doc.: IEEE 802.19-10/0118r0

Submission

September 2010

Alex Reznik (InterDigital)

Device Security Overview

Notice: This document has been prepared to assist IEEE 802.19. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Date: 2010-09-16

Authors:

Name: Alex Reznik
Company: InterDigital
Address: 781 Third Ave., King of Prussia, PA 19406
Phone: 610-878-5784
Email: alex.reznik@interdigital.com


Abstract

• In response to group’s request to learn more about device security

• We present a high-level overview of what device security is

• We also show examples of how existing commercial standards and products implement it


Outline

• Emerging Threats in the New Communication Network

• What is Device Security?

• Why is it Needed?

• Some solutions that have proved useful

• Adoption in Other Products and Standardization

• Examples:

– 3GPP R9 Femtocell Autonomous Validation

– Commercial examples of mobile phone chipset device security

• Why Device Security for Communications

• Summary and Next Steps


Tomorrow’s Network of Networks

[Figure: a network of networks (Cellular, WiMax, WiFi, Mesh, Femto, Relays, Sensors, Ambience) with billions of subscribers and trillions of connections. Application areas shown: social networks; shopping, banking, secure transactions; healthcare; intelligent highways & vehicular comms; education; smart power grid; entertainment and gaming; wireless home & consumer electronics.]


New Security Threats Will Emerge

• As wireless networks become more and more distributed, new security threats are emerging

– Network edge components require stronger security, e.g. Femto cells, relays and gateways

– As the scale of connected devices grows, the avenues of attack will also grow

• Some types of new attacks

– Physical attacks on devices

– Malicious attacks on software, data and credentials

– Configuration attacks

– Protocol attacks against the device

– Attack on the core network

– User data and identity privacy


What is Device Security?

• Device Security addresses a core need:

– To ensure devices will operate as trusted and expected, and not operate in untrusted or unexpected ways

• Commonly applied requirements include:

– To perform security-sensitive functions (e.g. crypto key generation, authentication, access control, etc.) and do so in a way that counters unauthorized access to, disclosure of, or compromise of such functions

– To store and handle security-sensitive data (e.g. crypto keys, sensitive data, etc.) without unauthorized access or compromise to the data while the data is in storage or being processed in the device

– To detect, report or prevent attempted attacks on the device itself

– To report and remediate functionality when and if compromises do happen

– To provide reliable and secure references for time and/or location, which help other requirements such as those listed above

• Device Security is related to but different from

– Communication Security, which mostly concerns how data, while in transit from point A to point B, can be protected for confidentiality, integrity, freshness, etc.

– Without Device Security, little trust can be given to communication security!


Why device security?

• Devices can’t be inherently trusted or assumed to be secure

– They use many components that integrators don’t fully know about

– Complexity of modern computing or communication devices often makes it impossible for even their designers to know all vulnerabilities

    • Rule of thumb is there is a security bug in every 1k lines of code!

– Fast changes (for the worse) in the attack-cost vs. benefit equation that motivate prospective attackers to attempt more attacks

    • Increasing use of open standards and platforms

    • Ubiquitous availability of connectivity (e.g. Internet, USB, Bluetooth, etc.) and resultant access for attackers to the devices

    • Devices acting more and more like multi-app computers, and handling data or performing functions that are high-value or high-impact

    • Trend for flattened network architectures, pushing sensitive network-based functions toward edge-network equipment such as routers, gateways, etc.

– Many compromising attacks and threats (e.g. viruses, malware, ID theft, remote hijacking, etc.) are finding ways to other devices (cell phones, gaming boxes, etc.)


Solutions that have proved useful for Device Security

• Use inherently trustable “secure environments” in devices

– To perform the most fundamental or security-wise critical functions

– To store and handle the most sensitive data

– To build a ‘chain of trust’ to attest to the integrity of the rest of the device functionality

– Requires appropriate hardware to build (e.g. secure ROM, RAM, Onetime Pads, E-Fuses, etc.)

• Detect, report, and remediate deviations or compromises

– To detect, use the “secure environment” to measure behavior or metrics (e.g. hashes) of integrity or trustworthiness, and compare them to trusted references

– To report, use the “secure environment” to assure validity of alarms or fault reports

– To remediate, use the “secure environment” to assure integrity of remediation/update protocol handling and local update procedures

• Balance local trust vs. remote enforcement

– Something within the device has to be inherently trusted. Make it small and cost effective.

– Everything else needs to be monitored for deviation, and detected deviations need to be addressed by controlled enforcement (e.g. deny access to network)

• Protect the network from compromises in devices

– Enable the network to become cognizant of compromised devices and be able to control access of devices suspected of compromise

– Design network and end-point protocols that enable or help detection, reporting, access control and remediation

– Make sure such protocols and mechanisms can handle shades of grey, gradations, and multiple scopes/contingencies


Product Adoptions and Standardization

• Device Security has been adopted for many products, and is being standardized for other products too

– Communication network equipment

    • Femto-cell or Home (e)NB devices (3GPP stds Rel9/10, 2009 and onward)

    • 3GPP eNodeBs (stds Rel8, 2008) and relay nodes (Rel10/11, 2010+)

    • ETSI M2M Gateway (Rel1, end of 2010)

– Communication terminal devices, and chipsets & modules for them

    • Smart cards / SIM / UICC modules (since 1990s and onward)

    • Embedded security on commercial mobile phones (mid 2000s and onward)

    • CableCARD™ or DCAS™ security for Cable STBs (early 2000s & on)

    • ETSI TC M2M Devices (being standardized for Rel1 release in 2010)

– Other devices: computers, laptops, gaming devices, etc.

    • Most current laptops have on-board Trusted Platform Modules (TPM™)

    • Gaming boxes such as Xbox and PS-2/3 have built-in device security


Trusted Processing for Wireless Devices

[Figure: a wireless device performs a chain-of-trust based integrity check of the platform. A measured value is compared (COMPARE) with a reference metric; the Reference Metrics (RIM) are protected by the Trust Environment. The integrity self check gives Pass/Fail, leading to "Authentication and Access to Network Allowed". Other labels: Cert, Credentials, Meas. Data.]


Example: Autonomous Validation of 3GPP R9 Femtocell*

[Figure: Femto Cell diagram with callouts A, B and C for the steps below; other labels: Femto Cell, X.]

A. An internal Trusted Environment (TrE) of a Femto measures and verifies the integrity of software and configuration of the Femto.

B. Femto is ONLY allowed to authenticate as a device with the Network after passing integrity check.

C. Network infers device trust in Femto by virtue of implication from successful device authentication.

* 3GPP TS 33.320 H(e)NB Security Aspects sections 6, 7, and 8.
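Steps A to C above, together with the measure-and-compare check against reference metrics (RIM) from the earlier slides, as an added example that is not part of the original slides or of the 3GPP specification. The class and function names, the sample images and the key are constructed for illustration, and a shared-key HMAC challenge-response stands in for the device authentication step.

```python
import hashlib
import hmac
import os

class TrustedEnvironment:
    """Toy TrE: holds the reference metrics (RIMs) and the device key."""

    def __init__(self, rims, device_key):
        self._rims = dict(rims)      # component name -> expected SHA-256 (hex)
        self._key = device_key       # never leaves the TrE
        self._validated = False

    def validate(self, components):
        """Step A: measure every component and compare with its RIM."""
        measured = {n: hashlib.sha256(img).hexdigest() for n, img in components}
        failures = sorted(
            n for n in set(measured) | set(self._rims)
            # a missing measurement or a missing RIM compares as a mismatch
            if not hmac.compare_digest(measured.get(n, ""), self._rims.get(n, "")))
        self._validated = not failures
        return failures

    def authenticate(self, challenge):
        """Step B: the key is used only after the integrity check passed."""
        if not self._validated:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def network_admits(device_key, challenge, response):
    """Step C: a valid response implies the device passed its own check."""
    if response is None:
        return False
    expected = hmac.new(device_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

# Constructed sample images and key (not real firmware or credentials).
GOOD = [("bootloader", b"bl-v1"), ("os", b"os-v1"), ("config", b"tx_power=20")]
RIMS = {n: hashlib.sha256(img).hexdigest() for n, img in GOOD}
KEY = b"constructed-device-key"

def run(components):
    """Boot once with the given images; return (failed components, admitted?)."""
    tre = TrustedEnvironment(RIMS, KEY)
    failures = tre.validate(components)
    challenge = os.urandom(16)
    return failures, network_admits(KEY, challenge, tre.authenticate(challenge))

if __name__ == "__main__":
    print(run(GOOD))
    print(run([("bootloader", b"bl-v1"), ("os", b"os-v1"), ("config", b"tx_power=99")]))
```

The network never sees the measurements: it learns the result only because the TrE withholds the authentication response when any component, including configuration, deviates from its reference.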


Example: Open Mobile Terminal Platform (OMTP) Advanced Trusted Environment TR1 for Mobile Terminal Security (*)

Overview of TR1 Recommendations

• Enhances the Basic Trusted Environment (TR0) specs

• New, expanded threat model

• Protects the Application Security Framework on a device

• Different profiles for different levels of security in the terminal

• Enables high security platforms and devices

• Grounding for future high-security services on mobile phones

Source:

* http://www.omtp.org/Publications/Display.aspx?Id=3531a022-c606-42ad-bf02-4c8d10dc253e#

** http://docbox.etsi.org/Workshop/2009/200901_SECURITYWORKSHOP/OMTP_DavidRogers_OMTPSecurityRecommendationsandtheAdvancedTrustedEnvironment_OMTP_TR1.pdf


Example: Mobile Phone Security (Freescale product example)

• Secure ROM and RAM

• Hardware-based binding of DevID to crypto key

• Security Controller

• On-chip secure monitor

• Crypto engines

• Run-time integrity check (RTIC)

Source: http://www.freescale.com/files/training_pdf/WBT_27207_IMX31_SECURITY.pdf


Example: Freescale i.MX-31 High-Assurance Boot (HAB)

Source: http://cache.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf?


Example: i.MX-31 Runtime Integrity Checker (RTIC)

Source: http://www.freescale.com/files/training_pdf/WBT_27207_IMX31_SECURITY.pdf


Example: Qualcomm SecureMSM™ Software Architecture

Source: http://www.writefayewrite.com/images/pdfs/DatasheetII.pdf


Example: Texas Instruments M-Shield™ Embedded Security

Source: http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf


Summary and Next Steps

• Cognitive Communication Systems and Networks are particularly susceptible to device-oriented threats

– Reliance on complex and dynamic policies to meet regulatory and standards compliance

    • These increasingly need to be soft and updatable

– Reliance on other devices to follow rules

• Device Security is Here

– Technology is available

– Already being used to secure communication systems

• And it is the right solution to this problem

• The proper role of a communications standard

– Enable device security through support of required signaling

– Incorporate device security into appropriate security procedures (e.g. network access)

– When applicable, require device security capability for access to certain services
