Lecture 3 MOBILE PLATFORM SECURITY
You will be learning: What techniques are used in mobile software platform security? What techniques are used in mobile hardware platform security? Is there a common general architecture? 2
Mobile platform security Recall classes of basic security techniques: isolation Permission-based access control signing Hardware-based security features 3
Ecosystem stakeholders Platform provider Developer Mobile device Marketplace operator Mobile operator manufacturer See also: Book section 2.1. User Administrator Think about threat models! 4
Modeling threats Identify Assets and trust assumptions Potential adversaries Adversary capabilities/limitations Possible attack vectors Cf. Software Security course 5
Ecosystem stakeholders Platform provider Developer Mobile device Marketplace operator Mobile operator manufacturer See also: Book section 2.1. User Administrator Think about threat models! 6
Mobile platform architecture Mobile Library Service Plugin Mobile Platform (OS) OS middleware OS kernel System services (Inter-process ) communication (IPC) resources System libraries Legend Mobile Platform Component Third-Party Software Component 7
Platform security architecture Mobile Third-party library Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software Isolation Developer Platform Provider Administrator System Updater Management Boot Verifier Secure Storage Provider Policy Database Database Legacy DAC Installer Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Identification Isolated Execution Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality 8
Step 1a: Developer publishes an application Mobile Developer requests permissions for his application Platform Security Architecture Developer submits the application to a centralized marketplace Developer In some platforms the application can be directly sideloaded to the mobile device Centralized Marketplace Operator Auxiliary Marketplace Operator Role Legend Some platforms support auxiliary marketplaces 9
Step 1b: Marketplace signs the application Mobile In some platforms the developer signs the app package Platform Security Architecture Developer Marketplace provider checks the application (and requested permissions) and signs the app package Centralized Marketplace Operator Auxiliary Marketplace Operator Role Legend 10
Step 2: installation Installer consults local policy database about requested permissions Mobile Installer checks application signature and requested permissions Installer may prompt the user to accept some of the requested permissions User installer component needs integrity protection Platform Security Architecture Installer stores assigned application permissions Boot Verifier Boot Integrity Permission and policy Role databases need integrity protection Policy Database Secure Storage Provider Secure Storage Legend Platform Security Component Installer Database Hardware-Security Functionality Developer Centralized Marketplace Operator Auxiliary Marketplace Operator Mobile device receives an application installation package from a marketplace (or developer) 11
Step 3a: loading Mobile Loader attaches permissions to the started process User Platform Security Architecture Developer Policy Database Installer Centralized Marketplace Operator Boot Verifier Secure Storage Provider Database Loader Auxiliary Marketplace Operator Loader reads permissions from the permission database Loader component needs integrity protection Boot Integrity Role Secure Storage Platform Security Component Legend Third-Party Software Component Integrity of installed application binaries Hardware-Security Functionality 12
Step 3b: execution OS/HW isolate applications from one another at runtime Reference monitor checks permissions to control access to system resources Some applications need secure state (e.g., DRM) Mobile Platform Security Architecture Some applications Role need Policy s and platform Database Boot Integrity secrecy for their persistent storage Platform Security Component need to communicate with each other and HW Boot Verifier Third-party library Reference Monitor Secure Storage Provider Secure Storage Database Legend Legacy DAC Identification Third-party service IPC Third-Party Software Component Software Isolation Installer Loader Isolated Execution System service System library HW Security API Execution Protection Authentication Hardware-Security Functionality User Developer Centralized Marketplace Operator Auxiliary Marketplace Operator Some applications need device identification and authentication (e.g., provisioning) 13
Step 4: System updates Platform providers issue (signed) system updates System updater rewrites parts of system software Mobile Third-party library Platform Security Architecture Reference Monitor System updater verifies received update using policy database Third-party service IPC System service System library Software Isolation User Developer Platform Provider Administrator System Updater Management Boot Verifier Secure Storage Provider Policy Database Database Legacy DAC Installer Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Administrators may update device policies and applications Boot Integrity Secure Storage Identification Isolated Execution Authentication Role System updates need secure state to prevent rollbacks to previous system version Platform Security Component Legend Third-Party Software Component System updates may Hardware-Security need device Functionality identification 14
