11 Security requirements

3GPP TS 22.057: Mobile Execution Environment (MExE); Service description; Stage 1

This clause consists of:

– a sub-clause giving the principles behind security for MExE. These are not requirements as such but the principles behind the requirements;

– a sub‑clause specifying specific requirements that MExE implementations must adhere to;

– a sub-clause specifying the security domain classifications for MExE executables.

11.1 Security Principles

The ME and the data therein are the property of the user. The user is also responsible for the payment of chargeable events involving her UE, and will be seen as the party responsible for any events (whether chargeable or not) involving her UE. Therefore the user shall have full control over all chargeable and non-chargeable events initiated by her UE (“event” includes responses made by the UE to external events, e.g. the acceptance by the UE of an incoming session). This control can be exercised either by the giving of explicit permission at the time of the event or by the giving of implicit permission to the events by the agreement to an event schedule listed clearly in a user profile.

The user shall be able to request the logging of specific network events initiated by MExE UE applications/applets.

The privacy of user data in the UE is of paramount importance.

The SIM/USIM and operator controlled areas within the terminal are the property of the network operator. The network operator shall therefore have full control over access to the SIM/USIM and operator controlled area. The operator shall also have full control over data, excluding personal user data, transmitted to or from the SIM/USIM and the operator controlled terminal area, and over all events initiated by the SIM/USIM or operator controlled area (“event” includes responses made to external events, e.g. the response to a command sent from the ME).

As the user cannot know the capabilities of any MExE executables transferred from a MExE service environment before transfer, the UE MExE environment shall ensure that transferred MExE executables cannot compromise the above principles.

11.2 Security Requirements

For MExE executables of the security operator, manufacturer and user trusted domains, as defined in clause 11.3, it shall be possible to authenticate the identity of the body that authorised the application, applet or content.

There shall be a secure, unforgeable means for assigning the security domains defined in section 11.3 to the MExE executables transferable from the MExE service environment.

The certification of authorisation associated with MExE executables transferable from the MExE service environment shall be transferred with the certified material.

The MExE UE shall be able to verify the security domain, as defined in section 11.3, of MExE executables transferred from the MExE service environment.

The verification process in the UE itself shall not compromise the security of the functionality and content in the UE.

Transferred material that fails verification shall not be installed and shall be deleted by the terminal as soon as possible.

MExE executables that cannot be verified due to the absence of required verification information in the UE, shall be considered as untrusted material, as defined in section 11.3.

The events that MExE executables are given permission by the user to initiate shall be securely recorded in the user profile.

There shall be mechanisms within the MExE UE for ensuring that applications cannot have access to UE functionality and content beyond that allowed by their security domain, as defined in section 11.3.

It shall be possible for the user to downgrade MExE executables of operator, manufacturer or user trusted domain status to untrusted status, at installation or at any other time.

The MExE UE shall be able to detect if MExE executables transferred from the MExE service environment have been modified since they were assigned a security level.

MExE executables shall not be transferred to a MExE UE without the explicit permission of the UE user immediately prior to transfer or implicit permission via the user profile.

Applications and applets transferred to a MExE UE shall not be able to initiate events without the explicit permission of the UE user immediately prior to event initiation or implicit permission via the user profile.

The user profile data for transfer and event initiation cannot be changed without the explicit agreement of the user.

The user shall be able to abort or suspend any on-going session that has been set up automatically by an application.

The integrity of the SIM or USIM and other security mechanisms shall not be compromised by the introduction of MExE services.

The user shall be able to request the logging of specific network events initiated by MExE UE applications/applets.

MExE UE applications/applets shall not be able to send command RUN GSM ALGORITHM to the SIM.

11.3 Security domain classifications

The security domain of a MExE executable shall be graded according to the measure of authorisation it has been designated. The following three domains shall be supported for MExE executables (the “sandbox” in which untrusted MExE executables run is not considered to be a domain):

– MExE Security Operator Domain (used by the HPLMN operator);

MExE executables designated at this security domain have been authorised by the network operator (i.e. HPLMN).

– MExE Security Manufacturer Domain (system MExE executables);

MExE executables designated at this security domain have been authorised by the MExE UE manufacturer.

– MExE Security User Trusted Domain (trusted applications, applets and content);

MExE executables designated at this security domain have been written by user trusted software developers and verified as user trusted domain material (but not with regard to their content) via organisations such as certification authorities.

– MExE Security Untrusted (untrusted applications, applets and content);

Untrusted MExE executables have not been supplied with an associated authorisation, or the authorisation cannot be verified due to the absence of required verification information in the MExE UE.
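The requirements in 11.2 and the domain list in 11.3 together describe a decision procedure: the certification travels with the executable, the UE checks it against the verification information it holds for the claimed domain, a missing root means "treat as untrusted", a failed check means "do not install, delete", and the user may downgrade any verified executable to untrusted. The following Go program is an added example that is not part of the specification and not any vendor's implementation; the Stage 1 text does not define the certification format, so a detached Ed25519 signature over the claimed domain and a hash of the code stands in for it, and the names `Package`, `Roots`, `Authorise` and `Classify` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Domain is the MExE security domain of an executable. Untrusted is not a
// domain in the spec's sense; it is the sandbox that unverified material runs in.
type Domain byte

const (
	Untrusted Domain = iota
	UserTrusted
	Manufacturer
	Operator
)

func (d Domain) String() string {
	switch d {
	case UserTrusted:
		return "user trusted"
	case Manufacturer:
		return "manufacturer"
	case Operator:
		return "operator"
	}
	return "untrusted"
}

// Package is what arrives from the MExE service environment: the executable,
// the domain its authoriser claims for it, and the certification of
// authorisation (here a detached Ed25519 signature, an assumption of this
// example) carried with it.
type Package struct {
	Code      []byte
	Claimed   Domain
	Signature []byte
}

// Roots is the verification information the UE holds per domain. A domain
// with no root cannot be verified on this UE.
type Roots map[Domain]ed25519.PublicKey

// ErrReject is returned when the certification does not verify against the
// root the UE holds: the material must not be installed and is to be deleted.
var ErrReject = errors.New("verification failed: do not install, delete")

// signedMessage binds the claimed domain to a hash of the code, so that
// neither can be changed after authorisation without invalidating the signature.
func signedMessage(claimed Domain, code []byte) []byte {
	h := sha256.Sum256(code)
	return append([]byte{byte(claimed)}, h[:]...)
}

// Authorise is the authorising body's side: it signs code for a domain.
func Authorise(key ed25519.PrivateKey, claimed Domain, code []byte) Package {
	return Package{
		Code:      code,
		Claimed:   claimed,
		Signature: ed25519.Sign(key, signedMessage(claimed, code)),
	}
}

// Classify is the UE's side. It returns the domain the executable is
// assigned, applying the rules of 11.2 in order:
//   - no certification, or claimed untrusted: runs untrusted in the sandbox;
//   - no root for the claimed domain on this UE: treated as untrusted;
//   - root present but signature invalid (forged, or modified since
//     authorisation): ErrReject, never installed;
//   - valid, but the user chose to downgrade: untrusted;
//   - otherwise the claimed domain.
func Classify(p Package, roots Roots, userDowngrade bool) (Domain, error) {
	if p.Claimed == Untrusted || len(p.Signature) == 0 {
		return Untrusted, nil
	}
	root, ok := roots[p.Claimed]
	if !ok {
		return Untrusted, nil
	}
	if !ed25519.Verify(root, signedMessage(p.Claimed, p.Code), p.Signature) {
		return Untrusted, ErrReject
	}
	if userDowngrade {
		return Untrusted, nil
	}
	return p.Claimed, nil
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(nil) // constructed HPLMN operator root
	roots := Roots{Operator: opPub}
	code := []byte("constructed applet bytecode")

	p := Authorise(opPriv, Operator, code)
	d, err := Classify(p, roots, false)
	fmt.Println("as received:", d, err)

	p.Code = append(p.Code, 'X') // modified after authorisation
	_, err = Classify(p, roots, false)
	fmt.Println("after modification:", err)
}
```

Two points the code makes explicit that the prose leaves implicit: an executable whose claimed domain has no root on this UE is not an error but is silently demoted to untrusted (the requirement in 11.2 about absent verification information), whereas an executable whose root is present but whose signature does not verify is a rejection, so a package signed with a manufacturer key but claiming the operator domain is refused rather than demoted.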