Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
TM
GlobalPlatform
04 April 2014
GlobalPlatform Workshop April 15th 1.30-5.30pm
MPAA Office;
15301 Ventura Blvd,
Sherman Oaks,
CA 91403
1
TM
Workshop
• Intended audience:
– Primarily rights holders and content service providers, also
Technology/Device/Silicon Platform providers
• Objective:
– GlobalPlatform is working on standardising TEE APIs for use in content protection
use cases
– GlobalPlatform is working on a path to providing assurance for devices using TEEs
– This workshop is to intended to give participants an update as to roadmap, progress,
and also relevance of GlobalPlatform’s work in this area
– Input and dialogue is also sought in terms of use case alignment as well as threat
model discussions
2
TM
Workshop Agenda
• Introduction: Kevin Gillick, Executive Director of GlobalPlatform
• Status update from PCTF, Michael Lu/Jim Helman
• Status update from TEE spec working group: Existing roadmap
• Status update from TEE security working group – Herve Siebert (STM, Chair of TEE Security Working Group)
– Presentation of the TEE Protection Profile and its status (currently undergoing official evaluation), focus on the security model
• Strategy to ensure certification regime suitability for the content industry
– Call to participate to an upcoming TEE international Technical Community (TEE iTC)
• Open discussion with participants on: – Gathering of premium content security requirements:
• Discussion on title diversity, Renewability;
• Threat model discussion for content protection on device
– Maintenance and evolution of the TEE Protection Profile
• Different profiles and how do we establish roadmap;
3
TM
@GlobalPlatform_ www.linkedin.com/company/globalplatform
GlobalPlatform Overview
For
Premium Content Task Force Open Session
Kevin Gillick
Executive Director
GlobalPlatform
15 April 2014
TM
Thank You to Our Host!
5
TM
GlobalPlatform Positioning
6
TM
GlobalPlatform Mission
• GlobalPlatform works across
industries to identify, develop and
publish specifications which
facilitate the secure and
interoperable deployment and
management of multiple embedded
applications on secure chip
technology
• GlobalPlatform Specifications
enable trusted end-to-end solutions
which serve multiple actors and
support several business models
TM
TM
GlobalPlatform Vision
• Member-driven organization to define
technology standards for cards,
devices and systems and create
foundation for future growth.
• License royalty-free card, device, and
systems specifications.
• Compliance Program tools to verify
card, device, systems compliance to
GlobalPlatform technology.
• Foster adoption of secure chip
technology standards and
implementations across industries.
TM
TM
GlobalPlatform At-a-Glance
What is the output of GlobalPlatform?
Specifications – technical industry guidelines
Configurations – applying the guidelines to different market sectors
Security Certifications – streamlining security requirements & testing
Industry Compliance Program – confirming a product’s functionality aligns to
GlobalPlatform technology
Educating the Industry – white papers & technical documents
Workshops – specification training & educational
TM
A Wealth of Resources! (White Papers)
UICC System Role
and
GlobalPlatform Messaging
Requirements for NFC Mobile:
Management of Multiple Secure Elements
The Trusted
Execution Environment
TM
A Wealth of Resources! (White Papers)
The Consumer-Centric Model
The End-to-End Simplified
Service Management Framework
On-Card API
TM
Access to the Experts! (Seminars)
2nd Annual Trusted Execution Environment (TEE) Seminar
Tuesday, 30 September in Santa Clara, California
Pre-Seminar Technical Training on Monday, 29 September
TM
GlobalPlatform Members TM
TM
GlobalPlatform Structure How our Members Participate / Contribute
TM
TM
1
6
Thank you!
TM
PCTF and GlobalPlatform TEE Roadmap
update
Michael Lu
Business Development Director, Trustonic
Jim Helman
CTO, Movielabs
April 14-15, 2014
17
TM
2014 Activities of Interest
• To continue the advancement of specifications to address the administration of
the TEE.
• To support the evolution of the GlobalPlatform TEE Compliance Program.
• To establish a TEE Security Certification Program, which will aim to drive
‘practical’ TEE security certifications with short time-to-market constraints.
• To address the requirements of GlobalPlatform’s recently formed Premium
Content Task Force, and ensure alignment on work priorities.
