SIEMENS

# A Formal Security Model of the Infineon SLE88 Smart Card Memory Management

David von Oheimb, Volkmar Lotz Siemens AG, Corporate Technology, Security

{David.von.Oheimb,Volkmar.Lotz}@siemens.com

Georg Walter Infineon Technologies AG, Security & Chip Card ICs

Georg.Walter@infineon.com



#### • Context

#### SLE88 Memory Management

- Overview of Functionality
- Security Objectives
- SLE88 System Model
- Security Properties
  - Enforcing access control through attributes
  - Protection of security-critical memory areas
- Results



# 32-bit smart card processor Infineon SLE88



3

- Used for e.g. secure identification for UMTS and pay-TV
- Novelty of the SLE88: multi-application support
- New functionality: Memory Management Unit
  - virtual address space
  - protection on both virtual and physical level
  - separation of packages



## **Context: SLE88 security**

- Certification of SLE88 according to Common Criteria EAL5+
- Existing LKW security model of SLE 66 [LKW00, vOL02] applies
- Additional security functionality for SLE88:

Memory Management Unit protects

- Read/write/execute access to memory cells
- Designated entry points to critical packages ("port commands")
- Intended to achieve security objectives:
  - Restricted memory access
  - Separation of applications, OS, and chip security functionality (SL)
- Augmenting the LKW model

with a separate memory management model suffices



SIEMENS

#### Address Space



- VEA Virtual Effective Address
- PEA Physical Effective Address
- PT Page Table
- PP Page Pointer

- DP Displacement
- PAD Package Address
- EAR Effective Access Right
- BPF Block Protection Field

© 2005 Siemens AG, CT IC 3



# Information & Communications Security

#### **Access Control Mechanisms**

• Block Protection Field (BPF)

applies to 4-bit blocks of physical addresses

• Effective Access Rights (EARs)

apply to 8-bit blocks of virtual addresses

| Source package: | Same as target |       | Other than target |                           |
|-----------------|----------------|-------|-------------------|---------------------------|
| Target EAR      | Read           | Write | Read              | Write                     |
| WW              | +              | +     | +                 | +                         |
| WR              | +              | +     | +                 | MPA/+                     |
| RR              | +              | MPA   | +                 | $\mathtt{MPA}/\mathtt{+}$ |
| W-              | +              | +     | MPA/+             | $\mathtt{MPA}/\mathtt{+}$ |
| R-              | +              | MPA   | MPA/+             | $\mathtt{MPA}/\mathtt{+}$ |
| Х-              | MPA            | MPA   | MPA/+             | $\mathtt{MPA}/\mathtt{+}$ |

## **Security Requirements**

The TOE must provide the Smartcard Embedded Software with the capability to define restricted access memory areas. The TOE must then enforce the partitioning of such memory areas so that access of software to memory areas is controlled as required, for example, in a multi-application environment.

#### • Critical aspects:

- shared memory
- modification of EAR table
- protection achieved by BPF ("fail-safe"?)
- port commands (not shown here)



## System Model: SLE88 Memory

#### Formal definition of the virtual address space:

| =                                                                                                                                                                                                                                                                                                   |            |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
|                                                                                                                                                                                                                                                                                                     |            |
| typedecl VEA_mid_lo — 2-bit part of VEA_mid with identical EA<br>typedecl VEA_mid_hi — 16-bit part of VEA_mid with different EA                                                                                                                                                                     |            |
| types $VEA_mid - 18$ -bit middle part of $VEA$                                                                                                                                                                                                                                                      |            |
| $= "VEA_mid_hi \times VEA_mid_lo"$ $VEA \qquad \qquad32\text{-bit virtual effective address}$ $= "PAD \times VEA_mid \times DP"$ $VEA_dEAR \qquad24\text{-bit upper part of VEA determining EA}$ $= "PAD \times VEA_mid_hi"$ $VP \qquad26\text{-bit virtual page pointer}$ $= "PAD \times VEA_mid"$ | <b>ARs</b> |



## System Model: State

Formal definition of the system state:

- physical memory
- address translation
- access control settings
- execution state

#### record state =

- abstraction of physical memory:
  - memory :: "PEA  $\Rightarrow$  value" including peripherals
- $BPF_PASL :: "PEA_dBPF \Rightarrow bool" BPF stating SL-only access to page blocks$
- abstraction of page table (package descriptions and translation lookaside buffers):
  - $PT_map$  :: "VP  $\rightsquigarrow PP$ "
  - $PT\_EAR \qquad :: "VEA\_dEAR \Rightarrow EAR"$
- abstraction of execution state:
  - curr\_PAD :: "PAD"
  - stack :: "PAD list"

- page mapping, relative to packages
- EARs for 256-byte sections
- currently executing package
- package part of return addresses



