Mobile Security R&D Program Guide - Dhs.gov


Mobile Security R&D Program Guide
Volume 1


Welcome

Thank you for your interest in the U.S. Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Mobile Security Research and Development (R&D) Program. This guide introduces you to the goals and objectives for Mobile Security R&D, its alignment with DHS and federal mobile security strategies and priorities, and provides a view into S&T’s exploration of new and cutting edge mobile security R&D. We are excited to share these promising mobile security technologies with you and welcome your feedback.

Through targeted mobile security R&D, S&T seeks to accelerate the adoption of secure mobile technologies by government and industry to address mobile cybersecurity needs and protect the Homeland Security Enterprise. This guide represents the important contributions of the Mobile Device Security (MDS) Program in achieving the Digital Government Strategy goal of “Building a 21st Century Platform to Better Serve the American People.” Mobile security R&D is intended to address security gaps and barriers and accelerate the adoption of secure mobile technologies into the federal government. The MDS Program goals are to apply R&D to:

- Enable a secure mobile workforce
- Enable mission success through effective and efficient technologies

This technology guide, which will be updated and published annually, features 13 new technologies. To help direct future publications, please reflect on the mobile security capability gaps in your own organization, and share your thoughts with the DHS S&T MDS Program Manager (email Vincent Sritapan). Your input is critical to identify timely solutions and to inform future research efforts. It is our pleasure to introduce you to the MDS program and these newly developed mobile security tools resulting from government funding.

Sincerely,

Douglas Maughan
DHS S&T Cyber Security Division
Director

Vincent Sritapan
DHS S&T - Cyber Security Division
MDS Program Manager

Contents

CYBER SECURITY DIVISION
MOBILE DEVICE SECURITY (MDS) PROGRAM STRATEGY
SOFTWARE BASED MOBILE ROOTS OF TRUST
  BLUE RISC
  GALOIS
  DEF-LOGIX
MOBILE INSTRUMENTATION
  HRL LABORATORIES
  KRYPTOWIRE
  NORTHROP GRUMMAN
  UNITED TECHNOLOGIES RESEARCH CENTER
TRANSACTIONAL SECURITY METHODS
  RUTGERS UNIVERSITY
NEXT-GEN MOBILE SECURITY MANAGEMENT TOOLS
  IBM
  UNIVERSITY OF NORTH CAROLINA AT CHARLOTTE
MOBILE DEVICE LAYER PROTECTION
  INTELLIGENT AUTOMATION INC.
MOBILE APP SECURITY
  KRYPTOWIRE LLC
CONCLUSION

Department of Homeland Security
Science and Technology Directorate
Cyber Security Division

The Cyber Security Division is a Key Component in the President’s National Strategy

Threats on the Internet change fast and cybersecurity is one of the most challenging areas in which the Federal government must keep pace. Next-generation cybersecurity technologies are needed to enhance the security and resilience of the nation’s current and future critical infrastructure and the Internet.

In the Department of Homeland Security (DHS) Science & Technology Directorate (S&T), the CSD enables and supports research, development, testing, evaluation, and transition for advanced technologies in cybersecurity and information assurance. This full lifecycle of activities evolved in response to the President’s National Strategy to Secure Cyberspace and the Comprehensive National Cybersecurity Initiative (CNCI).

The S&T Cyber Security Division addresses these objectives by:

- Discovering new solutions for emerging cybersecurity threats to the nation’s critical infrastructure;
- Driving security improvements to close critical weaknesses in today’s technologies and emerging systems; and
- Delivering new, tested technologies to defend against cybersecurity threats and making them available to all sectors through technology transfer and other methods.

CSD Focuses on Critical Vulnerabilities in the Cyber Security Landscape

Internet Infrastructure Security—Developing security protocols for the existing Internet infrastructure (browsers and routers, essential to daily Internet operation) so that users are not redirected to unsafe websites or pathways by malicious actors.

Critical Infrastructure/Key Resources—Securing the information systems that control the country’s energy infrastructure including the electrical grid, oil and gas refineries, and pipelines, to reduce vulnerabilities as legacy, standalone systems are networked and brought online.

National Research Infrastructure—Providing the infrastructure that enables development and testing of technologies to address cybersecurity issues including botnets, worm propagation and defense, and denial-of-service defenses that protect Internet websites against attack; providing a data repository to support the cybersecurity research community.

The CNCI establishes a multi-pronged approach the Federal government will take in identifying current and emerging cyber threats, shoring up current and future vulnerabilities in telecommunications and cyberspace, and responding to or proactively stopping entities that wish to steal or manipulate protected data on secure Federal systems.

Leap-Ahead Technologies—Develop “leap-ahead” technologies that will achieve orders-of-magnitude improvements in cybersecurity. One of CNCI’s goals is to achieve a reliable, resilient, and trustworthy digital infrastructure.

S&T CYBER SECURITY DIVISION MOBILE SECURITY R&D PROGRAM GUIDE

Our vision is a cyberspace that supports a secure and resilient infrastructure, that enables innovation and prosperity, and that protects privacy and other civil liberties by design. It is one in which we can use cyberspace with confidence to advance our economic interests and maintain national security under all conditions.
— Quadrennial Homeland Security Review, 2010

Cyber Security Education—Helping to foster adequate training and education programs critical to the nation’s cybersecurity needs by providing opportunities for high school and college students to develop their skills and by giving them access to advanced education and exercises through team competitions.

Identity Management—Evaluating and developing proof-of-concept solutions, and conducting pilot experiments of identity and access control architectures and technologies, as well as data privacy protection technologies for the homeland security community.

S&T: Preparing for Next-Generation Cyber Threats

In the coming years, several cybersecurity challenges must be addressed. The most critical of these include Enterprise-Level Metrics, Combating Insider Threats, Combating Malware and Botnets, Digital Provenance, Situational Understanding and Attack Attribution, and Usable Security.

Cyber Forensics—Developing new cyber forensic analysis tools and investigative techniques to help law enforcement officers and forensic examiners address cyber-related crimes.

Software Assurance—Developing tools, techniques, and environments to analyze software, address the presence of internal flaws and vulnerabilities in software, and improve software security associated with critical infrastructure (energy, transportation, telecommunications, banking and finance, and other sectors).

Mobile Device Security (MDS) Program Strategy

Mobile Device Security Program Strategy

Vision

The Department of Homeland Security (DHS) workforce has become increasingly mobile, driving the need for secure mobility solutions and a coordinated approach and framework to guide the selection and implementation of common enterprise mobility solutions. To promote the safe and secure adoption of mobile technology in DHS and the federal government, the DHS Science and Technology Directorate (S&T) Cyber Security Division (CSD) within the Homeland Security Advanced Research Project Agency (HSARPA) created the Mobile Device Security (MDS) Program, and adopted the following vision to guide its research efforts:

MOBILE DEVICE SECURITY PROGRAM VISION
Accelerate the adoption of secure mobile technologies by the Department, the government, and the global community

Context

Mobile Technology, recognized as a cornerstone of the 2012 White House Federal Digital Government Strategy (DGS), seeks to enable “access to quality digital government information and services anywhere, anytime, on any device.” The DGS acknowledges new and unique security and privacy challenges must be met to accelerate the adoption of mobile technology into the federal government. In addressing DGS challenges, interagency efforts resulted in development of security requirements for mobile computing and identification of major barriers and gaps that impede mobile adoption. The mobile challenge areas identified were Mobile Device Management, Mobile Application Management, Identity and Access Management, and Data Protection. Though progress has been made in these areas, more needs to be done to address current and especially emerging challenges.

Two factors conspire to create the urgent need for secure enterprise solutions. First, the use of mobile solutions is rapidly increasing across the Department and the federal government. Secondly, mobile threats present an increasingly common and more sophisticated threat to data stored or processed on DHS devices. Threats to mobile devices, applications, and data have grown dramatically in the past few years. A recent analysis of threats [1] highlighted several key developments, including the following.

- Malware grew substantially in the U.S., driven by an increase in threats holding devices and data hostage in exchange for payment (ransomware).
- Mobile threat sophistication is increasing. Certain malware has even entered the marketplace pre-installed on certain devices, indicating a compromised supply chain. Malware self-defense mechanisms are also gaining sophistication, evading attempts to detect and defeat the application.

A mature mobile ecosystem comprises many elements, as shown below. Each of these areas presents security challenges and opportunities for additional study and mobile security research and development (R&D).

[Figure: Elements of a Mature Mobile Ecosystem]

Objectives

To respond to the evolving threats and security challenges in the mobile space, S&T CSD has developed and will transition programs directed at several strategic objectives and initiatives. Through this work, S&T will ensure DHS is poised to bridge current capability gaps and deploy solutions that effectively, efficiently, and securely enable the mission of the Department. The MDS Program has established three overarching objectives as it seeks to achieve the program vision:

MOBILE DEVICE SECURITY PROGRAM OBJECTIVES
1: Partner with DHS Components and federal stakeholders to identify operational requirements and capability gaps
2: Develop secure mobile solutions to enhance the DHS mission
3: Partner with industry to foster innovation

Strategic Alignment

The objectives and initiatives of the MDS Program align with DHS, S&T, and federal strategies and priorities. The DHS S&T 2015-2019 Strategic Plan addresses the goals and objectives necessary to deliver effective and innovative insight, methods, and solutions for the critical needs of the Homeland Security Enterprise (HSE). The plan’s three strategic objectives were specifically designed to address the environment the Government operates within today, and MDS Program goals directly align with Objectives 1 and 2. These objectives and their respective initiatives are:

1. Deliver Force Multiplying Solutions:
   – Identify and prioritize operational requirements and capability gaps
   – Make strategic investments in high-impact, priority areas
   – Partner with the HSE
2. Energize the Homeland Security Industrial Base (HSIB)
   – Optimize markets by pooling demand and developing standards
   – Engage the HSIB through a deliberate, continuous, and transparent approach
   – Improve programs designed to increase collaboration with innovative companies

The Program also directly aligns with two key goals and objectives of the DHS Information Technology Strategic Plan [2]:

Goal 2: Innovative Technology
   – Objective 2.4: Enable end-to-end delivery of mobile solutions that enhance enterprise-wide mobile computing capabilities for successful mission outcomes.
Goal 4. Cybersecurity
   – Objective 4.2: Enable secure communications to effectively support the mission of DHS and its partners.

Mobile technology by its nature allows the end user access to data that might not otherwise be available. Ensuring access to data and services ‘anywhere, anytime’ is one aspect of the targeted mobile security R&D and aligns specifically with Objective 2.4. Mobile security R&D is heavily focused on ensuring secure delivery of data and/or services, consistent with Objective 4.2.

The Office of Management and Budget’s Cybersecurity Strategy and Implementation Plan (CSIP) [3] also addresses the need for mobile security as an imperative. This document notes that “Mobile devices have become as powerful and connected as desktop and laptop computers, requiring the same level of attention to cybersecurity. Mobile security has unique challenges that require different solutions than existing programs offer. [Potential solutions] could address authentication, application management, device management, and encryption, and may include approved tools, best practices, and implementation support.”

Finally, it should be noted that the MDS Program is directly aligned to the requirements of DHS components and missions elicited through multiple sources, as noted below.

Initiatives to Address Objectives

OBJECTIVE 1. Partner with Components and Federal Stakeholders to Identify Operational Requirements and Capability Gaps

To achieve Objective 1, the MDS Program leverages the efforts of existing federal and DHS mobility working groups to gather and prioritize mobile security capability gaps preventing mobile implementations both at the federal level and across the HSE. These groups include the following federal and DHS working groups:

Federal Interagency Working Groups
- Federal Chief Information Officers (CIO) Council’s Information Security and Identity Management Committee (ISIMC) Mobile Technology Tiger Team (MTTT)
- ISIMC Identity, Credential and Access Management Sub-Committee (ICAMSC)
- MTTT Mobile Application Security Vetting Working Group

DHS Mobility Working Groups
- Common Enterprise Mobility Tiger Team
- Mobility Initiative-5 (mi-5)
- Mobile Community of Practice

OBJECTIVE 2: Develop Secure Mobile Solutions to Enhance the DHS Mission

Collectively, these groups have identified gaps in current policy or technologies that inhibit the adoption of secure mobile solutions. From these issues, CSD has prioritized several that are appropriate targets for Mobile Security R&D, including:

- Mobile device management
- Device interface management
- Trust implementation for executables and access
- Application management and version control
- Malware and mobile app security vetting
- Identity management and authentication
- Data privacy
- OS fragmentation

The MDS Program has established several initiatives to address the primary gaps identified through its partnerships with DHS Components and other federal agencies. These efforts identified needs for secure mobile solutions in four areas:

- Mobile device management
- Mobile app management
- Identity and access management
- Data management/data protection

These areas are interrelated; for example, secure solutions for both mobile device management and mobile app management include data protection and integration with identity and access control solutions.

The MDS projects and initiatives addressing these challenges are related as illustrated above. These initiatives are broadly focused on mobile device security and mobile application security, as described below.

Mobile Device Security

One objective of this effort is to develop tamper-evident modules, or “roots of trust,” that can be continuously measured and verified to produce a chain of cryptographically strong evidence about the state of the device. This serves to verify devices are in a protected state at power-on and continue to bootstrap trust to verify software (e.g., operating system, apps, security management software, etc.) before and during execution. This root of trust can be queried and measured to attest to the state of the device to provide greater assurance to security mechanisms such as software verification, application and data isolation, and data protection, which are at the heart of security enforcement technologies such as mobile device management.

A cross-cutting effort under mobile device management seeks to leverage the mobile device’s innate capabilities (e.g., application sandboxing, camera, GPS, etc.) to sense and measure the environment, user interaction, and app interaction to gather contextual information. Situational awareness capabilities that relate contextual attributes, such as application usage, patterns of data access, and geo-location, can be used to ascertain the risk associated with the user, device, app, and network connectivity. This knowledge can be applied to any of the four categories of security management for devices, applications, users, and data to enable the ability to dynamically enforce policies and adapt service access based on threat level associated with the current context. Moreover, these continuous sources of contextual attributes also enable capabilities for behavioral-based user identification and anomaly detection.

Mobile App Security

The MDS Program is developing a framework that employs static, behavioral, and flow-based techniques to continuously vet the security posture of government-developed and commercially developed mobile apps throughout their lifecycle – from requirements, design, and implementation through deployment, maintenance, and retirement. This capability will go beyond identifying malicious software and be able to pinpoint undesirable behavior that violates user-defined risk criteria. By providing a standard evaluation score and analysis report that provides actionable information for decision makers to remediate problems, this effort also promotes information sharing across Components and federal agencies, potentially reducing cost and avoiding duplication of analysis efforts.

The DHS Joint Requirements Council (JRC), a component-led body focused on operational mission areas, is designed to identify, prioritize and recommend investments to address cross-department required capabilities, ensuring unity of effort among the components, and to address the highest priority needs to meet mission requirements. The JRC established the Cybersecurity Portfolio Team in 2014 to identify and develop requirements for the highest priority, cross-department capability needs for cybersecurity. The Cybersecurity Portfolio Team identified new capabilities in Mobile App Security as a high-priority, cross-department need. Future efforts under the mobile app security program seek to promote a standards-based approach (e.g., via linkage to national vulnerability databases), integrate the vetting of mobile applications with federal application stores, and enable active management of applications throughout the lifecycle by integrating the solution with mobile enterprise management solutions.

On the Horizon

In addition to addressing current and emerging mobile security challenges in the four key aspects of the MDS Program (devices, apps, identity, data), additional R&D will be needed to integrate these technologies into a holistic mobile security solution that protects the HSE. Future R&D areas include integration into continuous monitoring and other elements of the network security infrastructure.

OBJECTIVE 3. Partner with Industry to Foster Innovation

Industry partnerships and relationships enable the MDS program to engage and leverage the power of the private sector to bring innovative solutions to the marketplace sooner. The MDS Program has formed valued relationships with academic and industry performers, including the following, by technical area:

Mobile Roots of Trust R&D
- BlueRISC, Inc., Amherst, MA
- Def-Logix, San Antonio, TX
- Galois, Inc., Portland, OR

Mobile Malware Analysis / Mobile App Archiving R&D
- University of California, Santa Barbara / Vrije Universiteit Amsterdam
- George Mason University / KryptoWire LLC

Broad Agency Announcement: Mobile Technology Security [4]
- Northrop Grumman – Mobile Device Instrumentation
- HRL Laboratories, LLC – Continuous Behavior Based Authentication for Mobile Devices
- Kryptowire LLC – Quo Vadis? A framework for Mobile Device and User Authentication
- United Technologies Research Center – CASTRA: Context Aware Security Technology for Responsive and Adaptive Protection
- Rutgers University – Dynamic Data Protection via Virtual Micro Security Perimeters
- IBM: Multi-modal Mobile Security Management for User Behavior Anomaly Detection and Risk Estimation
- University of North Carolina at Charlotte – Theseus: A Mobile Security Management Tool for Mitigating Attacks in Mobile Networks
- Intelligent Automation, Inc. – TRUMP: Trusted Monitor and Protection for Mobile Devices

A summary of each performer’s R&D technology follows.

References
[1] 2014 Lookout Mobile Threat Report, Lookout.com Website.
[2] Department of Homeland Security Information Technology Strategic Plan, FY2015-2018.
[3] OMB m-16-04, Cybersecurity Strategy and Implementation Plan, White House Website.
[4] See press release at: Department of Homeland Security Science & Technology News Website

Software Based Mobile Roots of Trust

Mobile Roots of Trust: Software-only Roots of Trust for Mobile Devices

BlueRISC
Kristopher Carver – PI
Email Kristopher Carver
Dr. Andras Moritz – Founder
Email Dr. Andras Moritz
Jeffry Gummeson – Sr. Security Architect
Email Jeffry Gummeson

Overview

BlueRISC’s MobileRoT measures and verifies a mobile device’s static and runtime state to enable trust and overall device security. It can be utilized to detect malicious system change or activity and to ensure that access to critical information and software can only be performed in a trusted state. MobileRoT requires no modifications to the underlying operating system kernel, nor any manufacturer or service provider support for insertion, which greatly reduces hurdles to adoption.

Our Approach

To overcome the array of surface attacks designed against software-based systems, MobileRoT utilizes a new architecture for enabling transitive trust based on a Core Root of Trust for Measurement (CRTM). The CRTM is hardened code that acts as the root-of-trust for reliable integrity measurements and is the foundation for additional trusted services. The MobileRoT architecture includes a layer of encrypted CRTM code that is tied to a cryptographic key that is generated at boot-time. With the CRTM established, the resulting system does not require any sensitive information to be stored persistently in an unprotected state, closely mimicking the level of security achievable via dedicated hardware. A secure cryptographic sealing and unsealing procedure tied to the boot-time and runtime measurements performed by the solution enables application and data protection. Since all protected data and applications are sealed, they remain protected even in the case of an attacker’s attempt to alter or bypass the MobileRoT technology.

Customer Need

The mobile device market has grown tremendously. Individuals, businesses, and governments rely on mobile devices to access critical infrastructure and share vital information (e.g. banking, medical, intellectual property, etc.). This growth in adoption has also brought about a parallel surge in attacks. Malware, ransomware and spyware are targeting mobile platforms to steal sensitive data, access private networks, track users and do other nefarious activities. Particularly for governments using mobile technology, mobile attacks can disrupt life-saving operations, endanger personnel and expose government systems to exploitation.

Roots-of-Trust (RoTs), which are highly trustworthy tamper-evident components, can provide a foundation to build security and trust. RoTs are usually provided as a specialized hardware chip (e.g., Trusted Platform Module) on desktop or laptop systems. However, mobile devices lack dedicated hardware mechanisms for providing RoTs. This leaves a single solution, namely to provide RoTs via software. Unfortunately, this is challenging to realize given the sophistication of current threats and the ease with which a mobile device’s state and information can be extracted and altered. Moreover, security specifications such as Trusted Computing Group’s Mobile Trusted Module do not address how to support mobile RoTs in software nor do they address dynamic verification of device and software behavior while applications are running.

Traditional solutions focus primarily on boot-time validation, establishing the validity of each component prior to a complete boot, while providing only minimal support for runtime activities. Unfortunately, it is widely known that sophisticated attacks can target applications that are already running and devices are rarely rebooted these days. To address the shortcomings of one-time static verification, MobileRoT provides dynamic verification and attestation by also performing runtime measurements of the system state of the device. These runtime agents harden themselves from attack and modification by creating a self-validating network, which can instantly respond to a threat to the system or the protection technology itself.

While cybercrime targeting mobile devices is becoming pervasive, MobileRoT can preserve and confirm the integrity of the device while at rest or in use. BlueRISC’s MobileRoT technology has overcome barriers to bring RoT to a mobile platform, providing a foundation of security features to accelerate development of secure mobile devices.
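The measurement chain described under Mobile Device Security and the sealing tied to boot-time and runtime measurements described in the BlueRISC overview can be sketched as follows. This is an added Python illustration, not BlueRISC's code or API: the function names, the component list, the TPM-style SHA-256 extend and the HMAC-based cipher (a stand-in for a real AEAD) are all assumptions.

```python
import hashlib
import hmac
import os

H = hashlib.sha256
NONCE_LEN, TAG_LEN = 16, 32


def extend(register: bytes, image: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(image)). One-way and order-sensitive."""
    return H(register + H(image).digest()).digest()


def measure_chain(components) -> bytes:
    """Fold (name, image) pairs, in load order, into one measurement value."""
    register = bytes(H().digest_size)  # all-zero starting value
    for _name, image in components:
        register = extend(register, image)
    return register


def _subkey(boot_secret: bytes, measurement: bytes, label: bytes) -> bytes:
    # The key depends on both the boot-time secret and the measured state,
    # so any changed component yields an unrelated key.
    return hmac.new(boot_secret, label + measurement, H).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: illustrative stand-in for an AEAD cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), H).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(boot_secret: bytes, measurement: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys bound to the given measurement."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(boot_secret, measurement, b"enc"),
                        nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(boot_secret, measurement, b"mac"),
                   nonce + ciphertext, H).digest()
    return nonce + ciphertext + tag


def unseal(boot_secret: bytes, measurement: bytes, blob: bytes):
    """Return the plaintext, or None if the current state does not match."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(_subkey(boot_secret, measurement, b"mac"),
                        nonce + ciphertext, H).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # measured state (or secret) differs from seal time
    stream = _keystream(_subkey(boot_secret, measurement, b"enc"),
                        nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo():
    """Constructed sample: seal in a trusted state, re-measure after a change."""
    boot_secret = os.urandom(32)  # models the key generated at boot time
    trusted = [("bootloader", b"bootloader-v1"),
               ("kernel", b"kernel-v1"),
               ("mdm-agent", b"agent-v1")]
    blob = seal(boot_secret, measure_chain(trusted), b"secure event: 09:00 briefing")
    ok = unseal(boot_secret, measure_chain(trusted), blob)

    # Runtime re-measurement after one component has been modified.
    modified = [trusted[0], ("kernel", b"kernel-v1-patched"), trusted[2]]
    denied = unseal(boot_secret, measure_chain(modified), blob)
    return ok, denied


if __name__ == "__main__":
    print(demo())
```

Because the sealing keys are derived from the measurement, a modified component does not need to be detected by a separate check: the data simply cannot be recovered in that state.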

Benefits

The value proposition for BlueRISC’s MobileRoT product is the establishment of software-based static and dynamic RoTs that can be leveraged for providing application and data protection and trusted MDM policy enforcement. The automated installation methodology and the lack of any modifications to the underlying operating system kernel drastically reduce barrier-to-entry.

Competitive Advantage

In mobile device protection, there are two main types of solutions: those provided by the device manufacturers and those designed to operate on top of the OS to provide some user-land security services. Out of these two types of products, the former represent the main competition. Table 1 provides a more detailed competitive analysis between mobile protection solutions.

MobileRoT reliably allows all levels of software, including user applications, to have access to its trusted services through an open application programming interface (API). This enables the creation of secure off-the-shelf third-party and proprietary applications and data, and strengthens key management and policy enforcement technology, such as Mobile Device Management (MDM). MobileRoT also provides fine-grained protections integrated directly into an application. For example, BlueRISC has taken a standard Android Calendar application and modified it to support the concept of a “Secure Event”. This secure event is established in cooperation with the MobileRoT and persistently protected. To view a secure event, proper authorization and authentication is required and the system state must be verified.

BlueRISC’s solution complements the user-land security solutions (such as MDM), which could take advantage of the RoTs provided by MobileRoT to harden their system/approach via the open trusted services API. The provided features are valuable to traditional anti-virus/MDM companies because recent trends in security suggest that they are losing their value proposition as the attacks are becoming more sophisticated. Lastly, one of the goals of MobileRoT is to provide a U.S.-made alternative to vendor-specific technologies such as Samsung’s Knox that is also open to third-party developers. This is also expanding upon the protections and trusted services while enabling flexibility.

Next Steps

We are currently finalizing implementation of the Trusted Services API to provide beta versions to our existing partners for use-case development and security evaluation. We are always interested in exploring additional use-cases with new partners.

Competitive Analysis of Mobile Protection Solutions

Features                               BlueRISC  Samsung  Arxan  McAfee
Software-only Roots of Trust           1         0        1      1
Chain-of-trust: Boot through Runtime   1         1        0      0
Dynamic System Attestation             1         0        1      1
MTM Compatible                         1         0        0      0
Open API                               1         1        1      0
Automated Technology Insertion         1         0        0      1
Provisioning for FIPS Certification    1         1        0      0
Supports Government Credentials        1         1        0      0
Owned & Operated in USA*               1         0        1      1
Total:                                 9         4        4      4

Enables 3rd party MTM compatible software to run
* Critical for US Government & Defense Use Cases

Mobile Roots of Trust: Next-Generation Security and Confidence

Galois
Adam Wick
Email Adam Wick

Overview

Mobile roots of trust provide a mechanism to not only have a secure device, but to prove it. While such capabilities exist in limited product lines, we focus on increasing commercial understanding of the capability to bootstrap a market that provides better and more prevalent capabilities.

Customer Need

As malware infects the mobile environment, the critical services in our lives must begin to ensure that the requests they receive from our mobile phones are actually coming from us, rather than from malware. To do this, they must have a trustworthy mechanism by which to query the state of our devices. This capability allows government and commercial entities to ensure, for example, that critical data is only transferred to devices that have been properly configured to organizational standards.

At the heart of any such mechanism is a root of trust. It provides the basis for any argument the phone makes about its state. Because of the root of trust, we trust the phone’sm
