Corporate Technology, Information & Communications Security: A Formal Security Model of the Infineon SLE88 Smart Card Memory Management.


A Formal Security Model of the Infineon SLE88 Smart Card Memory Management
David von Oheimb, Volkmar Lotz (Siemens AG, Corporate Technology, Security)
Georg Walter (Infineon Technologies AG, Security & Chip Card ICs)

© Siemens AG, CT IC 3, Information & Communications Security. CASSIS Workshop, Marseille, 13 March.

Context
- Certification of SLE88 according to Common Criteria EAL5+
- Existing LKW security model of SLE 66 [LKW00, vOL02] applies
- New security functionality for SLE88: Memory Management Unit
  - virtual address space
  - protection mechanisms on both the virtual and the physical level
- Intended to achieve the security objectives:
  - restricted memory access
  - separation of applications, OS, and chip security functionality (SL)
- Augmenting the LKW model with a separate memory management model suffices

Overview
- Context
- SLE88 Memory Management
  - Overview of functionality
  - Security Objectives
- Interacting State Machines
- SLE88 System Model
- Security Properties
  - Enforcing attribute-based access control
  - Protection of security-critical memory areas
- Results

Address Space [figure: address translation diagram; only its legend and package numbering are recoverable]
- Package numbers: 0 = SL, 1 = PSL/HAL, 2 = OS, 3..15 = reserved; the diagram distinguishes privileged from regular packages
- VEA: Virtual Effective Address, shown in the figure as PAD (Package Address) followed by DP (Displacement)
- PEA: Physical Effective Address, shown in the figure as PP (Page Pointer) followed by DP
- PT: Page Table, translating VEA to PEA
- EAR: Effective Access Right, attached to the virtual address
- BPF: Block Protection Field, attached to the physical address

Access Control Mechanisms
- Block Protection Field (BPF): applies to 4-bit blocks of physical addresses
- Effective Access Rights (EARs): apply to 8-bit blocks of virtual addresses

Security Requirements
Critical aspects:
- shared memory
- modification of the EAR table
- protection achieved by the BPF ("fail-safe"?)
- port commands (not shown here)

Interacting State Machines (ISMs)
- state transitions (possibly non-deterministic)
- buffered I/O, simultaneously on multiple connections
- finite trace semantics
- modular (hierarchical) parallel composition

Extensions to ISM concepts
- Generic ISMs: global/shared state
- Dynamic ISMs (dISMs): changing availability and communication
- Ambient ISMs (AmbISMs): mobility with constrained communication
- Dynamic Ambient ISMs (dAmbISMs): combination of both

Tool support
- AutoFocus: CASE tool for graphical specification and simulation
  - syntactic perspective
  - graphical documentation
  - type and consistency checks
- Isabelle/HOL: powerful interactive theorem prover
  - semantic perspective
  - textual documentation
  - validation and correctness proofs
- Translation chain: AutoFocus drawing -> Quest file -> Isabelle theory file
- Within Isabelle: ism sections -> standard HOL definitions

ISM representation in AutoFocus [figures not captured in the transcript]
- System Structure Diagram: Client/Server
- State Transition Diagram: working thread
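The ISM features listed two slides earlier (possibly non-deterministic transitions, buffered I/O on several connections, finite traces, parallel composition) are easiest to grasp on a runnable toy. The block below is an added example, not the authors' AutoFocus or Isabelle/HOL formalisation: it implements a minimal ISM executor and runs it on a Client/Server pair in the spirit of the System Structure Diagram. Everything concrete in it is an assumption of the example rather than of the slides: interleaving semantics (one component moves per global step), one FIFO buffer per port, and the messages "GET", "ok" and "err".

```python
# Added example (not the authors' model): toy Interacting State Machines.
# Assumptions not taken from the slides: interleaving semantics, FIFO buffers
# per port, and the concrete client/server messages used at the bottom.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Port = str
Buffers = Dict[Port, Tuple[str, ...]]        # port -> queued messages, oldest first
Outputs = Tuple[Tuple[Port, str], ...]       # messages emitted by one transition
# One enabled transition: successor state, outputs, and the input ports it consumed.
Choice = Tuple[object, Outputs, FrozenSet[Port]]
# Transition relation: local state plus the head message of every non-empty input
# port -> the set of all enabled choices (more than one choice = non-determinism).
Trans = Callable[[object, Dict[Port, str]], Set[Choice]]


@dataclass(frozen=True)
class ISM:
    name: str
    inputs: FrozenSet[Port]
    init: object
    trans: Trans


def step_component(m: ISM, state: object, bufs: Buffers) -> List[Tuple[object, Outputs, Buffers]]:
    """Every local step of m from `state` given the current buffer contents."""
    heads = {p: bufs[p][0] for p in m.inputs if bufs.get(p)}
    steps = []
    for new_state, outs, consumed in m.trans(state, heads):
        nb = dict(bufs)
        for p in consumed:                      # pop the consumed head messages
            nb[p] = nb[p][1:]
        for p, msg in outs:                     # append outputs to the receiving buffers
            nb[p] = nb.get(p, ()) + (msg,)
        steps.append((new_state, outs, nb))
    return steps


Trace = Tuple[Tuple[str, Outputs], ...]


def traces(machines: List[ISM], depth: int) -> Set[Trace]:
    """All finite traces of at most `depth` global steps of the parallel composition,
    exploring every interleaving and every non-deterministic choice."""
    result: Set[Trace] = set()
    frontier = [(tuple(m.init for m in machines), {}, ())]
    while frontier:
        states, bufs, trace = frontier.pop()
        result.add(trace)
        if len(trace) == depth:
            continue
        for i, m in enumerate(machines):
            for new_state, outs, nb in step_component(m, states[i], bufs):
                ns = states[:i] + (new_state,) + states[i + 1:]
                frontier.append((ns, nb, trace + ((m.name, outs),)))
    return result


# Client/Server pair in the spirit of the System Structure Diagram (messages made up).
def client_trans(state, heads):
    if state == "idle":
        return {("waiting", (("req", "GET"),), frozenset())}
    if state == "waiting" and "resp" in heads:
        return {(("done", heads["resp"]), (), frozenset({"resp"}))}
    return set()


def server_trans(state, heads):
    if state == "ready" and "req" in heads:
        # non-deterministic: the relation permits either reply
        return {("ready", (("resp", "ok"),), frozenset({"req"})),
                ("ready", (("resp", "err"),), frozenset({"req"}))}
    return set()


CLIENT = ISM("client", frozenset({"resp"}), "idle", client_trans)
SERVER = ISM("server", frozenset({"req"}), "ready", server_trans)


def client_server_traces(depth: int = 3) -> Set[Trace]:
    return traces([CLIENT, SERVER], depth)


if __name__ == "__main__":
    for t in sorted(client_server_traces(3), key=len):
        print(t)
```

With depth 3 the executor finds exactly two complete traces, one per server reply, and with depth 4 no longer ones: after the client has consumed the reply no component has an enabled transition, which is how a finite-trace semantics exposes a quiescent (here: terminated) system.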

Basic ISMs in Isabelle/HOL [figure: Isabelle/HOL definitions not captured in the transcript]

System Model: SLE88 Memory
Formal definition of the virtual address space [figure: Isabelle/HOL definition not captured in the transcript]

System Model: State
Formal definition of the system state, comprising:
- physical memory
- address translation
- access control settings
- execution state

System Model: Inputs and Outputs [figure not captured in the transcript]

System Model: Memory Access
Auxiliary function for checking the access control conditions. A request for access mode at virtual address va in state s returns Ok if:
- va is mapped to a physical address,
- the access is privileged, or permitted according to the EAR table, and
- the BPF is consistently assigned (or the access is a special access by SL).

System Model: Transition Relation (excerpt) [figure not captured in the transcript]

Security Properties (1): "Granted Accesses Do Respect EAR Settings"
[figure: two VEAs with EARs WW and WR mapped by PT_map to the same PEA]
Consistency of EARs:
- If PT_map is non-injective (aliasing), the effective protection of a physical address is determined by the weakest EAR among its aliases.
- Conflicts are therefore possible. Should aliasing be prohibited?
- Solution: define consistency requirements on EARs, namely that all aliases carry WW or all carry RR.
- The property only holds in case of EAR consistency.

Security Properties (2): "Protection of SL Memory"
Required axioms (assumptions):
- The initial state satisfies the requirements on BPF and initial EAR values
- Benign behaviour of SL (correct setting of BPF values, page table entries, and EAR table entries)
Used lemmas (invariants):
- The SL parts of the page table and of the EAR table can only be modified by SL
- EARs referring to SL are always set such that access by non-SL packages is denied
- For SL memory areas, the BPF tag is always set
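The three slides "System Model: Memory Access", "Security Properties (1)" and "Security Properties (2)" describe one mechanism from three angles: the access check, the aliasing hazard when PT_map is not injective, and the BPF invariant that shields SL memory. The block below is an added example, not the authors' Isabelle/HOL model, that puts those three pieces into a few lines of Python and exercises them on a constructed state. Its simplifications are assumptions of the example, not of the slides: EAR and BPF are kept at page granularity (the slides use finer blocks), an EAR is a plain set of R/W rights per accessing package (the slides use WW/WR/RR pairs), packages 0 and 1 are taken to be the privileged ones, and the BPF tag is modelled as "only SL may touch this physical page".

```python
# Added example (not the authors' model): toy SLE88-style access check with EARs,
# aliasing detection and the BPF tag.  Assumptions not taken from the slides are
# marked in the comments.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

PAGE_SHIFT = 8                 # assumption: 256-byte pages, only to split DP into page and offset
SL, PSL, OS = 0, 1, 2          # package numbers from the Address Space slide
PRIVILEGED = {SL, PSL}         # assumption: packages whose accesses bypass the EAR check

VPage = Tuple[int, int]        # (package address PAD, virtual page number)
Rights = FrozenSet[str]        # subset of {"R", "W"}


@dataclass
class State:
    pt_map: Dict[VPage, int] = field(default_factory=dict)            # PT_map: virtual page -> physical page
    ear: Dict[VPage, Dict[int, Rights]] = field(default_factory=dict)  # EAR table: page -> accessor -> rights
    bpf: Set[int] = field(default_factory=set)                        # physical pages whose BPF tag is set


def check_access(s: State, pkg: int, mode: str, pad: int, dp: int) -> str:
    """The three conditions of the Memory Access slide; returns 'Ok' or the first failing one."""
    vp = (pad, dp >> PAGE_SHIFT)
    if vp not in s.pt_map:                                   # 1. va is mapped to a physical address
        return "Unmapped"
    if pkg not in PRIVILEGED and mode not in s.ear.get(vp, {}).get(pkg, frozenset()):
        return "EAR"                                         # 2. privileged, or permitted by the EAR table
    if s.pt_map[vp] in s.bpf and pkg != SL:                  # 3. BPF consistent (SL has special access)
        return "BPF"
    return "Ok"


def effective_rights(s: State) -> Dict[Tuple[int, int], Rights]:
    """(physical page, accessor) -> union of the EARs of all virtual aliases: the weakest EAR wins."""
    eff: Dict[Tuple[int, int], Rights] = {}
    for vp, pp in s.pt_map.items():
        for acc, rights in s.ear.get(vp, {}).items():
            eff[(pp, acc)] = eff.get((pp, acc), frozenset()) | rights
    return eff


def ear_conflicts(s: State) -> Set[int]:
    """Physical pages reachable through several virtual pages whose EARs are not identical,
    i.e. violations of the consistency requirement of Security Properties (1)."""
    ears_by_pp: Dict[int, Set[tuple]] = {}
    for vp, pp in s.pt_map.items():
        canon = tuple(sorted((acc, tuple(sorted(r))) for acc, r in s.ear.get(vp, {}).items()))
        ears_by_pp.setdefault(pp, set()).add(canon)
    return {pp for pp, variants in ears_by_pp.items() if len(variants) > 1}


def demo() -> Dict[str, object]:
    """Constructed state: an SL page with a misconfigured OS alias, then an OS-internal alias."""
    s = State()
    s.pt_map[(SL, 1)] = 7                      # SL maps (package 0, page 1) to physical page 7
    s.ear[(SL, 1)] = {SL: frozenset("RW")}     # readable and writable by SL only
    s.pt_map[(OS, 3)] = 7                      # misconfiguration: OS alias of the same physical page
    s.ear[(OS, 3)] = {OS: frozenset("RW")}     # with an EAR that grants the OS write access
    os_write_untagged = check_access(s, OS, "W", OS, 3 << PAGE_SHIFT)   # alternative path succeeds
    s.bpf.add(7)                               # invariant of Security Properties (2): tag SL memory
    os_write_tagged = check_access(s, OS, "W", OS, 3 << PAGE_SHIFT)     # now blocked by the BPF
    sl_write = check_access(s, SL, "W", SL, 1 << PAGE_SHIFT)            # SL itself is unaffected
    s.pt_map[(OS, 4)] = 9                      # two OS aliases of physical page 9 ...
    s.ear[(OS, 4)] = {OS: frozenset("R")}
    s.pt_map[(OS, 5)] = 9
    s.ear[(OS, 5)] = {OS: frozenset("RW")}     # ... with different EARs: the weaker one wins
    return {
        "os_write_untagged": os_write_untagged,
        "os_write_tagged": os_write_tagged,
        "sl_write": sl_write,
        "conflicts": ear_conflicts(s),
        "effective_os_rights_on_9": effective_rights(s)[(9, OS)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points from the slides become visible in the output. First, with the OS alias in place and no BPF tag, the EAR check alone lets the OS write SL memory through the alternative path, which is the sense in which the BPF is not fail-safe against inappropriate EARs; once the tag is set, the same request fails on condition 3 while SL's own access still succeeds. Second, ear_conflicts flags both physical pages 7 and 9, and effective_rights shows that the OS ends up with R and W on page 9 although one of its aliases only grants R: without the consistency requirement, the weakest EAR decides.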

Conclusion
- Identification: necessary assumptions on the initial state and on the behaviour of SL
- Analysis: effects of non-injective address mappings
- Analysis: role of the block protection fields (BPF)
- Proof: the security functionality is adequate to satisfy the security requirements (on the abstract level of the specification)
- Proof: the security specification is consistent (with some additional arguments referring to the consistency of HOL)
- The security model satisfies all requirements of ADV_SPM.2 and thus contributes to the EAL5 certification
- Effort: 2 person months

Thank you for your attention! Questions?

Backup Slides

Formal Definition of Basic ISMs [figure not captured in the transcript]

Open runs [figure not captured in the transcript]

Parallel Runs (Interaction) [figure not captured in the transcript]

(Parallel) Composition of ISMs [figure not captured in the transcript]

Parallel State Transition Relation [figure not captured in the transcript]

Results on BPF
- Prohibits access of non-SL packages to SL memory through alternative access paths
- Allows SL to be granted exclusive access to other memory areas
- Achieves write protection of SL memory areas in case traps are delayed
- Is not a "fail-safe" mechanism in case of inappropriate EARs for SL memory!