EE Times-Asia

Defining the memory's role in a secured environment

Posted: 01 May 2008

Keywords: secure memory, flash memory, computing, trusted execution environment

By Venkat Natarajan
Spansion Inc.

Today's mobile phones are used for a myriad of new applications that involve storing sensitive data and providing such secure services as mobile payments. With phones storing more critical information than ever before, it is increasingly important to keep them safe from rogue software that can steal or abuse credit card numbers or encryption keys associated with valuable digital content.

Mobile phones require a trusted execution environment (EE) to guarantee that sensitive data is stored and processed without abuse. A trusted EE is a computing environment in which execution takes place as expected. The Trusted Computing Group (TCG) uses the notion of behavioral reputation when it refers to "trusted computing" in its documents. Trusted behavior is an essential element of security: it allows one to reason about the behavior of an EE with confidence, which in turn makes the security properties of the environment analyzable. Understanding how to create and maintain a trusted EE will help make mobile phone applications like mobile payment more secure, and once customers, banks and businesses can trust that these applications are protected, adoption will increase.

In the book Security for Mobility, Chris J. Mitchell identifies the main security services for mobile computing as authentication, data integrity, data confidentiality and non-repudiation. This article shows how secure memory plays a critical role in offering these services as part of a trusted EE, including a rich access control mechanism that supports multiple stakeholders.

Trusted environments
An EE is a collection of hardware and software components that defines a computing configuration. It can be as simple as a CPU with memory, or as complex as a Java virtual machine running on top of an OS that manages a processor and several peripherals. As defined above, a trusted EE is one in which execution takes place as expected, which is what the TCG calls behavioral reputation.

Behavioral reputation is required to provide secure services. The approach taken by the TCG and others to establish it is a secure boot process that verifies that the phone boots into a "trusted state." This state is attained by checking the integrity of the code (the OS and other components) before it is executed on the phone.

However, secure boot alone is not enough to provide a trusted EE, because the system may be attacked by rogue software after it has booted. Any large OS has security holes that rogue software can exploit. A runtime integrity check is therefore recommended to reconfirm the integrity of the code, either periodically or before critical events in the system. But a runtime integrity check can only detect an attack after it has taken place. That can limit the damage, but it does not provide a trusted EE in the presence of rogue software.

Flash memory-based security
Many of the attacks on PCs and mobile phones can be traced to the attacker modifying data or code in non-volatile memory. Flash memory-based security safeguards the memory against such attacks by preventing unauthorized modification of the flash. A mobile phone that relies on enhanced security in the baseband processor alone cannot prevent modification of the flash; it can only detect a modification during an integrity check, which in certain situations is too late.

The TCG created the notion of a trusted platform module (TPM), which, when integrated into a PC, provides hardware-based security for numerous applications. A TPM is a microcontroller that stores keys, passwords and digital certificates and is typically affixed to the motherboard of a PC. The TCG's Mobile Phone Working Group extended this notion to the EE of a mobile device in its Mobile Trusted Module (MTM) standard. Unlike a TPM or MTM, flash memory-based security does not just detect a failure of integrity; it ensures that integrity is preserved under a reasonable threat model. This feature, called integrity-protected memory, is what averts an attack on the phone's non-volatile memory. An MTM without flash memory-based security can only detect a change to data or code, not prevent it, and by the time the MTM detects the change the damage may already be done.

Figure 1: Flash memory-based security embedded in a mobile phone.

Another important consequence of integrity-protected memory provided by flash memory-based security is data availability. Other approaches to trusted EE focus on data confidentiality. For example, they make sure that a user's credit card number is not readable by rogue software. However, they do not prevent a virus from deleting credit card numbers, resulting in thousands of customers not being able to use their phones to make mobile payments. Flash memory-based security provides both confidentiality and availability.

Flash memory-based security (Figure 1) is a multichip package that includes non-volatile memory (flash) and a secure processor that enforces hardware access control over that memory. The secure processor also acts as a trusted EE for providing secure services in a mobile phone. It is well suited to this role because it sits next to the non-volatile memory where the assets (integrity-protected code, data and keys) are stored, and because it is an isolated environment that executes only the software shipped as part of flash memory-based security. That isolation, together with the constrained message interface described below, gives attacks such as buffer overflows far less to work with than they have on the host OS, although it does not make the secure processor immune to bugs in its own firmware.

Figure 2 illustrates a block diagram of the secure processor. The CPU is an ARM7TDMI core running at about 60MHz. The crypto engine supports both symmetric (AES, DES, 3DES) and asymmetric (RSA) cryptography. All accesses to the flash devices, including the bypass path, are monitored by the secure processor, which acts as a gatekeeper between the host processor (baseband or application processor) and the flash. The secure services it provides are cryptographic services and secure flash memory services.

Case in point: secure processor
The secure processor provides a trusted EE for applications running on the mobile phone. The software running on the secure processor is tightly controlled by the handset OEM and the network operator, and it is isolated from the host. Only programs that are verified and trusted are installed on the secure processor. The size of the software running on the secure processor is much smaller than a typical OS running on a mobile phone, so it is easier to verify that the software is trusted. The secure processor provides the four secure services (authentication, data integrity, data confidentiality and non-repudiation) required in the context of mobile phone security. Figure 3 illustrates the software architecture of flash memory-based security.

The API implemented on the host platform provides secure memory services, as well as cryptographic services. The API converts the function calls into messages that are sent to the secure processor using the memory interface.

These messages have a well-defined syntax and semantics designed to defeat malicious-message attacks on the secure processor. Within a message, every variable-length data field starts with a special marker followed by the length of the field, so the length is known before the data is read; this is unlike C strings, whose length is known only after scanning for the null terminator. A message parser checks the syntax, and the message is not processed unless that check succeeds, which guards against buffer overflow-type attacks. The message is then routed to the appropriate agent based on a dedicated field. The agent allocates buffers of the size specified in the message and already verified by the parser. Only a limited set of messages is processed, by a limited set of agents, and both have been carefully analyzed for security holes. A message cannot cause arbitrary native code to execute on the secure processor, and messages contain no function pointers.
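The parsing discipline described above, written out as an added example in C. This is not Spansion's firmware; the wire format (agent id, field count, then marker/length/data fields), the 0xA5 marker, the 256-byte field cap and the two agents are assumptions chosen to illustrate the point. Every length is checked against both the fixed cap and the bytes actually present before any agent touches the data, the routing field is only an index into a table fixed in the firmware image, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire format (not specified in the article):
 *   byte 0      agent id (routing field)
 *   byte 1      number of fields
 *   per field   marker 0xA5, 2-byte big-endian length, then that many data bytes
 */
#define FIELD_MARKER  0xA5
#define MAX_FIELDS    4
#define MAX_FIELD_LEN 256     /* assumed per-field cap; agent buffers are sized to this */

enum agent_id { AGENT_NONE = 0, AGENT_STORE = 1, AGENT_CHECKSUM = 2, AGENT_COUNT = 3 };

struct field { const uint8_t *data; uint16_t len; };
struct msg   { uint8_t agent; uint8_t nfields; struct field f[MAX_FIELDS]; };

/* Syntax check: each length is read before its data and checked against both
 * the fixed cap and the bytes actually left in the buffer. Nothing is copied
 * or acted on until the whole message has been validated. Returns 0 if valid. */
int parse_msg(const uint8_t *buf, size_t n, struct msg *out)
{
    size_t pos = 0;
    if (n < 2) return -1;
    out->agent   = buf[pos++];
    out->nfields = buf[pos++];
    if (out->nfields > MAX_FIELDS) return -2;
    for (uint8_t i = 0; i < out->nfields; i++) {
        if (n - pos < 3) return -3;                 /* room for marker + length */
        if (buf[pos] != FIELD_MARKER) return -4;
        uint16_t len = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        pos += 3;
        if (len > MAX_FIELD_LEN) return -5;         /* exceeds agent buffer size */
        if (len > n - pos) return -6;               /* claimed length runs past the buffer */
        out->f[i].data = buf + pos;
        out->f[i].len  = len;
        pos += len;
    }
    return pos == n ? 0 : -7;                       /* no trailing bytes allowed */
}

/* Agent 1: keep a copy of a single field. The memcpy length was bounded by the parser. */
static uint8_t  slot[MAX_FIELD_LEN];
static uint16_t slot_len;

static int agent_store(const struct msg *m)
{
    if (m->nfields != 1) return -10;
    memcpy(slot, m->f[0].data, m->f[0].len);
    slot_len = m->f[0].len;
    return 0;
}

uint16_t stored_len(void) { return slot_len; }

/* Agent 2: XOR checksum over all field bytes, returned as 0..255. */
static int agent_checksum(const struct msg *m)
{
    uint8_t x = 0;
    for (uint8_t i = 0; i < m->nfields; i++)
        for (uint16_t j = 0; j < m->f[i].len; j++)
            x ^= m->f[i].data[j];
    return x;
}

/* The routing table lives in the firmware image; the message carries only an
 * index into it, which is range-checked. No pointer ever comes from the host. */
typedef int (*agent_fn)(const struct msg *);
static const agent_fn agents[AGENT_COUNT] = { NULL, agent_store, agent_checksum };

int handle_msg(const uint8_t *buf, size_t n)
{
    struct msg m;
    int rc = parse_msg(buf, n, &m);
    if (rc != 0) return rc;
    if (m.agent >= AGENT_COUNT || agents[m.agent] == NULL) return -8;
    return agents[m.agent](&m);
}

int main(void)
{
    /* constructed messages */
    const uint8_t good[]    = { AGENT_STORE, 1, FIELD_MARKER, 0x00, 0x03, 'k', 'e', 'y' };
    const uint8_t liar[]    = { AGENT_STORE, 1, FIELD_MARKER, 0x01, 0x00, 'x' }; /* claims 256 bytes, carries 1 */
    const uint8_t noagent[] = { 9, 0 };
    printf("good:    %d (stored %u bytes)\n", handle_msg(good, sizeof good), stored_len());
    printf("liar:    %d\n", handle_msg(liar, sizeof liar));
    printf("noagent: %d\n", handle_msg(noagent, sizeof noagent));
    return 0;
}
```

The "liar" message is the case the article's length-before-data design exists for: the header promises 256 bytes but only one follows, and the parser rejects it before any agent allocates or copies anything.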

Figure 2: Flash memory-based security block diagram.

Secure flash memory services
The secure processor provides secure memory services, including the storage of keys, certificates, code and data. The access rights to these objects are specified according to the security needs of the applications using them.

Secure partitioning
The non-volatile memory can be divided into separate memory partitions, each with its own access control. There is one hardware-enforced access control for read, another for program/erase, and a third for changing the access rights of the partition. Access can be controlled by a password or, for increased security, by PKI authentication. Different stakeholders create these partitions at different lifecycle stages. For example, the network operator can create a "code partition" that contains the OS and other certified software installed by the operator. This partition allows read access without any authentication so that the code can execute freely, while program/erase requires PKI authentication from the network operator. This prevents rogue software running on the host platform from modifying the code partition, and so maintains the integrity of the OS and related software at all times, not just during secure boot.

Secure partitioning with a rich access control provides data integrity and data confidentiality. The partition can be protected against unauthorized read using password protection or PKI authentication. This provides the necessary data confidentiality. The partition can be protected against unauthorized write in a similar way, resulting in data integrity.

The access control also has an additional feature that governs the availability of individual partitions. For example, the main code partition can be locked for read until a "simlock check" (verification that the SIM is one the phone is allowed to operate with) has succeeded. This enforces the policy that the phone cannot be used without a successful simlock check.
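An added example, in C, of the partition access-control model described in the "Secure partitioning" paragraphs and the simlock gating just above. It is not Spansion's implementation: the partition table, stakeholders, passwords and the allowed network code are constructed, and only password authentication is modeled (the article's PKI authentication option is left out; it would add an RSA challenge-response without changing the gating logic). What it shows is the part that matters for integrity: read, program/erase and change-rights are three independent gates, the credential needed for one does not satisfy another, and an unauthenticated host can read code but can neither modify it nor relax the rights.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

enum op          { OP_READ, OP_PROGRAM_ERASE, OP_CHANGE_RIGHTS, OP_COUNT };
enum auth        { AUTH_NONE, AUTH_PASSWORD };   /* article also allows PKI auth; not modeled here */
enum stakeholder { SH_OPERATOR = 1, SH_OEM = 2, SH_USER = 3 };
enum verdict     { ALLOW = 0, DENY_SIMLOCK = 1, DENY_AUTH = 2, DENY_BAD_REQUEST = 3 };

/* Constructed credentials; in the device these would be held inside the secure processor. */
static const char *const password_of[] = { NULL, "operator-pw", "oem-pw", "user-pin" };
static const char allowed_plmn[] = "310260";     /* constructed simlock value (MCC+MNC) */

struct gate { enum auth kind; enum stakeholder who; };   /* who may satisfy this gate */
struct partition {
    const char *name;
    struct gate gate[OP_COUNT];     /* one independent gate per operation class */
    bool read_needs_simlock;        /* availability policy, separate from the gates */
};
/* A session records what the host has proven to the secure processor so far. */
struct session { uint8_t authed_mask; bool simlock_ok; };

/* Length-independent compare: scans all of a, no early exit on first mismatch. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

bool authenticate(struct session *s, enum stakeholder who, const char *password)
{
    if (who < SH_OPERATOR || who > SH_USER) return false;
    if (!ct_equal(password_of[who], password)) return false;
    s->authed_mask |= (uint8_t)(1u << who);
    return true;
}

bool simlock_check(struct session *s, const char *sim_plmn)
{
    s->simlock_ok = ct_equal(allowed_plmn, sim_plmn);
    return s->simlock_ok;
}

enum verdict check_access(const struct partition *p, enum op which, const struct session *s)
{
    if (which >= OP_COUNT) return DENY_BAD_REQUEST;
    if (which == OP_READ && p->read_needs_simlock && !s->simlock_ok) return DENY_SIMLOCK;
    const struct gate *g = &p->gate[which];
    if (g->kind == AUTH_NONE) return ALLOW;
    return (s->authed_mask & (1u << g->who)) ? ALLOW : DENY_AUTH;
}

/* Changing a gate is itself gated, by the third, separate gate. */
enum verdict change_rights(struct partition *p, enum op which, struct gate new_gate, const struct session *s)
{
    if (which >= OP_COUNT) return DENY_BAD_REQUEST;
    enum verdict v = check_access(p, OP_CHANGE_RIGHTS, s);
    if (v != ALLOW) return v;
    p->gate[which] = new_gate;
    return ALLOW;
}

struct partition parts[] = {
    /* code: readable by anyone once simlock passes; only the operator may program;
       only the OEM may change these rights */
    { "code",      { { AUTH_NONE, SH_OPERATOR }, { AUTH_PASSWORD, SH_OPERATOR }, { AUTH_PASSWORD, SH_OEM } }, true },
    /* user keys: the user authenticates to read or write; rights are fixed by the OEM */
    { "user_keys", { { AUTH_PASSWORD, SH_USER }, { AUTH_PASSWORD, SH_USER },     { AUTH_PASSWORD, SH_OEM } }, false },
};

int main(void)
{
    struct session host = { 0, false };   /* untrusted host software, nothing proven yet */
    printf("read code before simlock:  %d\n", check_access(&parts[0], OP_READ, &host));
    simlock_check(&host, allowed_plmn);
    printf("read code after simlock:   %d\n", check_access(&parts[0], OP_READ, &host));
    printf("program code, no auth:     %d\n", check_access(&parts[0], OP_PROGRAM_ERASE, &host));
    authenticate(&host, SH_OPERATOR, "operator-pw");
    printf("program code as operator:  %d\n", check_access(&parts[0], OP_PROGRAM_ERASE, &host));
    struct gate relaxed = { AUTH_NONE, SH_OPERATOR };
    printf("operator relaxes rights:   %d\n", change_rights(&parts[0], OP_PROGRAM_ERASE, relaxed, &host));
    return 0;
}
```

The last call is the case that distinguishes this model from a plain write lock: even an authenticated operator cannot open the code partition to unauthenticated writes, because the change-rights gate belongs to a different stakeholder.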

Figure 3: An illustration of flash memory-based security software architecture.

Storage objects
Flash memory-based security is used for storing data, code, keys, certificates and counters. Mobile devices normally store keys in ROM, which is less flexible and more limited in size than flash. Storing keys encrypted in ordinary non-volatile memory provides confidentiality, but it does not prevent the keys from being wiped out by rogue software. Flash memory-based security allows a virtually unlimited number of keys to be stored, and more can be added at any time through an OTA update. Confidentiality, integrity and authenticity follow from storing each object in a partition with the appropriate access rights.

On-the-fly encryption
The secure processor provides an on-the-fly encryption feature. This allows the host to send plaintext to the memory, which is encrypted as it is written to the flash. The encryption algorithm used is AES-CTR. Note that CTR mode provides confidentiality only; it does not detect modification of the ciphertext, so the tamper resistance of encrypted data still rests on the partition's program/erase protection.

Cryptographic services
The cryptographic services are a subset of the PKCS#11 API. The API is independent of the host platform and supports symmetric-key and public-key cryptography. It converts function calls into messages to the secure processor, where they are serviced by the crypto flash core. The integrity and confidentiality of the keys are well protected because they never leave the secure processor. These cryptographic services allow a secure communication channel to be established between the secure processor and an external server whose security does not depend on the host platform. This enables secure implementations of applications such as FOTA (firmware over-the-air updates) and mobile commerce. The secure processor also provides strong device authentication, since the root key never leaves it.

Flash memory-based security provides a trusted EE as well as a secure non-volatile memory with a rich access control mechanism that supports multiple stakeholders. Secure non-volatile memory with PKI authentication means that the integrity of code and data is protected, giving strong data integrity and confidentiality. Authentication and non-repudiation follow from the secure processor being an isolated trusted EE with an embedded crypto flash core. In addition, secure non-volatile memory keeps the data available at all times, a property that encryption alone cannot provide. Using cryptography, other solutions such as MTM can detect that data has been tampered with, but cannot protect against the tampering. If it is not prevented, a virus can destroy credit card numbers on thousands of phones, making it impossible for customers to make mobile payments.

Integrity-protected memory provided by flash memory-based security makes key provisioning more flexible. There is more room for storing cryptographic keys and digital certificates. Further, the keys can be updated over the air.

Many of the attacks on PCs and mobile phones can be traced to the attacker modifying data or code in non-volatile memory. Flash memory-based security safeguards the memory against such attacks, which other mobile security approaches cannot do. Approaches such as MTM or baseband security rely on secure boot and runtime integrity checks to detect changes to code or data; modified code may already have abused sensitive data by the time the runtime integrity check detects it. Preventing tampering with data and code, not merely detecting it, is what is needed to build a trusted EE.

Using flash memory-based security to create and maintain a trusted EE will help make advanced mobile phone applications like mobile payment secure and reliable, increasing their adoption by institutions and consumers.

About the author
Venkat Natarajan is a Spansion fellow in the company's security and advanced technology division.
