C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

Information & Communications

Security

A Formal Security Model of the Infineon SLE88 Smart Card Memory Management

David von Oheimb, Volkmar LotzSiemens AG, Corporate Technology, Security

{David.von.Oheimb,Volkmar.Lotz}@siemens.com

Georg WalterInfineon Technologies AG, Security & Chip Card ICs

Georg.Walter@infineon.com

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 2

Context

• Certification of SLE88 according to Common Criteria EAL5+

• Existing LKW security model of SLE 66 [LKW00, vOL02] applies

• New security functionality for SLE88: Memory Management Unit

• virtual address space

• protection mechanisms on both virtual and physical level

• Intended to achieve security objectives:

• Restricted memory access

• Separation of applications, OS, and chip security functionality (SL)

• Augmenting the LKW model with a separate memory management model suffices

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 3

Overview

• Context

• SLE88 Memory Management

• Overview of functionality

• Security Objectives

• Interacting State Machines

• SLE88 System Model

• Security Properties

• Enforcing attribute-based access control

• Protection of security-critical memory areas

• Results

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 4

Address Space

EAR

DPPAD

0531 23

DP

0 521

BPF

0 SL1 PSL/HAL2 OS3..15 reserved16..255 regular

VEA Virtual Effective AddressPEA Physical Effective AddressPT Page TablePP Page Pointer

VEA

PEA

DP DisplacementPAD Package AddressEAR Effective Access RightBPF Block Protection Field

PT

PP

privileged

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 5

Access Control Mechanisms

• Block Protection Field (BPF)

applies to 4-bit blocks of physical addresses

• Effective Access Rights (EARs)

apply to 8-bit blocks of virtual addresses

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 6

Security Requirements

• Critical aspects:

• shared memory

• modification of EAR table

• protection achieved by BPF (“fail-safe”?)

• port commands (not shown here)

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 7

• state transitions (maybe non-deterministic)

• buffered I/O simultaneously on multiple connections

• finite trace semantics

• modular (hierarchical) parallel composition

Interacting State Machines (ISMs)

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 8

• Generic ISMs: global/shared state

• Dynamic ISMs: changing availability and communication

• Ambient ISMs: mobility with constrained communication

• Dynamic Ambient ISMs: combination

Extensions to ISM concepts

(generic) ISMs

AmbISMsdISMs

dAmbISMs

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 9

• AutoFocus: CASE tool for graphical specification and simulation

• syntactic perspective

• graphical documentation

• type and consistency checks

• Isabelle/HOL: powerful interactive theorem prover

• semantic perspective

• textual documentation

• validation and correctness proofs

• AutoFocus drawing Quest file Isabelle theory file

Within Isabelle: ism sections standard HOL definitions

Tool support

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 10

ISM representation in AutoFocus

• System Structure Diagram: Client/Server

• State Transition Diagram: working thread

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 11

Basic ISMs in Isabelle/HOL

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 12

System Model: SLE88 Memory

Formal definition of the virtual address space:

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 13

System Model: State

Formal definition of the system state:

• physical memory• address translation• access control settings• execution state

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 14

System Model: Inputs and Outputs

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 15

System Model: Memory Access

Auxiliary function for checking access control conditions

Request for access mode at virtual address va in state s returns Ok, if:• va is mapped to a physical address• access is (privileged or) permitted according to EAR table• BPF is consistently assigned (or special access by SL)

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 16

System Model: Transition Relation (excerpt)

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 17

Security Properties (1):“Granted Accesses Do Respect EAR Settings”

PT_map PEAVEA

WW

WR

Consistency of EARs:• In case of non-injective PT_map, the effective

protections is determined by weakest EAR• Conflicts are possible• Should aliasing be prohibited?• Solution: Define consistency requirements on EARs: all WW or all RR• Property only holds in case of EAR consistency

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 18

Security Properties (2):“Protection of SL Memory”

Required axioms (assumptions):

• Initial state satisfies requirements on BPF and initial EAR values • Benign behaviour of SL (correct setting of BPF values, page table

entries, and EAR table entries)

Used lemmas (invariants):

• SL parts of page table and EAR table can only be modified by SL• EARs referring to SL are always set in a way that access by non-SL packages is denied• For SL memory areas, the BPF tag is always set

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 19

Conclusion

• Identification: necessary assumptions on initial state and behaviour of SL

• Analysis: effects of non-injective address mappings

• Analysis: role of block protection fields (BPF)

• Proof: security functionality is adequate to satisfy security requirements

(on abstract level of specification)

• Proof: security specification is consistent

(with some additional arguments referring to consistency of HOL)

• Security model satisfies all requirements of ADV_SPM.2

and thus contributes to EAL5 certification

• Effort: 2 person months

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

Information & Communications

Security

Thank you for your attention!

Questions?

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

Information & Communications

Security

Backup Slides

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 22

Formal Definition of Basic ISMs

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

Information & Communications

Security

Open runs

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 24

Parallel Runs (Interaction)

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 25

(Parallel) Composition of ISMs

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

Information & Communications

Security

Parallel State Transition Relation

C

O R

P O

R A

T E

T

E C

H N

O L

O G

Y

© Siemens AG, CT IC 3Information &

CommunicationsSecurity

CASSIS Workshop, Marseille, 13 March 2004 27

Results on BPF

• Prohibits access of non-SL packages to SL through alternative access paths

• Allows to grant exclusive access of SL to other memory areas

• Achieves write protection of SL memory areas in case of traps being delayed

• Is not a “fail-safe” mechanism in case of inappropriate EARs for SL memory!