• To engage with mobile network operators and key players in the web
ecosystem to confirm industry requirements, as well as continue to serve the
needs of specific vertical markets such as premium content protection, financial
services, enterprise and government.
18
TM
What is a TEE?
• TEE provides hardware-based
isolation from rich operating
systems (OS) such as Android
• TEE runs on the main device
chipset
• TEE has privileged access to
platform and device resources
(user interface, display
controller, memory controller,
HW decoder/renderer, crypto
accelerators, secure elements…)
• Technology already massively
deployed
• Premium content protection is
currently a major use case
19
Hardware Platform
Rich OS Application Environment
Rich OS
Trusted Execution Environment
Trusted CoreEnvironment
GlobalPlatformTEEInternalAPI
TrustedFunctions
Payment Corporate
Client Applications
TrustedApplication
DRM
TrustedApplication
Payment
TrustedApplicationCorporate
HW Secure Resources
GlobalPlatformTEE Internal
TEE Kernel
API
GlobalPlatform TEE Client API
Open to malware and
rooting / jailbreaking
Isolation of sensitive
assets
TM
What’s the TEE Scope in GlobalPlatform?
20
TEE Software
Interfaces
Functional
Compliance
Security
Certification
TEE Administration
Use Cases
& Business
Requirements
• Mobile platform and silicon
providers
• Device vendors
• Network operators
• Services Providers
• TSM providers
• TEE OS providers
• Test and security labs
Participation for TEE includes
Technology Agnostic
TM
GlobalPlatform TEE Main Functions
• Code and data isolation
• Secure cryptography
• Secure storage
• Secure clock
• Trusted user interface
• Secure Element interface
• Administration scheme
Hardware-based
TEE Functions = ToolBox
• Device authentication
• User authentication
• DRM protection
• Trusted playback
• Trusted link protection
• Downloadable scheme
Value for Premium Content
includes
TM
GlobalPlatform TEE Compliance &
Security Certification
22
+ TEE OS
System on Chip-based Platform Supporting GlobalPlatform TEE
Functional
GlobalPlatform
Compliance
Security
Certification
GlobalPlatform
STAMP
GlobalPlatform-
defined test
suite
GlobalPlatform-
defined TEE
Protection
Profile
• Current and first focus = platform
• Final product (final smartphone, tablet…): light delta compliance and / or security
certification might be defined at a later stage
First TEE
TestFest
in Oct.
2012
TM
Charter of PCTF
• The Premium Content Task Force purpose is to
– Identify and establish liaisons with relevant stakeholders and organizations in the Media industry
– Identify the relevant content protection use cases and address their enablement in a Device offering TEE capability to prevent fragmentation
– Provide inputs to define content protection compliance and certification programs to GlobalPlatform Committees
– Promote GlobalPlatform technology adoption and membership to interested parties in the Media Industry
• The deliverables for the group include:
– Develop a public position paper which provides an overview of the premium content landscape on consumer electronics devices:
• Identify the scope of GlobalPlatform's role in this area
• Define key premium content use cases and determine the relevant business and technical
requirements for these use cases
• Determine how GlobalPlatform technologies such as TEE should be best utilized in this market
• Identify the enhancements that may be needed to meet requirements
– Deliver requirements to GlobalPlatform's relevant technical committees to ensure that GlobalPlatform Specifications, Compliance and Certification programs are enhanced to provide interoperable and verifiable solutions to the market
23
TM
Content and Service Protection through TEE
• Content Piracy Prevention
– Raises assurance bar for protection of decrypted Media playback on devices;
– Certification and Independent Evaluation for Hardware and Firmware
implementation;
• TEE for Service Piracy Prevention
– Acts as a security plugin to the platform OS (Android, Windows or Tizen)
• TEE provides secure environment for sensitive tasks without exposing cryptographic
credentials.
– Provides a programmable security environment where updates can be provided in
case of security breach.
