se-4101, trustworthy multi-tenancy for the modern application ecosystem, by jon geater

TRUST THY NEIGHBOR? TRUSTWORTHY MULTI-‐TENANCY FOR THE

MODERN APPLICATION ECOSYSTEM

2 | TRUST THEY NEIGHBOR? | JON GEATER, TRUSTONIC | NOVEMBER 12TH, 2013 | CONFIDENTIAL

ABOUT TRUSTONIC JON GEATER, CHIEF TECHNICAL OFFICER

The changing landscape


THE RISE OF MOBILE AND THE CONNECTED SOCIETY

0

100

200

300

400

500

600

700

2005 2006 2007 2008 2009 2010 2011 2012 2013E

Desktop

Laptop

Smartphone

Source data: Morgan Stanley Research


THE RISE OF MOBILE AND THE CONNECTED SOCIETY

0

100

200

300

400

500

600

700

2005 2006 2007 2008 2009 2010 2011 2012 2013E

All PC

Smartphone

Source data: Morgan Stanley Research


THE RISE OF MOBILE AFFECTS THE ENTIRE CHAIN

!  So why are we talking about Smartphones at an AMD conference?

!  What is a mobile device?


JUST A FEW YEARS AGO… MOBILE SECURITY

!  I was working for an Enterprise Security company making encrypôn and key management products

!  We were asked by a major US bank to help them with the problem they had with informaôn security on mobile devices

!  2 primary device types:

‒  Laptops This one’s fairly obvious. But this was easier because of established security vendors and no real noôn of BYOD for laptops

‒ Tape drives (!) They are very mobile… But compara^vely simple security problem .



!  We now (try to) do everything on the mobile internet that we used to do by PC, ordinary phone and post

!  That blurs the lines between device types: phones, tablets, laptops – truly heterogeneous!

!  It forces applicaôns on-‐line, so the whole informaôn system from chip to cloud needs consistent security

!  It also leads to a significant rise in the number of types of informaôn processed on mobile devices

!  …and a consequent rise in the value of that informaôn



!  We now (try to) do everything on the mobile internet that we used to do by PC, ordinary phone and post

!  That blurs the lines between device types: phones, tablets, laptops

!  It forces applicaôns on-‐line, so the whole informaôn system from chip to cloud needs consistent security

!  It also leads to a significant rise in the number of types of informaôn processed on mobile devices

!  …and a consequent rise in the value of that informaôn

Sensi^ve Informaôn

Security and trust


WHAT IS RISK?

Risk = probability x severity


WHAT IS RISK?

Risk = ^me x remedia^on


WHAT IS RISK?

Risk = likelihood x cost


WHAT IS RISK?

Risk = likelihood x cost

How much should I care about this? When will it happen? What’s the impact if it does?


WHAT IS SECURITY?

A Venn diagram

SECURE NOT SECURE


WHAT IS SECURITY?

A Venn diagram

SECURE?


WHAT IS SECURITY?

Security Is

Contextual



!  Things are much more complicated now

!  The different use cases present a set of conflic^ng use cases that a single extant planorm has to sa^sfy

!  And that’s before the user gets involved

!  Mul^-‐tenancy on a consumer device lacks some of the more powerful approaches available to server applica^ons

!  There are also more threats now ‒ Professionalized malware ‒ Threats always follow the money

Privacy

please

OPEN! CLOSED!

MY CONTROL! NO, MINE!

Start Trusted, Stay Trusted


START TRUSTED

!  So how does security enable trust? !  We typically define fundamental security building

blocks as “Roots of Trust”

!  To be effec^ve the RoT has to be rooted in hardware ‒ Otherwise there are too many ways to remove it, and nothing to check back against

‒  “Trust, but verify” !  Not just a key: includes the mechanisms, code etc

‒ NIST guidelines !  Secure boot mechanisms (including UEFI) are based

on roots of trust

!  Scaling problem – not everyone can own a direct root! So the planorm has to provide the main one

HARDWARE ROOTS OF TRUST

RoT for Storage

RoT for Verifica-on

RoT for Measurement

RoT for Repor-ng

RoT for Integrity

Protected Storage

Isola:on Device Integrity

Opera^ng System

App

App

App App

Picture: Andrew Regenshield: NIST/Computer Security Division


STAY TRUSTED

!  Boot security is necessary but not sufficient ‒ Doesn’t account for run-‐^me exploits ‒ Good for system FW but doesn’t scale to applica^ons

!  Security is a dynamic affair. We need to be able to react as quickly as the threats/market

!  Planorm use cases shouldn’t be fixed when the chip leaves the factory ‒ Need to be able to add trusted func^onality later on

!  Security context is best known to the service providers but they do not make hardware. ‒ How to anchor their trust chains in hardware at scale? ‒ How to encode their use case into general purpose HW? ‒ Can you do a whole FW update each ^me a single app changes? No!

