INTRODUCING THE SAMSUNG KNOX PLATFORM
Peng Ning
Background: Android in the Enterprise
Top 3 reasons for poor Android acceptance in the Enterprise:
• Fear of OS compromise
• No protection against data leakage
• Limited policy controls and management
10/28/2013
© Samsung 2013. All rights reserved.
2
Introducing Samsung KNOX
[Diagram: IT Policies and MDM APIs feeding into the KNOX platform]
Multi-layered Approach to OS Security
Secure Boot
• Verification
  - Each boot loader verifies the next boot loader in the chain by authenticating its signature using a public key certificate chain
  - The Root-of-Trust is a Samsung root certificate, which is verified by the ROM code
• Special needs of government customers with high security demands
  - Maintain the root-of-trust and code signing by the government
  - Knox solution: Customizable secure boot
Customizable Secure Boot (CSB)
[Diagram: CSB device life cycle]
• At manufacture time, multiple root certificates are installed: a Samsung root (for consumer devices) and a Government root (reserved for governments; never used by Samsung)
• Devices purchased by regular consumers: the Samsung root remains in use by consumers
• Devices purchased by a Government Trusted Contractor (GTC): the GTC executes the take-over tool provided by Samsung, after which the Government root is used by government employees
SE for Android
• SE (Security Enhancement) for Android
  - Mandatory access control (MAC)
  - An effort to port SE Linux to Android
  - Started by NSA (Stephen Smalley) and adopted by Android
• Why do we need SE for Android
  - Android uses the user-based Discretionary Access Control (DAC)
  - Application sandbox: Each app (group of apps) runs with a unique UID
  - However, rooting the device allows apps to run as the privileged “root user” with full access to all system resources
    o Malicious applications may take control of the device
  - SE for Android has demonstrated success against many rooting attacks
    o NDSS 2013
Key Characteristics of SE for Android
• Partitions the system into distinct security domains
• Within each domain applications are provided the permissions required for their tasks
• Minimizes the amount of damage that can be caused by malicious or flawed applications
• Renders “rooting” less effective as even applications that run as the root user are subject to mandatory access control
TIMA
• TIMA stands for TrustZone-based Integrity Measurement Architecture
  - A suite of system integrity features
• Leverages the ARM TrustZone Framework
  - Hardware level security guarantee
ARM TrustZone
• Two worlds – secure world and normal world
• Hardware-enforced isolation between the two worlds
http://www.arm.com
TIMA Features
• TIMA trusted boot
  - In conjunction with secure boot to measure key boot loaders and kernel image
  - Detect and record presence of unauthorized boot loaders and kernel
• TIMA attestation
  - Remote attestation to boot loader and kernel fingerprints based on trusted boot
• TIMA key store
  - Key store that functions only when authorized boot loaders and kernel are booted
• TIMA kernel protection
  - LKMAuth: Load-time authentication of kernel modules
  - PKM: Periodic measurement of base kernel code and RO data
  - RKP: Real-time kernel protection
TIMA Trusted Boot
• Trusted boot
  - Collect and preserve “evidence” of boot loaders and kernel (hash values of the binaries)
  - The “evidence” is used to support future decisions (e.g., attestation)
• Why do we need trusted boot?
  - Secure boot is limited
    o Do not know which version is running after booting
    o Suffer from boot loader vulnerabilities (e.g., aboot vulnerabilities)
  - Samsung does not want to lock the kernel on all models
    o Example:
       Only AT&T and Verizon GS4 have kernel lock
       Other GS4 models are rootable through recovery image
    o Note the risk of rooting – Improper kernel may damage the phone
  - Both would threaten the security of enterprise applications
TIMA Trusted Boot (Cont’d)
• Trusted boot
  - Boot loaders and the kernel are measured before executed
  - Measurements are saved in TrustZone secure world
[Diagram: the ROM, SBL and OS bootloader each load, measure, and execute the next stage down to Boot.img (kernel); the TZ Execution Environment saves the measurements in TZ Secure Memory]
TIMA Attestation
• Attestation
  - A device proves its software integrity to a remote server
• Why do we need attestation in Knox?
  - No kernel lock on many models
  - Potential boot loader vulnerabilities (e.g., aboot vulnerabilities)
  - Knox uses TIMA attestation to verify device integrity before turning on the enterprise features
• Properties to be confirmed during attestation
  - Boot loaders and kernel required by Knox are running on the device
  - SE for Android is in enforcement mode
TIMA Attestation (Cont’d)
• Hardware foundation
  - Each device has a unique public/private key pair with the public key certificate
  - Only available on selected models (Note 3 and derived models)
• Enable devices to attest to the currently running boot loaders and kernel
• Measurements are taken during trusted boot and stored in secure memory
• Execution of the remote attestation on the device performed in TrustZone
[Diagram: attestation protocol between the device and the Attestation Server]
1. Attestation Server sends a random nonce N
2. Device retrieves measurements M and computes Sig = Sign(M, N) (performed in TrustZone secure world)
3. Device returns M, N, Sig, Certs
4. Server verifies M and Sig
Security benefits:
• Knox container can be created only if the attestation result is positive;
• The server can learn the exact version of software running on the devices
TIMA Keystore
• TIMA Keystore
  - Cryptographic keys can be installed in TIMA key store
    o Used for eCryptfs keys in Knox; will be released to all app developers in next version
  - Keys can be retrieved only if the measurements of boot loaders and the kernel image match authorized binaries
    o SE for Android protection in enforcement mode
    o Enhanced security compared with Android keystore
[Diagram: a Knox App in the normal world installs and retrieves keys; the TIMA Keystore key slots in the secure world release them only after checking the trusted boot measurements]
TIMA Kernel Protection
TIMA measures the integrity of the kernel using three techniques:
① Authenticating Linux kernel modules as they are dynamically loaded
② Periodic kernel measurement by verifying kernel code, read-only data, and vectors
③ Real-time kernel protection by mediating modifications of kernel code pages
Multi-faceted Application Security
• Application container
• Security of data-in-transit (DIT)
• Encryption of data-at-rest (DAR)
• Smart card support
• Enterprise Single Sign-On with AD
• File system integrity
Application Container (1/2)
• The KNOX Container is a virtual Android environment within the device, complete with its own home screen, launcher, applications, and widgets.
  - Applications and data running inside the Container cannot interact with applications and data outside the Container.
• The Container enables enterprise IT to isolate enterprise applications and data in a secure environment
  - Eliminates the “data leakage problem” associated with Bring Your Own Device (BYOD) and Corporate-Owned Personally Enabled (COPE)
• Activated by a KNOX-compliant MDM system or AD/GPM*
[Diagram: KNOX Container Environment alongside the Personal Environment]
* requires Centrify Corp.’s Container Management Solution
Application Container (2/2)
• Upon creation the container is populated with a set of utility applications – email, calendar, browser, camera, etc.
  - Additional applications may be downloaded from the KNOX app store, or may be pushed by the MDM system.
• The container uses an eCryptfs-based file system with AES 256-bit encryption.
• The container supports a variety of policies to allow remote IT configuration and management.
Single Sign-On With Enterprise Identity
• Active Directory-based SSO is built-in on the KNOX platform
• KNOX takes SSO to the next level with “Zero Sign-On” for mobile apps
• One-click access to 1000s of mobile apps
• Leverages AD credentials and AD role-based authorization to apps
• Supports rich/native apps and mobile web apps
• Simple KNOX SSO SDK available for mobile app developers
Using SSO on KNOX
[Diagram: Mobile Web App SSO and Rich Mobile App SSO flows]
KNOX Integration with Active Directory
• Enroll KNOX device into Active Directory to create users’ container
• Two benefits:
  1. Manage KNOX container/device using Active Directory-Group Policy (MDM)
  2. Use same identity to silently sign on to cloud apps & services (SSO)
[Diagram: (1) the KNOX Android Framework enrolls the Container with the enterprise identity in Active Directory; (2) the container and device are managed with AD/Group Policy Manager; (3) the same identity is leveraged for SSO via Centrify SSO (SaaS) to Intranet and cloud apps]
Active Directory-based MDM of KNOX
• AD-based Group Policy management for KNOX containers and devices
• Cloud-based service deploys in minutes — leveraging existing infrastructure
• Lower cost of ownership with self-service and full lifecycle automation
• Supports all SAFE v4 policies and KNOX policies
• Unified cross-platform device & desktop management
Per-app VPN Protects Data-in-Transit
• The Per-app VPN feature enables IT admins to selectively enforce secure VPN connectivity only for enterprise apps, including web-based (SaaS) apps.
• Eliminates personal applications congesting enterprise VPN resources.
• Protects consumer privacy by not sending personal application data via the enterprise network.
Device Encryption Protects Data-at-Rest
• The KNOX On-Device Data Encryption (ODE) feature encrypts data on the entire device using a 256-bit AES cipher algorithm:
  - The encryption spans the device’s internal storage as well as external SD Card.
  - The key used for encryption is derived from the user-supplied password or passcode.
  - Full device encryption may be activated by the user, or remotely by the IT admin as a policy setting.
• NIST FIPS 140-2 certification is pending.
Smart Card Support
• Samsung KNOX supports US Dept. of Defense issued Smart Cards, aka Common Access Cards (CACs)
  - Used by active-duty military, selected Reserve, DoD civilian employees, and some contractors.
  - Requires a compatible Bluetooth CAC reader such as the baiMobile™ 3000MP Bluetooth® Smart Card Reader.
• The browser, email and VPN clients use credentials on the CAC card if configured by the IT admin.
  - Other applications may also utilize the CAC card via well-defined PKCS #11 APIs
• KNOX also supports two-factor authentication for the device lock screen using the CAC.
File System Integrity Service
• The KNOX Integrity Service performs an on-demand scan of the device and helps identify any integrity breach:
  - For example, an unexpected change in the file structure or an unapproved APK
• The integrity measurement is primarily based on a scan of the file system on the Android device:
  - The /system folder is completely scanned.
  - 3rd party APKs that are part of the ‘baseline’ are also scanned.
• This service requires the use of a compatible MDM system, e.g. Fixmo Sentinel
[Diagram: the MDM Console with Integrity Mgmt talks to the Integrity Svc Agent (Fixmo) and the MDM Agent on the device; the Integrity Svc Layer sits between the KNOX Container (Container Apps) and the Android Framework, on top of SE Android]
File System Integrity Service (Cont’d)
[Diagram: the MDM Console with Integrity Mgmt creates/updates baselines, triggers scans and receives reports through the Integrity Svc Agent (Fixmo) and the MDM Agent; the agent scans /system and 3rd party APKs, creates fingerprints and reports violations using the scan and storage primitives of the Integrity Service Layer (backed by a Secure DB) in the Android Framework, alongside the MDM Framework, Enterprise ISL Policy and MDM Service, all on SE Android]
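A minimal version of the baseline-and-scan cycle shown in the two diagrams above, written as an added example (not Fixmo’s or Samsung’s code): Fingerprint hashes every regular file under a root such as /system or an APK directory, and Compare reports files that were modified, added (an unapproved APK) or removed relative to the stored baseline. The SHA-256 hash, relative-path keys and the map-based report format are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"os"
	"path/filepath"
)

// Baseline maps each regular file under the scanned root (path relative to the root) to its
// SHA-256 fingerprint, as the "create/update baselines" step would record it.
type Baseline map[string]string

// Fingerprint walks root (e.g. /system, or the directory holding baseline 3rd party APKs) and
// hashes every regular file; it is used both to create the baseline and for each later scan.
func Fingerprint(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		b[rel] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Compare is the "trigger scan / report violations" step: every deviation from the baseline is
// reported as path -> "modified", "removed" or "added" (an unapproved file or APK).
func Compare(baseline, current Baseline) map[string]string {
	v := map[string]string{}
	for p, h := range baseline {
		if cur, ok := current[p]; !ok {
			v[p] = "removed"
		} else if cur != h {
			v[p] = "modified"
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			v[p] = "added"
		}
	}
	return v
}
```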
IT Policy Support
Knox Availability
• Rolled out with Galaxy Note 3
• Available (or available soon) through firmware update
  - Galaxy S4 and S4 mini
  - Galaxy Note 2
  - Galaxy S3 and S3 mini
  - Galaxy Tab
Summary
• Samsung KNOX significantly raises the bar for enterprise application security
  - Secure Boot, TIMA, SE for Android, Container, SSO, Per-app VPN, …
• Samsung is introducing more hardware and software based security mechanisms through Knox
  - More are coming in Knox 2.0
• Samsung would like to share all these Knox mechanisms with app developers through SDK and API
• It’s a good time to build apps on the Samsung Knox platform!
Advertisement
• Knox Talk #2
  - Remote Verification of Device Integrity Using Knox Attestation APIs and Cloud Services
  - Day 1, 4:20pm – 5:10pm, Olympics
  - Chung-huan Liu
• Knox Talk #3
  - Developing Enterprise Applications for Samsung Knox
  - Day 2, 1pm – 1:50pm, California East
  - Bala Gattu
Thank you for supporting Samsung KNOX.
Visit http://www.samsungknox.com
Notice: All functionality, features, specifications, and other product information provided in this document including, but not limited to, the benefits, design, pricing, components, performance, availability, and capabilities of the product are subject to change without notice or obligation. Samsung reserves the right to make changes to this document and the product described herein, at any time, without obligation on Samsung to provide notification of such change.