENERATE_KEYPAIR IMPORT_KEYPAIR SIGN_DATA VERIFY_DATA Persistent storage on Normal World Elenkov. Credential storage enhancements in Android 4.3. 2013. Slide Nr. 36, Lecture Secure, Embedded System Security, SS 2016

What Protects Hardware Platform Security? A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's tortoises all the way down! - Stephen Hawking, in A Brief History of Time http://transversalinflections.files.wordpress.com/2011/06/turtles-all-the-way-down.png Slide Nr. 53, Lecture Secure, Embedded System Security, SS 2016

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback