CSE597a - Cell Phone OS Security. Cellphone Hardware. William Enck Prof. Patrick McDaniel

Transcription

1 CSE597a - Cell Phone OS Security Cellphone Hardware William Enck Prof. Patrick McDaniel CSE597a - Cellular Phone Operating Systems Security - Spring Instructors McDaniel and Enck 1

2 2 Embedded Systems Embedded systems consist of many small components put together to comprise the system. Frequenly contain many microcontrollers and mini-oses. Embedded systems design is a trade-off between performance, size, and cost. Performance comes in many flavors, e.g., processing and power consumption Frequently, performance is sacrificed for smaller and cheaper devices Small variations in price are significant at large volumes Smartphones are upper scale embedded devices, but they are still embedded systems, and subject to many such constraints

3 3 Handset Architecture Most mobile handsets comprise of two main processors (baseband and application) and peripheral-specific logic cores Commonly, a System-on-Chip (SoC) for the application processor and peripheral-specific logic. Sometimes the baseband processor is included on that SoC SoC means more efficient data transfers and lower exposure to potential physical attackers Camera Apps Bluetooth GPS Display Keyboard Middleware RIL OS Kernel App Processor AT cmds serial, UART, shared memory Baseband radio stack Baseband processor Modem Rx/Tx SIM Card

4 4 Peripherals Consumers choose devices based on functionality. Frequently, this includes hardware peripherals Standard peripherals: display, keyboard (or touchscreen), microphone, speaker (w/ headset), camera (more pixels is better) Emerging standard peripherals: GPS, accelerometer, compass, video acceleration, graphics acceleration, FM radio Functional Block Diagram for TI OMAP3530

5 5 Location Services GPS navigation devices are common in vehicles. A conventional GPS devices uses measurements ([x,y,z,t]) from four satellites. In certain cases, the fourth satellite used to update clock. GPS has problems while indoor or around tall buildings. This is fine when driving on the freeway, but bad in cities, and bad for phones More common in mobile phones is Assisted-GPS (A-GPS) Location of cell site (also useful without GPS) Compare fragments from phones Supply satellite positions Error correcting information (ionospheric conditions) Offload work to assistance server

6 6 Modem Processor Voice and data communications processing is intensive. For realtime and security reasons, a separate baseband processor and OS exist (no need for RTOS or preemption for App OS). More and more frequently, the broadband (aka modem or communications) processor is located on the same silicon chip as the application and peripheral logic. Separate ARM core (DSP extensions) and sometimes modem accelerators. Broadcom BCM2153

7 7 Application Processor The application processor runs the operating system that interacts with the user... consumer focus The phone is becoming a general purpose computing device New phones support full featured operating systems based on Linux, Mac OS X, and Windows Hardware includes MMU, DMA, multi-gb storage, etc... however, handsets are still embedded systems and require many optimizations for the constrained environment Sometimes like a clown on a tiny tricycle...

8 8 ARM Architecture Almost all mobile phones use an ARM-based processor ARM based processors are very common in embedded systems. For example, Game Boy Advance, Nintendo DS, and ipod use an ARMv4T processor. Many smartphones use ARMv5 or ARMv6 architectures. Naming is a big mess: Family vs. Architecture vs. core. Example, iphone uses ARM11 family, ARMv6KZ architecture, and ARM1176JZ(F)-S core (which has SIMD, Jazelle DBZ, and TrustZone...) ARM Ltd. doesn t actually sell hardware chips Licenses Intellectual Property (IP) to merchant foundries for chip (SoC) designs Long history of low transistor count: ARM2 was 30,000 transistors when Motorola was around 70,000 (6 year older design)

9 9 Jazelle DBX Many embedded devices use Java (this is Java s origin), therefore, some ARM cores include the Jazelle DBX technology Direct Bytecode execution (DBX) First introduced in the ARM926EJ-S core (ARMv5TEJ architecture) A Jazelle-aware Java virtual machine can branch (BXJ) to Java bytecode Incomplete set of specifications published (allows OS to run Jazelle-aware JVM, but not enough information to the JVM)

10 10 Memory Protection MMU and protection varies between families and architectures... however, let s look at the ARM1176JZF-S Processes are either user or privileged (multiple privileged) Memory regions grouped into domains ; access permissions specified at the domain level Domains accessed as either a client or manager identified by system register (allows fast switching w/out TLB flush) Access determined by AP[1:0] and APX bits in page table (and TLB). They cause different R/W behavior depending if user or privileged Execute Never (XN) bit restricts page execution Additional protection provided by TrustZone...