SECURITY DOESN’T STAY STILL

TrustZone® and TEE


TRUSTZONE® HARDWARE BACKED SECURITY FROM ARM

!  Separaôn technology built into ARM Cortex-‐A processors

!  Enables 2 independent process stacks to execute on a single SoC: Normal mode and Secure mode

!  Memory and peripherals can be par^ôned into secure-‐only or shared

!  Mode separaôn is enforced by the processor and fabric – stronger than MMU

!  Sovware in Normal World (including awacks!) can’t read memory or peripherals that are reserved for Secure World

!  It is not magic! Designed to defeat sovware awacks, not naônal governments and laserbeams

!  Doesn’t have any sovware

TZ only Switchable

Normal


TRUSTED EXECUTION ENVIRONMENT PRACTICAL SECURITY FOR MOBILE APPLICATIONS

Image: GlobalPlanorm

Hardware Platform

Rich OS Application Environment

Rich OS

GlobalPlatformTEE Client API

Trusted Execution Environment

Trusted CoreEnvironment

GlobalPlatformTEEInternalAPI

TrustedFunctions

Payment Corporate

GlobalPlatformTEE Functional API

GlobalPlatformTEE Functional API

Client Applications

GlobalPlatform TEE Client API

TrustedApplication

DRM

TrustedApplication

Payment

TrustedApplicationCorporate

HW Keys, SecureStorage,Trusted UI (Keypad, Screen),

Crypto accelerators,NFC controller,

Secure Element, etc.

HW SecureResources

EnvironmentTrusted Core Trusted

Functions

GlobalPlatformTEE Internal

TEE Kernel

API

Primary device environment

runs as normal, including other

security mechanisms

Security cri:cal code and resources protected by TEE applica:ons

TEE provides the constant security founda:on independent of OS choice

Integrity and trust underpinned by SoC hardware

GlobalPlaIorm APIs ensure portability across handsets/plaIorms

Control of secure resources


TRUSTED EXECUTION ENVIRONMENT PRACTICAL SECURITY FOR MOBILE APPLICATIONS

!  TEE combines the planorm hardware with sovware to provide an open environment in which to run security sensi^ve code for normal applicaôns

!  Highly flexible system enables applicaôn stakeholders to protect their own funcônality ‒ Correct context is used

!  GlobalPlanorm is not the only model ‒ But a standard helps with a scalable ecosystem

!  Provides simple APIs for cryptography, secure storage etc

!  Working towards advanced APIs for things like Trusted User Interface (where applicable)


BACKEND TRUST AND ENROLMENT COMPLETING THE CHAIN OF TRUST

!  A well-‐built TEE provides strong separaôn of processes on the device

!  But as we’ve seen, systems and trust are bigger than the device

!  A remote loading system connected to the Roots Of Trust is essenâl in order to sustain a chain of trust from Chip to Cloud

!  Making it essenâl to the creaôn of an ecosystem

!  This is not yet standardized but Trustonic operates a backend system connected to an on-‐chip Root of Trust


Trusted app

Trusted app

Secure Kernel

Trusted app

!  ‘Secure boot’ from SoC ROM assures integrity of TEE and sensitive data assets

!  TEE is given control of secure peripherals, memory regions and trusted apps

!  Trusted apps are verified before they can run and access sensitive assets – contextual security

!  Normal World can only access trusted apps through published APIs – transaction integrity

!  Manufacturing and Backend systems maintain the chain of trust between chip, apps and relying parties

START TRUSTED, STAY TRUSTED LIFECYCLE SUPPORT DESIGNED-‐IN


!  TPM 2.0 is an interface specification

!  Can co-exist with TEE, or run as an application inside it ‒ Or even be a hardware one, if money, space and

power allow. Compatible with all models

!  Extensive work in the TCG on Firmware TPMs (PCClient group) and Mobile TPMs (Mobile Platforms group) to enable this kind of architecture

WHAT ABOUT TPM? TPM 2.0 protocol can be supported too

TEE entry

Rich App

Mobile OS

REE

Rich App

Trusted OS

TA TPM

TEE

Smartphone hardware

TEE Client API

TPM Client API

TEE Internal API + TEE trusted UI ++

TA

Client to Cloud Examples


CHIP TO CLOUD TRUST EXAMPLE USE CASE: SIMPLER LOGIN

ARM TrustZone® enabled SoC

Client API

Open Environment Trusted Execution Environment

OTP TA Secure OTP generation

Secure OTP key storage OTP Launcher

APIs

Trusted User Interface

Secure cryptography

Secure Mass Storage

7KH�SULQFLSDO�ORJR�FRORU�LV�EODFN��EOXH�W\SH� ZLWK�WKH�LFRQ�ORFNXS�

7KH�EODFN�ORJR�LV�XVHG�YHU\�UDUHO\�RQO\�LQ�LQVWDQFHV�ZKHUH�WKH�SXEOLFDWLRQ�RU�GRFXPHQW� ZLOO�RQO\�DSSHDU�LQ�EODFN��ZKLWH��LH��ID[�VKHHWV�DQG�QHZVSDSHU�

