This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
OMTP Security Recommendations and the Advanced Trusted Environment: OMTP TR1
– Requires extensive debugging and manipulation by the hacker
• Exploiting hardware glitches or mistakes– Often induced by the hacker
• Monitoring busses to capture or inject data
• Decapping of devices using Nitric Acid– Probing inside devices – Focused Ion Beam attack– can manipulate data within the devices on the phone– Very difficult!
This process takes months of development and cumulated years of research:
the financial end justifies the means
This process takes months of development and cumulated years of research:
the financial end justifies the means
• OMTP assesses and references many different standards
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.Sun Tzu
Overview to TR1
• Enhances the Basic Trusted Environment
• New and expanded threat model
• Protects the Application Security Framework on a device
• Different profiles for different levels of security in the handset
� communications between execution environments � APIs and Instruction Set Architecture
– all at a very low level in the device
• How does it work?– is isolated from normal execution environment(s) (EEs)– Small size – higher level of integrity checking– Can service the user or other EEs
Run-time Integrity Checking
• What is it?– a mechanism for ensuring that the device is doing what it should be doing
and that the integrity of critical data stored on the handset is ok.
• What does it protect?– Data stored on the handset that may be tampered with such as:
• How does it work?– Effectively ‘Polices’ the handset– Monitors data on the device for modification– Looks at suspicious events such as unexpected change– Logs event data– Escalates issues for action
Secure User Input / Output
• What is it?– A set of requirements to ensure that anything that is presented to the
user via an interface, for example a transaction amount displayed on a screen is authentic and not from another (rogue) application.
– Primarily: the user– Any input:– Microphone, keypad entry (eg: PIN), biometrics– Any output:– decoded protected DRM content, displayed information (e.g. prompts)
• How does it work?– Ensures that asset security properties are valid– Protects drivers and codecs on the device from being abused– Prevents attacks such as driver hooking, keylogging etc.
Generic Bootstrapping Architecture
• What is it?– a method of using the existing security relationship between the USIM of
the user and the network for application layer purposes.
• What does it protect?– Already used to protect MBMS (Multimedia Broadcast)– It is not ‘protection’ but a facility that could be used for other applications
– It is not ‘protection’ but a facility that could be used for other applications such as IMS services (e.g. presence)
– Could provide keying material for the secure UICC / ME link
• How does it work?– Primary aim is to establish keys for application security– The handset goes through the bootstrapping procedure– Secure application layer communications enabled
Flexible Secure Boot
• What is it?– the process of ensuring the integrity of the software code base on the
phone at boot-time and allowing new code to be updated on the device securely over-the-air or via cable – an extremely security sensitive operation.
• What does it protect?– The initial state of the handset – the root of trust– Ensures the phone has not been modified while it was ‘off’– Ensures that the manufacturer can update the core software of the phone
securely
• How does it work?– Verifies the integrity of the code base on the device
at boot-time– Checks authenticity and integrity of updates– Acts as a ‘gatekeeper’ for code on the device
Secure Interaction of UICC and Mobile
• What is it?– A mechanism for ensuring that data transmitted between the handset and
UICC is secure and has not been tampered with or changed.
• What does it protect?– Allows the UICC to ratify the trustworthiness of the device– Future applications such as:
– Future applications such as:� Mobile ticketing� Broadcast� SIM-based DRM
• How does it work?– Handset and UICC are authenticated– Handset applications can securely access the facilities of UICC– Allows exchange of sensitive information between the handset and UICC– Enables use cases and facilitates other parts of TR1:
� Secure User Input / Output� M-Commerce
Contact Details and Links:David RogersDirector of External [email protected]
OMTP BONDI:http://www.omtp.org/bondi
OMTP Published Security Related Recommendations:Advanced Trusted Environment: OMTP TR1http://www.omtp.org/Publications/Display.aspx?Id=24ad518b-6dba-4155-ad51-3143bd43a234
Security Threats on Embedded Consumer Deviceshttp://www.omtp.org/Publications/Display.aspx?Id=c5a1758c-84fe-4ee1-a88d-dff9d6044175