Building Trust Despite Digital Personal Devices

Building Trust Despite Digital Personal Devices
OpenIT - 07.03.2014
by Javier González
Javier González - jgon@itu.dk
Philippe Bonnet - phbo@itu.dk

Digital Society
[Diagram: information flow of personal data (apps, pictures, ...) between Personal Devices, Service Providers and Services.]

Digital Society
[Diagram: Personal Devices, Privacy, Control. Privacy?]

define: privacy

The social science viewpoint
What are the social norms around privacy and personal data processing? How do they evolve in time? How do they evolve with respect to IT evolution?
Getting beyond the lame memes:
- "Privacy is dead - deal with it"
- "I've done nothing wrong, why should I care?"
- "In Denmark, people are very trusting, so privacy is not an issue"

Contextual Integrity
Helen Nissenbaum. Privacy in Context, 2010
Exchange/sharing of personal data is at the core of any social interaction
- Privacy is not about "not sharing" personal data!
Any social context (work, education, health, ...) defines, more or less explicitly, a social norm, i.e., an appropriate behaviour that is to be expected.
Contextual integrity gives a framework to reason about the norms that apply, in a given social context, to the flows of personal data (i.e., information norms).

Digital Society
[Diagram: contextual integrity applied to the information flow between Users, Personal Devices and Service Providers.]

Social Science: Framework
Computer Science: Implementation

UCONABC
Jaehong Park and Ravi Sandhu. The UCONabc usage control model. ACM Trans. Inf. Syst. Secur., 7(1):128–174, February 2004.

UCONABC
Formal Model
- Can model complex frameworks
- Strong security assumptions
- No implementation!
Enforcement: a priori control of usage rights
Audit: a posteriori control of how rights were used

Implementing UCONABC
[Diagram: ordinary programs in the rich domain and a UCON program inside a hardware-protected security perimeter, beyond the reach of root; usage control is enforced on sensitive data held in untrusted storage, next to the usual access control.]

Requirements UCONABC
- UCON needs to be implemented within a security perimeter protected by hardware so that attackers with root privileges cannot disable it using software.
- From inside the security perimeter it should be possible to "monitor" programs outside the security perimeter.
- Communicating with programs in the security perimeter should entail a low overhead.
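As an added illustration, not code from the slides or from the authors' prototype, the following Go program models the three UCON_ABC decision factors the slides refer to: authorizations (A), obligations (B) and conditions (C) checked a priori when a usage begins, the condition re-evaluated while the usage continues (with revocation when it fails), attribute updates, and an audit log for a posteriori control. The health-record policy, the attribute names and the device-integrity flag are constructed for the example; in the architecture above that flag would come from a monitor inside the hardware-protected perimeter, and the audit log would be kept where root cannot reach it.

```go
package main

import (
	"errors"
	"fmt"
)

// Attrs are the mutable subject/object attributes of UCON_ABC; a Request is a
// subject asking to exercise a right on an object.
type Attrs map[string]interface{}
type Request struct{ Subject, Object Attrs; Right string }

// Env is what conditions (C) see: an assumed device-integrity flag that, in the
// slides' design, a monitor inside the hardware perimeter would report.
type Env struct{ IntegrityOK bool }

// Policy: A, B, C are checked before usage, C again during it; Update mutates attributes.
type Policy struct {
	Right     string
	PreAuth   func(Request) bool // A: authorization
	PreOblig  func(Request) bool // B: obligation
	Condition func(Env) bool     // C: condition
	Update    func(Request)
}

// AuditEntry is the a posteriori record; UCON keeps the log (in the real
// design it would sit in trusted storage, out of reach of root).
type AuditEntry struct{ Event, Right, Reason string }
type UCON struct{ Audit []AuditEntry }

// Session is an ongoing usage; it stays Active only while Condition holds.
type Session struct{ u *UCON; req Request; policy Policy; Active bool }

func (u *UCON) audit(event, right, reason string) {
	u.Audit = append(u.Audit, AuditEntry{event, right, reason})
}

func (u *UCON) deny(right, why string) error {
	u.audit("deny", right, why)
	return errors.New("denied: " + why)
}

// Begin is the a priori enforcement step: all three factors must pass.
func (u *UCON) Begin(p Policy, req Request, env Env) (*Session, error) {
	checks := []struct{ ok bool; why string }{{p.PreAuth(req), "preA"}, {p.PreOblig(req), "preB"}, {p.Condition(env), "preC"}}
	for _, c := range checks {
		if !c.ok {
			return nil, u.deny(req.Right, c.why)
		}
	}
	if p.Update != nil {
		p.Update(req)
	}
	u.audit("begin", req.Right, "")
	return &Session{u: u, req: req, policy: p, Active: true}, nil
}

// Use is one access inside the session: C is re-evaluated and the session is
// revoked as soon as it no longer holds (ongoing control).
func (s *Session) Use(env Env) error {
	if !s.Active {
		return errors.New("session not active")
	}
	if !s.policy.Condition(env) {
		s.Active = false
		s.u.audit("revoke", s.req.Right, "onC")
		return errors.New("usage revoked: condition no longer holds")
	}
	s.u.audit("use", s.req.Right, "")
	return nil
}

// HealthReadPolicy turns a contextual-integrity norm into UCON rules (constructed
// example): only a physician acting in the health context may read a health
// record, consent must be on file, the device must be intact; reads are counted.
func HealthReadPolicy() Policy {
	return Policy{
		Right: "read",
		PreAuth: func(r Request) bool {
			return r.Subject["role"] == "physician" && r.Subject["context"] == r.Object["context"]
		},
		PreOblig:  func(r Request) bool { return r.Subject["consent"] == true },
		Condition: func(e Env) bool { return e.IntegrityOK },
		Update: func(r Request) {
			n, _ := r.Object["reads"].(int)
			r.Object["reads"] = n + 1
		},
	}
}

func main() {
	u := &UCON{}
	doctor := Attrs{"role": "physician", "context": "health", "consent": true}
	s, err := u.Begin(HealthReadPolicy(), Request{Subject: doctor, Object: Attrs{"context": "health"}, Right: "read"}, Env{IntegrityOK: true})
	fmt.Println("begin:", err, "| use after integrity loss:", s.Use(Env{IntegrityOK: false}))
	fmt.Printf("audit: %+v\n", u.Audit)
}
```

Running it prints the begin decision, the revocation once the integrity flag drops, and the audit trail. The point of the Session type is that UCON is not a one-shot access-control decision: the condition is checked on every use, so a monitor that reports a compromised device can cut off a usage that was already granted.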

Secure Platforms

                 Only Software            Software and Hardware    SW and Tamper-resistant HW
Security level   Low                      Medium/High              Very High
Interfaces       Messages, Sockets, SM    Shared Memory            Narrow Interfaces
OS               Rich OS                  Rich OS + TEE            Secure ad-hoc OS
Examples         Android, Linux, iOS,     ARM TrustZone            IBM CryptoCards, TPM,
                 Windows                                           Secure Token

[Diagram: a Normal Execution Environment (all sorts of applications) monitored with low overhead from the Security Perimeter (monitoring applications protected by hardware).]

ARM TrustZone

ARM TrustZone
- Secure memory, rich memory and shared memory
- Secure acquisition/release of peripherals at runtime (e.g., ethernet, screen, flash)
- Gatekeeper - context switch controlled by hardware (AMBA3)
- Shared processor

[Diagram: hardware/software stack with a rich environment (user space and kernel space, each with root, acting as client) and a secure environment (secure space, acting as server) over the same hardware, with a rich/secure abstraction between them.]
Principle 1: Self preservation first. Under the suspicion of a threat, the secure environment isolates itself logically and gives up availability in order to protect data integrity, confidentiality and durability.
Principle 2: Lead all communications. The secure environment defines all parameters of the communication: protocol, certificates, encryption keys, etc.
Principle 3: Secure all interactions. The secure area has priority to obtain exclusive access to secure peripherals.

Building Trust
- Users have the certainty that their sensitive information will not be misused by the software running on their devices.
- Service providers have the certainty that the devices interacting with their systems are not compromised.
- Both should have the freedom to choose whom they trust, and the technology should help give certainty, not enforce it.

Building Trust
- Support different digital contexts
- Enforce usage policies
- Monitor the integrity of the system
- Protect data in secondary storage

Trusted Storage Module (TSM)
Background Information
A system providing trusted storage should guarantee data confidentiality, integrity, availability, and durability.
Today's security policies rely on data encryption to support confidentiality and integrity. However, if encryption keys can be compromised or stolen on the client computer, then there is not much protection left.
Approaches using tamper-resistant hardware: low functionality, physically separated, and narrow interfaces.

Trusted Storage Module (TSM)
Threat Model
[Diagram: malware running as root next to ordinary programs, with access to storage, memory and peripherals, and therefore to sensitive data both in memory and in untrusted storage.]

Trusted Storage Module (TSM)
Architecture
[Diagram: a data-producer app in the rich environment hands an object to the TSM through the communication interface (CI). In the secure environment the TSM splits it into data chunks [i..n] (i), a crypto module encrypts the chunks and their metadata (ii), the encryption keys are kept in a tamper-resistant unit (iii), and the encrypted data and encrypted keys are written to storage (iv, v).]

Trusted Storage Module (TSM)
Overhead
[Chart: time to store an object in secure storage for 20 KB, 50 KB and 100 KB objects.]

Trusted Storage Module (TSM)
Contributions
- Provide a mechanism for rich apps to securely store objects containing sensitive information, introducing low overhead.
- Provide a mechanism to enforce access control to the files storing those objects, i.e., encryption, secure memory and secure peripherals.
- Use untrusted storage as a cheap and "unlimited" source of secondary storage.

Antifragile Storage*
Can we learn from successful attacks and improve, being better prepared for future attacks?
- Successful attacks (hardware and software) that do not entail the collapse of the system are good and welcome (if detectable), and even intentionally provoked.
- The level of hardware tamper resistance is the upper boundary to which the system can benefit from being harmed.
- How do we detect these attacks (e.g., traps, human intervention)? How do we learn from them (e.g., AI, machine learning)?
* Antifragility: Nassim Nicholas Taleb

Trusted Integrity Module (TIM)
Background Information
- Secondary storage is normally attacked. To survive a reboot or hide from system administrators, attackers make modifications to system files, commands and system libraries.
- Running processes produce logs, which are accessible from user space (applications), and therefore can be tampered with.
- Storage-based integrity checks need to build on top of trusted storage (e.g., TSM).

Trusted Integrity Module (TIM)
Architecture
[Diagram: in the rich environment, the VFS (super-block, file, dentry and inode objects behind the system-call interface and GLIBC) gets a VFS trusted extension that keeps hash(file), hash(inode) and hash(dentry), attributes and dependencies, and sends history and transaction logs over shared memory to the TSM in the secure environment, whose crypto keys live in the tamper-resistant unit. The inode is extended with an environment id of the owner (eid_t) next to uid_t and gid_t. An access matrix over file systems FS0..FSn gives different rights (nothing, read, read/exec, all) on secure files and rich files, with the secure side holding all rights.]

Trusted Integrity Module (TIM)
Contributions
- Provide an architecture to guarantee the integrity of system files, adding a low overhead to file system primitives.
- Provide a method to log actions involving system files in trusted storage, preventing attackers from cleaning up after themselves.
- TIM is in itself a storage-based Intrusion Detection System (IDS), with far fewer assumptions than current approaches.
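As an added example (not the authors' TIM implementation, which hooks the VFS in kernel space), the following Go program shows the two mechanisms the contributions describe, over a constructed in-memory file system: a baseline of content-plus-metadata digests for protected system files, and a hash-chained transaction log whose head the secure environment keeps, so that an attacker who edits, deletes or truncates log records cannot hide a detected modification. Paths, file contents and the record format are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// FileState is what TIM measures per protected file: content plus the VFS
// metadata an attacker touches (mode, owner). The slides keep hash(file),
// hash(inode) and hash(dentry) apart; here they are one record.
type FileState struct{ Content []byte; Mode, UID uint32 }

// FS is a constructed in-memory stand-in for the real file system.
type FS map[string]FileState

func digest(path string, f FileState) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00%d\x00", path, f.Mode, f.UID)
	h.Write(f.Content)
	return hex.EncodeToString(h.Sum(nil))
}

// LogEntry is one record of the transaction log. Each entry commits to the
// previous one, so editing or deleting a record breaks the chain.
type LogEntry struct{ Seq int; Msg, Prev, Hash string }

func entryHash(seq int, msg, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", seq, msg, prev)))
	return hex.EncodeToString(sum[:])
}

// TIM holds the baseline and the log (in the slides both live in trusted
// storage, i.e. TSM). head is the one value the secure environment must keep
// itself, because a chain that is merely cut short still verifies.
type TIM struct {
	baseline map[string]string
	Log      []LogEntry
	head     string
}

func NewTIM() *TIM { return &TIM{baseline: map[string]string{}} }

func (t *TIM) record(msg string) {
	e := LogEntry{Seq: len(t.Log), Msg: msg, Prev: t.head}
	e.Hash = entryHash(e.Seq, e.Msg, e.Prev)
	t.Log = append(t.Log, e)
	t.head = e.Hash
}

// Baseline measures every protected file once (after a trusted boot).
func (t *TIM) Baseline(fs FS) {
	for p, f := range fs {
		t.baseline[p] = digest(p, f)
	}
	t.record(fmt.Sprintf("baseline: %d files", len(fs)))
}

// Check re-measures the file system and returns, sorted, the paths whose
// content or metadata changed or that disappeared; the result is logged.
func (t *TIM) Check(fs FS) []string {
	var bad []string
	for p, want := range t.baseline {
		f, ok := fs[p]
		switch {
		case !ok:
			bad = append(bad, p+" deleted")
		case digest(p, f) != want:
			bad = append(bad, p+" modified")
		}
	}
	sort.Strings(bad)
	t.record("check: " + strings.Join(bad, "; "))
	return bad
}

// VerifyLog recomputes the chain and compares its end with head: an edited,
// removed or truncated entry is reported as tampering.
func (t *TIM) VerifyLog() bool {
	prev := ""
	for i, e := range t.Log {
		if e.Seq != i || e.Prev != prev || e.Hash != entryHash(i, e.Msg, prev) {
			return false
		}
		prev = e.Hash
	}
	return prev == t.head
}

func main() {
	fs := FS{"/bin/ls": {Content: []byte("ELF ls"), Mode: 0755}, "/etc/passwd": {Content: []byte("root:x:0:0::/root:/bin/sh\n"), Mode: 0644}}
	tim := NewTIM()
	tim.Baseline(fs)
	fs["/bin/ls"] = FileState{Content: []byte("ELF ls + backdoor"), Mode: 0755}
	fmt.Println("check:", tim.Check(fs))
	tim.Log[1].Msg = "check: " // attacker tries to erase the finding
	fmt.Println("log intact:", tim.VerifyLog())
}
```

Check only covers paths that were in the baseline: a file added after baselining is out of scope, which is what the "dependencies" and "attributes" in the architecture slide are there to catch at the VFS level.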

Next Steps
- Implement UCON on top of TIM to add complex usage control policies to secure file operations (i.e., enforcement, embedded behaviour, and audit).
- Extend TIM with a machine learning algorithm to learn from past attacks - antifragility.
- Explore how to monitor running processes without introducing a big overhead. Ideas: use of resources, peripherals, etc.

Example:
Supporting different digital "social" contexts

Security today
[Diagram: Users versus Service Providers*. Imposition from providers, distrust from users. Users ask "bypass?" (cyberactivism: software freedom, privacy, anti-copyright!); providers lock up (DRM-like). In between: Secure Personal Devices.]
* some - normally those involved in media content.

Lockdown, Freedom, and Certainty
Cory Doctorow. The Coming Civil War over General Purpose Computing
Lockdown: "Your TPM comes with a set of signing keys it trusts, and unless your bootloader is signed by a TPM-trusted party, you can't run it. Moreover, since the bootloader determines which OS launches, you don't get to control the software in your machine."
Freedom: "Android lets you tick a box to run any code you want."
Certainty: "You tell your TPM which signing keys you trust - say, Ubuntu, EFF, ACLU and Wikileaks - and it tells you whether the bootloaders it can find on your disk have been signed by any of those parties. It can faithfully report the signature on any other bootloaders it finds, and it lets you make up your own damn mind about whether you want to trust any or all of the above."

Certainty Boot
Architecture
[Diagram: Power On -> FSBL -> Secure Boot Loader -> Secure OS -> Verification -> Non-Secure Boot Loader -> Non-Secure OS. The Secure Element (SE) holds the user-chosen signing keys (e.g., Ubuntu, Samsung, WikiLeaks).]

Certainty Boot
Contributions
- Provide a Trusted Boot using a Secure Element (SE) and TrustZone. The boot sequence is stored in the SE, which can only be accessed from the secure environment (2-phase verification).
- New signing keys can be added to the SE by the user.
- Applications can check the boot sequence trace through the secure environment to verify that they trust the running software.
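As an added example of the certainty-boot idea (not the authors' SE or TrustZone code), the following Go program keeps the user's chosen signing keys in an in-process stand-in for the Secure Element, verifies each boot stage with Ed25519, and records a trace entry that separates "the signature is valid under the key the image carries" from "that key is one the user trusts". Nothing is refused: the trace is what an application queries to make its own decision. Key names, stage names and image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedImage is one boot stage as found on disk: the image, the public key it
// claims to be signed with, and the signature.
type SignedImage struct {
	Stage  string
	Data   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// BootRecord is what the SE reports for a stage. It never says "refuse": it says
// whether the signature checks out and whether the signer is one the user chose.
type BootRecord struct {
	Stage     string
	ImageHash string
	SigValid  bool   // signature verifies under the key the image carries
	Trusted   bool   // ...and that key is one the user added
	Signer    string // user's label for the key, or "" if unknown
}

// SecureElement holds the user-chosen trust anchors and the boot trace. In the
// slides it is reachable only from the TrustZone secure environment.
type SecureElement struct {
	trusted map[string]ed25519.PublicKey
	trace   []BootRecord
}

func NewSecureElement() *SecureElement {
	return &SecureElement{trusted: map[string]ed25519.PublicKey{}}
}

// AddTrustedKey is the user's act of deciding whom to trust.
func (se *SecureElement) AddTrustedKey(name string, pub ed25519.PublicKey) {
	se.trusted[name] = pub
}

// Verify measures one stage, checks its signature and appends the verdict to the trace.
func (se *SecureElement) Verify(img SignedImage) BootRecord {
	sum := sha256.Sum256(img.Data)
	rec := BootRecord{Stage: img.Stage, ImageHash: hex.EncodeToString(sum[:])}
	if len(img.Signer) == ed25519.PublicKeySize && ed25519.Verify(img.Signer, img.Data, img.Sig) {
		rec.SigValid = true
		for name, pub := range se.trusted {
			if pub.Equal(img.Signer) {
				rec.Trusted, rec.Signer = true, name
			}
		}
	}
	se.trace = append(se.trace, rec)
	return rec
}

// Trace is what applications query through the secure environment.
func (se *SecureElement) Trace() []BootRecord { return append([]BootRecord(nil), se.trace...) }

// AllTrusted is one policy an application or service provider might apply:
// every stage recorded so far was signed by a user-chosen key.
func (se *SecureElement) AllTrusted() bool {
	for _, r := range se.trace {
		if !r.Trusted {
			return false
		}
	}
	return len(se.trace) > 0
}

// Signing side (the OS vendor, EFF, the user herself, ...).
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func Sign(priv ed25519.PrivateKey, stage string, data []byte) SignedImage {
	return SignedImage{Stage: stage, Data: data, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, data)}
}

func main() {
	ubuntuPub, ubuntuPriv := GenerateSigner()
	_, vendorPriv := GenerateSigner()
	se := NewSecureElement()
	se.AddTrustedKey("Ubuntu", ubuntuPub) // the user's choice; the vendor key is deliberately not added
	fmt.Printf("%+v\n", se.Verify(Sign(ubuntuPriv, "bootloader", []byte("grub image"))))
	fmt.Printf("%+v\n", se.Verify(Sign(vendorPriv, "os", []byte("vendor kernel"))))
	fmt.Println("all stages user-trusted:", se.AllTrusted())
}
```

Keeping SigValid and Trusted apart is what separates certainty from lockdown: a vendor-signed image the user never opted into is reported faithfully rather than blocked, and adding the vendor's key later changes only future verdicts, not the recorded trace.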

Contributions
- We have a framework that can implement a usage control model defining privacy policies (contextual integrity) in order to build trust in digital interactions.
- Bottom-up: we have a prototype where storage-based usage control policies based on trusted storage and its integrity can easily be implemented: TSM and TIM.
- Top-down: we have one way to give users the freedom to choose their software while giving certainty to both users and service providers.
