T-Systems GEI GmbH, ADSF Security, 26.09.2007
Secure Software Download: A Maintenance Process?
Reasons for Download: Business Chances / Critical Questions
Bug Fixes: A software update for a security system is cheaper and faster than changing the hardware. How often is critical hardware changed?
Enhancements for staying competitive: Staying ahead while in the field for years opens a business field for downloads. Is it only software that defines technological progress?
Modular Business Model: Selling special features to customers on demand can enable new business models and markets. Are special features relevant to security systems?
Updating Certified Software: Is It an Option?
Going through a CC certification process may easily take a year or more.
Changing security-relevant parts will require re-evaluation. How do new features impact the security evaluation?
A new component requires changing at least the HLD/TDS and its dependencies, i.e. it results in a major re-evaluation.
Only parts without security relevance can be updated freely. How to define an appropriate structure?
Maintenance upgrades are desirable. Is impact analysis practical for core updates? How to define an appropriate infrastructure?
Secure System Updates: Assurance Continuity
[Figure: a Secure System built from Module 1, Module 2, Module 3 and Module 4; after an update Module 3 is replaced by Module 3a. Is the result still a Secure System?]
Impact Analysis: Is the module / component TSP enforcing? Is it truly separable?
Is impact analysis at all practical?
Side effects of weakly separable modules, e.g. same address space.
Side effects of defining new behavior for internal interfaces.
Secure System Updates: Assurance Continuity
[Figure: a Secure System built from Modules 1-4; one update adds a new Module 5, another replaces Module 3 by Module 3a. Is either result still a Secure System?]
Impact Analysis: Is it allowed to install the module on the system? Do all interfaces for new modules exist?
Upgrade Dilemma: Effects, Side-Effects and Domain Separation
Component not enforcing TSP: Safe to change at will. Strictly requires Security Domain Separation.
Component supporting TSP: Consistency of interfaces: allowing a new parameter can break an existing function which relies on an error state. Analysis of side effects, or FPT_SEP / ADV_ARC.
Security Domain Separation is the only clean solution.
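The interface-consistency case above, as an added example that is not from the slides: a caller relies on an error state of a module, an update that merely accepts a new parameter removes that error, and a contract check used for impact analysis catches the change. All names (crypto_v1, crypto_v2, caller, interface_contract) are constructed for this illustration.

```python
class UnsupportedOption(ValueError):
    """Raised by the module for a mode it does not implement."""


def crypto_v1(data: bytes, mode: str) -> bytes:
    """Original module: only 'authenticated' exists; every other mode is an error."""
    if mode != "authenticated":
        raise UnsupportedOption(mode)
    return b"AUTH:" + data


def crypto_v2(data: bytes, mode: str) -> bytes:
    """Updated module: a new 'plain' mode was added for a new feature.
    Nothing was removed, so the update looks harmless in isolation."""
    if mode == "authenticated":
        return b"AUTH:" + data
    if mode == "plain":
        return b"PLAIN:" + data
    raise UnsupportedOption(mode)


def caller(module, requested_mode: str) -> bytes:
    """Existing TSP-supporting caller: it forwards a mode taken from
    configuration and relies on the module's error state to fall back
    to the authenticated path. With crypto_v2 the fallback silently vanishes."""
    try:
        return module(b"msg", requested_mode)
    except UnsupportedOption:
        return module(b"msg", "authenticated")


def interface_contract(module) -> bool:
    """Impact-analysis check: the error state is part of the interface, so a
    replacement module must still reject what old callers treat as an error."""
    try:
        module(b"x", "plain")
    except UnsupportedOption:
        return True
    return False
```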
Secure System Field Downloads: Assurance Continuity
[Figure: a Secure System built from Modules 1-4 receives Module 3a in the field, replacing Module 3. Is the result still a Secure System?]
Field upgrades are performed automatically in uncontrolled environments.
Who is the sender? Is transmission correct? Is the module intended for this system?
Secure System Field Downloads: Assurance Continuity
[Figure: as before; one field download adds a new Module 5, another replaces Module 3 by Module 3a. Is either result still a Secure System?]
Is it allowed to install the module on the system in a particular configuration? The system must decide!
Field Downloads: Security Threats
Integrity and Authenticity: Organizational processes specified for class ADO (resp. ALC_DEL, AGD_PRE) during initial delivery must be mapped to technical means, e.g. in terms of FDP_DAU.
Configuration management: Following several updates the installation base will be heterogeneous. ACM_SCP (resp. ALC_CMS) virtually encompasses each instance of the TOE. The TOE will enforce e.g. FDP_ACC.2 based on roles and the actual TOE configuration.
Testing: Testing could become infeasible. If e.g. a module was allowed to be installed in any configuration of the TOE, this also applies to future configurations.
Field Downloads: Business Threats
Liability: Failure of critical systems can severely affect reputation and finances. Worse, if the failure was induced by third parties.
Intellectual Property: If software defines the technological benefit, updates may leak important, confidential IP.
Piracy: Software can be copied arbitrarily fast and often, at almost no cost and without greater knowledge. If there is a market for modules, there is a market for pirates.
Field Upgrades: Integrating Data from Unreliable Sources
How to maintain security when we cannot rely on the update data?
Crosstalk: Requirements Require Each Other
[Figure: Software Update -> Target System]
This is how it looks: Some software shall go to a target system.
Crosstalk: Requirements Require Each Other
[Figure: Software Update -> Target System, managed via a Customer Database; requirement: Availability (OEM Business Case)]
A closer look: Someone manages the process.
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness (OEM Business Case)]
Maintaining security: Choose the correct update. Test in all configurations.
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness (OEM Business Case)]
Maintaining security: Do you know that your database is on track with the actual configuration of each single target system?
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness, Integrity (OEM Business Case)]
Maintaining security: Ensure that what you sent is what is installed!
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness, Integrity, Confidentiality (OEM Business Case)]
Protect IP: Keep confidential information away from pirates.
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness, Integrity, Authenticity, Confidentiality (OEM Business Case)]
Maintaining security: Ensure that what you sent there is what is installed there!
Crosstalk: Requirements Require Each Other
[Figure: Software Update, Configuration Database and Customer Database -> Target System; requirements: Availability, Correctness, Integrity, Authenticity, Confidentiality (OEM Business Case); all of them are tied together by Protocols]
Protocols: Cryptographic and Others
Crosstalk: Protocols Define It All
[Figure: OEM Business Case; TOE (interfaces, capabilities); Agents involved (Who to trust?)]
Crosstalk: Protocols Define It All
[Figure: Update Business Case (Update Issuer); OEM Business Case (Developers); TOE (interfaces, capabilities); agents involved: Personnel, Data Centers, Smart Media]
Roles: The Issuer Defines It All
[Figure: Update Issuer (Business Case) at the center; surrounding roles: User, Software Developers, Installers & Transporters, Hardware Developers]
Technology: Media and Packages
On-Site: The target is returned to the issuer for upgrade.
Broadcasting: The update package is identical for all clients. Delivery to the target by uncontrolled sending of packages.
On-Line: Bidirectional communication between issuer and target. Information can be collected, and the package can be created individually.
Stored Back-Channel: Some information is collected on a secure, smart medium.
Open System: Case Study
Open System: Contains secure software. Can be updated in the field. Exists in various configurations. Runs further software on the same platform. Shall accept commodity software.
Domain separation: Reliable software must not be affected by other modules.
Distribution with back-channel: Determine the actual target configuration. Mutually authenticate to counter man-in-the-middle attacks.
Domain Separation: Separation, Physical or Virtual Systems
[Figure: Application A1 on an OS with Application Registration Service (ARS), on HW]
Segregating modules: keeping security through defined interfaces.
Application 1 (single module). Operating system (OS) maintaining resources. Application registration service (ARS) enforces software integrity / authenticity. Hardware (HW) supports the OS (protected mode).
Domain Separation: Separation, Physical or Virtual Systems
[Figure: A1 on OS with ARS, on HW; A2 and A3 on OS with ARS, on HW]
Segregating modules: keeping security through defined interfaces.
Uncontrolled application A3. OS manages all resources. OS controls all IPC. HW supports the OS (MMU). A2 does not trust A3.
Domain Separation: Separation, Physical or Virtual Systems
[Figure: A1; A2 and A3; A4, A51 and A52, each group on an OS with ARS, on HW]
Segregating modules: keeping security through defined interfaces. Divide and conquer the state space of complex applications. Let the Application Registration Service (ARS) manage configuration and update suitability.
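The three field-download questions (who is the sender, is transmission correct, is the module intended for this system in its particular configuration) and the ARS role sketched above, as an added example that is not from the slides: the issuer binds a package to the configuration it was tested against, and a minimal ARS on the target verifies authenticity, integrity and configuration fit before installing. Everything here (build_package, ARS, ISSUER_KEY, the module names) is constructed; HMAC with a pre-shared key stands in for the FDP_DAU mechanism so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key, standing in for a key provisioned at initial delivery
# (ALC_DEL). HMAC keeps the example dependency-free; a fielded design would use
# a public-key signature so that the target holds no issuer secret.
ISSUER_KEY = b"constructed-demo-issuer-key"


def build_package(payload: bytes, module: str, version: int,
                  requires: dict, key: bytes) -> dict:
    """Issuer side: the manifest binds the payload hash to the module identity
    and to the target configuration it was tested in; the tag covers the manifest."""
    manifest = {"module": module, "version": version, "requires": requires,
                "sha256": hashlib.sha256(payload).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "payload": payload,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class ARS:
    """Target side: knows the actual configuration and decides every install."""

    def __init__(self, key: bytes, installed: dict):
        self.key = key
        self.installed = dict(installed)  # module name -> installed version

    def check(self, pkg: dict) -> str:
        m = pkg["manifest"]
        body = json.dumps(m, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg["tag"]):
            return "reject: authenticity"            # Who is the sender?
        if hashlib.sha256(pkg["payload"]).hexdigest() != m["sha256"]:
            return "reject: integrity"               # Is transmission correct?
        for dep, ver in m["requires"].items():       # Intended for this configuration?
            if self.installed.get(dep) != ver:
                return f"reject: configuration ({dep} is {self.installed.get(dep)}, needs {ver})"
        return "accept"

    def install(self, pkg: dict) -> str:
        """The system decides: only an accepted package changes the configuration."""
        verdict = self.check(pkg)
        if verdict == "accept":
            self.installed[pkg["manifest"]["module"]] = pkg["manifest"]["version"]
        return verdict
```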
Conclusion: Some Lessons Learned
Systems interact with users and some deployment infrastructure. These external factors may be even more important than the system itself.
Never believe data at your interfaces unless you can prove that the source is trustworthy and correct.
Therefore, closed loops of any kind are never to be believed!
Only the module itself can decide whether data shall be accepted or not.
Only a superordinate instance can distinguish modules from each other.
Segregation inside the same domain provides firewalls that mitigate single faults, and components which can be updated predictably.
Conclusion: Feasible, but ...
Updating secure systems is a growing issue.
Update processes introduce complex security requirements.
Implementing an update process is primarily defining a (business) process, secondarily defining a system architecture, and finally implementing it correctly. Don't try to add an update feature at the end!
Technical measures exist to mitigate trust; their implementation is non-trivial; benefits exist even if no updates are intended.
Proper implementation of security domain separation can allow for assurance continuity by a maintenance process instead of a re-evaluation.
T-Systems Enterprise Services, ADSF Security: Dr. Lars Hanke, Dr. Igor Furgel
Thank you.