Recap: main techniques 4. Permission-based access control Platform Provider Administrator Mobile Platform Security Architecture System Updater Management Boot Verifier Third-party library Reference Monitor Secure Storage Provider Policy Database Database Third-party service IPC 3. Permission assignment Legacy DAC System service Installer Loader Execution Protection System library Software isolation 5. isolation HW Security API User Developer Centralized Marketplace Operator Auxiliary Marketplace Operator 1. Permission request 2. signing 6. API to system functionality (e.g. secure storage) Boot Integrity Secure Storage Identification Isolated Execution Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality 15
Platform security architecture Mobile Third-party library Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software isolation Developer Platform Provider Administrator System Updater Management Boot Verifier Secure Storage Provider Policy Database Database Legacy DAC Installer Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Identification Isolated Execution Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality Skip to other OSs Skip to Why Generalize? 16
Mobile platforms revisited Android ~2007 Java ME ~2001 feature phones : 3 billion devices! Not in smartphone platforms Symbian ~2004 First smartphone OS 17
Mobile platforms revisited ios ~2007 ip* devices; BSD-based MeeGo ~2010 Linux-based MSSF (security architecture) Windows Phone ~2010... Skip to Why Generalize? 18
Mobile Android Java/Dalvik/ART Library native User OS Middleware ActivityManagerService/ PackageManagerService Developer Platform Provider eg. Google System Updater Policy Database Installer Administrator Remote Management Loader Database Binder IPC Reference Monitor Execution Protection HW Security API (Java) Auxiliary Marketplace Operator Google Play and others Boot loader OS Kernel Legacy DAC Reference Monitor Binder IPC Execution Protection Boot Verifier (optional) SELinux MAC Reference Monitor Legacy IPC Boot Integrity Secure Storage Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality Android
Symbian First widely deployed smartphone OS EPOC OS for Psion devices (1990s) Microkernel architecture: OS components as user space services Accessed via inter-process communication (IPC) 20
Symbian Platform Security Introduced in ~2004 Apps distributed via Nokia Store Sideloading supported Permissions are called capabilities, fixed set (21) 4 Groups: User, System, Restricted, Manufacturer 21
Symbian Platform Security s identified by: UID from protected range, based on trusted code signature Or UID picked by developer from unprotected range Optionally, vendor ID (VID), based on trusted code signature 22
Mobile Symbian OS (C++) Shared Library (C++) Service (C++) User OS Middleware Platform Provider (Nokia) System Updater Policy Database Installer Service Database HW Security API Developer Centralized Marketplace Operator (Nokia Store) Boot loader Boot Verifier OS Kernel Reference Monitor Execution Protection IPC Software isolation Loader Boot Integrity Secure Storage Identification Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality Symbian
Apple ios Native application development in Objective C Web applications on Webkit Based on Darwin + TrustedBSD kernel extension TrustedBSD implements Mandatory Access Control Darwin also used in Mac OS X 24
ios Platform Security Apps distributed via itunes App Store One centralized signature authority Apple software vs. third party software Runtime protection All third-party software sandboxed with same profile Permissions: entitlements (post ios 6) Contextual permission prompts: e.g. location 25
Mobile ios Objective-C, C/C++ web Platform Provider Apple System Updater Policy Database Installer User Developer Administrator Apple Remote Management Database Loader Core OS Boot Verifier Reference Monitor (TrustedBSD MAC) Secure Storage Provider Execution Protection HW Security API (file system, key chain) Centralized Marketplace Operator Apple Boot Integrity Secure Storage Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality ios
MeeGo Linux-based open source OS Intel, Nokia, Linux Foundation Evolved from Maemo and Moblin development in Qt/C++ Partially buried, but lives on Linux Foundation shifted to HTML5-based Tizen MeeGo -> Mer -> Jolla s Sailfish OS 27
MeeGo Platform Security Mobile Simplified Security Framework (MSSF) Permissions: resource tokens Enforced via Smack Apps identified by signatures from software sources Policy specifies privileges grantable by software sources 28
Mobile MSSF C/C++ Library C/C++ Plugin C/C++ Service C/C++ User OS Middleware Platform Provider System Updater Policy Database Database Installer Loader HW Security API (file system) Developer Boot loader Boot Verifier OS Kernel Smack MAC Reference Monitor IPC Secure Storage (Integrity) Provider (IMA/EVM) Legacy DAC Reference monitor Software isolation Execution Protection Auxiliary Marketplace Operator Boot Integrity Secure Storage Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality MSSF
Why Generalize? The General Problem http://xkcd.com/974/ 30
Model for platform security Four processes to protect: 1. Software deployment 2. installation 3. Runtime operation 4. Platform management Skip to Big Picture 31
1. Software deployment Developing and publishing Design choices: Distribution : centralized vs. decentralized App signing: certified vs. self-signed Developer Centralized Marketplace Operator Auxiliary Marketplace Operator 32
