A Formal Security Model of the Infineon SLE88 Smart Card Memory Management
Transcript of A Formal Security Model of the Infineon SLE88 Smart Card Memory Management
Page 1
Information & Communications Security
A Formal Security Model of the Infineon SLE88 Smart Card Memory Management
David von Oheimb, Volkmar Lotz (Siemens AG, Corporate Technology, Security)
{David.von.Oheimb,Volkmar.Lotz}@siemens.com
Georg Walter (Infineon Technologies AG, Security & Chip Card ICs)
Page 2
© Siemens AG, CT IC 3, Information & Communications Security
CASSIS Workshop, Marseille, 13 March 2004
Context
• Certification of SLE88 according to Common Criteria EAL5+
• Existing LKW security model of SLE 66 [LKW00, vOL02] applies
• New security functionality for SLE88: Memory Management Unit
  • virtual address space
  • protection mechanisms on both virtual and physical level
• Intended to achieve security objectives:
  • Restricted memory access
  • Separation of applications, OS, and chip security functionality (SL)
• Augmenting the LKW model with a separate memory management model suffices
Page 3
Overview
• Context
• SLE88 Memory Management
  • Overview of functionality
  • Security Objectives
• Interacting State Machines
• SLE88 System Model
• Security Properties
  • Enforcing attribute-based access control
  • Protection of security-critical memory areas
• Results
Page 4
Address Space
[Diagram: layout of the Virtual Effective Address (VEA, with Package Address PAD and Displacement DP), its Effective Access Right (EAR), the translation through Page Table (PT) and Page Pointer (PP) to the Physical Effective Address (PEA), and the Block Protection Field (BPF) of physical blocks; the bit positions are not recoverable from the transcript]
Abbreviations:
• VEA: Virtual Effective Address
• PEA: Physical Effective Address
• PT: Page Table
• PP: Page Pointer
• DP: Displacement
• PAD: Package Address
• EAR: Effective Access Right
• BPF: Block Protection Field
Package addresses: 0 SL, 1 PSL/HAL, 2 OS, 3..15 reserved, 16..255 regular; the diagram marks the low package numbers as privileged
Page 5
Access Control Mechanisms
• Block Protection Field (BPF)
applies to 4-bit blocks of physical addresses
• Effective Access Rights (EARs)
apply to 8-bit blocks of virtual addresses
Page 6
Security Requirements
• Critical aspects:
  • shared memory
  • modification of EAR table
  • protection achieved by BPF (“fail-safe”?)
  • port commands (not shown here)
Page 7
Interacting State Machines (ISMs)
• state transitions (maybe non-deterministic)
• buffered I/O simultaneously on multiple connections
• finite trace semantics
• modular (hierarchical) parallel composition
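The four ingredients listed on this slide, written out as a small executable model in Python. This is an added example, not the Isabelle/HOL ISM theory of the slides and not code by the authors; the names `ISM`, `fire`, `runs` and `demo`, the choice that a connection is a named FIFO buffer, that exactly one machine fires per global step, and the Client/Server sample (after the structure diagram of slide 10) are assumptions of the example.

```python
"""Miniature executable model of Interacting State Machines (ISMs).

Added illustration, not the Isabelle/HOL ISM theory.  Assumed simplifications:
a connection is a named FIFO buffer shared by the machine that outputs on it
and the machine that inputs from it; in each global step exactly one machine
fires one of its (possibly several) enabled transitions; the trace records
which machine fired and what it output.
"""
from typing import Any, Callable, Dict, Iterable, List, Tuple

Buffers = Dict[str, Tuple[Any, ...]]
# A transition result: (messages consumed per input port, outputs per port, new local state)
Firing = Tuple[Dict[str, int], Dict[str, List[Any]], Any]


class ISM:
    def __init__(self, name: str, inputs, outputs, init: Any,
                 trans: Callable[[Any, Buffers], Iterable[Firing]]):
        self.name, self.inputs, self.outputs = name, frozenset(inputs), frozenset(outputs)
        self.init, self.trans = init, trans


def fire(m: ISM, state: Any, bufs: Buffers):
    """Every way machine m can take one step: yields (outputs, new_state, new_buffers)."""
    visible = {p: bufs.get(p, ()) for p in m.inputs}      # buffered I/O on all input ports at once
    for consumed, outputs, new_state in m.trans(state, visible):
        new_bufs = dict(bufs)
        for port, n in consumed.items():
            if port not in m.inputs or n > len(visible[port]):
                raise ValueError(f"{m.name}: cannot consume {n} from {port}")
            new_bufs[port] = visible[port][n:]
        for port, msgs in outputs.items():
            if port not in m.outputs:
                raise ValueError(f"{m.name}: {port} is not an output port")
            new_bufs[port] = new_bufs.get(port, ()) + tuple(msgs)
        yield outputs, new_state, new_bufs


def runs(machines: Tuple[ISM, ...], max_steps: int, env: Buffers = None):
    """Finite-trace semantics of the parallel composition: every run of at most
    max_steps interleaved steps, as (trace, local states, buffers).  `env` holds
    messages the environment has already put on input ports (open run)."""
    for a in machines:                                        # output ports must be disjoint
        for b in machines:
            if a is not b and a.outputs & b.outputs:
                raise ValueError("output port shared by two machines")
    found = []

    def explore(states, bufs, trace):
        found.append((trace, states, bufs))
        if len(trace) == max_steps:
            return
        for i, m in enumerate(machines):
            for out, new_state, new_bufs in fire(m, states[i], bufs):
                explore(states[:i] + (new_state,) + states[i + 1:], new_bufs, trace + [(m.name, out)])

    explore(tuple(m.init for m in machines), dict(env or {}), [])
    return found


# --- constructed Client/Server sample (not taken from the slides) -------------
def client_trans(state, inp):
    to_send, received = state
    if to_send:                                   # send the next request without waiting for a reply
        yield {}, {"req": [to_send[0]]}, (to_send[1:], received)
    if inp["resp"]:                               # or pick up one buffered reply
        yield {"resp": 1}, {}, (to_send, received + (inp["resp"][0],))


def server_trans(state, inp):
    if inp["req"]:                                # non-deterministic: succeed or fail
        x = inp["req"][0]
        yield {"req": 1}, {"resp": [("ok", 2 * x)]}, state + 1
        yield {"req": 1}, {"resp": [("err", x)]}, state + 1


CLIENT = ISM("client", inputs={"resp"}, outputs={"req"}, init=((1, 2), ()), trans=client_trans)
SERVER = ISM("server", inputs={"req"}, outputs={"resp"}, init=0, trans=server_trans)


def demo(max_steps: int = 6):
    """All runs of client || server, plus the reply sequences the client can end up with."""
    found = runs((CLIENT, SERVER), max_steps)
    completed = {states[0][1] for _, states, _ in found if len(states[0][1]) == 2}
    return found, completed


if __name__ == "__main__":
    found, completed = demo()
    print(len(found), "runs; reply sequences:", sorted(completed))
```

`runs` enumerates every interleaving up to a step bound, so its result is the finite-trace semantics of the composed system as a set rather than one simulation. Because `fire` hands a machine all of its input buffers at once, a transition may consume from several connections in one step, and `env` lets an open run start with messages already buffered by the environment; the client sending both requests before the server fires is one of the enumerated runs, which is where the buffering matters.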
Page 8
Extensions to ISM concepts
• Generic ISMs: global/shared state
• Dynamic ISMs: changing availability and communication
• Ambient ISMs: mobility with constrained communication
• Dynamic Ambient ISMs: combination
[Diagram: (generic) ISMs at the base, extended separately to AmbISMs and dISMs, which are combined in dAmbISMs]
Page 9
Tool support
• AutoFocus: CASE tool for graphical specification and simulation
  • syntactic perspective
  • graphical documentation
  • type and consistency checks
• Isabelle/HOL: powerful interactive theorem prover
  • semantic perspective
  • textual documentation
  • validation and correctness proofs
• AutoFocus drawing → Quest file → Isabelle theory file
• Within Isabelle: ism sections → standard HOL definitions
Page 10
ISM representation in AutoFocus
• System Structure Diagram: Client/Server
• State Transition Diagram: working thread
Page 11
Basic ISMs in Isabelle/HOL
Page 12
System Model: SLE88 Memory
Formal definition of the virtual address space:
Page 13
System Model: State
Formal definition of the system state:
• physical memory
• address translation
• access control settings
• execution state
Page 14
System Model: Inputs and Outputs
Page 15
System Model: Memory Access
Auxiliary function for checking access control conditions.
A request for access mode at virtual address va in state s returns Ok if:
• va is mapped to a physical address
• the access is privileged, or permitted according to the EAR table
• the BPF is consistently assigned (or it is a special access by SL)
Page 16
System Model: Transition Relation (excerpt)
Page 17
Security Properties (1): “Granted Accesses Do Respect EAR Settings”
[Diagram: two virtual addresses (VEA) with EARs WW and WR are mapped by PT_map to the same physical address (PEA)]
Consistency of EARs:
• In case of a non-injective PT_map, the effective protection is determined by the weakest EAR
• Conflicts are possible
• Should aliasing be prohibited?
• Solution: define consistency requirements on EARs: all WW or all RR
• The property only holds in case of EAR consistency
Page 18
Security Properties (2): “Protection of SL Memory”
Required axioms (assumptions):
• Initial state satisfies requirements on BPF and initial EAR values
• Benign behaviour of SL (correct setting of BPF values, page table entries, and EAR table entries)
Used lemmas (invariants):
• SL parts of page table and EAR table can only be modified by SL
• EARs referring to SL are always set in a way that access by non-SL packages is denied
• For SL memory areas, the BPF tag is always set
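A Python model of the access check of slide 15 and of the two security properties of slides 17 and 18, including the non-injective PT_map case and the BPF behaviour summarised on the “Results on BPF” slide. This is an added example, not the Isabelle/HOL model and not the authors' code. The names (`State`, `check_access`, `ear_consistent`, `scenarios`, ...), the block-granular addressing, the reading of an EAR as the set of modes open to non-SL packages with SL as the only privileged package, the one-bit BPF tag with the consistency condition “tag set iff the virtual block lies in SL's package range”, and the sample states built in `scenarios()` are all assumptions of the example.

```python
"""Executable abstraction of the SLE88 memory-access check and security properties.
Added illustration, not the Isabelle/HOL model; names and simplifications are assumptions:
  - a virtual block is (PAD, displacement block); a physical block is an int;
  - the EAR of a virtual block is the set of modes ('R', 'W') non-SL packages may use;
    SL (package 0) is the only privileged package;
  - the BPF of a physical block is a one-bit 'belongs to SL' tag; it is 'consistently
    assigned' for an access iff the tag equals (PAD of the virtual block == SL).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

SL = 0                          # package address of the security layer
VBlock = Tuple[int, int]        # (PAD, displacement block)


@dataclass
class State:
    pt_map: Dict[VBlock, Optional[int]]   # address translation: virtual block -> physical block
    ear: Dict[VBlock, FrozenSet[str]]     # access control settings on the virtual level
    bpf: Dict[int, bool]                  # access control settings on the physical level
    mem: Dict[int, int] = field(default_factory=dict)


def check_access(s: State, pkg: int, vb: VBlock, mode: str) -> str:
    """'Ok', or the name of the failing condition, in the order of the memory-access slide."""
    pb = s.pt_map.get(vb)
    if pb is None:
        return "Unmapped"
    if pkg != SL and mode not in s.ear.get(vb, frozenset()):
        return "EAR"
    if pkg != SL and s.bpf.get(pb, False) != (vb[0] == SL):
        return "BPF"
    return "Ok"


def write(s: State, pkg: int, vb: VBlock, value: int) -> str:
    result = check_access(s, pkg, vb, "W")
    if result == "Ok":
        s.mem[s.pt_map[vb]] = value
    return result


def aliases(s: State, pb: int) -> Set[VBlock]:
    return {vb for vb, p in s.pt_map.items() if p == pb}


def effective_ear(s: State, pb: int) -> FrozenSet[str]:
    """Under a non-injective PT_map the protection a physical block really gets is
    the weakest EAR among its aliases, i.e. the union of their mode sets."""
    return frozenset().union(*(s.ear.get(vb, frozenset()) for vb in aliases(s, pb)))


def ear_consistent(s: State) -> bool:
    """Consistency requirement of slide 17: all aliases of a physical block carry the same EAR."""
    return all(len({s.ear.get(vb, frozenset()) for vb in aliases(s, pb)}) <= 1
               for pb in set(s.pt_map.values()) if pb is not None)


def granted_accesses_respect_ears(s: State, pkg: int, modes=("R", "W")) -> bool:
    """Property (1): whenever non-SL package pkg is granted a mode on a virtual block,
    that mode is in the EAR of every alias of the underlying physical block."""
    for vb, pb in s.pt_map.items():
        if pb is None:
            continue
        for mode in modes:
            if check_access(s, pkg, vb, mode) == "Ok" and \
               any(mode not in s.ear.get(a, frozenset()) for a in aliases(s, pb)):
                return False
    return True


def sl_memory_protected(s: State, packages: Iterable[int]) -> bool:
    """Property (2): no non-SL package obtains any access to a BPF-tagged block by any path."""
    return not any(check_access(s, pkg, vb, mode) == "Ok"
                   for vb, pb in s.pt_map.items() if pb is not None and s.bpf.get(pb, False)
                   for pkg in packages if pkg != SL
                   for mode in ("R", "W"))


def scenarios() -> Dict[str, object]:
    """Constructed states (sample data, not taken from the slides)."""
    out = {}
    # (a) two regular packages alias physical block 10 with conflicting EARs
    s = State(pt_map={(16, 1): 10, (17, 1): 10},
              ear={(16, 1): frozenset("RW"), (17, 1): frozenset("R")}, bpf={10: False})
    out["alias_write"] = write(s, 16, (16, 1), 0xAB)              # granted, though (17,1) says read-only
    out["alias_effective"] = effective_ear(s, 10)                 # the weakest EAR wins
    out["alias_consistent"] = ear_consistent(s)
    out["alias_property"] = granted_accesses_respect_ears(s, 16)
    s.ear[(17, 1)] = frozenset("RW")                               # impose consistency: all RW
    out["fixed_consistent"] = ear_consistent(s)
    out["fixed_property"] = granted_accesses_respect_ears(s, 16)
    # (b) SL memory (block 20) reached through an alternative path from package 16
    t = State(pt_map={(SL, 0): 20, (16, 0): 20},
              ear={(SL, 0): frozenset(), (16, 0): frozenset("RW")}, bpf={20: True})
    out["sl_alt_path"] = write(t, 16, (16, 0), 1)                 # EAR permits it, the BPF tag does not
    out["sl_own_path"] = write(t, SL, (SL, 0), 1)                 # special access by SL
    out["sl_protected"] = sl_memory_protected(t, [16])
    # (c) BPF is not fail-safe: an inappropriate EAR on SL's own range opens the block
    t.ear[(SL, 0)] = frozenset("RW")
    out["sl_bad_ear"] = write(t, 16, (SL, 0), 2)
    out["sl_protected_bad"] = sl_memory_protected(t, [16])
    return out


if __name__ == "__main__":
    print(scenarios())
```

Scenario (a) reproduces the aliasing conflict of slide 17: the write through `(16, 1)` is granted although the alias `(17, 1)` is read-only, so property (1) fails until the EARs of all aliases agree. Scenario (b) shows the BPF tag denying a non-SL package that reaches SL memory through its own package range, and (c) shows why the invariant “EARs referring to SL always deny non-SL packages” is needed: with an inappropriate EAR on SL's own range the BPF condition is satisfied and the access goes through, which is the sense in which BPF is not a fail-safe mechanism.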
Page 19
Conclusion
• Identification: necessary assumptions on initial state and behaviour of SL
• Analysis: effects of non-injective address mappings
• Analysis: role of block protection fields (BPF)
• Proof: security functionality is adequate to satisfy security requirements (on abstract level of specification)
• Proof: security specification is consistent (with some additional arguments referring to consistency of HOL)
• Security model satisfies all requirements of ADV_SPM.2 and thus contributes to EAL5 certification
• Effort: 2 person months
Page 20
Thank you for your attention!
Questions?
Page 21
Backup Slides
Page 22
Formal Definition of Basic ISMs
Page 23
Open runs
Page 24
Parallel Runs (Interaction)
Page 25
(Parallel) Composition of ISMs
Page 26
Parallel State Transition Relation
Page 27
Results on BPF
• Prohibits access of non-SL packages to SL through alternative access paths
• Allows granting SL exclusive access to other memory areas
• Achieves write protection of SL memory areas even when traps are delayed
• Is not a “fail-safe” mechanism in case of inappropriate EARs for SL memory!