10/
31/
13
24
TM
Proposed PCTF Milestones & Deliverables
• Milestone 1:
– Purpose
• Enables ecosystem to leverage GP TEEs for secure video playback
– Expected DC deliverables
• Architecture and Secure Video Playback API
• Review of existing GP TEE PP
• Milestone 2:
– Purpose:
• Standardise TEE capabilities for enhanced protection associated with UltraHD content
• Identify additional use cases associated with UltraHD content distribution
• Identify additional threats above current protection profile associated with UltraHD content
distribution
• Expected DC deliverables
– Additional specifications and APIs
– Potential changes in PP and certification regime
• Milestone 3:
– TBD pending on ecosystem requirement gathering
25
TM
Status of the PCTF Deliverables
• Milestone One requirements
– Scope approved by PCTF
– Document to be finalized in next two weeks (by April 11)
• Milestone Two requirements
– In progress
• White Paper on Relevance of GlobalPlatform TEE in the media industry
– In progress
TM
Milestone 1
• All use cases below requires rendering to internal display or protected link
• Playback of premium content from the broadcast network;
• Playback of premium content using streaming technologies
• Playback of stored premium content
• Playback of premium content using an application Over-The-Top accessible through the browser;
• Trickplay;
• Playback of premium content from a Personal Video Recorder;
• Playback of premium content for which the protection system is no longer available in the device
• Playback of several premium content protected with different protection systems (optional)
27
TM
GP Confidential
©2014
TEE Security Certification
Hervé Sibert
Security Architect, Director, ST Micro
TEE Security WG Chair, GlobalPlatform
April 14-15, 2014
2
8
TM
TEE Security Certification
29
TM
Why?
30
TM
It is part of GlobalPlatform vision
GlobalPlatform
qualified tools and
accredited labs
GlobalPlatform
TEE Client API specification
TEE Internal API specification
GlobalPlatform
TEE test suite
GlobalPlatform
TEE Protection Profile
Internationally-
recognized process
TEE Functional
Compliance
TEE Security
Certification
31
TM
It is essential for deployment
• The TEE Security Working Group gathers members from the complete
ecosystem, from TEE providers and Smartcard/SoC/Device manufacturers to
laboratories, operators…
• Goals
– To make sure that there is a means of evaluating TEE security by closing the
certification gap with a pragmatic approach compatible with short device life-cycle
– To provide security assurance to stakeholders (device manufacturers, service
providers, regulators)
• The choice of Common Criteria methodology has been triggered by
– Proven framework for the statement of security requirements (through Protection
Profiles) and evaluation methodology
– Existent network of security accredited labs
– International recognition
– Applicability to the domain
– Market acceptance
32
TM
Milestones
33
TM
Q4 Q3 Q2
2 0 1 3
Q1 Q4 Q3 Q2 Q1
TEE Security WG Roadmap
“Final” version of
the TEE
Protection Profile
2 0 1 4
End of public review of
the TEE Protection
Profile
Presentation of the
TEE PP at ICCC
2013
TEE Security
Certification Workshop
2 0 1 2
Initial Security
Requirements
document
Decision to go for
Common Criteria
methodology
TEE Protection Profile
v0.1:= TOE, Assets,
Threats, Objectives
TEE Protection
Profile v0.3 =
v0.2 + EAL TEE
2 0 1 1
TEE Protection Profile
v0.2 = v0.1 + SFRs
Q4 Q3 Q2 Q1 Q4 Q3 Q2 Q1
PP review process
PP review process PP Certification
34
TM
TEE Protection Profile strategic choices
35
TM
Protection Profile template
• Usual CC Protection Profile
• Designed to be usable today by accredited labs
• Does not mandate any particular technology
– Compatible with all the ways considered by GP to realize a TEE
• ARM proprietary TrustZone technology
• Virtualization
• Dedicated security processor/subsystem
– Does not define the way the TEE is instantiated
• The “Secure boot” process varies a lot between platforms
36
TM
Target of Evaluation
Boundary with Rich operating system (OS): Messaging interface
Boundary with Trusted Applications:
TEE Internal API
TOE (HW, FW, SW)
The TOE comprises:
• Any hardware, firmware and software
used to provide the TEE security functionality
• The guidance for the secure usage of the
TEE after delivery
The TOE does not comprise:
• The trusted applications
• The rich execution environment (REE)
• The client applications
37
TM
TOE Security Functionality
• TEE initialization process using
assets bound to the SoC, that ensures
the authenticity and integrity of the TEE
code running in the device
(implementation-dependent)
• Isolation of the TEE services, the TEE
resources involved and all the trusted
applications (TAs) from the REE
• Isolation between TAs and isolation of
the TEE from TAs
• Protected communication interface
between CAs and TAs within the TEE,
including communication endpoints in
the TEE
• Trusted storage of TA and TEE data
and keys, ensuring consistency,
confidentiality, atomicity and binding to
the TEE
• Correct execution of TA services
• Random number generator
• Cryptographic API including generation
and derivation of keys and key pairs,
support for cryptographic algorithms
such as SHA-256, AES 128/256, T-
DES, RSA 2048, etc.
