TEE and The Next Generation Mobile Security Framework
There are three mobile environments which make up the security framework within a mobile phone. Each has a different task:
Rich Operating System (Rich OS): An environment created for versatility and richness, where device applications run on operating systems such as Android, Symbian OS and Windows Phone. It is open to third-party downloads after the device is manufactured. Security is addressed here, but is limited by its design and by the functions it performs.
Trusted Execution Environment (TEE): Made up of software and hardware, the TEE offers a level of protection against software attacks originating in the Rich OS environment. It assists in the control of access rights and houses sensitive applications that need to be isolated from the Rich OS, effectively acting as a firewall between the “normal world” and the “secure world”. For example, the TEE is the ideal environment for content providers offering a video for a limited period of time who need to keep their premium content (e.g. HD video) secure so that it cannot be shared for free.
Secure Operating System (Secure OS): A secure kernel which runs in parallel with a fully featured Rich OS on the same processor core. It includes drivers for the Rich OS ("normal world") to communicate with the secure kernel ("secure world"). Any component can be made part of the trusted infrastructure, from interfaces such as the display and keypad to regions of PCI-E address space and memory. User-space applications cannot access protected regions within the system.
Secure Element (SE): The SE is comprised of software and tamper-resistant hardware. It allows high levels of security and can also work in tandem with the TEE. The SE is mandatory for hosting proximity payment applications or official electronic signatures, where the highest level of security is required. The TEE may also offer a trusted user interface to securely transmit a personal identification number (PIN), which is required in order to make high-value transactions, and it filters access to applications stored directly on the SE.
INSIDE TEE Enablement Components
INSIDE solutions are compliant with GlobalPlatform specifications and integrate seamlessly inside trusted execution environments based on ARM TrustZone frameworks.
INSIDE’s Fusion products offer HDCP and DTCP-IP solutions to secure High Definition (HD) video content for wired and wireless device-to-device streaming, as well as Embedded DRM Fusion agents supporting Microsoft PlayReady. These provide a modular architecture that allows fast and easy integration on any platform with any multimedia framework, to fulfil the highest security requirements for premium early-window content.
Providing secure remote access to sensitive corporate information and applications requires that both the person’s identity information used for login authentication and the VPN communication channel maintain their privacy, integrity and confidentiality. INSIDE enables the use of a TEE to protect the user's information and to secure communications over IPsec and SSL through its SafeZone FIPS-certified cryptographic modules and QuickSec software development kits.
VaultIP is a Secure Element delivered as synthesizable Verilog RTL source code. It is an embedded security platform that operates independently as an SE and/or fortifies a TEE against software attacks.
Get to Market Faster with Optimized Security IP
Mobile devices with 24x7 connectivity are pervasive and are enabling new ways of doing business. With the arrival of multi-core performance for application processors, these devices can run virtually any application, including many which handle highly sensitive, valuable and mission-critical information. Now you can incorporate secure elements in your chip design to protect against attacks that exploit weaknesses in an application or operating system by extracting, modifying or destroying information held within the device.
Implemented as hardware IP, VaultIP comprises a tightly integrated set of modules optimized for the ARM architecture. It provides the ‘trust anchor’ needed by a Secure Operating System to run effectively within a TEE. VaultIP implements this ‘trust anchor’ as a hardware interface to an area of secure, non-volatile memory where keys and other security assets are stored. All use of these assets goes through VaultIP; they are never used directly by software, which protects them from software attacks.
The VaultIP ‘Trust Anchor’ can also be implemented in semiconductor designs that do not include a TEE. The secure, non-volatile memory management capabilities are integrated with software operations via a set of VaultIP Access APIs, protecting keys and other sensitive material from any exposure to software attacks.
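The property described above, that keys are stored behind a hardware interface and software only ever uses them through an API rather than reading them, is easiest to see in a small model. The following Python code is an added illustration of that handle-based pattern; it is not INSIDE Secure's VaultIP, not its Access APIs, and not any real product code. The `TrustAnchor` class, its method names and the usage-policy scheme are all assumptions made for this example, and the key values are constructed test data.

```python
"""Software model of a hardware 'trust anchor' key store.

Added illustration for the pattern described above: keys live in a
protected store, software holds only opaque handles, and every use of a
key happens inside the anchor. This is a constructed Python model, not
INSIDE Secure's VaultIP or any real Access API; all class and method
names here are assumptions made for the example.
"""
import hashlib
import hmac
import secrets


class KeyPolicyError(Exception):
    """Raised when a handle is used for an operation its policy forbids."""


class TrustAnchor:
    """Models secure non-volatile memory that software may use but not read."""

    def __init__(self):
        # handle -> (key bytes, set of permitted operations)
        # Stands in for the hardware-protected NVM region.
        self._slots = {}
        self._next_handle = 1

    def provision_key(self, key=None, allowed_ops=("mac", "verify")):
        """Store a key (generated here if none is given) and return only a handle."""
        if key is None:
            key = secrets.token_bytes(32)
        handle = self._next_handle
        self._next_handle += 1
        self._slots[handle] = (bytes(key), frozenset(allowed_ops))
        return handle

    def _use(self, handle, op):
        """Look up a slot and enforce its usage policy before any key use."""
        if handle not in self._slots:
            raise KeyError(f"unknown key handle {handle}")
        key, allowed = self._slots[handle]
        if op not in allowed:
            raise KeyPolicyError(f"handle {handle} does not permit '{op}'")
        return key

    def mac(self, handle, message):
        """HMAC-SHA256 over message; the key bytes are only touched in here."""
        key = self._use(handle, "mac")
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, handle, message, tag):
        """Constant-time tag check; returns True/False, never the key."""
        key = self._use(handle, "verify")
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def export_key(self, handle):
        """There is deliberately no path that returns raw key bytes."""
        raise PermissionError("key material never leaves the trust anchor")


def normal_world_sign(anchor, handle, payload):
    """What a Rich OS application sees: a handle in, a tag out, no key bytes."""
    return anchor.mac(handle, payload)


def policy_blocks_mac(anchor, handle, payload):
    """True if the anchor refuses to MAC with a verify-only handle."""
    try:
        anchor.mac(handle, payload)
    except KeyPolicyError:
        return True
    return False


if __name__ == "__main__":
    anchor = TrustAnchor()
    # Constructed demo key: 20 bytes of 0x0b (the RFC 4231 test case 1 key).
    h = anchor.provision_key(b"\x0b" * 20)
    tag = normal_world_sign(anchor, h, b"Hi There")
    print("tag:", tag.hex())
    print("verifies:", anchor.verify(h, b"Hi There", tag))
    print("tampered message verifies:", anchor.verify(h, b"Hi Thera", tag))
    v = anchor.provision_key(b"\x0b" * 20, allowed_ops=("verify",))
    print("verify-only handle refuses mac:", policy_blocks_mac(anchor, v, b"x"))
```

The point of the model is what is absent: nothing in the normal-world code path ever receives key bytes, so a compromise of that code can at most ask the anchor to perform operations the handle's policy allows, and a per-key policy (here, a verify-only handle) narrows even that. In real hardware the same separation is enforced by the bus interface rather than by Python scoping, but the API shape a Secure OS or application sees is the same.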