Can You Trust Your Phone?

Mobile Industry Starts to Move

Mobile operators are developing requirements to enhance the security of mobile handsets within organizations such as the "Open Mobile Terminal Platform (OMTP)," which is led by a group of major operators including Cingular, Orange, T-Mobile, Vodafone and many others. Manufacturers and mobile software and silicon vendors interact with operators in this context and develop new technologies and products that address their requirements.

 

The Trusted Computing Group's (TCG) charter is to develop and promote open, vendor-neutral industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms. TCG has been concentrating primarily on servers, storage and desktops. However, a new working group has been created to look specifically at mobile phones.

 

Avoid a Small Hole Sinking the Ship

Two complementary views need to be considered: (1) architect preventive protection in a secure way, e.g. filtering, auditing, updating, integrity checking, monitoring, etc.; and (2) confine the damage in case of a successful attack so that a small hole does not sink the ship, e.g. keep the core phone function working if a multimedia service is corrupted. A secure system has an infrastructure similar to the layers of an onion: outer elements protect the inner circles that hold the most precious data or perform the most critical functions for the overall system.

 


Virtualization Protects the Reality

One approach CIOs use to protect the company assets handled on their IT servers is "virtualization" technology, which implements layers of software firewalls around each category of assets. Starting with the hardware, underlying core services are virtualized so they are protected from upper layers of software that might try to access the core services directly. Upper layers are also isolated from their neighbors that compete to access those underlying services.

 

The software that controls the "real" hardware and virtualizes it is often called a virtual machine monitor (VMM) to reflect that it generates and monitors "virtual machines" in which operating systems (OS) are executed. An operating system that executes in the context of a virtual machine is often referred to as a "guest OS," as opposed to a "native OS" that has full control over the hardware resources (i.e. the "real machine"). The VMM is also called a "hypervisor" by analogy to the term "supervisor" used to designate the function of the inner part of an OS called the OS kernel, which supervises the execution of applications and their access to hardware resources (computing, memory, storage, network, etc.). In the case of "virtualization technology," the hypervisor provides access to the hardware resources for the operating systems. This adds one layer of isolation and protection. A main security benefit of doing this is that hypervisors are implemented as simple and small pieces of software in which critical functionality can be safely implemented and verified, in contrast to guest OSes, which have become very complex in order to support wide ranges of applications concurrently.

 

The first hypervisor, called Control Program 67 (CP-67), was introduced in the summer of 1966 by IBM for the 360/67, a member of its famous System/360 family of mainframe computers. It then became VM/370 on the S/370 and was used to run various operating systems such as "single user" (e.g. CMS) or "batch" operating systems (e.g. OS 360) simultaneously and securely on the same computer. Essentially, VM/370 and the hardware cooperate so that multiple instances of any operating system, each with protected access to the full instruction set, can peacefully and concurrently coexist. It is still in wide use in IBM mainframes today.

 

Since then hypervisors have become very popular in the computing server space. The most widely used hypervisor on x86-based computers is VMware, which is now part of EMC.  The University of Cambridge Computer Laboratory has developed a competing open source project called Xen that is supported by various computer manufacturers including IBM, Sun Microsystems and HP to run several instances of Linux on their x86-based servers.  Microsoft recently announced its own hypervisor software named Hyper-V.

 

Hypervisors provide "hardware virtual machines" and should not be confused with interpreters providing "application virtual machines." Interpreters isolate the application used by the user from the computer it is running on. Because versions of the virtual machine are written as interpreters for various computer platforms, any application written for the virtual machine can be operated on any of the platforms, instead of having to produce separate versions of the application for each computer and operating system. One of the best known examples of an application virtual machine is Sun Microsystems' Java Virtual Machine.

 

Virtualization in a Device

The amount of processing power and memory available in mobile handsets enables them to run high-level, general purpose operating systems such as Linux, Windows or Symbian, providing rich sets of services and applications. Smartphones increasingly resemble laptops in terms of the amount of software they are able to run. Similar to what happened to traditional computers, virtualization technology can also be applied to mobile handsets and provide them with a software architecture that can protect them more efficiently against the malware introduced through rich and open operating systems.

 

Implementation of hardware virtualization in a mobile handset requires a specific design as these devices are very cost and memory constrained. Mobile handsets support various peripherals such as screen, touchpad, keyboard, audio I/O, camera, flash memory, disk, IR, Bluetooth, USB, WiFi as well as wireless telecom network protocols. They also operate under stringent performance conditions.

 

A new generation of hypervisors has emerged, referred to as "real-time virtualization," which allows a guest OS of the hypervisor to be a real-time operating system (RTOS). A RTOS is used in mobile handsets to support deterministic tasks, such as running wireless protocol stacks and core phone services. Like other hypervisors in the traditional computer space, embedded hypervisor software ensures strict isolation and secure communication between multiple virtualized execution environments. These hypervisors support the ARM processor family that powers the vast majority of mobile phones and leverage hardware support for trusted software available on phone chipsets, such as secure memory or trusted platform modules (TPM), which enforces stronger security.

 

"Real-time virtualization" can be used to consolidate a RTOS and a rich operating system on the same phone CPU to reduce the cost of smartphones and bring more functionality into the high-volume mass market. It also provides a trusted execution environment (TEE), compliant with the requirement standards of the OMTP and the TCG.

 

The TEE is used to securely authenticate, provision, operate, protect, upgrade, control and repair the device, all of this reliably, securely and independently of the operating system that supports the applications. It allows the isolation of the device platform management functions, including advanced security management, from the general application execution environment that by nature cannot be trusted and is subject to malware. This way, the application execution environment - a rich operating system - is checked, monitored, controlled, stopped, restarted, updated, etc. from an external malware-proof, trusted environment maintained under tight administration rules. In simple terms, such a software architecture provides a highly available, fault tolerant phone protected from malware, and able to survive failures, including those that are intentionally injected.

 

The TEE created by the virtualization software can be used to run anti-virus, firewall and other filtering services in such a way that these services are also protected from malware in the application execution environment.

 

The TEE can also support over the air (OTA) device software provisioning, configuration and upgrades in a specific execution environment securely isolated from the main open operating system.

 

Unlike virtualization technologies targeting IT servers in the data center, such as those provided by VMware, Xen or Microsoft, VirtualLogix VLX has been specifically designed to address the requirements of devices such as mobile phones. Such virtualization products can be summarized as providing real-time deterministic execution environments, dedicating specific hardware resources to particular guest OSes for performance reasons, and supporting embedded processors such as the ARM processor family.

They support Linux, Windows, Symbian, several commercial real-time operating systems and a variety of legacy "home-grown" proprietary embedded OSes. Their real-time virtualization technology provides a flexible architecture that enables various tradeoffs between resource isolation and sharing policies, based upon use case requirements. This approach to security provides efficient isolation and device sharing policies for a semi-controlled environment, as well as sophisticated isolation and device sharing policies protecting against denial of service attacks in widely-open environments.
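
The dedication and sharing of hardware resources among guests described above can be checked mechanically before a configuration ships. The C sketch below is an added example, not VirtualLogix code and not part of the original article; the guest names, device names, quota field and the three audit rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: three guests on one embedded hypervisor.
   Assumption: only the RTOS and the TEE are trusted; the rich OS may be infected. */
enum guest { G_RTOS = 1 << 0, G_TEE = 1 << 1, G_RICH_OS = 1 << 2 };
#define TRUSTED ((unsigned)(G_RTOS | G_TEE))

struct dev_policy {
    const char *name;
    unsigned owners;     /* bitmask of guests allowed to reach the device */
    int critical;        /* 1 = core phone function or secret-bearing resource */
    unsigned quota_pct;  /* per-guest cap when shared; 0 = no cap configured */
};
enum finding { POLICY_OK = 0, CRITICAL_EXPOSED, SHARED_NO_QUOTA, UNASSIGNED };

/* Check one device entry against the isolation and sharing rules. */
enum finding audit_device(const struct dev_policy *d)
{
    if (d->owners == 0) return UNASSIGNED;
    /* Critical devices must never be reachable from an untrusted guest. */
    if (d->critical && (d->owners & ~TRUSTED))
        return CRITICAL_EXPOSED;
    /* More than one owner bit set and no cap: one guest can starve the others. */
    if ((d->owners & (d->owners - 1)) && d->quota_pct == 0)
        return SHARED_NO_QUOTA;
    return POLICY_OK;
}

/* Audit a whole table, report each finding, return the number of violations. */
size_t audit_policy(const struct dev_policy *p, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        enum finding f = audit_device(&p[i]);
        if (f != POLICY_OK) { printf("%s: finding %d\n", p[i].name, (int)f); bad++; }
    }
    return bad;
}

/* Constructed sample policy, not taken from any product. */
const struct dev_policy sample[] = {
    { "baseband-radio", G_RTOS,             1, 0  },
    { "secure-memory",  G_TEE | G_RICH_OS,  1, 0  },  /* critical, exposed */
    { "flash-storage",  G_TEE | G_RICH_OS,  0, 0  },  /* shared, no quota */
    { "display",        G_RTOS | G_RICH_OS, 0, 50 },
    { "camera",         G_RICH_OS,          0, 0  },
};
const size_t sample_len = sizeof sample / sizeof sample[0];
int main(void) { return audit_policy(sample, sample_len) == 2 ? 0 : 1; }
```

In a semi-controlled environment the quota rule could be relaxed; in a widely-open one, both findings would block the configuration.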

 

Four in One

A key issue for mobile handsets moving forward is that these devices carry assets belonging to several categories of stakeholders, with at times conflicting interests. Users own their personal data and they need to trust that their mobile handset will not compromise their privacy, and that the services they buy are of high quality. Operators need to trust that the user is not allowed to operate the device or access billable services without being charged, or to tamper with the network applications and protocols which could negatively affect thousands of other users. They require guarantees that external intruders are not allowed to compromise billing information or jeopardize customers' trust in the operator's services. Operators also require solutions that prevent mobile phones from infecting their network with malware. Content providers must protect their rights from being misused by the user, and trust that illegal copies or broadcasts of decrypted content are not made. Enterprises need to have valid users be able to access company data, but trust that e-mail transferred to the device cannot be accessed by external intruders or be compromised by malware installed by a game application.

 

To avoid mixing OS environments that do not trust each other, one can use a different device for each function. Many people today carry a personal phone, a business phone, an enterprise e-mail processing handset, a portable MP3 or video player, etc. Enterprises need to enforce their own security policies for their employees' mobile handsets. This normally forbids the user from installing software that is not company approved.

 

Virtualization accommodates these constraints by sharing a single hardware device between several application execution environments, securely isolated from one another.

Within the next few years, as mobile handsets become as powerful as today's laptops, virtualization technology will allow each of the asset holders - the user, operator, content provider, enterprise - to be able to depend upon and trust mobile devices and the many advanced services to come.