CSE597a - Cell Phone OS Security. Cellphone Hardware. William Enck Prof. Patrick McDaniel




CSE597a - Cell Phone OS Security: Cellphone Hardware
William Enck, Prof. Patrick McDaniel
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck

2. Embedded Systems
- Embedded systems consist of many small components put together to comprise the system. They frequently contain many microcontrollers and mini-OSes.
- Embedded systems design is a trade-off between performance, size, and cost.
  - Performance comes in many flavors, e.g., processing and power consumption.
  - Frequently, performance is sacrificed for smaller and cheaper devices.
  - Small variations in price are significant at large volumes.
- Smartphones are upper-scale embedded devices, but they are still embedded systems and subject to many such constraints.

3. Handset Architecture
- Most mobile handsets comprise two main processors (baseband and application) and peripheral-specific logic cores.
- Commonly, a System-on-Chip (SoC) holds the application processor and peripheral-specific logic. Sometimes the baseband processor is included on that SoC.
- SoC means more efficient data transfers and lower exposure to potential physical attackers.
[Diagram: App Processor (Apps, Middleware, RIL, OS Kernel) with Camera, Bluetooth, GPS, Display, Keyboard; AT cmds over serial, UART, shared memory; Baseband processor (Baseband radio stack, Modem Rx/Tx, SIM Card)]

4. Peripherals
- Consumers choose devices based on functionality. Frequently, this includes hardware peripherals.
- Standard peripherals: display, keyboard (or touchscreen), microphone, speaker (w/ headset), camera (more pixels is better).
- Emerging standard peripherals: GPS, accelerometer, compass, video acceleration, graphics acceleration, FM radio.
[Figure: Functional Block Diagram for TI OMAP3530]

5. Location Services
- GPS navigation devices are common in vehicles.
- A conventional GPS device uses measurements ([x,y,z,t]) from four satellites. In certain cases, the fourth satellite is used to update the clock.
- GPS has problems indoors or around tall buildings. This is fine when driving on the freeway, but bad in cities, and bad for phones.
- More common in mobile phones is Assisted-GPS (A-GPS):
  - Location of cell site (also useful without GPS)
  - Compare fragments from phones
  - Supply satellite positions
  - Error correcting information (ionospheric conditions)
  - Offload work to assistance server

6. Modem Processor
- Voice and data communications processing is intensive.
- For realtime and security reasons, a separate baseband processor and OS exist (no need for RTOS or preemption for App OS).
- More and more frequently, the broadband (aka modem or communications) processor is located on the same silicon chip as the application and peripheral logic.
- Separate ARM core (DSP extensions) and sometimes modem accelerators.
[Figure: Broadcom BCM2153]

7. Application Processor
- The application processor runs the operating system that interacts with the user... consumer focus.
- The phone is becoming a general-purpose computing device.
- New phones support full-featured operating systems based on Linux, Mac OS X, and Windows.
- Hardware includes MMU, DMA, multi-GB storage, etc... however, handsets are still embedded systems and require many optimizations for the constrained environment.
- Sometimes like a clown on a tiny tricycle...

8. ARM Architecture
- Almost all mobile phones use an ARM-based processor.
- ARM-based processors are very common in embedded systems. For example, Game Boy Advance, Nintendo DS, and iPod use an ARMv4T processor. Many smartphones use ARMv5 or ARMv6 architectures.
- Naming is a big mess: family vs. architecture vs. core. For example, the iPhone uses the ARM11 family, ARMv6KZ architecture, and ARM1176JZ(F)-S core (which has SIMD, Jazelle DBX, and TrustZone...).
- ARM Ltd. doesn't actually sell hardware chips. It licenses Intellectual Property (IP) to merchant foundries for chip (SoC) designs.
- Long history of low transistor count: ARM2 was 30,000 transistors when Motorola 68000 was around 70,000 (6 year older design).

9. Jazelle DBX
- Many embedded devices use Java (this is Java's origin); therefore, some ARM cores include the Jazelle DBX technology.
- Direct Bytecode eXecution (DBX)
- First introduced in the ARM926EJ-S core (ARMv5TEJ architecture).
- A Jazelle-aware Java virtual machine can branch (BXJ) to Java bytecode.
- Incomplete set of specifications published (allows OS to run Jazelle-aware JVM, but not enough information to the JVM).

10. Memory Protection
- MMU and protection varies between families and architectures... however, let's look at the ARM1176JZF-S.
- Processes are either user or privileged (multiple privileged).
- Memory regions are grouped into "domains"; access permissions are specified at the domain level.
- Domains are accessed as either a client or manager, identified by a system register (allows fast switching w/out TLB flush).
- Access is determined by the AP[1:0] and APX bits in the page table (and TLB). They cause different R/W behavior depending on whether the access is user or privileged.
- The Execute Never (XN) bit restricts page execution.
- Additional protection provided by TrustZone...
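The permission check described on this slide, written out in C as an added example (not from the lecture). It decodes an ARMv6 first-level section descriptor and a Domain Access Control Register value; it assumes the deprecated CP15 S and R bits are 0, and the sample descriptor and DACR values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Field positions in an ARMv6 first-level section descriptor. */
#define SEC_XN(d)     (((d) >> 4) & 1u)    /* Execute Never */
#define SEC_DOMAIN(d) (((d) >> 5) & 0xFu)  /* one of 16 domains */
#define SEC_AP(d)     (((d) >> 10) & 3u)   /* AP[1:0] */
#define SEC_APX(d)    (((d) >> 15) & 1u)   /* APX */

/* Domain Access Control Register: two bits per domain. */
enum { DOM_NONE = 0, DOM_CLIENT = 1, DOM_RESERVED = 2, DOM_MANAGER = 3 };

/* Returns true if the access is permitted, false if it would fault. */
bool section_access_ok(uint32_t desc, uint32_t dacr, bool privileged,
                       enum access kind)
{
    unsigned dom = (dacr >> (2 * SEC_DOMAIN(desc))) & 3u;
    if (dom == DOM_MANAGER)
        return true;              /* manager: AP, APX and XN are not checked */
    if (dom != DOM_CLIENT)
        return false;             /* no access or reserved: domain fault */

    unsigned ap = SEC_AP(desc), apx = SEC_APX(desc);
    bool can_read, can_write;
    if (ap == 0) {                /* no access (APX=1 with AP=00 is reserved) */
        can_read = can_write = false;
    } else if (privileged) {      /* APX=1 makes the region read-only */
        can_read = true;
        can_write = (apx == 0);
    } else {                      /* user: AP=01 none, AP=10 read, AP=11 r/w */
        can_read = (ap >= 2);
        can_write = (apx == 0 && ap == 3);
    }
    if (kind == ACC_WRITE) return can_write;
    if (kind == ACC_EXEC)  return can_read && !SEC_XN(desc);
    return can_read;
}

/* Constructed sample: section at 0x00100000, domain 1, AP=0b10, APX=0, XN=1
 * (privileged read/write, user read-only, never executable). */
const uint32_t SAMPLE_DESC  = 0x00100000u | (2u << 10) | (1u << 5) | (1u << 4) | 2u;
const uint32_t DACR_CLIENT  = DOM_CLIENT  << 2;   /* domain 1 = client  */
const uint32_t DACR_MANAGER = DOM_MANAGER << 2;   /* domain 1 = manager */
```

Switching a domain between client and manager changes only the DACR value, which is why the same descriptor gives different answers without touching the page table or flushing the TLB.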

11. ARM TrustZone
- TrustZone provides a processor abstraction providing two virtual CPUs that execute on one physical CPU. This defines a "normal world" and a "secure world".
- The secure OS is often used less frequently. We want the isolation, but don't want to waste chip real estate. TrustZone is typically only a 5% area overhead.
- Virtual CPUs also allow fast and efficient (speed, power) data transfers.
- Included in ARM1176JZ(F)-S (good for documentation).
[Figure from ARM1176JZF-S Documentation]

12. Why TrustZone?
- The Secure OS can perform tasks such as protecting access to keys (SIM lock functionality) or DRM (decode music).
- It allows arbitrary secure services to be defined with client stubs (using TrustZone API) in the normal OS.
- Also protects security-sensitive hardware (e.g., secure storage).
- SoC provides many security advantages. Of most note is the inability to place a reader on data lines (or at least it is much harder).
- Security state is propagated on the SoC bus.

13. Memory Address Spaces
- TrustZone adds the Non Secure (NS) bit to the address space: {NS, address[31:0]}
[Diagram: address ranges {1,0x00000000} to {1,0xFFFFFFFF} and {0,0x00000000} to {0,0xFFFFFFFF}, shown for two cases.
 Normal World Operation: Peripherals, (OS and Apps), Normal page tables, Normal vectors; Not accessible.
 Secure World Operation: Peripherals, (OS and Apps), Normal page tables, Normal vectors; Peripherals, (OS and Apps), Secure page tables, Secure vectors.]

14. Secure Bus via ARM AXI
- On memory access, the CPU security state is provided on the bus.
- Uses ARM's AXI (AMBA Extended Interface).
  - Two bits: awprot[1] (write) and arprot[1] (read)
  - Low = secure; high = nonsecure (just like NS bit)
- If a secure device (e.g., co-processor) on the bus is accessed when the processor is in nonsecure mode, it can detect the state and return a "peripheral does not exist at this address" error.
  - E.g., crypto key in register

15. Mode Switching
- There are three basic modes that a TrustZone-enhanced CPU can be put into: normal, secure, and monitor.
- The normal OS initiates a change into the secure OS via an exception model, e.g., the explicit secure monitor call (SMC). This puts the CPU in monitor mode, which stores the normal OS CPU registers, restores secure OS CPU registers, and branches to the secure OS. A similar process occurs in reverse.
- Each mode has its own vector table. The monitor mode vector table can be used to automatically override vector entries in normal and secure worlds.
- Note: The monitor is a small OS in and of itself (must be developed).
[Diagram: Normal World (User Mode, Priv Mode), SMC, Monitor, Secure World (User Mode, Priv Mode)]
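The SMC world switch from this slide and the arprot[1] check from the Secure Bus slide, modeled together in C as an added example (not from the lecture). It is a simplified model: a real monitor is written in assembly and the struct layout, `KEY_REG_ADDR`, and `KEY_VALUE` are hypothetical.

```c
#include <stdint.h>
#include <string.h>

enum world { WORLD_SECURE = 0, WORLD_NORMAL = 1 };  /* value mirrors the NS bit */
enum bus_resp { BUS_OKAY, BUS_DECODE_ERROR };

struct cpu_ctx { uint32_t r[13], sp, lr, pc; };     /* one world's registers */

struct cpu {
    enum world world;          /* current security state */
    struct cpu_ctx regs;       /* live register file */
    struct cpu_ctx saved[2];   /* monitor's save area, indexed by world */
};

#define KEY_REG_ADDR 0x4000F000u   /* hypothetical secure key register */
#define KEY_VALUE    0xC0FFEE00u   /* constructed sample key */

/* Constructed boot state: normal world running, secure OS parked at its entry. */
struct cpu cpu_boot(uint32_t secure_entry)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.world = WORLD_NORMAL;
    c.saved[WORLD_SECURE].pc = secure_entry;
    return c;
}

/* Monitor handler for SMC: store the caller's registers, restore the other
 * world's registers (including its pc, i.e. branch to it), flip the state. */
void monitor_smc(struct cpu *c)
{
    enum world to = (c->world == WORLD_NORMAL) ? WORLD_SECURE : WORLD_NORMAL;
    c->saved[c->world] = c->regs;
    c->regs = c->saved[to];
    c->world = to;
}

/* Secure bus slave: the read carries the CPU state as arprot[1]
 * (low = secure, high = nonsecure). Only this one slave is modeled. */
enum bus_resp bus_read(const struct cpu *c, uint32_t addr, uint32_t *out)
{
    unsigned arprot1 = (unsigned)c->world;
    if (addr != KEY_REG_ADDR || arprot1 != 0)
        return BUS_DECODE_ERROR;   /* "peripheral does not exist at this address" */
    *out = KEY_VALUE;
    return BUS_OKAY;
}
```

The normal world never sees the key register: the same read address succeeds or returns a decode error depending only on the security state that travels with the bus transaction.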

16. TrustZone for Virtualization
- You may have noticed that the monitor OS acts as a limited hypervisor to switch between the normal and secure worlds.
- However, the TrustZone model allows the normal world OS to schedule the secure world... but this need not be the case.
- Recall that 1) the monitor stores and restores registers and 2) the monitor's vector table can override normal vectors.
- This can give us an architecture similar to Xen (work being done at Samsung):
  - Secure world OS acts as dom0
  - Monitor switches between multiple guest normal world OSes
- Do we gain anything over Xen w/out TrustZone?

17. TrustZone Software
- The TrustZone software suite provides secure service and client APIs, along with cryptography and secure storage facilities for use by services.
- Client API includes a secure channel driver that operates similarly to DMA and controls secure world scheduling.
- Software API allows new services to be created (type-safe API), e.g., for DRM or SIM-locking:
  - Native services in SSDI
  - Java services in STIP (Small Terminal Interoperability Platform API), which includes a byte-code verifier
- Limited public implementations (combined with TCG by Winter, STC '08).