Doc.: IEEE 802.19-10/0118r0 Submission September 2010 Alex Reznik (InterDigital)Slide 1 Device...
-
Upload
griffin-walsh -
Category
Documents
-
view
223 -
download
7
Transcript of Doc.: IEEE 802.19-10/0118r0 Submission September 2010 Alex Reznik (InterDigital)Slide 1 Device...
doc.: IEEE 802.19-10/0118r0
Submission
September 2010
Alex Reznik (InterDigital)Slide 1
Device Security Overview
Notice: This document has been prepared to assist IEEE 802.19. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Date: 2010-09-16
Name Company Address Phone email Alex Reznik InterDigital 781 Third Ave.,
King of Prussia, PA 19406
610-878-5784 [email protected]
Authors:
doc.: IEEE 802.19-10/0118r0
Submission
Abstract
• In response to group’s request to learn more about device security
• We present a high-level overview of what device security is
• We also show examples of how existing commercial standards and products implement it
September 2010
Alex Reznik (InterDigital)Slide 2
doc.: IEEE 802.19-10/0118r0
Submission
Outline
• Emerging Threats in the New Communication Network
• What is Device Security?
• Why is it Needed?
• Some solutions that have proved useful
• Adoption in Other Products and Standardization
• Examples:
– 3GPP R9 Femtocell Autonomous Validation
– Commercial examples of mobile phone chipset device security
• Why Device Security for Communications
• Summary and Next Steps
September 2010
Alex Reznik (InterDigital)Slide 3
doc.: IEEE 802.19-10/0118r0
Submission
Sensors
Tomorrow’s Network of Networks
Cellular
WiMax
WiFi
Mesh
Ambience
Femto
Relays
Billions of subscribers, trillions of connections
SocialnetworksSocial
networks
Shopping, banking,
secure transactions
Shopping, banking,
secure transactions
HealthcareHealthcare
Intelligent Highways
& Vehicular Comms
Intelligent Highways
& Vehicular Comms
EducationEducation
SmartPower Grid
SmartPower Grid
Entertainment and gaming
Entertainment and gaming
Wireless home & Consumer electronics
Wireless home & Consumer electronics
September 2010
Alex Reznik (InterDigital)Slide 4
doc.: IEEE 802.19-10/0118r0
Submission
New Security Threats Will Emerge
• As wireless networks become more and more distributed, new security threats are emerging– Network edge components require stronger security e.g. Femto cells,
relays and gateways– As the scale of connected devices grows the avenues of attack will
also grow• Some type of new attacks
– Physical attacks on devices– Malicious attacks on software, data and credentials– Configuration attacks– Protocol attacks against the device– Attack on the core network– User data and identity privacy
September 2010
Alex Reznik (InterDigital)Slide 5
doc.: IEEE 802.19-10/0118r0
Submission
What is Device Security?• Device Security addresses a core need:
– To ensure devices will operate as trusted and expected, and not to operate in un-trusted or unexpected ways
• Commonly applied requirements include:– To perform security-sensitive functions (e.g. crypto key generation, authentication,
access control, etc) and do so in a way that counters unauthorized access to, disclosure of, or compromise to such functions
– To store and handle security-sensitive data (e.g. crypto keys, sensitive data, etc) without unauthorized access or compromise to the data while the data is in storage or being processed in the device
– To detect, report or prevent attempts of attacks on the device itself
– To report and remediate functionality when and if compromises do happen
– To provide reliable and secure references for time and/or location, that help other requirements such as those listed above
• Device Security is related to but different from – Communication Security, which mostly concerns how data, while in transit from
point A to point B, can be protected for confidentiality, integrity, freshness, etc.
– Without Device Security, little trust can be given to communication security!
September 2010
Alex Reznik (InterDigital)Slide 6
doc.: IEEE 802.19-10/0118r0
Submission
Why device security? • Devices can’t be inherently trusted or assumed to be secure
– They use many components that integrators don’t fully know about
– Complexity of modern computing or communication devices often makes it impossible for even its designer to know all vulnerabilities
• Rule of thumb is there is a security bug in every 1k line of code!
– Fast changes (for the worse) in attack-cost vs. benefit equation that motivates prospective attackers to attempt more attacks
• Increasing use of open standards and platforms
• Ubiquitous availability of connectivity (e.g. Internet, USB, Bluetooth,etc) and resultant access for attackers to the devices
• Devices acting more and more like multi-app computers, and handling data or perform functions that are high-value or high-impact
• Trend for flattened network architectures, pushing sensitive network-based functions toward edge-network equipments such as routers, gateways, etc
– Many compromising attacks and threats (e.g. viruses, malware, ID theft, remote high-jacking, etc) are finding ways to other devices (cell phones, gaming boxes, etc)
September 2010
Alex Reznik (InterDigital)Slide 7
doc.: IEEE 802.19-10/0118r0
Submission
Solutions that have proved useful for Device Security
• Use inherently trustable “secure environments” in devices– To perform the most fundamental or security-wise critical functions– To store and handle the most sensitive data– To build a ‘chain of trust’ to attest to the integrity of the rest of the device functionality– Requires appropriate hardware to build (e.g. secure ROM, RAM, Onetime Pads, E-Fuses, etc)
• Detect, report, and remediate deviations or compromises– To detect, use “secure environment” to measure behavior or metric (e.g. hashes) of integrity or
trustworthiness, and compare them to trusted references– To report, use “secure environment” to assure validity of alarms or fault reports. – To remediate, use “secure environment” to assure integrity of remediation/update protocol handling and
local updates procedures
• Balance local trust vs. remote enforcement– Something within the device has to be inherently trusted. Make it small and cost effective.– Everything else need to be monitored for deviation, and detected deviations need to be addressed by
controlled enforcement (e.g. deny access to network)
• Protect the network from compromises in devices– Enable the network to become cognizant of compromised devices and be able to control access of devices
suspected of compromises– Design network and end-point protocols that enable or help detection, reporting, access control and
remediation– Make sure such protocols and mechanisms can handle shades of grey, gradations, and multiple
scopes/contingencies
September 2010
Alex Reznik (InterDigital)Slide 8
doc.: IEEE 802.19-10/0118r0
Submission
Product Adoptions and Standardization
• Device Security has been adopted for many products, and are being standardized for other products too
– Communication network equipments• Femto-cell or Home (e)NB devices (3GPP stds Rel9/10, 2009 and onward)
• 3GPP eNodeBs (stds Rel8, 2008) and relay nodes (Rel10 /11– 2010+)
• ETSI M2M Gateway (Rel1, end of 2010)
– Communication terminal devices, and chipsets & modules for them• Smart cards / SIM / UICC modules (since 1990s and onward)
• Embedded security on commercial mobile phones (mid 2000s and onward)
• CableCARD™ or DCAS™ security for Cable STBs (early 2000s & on)
• ETSI TC M2M Devices (being standardized for Rel1 release in 2010)
– Other devices – computers, laptops, gaming devices, etc• Most current laptops have on-board Trusted Platform Modules (TPM™)
• Gaming boxes such as Xbox and PS-2/3 have built-in dev sec.