• Monotonic TA instance time
• TEE firmware integrity up to
modifications authorized by the
upgrade policy (implementation-
dependent)
• Advanced TEE (rollback protection over
resets)
– Monotonic persistent time
– Full integrity protection of TA data,
code, keys and TEE data
38
TM
Threat model
• The TEE PP addresses threats that arise during the end-usage phase and can
be achieved by software means without damaging the device
• At the identification phase
– The attacker discovers some vulnerability, conceives malicious software and
distributes it
– No assumption holds regarding the equipment, expertise, etc. and the possibility to
use more than one device, potentially in a destructive way
• At the exploitation phase
– The attacker exploits the vulnerability by running the malicious software
– There are two main exploitation profiles: remote attacker and basic device attacker
– Basic, non-destructive HW attacks are also possible
– More expensive or destructive HW attacks are not forbidden for exploitation, but they
are not compatible with the potential given to the attacker at the assurance level
chosen for the TEE
39
TM
Threats
Side-channel: PMA, EMA, cache
Bus injection/capture
Glitches
Debug
Fuzzing
Memory isolation breach
Rollback
Buffer overflow
Bad crypto
/binding
41
TM
Security Objectives
42
TM
Mapping of objectives to CP requirements (1/3)
43
GP TEE PP Security Objective Application to content protection schemes
O.CA_TA_IDENTIFICATION Typically each content protection scheme will be installed in its own TA. This objective generally exceeds requirements of most CP schemes.
O.CRYPTOGRAPHY
CP TAs make use of available cryptographic functions in the TEE when available. Some CP schemes require unique functions not provided by standard cryptographic implementations. For performance reasons, some CP schemes require hardware cryptographic modules that operate as TEE-based peripherals.
O.DEVICE_ID CP TAs make use of unique device IDs to derive keys bound to the device. Such keys are used to provide secure storage and similar functions.
O.INITIALIZATION This objective applies to the TEE itself.
O.INSTANCE_TIME Many CP TAs require monotonic time. In general, absolute time is not a requirement.
O.OPERATION This objective applies to the TEE itself.
TM
44
GP TEE PP Security Objective Application to content protection schemes
O.RNG CP TAs use RNG functions to create ephemeral keys and protocol data, generate unique keys and key pairs.
O.RUNTIME_CONFIDENTIALITY CP TAs are required to protect the confidentiality of secret data and in some cases algorithms during runtime.
O.RUNTIME_INTEGRITY Runtime integrity enforces correct operation of TAs.
O.TA_ISOLATION TAs must be isolated from each other.
O.TEE_DATA_PROTECTION This objective applies to the TEE itself.
O.TEE_FIRMWARE_UPGRADE This objective generally exceeds the requirements of most CP schemes.
O.TEE_ISOLATION This objective applies to the TEE itself.
O.TRUSTED_STORAGE TA CPs may make use of trusted storage to protect secret data of the scheme, its protocols and data.
O.ROLLBACK_PROTECTION This objective generally exceeds the requirements of most CP schemes.
O.TA_PERSISTENT_TIME This objective generally exceeds the requirements of most CP schemes.
Mapping of objectives to CP requirements (2/3)
TM
45
GP TEE PP Security Objective Application to content protection schemes
OE.DEBUG This objective applies to the TEE itself, but fulfils a need to protect CP TAs from analysis, debugging and inspection.
OE.INTEGRATION_CONFIGURATION This objective applies to the TEE itself.
OE.MANAGEMENT This objective applies to the TEE itself.
OE.PROTECTION_AFTER_DELIVERY Pre-installed CP TAs may have to account for the fact that the TEE is not fully provisioned until first use.
OE.ROLLBACK Not needed if O.ROLLBACK_PROTECTION is implemented.
OE.SECRETS CP TAs may rely on the TEE’s implementation of this objective to provide secure provisioning and personalization.
