


Android's pKVM Becomes First Globally Certified Software to Achieve SESIP Level 5 Security Certification (googleblog.com)
Protected KVM (pKVM), the hypervisor powering the Android Virtualization Framework, has officially achieved SESIP Level 5 certification (in testing by cybersecurity lab Dekra against the TrustCB SESIP scheme).
Google's security blog called the certification "a watershed moment," and a "new benchmark" for both open-source security — and for the future of consumer electronics. "It provides a single, open-source, and exceptionally high-quality firmware base that all device manufacturers can build upon." This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar. The implications for the future of secure mobile technology are profound. With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity...
Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the highest level of vulnerability analysis and penetration testing under the ISO 15408 (Common Criteria) standard. A system certified to this level has been evaluated to be resistant to highly skilled, knowledgeable, well-motivated, and well-funded attackers who may have insider knowledge and access. This certification is the cornerstone of the next-generation of Android's multi-layered security strategy. Many of the TEEs (Trusted Execution Environments) used in the industry have not been formally certified or have only achieved lower levels of security assurance... Looking ahead, Android device manufacturers will be required to use isolation technology that meets this same level of security for various security operations that the device relies on. Protected KVM ensures that every user can benefit from a consistent, transparent, and verifiably secure foundation.
"This achievement represents just one important aspect of the immense, multi-year dedication from the Linux and KVM developer communities and multiple engineering teams at Google developing pKVM and AVF," the post concludes.
"We look forward to seeing the open-source community and Android ecosystem continue to build on this foundation, delivering a new era of high-assurance mobile technology for users."
Wasn't WinNT security certified as well? (Score:2)
yes (Score:4, Informative)
Re: Wasn't WinNT security certified as well? (Score:3)
no, dude (Score:3, Informative)
This is specifically referring to NT 3.5 and 4.0 getting C2 security certification. The tested system did have a floppy disk, just not a network connection. [slashdot.org] It was also a custom software configuration.
"The evaluation of Microsoft Windows NT 4.0 excludes Exchange Server, System Management Server (SMS), MS Mail, remote access services and Clipbook viewer. Domain based security functionality is included up to the transport driver interface; underlying network protocols and architectures are excluded. The posix
Re: (Score:2)
Exactly. Functionally, it is similar to the idea that any computer can be secured by cutting the power cord, wiping the drive, encasing it in a 10-foot concrete cube and sinking it to the deepest part of the ocean. But good luck playing Minesweeper on that.
Psst...I've got a certification to sell you (Score:2)
I'll even make it global, for just 50% more!
Make the device read-only (Score:2)
Re:Make the device read-only (Score:5, Interesting)
> Wouldn't it be simpler and safer to make the device read-only through a hardware switch? That way any potentially harmful malware would be flushed at boot.
Well, the system partition on most Android devices is already effectively read-only, and if the bootloader is locked and dm-verity is enforced, changing it without permission isn't easy. Malware mostly doesn't end up there. Making more stuff read-only gets complex, you'd have to turn it off to install an app, and maybe even to log in and save session data. And then there's all the persistent advertising and tracking spam that needs to be written. And then there's the possibility of malware sitting and waiting until the write-protect switch is turned off and doing its evil deeds. Not an easy problem to solve.
Xbox has done quite well using a virtualization-based approach, with the 360's protection only relatively recently being broken effectively and the later models still holding strong. Done right, this could be best approach for Android as well.
Re:Make the device read-only (Score:5, Informative)
a. Not really, I built one long ago on a USB device with a read-only switch. A self-extractable RAR archive that extracted into a RAMDISK.
b. Besides, is it wise trusting your security to former members of Unit 8200, the cyber security arm of the Israel Defense Forces?
Built on military-grade cyber expertise [plaxidityx.com]
“Three graduates of the Israel Defense Forces’ Unit 8200 – responsible for the military’s cyber security – created Argus Cyber Security LTD.* to bring their robust expertise to the private sector. And until today, our R&D department is home to cyber experts from across the IDF.”
Israel’s Unit 8200 used Microsoft cloud to store ‘a million calls an hour’ of Palestinian phone conversations [arabnews.com]
Re: (Score:2)
> Making more stuff read-only gets complex, you'd have to turn it off to install an app, and maybe even to log in and save session data ..
> a. Not really, I built one long ago on a USB device with a read-only switch. A self-extractable RAR archive that extracted into a RAMDISK.
Lots of things do stuff like that, a few of them even with hardware write protect. Most home-grade routers, as another commenter points out. The many composable/immutable Linux distros coming out lately. But this model either breaks the "just install an app" paradigm everyone is used to, or if willy-nilly installation of persistent, executable code is permitted, doesn't really solve the problem.
