se-4101, trustworthy multi-tenancy for the modern application ecosystem, by jon geater
DESCRIPTION
Presentation SE-4101 by Jon Geater from the AMD Developer Summit (APU13) November 11-13, 2013.
TRANSCRIPT
TRUST THY NEIGHBOR? TRUSTWORTHY MULTI-TENANCY FOR THE MODERN APPLICATION ECOSYSTEM
2 | TRUST THEY NEIGHBOR? | JON GEATER, TRUSTONIC | NOVEMBER 12TH, 2013 | CONFIDENTIAL
ABOUT TRUSTONIC JON GEATER, CHIEF TECHNICAL OFFICER
The changing landscape
THE RISE OF MOBILE AND THE CONNECTED SOCIETY
[Chart: 2005–2013E, y-axis 0–700; series Desktop, Laptop, Smartphone. Source data: Morgan Stanley Research]
[Chart: 2005–2013E, y-axis 0–700; series All PC, Smartphone. Source data: Morgan Stanley Research]
THE RISE OF MOBILE AFFECTS THE ENTIRE CHAIN
! So why are we talking about Smartphones at an AMD conference?
! What is a mobile device?
JUST A FEW YEARS AGO… MOBILE SECURITY
! I was working for an Enterprise Security company making encryption and key management products
! We were asked by a major US bank to help them with the problem they had with information security on mobile devices
! 2 primary device types:
‒ Laptops: this one’s fairly obvious, but it was easier because of established security vendors and no real notion of BYOD for laptops
‒ Tape drives (!): they are very mobile… but a comparatively simple security problem.
THE RISE OF MOBILE AFFECTS THE ENTIRE CHAIN
! We now (try to) do everything on the mobile internet that we used to do by PC, ordinary phone and post
! That blurs the lines between device types: phones, tablets, laptops – truly heterogeneous!
! It forces applications on-line, so the whole information system from chip to cloud needs consistent security
! It also leads to a significant rise in the number of types of information processed on mobile devices
! …and a consequent rise in the value of that information
Security and trust
WHAT IS RISK?
Risk = probability x severity
Risk = time x remediation
Risk = likelihood x cost
How much should I care about this? When will it happen? What’s the impact if it does?
WHAT IS SECURITY?
[Venn diagram: SECURE / NOT SECURE]
[Venn diagram: SECURE?]
Security is contextual
THE RISE OF MOBILE AFFECTS THE ENTIRE CHAIN
! Things are much more complicated now
! The different use cases present a set of conflicting requirements that a single extant platform has to satisfy
! And that’s before the user gets involved
! Multi-tenancy on a consumer device lacks some of the more powerful approaches available to server applications
! There are also more threats now
‒ Professionalized malware
‒ Threats always follow the money
[Figure: competing demands – “Privacy please”, “OPEN!” vs “CLOSED!”, “MY CONTROL!” vs “NO, MINE!”]
Start Trusted, Stay Trusted
START TRUSTED
! So how does security enable trust?
! We typically define fundamental security building blocks as “Roots of Trust”
! To be effective the RoT has to be rooted in hardware
‒ Otherwise there are too many ways to remove it, and nothing to check back against
‒ “Trust, but verify”
! Not just a key: includes the mechanisms, code etc
‒ NIST guidelines
! Secure boot mechanisms (including UEFI) are based on roots of trust
! Scaling problem – not everyone can own a direct root! So the platform has to provide the main one
HARDWARE ROOTS OF TRUST
[Figure: RoT for Storage, RoT for Verification, RoT for Measurement, RoT for Reporting, RoT for Integrity; Protected Storage, Isolation, Device Integrity; Operating System; Apps. Picture: Andrew Regenscheid, NIST/Computer Security Division]
STAY TRUSTED – SECURITY DOESN’T STAY STILL
! Boot security is necessary but not sufficient
‒ Doesn’t account for run-time exploits
‒ Good for system FW but doesn’t scale to applications
! Security is a dynamic affair. We need to be able to react as quickly as the threats/market
! Platform use cases shouldn’t be fixed when the chip leaves the factory
‒ Need to be able to add trusted functionality later on
! Security context is best known to the service providers but they do not make hardware.
‒ How to anchor their trust chains in hardware at scale?
‒ How to encode their use case into general purpose HW?
‒ Can you do a whole FW update each time a single app changes? No!
TrustZone® and TEE
TRUSTZONE® – HARDWARE BACKED SECURITY FROM ARM
! Separation technology built into ARM Cortex-A processors
! Enables 2 independent process stacks to execute on a single SoC: Normal mode and Secure mode
! Memory and peripherals can be partitioned into secure-only or shared
! Mode separation is enforced by the processor and fabric – stronger than MMU
! Software in Normal World (including attacks!) can’t read memory or peripherals that are reserved for Secure World
! It is not magic! Designed to defeat software attacks, not national governments and laserbeams
! Doesn’t have any software
[Figure: memory/peripheral partitions – TZ only, Switchable, Normal]
TRUSTED EXECUTION ENVIRONMENT – PRACTICAL SECURITY FOR MOBILE APPLICATIONS
Image: GlobalPlatform
[Figure: GlobalPlatform TEE architecture. Hardware Platform with HW Secure Resources (HW Keys, Secure Storage, Trusted UI (Keypad, Screen), Crypto accelerators, NFC controller, Secure Element, etc.). Rich OS Application Environment: Rich OS, Client Applications, GlobalPlatform TEE Client API, GlobalPlatform TEE Functional API. Trusted Execution Environment: TEE Kernel, Trusted Core Environment, Trusted Functions, GlobalPlatform TEE Internal API, Trusted Applications (DRM, Payment, Corporate).]
Primary device environment runs as normal, including other security mechanisms
Security critical code and resources protected by TEE applications
TEE provides the constant security foundation independent of OS choice
Integrity and trust underpinned by SoC hardware
GlobalPlatform APIs ensure portability across handsets/platforms
Control of secure resources
TRUSTED EXECUTION ENVIRONMENT – PRACTICAL SECURITY FOR MOBILE APPLICATIONS
! TEE combines the platform hardware with software to provide an open environment in which to run security sensitive code for normal applications
! Highly flexible system enables application stakeholders to protect their own functionality
‒ Correct context is used
! GlobalPlatform is not the only model
‒ But a standard helps with a scalable ecosystem
! Provides simple APIs for cryptography, secure storage etc
! Working towards advanced APIs for things like Trusted User Interface (where applicable)
BACKEND TRUST AND ENROLMENT – COMPLETING THE CHAIN OF TRUST
! A well-built TEE provides strong separation of processes on the device
! But as we’ve seen, systems and trust are bigger than the device
! A remote loading system connected to the Roots Of Trust is essential in order to sustain a chain of trust from Chip to Cloud
! Making it essential to the creation of an ecosystem
! This is not yet standardized but Trustonic operates a backend system connected to an on-chip Root of Trust
START TRUSTED, STAY TRUSTED – LIFECYCLE SUPPORT DESIGNED-IN
[Figure: Secure Kernel hosting several trusted apps]
! ‘Secure boot’ from SoC ROM assures integrity of TEE and sensitive data assets
! TEE is given control of secure peripherals, memory regions and trusted apps
! Trusted apps are verified before they can run and access sensitive assets – contextual security
! Normal World can only access trusted apps through published APIs – transaction integrity
! Manufacturing and Backend systems maintain the chain of trust between chip, apps and relying parties
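The three slides above (hardware roots of trust, "stay trusted" and the lifecycle slide) describe one mechanism: ROM verifies and measures the TEE kernel, the kernel verifies each trusted app before it runs, and because the TA-signing key lives in the kernel image rather than in ROM, new trusted functionality can be added without a firmware update. The following Go program is an added illustration of that chain, not code from the talk, Trustonic or ARM: the image layout (TA public key as the last 32 bytes of the kernel image), the ed25519 signatures, the PCR-style extend rule and all sample data are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement models a PCR-style register (RoT for Measurement): each stage is
// folded in as SHA-256(previous || SHA-256(stage)), so the final value commits
// to every loaded component and the order in which it was loaded.
type Measurement [32]byte

func (m Measurement) Extend(stage []byte) Measurement {
	h := sha256.Sum256(stage)
	return sha256.Sum256(append(m[:], h[:]...))
}

// ROMRoot is the immutable anchor (RoT for Verification): the digest of the
// TEE kernel image pinned in SoC ROM, fixed when the chip leaves the factory.
type ROMRoot struct{ KernelDigest [32]byte }

// TrustedApp is signed with the TA-signing key carried inside the kernel image,
// not with anything in ROM, so a new TA can be added without a firmware update.
type TrustedApp struct {
	Name string
	Code []byte
	Sig  []byte // ed25519 over taDigest(Name, Code)
}

func taDigest(name string, code []byte) [32]byte {
	return sha256.Sum256(append([]byte(name+"\x00"), code...))
}

// Boot runs the chain: ROM verifies and measures the kernel, then the kernel
// verifies each TA before it is measured and allowed to run. A TA that fails
// verification is skipped; a kernel that fails it stops the boot.
func Boot(rom ROMRoot, kernel []byte, apps []TrustedApp) (Measurement, []string, error) {
	var m Measurement
	if len(kernel) < ed25519.PublicKeySize || sha256.Sum256(kernel) != rom.KernelDigest {
		return m, nil, errors.New("TEE kernel does not match ROM pin: refusing to boot")
	}
	m = m.Extend(kernel)
	// Assumed image layout (constructed for this example): the TA public key is
	// the last 32 bytes of the kernel image, so the ROM pin covers it too.
	taKey := ed25519.PublicKey(kernel[len(kernel)-ed25519.PublicKeySize:])
	loaded := []string{}
	for _, app := range apps {
		d := taDigest(app.Name, app.Code)
		if !ed25519.Verify(taKey, d[:], app.Sig) {
			continue // unverified code never runs and is never measured as trusted
		}
		m = m.Extend(append([]byte(app.Name+"\x00"), app.Code...))
		loaded = append(loaded, app.Name)
	}
	return m, loaded, nil
}

// Fixture holds constructed sample data standing in for one manufactured device
// plus the vendor's TA-signing service.
type Fixture struct {
	ROM    ROMRoot
	Kernel []byte
	Apps   []TrustedApp
	SignTA func(name string, code []byte) TrustedApp
}

func NewFixture() Fixture {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kernel := append([]byte("constructed TEE kernel image v1;"), pub...)
	sign := func(name string, code []byte) TrustedApp {
		d := taDigest(name, code)
		return TrustedApp{Name: name, Code: code, Sig: ed25519.Sign(priv, d[:])}
	}
	apps := []TrustedApp{
		sign("otp-ta", []byte("constructed OTP trusted app")),
		sign("drm-ta", []byte("constructed DRM trusted app")),
		// Unsigned code pretending to be a TA: must not be loaded.
		{Name: "rogue-ta", Code: []byte("constructed unsigned code"), Sig: make([]byte, ed25519.SignatureSize)},
	}
	return Fixture{ROM: ROMRoot{KernelDigest: sha256.Sum256(kernel)}, Kernel: kernel, Apps: apps, SignTA: sign}
}

func main() {
	f := NewFixture()
	m, loaded, err := Boot(f.ROM, f.Kernel, f.Apps)
	fmt.Printf("boot err=%v loaded=%v measurement=%x...\n", err, loaded, m[:4])
	// A TA signed after the chip shipped: same ROM, same kernel, new functionality.
	_, loaded, _ = Boot(f.ROM, f.Kernel, append(f.Apps, f.SignTA("payment-ta", []byte("constructed payment TA"))))
	fmt.Println("after adding payment-ta:", loaded)
}
```

The split between the ROM pin and the TA-signing key is the point of the "stay trusted" slide: the ROM value never changes, the kernel image changes only with a firmware update, but the set of trusted apps can grow at any time while every one of them is still verified before it runs and still shows up in the measurement.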
WHAT ABOUT TPM? TPM 2.0 protocol can be supported too
! TPM 2.0 is an interface specification
! Can co-exist with TEE, or run as an application inside it
‒ Or even be a hardware one, if money, space and power allow. Compatible with all models
! Extensive work in the TCG on Firmware TPMs (PC Client group) and Mobile TPMs (Mobile Platforms group) to enable this kind of architecture
[Figure: Smartphone hardware; REE (Mobile OS, Rich Apps, TEE Client API, TPM Client API); TEE entry; TEE (Trusted OS, TAs, TPM TA, TEE Internal API + TEE trusted UI ++)]
Client to Cloud Examples
CHIP TO CLOUD TRUST – EXAMPLE USE CASE: SIMPLER LOGIN
[Figure: ARM TrustZone® enabled SoC. Open Environment: Rich OS, OTP Launcher, Client API. Trusted Execution Environment: OTP TA (secure OTP generation, secure OTP key storage); APIs: Trusted User Interface, secure cryptography, secure mass storage.]
Cloud service can have more confidence in the ID claim they receive
User has the convenience of using their preferred device, and fewer clicks
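The login use case above keeps the OTP seed in secure storage and lets the Rich OS launcher obtain only the short code. The Go program below is an added illustration of that split, not code from the talk or Trustonic: it models the OTP TA as a struct that never exposes its seed, generates RFC 6238 TOTP codes (HMAC-SHA1, the seed and time values are the RFC's published test vector, used here as constructed sample data), and models the cloud side with a verifier that tolerates one step of clock drift but refuses to accept a code twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
)

// OTPTrustedApp stands in for the OTP TA: the seed lives only inside it (secure
// storage in a real TEE) and only the short code crosses into the Rich OS.
type OTPTrustedApp struct {
	seed   []byte
	digits int
	period int64
}

// hotp computes the RFC 4226 HMAC-SHA1 one-time code for a counter value.
func hotp(seed []byte, counter uint64, digits int) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", bin%mod)
}

// Code is the only operation the launcher can call: it never sees the seed.
func (ta *OTPTrustedApp) Code(unixTime int64) string {
	return hotp(ta.seed, uint64(unixTime/ta.period), ta.digits)
}

// CloudVerifier holds the seed shared at enrolment and remembers the last
// counter accepted per device, so a captured code cannot be replayed.
type CloudVerifier struct {
	seed     []byte
	digits   int
	period   int64
	lastUsed map[string]uint64
}

func (v *CloudVerifier) Verify(deviceID, code string, unixTime int64) bool {
	now := unixTime / v.period
	for _, delta := range []int64{-1, 0, 1} { // tolerate one step of clock drift
		if now+delta < 0 {
			continue
		}
		ctr := uint64(now + delta)
		if last, seen := v.lastUsed[deviceID]; seen && ctr <= last {
			continue // this step (or an older one) was already consumed
		}
		if hmac.Equal([]byte(hotp(v.seed, ctr, v.digits)), []byte(code)) {
			v.lastUsed[deviceID] = ctr
			return true
		}
	}
	return false
}

// NewEnrolment returns a TA and a verifier sharing one seed: constructed sample
// data using the RFC 6238 test seed, 8 digits and a 30 s period.
func NewEnrolment() (*OTPTrustedApp, *CloudVerifier) {
	seed := []byte("12345678901234567890")
	return &OTPTrustedApp{seed: seed, digits: 8, period: 30},
		&CloudVerifier{seed: seed, digits: 8, period: 30, lastUsed: map[string]uint64{}}
}

func main() {
	ta, cloud := NewEnrolment()
	code := ta.Code(59) // RFC 6238 vector for T=59: 94287082
	fmt.Println("code:", code, "accepted:", cloud.Verify("dev-1", code, 59))
	fmt.Println("same code replayed:", cloud.Verify("dev-1", code, 59))
}
```

The replay check is the part worth copying: a time-based code is valid for a whole step plus the drift window, so the cloud side has to record the last counter it accepted per device, otherwise a code read off the screen remains usable for up to ninety seconds.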
CHIP TO CLOUD TRUST – OTHER USE CASES
! Flexible identity & access use cases
‒ Convert passwords to stronger on-the-wire credentials
‒ Also biometrics
! Transaction verification and protection
‒ Simpler payments
‒ Confidentiality
‒ Binding integrity
! Content
‒ DRM processing, innovative delivery models
! Enterprise
‒ On board credentials for VPN etc
‒ BYOD trust anchors
‒ Virtual HSM
! Improve user experience
! Provide more innovative services
CHIP TO CLOUD TRUST – BENEFITS
! Chip to cloud works both ways
‒ The client is increasingly the primary device. Remote service should have to prove itself before the device gives up any sensitive information
‒ The flexible architecture of TEE enables these islands of trust to work both ways
! Ability to verify root of trust separately enables greater confidence and unlocks potential for enhanced services and user experience
! Privacy impacts can be limited by separating the key actors in the system: something that can happen naturally
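The "backend trust and enrolment" slide and the benefits slide above describe a two-way exchange: manufacturing issues the chip an identity the backend can recognise, the remote service proves itself before the device releases anything, and the service then verifies the device's root of trust separately from whatever the app claims. The Go program below is an added example of such an exchange, not Trustonic's backend protocol or any standard: the message formats, the ed25519 keys, the pinned service key and the golden measurement are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceCert is issued at manufacturing: the manufacturer root signs the
// device's attestation key, which is how the backend recognises the chip.
type DeviceCert struct {
	DeviceID string
	PubKey   []byte
	Sig      []byte // manufacturer signature over DeviceID||PubKey
}

// ServiceChallenge: the cloud side proves itself first (a fresh nonce signed
// by a key the device's TA has pinned) before any report is released.
type ServiceChallenge struct {
	ServiceName string
	Nonce, Sig  []byte // Sig is over ServiceName||Nonce
}

// Report: the TEE measurement bound to the nonce, signed by the device key,
// plus the certificate that chains that key to the manufacturer root.
type Report struct {
	Nonce, Measurement, Sig []byte // Sig is over Nonce||Measurement
	Cert                    DeviceCert
}

type Device struct {
	cert        DeviceCert
	priv        ed25519.PrivateKey
	measurement []byte            // produced by the boot chain
	pinnedSvc   ed25519.PublicKey // service key baked into the TA
}

func (d *Device) Attest(c ServiceChallenge) (Report, error) {
	if !ed25519.Verify(d.pinnedSvc, append([]byte(c.ServiceName), c.Nonce...), c.Sig) {
		return Report{}, errors.New("service did not prove itself: no report released")
	}
	msg := append(append([]byte{}, c.Nonce...), d.measurement...)
	return Report{Nonce: c.Nonce, Measurement: d.measurement, Cert: d.cert, Sig: ed25519.Sign(d.priv, msg)}, nil
}

type Service struct {
	name     string
	priv     ed25519.PrivateKey
	mfrRoot  ed25519.PublicKey // manufacturer root pinned by the backend
	expected []byte            // golden measurement of a trusted TEE state
	issued   map[string]bool   // outstanding nonces, each usable exactly once
}

func (s *Service) Challenge() ServiceChallenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.issued[string(nonce)] = true
	return ServiceChallenge{s.name, nonce, ed25519.Sign(s.priv, append([]byte(s.name), nonce...))}
}

// Verify checks freshness, the certificate, the report signature, and only
// then whether the measured state is one the service is willing to trust.
func (s *Service) Verify(r Report) error {
	if !s.issued[string(r.Nonce)] {
		return errors.New("unknown or replayed nonce")
	}
	delete(s.issued, string(r.Nonce))
	if len(r.Cert.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(s.mfrRoot, append([]byte(r.Cert.DeviceID), r.Cert.PubKey...), r.Cert.Sig) {
		return errors.New("device certificate not issued by the manufacturer root")
	}
	if !ed25519.Verify(ed25519.PublicKey(r.Cert.PubKey), append(append([]byte{}, r.Nonce...), r.Measurement...), r.Sig) {
		return errors.New("report signature invalid")
	}
	if !bytes.Equal(r.Measurement, s.expected) {
		return errors.New("measurement does not match a trusted TEE state")
	}
	return nil
}

// NewTestbed builds constructed sample parties: one manufactured device and
// the genuine service whose key that device's TA has pinned.
func NewTestbed() (*Device, *Service) {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed manufacturer root
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // per-device attestation key
	svcPub, svcPriv, _ := ed25519.GenerateKey(rand.Reader) // service key pinned in the TA
	golden := sha256.Sum256([]byte("constructed measurement: TEE kernel v1 + otp-ta + drm-ta"))
	id := "constructed-device-0001"
	cert := DeviceCert{DeviceID: id, PubKey: devPub, Sig: ed25519.Sign(mfrPriv, append([]byte(id), devPub...))}
	return &Device{cert: cert, priv: devPriv, measurement: golden[:], pinnedSvc: svcPub},
		&Service{name: "bank.example", priv: svcPriv, mfrRoot: mfrPub, expected: golden[:], issued: map[string]bool{}}
}

func main() {
	dev, svc := NewTestbed()
	rep, err := dev.Attest(svc.Challenge())
	fmt.Println("report released:", err == nil, "| verified:", svc.Verify(rep), "| replayed:", svc.Verify(rep))
}
```

Two design points carry the slide's argument. The device checks the service signature before it signs anything, so an unknown party cannot harvest attestation reports; and the service checks the manufacturer certificate and the measurement itself rather than trusting a self-reported "I am a TEE" string, which is what "ability to verify root of trust separately" means in practice. The nonce map also shows why the service, not the device, must own freshness: a report is only as fresh as the challenge it answers.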
AMD and Trustonic
AMD AND TRUSTONIC – THE PLATFORM SECURITY PROCESSOR
[Figure: APU containing AMD64 cores and the PSP running the TEE (not to scale!)]
! The Platform Security Processor (PSP) is a dedicated ARM co-processor within the APU dedicated to providing security functions
! Has its own secure RAM and NV storage
! Can access system memory
! Crypto functionality, including TRNG
! Last month AMD and Trustonic announced a partnership: AMD has licensed the Trustonic TEE to run as the security kernel in the PSP
! Talk to AMD for the PSP roadmap and access for 3rd party security extensions
Wrap up
WRAPPING UP
1. The mobility trend affects ALL areas of computing
2. Security is DYNAMIC. Need to keep up.
3. HARDWARE trust is needed to defeat SOFTWARE threats
4. A collaborative ECOSYSTEM approach is essential
5. AMD and Trustonic are working together to enable this
Thank you
DISCLAIMER & ATTRIBUTION
The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors.
The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. Trustonic assumes no obligation to update or otherwise correct or revise this information. However, Trustonic reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of AMD to notify any person of such revisions or changes.
TRUSTONIC MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION.
TRUSTONIC SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL TRUSTONIC BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF TRUSTONIC IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
ATTRIBUTION
© 2013 Trustonic Ltd. All rights reserved. Trustonic, the graphical logo and combinations thereof are trademarks of Trustonic Ltd. in Europe, the United States and/or other jurisdictions. AMD is a trademark of Advanced Micro Devices, Inc. ARM and TrustZone are trademarks of ARM, Ltd. Other names are for informational purposes only and may be trademarks of their respective owners.
SESSION ABSTRACT
! TITLE: Trust thy neighbour? Trustworthy multi-tenancy for the modern application ecosystem
! SHORT ABSTRACT: With tales of leaks, hacks and malware on the rise, trust in mobile systems is in short supply these days. In other areas an almost opposite but equally troubling problem exists where walled gardens or security agents seek to keep out the bad guys, but also stifle innovation and invite questions of trust in the motivation and interest of the gardeners.
! This talk looks at recent developments in client-to-cloud trust technology in the ARM mobile device ecosystem and presents a model for both security and control that allows multi-tenancy with confidence. It also covers how AMD have adopted and adapted some of this technology to create a world-leading SoC platform with trust built into the very heart of the chip.