1. Software deployment Design choices: App identification: global vs. local Developer Centralized Marketplace Operator More design choices discussed in book chapter 4. Auxiliary Marketplace Operator 33
Software deployment Android ios MSSF Symbian Distribution model Multiple marketplaces, sideloading Centralized marketplace Multiple marketplaces, sideloading Centralized marketplace, limited sideloading signing Developer signature Centralized signature Marketplace and developer signature Centralized or developer signing: affects set of permissions identifier Package ID, local Linux UID for permissions ID 3-part ID: Marketplace - package - application ID, vendor ID 34
2. App installation Acquiring/installing a new app Design choices: Permission assignment: user vs. authority? Permission granularity? updates: same origin vs. centrally authorized? Policy Database Installer Database 35
App permissions Ask user? Install or use time? Automatic granting? Revocation? What about libraries? Symbian ios Android 36
App permissions Android ios MSSF Symbian Granularity Fine-grained Pre-defined profiles (ios6 entitlements) Assignment Ask user: presentation Ask user or app signature by group (11), install time & runtime (6.0) Fixed profile for all apps by name, runtime Fine-grained Marketplacespecific rights profiles Coarse-grained Ask user or centralized signature never ask by name (21), install time Both Android (> 6.0) and ios allow revocation of granted permissions 37
App permissions Runtime permission changes Android ios MSSF Symbian Changes in process permissions at runtime Pre 6.0: Constant (except URI permissions) > 6.0: User can change rights User can change rights Rights can increase by plugin loading, decrease by request Constant (library loading can fail) Permissions of libraries App s permissions App s permissions Union of app and library permissions App s permissions (library perms must be a superset) 38
App updates Who can update an app? Same-origin: same dev. key Trusted marketplace(s) Allow anyone Android ios MSSF Symbian Updates allowed if Same-origin: must match old version s developer key Centrally signed Marketplace s trust level high enough Protected? Same-origin; Unprotected? Anyone 39
3. Runtime operation Design choices: Permission enforcement: where? App data protection: how to secure storage? Reference Monitor IPC Database Loader Hardware support: Lecture 4 Secure Storage Provider Legacy DAC Execution Protection 40
Runtime operation Access control enforcement: where is reference monitor? Where is access control enforced? Android ios MSSF Symbian UID/GID-based in kernel + IPC access control in Binder + application code Centralized D-Bus framework + socket IPC in kernel + application code Reference monitor for IPC calls + application code 41
Protecting data & code s: isolation for data access Platform: executables (see later) Android ios MSSF Symbian data integrity Own directory and Linux access control Access to own directory only Permissionbased policies Own directory 42
4. Platform management Bootup, platform integrity, updates Design choices: Boot integrity: secure vs. authenticated? Platform Provider System Updater Policy Database Boot Verifier Administrator Management Database 43
Secure boot vs. authenticated boot OS Kernel checker pass/fail OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state Secure boot Authenticated boot 44
Boot integrity Secure boot Only authorized images can be booted Authenticated boot Access levels depend on booted image Android ios MeeGo Symbian Platform boot integrity Vendor-specific, verified boot Secure boot Secure boot, authenticated boot Secure boot 45
Platform data integrity Android ios MeeGo Symbian Platform data integrity Linux A/C, SELinux, UIDbased sandboxing Dedicated directory, code signing enforcement Linux A/C, Smack, IMA, EVM Dedicated directory IMA: Integrity measurement architecture EVM: Extended validation module (see An Overview of The Linux Integrity Subsystem ) 46
The big picture Recurring common themes Permission-based security architectures VAX /VMS privileges (~1970 s): adapted for applications Code signing (mid 1990 s): adapted for application installation /process isolation 47
The big picture Different choices in the design space lead to different architectures Open issues remain: can you think of some? More in Lecture 6 48
Platform security architecture Mobile Third-party library Third-party service System service System library User Platform Security Architecture Reference Monitor IPC Software isolation Developer Platform Provider Administrator System Updater Management Boot Verifier Secure Storage Provider Policy Database Database Legacy DAC Installer Loader Execution Protection HW Security API Centralized Marketplace Operator Auxiliary Marketplace Operator Boot Integrity Secure Storage Identification Isolated Execution Authentication Legend Role Platform Security Component Third-Party Software Component Hardware-Security Functionality
Hardware platform security Trusted Execution Environment HW Security API Boot Integrity Secure Storage Identification Isolated Execution Authentication
What is a TEE? Processor, memory, storage, peripherals Trusted Execution Environment Isolated and integrity-protected Chances are that: You have devices with hardware-based TEEs in them! But you don t have (m)any apps using them From the normal execution environment (Rich Execution Environment) 51