Code signing and verified boot can really go quite far, and solid VM-based app sandboxing is a big boost beyond
Re: (Score:3)
> Making more stuff read-only gets complex, you'd have to turn it off to install an app, and maybe even to log in and save session data.
No. For a hardware-based scheme you simply need one memory chip that is for system software (hardware read-only) and another for configuration, applications, and application data. The system software chip doesn't need to be anything fancy either because it can be a compressed partition that is copied into RAM upon boot for maximum speed or utilize execute in place (XIP) if access speed is not an issue. This isn't a unique scheme either because this is how consumer-grade home routers operate, using flash me
Re: (Score:2)
So read only for a tiny portion of the system and read-write for an entire world of data that is required to make the device reasonably function. Got it. Nice small attack surface you have there.
Re: (Score:3)
If the read-only bit is secure against attacks and only loads digitally signed content as the next layer of the execution environment, then yes, it is a small attack surface. Certificate or signature revocation is the major need in that case.
If app X is read-write and insecure but it only has access to data in its own partition then I only care about its insecurity for a few values of X: email client and web browser most prominently.
Re: (Score:2)
> So read only for a tiny portion of the system
If by "tiny portion of the system", you mean the entire firmware, then yes.
> and read-write for an entire world of data that is required to make the device reasonably function.
This is the present condition when it comes to the hardware.
> Nice small attack surface you have there.
It is always favorable to reduce the attack surface, which is what such a scheme would ensure. I'm not sure why you seem to object to this notion.
Wank me a river (Score:2)
Yes, yes, the critics will wank on about it being Google, or imperfect somewhere, or just like Windows. But are you really going to claim it's worse than the current solution of "nothing at all" in the IoT space?
Android? Really? (Score:2, Troll)
When does ANYTHING Google does have to do with privacy or integrity?
Re: (Score:3)
Re: (Score:2)
And in this case, you do not even have access to the room in the basement, because only the landlord has the key.
Re: (Score:2)
That's the security industry all over. Make the strongest links even stronger and more prominent, shouting about it from the rooftops while leaving the weak links that an attacker is actually going to target just the same as they always were.
Re: (Score:3)
Years ago a place I worked for that handled data that someone had decided was sensitive needed to get their security audited and certified. The assessor who did it declared the server room to be secure (thick concrete walls, it was the part of the basement of a large structure, locked security door) and everything else, like the key to the server room hanging on the hook outside the door to be out of scope and therefore not part of the audit (I'm not making this up). So it was audited and certified secure
Android Device Security doesn't matter (Score:2, Troll)
Google knows more about you than you know about yourself at this point.
Google securing android is like the
Very Effective DRM (Score:5, Insightful)
Precisely. This is going to be used against the owners of the hardware, not for them. I suspect that these containers are very secure. It's just too bad that my phone is the one device that I own where I do not have root access. This security is not going to be used to protect my data from Google, but to protect Google's data from me.
Hooray!
Re: (Score:2)
Android is also Open Source. Perhaps SurfaceFlinger will be what winds up winning instead of Wayland ;)
Re: (Score:2)
Totally orthogonal concern. Try again.
Re: (Score:2)
Google doesn't hand over data to you. Why would they? That would be like Coca Cola selling recipes instead of drinks. They sell your eyes, through their platforms, through APIs that target you. Your data belongs to them.
And they are the *LAST* people I'm concerned about having it compared to literally anyone else because I trust their desire to make money is aligned with my interest for them to not simply hand over raw data to anyone else.
Can this be mainlined as part of KVM? (Score:3)
I wonder if this can be put in the mainline Linux kernel. So much stuff coming from Android and AOSP is highly useful outside of that ecosystem. For example, something like this would be very useful for web browsers to ensure that even if they were compromised, it would not escape the virtual machine. For servers, having containers in pKVM VMs is also an increase in security.
Yeah, yeah, I know; fuck Google, but... (Score:5, Insightful)
If I'm understanding this correctly, pKVM will enable a single, extensible kernel binary to be used by all Android hardware manufacturers. Vendors just need a pKVM vendor module that enables device-specific functionality. Diverse hardware platforms can now all share the same kernel, which means security patches for Android will, in the future, cover all devices instead of having each vendor having to roll/integrate their own.
The other purpose is to further the security model of Android by fully de-privileging third party code and providing a portable environment in which services are isolated from each other and the rest of Android.
Also, while phones might be the most prevalent use of Android they are far from the only application. Pushing this security model makes Android more attractive for all applications, not just consumer ones.
Google might be unpopular, but I can't see how this is a bad thing unless you really like the idea of your data being exfiltrated (by someone other than Google).
Doesn't matter (Score:2)
Congratulations, but how many will use it? (Score:2)