Secure Mobile Linux Why Should We Care - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Secure Mobile Linux Why Should We Care

Description:

Theory of Programming Languages, Formal & Functional Languages, Semantics of Security ... Baskin-Robbins Ice Cream Flavors? 31 [~25] Mass of The Sun (in pounds) ... – PowerPoint PPT presentation

Number of Views:142
Avg rating:3.0/5.0
Slides: 34
Provided by: hadin
Category:

less

Transcript and Presenter's Notes

Title: Secure Mobile Linux Why Should We Care


1
Secure Mobile LinuxWhy Should We Care?
August 4-7, 2008 The Moscone Center San Francisco
  • Hadi Nahari
  • Security Researcher
  • Preemptive Security Consulting

2
Disclaimer
  • This document does _not_ represent presenters
    employer or its official stance ergo it only
    reflects my own experience and professional
    opinion.

3
Agenda
  • Introduction
  • Motivation
  • Status
  • Conclusion
  • QA

4
Introduction
  • Hadis Background
  • Security, Cryptography, Complex-system Analysis
  • Identity Management, Asset Protection
  • Vulnerability Assessment Threat Analysis
  • Information Assurance Certs. (FIPS, CC, NSA)
  • Theory of Programming Languages, Formal
    Functional Languages, Semantics of Security
  • Enterprise Embedded (Netscape, Sun Micro, U.S.
    Government, Motorola, MontaVista, etc.)

5
Common Myths
  • Strong Security Is Only For Military
  • Hardware Security Is Impractical
  • Have To Trust The Network

6
Myth-Buster (Cardinal Sins!)
  • Security Is Different Things To Different People
  • Closed Source More Secure Than Open Source
  • Security Could Be Achieved By Obscurity
  • Software-Only Security Is Good (Enough)
  • Security Staff Are Pain In The _at_
  • Security Is A Set Of Components
  • Can Protect Against All Attacks
  • Encryption Equals Security
  • Can Add Security Later
  • Hackers Are Clueless

7
Security Should Be Strong
8
High Performance Security

9
Motivation
  • System Secure State Is U/Indefinable
  • Assets Complex Security Characteristics
  • Distributed Systems Even More Complex
  • Protection Mechanisms Are Heterogeneous
  • Assertions
  • Current Protection Mechanisms Are Not Effective
  • Furthermore, They CAN NOT Be Effective
  • Frustrating To Be A Security Professional
  • Adversaries Have Advantage

10
How Complex?
  • Baskin-Robbins Ice Cream Flavors?
  • 31 25
  • Mass of The Sun (in pounds)?
  • 1030 299 (thats a nonillion, by the way)
  • HMAC-SHA-1 Key-space Size?
  • 1048 2160
  • Volume of Our Galaxy (in cubic miles)?
  • 1051 2168
  • 256-bit AES Key-space Size?
  • About 1078 2256 (thats a quinvigintillion)
  • Source http//pages.prodigy.net/jhonig/bignum/ind
    x.html

11
How Complex? (contd)
  • Number of 2048-bit RSA Key Combinations?
  • Microsoft Excel returns an error at 21024
    10307
  • But the answer is 10624
  • 100,000,000,000,000,000,000,000,000,000,000,000,00
    0,000,000,000,000,000,000,000,000,000,000,000,000,
    000,000,000,000,000,000,00000,000,000,000,000,000,
    000,000,000,000,000,000,000,000,000,000,000,000,00
    0,000,000,000,000,000,000,000,000,000,000,000,000,
    000,000,000,000,000,000,000,000,000,000,000,000,00
    0,000,000,000,000,000,000,000,000000,000,000,000,0
    00,000,000,00,000,000,000,000,000,000,000,000,000,
    000,000,000,000,000,000,000,000,000,000,000,000,00
    0,000,000000,000,000,000,000,000,000,000,000,000,0
    00,000,000,000,000,000,000,000,000,000000,000,000,
    000,000,000,000,000,000,000,000,000,000,000,00,000
    ,000,000,000,000,000,000,000,000,000,000,000,000,0
    00,000,000,000000,000,000,000,000,000,000,000,000,
    000,000,000,000,000,000,000,000,000000,000,000,000
    ,000,000,000,000,000,000,000,000,000,000,000,000,0
    00,000,000,000,000,000,000,000,000,000,000,000,000
    ,000,000,000,000,000,000,000

12
Morale Of The Math
Hackers Wont Bother With Brute-force!!
13
Fundamental Definitions
  • Whats Mobile?
  • Why Its Security Is Different?
  • Security Assets
  • Define Them First!
  • Attacks
  • Compose Attack Tree Next!
  • Devise The Protection Profile
  • What About Hardware Attacks?
  • Multilevel Security (MLS)
  • A Must!
  • But What Does It Mean?
  • MAC DAC
  • What Are They? Always Need MAC?
  • Protection Strategy
  • Access Control Mechanisms
  • Application/Framework/Security
  • Intrusion Detection/Prevention Services (IDPS)
  • Hardware Security (HSM, TPM, etc)

14
Challenge Establishing Trust
  • SecureBoot (aka Hi Assurance Boot or HAB) Process

Authorizing Applications
Validating System Images (kernel, libs, etc.)
Integrity Checking Of Basic Parameters (e.g.
Public Keys)
Chain of Trust
Hardware Root of Trust
SecureBoot Code
Hardware Security Device (HSM, TPM, etc.)
15
Challenge Establishing Trust
  • Confining Applications At Runtime

