Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms

Transcription

1 Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms (with Onur Aciicmez and Xinwen Zhang) Jean-Pierre Seifert TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany

2 Agenda 1. Background of this work 1. Final paper in a series of papers about a real commercial Trusted Mobile Phone development (not my first one, but my last one!) 2. TCG MPWG 2. Some problems of Trusted Computing in Practice 1. No hw TPM/MTM on phones although not really required, but would be quite sexy 2. Phones = limited processing power, boot time, power consumption 3. Virtualization on cellphones 4. IMA and PRIMA from IBM the quasi standard 3. Our original Prototype and its transfer problemsto Samsung s cellphone BU 4. Intrinsic and unique features of real cellphones to make it happen 5. Some architectural highlights 6. Conclusion

3 Paper Series (for this specific platform) Extending SELinux Policy Model and Enforcement towards Trusted Computing Paradigms Usage control platformization via trustworthy SELinux A trusted mobile phone reference architecture via secure kernel, ACM STC 2007 A Trusted mobile phone prototype Integrity Protection for Open Mobile Platforms Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms T. Jaeger et alii, Measuring integrity on mobile phone systems, SACMAT 2008

4 rusted Computing platforms today? Some TC activities: TCG Specifications of TPM (Trusted Platform Module) and many other things TPM is hardware root of trust Needs to be ubiquitous cheap, cheap, cheap therefore a performance bottleneck Additional Hardware already existing Intel s LaGrande Technology (LT, VT, iamt, TXT) AMD s Pacifica ARM s TrustZone OS/Software Microsoft Palladium NGSCB Longhorn Vista ->??? Linux, Xen, SE Linux, Trusted BSD, sel4, etc. Mostly NSA funded Supporting PKI needed

5 Architecture proposal from TCG TCG Mobile Trusted Module Specification (aka MTM) Spec v 1.0 released in June 2007 Some significant differences from TPM: Some simplified commands and some extra commands Local and remote platform owners To satisfy the business model of mobile phone Multiple MTM instances on a single devices Four different types of stakeholders Device manufacturer Network service provider General service provider End-user (customer)

6 Architecture proposal from TCG

7 Some problems of Trusted Computing in Practice No hw TPM/MTM on phones although not really required, but would be quite sexy No real estate on PCB board for extra chip No $ for extra chip from manufacturers No $ generating killer apps which cannot be realized otherwise in a good is good enough fashion Existing silicon embedded TPM s of Intel s Xscale series Bulverde, Monahan, etc. which are sold from Marvell as PXA 300, 310, 320 are not enabled in phones

8 Some problems of Trusted Computing in Practice Real world cell-phones: 200 Mhz Mb RAM Power consumption has #1 priority No extra instructions (LT, VT, Pacifica) as provided by x86 ARM TrustZone is not really available and not good enough Never change the internals of the OS: Symbian, Windows CE,

9 Trusted/Secure Boot Transitive Trust in the Boot process Enables extension of the trust boundary from layer to layer Each layer is responsible for determining the trustworthiness of the following layer

10 Secure Boot (via 96 MHz you are running into some problems if you have no hw acceleration and just measure the Linux kernel: usec Secure Boot pre OS start SHA1 Calculation Get_RSA_PubKey RSA_Verify Others 0 OpenSSL SHA1 throughput is 196 Mhz

11 irtualization on phones? VM Ware is for x86 Not happening very soon on ARM XEN comes from the server world Sure, was ported to ARM, but overhead??? so far not real-time capable as needed for phones! additionally to real-time we need to integrate security! as it is now, not productizable! VirtualLogix is real-time, but more or less just context-switching and no inherent security or isolation L4 microkernel Severe real-time issues, overhead??? Trango real-time, overhead??

12 Integrity Measurement Imagine a real world cell-phone 200 Mhz with a damnslowflash filesystem And implementing IBM Integrity Measurement Architecture (IMA) IMA extends GRUB to measure the kernel, ramdisk images, and grub.conf Also, a kernel module is implemented to measure OS components after the kernel is loaded (post-boot), including libraries, usual command and tool binaries, configuration files, and application modules. IMA has measurements and is even on desktops impractical!!! PRIMA extends IMA for mobile phone devices and simplifies the integrity measurements. However it still has more than 200 measurements for the OpenMoko Freerunner

13 So we built our own real prototype with a real TPM! Deutsche Telekom Laboratories 5. Juni

14 How to solve Virtualizaion, i.e., Domain Isolation Four different types of stakeholders Device manufacturer Network service provider General service provider End-user (customer) Generalizes the concept of a platform to a set of conventional TCG-enabled platforms called trusted engines. Each belongs to a stakeholder

15 TCG Mobile Ref Architecture Main security requirements: Isolation of resources from different stakeholders Controlled resource sharing information flow between stakeholders Flexible and configurable policy management No specific solution is defined.

