Page 1
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
Information & Communications
Security
A Formal Security Model of the Infineon SLE88 Smart Card Memory Management
David von Oheimb, Volkmar LotzSiemens AG, Corporate Technology, Security
{David.von.Oheimb,Volkmar.Lotz}@siemens.com
Georg WalterInfineon Technologies AG, Security & Chip Card ICs
[email protected]
Page 2
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 2
Context
• Certification of SLE88 according to Common Criteria EAL5+
• Existing LKW security model of SLE 66 [LKW00, vOL02] applies
• New security functionality for SLE88: Memory Management Unit
• virtual address space
• protection mechanisms on both virtual and physical level
• Intended to achieve security objectives:
• Restricted memory access
• Separation of applications, OS, and chip security functionality (SL)
• Augmenting the LKW model with a separate memory management model suffices
Page 3
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 3
Overview
• Context
• SLE88 Memory Management
• Overview of functionality
• Security Objectives
• Interacting State Machines
• SLE88 System Model
• Security Properties
• Enforcing attribute-based access control
• Protection of security-critical memory areas
• Results
Page 4
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 4
Address Space
EAR
DPPAD
0531 23
DP
0 521
BPF
0 SL1 PSL/HAL2 OS3..15 reserved16..255 regular
VEA Virtual Effective AddressPEA Physical Effective AddressPT Page TablePP Page Pointer
VEA
PEA
DP DisplacementPAD Package AddressEAR Effective Access RightBPF Block Protection Field
PT
PP
privileged
Page 5
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 5
Access Control Mechanisms
• Block Protection Field (BPF)
applies to 4-bit blocks of physical addresses
• Effective Access Rights (EARs)
apply to 8-bit blocks of virtual addresses
Page 6
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 6
Security Requirements
• Critical aspects:
• shared memory
• modification of EAR table
• protection achieved by BPF (“fail-safe”?)
• port commands (not shown here)
Page 7
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 7
• state transitions (maybe non-deterministic)
• buffered I/O simultaneously on multiple connections
• finite trace semantics
• modular (hierarchical) parallel composition
Interacting State Machines (ISMs)
Page 8
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 8
• Generic ISMs: global/shared state
• Dynamic ISMs: changing availability and communication
• Ambient ISMs: mobility with constrained communication
• Dynamic Ambient ISMs: combination
Extensions to ISM concepts
(generic) ISMs
AmbISMsdISMs
dAmbISMs
Page 9
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 9
• AutoFocus: CASE tool for graphical specification and simulation
• syntactic perspective
• graphical documentation
• type and consistency checks
• Isabelle/HOL: powerful interactive theorem prover
• semantic perspective
• textual documentation
• validation and correctness proofs
• AutoFocus drawing Quest file Isabelle theory file
Within Isabelle: ism sections standard HOL definitions
Tool support
Page 10
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 10
ISM representation in AutoFocus
• System Structure Diagram: Client/Server
• State Transition Diagram: working thread
Page 11
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 11
Basic ISMs in Isabelle/HOL
Page 12
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 12
System Model: SLE88 Memory
Formal definition of the virtual address space:
Page 13
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 13
System Model: State
Formal definition of the system state:
• physical memory• address translation• access control settings• execution state
Page 14
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 14
System Model: Inputs and Outputs
Page 15
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 15
System Model: Memory Access
Auxiliary function for checking access control conditions
Request for access mode at virtual address va in state s returns Ok, if:• va is mapped to a physical address• access is (privileged or) permitted according to EAR table• BPF is consistently assigned (or special access by SL)
Page 16
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 16
System Model: Transition Relation (excerpt)
Page 17
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 17
Security Properties (1):“Granted Accesses Do Respect EAR Settings”
PT_map PEAVEA
WW
WR
Consistency of EARs:• In case of non-injective PT_map, the effective
protections is determined by weakest EAR• Conflicts are possible• Should aliasing be prohibited?• Solution: Define consistency requirements on EARs: all WW or all RR• Property only holds in case of EAR consistency
Page 18
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 18
Security Properties (2):“Protection of SL Memory”
Required axioms (assumptions):
• Initial state satisfies requirements on BPF and initial EAR values • Benign behaviour of SL (correct setting of BPF values, page table
entries, and EAR table entries)
Used lemmas (invariants):
• SL parts of page table and EAR table can only be modified by SL• EARs referring to SL are always set in a way that access by non-SL packages is denied• For SL memory areas, the BPF tag is always set
Page 19
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 19
Conclusion
• Identification: necessary assumptions on initial state and behaviour of SL
• Analysis: effects of non-injective address mappings
• Analysis: role of block protection fields (BPF)
• Proof: security functionality is adequate to satisfy security requirements
(on abstract level of specification)
• Proof: security specification is consistent
(with some additional arguments referring to consistency of HOL)
• Security model satisfies all requirements of ADV_SPM.2
and thus contributes to EAL5 certification
• Effort: 2 person months
Page 20
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
Information & Communications
Security
Thank you for your attention!
Questions?
Page 21
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
Information & Communications
Security
Backup Slides
Page 22
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 22
Formal Definition of Basic ISMs
Page 23
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
Information & Communications
Security
Open runs
Page 24
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 24
Parallel Runs (Interaction)
Page 25
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 25
(Parallel) Composition of ISMs
Page 26
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
Information & Communications
Security
Parallel State Transition Relation
Page 27
C
O R
P O
R A
T E
T
E C
H N
O L
O G
Y
© Siemens AG, CT IC 3Information &
CommunicationsSecurity
CASSIS Workshop, Marseille, 13 March 2004 27
Results on BPF
• Prohibits access of non-SL packages to SL through alternative access paths
• Allows to grant exclusive access of SL to other memory areas
• Achieves write protection of SL memory areas in case of traps being delayed
• Is not a “fail-safe” mechanism in case of inappropriate EARs for SL memory!