Architecture Design of OpenHarmony Based on Hierarchical Security

This article is reproduced from the OpenHarmony TSC official WeChat public account: "Summit Review Issue 1 | OpenHarmony Architecture Design Based on Hierarchical Security".

Speaker | Fu Tianfu

Review and arrangement | Liao Tao

Typesetting proofreading | Li Pingping

Guest profile

Fu Tianfu is Head of the Security and Confidential Computing TSG of the OpenHarmony Technical Steering Committee, Deputy Chief Scientist of the Huawei Scientist Committee, Chief Security Architect of the Terminal BG/Car BU, and Security SEG Leader. He is mainly responsible for research and product design in HarmonyOS/OpenHarmony operating system security architecture, terminal chip security architecture, security chips, trusted computing, mobile application ecosystem governance architecture, data leakage prevention technology, and big-data-based network security and application security detection technology.

Article content source

The First Open Atom Open Source Foundation OpenHarmony Technology Summit - Security and Confidential Computing Sub-Forum

Video review

Summit Review Issue 1 | OpenHarmony Architecture Design Based on Hierarchical Security——Fu Tianfu

Contents

OpenHarmony is an operating system that enables thousands of industries. How does it protect consumers' personal privacy and enterprises' core data assets in a classified and hierarchical manner throughout the data life cycle? And in a distributed, interconnected ubiquitous system, how does it avoid the whole system falling after one subsystem is compromised? Fu Tianfu, Deputy Chief Scientist of Huawei's Trusted Domain, shared his thoughts at the system architecture level at the first OpenHarmony Technology Summit.

01 Hierarchical security architecture

Fu Tianfu first introduced the original intention behind the OpenHarmony hierarchical security architecture and its related concepts. Why choose hierarchical security theory as the core of the OpenHarmony security architecture? OpenHarmony provides the basic operating system software for a light bulb, a socket, mobile phones, tablets and other smart home devices such as smart screens, routers and storage, and for the industrial Internet, such as coal mining machines in mines and control equipment at docks and ports. If these widely differing devices are to be combined into super terminals, one could of course demand that every device use the most reliable security chips and algorithms in pursuit of ultimate security, but the cost would be unacceptable. A distributed system composed of devices with hugely different security capabilities therefore faces two major risks. The first is leakage of confidential data during processing: weak-security devices in the system are easy to compromise and can be used as a springboard or bot to steal data, and as confidential data circulates within the super terminal it may also accidentally flow from a well-protected strong-security device to a weak-security device and leak. The second is hijacking of control commands: in a distributed interconnected scenario, a very weak device, once hijacked, may be used to forge an identity and issue control instructions, or to tamper with control instructions, causing unpredictable consequences for the control network as a whole.

To address these two typical risks, data leakage and loss of control, OpenHarmony chose a hierarchical security architecture. It must solve two core problems. The first is data leakage prevention: the subjects that may access confidential data must be strictly controlled through encryption, isolation, identity authentication and access control. The second is control-flow trustworthiness: the risks of counterfeiting, hijacking and tampering of the control flow must be resolved, ensuring that low-security-level devices cannot send high-risk instructions to high-security-level devices, thereby preventing the system from losing control.

These two core problems map onto two classical access control models from information security: the Bell-LaPadula model (BLP model for short) to prevent data leakage, and the Biba model to prevent damage to system integrity (untrusted control-flow instructions causing loss of control, that is, a breach of the functional integrity of the system).

[Figure: BLP model core rules; Biba model core rules]

In plain language, an access control model in which subjects access objects means: the correct person (the subject, including natural persons, applications, devices that initiate control, etc.), on the correct device (the environment in which access control is performed), uses the data correctly (the object, including files, data, resources, controlled systems, etc.).
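As an added illustration (not OpenHarmony code), the following Python models the two rules the article combines: BLP for confidential data flowing between devices of different security levels, and Biba for control instructions, with the subject's effective level taken as the weaker of its authentication level and its device level. The level names, device roles and the min() combination are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed trust/sensitivity levels; real OpenHarmony grading is finer."""
    LOW = 1     # e.g. a light bulb or a socket
    MEDIUM = 2
    HIGH = 3    # e.g. a phone with a security chip and a TEE


@dataclass(frozen=True)
class Subject:
    """The 'correct person': who was authenticated, and on which device."""
    name: str
    auth_level: Level    # strength of the person/program authentication
    device_level: Level  # trust level of the device the subject acts from

    @property
    def level(self) -> Level:
        # Assumption for this example: an authentication factor is worth no more
        # than the environment it ran in, so the effective level is the weaker one.
        return min(self.auth_level, self.device_level)


def blp_allows(subject_level: Level, object_level: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject_level >= object_level
    if op == "write":
        return subject_level <= object_level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: Level, object_level: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return subject_level <= object_level
    if op == "write":
        return subject_level >= object_level
    raise ValueError(f"unknown operation {op!r}")


def may_send_data(src: Subject, dst_device: Level, data_level: Level) -> bool:
    """Data leaving src for another device: src must be cleared to read it, and the
    data label must not flow down to a less trusted device (BLP *-property)."""
    return (blp_allows(src.level, data_level, "read")
            and blp_allows(data_level, dst_device, "write"))


def may_issue_command(issuer: Subject, target_device: Level) -> bool:
    """A control instruction is a write into the target's control plane: Biba forbids
    a weaker subject commanding a stronger device (no write up)."""
    return biba_allows(issuer.level, target_device, "write")
```

A strongly authenticated administrator acting from a compromised low-level device is thereby downgraded to that device's level and can neither receive confidential data nor command a high-level device.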

1.1 ►► Correct person (subject)

How can the convenient authentication of people, programs and devices in the operating system be made trustworthy? This requires a mechanism for classification and grading. Based on classification theory, the various authentication forms for people, programs, devices and so on, whether single-factor or multi-factor, are graded and certified, and a higher grade entitles the authenticated party to perform more, and more dangerous, operations.

From the perspective of identity authentication theory, a single factor is less secure than multiple factors, and the same factor authenticated in security environments of different levels also yields a different security level. OpenHarmony has therefore developed a strict specification for evaluating the trust level of multi-factor hierarchical authentication, which decides the authentication level assigned to subjects.

1.2 ►► Correct equipment (environment)

How can the identity and capabilities of each device be trusted in all scenarios? Based on the classification requirements, the device security architecture is divided into several parts, including integrity protection, vulnerability prevention, isolation and access control, and the trusted execution environment, and trust grading is then carried out for each part. For example, the stronger a device's integrity protection, the higher its trustworthiness; devices with different isolation mechanisms and different software and hardware vulnerability prevention technologies also differ in trustworthiness. Once a device has completed identity authentication and trust level authentication, it can assume the corresponding responsibilities in a specific system, and the operating system can also refuse to let a device perform operations beyond the scope of its capabilities, based on its identity authentication and trust level, for example by restricting the instructions it may issue and the sensitivity of the data it may handle.

1.3 ►► Correct data (object)

How can data be kept legal and compliant, and processed in the way its sovereign owner expects? Throughout the data life cycle, the bottom layer of the operating system needs to empower applications. In the data production stage, for example, it is very difficult for applications to implement data classification on their own. Although each application could set the level of each piece of data, the strength of encryption, where keys should be stored, how the key access control mechanism should be designed and so on, this is hard to control across the ecosystem: inexperienced designers may introduce serious security hazards in design and implementation, and the workload is enormous.

OpenHarmony provides a general mechanism for the entire end-to-end process of data production, storage, transmission, use and destruction. For example, when data is generated, the developer sets the data level and the bottom layer automatically completes encryption according to that level, so developers need not deal with cumbersome matters such as the encryption environment, algorithm, strategy and key management. In the data use stage, as long as the data usage policy has been set in advance, the operating system enforces it, for example a policy that the data cannot be printed, transmitted or copied. This greatly reduces the risk of data leakage during end-to-end use.

02 OpenHarmony system permissions and access control architecture

The hierarchical security architecture of the operating system is implemented through hierarchical control of programs. How can the size of the trusted computing base (TCB) be reduced, and how can application permissions be minimized? Fu Tianfu introduced the principles behind the OpenHarmony system permissions and access control architecture. Authentication of people, such as support for multi-modal and multi-factor authentication, was implemented in previous versions, but when a natural person processes data, it must be done through an application, that is, a piece of application logic processes the data. If the permission levels of programs are not strictly distinguished, the subject processing the data is untrustworthy: it is very likely that data which should be processed by an application with low-level permissions is improperly accessed by a high-privilege application, resulting in data leakage. Therefore applications also need to be managed hierarchically. OpenHarmony will open source this part of the design when the latest version is released.

2.1 ►► Classification strategy

In a Linux system, if a process is set to uid=0 (that is, given root authority), the process has obtained the highest privilege in the system and can perform all kinds of dangerous operations unimpeded. In the Android system, besides the highest-privileged processes with root privileges, there are other privileged System processes (uid=1000). For example, permissions such as microphone, camera and geographic location can be accessed at will without user authorization, which has led many attackers to spend great effort injecting malicious code into System processes or modifying their uid to pretend to be a System process. This forms two relatively fragile Trusted Computing Bases (TCBs) in the Android system and poses a huge security risk.

There are similar problems with the improper use of signatures. When an application carries the system platform signature, it has many privileges similar to those of the Android System process and effectively becomes part of the operating system's trusted base in disguise. As is well known, the smaller the trusted base of an operating system, the better: the smaller the TCB, the fewer system defects and the smaller the attack surface.

A high-security operating system generally minimizes its TCB as much as possible and, based on a hierarchical security architecture, limits the number and size of privileged applications. When MULTICS, the originator of the modern operating system, was designed in 1965, the original intention of its security architecture was that "even if it is infiltrated and controlled by spies, it can still ensure that the data in the operating system is safe." MULTICS introduced the epoch-making MLS security model and implemented the hierarchical security architecture of the system on that model. A hierarchical security architecture is also the basic consensus for high-end operating systems, and high-security operating systems designed on a microkernel architecture, such as QNX and L4, also adopt an unprivileged, rootless design.

OpenHarmony draws on these typical high-security operating system architectures from history to design its own hierarchical security architecture model and to achieve a rootless, non-privileged system architecture.

2.2 ►► Implementation logic

In the OpenHarmony operating system, applications are divided into three levels, as shown in the figure below. The System Core layer includes the core basic functions of the operating system, such as resource management and program scheduling and control; the System Basic layer includes the basic services provided by the operating system; and all third-party applications that consumers can download and install have only Normal permissions, that is, they all belong to the Normal layer. In this way, OpenHarmony shrinks the trusted base of the operating system by a large factor. All applications can run only at the lowest level, Normal; if an application needs to access an API of System Basic or System Core, that access is authorized and controlled through the application's permissions. Therefore, as long as OpenHarmony's Basic and Core layers are kept secure, applications can hardly continue to behave maliciously.

[Figure: OpenHarmony hierarchical permission architecture model]

Based on the above grading strategy, all applications in the OpenHarmony ecosystem perform only their intended functions. Weather software, for example, can focus on weather-related functions; because its permissions are extremely limited, it cannot steal user privacy or sell user data for profit. If the purity and safety of the operating system can be guaranteed, risk management and control become much easier, and the purity and safety of the OpenHarmony ecosystem are guaranteed at the root.
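The three-level model described in sections 2.1 and 2.2, as an added Python sketch rather than OpenHarmony's own permission code: each permission carries a minimum application level, a grant is decided at install time regardless of what the manifest declares, and the API gate re-checks the grant at call time. The permission names and their levels are constructed for this example.

```python
from enum import IntEnum
from typing import Dict, List


class Apl(IntEnum):
    """Constructed mirror of the three application levels named in the article."""
    NORMAL = 1
    SYSTEM_BASIC = 2
    SYSTEM_CORE = 3


# Constructed permission catalogue: the minimum level an application must hold
# before the permission can be granted at all. A Normal app can never reach the
# System Basic or System Core entries, however it is signed or what it declares.
PERMISSION_MIN_LEVEL: Dict[str, Apl] = {
    "LOCATION": Apl.NORMAL,            # ordinary app permission (may still need user consent)
    "MANAGE_WIFI": Apl.SYSTEM_BASIC,   # basic system service
    "MANAGE_PROCESSES": Apl.SYSTEM_CORE,  # core resource management / scheduling
}


def grantable(app_level: Apl, permission: str) -> bool:
    """Install-time decision: grant only if the app's level reaches the permission's
    minimum level; unknown permission names are never granted."""
    minimum = PERMISSION_MIN_LEVEL.get(permission)
    return minimum is not None and app_level >= minimum


def install(app_level: Apl, requested: List[str]) -> Dict[str, bool]:
    """Return the grant decision for every permission the manifest requests."""
    return {perm: grantable(app_level, perm) for perm in requested}


def call_api(granted: Dict[str, bool], needed_permission: str) -> str:
    """Call-time gate: a System Basic/Core API is reachable only through a grant,
    so a Normal app that merely declared the permission is still refused."""
    if granted.get(needed_permission, False):
        return "ok"
    return f"denied: {needed_permission} not granted"
```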

2.3 ►► Data leakage prevention

The risk of data leakage is the most painful problem in the current data security field, so OpenHarmony provides an important basic capability: data leakage prevention. OpenHarmony provides a full life cycle management mechanism for data. In addition to strict policy control over creating, storing, using, transmitting and destroying data on the local machine, OpenHarmony can also ensure that after data has been sent to another device, its use remains strictly controlled according to the security policy formulated by the sovereign owner who sent it. OpenHarmony can keep data controllable after it is sent, in both personal and enterprise scenarios.

In what scenarios can the OpenHarmony data leakage prevention solution be applied? Digital copyright protection is a good one: for example, OpenHarmony can help the development and implementation of the National Digital Library. With book copyrights protected from leakage, readers can browse the library's books and literature on an OpenHarmony device without worrying that these valuable assets will be maliciously distributed out of control. If this can be popularized, it will help improve public education, ensure that data is shared under controllable conditions that protect the rights and interests of copyright owners, and let citizens access content of interest anytime, anywhere through an OpenHarmony tablet or computer. Another typical application is self-media: the OpenHarmony system can protect the ownership and property rights of high-quality works by self-media creators, protecting their legitimate rights and interests while promoting the output of high-quality works.

Data leakage prevention is also key to protecting the core data assets of enterprises from leakage. To prevent leakage of data assets, many confidential units still share data by burning CDs, even now that the mobile Internet is extremely popular. Procedures such as physical transfer, CD destruction and re-signing by the responsible person are not conducive to collaboration or efficiency. If the bottom layer of the operating system can provide classified and hierarchical protection while ensuring that data remains strictly controlled after it is sent out, confidential documents can be encrypted with one key press, and their storage, use, encryption and decryption, access control and so on are all carried out in an independent security chip. A security chip usually has hardware "three-defense" protection, so that even if the device is lost and subjected to brute-force cracking, the data is not leaked. Security is greatly increased and the efficiency of data sharing improved.

As can be seen from the above, since the data is encrypted and only ciphertext is transmitted, the data is guaranteed not to leak in transit. The encryption key and file permissions are encapsulated in a digital envelope encrypted with the public key of the encryption machine, and the DLP server and OpenHarmony jointly complete authentication, decryption and permission control, ensuring that the data remains controlled after leaving the data subject.

03 Summary

Fu Tianfu concluded that OpenHarmony's hierarchical security architecture, based on the strict BLP model for data leakage prevention and the Biba model for guaranteeing control flow instructions, can enable thousands of industries. In mobile Internet, enterprise office and other scenarios it ensures that data is not leaked, and that after data is sent it remains strictly controlled and unleaked; in the industrial Internet it strictly guarantees the security and credibility of the control flow, ensuring that only high-security devices can control low-security devices and that low-security devices cannot control high-security devices in reverse, providing the most basic guarantee for the reliable, controllable and stable operation of the industrial Internet. In future versions OpenHarmony will gradually release new functions and features. All scholars and engineers interested in designing and implementing a high-security operating system are welcome to join us to make OpenHarmony's security capability base stronger, enrich its application scenarios, empower the Internet of Everything, escort the national digital economy, and provide the most basic root for China's system software.


Origin: blog.csdn.net/OpenHarmony_dev/article/details/132097285