17/11/99S3 and MExE1 S3 review of MExE release 99 security Tim Wright, Vodafone UK 3GPP SA3, ETSI SMG10
17/11/99S3 and MExE2 Contents MExE refresher course Specification history and S3/SMG10 involvement Break for clarification Issues raised by Colin Blanchard and self Questions and discussions
17/11/99S3 and MExE3 MExE refresher course Mobile Execution Environment A spec to create a standardised execution environment on mobile terminals, similar to PDA, such as Palm, Psion Classmark 1 is WAP Classmark 2 is Java, specifically the PersonalJava virtual machine
17/11/99S3 and MExE4 Execution domains Operator, manufacturer and third party execution domains Applications can only execute in a domain if authorised for that domain Broadly similar capabilities for each domain Untrusted domain
17/11/99S3 and MExE5 Domain authorisation Apps that can run in a domain must have a a digitally signature that can be verified by the terminal using valid certificates Certificates are verified with root public keys for each domain Operator and third party root keys can be on the SIM Untrusted apps are unsigned
17/11/99S3 and MExE6 Third party Administrator Third party roots may be installed by manufacturer and user (and operator) Operator may have no control over signing policy of a third party root controller Therefore, Operator may (but is not obliged to) elect to be Administrator and can then control which Third Party roots are valid (but cannot delete or revoke)
17/11/99S3 and MExE7 User permission Apps cannot be installed without user permission Apps cannot carry out functions without user permission Three types of user permission –Single action –Session –Blanket
17/11/99S3 and MExE8 Specification history MExE begun within ETSI in January 1998 Stage 1 approved in February (March?) 1998 Release 98 stage 1 and 2 approved in July 1999 Release 99 to be approved in December 1999
17/11/99S3 and MExE9 S3/SMG10 involvement Some review of specs since February Little real interaction until December 1998 Productive MExE/SMG10 meeting in February 1999 S3 took responsibility for MExE security in August 1999
17/11/99S3 and MExE10 Goal of this session MExE (and) WAP are powerful developments with enormous potential to change the way phones are used Security is a key issue MExE has worked hard on security and deserve credit Time, and last chance, for S3 to take corporate responsibility
17/11/99S3 and MExE11 Clarifications
17/11/99S3 and MExE12 Issues raised by CB Application could be downloaded that would: –Eavesdrop on user –Perform internal denial of service –Make bogus calls and so complicate law enforcement
17/11/99S3 and MExE13 Issues raised by CB User would have to give permission for installation Process of giving permission by user must be clear - can this be ensured? Above apps would have to be trusted Issue of whether third parties can be trusted
17/11/99S3 and MExE14 VF issues - Security table Security table is currently very complex List actions that can be performed by each domain and that are forbidden for each domain Status of actions not listed uncertain Suggest - security table lists forbidden actions only Would be clearer and more likely to be implemented
17/11/99S3 and MExE15 VF issues - external port access Difficult to manage permissions if don’t know what is attached to the port for example, location info in phone is forbidden to an app but it can be accessed via port if GPS attached to phone Have to rely on user/ Warnings should be given
17/11/99S3 and MExE16 VF issues - untrusted applications Can acess screen and keyboard without user permission Apps are long lived - Trojan horses App could listen to keyboard and pick up PINs Could interfere with UI and get user to perform actions they did not want
17/11/99S3 and MExE17 VF issues - untrusted applications But untrusted apps could be a popular market sector What can be done? Rules for precedence in screen access Session user permission? ?