OE.TA_DEVELOPMENT CP TA developers must observe the guidelines provided by the TEE supplier.
OE.TEE_FIRMWARE_UPGRADE This objective applies to the TEE itself.
OE.UNIQUE_DEVICE_ID CP TAs may rely on the TEE’s implementation of this objective to reliably derive unique secret data for their own purposes.
Mapping of objectives to CP requirements (3/3)
TM
EAL
• The Working Group decided to define a specific EAL for the TEE
• The TEE PP provides:
– The TEE attack quotation table for rating full attack paths from identification to exploitation
– The description and quotation of four representative exploitation profiles
– A list of illustrative attacks at identification phase
• The TEE PP states the attack potential at « Enhanced-Basic »
– Higher than the score of known attacks to Rich OS devices
– Lower than the « High » attack potential of secure elements
• The TEE PP takes into account the constraints of SoC manufacturing and TEE integration
– TEE tight integration with SoC resources yields involvement of several teams that are not dedicated to security
– EAL 2 has been chosen as the EAL base, and augmented with the “Enhanced-Basic” attack potential
• Discussions are ongoing with Certification Bodies on the relevance of these choices (see further)
47
TM
Future extensions
• The updates will be managed as optional modules like the Time and Rollback
module, in order to avoid having different PPs
– Internal core 1.1, Debug API, SE API etc… (minor impact)
– Remote management
– Content protection
49
TM
Product certification process
50
TM
TEE Security Certification in the short
term
• The TEE Protection Profile is available at
http://www.globalplatform.org/specificationsdevice.asp
• Usual Common Criteria framework
Certification of the Protection Profile – ongoing, target is completion before
end of Q2, 2014
Certification of products
• Discussions with Certification Bodies (CBs) on the TEE EAL
– Some CBs advise to come back to standard EAL2 (with “Basic” attacks only),
otherwise they will not recognize the EAL (or downgrade their recognition to EAL2)
– Our intention is to stay at EAL2+
• CBs should all recognize certified products at EAL2
• Certification at the defined TEE EAL can only be done with CBs recognizing our specific EAL
51
TM
Short term options summary
52
Option 1 (preferred) Option 2
Description Pass PP certification with existing
EAL2+ (EAL TEE) level
Pass PP certification with
EAL level back to EAL2
Time impact Few weeks delay
Certification
recognition impact
EAL2 recognition by CC CBs,
EAL2+ recognition only by willing
CC schemes
EAL2 recognition by CC
CBs
Certification level
impact
None Downgrade vs current PP
Certification
process
Willing CC CBs for EAL2+ (or GP
stamp), usual CC for EAL2
Usual CC for EAL2
TM
Expectations for certification
• Common Criteria is undergoing transformation, based on the creation of
“international Technical Communities” for each technology, defining and
maintaining the Protection profile(s) for this technology
– It will still take some years to be well in place
– GlobalPlatform has announced its intention to be part of a TEE iTC, and even
proposes to organize it
• GlobalPlatform is considering the organization of a certification process,
reusing the CC structure
– The main objective is to avoid loss of time due to disagreements between countries
for technical and/or political reasons
– Evaluation would be done by recognized labs, familiar with CC methodology
• Is it mandatory to you that these labs are CC-accredited?
– To do that, GlobalPlatform may organize an open “Technical Community”, open to
non-members
– Does official governmental recognition matter, or would you consider a
GlobalPlatform-driven process for certification?
53
TM
Long term options summary
54
Option 1 Option 2
Description Form an international
Technical Community
under CC
Create and promote an open GP Technical
Community
Time impact Unknown (few years) Start now
Certification
recognition
impact
Recognition by those
CC CBs recognizing
the iTC
Use CC to certify subsequent PP versions,
to enable govt recognition.
Create a GP stamp for product certification
(not linked to one CB).
