1. Is the Operating System the Right Place to Address Mobile Phone Security?
Craig Heath, Principal Product Manager, Security & Privacy
Copyright 2008 Symbian Software Ltd.

2. Topics
- What we mean by a “secure” mobile phone
- What approaches are possible (“who trusts whom to do what?”)
- What measures can be taken by the operating system
- How effective those measures have been in practice
- Whether the “costs” of the security measures are fairly distributed
- How the economics can be adjusted for better advantage
- How operating system security can cooperate with other measures
- Open discussion

3. What is a “Secure” Mobile Phone – Who’s Asking?
(diagram of stakeholders)
- content creators
- OS vendor
- technology partners
- network operators
- content distributors
- aftermarket s/w vendors
- phone manufacturers
- enterprise IT admins
- phone users

4. What do the Stakeholders in the Value Chain Care About?
- Operating system vendor: meet the phone manufacturers’ requirements; match or beat competitors on (security) features
- Technology partners: maximise their revenue (find security nails for their hammers)
- Phone manufacturers: meet the network operators’ requirements (usually); meet the phone users’ expectations (protect reputation); minimise liability for security breaches (particularly DRM)
- Aftermarket software vendors (tools and utilities): maximise their revenue (find security nails for their hammers)
- Network operators: protect the network infrastructure; maximise their revenue; minimise their costs (particularly support costs)
- Content creators (application software and entertainment media): maximise their revenue; protect their intellectual property
- Content distributors: maximise their revenue (control of distribution channels)
- Enterprise IT administrators: protect company confidential information; minimise support costs
- Phone users: don’t want to care about security

6. What Security Measures are Available?
- Operating system vendor: OS platform security
- Technology partners: secure execution environments, other “security elements” (e.g. TPM), virtualisation, middleware, DRM agents
- Phone manufacturers: patch management, “kill bits”
- Aftermarket software vendors (tools and utilities): non-native execution environments (including browser), anti-virus
- Network operators: device settings management, revocation, “cloud” services, billing advice and dispute resolution, SIM applications
- Content creators (application software and entertainment media): software activation keys, license management
- Content distributors: DRM wrappers
- Enterprise IT administrators: software inventory management, security policy settings
- Phone users: responses to security prompts (trust decisions)

7. So, “Who Trusts Whom to do What?” (very simplified)
- A “secure mobile phone” must meet the phone users’ expectations:
  - always to be able to make and receive voice calls (no blue screens, “Ctrl-Alt-Del”, applications stealing focus)
  - not to be presented with unauthorised charges (Pay-as-You-Go or flat-rate customers often pay a premium for predictability)
  - not to have their (or their contacts’) private information misused (your phone feels like a safe place to hold your data as it’s carried with you)
- Phone users trust the phone vendor to supply a device that meets these expectations (the phone vendor is often the network operator)
- Network operators trust the phone manufacturers to provide devices that resist attack
- Phone manufacturers trust the Operating System to correctly enforce the security policies that they configure

9. Symbian OS Platform Security Objectives
- Privacy: protect confidentiality of user data
- Reliability: protect system integrity
- Defensibility: resist malware, financial fraud, network attacks
- Unobtrusiveness: don’t compromise the user experience
- Openness: innovative 3rd-party applications
- Trustworthiness: “does what it says on the tin”

10. Symbian OS Platform Security Architecture
- Run-time controls on add-on applications
- Based on long-established security principles, e.g. “Trusted Computing Base”, “Least Privilege”
- Introduced in Symbian OS v9 (Q1 2006)
- “Capabilities” determine process privileges; checked by APIs which offer security-relevant services
- “Data Caging” protects stored data; protected directories for system and for applications
- Secure identifiers (“SIDs”) for applications; verified at install-time

11. Capabilities and the Least-Privilege Principle
(diagram: user capabilities WriteUserData, ReadUserData, UserEnvironment, Location, LocalServices, NetworkServices; servers ETel, multimedia, L.B.S., ESock; TCB at the centre)
- Trusted Computing Base (TCB): full access to all APIs and files (kernel, installer, file server)
- Trusted Computing Environment (TCE): servers with “system capabilities” (messaging, contacts, agenda)
- Most 3rd-party apps need only “user capabilities”
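The two mechanisms on slides 10 and 11, capability checks performed by a server API and data caging keyed on the caller's SID, are modelled below in C++. This is an added illustration, not Symbian's own code: the capability names are Symbian's and the \sys\, \resource\ and \private\<SID>\ rules follow the v9 data-caging policy, but the bit values, the `Process` struct, and the `serverAllows` / `fileAccessAllowed` functions are this model's own simplifications.

```cpp
#include <cstdint>
#include <cstdlib>
#include <string>
// Capability bits. The names are Symbian's; the bit layout is this model's own.
enum Cap : uint32_t {
    TCB             = 1u << 0,  // Trusted Computing Base: kernel, installer, file server
    AllFiles        = 1u << 1,  // system capability: read any private directory
    NetworkServices = 1u << 2,  // user capability, checked by ESock / ETel
    ReadUserData    = 1u << 3,  // user capability, checked by contacts / agenda servers
    WriteUserData   = 1u << 4,
};

struct Process {
    uint32_t sid;   // Secure Identifier, fixed by the installer at install time
    uint32_t caps;  // capabilities granted at install time (assumed values in tests)
};

// A server API checks the caller's capabilities before serving the request.
// The check runs on the trusted side, so an add-on app cannot bypass it.
bool serverAllows(const Process& caller, uint32_t required) {
    return (caller.caps & required) == required;
}

static bool startsWith(const std::string& s, const char* prefix) {
    return s.rfind(prefix, 0) == 0;
}

// Data caging for a backslash-separated Symbian-style path:
//   \sys\            read needs AllFiles, write needs TCB
//   \resource\       anyone may read, write needs TCB
//   \private\<SID>\  owner SID has full access; AllFiles may read; TCB may write
//   anything else    uncaged
bool fileAccessAllowed(const Process& p, const std::string& path, bool write) {
    if (startsWith(path, "\\sys\\"))
        return write ? (p.caps & TCB) != 0 : (p.caps & AllFiles) != 0;
    if (startsWith(path, "\\resource\\"))
        return !write || (p.caps & TCB) != 0;
    if (startsWith(path, "\\private\\")) {
        std::string rest = path.substr(9);                  // text after the private prefix
        std::string sidText = rest.substr(0, rest.find('\\'));
        char* end = nullptr;
        unsigned long sid = std::strtoul(sidText.c_str(), &end, 16);
        if (end == sidText.c_str() || *end != '\0') return false;  // malformed SID: deny
        if (sid == p.sid) return true;                      // owner: full access
        return write ? (p.caps & TCB) != 0 : (p.caps & AllFiles) != 0;
    }
    return true;
}
```

A contacts viewer installed with only ReadUserData can read its own private directory and the contacts server will serve it, but ESock refuses it a socket and it cannot touch another application's private data.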

13. Judging the Success of a Security Architecture
- Is the system secure?
  - a concrete block has excellent security properties but poor information processing performance
  - is the system secure enough? is the security policy enforced sufficiently effectively? there will be a point of “diminishing returns”
- Is the resulting system better?
  - simple economics: does the benefit exceed the cost?
  - but benefit and cost may be difficult to measure quantitatively: benefits include attacks that don’t happen (deterrence); costs include inconvenience (reduced usability)

14. Symbian OS – is it Secure Enough?
- Symbian OS is the biggest target for malware
  - over 200 million phones shipped with Symbian OS
  - 46.6% of worldwide smartphone market in Q3 2008 [Canalys]; 2nd Apple (17.3%), 3rd RIM (15.2%), 4th Microsoft (13.6%), 5th Linux (5.1%)
- Symbian OS platform security in phones from March 2006
  - small increase in new Symbian OS malware in 1H 2006 (interest raised by v9 security feature press coverage?)
  - significant reduction in overall numbers in 2006 and 2007 (lack of interest in “old” (v6, v7, v8) security holes? increasing proportion of Symbian OS-based phones on v9)
- No malware found on Symbian OS v9-based phones: 2½ years and counting...

15. Effect of Symbian OS Platform Security on Malware
(chart; annotation: “First phones introduced with platform security”)

17. Symbian OS – Who Benefits from the Security?
- Phone Manufacturers: protection of reputation leading to increased phone sales; reduced risk of liability for device vulnerabilities
- Network Operators: reduction of support costs due to malware-infected phones; protection of network infrastructure (e.g. from DDoS attacks)
- Application Developers (ISVs): larger market for third-party smartphone applications, due to increased adoption of open phones by manufacturers and operators; increased user confidence leads to more willingness to purchase apps
- End Users: protection of personal data and reduced risk of malware

18. Symbian OS – Who Pays for the Security?
- Phone Manufacturers: high initial development costs of migrating UI software to the new security model; ongoing porting costs
- Network Operators: give up some control in supporting an open standard security policy (risk of lost revenue to third-party services, e.g. free VoIP clients)
- Application Developers: pay to have their software approved by Symbian Signed; feel as if they are being charged for access to APIs; have difficulties deploying “open beta” software
- End Users: inconvenienced by binary incompatibility with previous versions

19. How Do We Know if the Costs are Fairly Distributed?
- Costs and benefits are hard to quantify
  - how much value to put on “inconvenience”? could include lost sales, missed opportunities for innovation
- Best approximation is how happy each stakeholder is (or how loud they complain!)
  - need however to consider perception vs. reality
- Are stakeholders asking for more or less security?
  - phone manufacturers are mostly content
  - end users are mostly content (“ignorance is bliss?”)
  - network operators are asking for more security (OMTP Application Security Framework, Advanced Trusted Environment)
  - application developers are asking for less security (Symbian Signed is a very visible inconvenience for many)

21. How Do We Know if We are Paying Too Much Overall?
- Where is the point of diminishing economic returns?
  - adding to the costs beyond this point won’t provide enough benefit
  - to find this point we need to quantify the costs and benefits
- Measuring security benefits is hard
  - Ross Anderson, 2001, “Why Information Security is Hard – An Economic Perspective”
  - or rather more flippantly: Why do elephants paint their toenails red? So they can hide in cherry trees! You’ve never seen an elephant in a cherry tree? See how well it works!

22. The Economics of the Symbian OS Security Model
- The economics of a security model is critical for its success
- Arguably, too much has been invested over the past two years
  - malware has been reduced to effectively zero; could this have been achieved at less cost?
- Maintaining a zero level of malware isn’t desirable
  - we need to see the occasional elephant in the cherry tree
  - threats should be managed to acceptable levels, similar to banks defining an acceptable level of card fraud
- The costs may be unfairly distributed (“externalities”)
  - network operators may not be paying enough for security, or the costs may not be visible enough to them
  - application developers may be paying too much, or the benefits may not be visible enough to them

23. How Can We Adjust the Economic Incentives?
- Marketing security to application developers
  - perhaps promoting use of platform security for copy protection?
- Reducing the inconvenience for application developers
  - Symbian Signed is continually evolving: Open Signed Online went live in March, replacing free developer certs
  - perhaps making more capabilities user-grantable?
- Involving network operators more directly in the security model
  - working with them so they will set up network infrastructure for revocation and quarantine of malware
  - finding a way for network operators to subsidise application testing?
  - enabling network operators to contribute directly to security feature development (a possibility with the Symbian Foundation)

25. Is the Operating System the Best Place?
- Obviously, the OS is the best place (for Symbian!)
  - it is effective, as seen by the effect on malware
  - it has little marginal cost (although it was expensive to implement)
  - it is necessary: applications and services that directly provide the user experience require the operating system to provide data protection and control access to hardware resources
- But it can’t stand alone
  - the OS can’t know whether it has been tampered with; this requires some external element (usually secure boot hardware or an external monitor like a Trusted Platform Module)
- Defence in depth is a Good Thing
  - when properly combined, multiple security mechanisms can mitigate the failure of a single mechanism

26. Do We Have Enough Security?
- We must continue developing new security features
  - the threat landscape is evolving: attackers are always developing new techniques
  - PCs are becoming a harder target
    - Vista User Account Control, TPMs, hypervisors, etc.
    - the “business model” for malware may start to favour mobile phones
  - there is a very long lead time
    - up to 2 years to start shipping a feature in phones
    - months or years after that to significant adoption by the user base
  - if we “overcorrect” investment it will take a long time to recover
- But, security features must be designed to be “tuneable”
  - business decisions are best made late in the product cycle
  - as Bruce Schneier often says, investment in prevention of attacks must go hand-in-hand with investment in detection and response

27. Cooperation Across the Value Chain
- Cooperation to ensure malware doesn’t get out of control: GSMA / OMTP working groups
- OS Vendors, Technology Partners and Device Manufacturers
  - improve platform security to mitigate possible damage from malware, making use of security hardware to monitor the OS integrity
  - tight integration with specialist security suppliers (anti-virus, firewall, etc.)
- After-market Software Vendors, Content providers and Distributors
  - take advantage of digital signatures to promote trustworthy channels for applications and content
- Enterprise IT Administrators and Network Operators
  - provide infrastructure for application lifecycle management, including revocation and patching
- End users
  - value security, think about security prompts, but DON’T PANIC!