## **System Model: Inputs and Outputs**

#### datatype message =

Code\_Fetch VEA — is meant to precede each other type of instruction — read/write operations:

| Read\_Mem VEA

/ Write\_Mem VEA value

- control transfer operations:

| Jump VEA

/ Call VEA

| Return

/ Write\_RetAddr VEA

— operations for setting security attributes and page table entries:

| Ok | No - access granted or denied without generating a trap

| MPA | MPSF | RLCP | MPBF | PRIV | MCR - traps

/ Write\_BPF\_PASL PEA\_dBPF bool

/ Write\_PT\_EAR VEA\_dEAR EAR

/ Write\_PT\_map VP "PP option"

— outcome of operations:

Information & Communications Security

 $\succ$ 

0 T 0 G

N H

 $\bigcirc$ 

Ш

Ш

RA

 $\bigcirc$ 

RР

 $\bigcirc$ 

 $\bigcirc$ 

## **System Model: Memory Access**

Auxiliary function for checking access control conditions

Request for access mode at virtual address va in state s returns Ok, if:

- va is mapped to a physical address
- access is (privileged or) permitted according to EAR table
- BPF is consistently assigned (or special access by SL)

```
constdefs — read/write access restrictions to main memory
mem_access :: "access_mode \Rightarrow state \Rightarrow VEA \Rightarrow message"
"mem_access mode s va \equiv case PEA s va of None \Rightarrow MPBF / Some pa \Rightarrow
let source = curr_PAD s; target = PAD va in
(if is_Pri source \land mode\neqExecute \land source\neqtarget \land target\neqPri SL \lor
mode \in (if source=target then RWX_own else RWX_other) (EAR s va)
then (if ((BP_PASL s pa = (target = Pri SL)) \lor BP_PASL s pa \land
source = Pri SL \land mode \neq Execute \land target \neq Pri SL)
then Ok else MPSF)
else (if mode \neq Execute then MPA else MPBF))"
```

 $\succ$ 



#### **System Model: Interacting State Machine**

```
ism SLE88_MM =
   ports interface
    inputs "{In}"
    outputs "{Out}"
   messages message — instructions received or indications of success sent
   states data state init "s0" name "s" — the initial state is s0
   transitions
```

```
Read_Mem:
in In "[Read_Mem va]"
out Out "[mem_access Read s va]"
Write_Mem:
in In "[Write_Mem va v]"
out Out "[mem_access Write s va]"
post memory := "(mem_access Write s va = Ok ∨
mem_access Write s va = MPSF ∧ belated_MPSF ∧
PAD va = Pri SL ∧ ¬BP_PASL s (the (PEA s va))) ?
(memory s)(the (PEA s va) := v)"
```

Information & Communications Security . . .

. . .

## Security Properties (1): "Granted Accesses Do Respect EAR Settings"

theorem interpackage\_Write\_Mem\_respects\_EAR: " $\bigwedge$  va va'.  $[[((p,s),c,(p',s')) \in Trans; hd (p In)=Write_Mem va v; hd (p' Out)=Ok;$ PAD va  $\neq$  curr\_PAD s $]] \implies$  is\_Pri (curr\_PAD s)  $\land$  PAD va  $\neq$  Pri SL  $\lor$ EAR s va = WW  $\land$  (EARs\_consistent s)  $\longrightarrow$  PEA s va' = PEA s va  $\longrightarrow$ PAD va  $\neq$  PAD va'  $\longrightarrow$  EAR s va' = WW)"



Consistency of EARs:

- In case of non-injective PT\_map, the effective protection is determined by weakest EAR
- Conflicts are possible
- Should aliasing be prohibited?
- Solution: Define consistency requirements on EARs: all WW or all RR
- Property only holds in case of EAR consistency



# Security Properties (2): "Protection of SL Memory"

theorem only\_SL\_changes\_SL\_memory:
"[[ts ∈ TRuns; ((p,s),c,(p',s')) ∈ set ts; curr\_PAD s ≠ Pri SL;
PEA s (Pri SL, lva) = Some pa]] ⇒ memory s pa = memory s' pa"

#### **Used lemmas** (invariants):

- SL parts of page table and EAR table can only be modified by SL
- EARs referring to SL are always set in a way that access by non-SL packages is denied
- For SL memory areas, the BPF tag is always set

#### Required axioms (assumptions):

- Initial state satisfies requirements on BPF and initial EAR values
- Benign behaviour of SL (correct setting of BPF values, page table entries, and EAR table entries)



## Conclusion

- Identification: necessary assumptions on initial state and behaviour of SL
- Analysis: effects of non-injective address mappings
- Analysis: role of block protection fields (BPF)
- **Proof**: security functionality is adequate to satisfy security requirements (on abstract level of specification)
- **Proof**: security specification is consistent
  - (with some additional arguments referring to consistency of HOL)
- Security model satisfies all requirements of ADV\_SPM.3 and thus contributes to EAL5 certification
- Effort: 2 person months