September 2010
Alex Reznik (InterDigital)Slide 9
doc.: IEEE 802.19-10/0118r0
Submission
Trusted Processing for Wireless DevicesWireless Device
Perform chain of trust based
integrity check of platform
√Integrity Self Check
Pass/Fail
Authentication and Access to
Network Allowed
CertCert
CredentialsMeas. Data
Measured Value
ReferenceMetric
Reference Metrics (RIM) protected by Trust Environment
COMPARE
September 2010
Alex Reznik (InterDigital)Slide 10
doc.: IEEE 802.19-10/0118r0
Submission
Example: Autonomous Validation of 3GPP R9 Femtocell*
Femto Cell
Femto Cell
X
√
A. An internal Trusted Environment (TrE) of a Femto measures and verifies the integrity of software and configuration of the Femto.
B. Femto is ONLY allowed to authenticate as a device with the Network after passing integrity check
C. Network infers device trust in Femto by virtue of implication from successful device authentication
XA
BC
* 3GPP TS 33.320 H(e)NB Security Aspects sections 6, 7, and 8.
September 2010
Alex Reznik (InterDigital)Slide 11
doc.: IEEE 802.19-10/0118r0
Submission
Example: Open Mobile Terminal Platform (OMTP) Advanced Trusted Environment TR1 for Mobile Terminal Security (*)
Overview of TR1 Recommendations
•Enhances the Basic Trusted Environment (TR0) specs•New, expanded threat model•Protects the Application Security Framework on a device•Different profiles for different levels of security in the terminal•Enables high security platforms and devices•Grounding for future high-security services on mobile phones
Source: * http://www.omtp.org/Publications/Display.aspx?Id=3531a022-c606-42ad-bf02-4c8d10dc253e# **http://docbox.etsi.org/Workshop/2009/200901_SECURITYWORKSHOP/OMTP_DavidRogers_OMTPSecurityRecommendationsandtheAdvancedTrustedEnvironment_OMTP_TR1.pdf
September 2010
Alex Reznik (InterDigital)Slide 12
**
doc.: IEEE 802.19-10/0118r0
Submission
Example: Mobile Phone Security (Freescale product example)
• Secure ROM and RAM
• Hardware-based binding of DevID to crypto key
• Security Controller
• Onchip secure monitor
• Crypto engines
• Run-time integrity check (RTIC)
Source: http://www.freescale.com/files/training_pdf/WBT_27207_IMX31_SECURITY.pdf
September 2010
Alex Reznik (InterDigital)Slide 13
doc.: IEEE 802.19-10/0118r0
Submission
Example: Freescale i.MX-31 High-Assurance Boot (HAB)
Source: http://cache.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf?
September 2010
Alex Reznik (InterDigital)Slide 14
doc.: IEEE 802.19-10/0118r0
Submission
Example: i.MX-31 Runtime Integrity Checker (RTIC)
Source: http://www.freescale.com/files/training_pdf/WBT_27207_IMX31_SECURITY.pdf
September 2010
Alex Reznik (InterDigital)Slide 15
doc.: IEEE 802.19-10/0118r0
Submission
Example: Qualcomm SecureMSM™ Software Architecture
Source: http://www.writefayewrite.com/images/pdfs/DatasheetII.pdf
September 2010
Alex Reznik (InterDigital)Slide 16
doc.: IEEE 802.19-10/0118r0
Submission
Example: Texas Instruments M-Shield™ Embedded Security
Source: http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf
September 2010
Alex Reznik (InterDigital)Slide 17
doc.: IEEE 802.19-10/0118r0
Submission
Summary and Next Steps
• Cognitive Communication Systems and Network are particularly susceptible to device-oriented threats– Reliance on complex and dynamic policies to meet regulatory and
standards compliance• These increasingly need to be soft and updatable
– Reliance on other devices to follow rules
• Device Security is Here– Technology is available– Already being used to secure communication systems
• And it is the right solution to this problem
• The proper role of a communications standard– Enable device security through support of required signaling– Incorporate device security into appropriate security procedures (e.g.
network access)– When applicable require device security capability for access to certain
services
September 2010
Alex Reznik (InterDigital)Slide 18