7KHVH�DUH�WKH�RQO\�YHUVLRQV�SHUPLWWHG�

LOGO

LOGO IN BLACK

LOGO COLOR VERSIONS

LOGO ON BLACK

Rich OS

Cloud service can have more confidence in the ID claim they receive

User has the convenience of using their preferred device,

and fewer clicks


CHIP TO CLOUD TRUST OTHER USE CASES

!  Flexible iden^ty & access use cases ‒ Convert passwords to stronger on-‐the-‐wire credenâls ‒ Also biometrics

!  Transacôn verificaôn and protecôn ‒  Simpler payments ‒ Confidenâlity ‒ binding integrity

!  Content ‒ DRM processing, innova^ve delivery models

!  Enterprise ‒ On board credenâls for VPN etc ‒ BYOD trust anchors ‒ Virtual HSM

!  Improve user experience

!  Provide more innova^ve services


CHIP TO CLOUD TRUST BENEFITS

!  Chip to cloud works both ways ‒ The client is increasingly the primary device. Remote service should have to prove itself before the device gives up any sensi^ve informa^on

‒ The flexible architecture of TEE enables these islands of trust to work both ways

!  Ability to verify root of trust separately enables greater confidence and unlocks poten^al for enhanced services and user experience

!  Privacy impacts can be limited by separa^ng the key actors in the system: something that can happen naturally

AMD and Trustonic


AMD AND TRUSTONIC THE PLATFORM SECURITY PROCESSOR

AMD64

PSP

TEE

APU

(Not to scale!)

!  The Planorm Security Processor (PSP) is a dedicated ARM co-‐processor within the APU dedicated to providing security func^ons

!  Has its own secure RAM and NV storage

!  Can access system memory

!  Crypto func^onality, including TRNG

!  Last month AMD and Trustonic announced a partnership: AMD has licensed the Trustonic TEE to run as the security kernel in the PSP

!  Talk to AMD for the PSP roadmap and access for 3rd party security extensions

Wrap up


WRAPPING UP

The mobility trend affects ALL areas of compu^ng 1

Security is DYNAMIC. Need to keep up. 2

HARDWARE trust is needed to defeat SOFTWARE threats 3

A collabora^ve ECOSYSTEM approach is essen^al 4

AMD and Trustonic are working together to enable this 5

Thank you


DISCLAIMER & ATTRIBUTION

The informaôn presented in this document is for informaônal purposes only and may contain technical inaccuracies, omissions and typographical errors.

The informaôn contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, sovware changes, BIOS flashes, firmware upgrades, or the like. Trustonic assumes no obligaôn to update or otherwise correct or revise this informaôn. However, Trustonic reserves the right to revise this informaôn and to make changes from ^me to ^me to the content hereof without obligaôn of AMD to no^fy any person of such revisions or changes.

TRUSTONIC MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION.

TRUSTONIC SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL TRUSTONIC BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF TRUSTONIC IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

ATTRIBUTION

© 2013 Trustonic Ltd. All rights reserved. Trustonic, the graphical <t logo and combinaôns thereof are trademarks of Trustonic Ltd. in Europe, the United States and/or other jurisdicôns. AMD is a trademark of Advanced Micro Devices, Inc. ARM and TrustZone are trademarks of ARM, Ltd.Other names are for informaônal purposes only and may be trademarks of their respec^ve owners.


SESSION ABSTRACT

!  TITLE: Trust thy neighbour? Trustworthy mul^-‐tenancy for the modern applicaôn ecosystem

!  SHORT ABSTRACT: With tales of leaks, hacks and malware on the rise, trust in mobile systems is in short supply these days. In other areas an almost opposite but equally troubling problem exists where walled gardens or security agents seek to keep out the bad guys, but also s^fle innovaôn and invite quesôns of trust in the mo^vaôn and interest of the gardeners.

!  This talk looks at recent developments in client-‐to-‐cloud trust technology in the ARM mobile device ecosystem and presents a model for both security and control that allows mul^-‐tenancy with confidence. It also covers how AMD have adopted and adapted some of this technology to create a world-‐leading SoC planorm with trust built into the very heart of the chip.

se-4101, trustworthy multi-tenancy for the modern application ecosystem, by jon geater

Technology

confidenti informa

confidenti secure

contextual17 trusttheyneighbor

on12 trusttheyneighbor

sothewhole informa

laptops thisonesfairlyobvious

securityand trust

onof byodforlaptops