Certification
level impact
Controlled by
governments – but can
be non-standard
Tailor the existing PP with different levels:
- Existing EAL TEE
- EAL TEE+ for higher security
- Additional functional testing for NIAP
Certification
process
CC CBs recognizing
the iTC
Labs selected by GlobalPlatform (CC
accredited or used by GP TC members)
…then turn it into an iTC once the iTC
framework is up and running well
TM
Requirements of Labs to be GP Qualified (derived
from GP Compliance testing rules)
• Lab must initially qualify, and then re-qualify every year
• Qualification criteria includes :
– Lab must participate in the GP TEE Technical Community
– Lab must execute GP’s Consulting Services License Agreement and Qualification
and Listing Agreement
– Lab must submit to GP documents that confirm they are currently an […Common
Criteria, FIPS, PCI…?] qualified laboratory
– Lab must support the up-to-date version(s) of the Protection Profile
– Lab must have at least one expert trained on (1) TEE Specifications and (2) the
Protection Profile. Training to be performed by a GlobalPlatform TEE Certification
Expert
– The trained expert(s) must be involved in the GP TEE evaluations performed by the
lab
Please note that if a company has more than one laboratory it wishes to qualify, then each laboratory must be qualified separately by GlobalPlatform.
TM
Re-Qualification of Laboratories (derived from GP
Compliance testing rules)
• Laboratories to be re-qualified every year
• Re-qualification criteria to include:
– GP TEE Technical Community continuation
– Consulting Services License Agreement and Qualification and Listing Agreements
remains in effect
– Lab remains qualified to […Common Criteria, FIPS, PCI…?]
– Support of the up-to-date Protection Profile versions
– Audit of the evaluations performed by the lab by GlobalPlatform TEE Certification
Expert
56
TM
Open Discussion on Use Case and Threat
Model
57
TM
Content and Service Protection through TEE
• Content Piracy Prevention
– Raises assurance bar for protection of decrypted Media playback on devices;
– Certification and Independent Evaluation for Hardware and Firmware
implementation;
• TEE for Service Piracy Prevention
– Acts as a security plugin to the platform OS (Android, Windows or Tizen)
• TEE provides secure environment for sensitive tasks without exposing cryptographic
credentials.
– Provides a programmable security environment where updates can be provided in
case of security breach.
58
TM
Where should the security bar be?
• The TEE may serve different purposes for content protection
– Offload features from the main OS to the TEE (for security reasons)
– Offload features from smartcards to the TEE (for flexibility reasons)
– Offload features from SoC HW to the TEE (for flexibility reasons)
• Major examples
– Protection of media path to prevent OS access to clear content (Trusted Video Path)
– Protection of other features currently managed in main OS (CA application offload)
– DRM and other cardless systems
– Virtual smartcard either instead of discrete smartcard, or to allow revocation/change
of CA system
• What is the current TEE certification level adapted to?
Our expectation is:
– Adapted to Trusted Video Path and CA application offload
– DRM currently managed in main OS
– Additional, higher security may be expected for other use cases
59
TM
TEE for other content protection features
• Among the following features, what would you consider the TEE for, and what
is your expectation for the related security requirements?
– Key management
• TEE for key storage
• TEE for key ladders
• Any difference between DRM and CA?
– Algorithm agility
• TEE for proprietary (tweaked) algorithms
– Watermarking
• TEE for watermark insertion
• TEE for watermark recognition
• What is the hierarchy of security requirements depending on the nature of the
content?
– Quality
– Type of content
– Value/time scale
60
TM
Threat Landscape
Threats Mitigation GlobalPlatform Positioning
Local attacker – discovery of attack
Increase Expertise and Cost required for Attack
Raises assurance bar for protection of decrypted Media playback on devices; Certification and Independent Evaluation for Hardware and Firmware implementation;
Packaging, Distribution and Replication of Attack;
Avoid use of Class secrets; Use of device binding; Experience degradation; Revocation;
Platform integrity, secure boot, Isolation between REE and between TAs prevents certain types of software attacks being replicated; In general TEE security features make it very costly to replicate attacks across devices;
Online distribution of pirated content
Forensic Watermarking, Legal means; System Renewal after Attack;
If TEE is not breached, provides a programmable security environment where updates can be provided in case of security breach.
61
TM
ECP Threats and Mitigation Discussion
• Zero Day rips
– Raises assurance bar for protection of decrypted Media playback on devices;
– Certification and Independent Evaluation for Hardware and Firmware
implementation;
• Hack One, Hack All
– Device Binding
– Copy and Title Diversity;
– Software Diversity
• Revocation and Renewal
• Compromise of the TEE
• What are the threats and attacks that could result in compromise of TEE;
• What are the impacts of a breach
62
TM
THANK YOU!
63