1
Riscure Assurance
for Premium Content
2
Trusted Execution Environment (TEE) security
• TEE protects the assets hidden in HW or SW
– Hardware enforced mechanisms are set up and controlled by TEE based on root of trust
• TEE isolates assets from REE access
– keys, video, video path
• While the secure media path could be entirely in HW, the configuration as well as
control of the HW is performed by TEE SW
3
Trusted Application (TA) security
• Security of the system is built on top of TEE SW and HW separation mechanisms
• Confidentiality of the data as well as integrity of the applications and data are
critical to the security of the assets
• There should be no unauthorized modifications of the code that performs core
functions and exposes the assets
4
TEE Security Challenges
• Does it protect my assets?
• Is the HW base secure?
• Is the SW secure?
• What kind of attacker can attack me?
• How much effort do they need?
• What can they do with my device?
5
Global Platform Problems / Drawbacks
• Has PP for TEE
• Includes security functional testing
• Only a single assurance level
• Pass/fail evaluation – no quality indication
• Administrative costs
• No component evaluations, only system
• Not endorsed by the content protection
market
• Fixed amount of effort, mitigations not
accounted for
6
Common Criteria Problems / Drawbacks
• Provides various assurance levels
• Takes into account different attacker
levels
• CC provides either extensive evaluation
and testing, or insufficient evaluation and testing
• Administrative costs
• Only integrated System assurance
• Pass-fail verdict
• Reviews implementation
representation
• Doesn’t take mitigations into account
7
Methodology has to:
• Capture relevant attacks
• Provide different security levels
• Provide different assurance levels
• Be time efficient
• Provide component evaluations
8
Levels and Attackers – what does it mean
1-4 Script kiddie or amateur hacker
5-7 Medium to advanced hacker
8 Organized criminals
9-10 Government security agency
9
The “MovieLabs Specifications for Enhanced Content
Protection – Version 1.1” is one of the main security
standards in the content provider market.
For chipsets it requires testing of the Secure Computation
Environment and Secure Media Pipeline, as well as SCA
resistance of the encryption and decryption algorithms.
These requirements are also included in the scope of the
Riscure Assurance for Content Protection program. The
table below shows which Component Assurance Levels are
necessary for chipsets to comply with the MovieLabs
Specifications.
MovieLabs Specifications for Enhanced Content Protection
MovieLabs Specifications | Riscure Assurance for Content Protection
Secure Computation Environment | CAL 6+ for TEE HW, CAL 5+ for TEE SW
Hardware Root of Trust | CAL 6+ for TEE HW
Secure Media Pipeline (SMP) | CAL 5+ for SMP SW, CAL 6+ for TEE HW
Encryption (SCA requirement) | CAL 6+ for Conditional Access (CA)
10
Methodology steps
• Step 1: Design review
– HW and SW design
– Effort depends on the level
• Step 2: TEE HW testing of selected tests
– JIL rating indicates the level
– Effort depends on the level
• Step 3: SW code review of TCB
– SW vulnerabilities per 1KLoC
– Coverage depends on CAL
• Step 4: Integration testing (optional)
– Verifies configuration for level 6 and up
11
Step 1: Design review
• Find the relevant up-to-date attacks in the design
• What HW mechanisms are in place to protect assets and TEE?
(compliance rules)
• What boot process is in place? Is the root of trust
implemented? Key protection, time protection?
• Attacks based on standardized documentation such as JHAS
and knowledge of relevant up-to-date attacks
12
Step 2: HW testing
• For the tests of HW mechanisms selected during the Design review
phase:
– Penetration testing is performed
– For tests that indicate the attack is possible, a JIL rating is
assigned
– Based on the JIL rating, the robustness of the design is
determined
13
Step 3: SW code review
• SW code review aims at:
– Determining overall quality of the code using statistics
– Detecting the most critical SW vulnerabilities
– Detecting if there are exploit mitigations
– Identifying vulnerabilities in the chain of trust
14
Benefits
• Effective testing with respect to time to
market
• Budget-efficient high-assurance
evaluation
• Up-to-date threat assessment
• Composite evaluations
15
NEW: Riscure Assurance
for Premium Content
screening
• Estimates what level your chip/HW/SW
component would get
• Key benefits
– Determines the expected level
– Light, easy and quick
– Guides you on how to improve your
solution
• Contact us to learn more
16
Challenge your security
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108 USA
Phone: +1 650 646 99 79
inforequest@riscure.com
Riscure China
Room 2030-31, No. 989, Changle Road, Shanghai 200031
China
Phone: +86 21 5117 5435
inforcn@riscure.com
