
T-Systems GEI GmbH ADSF Security, 26.09.2007, Page 1

Secure Software Download

A Maintenance Process?

Page 2

Reasons for Download: Business chances / Critical questions

Bug Fixes: A software update for a security system is cheaper and faster than changing the hardware. How often is critical hardware changed?

Enhancements for staying competitive: Staying ahead while in the field for years enables a business field for downloads. Is it only software that defines the technological progress?

Modular Business Model: Selling special features to customers on demand can enable new business models and markets. Are special features relevant to security systems?

Page 3

Updating Certified Software: Is it an Option?

Going through a CC certification process may easily take a year or more.

Changing security-relevant parts will require re-evaluation. How do new features affect the security evaluation?

A new component requires changing at least the HLD/TDS and its dependencies, i.e. it results in a major re-evaluation.

Only parts without security relevance can be updated freely. How to define an appropriate structure?

Maintenance upgrades are desirable. Is impact analysis practical for core updates? How to define an appropriate infrastructure?

Page 4

Updates: Assurance Continuity

[Diagram: "Secure System" built from Module 1, Module 2, Module 3 and Module 4; after an update that replaces Module 3 with Module 3a: "Secure System?"]

Impact Analysis: Is the module / component TSP enforcing? Is it truly separable?

Is impact analysis at all practical?

Side effects of weakly separable modules, e.g. same address space.

Side effects of defining new behavior for internal interfaces.

Page 5

Updates: Assurance Continuity

[Diagram: "Secure System" built from Module 1 to Module 4; after adding Module 5: "Secure System?"; after replacing Module 3 with Module 3a: "Secure System?"]

Impact Analysis: Is the module allowed to be installed on the system? Do all interfaces required by new modules exist?

Page 6

Upgrade Dilemma: Effects, Side-Effects and Domain Separation

Component not enforcing TSP: Safe to change at will. Strictly requires Security Domain Separation.

Component supporting TSP: Consistency of interfaces: allowing a new parameter can break an existing function that relies on an error state. Analysis of side effects, or FPT_SEP / ADV_ARC.

Security Domain Separation is the only clean solution.
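As an added illustration of the interface-consistency point above (example code written for this page, not from the presentation; the driver modes and the two access-control functions are hypothetical): a TSP-supporting caller that relies on another component's error state is silently broken when an update makes that component accept a new parameter value, and the fix is to take the decision in the caller's own domain.

```python
"""Interface consistency across an update (hypothetical driver and caller)."""

ACCESS_DENIED, ACCESS_GRANTED = "denied", "granted"

# Hypothetical driver modes; MODE_DEBUG exposes internals and is privileged.
MODE_READ, MODE_RW, MODE_DEBUG = 0, 1, 2


def set_mode_v1(mode):
    """Original driver: only READ and RW exist, anything else is an error."""
    return mode in (MODE_READ, MODE_RW)


def set_mode_v2(mode):
    """Updated driver: additionally accepts DEBUG. Looks backwards compatible,
    because every call that succeeded before still succeeds."""
    return mode in (MODE_READ, MODE_RW, MODE_DEBUG)


def grant_access_fragile(set_mode, requested, privileged):
    """TSP-supporting caller that relies on the driver's error state:
    'if set_mode() succeeds, the mode is READ or RW, which anyone may use'.
    True against v1, false against v2: an unprivileged DEBUG request passes."""
    if not set_mode(requested):
        return ACCESS_DENIED
    return ACCESS_GRANTED


def grant_access_robust(set_mode, requested, privileged):
    """The policy decision is taken in the caller's own security domain with an
    explicit allow-list, so the driver's acceptance is no longer a security
    argument and the driver can be updated without re-analysing this code."""
    unprivileged_modes = (MODE_READ, MODE_RW)
    if not privileged and requested not in unprivileged_modes:
        return ACCESS_DENIED
    if not set_mode(requested):
        return ACCESS_DENIED
    return ACCESS_GRANTED
```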

Page 7

Field downloads: Assurance Continuity

[Diagram: "Secure System" built from Module 1 to Module 4; after a field download replacing Module 3 with Module 3a: "Secure System?"]

Field upgrades are performed automatically in uncontrolled environments.

Who is the sender? Is transmission correct? Is the module intended for this system?

Page 8

Field downloads: Assurance Continuity

[Diagram: "Secure System" built from Module 1 to Module 4; after adding Module 5: "Secure System?"; after replacing Module 3 with Module 3a: "Secure System?"]

Is it allowed to install the module on the system in a particular configuration? The system must decide!

Page 9

Field downloads: Security threats

Integrity and Authenticity: Organizational processes specified for class ADO (resp. ALC_DEL, AGD_PRE) during initial delivery must be mapped to technical means, e.g. in terms of FDP_DAU.

Configuration management: Following several updates the installation base will be heterogeneous. ACM_SCP (resp. ALC_CMS) virtually encompasses each instance of the TOE. The TOE will enforce e.g. FDP_ACC.2 based on roles and the actual TOE configuration.

Testing: Testing could become infeasible. If e.g. a module is allowed to be installed in any configuration of the TOE, this also applies to future configurations.
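An added example (written in Python for this page, not part of the presentation) of the technical means a target needs for the questions on pages 7 and 9: who sent the package, did it arrive unmodified, and is it meant for this system. The package format is constructed, and HMAC-SHA256 with a shared key stands in for the issuer's digital signature because the standard library has no signature primitive; with a shared key every key holder can forge packages, so a real target verifies a public-key signature, with otherwise the same checks.

```python
"""Target-side check of a field download (constructed package format).

Package = header JSON + b"\n" + payload + 32-byte tag, where the tag is
HMAC-SHA256 over header and payload. HMAC is a stand-in for the issuer's
signature (see lead-in); the order and meaning of the checks is the same.
"""
import hashlib
import hmac
import json

TAG_LEN = 32


def build_package(key, header, payload):
    """Issuer side: seal header and payload together (constructed format)."""
    body = json.dumps(header, sort_keys=True).encode() + b"\n" + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_package(pkg, key, system):
    """Target side. Answers, in order: who is the sender / was transmission
    correct (tag), and is the module intended for this system (binding).
    `system` is the target's identity, e.g. {"model": "X100", "serial": "SN-1"}.
    Returns (accepted, reason)."""
    if len(pkg) <= TAG_LEN:
        return False, "truncated package"
    body, tag = pkg[:-TAG_LEN], pkg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a mismatch covers both forgery and corruption.
    if not hmac.compare_digest(expected, tag):
        return False, "authenticity/integrity check failed"
    header_raw, _, payload = body.partition(b"\n")  # json.dumps never emits raw newlines
    try:
        header = json.loads(header_raw)
    except ValueError:
        return False, "malformed header"
    # Binding: the package names the model and, optionally, one serial number.
    if header.get("target_model") != system["model"]:
        return False, "package is for model %r" % header.get("target_model")
    serial = header.get("target_serial")
    if serial is not None and serial != system["serial"]:
        return False, "package is bound to another device"
    return True, "%s v%s accepted (%d bytes)" % (
        header.get("module"), header.get("version"), len(payload))
```

Whether the accepted module may be installed in the target's current configuration is a separate decision the system itself has to take, as page 8 states.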

Page 10

Field downloads: Business threats

Liability: Failure of critical systems can severely affect reputation and finances. Worse, if the failure was induced by third parties.

Intellectual Property: If software defines the technological benefit, updates may leak important, confidential IP.

Piracy: Software can be copied arbitrarily fast and often, at almost no cost and without much knowledge. If there is a market for modules, there is a market for pirates.

Page 11

Field upgrades: Integrate data from unreliable sources

How to maintain security when we cannot rely on the update data?

Page 12

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System]

This is how it looks: Some software shall go to a target system.

Page 13

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Customer Database; OEM Business Case; requirement: Availability]

A closer look: Someone manages the process.

Page 14

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Availability, Correctness]

Maintaining security: Choose the correct update. Test in all configurations.

Page 15

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Availability, Correctness]

Maintaining security: Do you know that your database is on track with the actual configuration of each single target system?

Page 16

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Integrity, Availability, Correctness]

Maintaining security: Ensure that what you sent is what is installed!

Page 17

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Integrity, Confidentiality, Availability, Correctness]

Protect IP: Keep confidential information away from pirates.

Page 18

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Integrity, Authenticity, Confidentiality, Availability, Correctness]

Maintaining security: Ensure that what you sent there is what is installed there!

Page 19

Protocols

Crosstalk: Requirements require each other

[Diagram: Software Update -> Target System, fed from a Configuration Database and a Customer Database; OEM Business Case; requirements: Integrity, Authenticity, Confidentiality, Availability, Correctness]

Page 20

Protocols: Cryptographic and others

Crosstalk: Protocols define it all

[Diagram: OEM Business Case; TOE (Interfaces, capabilities); Agents involved (Who to trust?)]

Page 21

Update Business Case: Update Issuer

Crosstalk: Protocols define it all

[Diagram: OEM Business Case: Developers; TOE (Interfaces, capabilities); Personnel, Data Centers, Smart Media]

Page 22

Update Issuer: Business Case

Roles: The issuer defines it all

[Diagram: roles around the issuer: User, Software Developers, Installers & Transporters, Hardware Developers]

Page 23

Technology: Media and Packages

On-Site: The target is returned to the issuer for upgrade.

Broadcasting: The update package is identical for all clients. Delivery to the target by uncontrolled sending of packages.

On-Line: Bidirectional communication between issuer and target. Information can be collected, and the package can be created individually.

Stored Back-Channel: Some information is collected on a secure, smart medium.

Page 24

Open System: Case Study

Open System: contains secure software; can be updated in the field; exists in various configurations; runs further software on the same platform; shall accept commodity software.

Domain separation: Reliable software must not be affected by other modules.

Distribution with back-channel: Determine the actual target configuration. Mutually authenticate to counter man-in-the-middle attacks.


Page 26

Domain Separation: Separation of physical or virtual systems

[Diagram: Application A1 running on an OS with ARS, on HW]

Segregating modules: Keeping security through defined interfaces.

Application 1 (single module); Operating system (OS) maintaining resources; Application registration service (ARS) enforcing software integrity / authenticity; Hardware (HW) supporting the OS (protected mode).

Page 27

Domain Separation: Separation of physical or virtual systems

[Diagram: A1 on OS/ARS/HW; A2 and A3 side by side on OS/ARS/HW]

Segregating modules: Keeping security through defined interfaces.

Uncontrolled Application A3; OS manages all resources; OS controls all IPC; HW supports OS (MMU); A2 does not trust A3.

Page 28

Domain Separation: Separation of physical or virtual systems

[Diagram: A1 on OS/ARS/HW; A2 and A3 on OS/ARS/HW; A4, A5.1 and A5.2 on OS/ARS/HW]

Segregating modules: Keeping security through defined interfaces. Divide and conquer the state-space of complex applications. Let the Application Registration Service (ARS) manage configuration and update suitability.
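An added sketch (hypothetical design written for this page, not T-Systems' implementation) of an ARS in the role described here and on pages 8, 9 and 27: it holds the target's actual configuration, decides on the target whether an already verified module may be installed into that configuration, and answers the OS's IPC question between domains (A2 does not trust A3). Module names, the requires/conflicts/trusts fields and the decision rules are assumptions.

```python
"""Application Registration Service (ARS), hypothetical design."""
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    version: int
    requires: dict = field(default_factory=dict)  # name -> minimum version
    conflicts: frozenset = frozenset()             # modules that must not coexist
    trusts: frozenset = frozenset()                # senders allowed to IPC to us


class ARS:
    def __init__(self):
        self.installed = {}  # name -> Module: the real configuration of this target

    def install_allowed(self, m):
        """Decide against the actual configuration, not a central database.
        Returns (allowed, reason)."""
        for dep, min_v in m.requires.items():
            have = self.installed.get(dep)
            if have is None or have.version < min_v:
                return False, "%s needs %s >= %d" % (m.name, dep, min_v)
        for other in self.installed.values():
            if other.name == m.name:
                continue  # an update replaces its own predecessor
            if other.name in m.conflicts or m.name in other.conflicts:
                return False, "%s conflicts with %s" % (m.name, other.name)
            need = other.requires.get(m.name)  # replacing must not break dependents
            if need is not None and m.version < need:
                return False, "%s needs %s >= %d" % (other.name, m.name, need)
        return True, "ok"

    def install(self, m):
        ok, _ = self.install_allowed(m)
        if ok:
            self.installed[m.name] = m
        return ok

    def ipc_allowed(self, src, dst):
        """Reference-monitor check the OS makes before delivering a message:
        only registered modules talk, and only where the receiver trusts the sender."""
        target = self.installed.get(dst)
        return target is not None and src in self.installed and src in target.trusts
```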

Page 29

Conclusion: Some lessons learned

Systems interact with users and some deployment infrastructure. These external factors may be even more important than the system itself.

Never believe data at your interfaces, unless you can prove that the source is trustworthy and correct.

Therefore, all kinds of closed loops are never to be believed!

It is only the module that can decide whether data shall be accepted or not.

It is only a superordinate instance that can distinguish modules from each other.

Segregation inside the same domain provides firewalls that mitigate single faults, and components that can be updated predictably.

Page 30

Conclusion: Feasible, but ...

Updating secure systems is a growing issue. Update processes introduce complex security requirements. Implementing an update process is primarily defining a (business) process, secondarily defining a system architecture, and finally implementing it correctly. Don't try to add an update feature at the end!

Technical measures exist to mitigate trust; their implementation is non-trivial; benefits exist also if no updates are intended.

Proper implementation of security domain separation can allow for assurance continuity by a maintenance process instead of a re-evaluation.

Page 31

T-Systems Enterprise Services, ADSF Security: Dr. Lars Hanke, Dr. Igor Furgel

[email protected]

Thank you.