Transcript 2008-11-11

Is the Operating System the Right Place to Address
Mobile Phone Security?
Craig Heath
Principal Product Manager, Security & Privacy
Copyright © 2008 Symbian Software Ltd.
Page: 1
Topics
• What we mean by a “secure” mobile phone
• What approaches are possible (“who trusts whom to do what?”)
• What measures can be taken by the operating system
• How effective those measures have been in practice
• Whether the “costs” of the security measures are fairly distributed
• How the economics can be adjusted for better advantage
• How operating system security can cooperate with other measures
• Open discussion
What is a “Secure” Mobile Phone – Who’s Asking?
(diagram: the stakeholders arranged around the question)
• technology partners
• OS vendor
• aftermarket s/w vendors
• content creators
• content distributors
• phone manufacturers
• network operators
• enterprise IT admins
• phone users
What do the Stakeholders in the Value Chain Care About?
• Operating system vendor
… Meet the phone manufacturers’ requirements, match or beat competitors on (security) features
• Technology partners
… Maximise their revenue (find security nails for their hammers)
• Phone manufacturers
… Meet the network operators’ requirements (usually), meet the phone users’ expectations (protect reputation), minimise liability for security breaches (particularly DRM)
• Aftermarket software vendors (tools and utilities)
… Maximise their revenue (find security nails for their hammers)
• Network operators
… Protect the network infrastructure, maximise their revenue, minimise their costs (particularly support costs)
• Content creators (application software and entertainment media)
… Maximise their revenue, protect their intellectual property
• Content distributors
… Maximise their revenue (control of distribution channels)
• Enterprise IT administrators
… Protect company confidential information, minimise support costs
• Phone users
… Don’t want to care about security
What Security Measures are Available?
• Operating system vendor
… OS platform security
• Technology partners
… secure execution environments, other “security elements” (e.g. TPM), virtualisation, middleware, DRM agents
• Phone manufacturers
… patch management, “kill bits”
• Aftermarket software vendors (tools and utilities)
… non-native execution environments (including browser), antivirus
• Network operators
… device settings management, revocation, “cloud” services, billing advice and dispute resolution, SIM applications
• Content creators (application software and entertainment media)
… software activation keys, license management
• Content distributors
… DRM wrappers
• Enterprise IT administrators
… software inventory management, security policy settings
• Phone users
… responses to security prompts (trust decisions)
So, “Who Trusts Whom to do What?” (very simplified)
• A “secure mobile phone” must meet the phone users’ expectations:
… always to be able to make and receive voice calls
• no blue screens, “Ctrl-Alt-Del”, applications stealing focus
… not to be presented with unauthorised charges
• Pay-as-You-Go or flat-rate customers often pay a premium for predictability
… not to have their (or their contacts’) private information misused
• your phone feels like a safe place to hold your data as it’s carried with you
• Phone users trust the phone vendor to supply a device that meets these expectations
… the phone vendor is often the network operator
• Network operators trust the phone manufacturers to provide devices that resist attack
• Phone manufacturers trust the Operating System to correctly enforce the security policies that they configure
Symbian OS Platform Security Objectives
• Privacy: protect confidentiality of user data
• Reliability: protect system integrity
• Defensibility: resist malware, financial fraud, network attacks
• Unobtrusiveness: don’t compromise the user experience
• Openness: innovative 3rd-party applications
• Trustworthiness: “does what it says on the tin”
Symbian OS Platform Security Architecture
• Run-time controls on add-on applications
• Based on long-established security principles
… e.g. “Trusted Computing Base”, “Least Privilege”
• Introduced in Symbian OS v9 (Q1 2006)
• “Capabilities” determine process privileges
… Checked by APIs which offer security-relevant services
• “Data Caging” protects stored data
… Protected directories for system and for applications
• Secure identifiers (“SIDs”) for applications
… Verified at install-time
Capabilities and the Least-Privilege Principle
(diagram: concentric trust levels, from the TCB outwards to user capabilities)
• Trusted Computing Base (TCB): full access to all APIs and files (kernel, installer, file server)
• Trusted Computing Environment (TCE): servers with “system capabilities” (ESock, ETel, L.B.S., contacts, agenda, messaging, multimedia)
• “User capabilities”: ReadUserData, WriteUserData, NetworkServices, LocalServices, UserEnvironment, Location
• Most 3rd party apps need only “user capabilities”
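As an added illustration of the two architecture slides above (capability checks at API boundaries, data caging by directory, and a per-process SID), here is a simplified Python model; it is not Symbian code. The capability names come from the slide; the API requirements, the directory rules for \sys, \resource and \private\<SID>, and the SIDs are assumptions simplified from the v9 model.

```python
# Added example (not Symbian code): a simplified model of the v9 platform
# security checks. Capability sets follow the slide; everything else is assumed.
from dataclasses import dataclass

USER_CAPS = frozenset({"ReadUserData", "WriteUserData", "NetworkServices",
                       "LocalServices", "UserEnvironment", "Location"})
SYSTEM_CAPS = frozenset({"TCB", "AllFiles"})  # only two system caps modelled


@dataclass(frozen=True)
class Process:
    sid: str          # secure identifier, fixed at install time
    caps: frozenset   # capabilities granted at install time, never at run time


def api_allowed(proc, required):
    """A server API checks that the caller holds every capability it needs."""
    return frozenset(required) <= proc.caps


def cage_allowed(proc, path, write=False):
    """Data caging, simplified (assumed rules, not the full v9 policy):
    \\sys: read needs AllFiles, write needs TCB
    \\resource: read by anyone, write needs TCB
    \\private\\<SID>: the owning SID has full access, others need AllFiles
    anywhere else: unrestricted"""
    parts = path.lower().lstrip("\\").split("\\")
    top = parts[0]
    if top == "sys":
        return "TCB" in proc.caps if write else "AllFiles" in proc.caps
    if top == "resource":
        return "TCB" in proc.caps if write else True
    if top == "private":
        owner = len(parts) > 1 and parts[1] == proc.sid.lower()
        return owner or "AllFiles" in proc.caps
    return True


def least_privilege_report(proc):
    """What a process can and cannot do; API requirements are illustrative."""
    return {
        "read_contacts_api": api_allowed(proc, {"ReadUserData"}),
        "open_socket_api": api_allowed(proc, {"NetworkServices"}),
        "install_api": api_allowed(proc, {"TCB"}),
        "own_private_dir": cage_allowed(proc, f"\\private\\{proc.sid}\\cfg.ini", write=True),
        "other_private_dir": cage_allowed(proc, "\\private\\e0000001\\data.db"),
        "read_sys_exe": cage_allowed(proc, "\\sys\\bin\\app.exe"),
        "write_resource": cage_allowed(proc, "\\resource\\apps\\icon.mbm", write=True),
    }


# Constructed SIDs: a third-party app holding only user capabilities, and a
# hypothetical TCB component holding system capabilities as well.
THIRD_PARTY = Process(sid="e0001234", caps=USER_CAPS)
PRIVILEGED = Process(sid="00000001", caps=USER_CAPS | SYSTEM_CAPS)
```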
Judging the Success of a Security Architecture
• Is the system secure?
… concrete block has excellent security properties
• but poor information processing performance
… is the system secure enough?
• is the security policy enforced sufficiently effectively?
• there will be a point of “diminishing returns”
• Is the resulting system better?
… simple economics: does the benefit exceed the cost?
… but benefit and cost may be difficult to measure quantitatively
• benefits include attacks that don’t happen (deterrence)
• costs include inconvenience (reduced usability)
Symbian OS – is it Secure Enough?
• Symbian OS is the biggest target for malware
… Over 200 million phones shipped with Symbian OS
… 46.6% of worldwide smartphone market in Q3 2008 [Canalys]
• 2nd Apple (17.3%), 3rd RIM (15.2%), 4th Microsoft (13.6%), 5th Linux (5.1%)
• Symbian OS platform security in phones from March 2006
… Small increase in new Symbian OS malware in 1H 2006
• Interest raised by v9 security feature press coverage?
… Significant reduction in overall numbers in 2006 and 2007
• Lack of interest in “old” (v6, v7, v8) security holes?
• Increasing proportion of Symbian OS-based phones on v9
• No malware found on Symbian OS v9-based phones
… 2½ years and counting...
Effect of Symbian OS Platform Security on Malware
(chart: quarterly counts of new strains and variants of Symbian OS malware, Jun-04 to Dec-08, y-axis 0 to 18; the point in early 2006 is marked “First phones introduced with platform security”)
Symbian OS – Who Benefits from the Security?
• Phone Manufacturers
… protection of reputation leading to increased phone sales
… reduced risk of liability for device vulnerabilities
• Network Operators
… reduction of support costs due to malware-infected phones
… protection of network infrastructure (e.g. from DDoS attacks)
• Application Developers (ISVs)
… larger market for third-party smartphone applications, due to
• increased adoption of open phones by manufacturers and operators
• increased user confidence leads to more willingness to purchase apps
• End Users
… protection of personal data and reduced risk of malware
Symbian OS – Who Pays for the Security?
• Phone Manufacturers
… high initial development costs of migrating UI software to the new
security model, ongoing porting costs
• Network Operators
… give up some control in supporting an open standard security policy
• risk of lost revenue to third-party services (e.g. free VoIP clients)
• Application Developers
… pay to have their software approved by Symbian Signed
• feel as if they are being charged for access to APIs
• have difficulties deploying “open beta” software
• End Users
… inconvenienced by binary incompatibility with previous versions
How Do We Know if the Costs are Fairly Distributed?
• Costs and benefits are hard to quantify
… how much value to put on “inconvenience”?
• could include lost sales, missed opportunities for innovation
• Best approximation is how happy each stakeholder is
… or how loud they complain!
… need however to consider perception vs. reality
• Are stakeholders asking for more or less security?
… phone manufacturers are mostly content
… end users are mostly content (“ignorance is bliss?”)
… network operators are asking for more security
• OMTP Application Security Framework, Advanced Trusted Environment
… application developers are asking for less security
• Symbian Signed is a very visible inconvenience for many
How Do We Know if We are Paying Too Much Overall?
• Where is the point of diminishing economic returns?
… adding to the costs beyond this point won’t provide enough benefit
… to find this point we need to quantify the costs and benefits
• Measuring security benefits is hard
… Ross Anderson, 2001
• “Why Information Security is Hard – An Economic Perspective”
… or rather more flippantly:
• Why do elephants paint their toenails red?
• So they can hide in cherry trees!
• You’ve never seen an elephant in a cherry tree?
• See how well it works!
The Economics of the Symbian OS Security Model
• The economics of a security model is critical for its success
• Arguably, too much has been invested over the past two years
… malware has been reduced to effectively zero
• could this have been achieved at less cost?
• Maintaining a zero level of malware isn’t desirable
… we need to see the occasional elephant in the cherry tree
… threats should be managed to acceptable levels
• similar to banks defining an acceptable level of card fraud
• The costs may be unfairly distributed (“externalities”)
… network operators may not be paying enough for security
• or the costs may not be visible enough to them
… application developers may be paying too much
• or the benefits may not be visible enough to them
How Can We Adjust the Economic Incentives?
• Marketing security to application developers
… perhaps promoting use of platform security for copy protection?
• Reducing the inconvenience for application developers
… Symbian Signed is continually evolving
• Open Signed Online went live in March, replacing free developer certs
… perhaps making more capabilities user-grantable?
• Involving network operators more directly in the security model
… working with them so they will set up network infrastructure for
revocation and quarantine of malware
… finding a way for network operators to subsidise application testing?
… enabling network operators to contribute directly to security feature
development (a possibility with the Symbian Foundation)
Is the Operating System the Best Place?
• Obviously, the OS is the best place (for Symbian!)
… It is effective, as seen by the effect on malware
… It has little marginal cost (although it was expensive to implement)
… It is necessary
• Applications and services that directly provide the user experience require
the operating system to provide data protection and control access to
hardware resources
• But it can’t stand alone
… The OS can’t know whether it has been tampered with – this requires
some external element (usually secure boot hardware or an external
monitor like a Trusted Platform Module)
• Defence in depth is a Good Thing
… When properly combined, multiple security mechanisms can mitigate
the failure of a single mechanism
Do We Have Enough Security?
• We must continue developing new security features
… the threat landscape is evolving
• attackers are always developing new techniques
• PCs are becoming a harder target
… Vista User Account Control, TPMs, hypervisors, etc.
• the “business model” for malware may start to favour mobile phones
… there is a very long lead time
• up to 2 years to start shipping a feature in phones
• months or years after that to significant adoption by the user base
… if we “overcorrect” investment it will take a long time to recover
• But, security features must be designed to be “tuneable”
… business decisions are best made late in the product cycle
… as Bruce Schneier often says, investment in prevention of attacks must
go hand-in-hand with investment in detection and response
Cooperation Across the Value Chain
• Cooperation to ensure malware doesn’t get out of control
… GSMA / OMTP working groups
• OS Vendors, Technology Partners and Device Manufacturers
… Improve platform security to mitigate possible damage from malware
• Making use of security hardware to monitor the OS integrity
… Tight integration with specialist security suppliers (anti-virus, firewall, etc.)
• After-market Software Vendors, Content providers and Distributors
… Take advantage of digital signatures to promote trustworthy channels for applications and content
• Enterprise IT Administrators and Network Operators
… Provide infrastructure for application lifecycle management, including revocation and patching
• End users
… Value security, think about security prompts, but DON’T PANIC!