11 11 ARM TrustZone TrustZone provides a processor abstraction providing two virtual CPUs that execute on one physical CPU. This defines a normal world and a secure world. The secure OS is often used less frequently. We want the isolation, but don t want to waste chip real estate. TrustZone is typically only a 5% area overhead Virtual CPUs also allow fast and efficient (speed, power) data transfers Included in ARM1176JZ(F)-S (good for documentation) (from ARM1176JZF-S Documentation)

12 12 Why TrustZone? The Secure OS can perform tasks such as protect access to keys (SIM lock functionality) or DRM (decode music). It allows arbitrary secure services to be defined with client stubs (using TrustZone API) in normal OS. Also protects security sensitive hardware (e.g., secure storage) SoC provides many security advantages. Of most note is the inability to place a reader on data lines (or at least much harder). Security state is propagated on the SoC bus

13 13 Memory Address Spaces TrustZone adds the Non Secure (NS) bit to the address space {NS, address[31:0]} {1,0xFFFFFFFF} {1,0x } {0,0xFFFFFFFF} {0,0x } Normal World Operation Peripherals (OS and Apps) Normal page tables Normal vectors Not accessible Secure World Operation Peripherals (OS and Apps) Normal page tables Normal vectors Peripherals (OS and Apps) Secure page tables Secure vectors

14 14 Secure Bus via ARM AXI On memory access, CPU security state provided on bus Use ARM s AXI (AMBA Extended Interface) Two bits: awprot[1] (write) and arprot[1] (read) Low = secure; high = nonsecure (just like NS bit) If a secure device (e.g., co-processor) on the bus is access when the processor is in nonsecure mode, it can detect the state and return peripheral does not exist at this address error E.g., crypto key in register

15 Mode Switching There are three basic modes that a TrustZone enhanced CPU can be put into: normal, secure, and monitor. The normal OS initiates a change into the secure OS via an exception model, e.g., the explicit secure monitor call (SMC). This puts the CPU in monitor mode, which stores the normal OS CPU registers, restores secure OS CPU registers, and branches to the secure OS. A similar process occurs in reverse. Each mode has it s own vector table. The monitor mode vector table can be to automatically override vector entries in normal and secure worlds Note: The monitor is a small OS in of itself (must be developed) CSE597a - Cellular Phone Operating Systems Security - Spring Instructors McDaniel and Enck Priv Mode SMC User Mode Normal World Monitor Priv Mode User Mode Secure World 15

16 16 TrustZone for Virtualization You may have noticed that the monitor OS acts as a limited hypervisor to switch between the normal and secure worlds However, the TrustZone model allows normal world OS to schedule secure world... but this need not be the case Recall that 1) the monitor stores and restores registers and 2) the monitor s vector table can override normal vectors This can give us an architecture similar to Xen (work being done at Samsung) Secure world OS acts as dom0 Monitor switches between multiple guest normal world OSes Do we gain anything over Xen w/out TrustZone?

17 17 TrustZone Software The TrustZone software suite provides secure service and client APIs. Along with cryptography and secure storage facilities for use by services Client API includes secure channel driver operates similar to DMA and controls secure world scheduling Software API allows new services to be created (type-safe API) e.g., for DRM or SIM-locking Native services in SSDI Java services in STIP (Small Terminal Interoperability Platform API), which includes a byte-code verifier Limited public implementations (combined with TCG by Winter, STC 08)