Applications
Access Control
Additional Services?
Validating System Images (kernel, libs, etc.)
Integrity Checking Of Basic Parameters (e.g.
Public Keys)
Chain of Trust
Hardware Root of Trust
TPM Services
SecureBoot Code
Hardware Security Device (HSM, TPM, etc.)
16
Challenge Establishing Trust
  • Leveraging Root Of Trust To Augment Chain of
    Trust

Authorizing Applications
Access Control
Additional Services?
Validating System Images (kernel, libs, etc.)
Integrity Checking Of Basic Parameters (e.g.
Public Keys)
Chain of Trust
Hardware Root of Trust
TPM Services
SecureBoot Code
Hardware Security Device (HSM, TPM, etc.)
17
Establishing Trust (contd)
  • Different Designs Defend Against Different
    Attacks
  • Access Control Is Necessary At Runtime
  • Continuous Protection Is The Key
  • Hardware-rooted Security Necessary
  • Challenges
  • No Standardized H/W Implementation (due to IP?)
  • No Standard API For Applications/Frameworks

18
The Stack
  • How Complicated Does It Look?

19
Typical Mobile Linux Architecture
20
What To Do?
  • Infrastructure Growing
  • In Adding New Features
  • In Complexity
  • In Size
  • So Do Adversaries

21
Whats Needed
  • Security Infrastructure Should Provide
  • Static/Dynamic Security Asset Protection
  • Strong Authentication Mechanisms (e.g. Secure Key
    Management)
  • Access Control, Effective Containment (Jailhouse)
  • Secure Update Mechanism (i.e. Verification Prior
    To Installation)
  • Secure-Vault, Encrypted Filesystem
  • Virtualization/Container Security
  • Distributed Security Infrastructure
  • And Be
  • Simple
  • Flexible Extensible
  • Layered Scaleable
  • Light-weight High-performance

22
What Is E2E?
  • Trusted Computing Environment.
  • From What End To What End?
  • What Is The Root Of Trust?

23
MAC What Is It Good For?
  • OK, MAC is Great But Why Should I Use It?
  • Native 3rd Party Applications Support
  • Without MAC Only Java 3rd Party Applications Are
    Safe!
  • Protection Against Buffer Overflow Attacks
  • Protection Against Untested Software Flaws
  • From 3rd Party Vendor
  • From Manufacturer
  • Protection Against Remote Local Attacks
  • Via Tagged Network Packets
  • Controlling Applications Access To System
    Resources
  • Without The Need To Recompile!
  • And Much More
  • Through Jailhouse Mechanism Effective
    Confinement

24
Vir what???
  • How About Virtualization (or virtualisation?)

25
Isolation Requirements
  • Isolation Should Provide
  • Execution Segregation Running Trusted Code
  • Along With Untrusted Code
  • Inside Untrusted Environment
  • Security Controls Within VMM
  • Fine Grained Enough To Guarantee Isolation
  • Coarse Grained Enough To Not Affect Performance
  • GPL Jailhouse
  • Non-Open Source Adoption

26
Motivation
  • Addition of VMM ? More Security Risk
  • Currently, Security Logic Is
  • Embedded In VMM Application (Tightly Coupled)
  • Visible Only Through Code Inspection (Visibility)
  • Brittle And Difficult To Change (Flexibility)
  • Hard To Audit (Traceability)
  • Prone To Exploitation
  • Different Usecases Have Different Security Needs
  • A Framework For Maintaining Security Is Required

27
Secure Isolation Whats Missing
  • The Notion of Identity
  • security_context(Dom_n_id)
  • Lacks Individual Application Identification
    Within a Domain
  • security_context(Dom_n_id, App_m_id)
  • Individual Applications Within a Domain
    Identified
  • But Who Handles
  • Identity Management?
  • Access Control Definition Enforcement?
  • What's The Mediation Mechanism Across Domains??
  • Who Arbitrates Attests The Identities?
  • Hypervisor? Could It Still Be Considered thin
    layer?

28
Secure Isolation Whats Missing (contd)
Dom_N
Dom_0
  • Minimal Security Only MMU
  • No Secure Isolation
  • No VMM Access Control
  • No Secure Communication
  • No Secure Services
  • No VM Mediated Sharing
  • No Attestations by VM
  • No Integrity Guarantees

userland
.
userland
Dom_N App
Dom_0 App
.
.
kernel
kernel
.
Virtual Machine N
Virtual Machine 0
Virtual Machine Monitor (aka Hypervisor)
Hardware Architecture
29
Virtualized Chain of Trust (contd)
  • Access Control Granularity Is Important
  • IBM's sHype
  • A Step In The Right Direction
  • Available On Xen
  • VMWare ESX MS Viridian Likely To Adopt Same
    Style
  • Not Fine-grained Enough
  • More Work Needed (Mainline?)
  • XSM (Xen Security Modules)
  • NSA NIARL Working on it
  • Includes FLASK, ACM (sHype), dummy (default)
  • FLASK Module Fine-grained, SELinux-like MAC
  • Interesting Approach, More Work Needed.

30
Chain of Trust in Type-I Virtualization
?
?
31
High-level Design
32
What Are The Choices?
  • Going The Same Path Over And Over
  • Thinking, Designing, Implementing Differently
  • The Choice Is Yours!

33
Thank You!
  • Q A
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Secure Mobile Linux Why Should We Care" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!