INTRODUCING THE SAMSUNG KNOX PLATFORM
Peng Ning
10/28/2013 © Samsung 2013. All rights reserved.

Background: Android in the Enterprise
• Top 3 reasons for poor Android acceptance in the enterprise:
  - Fear of OS compromise
  - No protection against data leakage
  - Limited policy controls and management

Introducing Samsung KNOX
(Figure: KNOX platform overview; recovered labels: IT Policies, MDM APIs)

Multi-layered Approach to OS Security
(Figure: layered OS security model; no further text recovered)

Secure Boot Verification
• Each boot loader verifies the next boot loader in the chain by authenticating its signature using a public key certificate chain
  - The root of trust is a Samsung root certificate, which is verified by the ROM code
• Special needs of government customers with high security demands
  - Maintain the root of trust and code signing by the government
  - KNOX solution: Customizable Secure Boot

Customizable Secure Boot (CSB)
(Figure, two device paths from manufacture; recovered content follows)
• Multiple root certificates, Samsung and Government, are installed at manufacture time
• Samsung root: for consumer devices
• Government root: reserved for governments, never used by Samsung
• Devices purchased by regular consumers boot under the Samsung root and are used by consumers
• Devices purchased by a Government Trusted Contractor (GTC): the GTC executes a take-over tool provided by Samsung, and the devices are then used by government employees under the Government root
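The two secure boot slides above describe the check in prose. The program below is an added Go example written for this page, not Samsung's or the ROM's code. It models the chain of trust with ECDSA P-256 keys (a root key certifies an image-signing key, and the signing key signs each stage), verifies the stages in boot order, and shows the Customizable Secure Boot idea as a device carrying both a Samsung and a Government root with a selectable active root. The stage contents, the key roles, and the idea that the take-over tool works by selecting a different installed root are assumptions made for the example; the real chain uses X.509 certificates rather than a bare root signature over a public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Device holds the root public keys installed at manufacture time (CSB slide)
// and the index of the one the ROM trusts. Hypothetical model, not Samsung's code.
type Device struct {
	Roots      []*ecdsa.PublicKey
	ActiveRoot int
}

// SignedImage is one boot stage as the previous stage sees it; CertSig is the
// root's signature over the signer key, a one-level stand-in for a certificate.
type SignedImage struct {
	Code    []byte
	Signer  []byte // DER (PKIX) encoding of the signer's public key
	CertSig []byte // root signature over sha256(Signer)
	CodeSig []byte // signer signature over sha256(Code)
}

// must panics on error: signing-infrastructure failures have nowhere to go here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

func sign(k *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(ecdsa.SignASN1(rand.Reader, k, h[:]))
}

// MakeImage is the offline code-signing step: root certifies signer, signer signs code.
func MakeImage(code []byte, root, signer *ecdsa.PrivateKey) SignedImage {
	pub := must(x509.MarshalPKIXPublicKey(&signer.PublicKey))
	return SignedImage{Code: code, Signer: pub, CertSig: sign(root, pub), CodeSig: sign(signer, code)}
}

// VerifyStage is what each boot loader does before jumping to the next stage.
func (d *Device) VerifyStage(i int, img SignedImage) error {
	certHash := sha256.Sum256(img.Signer)
	if !ecdsa.VerifyASN1(d.Roots[d.ActiveRoot], certHash[:], img.CertSig) {
		return fmt.Errorf("stage %d: signer not certified by the active root", i)
	}
	parsed, err := x509.ParsePKIXPublicKey(img.Signer)
	signer, ok := parsed.(*ecdsa.PublicKey) // ok is false when parsed is nil
	if err != nil || !ok {
		return fmt.Errorf("stage %d: unusable signer key", i)
	}
	codeHash := sha256.Sum256(img.Code)
	if !ecdsa.VerifyASN1(signer, codeHash[:], img.CodeSig) {
		return fmt.Errorf("stage %d: image signature invalid", i)
	}
	return nil
}

// SecureBoot walks the chain in order and refuses to continue past a bad stage.
func (d *Device) SecureBoot(chain []SignedImage) error {
	for i, img := range chain {
		if err := d.VerifyStage(i, img); err != nil {
			return err
		}
	}
	return nil
}

// Demo: a consumer device boots a Samsung-signed chain; after the GTC take-over
// selects the Government root it no longer does; a tampered kernel never does.
func Demo() (consumerOK, afterTakeoverOK, tamperedOK bool) {
	samsungRoot, govRoot, signer := newKey(), newKey(), newKey()
	dev := &Device{Roots: []*ecdsa.PublicKey{&samsungRoot.PublicKey, &govRoot.PublicKey}}
	chain := []SignedImage{ // constructed stand-ins for SBL, aboot and boot.img
		MakeImage([]byte("constructed SBL bytes"), samsungRoot, signer),
		MakeImage([]byte("constructed aboot bytes"), samsungRoot, signer),
		MakeImage([]byte("constructed kernel bytes"), samsungRoot, signer),
	}
	consumerOK = dev.SecureBoot(chain) == nil
	dev.ActiveRoot = 1 // take-over modelled as selecting the Government root (assumption)
	afterTakeoverOK = dev.SecureBoot(chain) == nil
	dev.ActiveRoot = 0
	chain[2].Code[0] ^= 0x01 // flip one bit of the kernel image
	tamperedOK = dev.SecureBoot(chain) == nil
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The point to take from the third case is that the signature check is over the whole image, so any modification after signing, not just a swapped loader, stops the chain; the point of the second case is that a chain signed under one root is simply unknown to a device whose root of trust has been switched.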
SE for Android
• SE (Security Enhancement) for Android
  - Mandatory access control (MAC)
  - An effort to port SELinux to Android
  - Started by NSA (Stephen Smalley) and adopted by Android
• Why do we need SE for Android?
  - Android uses user-based Discretionary Access Control (DAC)
  - Application sandbox: each app (or group of apps) runs with a unique UID
  - However, rooting the device allows apps to run as the privileged "root" user with full access to all system resources
    o Malicious applications may take control of the device
  - SE for Android has demonstrated success against many rooting attacks
    o NDSS 2013

Key Characteristics of SE for Android
• Partitions the system into distinct security domains
• Within each domain, applications are given only the permissions required for their tasks
• Minimizes the damage that can be caused by malicious or flawed applications
• Renders "rooting" less effective, since even applications that run as the root user are subject to mandatory access control

TIMA
• TIMA stands for TrustZone-based Integrity Measurement Architecture
  - A suite of system integrity features
• Leverages the ARM TrustZone framework
  - Hardware-level security guarantee

ARM TrustZone
• Two worlds: secure world and normal world
• Hardware-enforced isolation between the two worlds
• Source: http://www.arm.com
TIMA Features
• TIMA trusted boot
  - In conjunction with secure boot, measures the key boot loaders and the kernel image
  - Detects and records the presence of unauthorized boot loaders and kernels
• TIMA attestation
  - Remote attestation of boot loader and kernel fingerprints, based on trusted boot
• TIMA key store
  - Key store that functions only when authorized boot loaders and kernel have been booted
• TIMA kernel protection
  - LKMAuth: load-time authentication of kernel modules
  - PKM: periodic measurement of base kernel code and read-only data
  - RKP: real-time kernel protection

TIMA Trusted Boot
• Trusted boot
  - Collects and preserves "evidence" of the boot loaders and kernel (hash values of the binaries)
  - The evidence is used to support future decisions (e.g., attestation)
• Why do we need trusted boot?
  - Secure boot is limited
    o After booting, it does not tell you which version is running
    o It suffers from boot loader vulnerabilities (e.g., aboot vulnerabilities)
  - Samsung does not want to lock the kernel on all models
    o Example: only the AT&T and Verizon GS4 have kernel lock
    o Other GS4 models are rootable through a recovery image
    o Note the risk of rooting: an improper kernel may damage the phone
  - Both would threaten the security of enterprise applications

TIMA Trusted Boot (Cont'd)
• Trusted boot
  - Boot loaders and the kernel are measured before they are executed
  - Measurements are saved in the TrustZone secure world
• Measured boot chain (figure): ROM → SBL → OS boot loader → boot.img (kernel). Each stage loads, measures, and executes the next; the measurements are saved in TZ secure memory by the TZ execution environment

TIMA Attestation
• Attestation
  - A device proves its software integrity to a remote server
• Why do we need attestation in KNOX?
  - No kernel lock on many models
  - Potential boot loader vulnerabilities (e.g., aboot vulnerabilities)
  - KNOX uses TIMA attestation to verify device integrity before turning on the enterprise features
• Properties to be confirmed during attestation
  - The boot loaders and kernel required by KNOX are running on the device
  - SE for Android is in enforcing mode

TIMA Attestation (Cont'd)
• Hardware foundation
  - Each device has a unique public/private key pair with a public key certificate
  - Only available on selected models (Note 3 and derived models)
• Enables devices to attest to the currently running boot loaders and kernel
• Measurements are taken during trusted boot and stored in secure memory
• The remote attestation is executed on the device inside TrustZone
• Protocol (figure):
  1. The attestation server sends a random nonce N
  2. The device retrieves the measurements M and computes Sig = Sign(M, N), performed in the TrustZone secure world
  3. The device returns M, N, Sig, Certs
  4. The server verifies M and Sig
• Security benefits:
  - A KNOX container can be created only if the attestation result is positive
  - The server can learn the exact version of software running on the devices

TIMA Keystore
• TIMA Keystore
  - Cryptographic keys can be installed in the TIMA key store
    o Used for eCryptfs keys in KNOX; will be released to all app developers in the next version
  - Keys can be retrieved only if:
    o the measurements of the boot loaders and kernel image match authorized binaries, and
    o SE for Android protection is in enforcing mode
  - Enhanced security compared with the Android keystore
• Figure: a KNOX app in the normal world installs and retrieves keys; the TIMA Keystore key slots live in the secure world and are gated by the trusted boot measurements
TIMA Kernel Protection
• TIMA measures the integrity of the kernel using three techniques:
  1. Authenticating Linux kernel modules as they are dynamically loaded (LKMAuth)
  2. Periodic kernel measurement, verifying kernel code, read-only data, and vectors (PKM)
  3. Real-time kernel protection, mediating modifications of kernel code pages (RKP)

Multi-faceted Application Security
• Application container
• Security of data-in-transit (DIT)
• Encryption of data-at-rest (DAR)
• Smart card support
• Enterprise Single Sign-On with AD
• File system integrity

Application Container (1/2)
• The KNOX Container is a virtual Android environment within the device, complete with its own home screen, launcher, applications, and widgets
  - The container enables enterprise IT to isolate enterprise applications and data in a secure environment
  - Applications and data running inside the container cannot interact with applications and data outside the container
• Eliminates the "data leakage problem" associated with Bring Your Own Device (BYOD) and Corporate-Owned Personally Enabled (COPE) deployments
• Figure: the KNOX Container Environment alongside the Personal Environment
• Activated by a KNOX-compliant MDM system or AD/GPM*
  * requires Centrify Corp.'s Container Management Solution

Application Container (2/2)
• Upon creation, the container is populated with a set of utility applications: email, calendar, browser, camera, etc.
  - Additional applications may be downloaded from the KNOX app store, or pushed by the MDM system
• The container uses an eCryptfs-based file system with AES 256-bit encryption
• The container supports a variety of policies to allow remote IT configuration and management
Single Sign-On With Enterprise Identity
• Active Directory-based SSO is built into the KNOX platform
• KNOX takes SSO to the next level with "Zero Sign-On" for mobile apps
• One-click access to thousands of mobile apps
• Leverages AD credentials and AD role-based authorization to apps
• Supports rich/native apps and mobile web apps
• Simple KNOX SSO SDK available for mobile app developers

Using SSO on KNOX
• Figure: Mobile Web App SSO and Rich Mobile App SSO flows (screenshots; no further text recovered)

KNOX Integration with Active Directory
• Enroll the KNOX device into Active Directory to create the user's container
• Two benefits:
  1. Manage the KNOX container/device using Active Directory Group Policy (MDM)
  2. Use the same identity to silently sign on to cloud apps and services (SSO)
• Figure: the KNOX Android framework enrolls with the enterprise identity in Active Directory; the container is then managed with AD/Group Policy Manager, and the same identity is leveraged for SSO to intranet and SaaS apps via Centrify SSO (SaaS)

Active Directory-based MDM of KNOX
• AD-based Group Policy management for KNOX containers and devices
• Cloud-based service deploys in minutes, leveraging existing infrastructure
• Lower cost of ownership with self-service and full lifecycle automation
• Supports all SAFE v4 policies and KNOX policies
• Unified cross-platform device and desktop management

Per-app VPN Protects Data-in-Transit
• The per-app VPN feature enables IT admins to selectively enforce secure VPN connectivity only for enterprise apps, including web-based (SaaS) apps
• Eliminates personal applications congesting enterprise VPN resources
• Protects consumer privacy by not sending personal application data via the enterprise network
Device Encryption Protects Data-at-Rest
• The KNOX On-Device Data Encryption (ODE) feature encrypts data on the entire device using a 256-bit AES cipher:
  - The encryption spans the device's internal storage as well as the external SD card
  - The key used for encryption is derived from the user-supplied password or passcode
  - Full device encryption may be activated by the user, or remotely by the IT admin as a policy setting
• NIST FIPS 140-2 certification is pending

Smart Card Support
• Samsung KNOX supports US Department of Defense issued smart cards, aka Common Access Cards (CACs)
  - Used by active-duty military, selected Reserve, DoD civilian employees, and some contractors
  - Requires a compatible Bluetooth CAC reader such as the baiMobile™ 3000MP Bluetooth® Smart Card Reader
• The browser, email, and VPN clients use credentials on the CAC if configured by the IT admin
  - Other applications may also utilize the CAC via well-defined PKCS #11 APIs
• KNOX also supports two-factor authentication for the device lock screen using the CAC

File System Integrity Service
• The KNOX Integrity Service performs an on-demand scan of the device and helps identify any integrity breach
  - For example, an unexpected change in the file structure or an unapproved APK
• The integrity measurement is primarily based on a scan of the file system on the Android device:
  - The /system folder is completely scanned
  - 3rd-party APKs that are part of the "baseline" are also scanned
• This service requires the use of a compatible MDM system, e.g., Fixmo Sentinel
• Figure: an MDM Console with Integrity Mgmt talks to the MDM Agent and the Integrity Svc Agent (Fixmo) on the device; apps and container apps sit above the Integrity Svc Layer, the KNOX Container, the Android Framework, and SE Android
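The following program is an added Go example written for this page, not the KNOX Integrity Service or Fixmo Sentinel code. It implements the baseline-and-scan logic the slide describes over a constructed in-memory file system: the scope is everything under /system plus APKs, a baseline fingerprint is taken from a clean device, and a later scan is compared against it to report modified, added and removed files while ignoring user data. The file paths, contents and the exact scope rule are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Files is a constructed in-memory stand-in for the device file system
// (path -> content), so the example runs without a device.
type Files map[string][]byte

// Fingerprint maps an in-scope path to the hex sha256 of its content. Taken on a
// known-good device it is the baseline; taken later it is the scan result.
type Fingerprint map[string]string

// inScope follows the slide: everything under /system, plus APKs. An APK present
// at scan time but absent from the baseline surfaces as an unapproved APK.
func inScope(path string) bool {
	return strings.HasPrefix(path, "/system/") || strings.HasSuffix(path, ".apk")
}

// Scan fingerprints the in-scope files; user data outside scope is ignored.
func Scan(fs Files) Fingerprint {
	fp := Fingerprint{}
	for path, data := range fs {
		if inScope(path) {
			h := sha256.Sum256(data)
			fp[path] = hex.EncodeToString(h[:])
		}
	}
	return fp
}

// Violation is one difference between the baseline and a later scan.
type Violation struct{ Kind, Path string }

// Compare reports added, removed and modified entries, sorted by path so that
// reports are stable across runs.
func Compare(baseline, current Fingerprint) []Violation {
	var out []Violation
	for path, h := range current {
		if b, ok := baseline[path]; !ok {
			out = append(out, Violation{"added", path})
		} else if b != h {
			out = append(out, Violation{"modified", path})
		}
	}
	for path := range baseline {
		if _, ok := current[path]; !ok {
			out = append(out, Violation{"removed", path})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Demo takes a baseline from a clean device, then scans a device that was rooted
// (su binary dropped into /system, build.prop edited, a framework file removed)
// and sideloaded an APK. A change to user data must not be reported.
func Demo() []Violation {
	clean := Files{
		"/system/bin/app_process":         []byte("constructed zygote launcher"),
		"/system/framework/framework.jar": []byte("constructed framework"),
		"/system/build.prop":              []byte("ro.build.type=user"),
		"/data/app/com.example.mdm-1.apk": []byte("constructed MDM agent apk"),
		"/data/data/com.example.notes/db": []byte("constructed user data"),
	}
	baseline := Scan(clean)

	rooted := Files{}
	for path, data := range clean {
		rooted[path] = data
	}
	rooted["/system/xbin/su"] = []byte("constructed su binary")
	rooted["/system/build.prop"] = []byte("ro.build.type=userdebug")
	rooted["/data/app/com.example.sideloaded-1.apk"] = []byte("constructed unapproved apk")
	rooted["/data/data/com.example.notes/db"] = []byte("edited user data, out of scope")
	delete(rooted, "/system/framework/framework.jar")
	return Compare(baseline, Scan(rooted))
}

func main() {
	for _, v := range Demo() {
		fmt.Printf("%-9s %s\n", v.Kind, v.Path)
	}
}
```

A baseline of this kind only detects changes made after it was taken, so it has to be created on a device whose /system is already known to be good; the slides pair it with trusted boot and attestation for exactly that reason.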
File System Integrity Service (Cont'd)
• Figure (data flow): the MDM Console with Integrity Mgmt creates/updates baselines, triggers scans, and receives reports through the MDM Agent and the Integrity Svc Agent (Fixmo). The agent scans /system and 3rd-party APKs, creates fingerprints, and reports violations. Underneath, the Integrity Service Layer exposes scan primitives and storage primitives (Enterprise ISL Policy, Secure DB) alongside the MDM Framework and MDM Service in the Android Framework, on top of SE Android

IT Policy Support
• Figure: IT policy categories (no text recovered)

KNOX Availability
• Rolled out with the Galaxy Note 3
• Available (or available soon) through firmware update:
  - Galaxy S4 and S4 mini
  - Galaxy Note 2
  - Galaxy S3 and S3 mini
  - Galaxy Tab

Summary
• Samsung KNOX significantly raises the bar for enterprise application security
• Secure Boot, TIMA, SE for Android, Container, SSO, Per-app VPN, …
• Samsung is introducing more hardware- and software-based security mechanisms through KNOX
• More are coming in KNOX 2.0
• Samsung would like to share all these KNOX mechanisms with app developers through SDK and API
• It's a good time to build apps on the Samsung KNOX platform!

Advertisement
• KNOX Talk #2: Remote Verification of Device Integrity Using KNOX Attestation APIs and Cloud Services
  - Day 1, 4:20pm – 5:10pm, Olympics
  - Chung-huan Liu
• KNOX Talk #3: Developing Enterprise Applications for Samsung KNOX
  - Day 2, 1pm – 1:50pm, California East
  - Bala Gattu

Thank you for supporting Samsung KNOX.
Visit http://www.samsungknox.com

Notice: All functionality, features, specifications, and other product information provided in this document including, but not limited to, the benefits, design, pricing, components, performance, availability, and capabilities of the product are subject to change without notice or obligation.
Samsung reserves the right to make changes to this document and the product described herein, at any time, without obligation on Samsung to provide notification of such change.