Trusted Cells: Architecture, by Javier González
TRUSTED CELL - CONTEXT
IT UNIVERSITY OF COPENHAGEN Javier González - [email protected] supervisor: Philippe Bonnet June, 2014
Trusted Cells: a decentralized data platform based on Trusted Execution Environments (TEE) embedded on personal data devices (set top boxes, smart phones or smart meters) at the edges of the Internet.
ARCHITECTURE - LINUX KERNEL
[Figure: Trusted Cell architecture on the Linux kernel. Recoverable labels follow.]
Regions: Rich Environment, Secure Environment; User Space, Kernel Space; Platform Independent, Platform Dependent, TEE Dependent.
Applications and system interface: App1, App2, ..., Appn; GLIBC; System-Call Interface (SCI); Secure Environment Communication Interface; SYSFS.
VFS: VFS file Obj, dentry Obj, inode Obj, super-block Obj; open(), close(), read(), write(), flush(); cache; FS0 ... FSn; Dependencies; Attributes.
Inode annotation: struct inode {... uid_t //user id of owner; did_t //group id of owner; eid_t //environ. id of owner ...};
Trusted Cell components: TC_manager; TC_rich (TUM_rich, TSM_rich, TIM_rich); TC_conf (TUM_conf, TSM_conf, TIM_conf); TC driv.; LSM Hooks; Trusted Cell Manager; Policy Manager (e.g., UCON); TIM, TSM, TUM; TIM cache, TSM cache, TUM cache.
Secure side: Secure Applications (Secure App 1, 2, ..., n; app1, app2, app3); Secure System Primitives; Secure Device Drivers; Tamper Resistant Unit; Crypto Keys; CRYPTO; VFS Metadata; History Logs; Transaction Logs; Memory; Peripherals connected to System Bus; TZPC.
Interactions: file ops. (e.g., r, w); TC communication (e.g., config., eval.).
Secure operations: hash(metadata), hash(data), encrypt(X), decrypt(X), verify(file), create(policy), evaluate(policy), modify(policy).
Legend: Trusted Cell - Secure Component; Trusted Cell - Rich Component; Trusted Cell - Configuration; Trusted Cell - System Call Evaluation (LSM Hooks).
TRUSTED EXECUTION ENVIRONMENT (TEE) - FRAMEWORK
[Figure: TEE framework. Columns: Rich Environment, Secure Environment. Layers: User Space, Kernel Space, Secure Space, Hardware. Labels: High Performance Tasks, Client API, Kernel, TZ Driver, root, Monitor Mode Dispatcher, Secure Kernel, Trusted Tasks, Trusted Apps, Cortex-A class processor, Secure External Bus, AMBA3 AXI, APB, Public Peripherals, Trusted Peripherals, Hardware | Software.]
Principle 1: Self-preservation first. Under the suspicion of a threat, the secure environment isolates itself logically and gives up availability in order to protect data integrity, confidentiality and durability.
Principle 2: Lead all communications. The secure environment defines all parameters of the communication: protocol, certificates, encryption keys, etc.
Principle 3: Secure all interactions. The secure area has priority to obtain exclusive access to secure peripherals.
NEXT STEPS
[Figure labels: Innovative Services, Usage Control, Hardware Security, Data Processing, Sensitive Data, Untrusted Storage, Trusted Cell, Application.]
[Figure: UCON_ABC model. Labels: Subject, Object, Rights, Authorizations, Obligations, Conditions, Usage decision.]
Enforcement: a priori control of usage rights
Audit: a posteriori control of how rights were used
Secure Platforms (columns: Level of protection, Comm. Abstraction, Execution Env., Examples)
Only Software: Low; Msg, Sockets, SM; Rich OS; Android, Linux, iOS, Windows
Software + Hardware: Medium High; Shared Memory; Rich OS + TEE; ARM TrustZone
SW + Tamper Resistant HW: Very High; Narrow Interfaces; Secure ad-hoc OS; IBM CC, TPM, Secure Token
Requirements:
UCON needs to be implemented within a security perimeter protected by hardware so that attackers with root privileges cannot disable it using software.
From inside the security perimeter it should be possible to “monitor” programs outside the security perimeter
Communicating with programs in the security perimeter should entail a low overhead
Characteristics:
UCON is a formal model (algebra)
UCON can model complex policies: Access Control Lists, Digital Right Management, or Usage Control Policies.
UCON is founded on very strong security assumptions
UCON is a perfect candidate to model Contextual Integrity
There is no implementation!
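A UCON_ABC usage decision with a priori enforcement and an audit trail, as an added example that is not code from the poster or from the Trusted Cells project. All types, field names and ucon_decide() are hypothetical; the eid field borrows the environment-id idea from the inode annotation, the threat flag mirrors Principle 1, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical types for illustration; not the Trusted Cells structures. */
enum right { R_READ = 1, R_WRITE = 2 };
struct subject { unsigned uid, eid, uses_left; bool accepted_terms; };
struct object  { unsigned owner_eid, rights_mask; };
struct context { unsigned hour; bool threat_suspected; };

#define AUDIT_MAX 16
static char audit_log[AUDIT_MAX][48];   /* stands in for the history log */
static int audit_len;

static void audit(unsigned uid, enum right r, bool allowed)
{
    if (audit_len < AUDIT_MAX)
        snprintf(audit_log[audit_len++], sizeof audit_log[0], "uid=%u %s %s",
                 uid, r == R_READ ? "read" : "write", allowed ? "allow" : "deny");
}

/* A priori usage decision: Authorizations AND oBligations AND Conditions. */
bool ucon_decide(struct subject *s, const struct object *o,
                 enum right r, const struct context *c)
{
    bool a = (o->rights_mask & r) && s->eid == o->owner_eid && s->uses_left > 0;
    bool b = s->accepted_terms;                     /* obligation fulfilled */
    bool cond = !c->threat_suspected && c->hour >= 8 && c->hour < 20;
    bool allowed = a && b && cond;

    if (allowed)
        s->uses_left--;       /* mutable attribute updated as a result of use */
    audit(s->uid, r, allowed);   /* every decision is recorded for later audit */
    return allowed;
}

int main(void)
{
    struct subject s = { 1000, 7, 1, true };        /* constructed sample data */
    struct object o = { 7, R_READ };
    struct context day = { 10, false }, alarm = { 10, true };

    ucon_decide(&s, &o, R_READ, &alarm);   /* denied: threat suspected */
    ucon_decide(&s, &o, R_READ, &day);     /* allowed, consumes the last use */
    ucon_decide(&s, &o, R_READ, &day);     /* denied: no uses left */
    for (int i = 0; i < audit_len; i++)
        puts(audit_log[i]);
    return 0;
}
```

Denied requests are logged as well as granted ones, so the a posteriori audit sees attempts that enforcement blocked.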
Contextual Integrity
Contextual integrity gives a framework to reason about the norms that apply, in a given social context, to the flows of personal data (i.e., information norms). Privacy is not about “not sharing” personal data!
[Figure labels: Digital Society, Users, Service Providers, Information Flow.]
[Figure labels: Rich Execution Environment, All Sorts of Applications, Security Perimeter, Monitoring Applications, HW Protection, Monitor, Low Overhead.]
Integrity: Trusted Integrity Module (TIM)
Confidentiality: Trusted Storage Module (TSM)
Durability: TIM + TSM + Redundancy + Dispersion
Accessibility: TEE (currently not guaranteed)
Usage Control: Trusted Usage Module (TUM)
Trusted Cells: TIM + TSM + TUM (user space, kernel space & secure space)
Trusted Cell Prototype
Integrate in Sensing Infrastructure
[Figure labels: Data Management, Trusted Cell, Gateway, ?smap]
TRUSTED CELL - VISION
Alice (A) and Bob (B) are equipped with fixed and portable trusted cells, acquiring data from several data sources, synchronizing with their encrypted personal digital space on the cloud. Charlie (C) is travelling around the world and can securely access all his data from any (unsecure) terminal thanks to his portable trusted cell. All users equipped with trusted cells can securely share their encrypted data through the cloud.