TEE overview 1. Platform integrity ( boot integrity ) 2. Secure storage 3. Isolated execution 4. identification 5. authentication REE App App Mobile OS TEE Trusted app Mobile device hardware Trusted OS Trusted app Verification root Cryptographic mechanisms certificate Identity Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer key K D Non-volatile memory Secure storage and isolated execution Base identity identification pub key PK D authentication More information in the 2014 IEEE S&P article 52
Secure boot vs. authenticated boot OS Kernel checker OS Kernel measurer Boot block checker pass/fail Boot block measurer Firmware checker pass/fail Firmware measurer state Secure boot Why? How will you implement a checker? - hardcode H(Boot block checker) as reference value in checker (in Firmware)? Why? Authenticated boot State can be: - bound to stored secrets (sealing) - reported to external verifier (remote 54 attestation)
Boot code certificate Boot code hash Mobile device hardware TCB Platform integrity Certified by device manufacturer: Sig SK (H(boot code)) M manufacturer public key: PK M Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Cryptographic mechanisms Launch boot code Verification root key K D Trusted Nonvolatile Stores measurements for (TA) authenticated boot memory TEE management Secure storage and isolated execution Base Signature identity verification algorithm identification 55
Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Mobile device hardware TCB Secure storage Sealed-data = AuthEnc K (data...) D Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted (TA) TEE management Insecure Storage key K D Nonvolatile memory Base identity Protected memory Rollback protection Encryption algorithm Platform integrity Secure storage identification 56
Isolated execution Certified by device manufacturer TA code certificate TA code hash Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted (TA) key K D Nonvolatile memory Base identity Controls TA execution Platform integrity TEE management Secure storage and isolated execution identification TEE Entry from Rich Execution Environment 57
identification Multiple assigned identities (Certified by device manufacturer) Identity certificate Base identity Assigned identity Mobile device hardware TCB Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Platform integrity Volatile memory Boot sequence Verification root Cryptographic mechanisms Trusted (TA) TEE management key K D Nonvolatile memory Secure storage and isolated execution Base identity One fixed device identity identification 58
authentication (and remote Mobile device hardware TCB attestation) External trust root Legend Trust anchor (Hardware) Trust anchor (Code) TEE code External certificate Verification root Cryptographic mechanisms Volatile memory Boot sequence Sign system state in remote attestation Platform integrity Trusted (TA) TEE management key K D Nonvolatile Used to protect/derive memory signature key Secure storage and isolated execution certificate Identity public key PK D Issued by device manufacturer authentication 59
Hardware security mechanisms (recap) 1. Platform integrity Secure boot Authenticated boot Identity certificate 2. Secure storage 3. Isolated execution Trusted Execution Environment (TEE) 4. identification 5. authentication Remote attestation Base identity Assigned identity Boot code certificate Boot code hash TA code certificate TA code hash External trust root Mobile device hardware TCB Legend Trust anchor (Hardware) Verification root Cryptographic mechanisms certificate Identity Trust anchor (Code) TEE code External certificate Boot sequence Platform integrity Volatile memory Trusted application TEE mgmt layer key K D Non-volatile memory Secure storage and isolated execution Base identity identification pub key PK D authentication Launch boot code TEE Entry from Rich Execution Environment 60
Rich execution environment (REE) App TEE API OS TEE system architecture App Trusted execution environment (TEE) Trusted app TEE entry Trusted app TEE management layer hardware and firmware with TEE support Architectures with single TEE ARM TrustZone TI M-Shield Smart card Crypto co-processor Trusted Platform Module (TPM) Architectures with multiple TEEs Intel SGX TPM (and Late Launch ) Hypervisor Figure adapted from: Global Platform. TEE system architecture. 2011. 61
Legend: SoC : system-on-chip OTP: one-time programmable TEE hardware realization alternatives TEE component External Peripherals Off-chip memory External Peripherals Off-chip Memory External Peripherals Off-chip Memory On-SoC On-SoC On-SoC RAM ROM Processor core(s) RAM ROM Processor core(s) RAM ROM Processor core(s) OTP Fields Internal peripherals OTP Fields Internal peripherals OTP Fields Internal peripherals On-chip Security Subsystem External Security Co-processor External Secure Element (TPM, smart card) Embedded Secure Element (smart card) Processor Secure Environment (TrustZone, M-Shield) Figure adapted from: Global Platform. TEE system architecture. 2011. 62
Did you learn: What techniques are used in mobile software platform security? What techniques are used in mobile hardware platform security? Is there a common general architecture? Contributors: Kari Kostiainen, N. Asokan, Sini Ruohomaa, Luca Davi, Ahmad-Reza Sadeghi 63
Plan for the course Lecture 1: Platform security basics Lecture 2: Case study Android Lecture 3: Mobile platform security Lecture 4: Hardware security enablers Lecture 5: Usability of platform security Extra lecture: IoT Security Invited lecture: SE Android policies Extra lecture: Machine learning and security Lecture 6: Summary and outlook 64