16 Our Solution Policy Model Mandatory access control (MAC) based security model in OS kernel Strong isolation Secure resource sharing and communication between engines Via strong information flow control Loadable policy modules for different stakeholders Over-the-air policy management and update Architecture Kernel-level reference monitor Integrate integrity measurement with reference monitor Prototype Secure boot on OMAP 5912 (ARM-based) reference board with hwtpm Ported SELinuxon board with NSA Sample Policy and a simplified policy with few domains Integrity measurement and verification

17 SELinux Policy Model Extension Current SELinux policy model: Security context: user:role:type Security mechanism in SELinux is Type Enforcement Simple role-based access control We extend the security context of objects (including subjects): user:role:type:profile:system Each object can be categorized as a set of general and customizable attributes defined by profile. Time Location Other context-aware attributes Trusted computing information will be provided by system: Integrity values, PCR s Platform boot and runtime states Configurations Extensible model When new functions become available on a platform Especially on user-space services on mobile platforms More generalized and flexible constraints: Attributes are then checked against specified values in the constrain expression E.g., Constrained role inheritance with time or location information

18 Policy Specifications High-level policy specifications for trusted mobile platform Cross-domain security framework

19 Platform Architecture of Prototype Data Data Data Services Services Services Services User Applications Device Manufacture Service Provider User System Calls/APIs Hooks SELinux Module MAC Policies Kernel CRTM MTM Device Device Conditional SELinux policy: Hardware

20 Performance study of SE Linux overhead on OMAP 5912

21 BU feedback after seeing our machine at CES 2008 Yes, we like your trusted platform and would like to integrate you security functionality to our next product, but Max 1% performance overhead 2. It must be hardware independent 3. No extra security hardware 4. 6 months development time 5. You must make it a standard

22 Integrity Models Integrity protections on traditional systems: Biba Clark-Wilson CW-lite UMIP SELinux/AppArmor/LIDS Andorid/Symbian/Qt/J2ME Problems: Not efficient on mobile platforms Needs to switch integrity level during runtime Hard to identify filter Complex policy specification No high level security goals (e.g., integrity model) Android/Symbian/Qtopia/J2ME SELinux-like solution has not integrity model

23 Mobile Integrity Model Biba-like isolation between trusted and untrusted processes Communication controlled via trusted subjects (daemons) Architecture for LiMo-like platform But for Symbian and Android also. Trusted (a) Unrusted Trusted Trusted Unrusted Trusted Untrusted (b)

24 Implementation Filesystem and memory space Clearly defined trusted/untrusted boundary Security-enhanced application installation and launch Controlled communication via trusted daemons between trusted and untrusted domains

25 Policy design Rule1 about store: All trusted program and resources stored in trusted file systems All untrusted program and resources stored in untrusted file systems Rule2 about new process launch: Process launched from trusted fs is regarded as trusted process Trusted program only can be launched by kernel or trusted process Process launched from untrusted fs is regarded as untrusted process Trusted Domains jvm_t, sysxo_t, gconfd_t,... controlled communication Untrusted Domains read read-write read-write read-only filesystems (e.g, cramfs) read-write filesystems (e.g, ext3)

26 Implementation Secure inter-process communication Most Linux mobile platforms use D-Bus LiMo, OpenMoko, GPE, Maemo, Qtopia, Andorid Security context transferred via D-Bus messages Local enforcement in individual daemons Gconfd (for configuration storage) Telephony server (voice, messages, SIM, etc)

27 Secure Dbus Dameon Architecture Sender process Libnoti, libdbus, libgconf dbus message dispatch dbus-daemon Pid=get_sender_pid(connection) Set_sender_pid(message, pid) noti-service gconfd libgconf Pid=get_sender_pid(message) getpidcon(pid) getkeycon( key) check_avc( pcon, kcon, perm) ; Subscription / Publication module Filter module Adapter Container module adapter1 adapter2 If target app is not running, it can be auto-activated by dbusdaemon. process dbusd gconfd SElinuxKernel Gconf_key_co ntexts SELinux policy Dbusmsg (write, key, value) Assign Pid to msg send msg (write, key, value, pid) libselinux: ggetpidcon(pid) Getkeycon(key) Query policy with (Pidcon, keycon, gconf_gconf SET_VALUE) and make decision Write the key the value Or deny silently

28 Visualization-based Policy Analysis Policy View

29 Performance

30 Simplified new architecture for Trusted Platform

31 Real LiMo security architecture

32 Questions??? Global Mobile Linux Initiative