Genode - OS Security By Design, Dr.-Ing. Norman Feske (PowerPoint presentation)


SLIDE 1

Genode - OS Security By Design

Dr.-Ing. Norman Feske <norman.feske@genode-labs.com>

SLIDE 2-3

Outline

  • 1. Introduction
  • 2. Architectural Principles
  • 3. Showcases
  • 4. Current Topics

Genode - OS Security By Design 2

SLIDE 4

Universal Truths

  • Ease of use
  • Security
  • Utilization
  • Scalability
  • Assurance
  • Accountability


SLIDE 5

Problem: Complexity

Today’s commodity OSes: exceedingly complex trusted computing base (TCB)

TCB of an application on Linux:

  • Kernel + loaded kernel modules
  • Daemons
  • X Server + window manager
  • Desktop environment
  • All running processes of the user

→ User credentials are exposed to millions of lines of code


SLIDE 6

Problem: Complexity (II)

Implications:

  • High likelihood for bugs (need for frequent security updates)
  • Huge attack surface for directed attacks
  • Zero-day exploits


SLIDE 7

Universal Truths

  • Ease of use
  • Security
  • Utilization
  • Scalability
  • Assurance
  • Accountability


SLIDE 8

Problem: Resource management

  • Pretension of unlimited resources
  • Lack of accounting

→ Largely indeterministic behavior
→ Need for complex heuristics, schedulers


SLIDE 9

Universal Truths

  • Ease of use
  • Security
  • Utilization
  • Scalability
  • Assurance
  • Accountability


SLIDE 10

Key technologies

  • Microkernels
  • Componentization, kernelization
  • Capability-based security
  • Virtualization

...but how to compose those?


SLIDE 11

Genode architecture

→ Application-specific TCB


SLIDE 12

Combined with virtualization


SLIDE 13-18

Components

SLIDE 19

Outline

  • 1. Introduction
  • 2. Architectural Principles
  • 3. Showcases
  • 4. Current Topics


SLIDE 20

Object capabilities

  • Delegation of authority between components
  • Each component lives in a virtual environment
  • A component that possesses a capability can
    ◮ Use it (invoke)
    ◮ Delegate it to acquainted components

SLIDE 21

Recursive system structure


SLIDE 22

Service announcement


SLIDE 23-24

Session creation

SLIDE 25

Resource management

Explicit assignment of physical resources to components


SLIDE 26

Resource management (II)

Resources can be attached to sessions

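As an added example (not code from the slides and not Genode's own API), a toy C++ model of the ideas on slides 20, 25 and 26: a component can invoke a capability only if it actually possesses it, can delegate it only to acquainted components, and session creation attaches resources by moving explicitly assigned quota from the client to the server. Component names, quota values and the System/Component types are constructed for the illustration.

```cpp
#include <map>
#include <set>
#include <string>
// Toy model (not Genode's API): a capability is an unforgeable kernel-held reference,
// a component holds only names in its own capability space, and quota is explicitly
// assigned to components and attached to sessions when they are created.
struct Component {
    unsigned long quota;               // bytes explicitly assigned to this component
    std::set<unsigned> caps;           // capabilities in this component's space
    std::set<std::string> acquainted;  // components it may delegate to
};
class System {
    std::map<std::string, Component> comps_;
    std::map<unsigned, std::string> servers_;  // cap id -> component providing it
    unsigned next_cap_ = 1;
public:
    void add(const std::string &name, unsigned long quota, std::set<std::string> acq = {}) {
        comps_[name] = Component{quota, {}, acq};
    }
    // The "kernel" mints a capability for a service and places it in holder's space.
    unsigned mint(const std::string &server, const std::string &holder) {
        unsigned cap = next_cap_++;
        servers_[cap] = server;
        comps_.at(holder).caps.insert(cap);
        return cap;
    }
    // Invocation works only for a component that possesses the capability; merely
    // knowing a cap id confers no authority.
    bool invoke(const std::string &who, unsigned cap) const {
        auto it = comps_.find(who);
        return it != comps_.end() && it->second.caps.count(cap) > 0;
    }
    // Delegation: the holder may pass a capability only to an acquainted component.
    bool delegate(const std::string &from, const std::string &to, unsigned cap) {
        Component &src = comps_.at(from);
        if (!src.caps.count(cap) || !src.acquainted.count(to) || !comps_.count(to))
            return false;
        comps_[to].caps.insert(cap);
        return true;
    }
    // Session creation attaches resources: the client donates part of its own quota
    // to the server. No capability or too little quota means no session.
    bool open_session(const std::string &client, unsigned cap, unsigned long donate) {
        if (!invoke(client, cap) || comps_.at(client).quota < donate) return false;
        comps_.at(client).quota -= donate;
        comps_.at(servers_.at(cap)).quota += donate;
        return true;
    }
    unsigned long quota(const std::string &name) const { return comps_.at(name).quota; }
};
```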

SLIDE 27

Outline

  • 1. Introduction
  • 2. Architectural Principles
  • 3. Showcases
  • 4. Current Topics


SLIDE 28

Faithful Virtualization

Diagram (labels only; the figure itself is not in the text): User Mode / Privileged Mode; NOVA Hypervisor; Core; Init; Resource Multiplexer; VMM; Device Driver; Unmodified Guest OS with its Kernel; virtual CPU, virtual device, virtual RAM

SLIDE 29

OS-level Virtualization


SLIDE 30

Rich applications

Diagram (labels only; the figure itself is not in the text): Loader; Init; Arora Web Browser; Init; Nitpicker GUI; TCP/IP; Menu; Nitpicker GUI; Virtual Framebuffer; Launchpad; Testnit


SLIDE 31

Outline

  • 1. Introduction
  • 2. Architectural Principles
  • 3. Showcases
  • 4. Current Topics


SLIDE 32

Current Topics

  • Eating our own dog food
    ◮ Noux (GCC, VIM, bash, coreutils...)
    ◮ Wireless networking
  • Capability-based user interface
  • seL4 kernel as base platform
  • ARM Virtualization
  • Package management


SLIDE 33

Thank you

  • Genode OS Framework: http://genode.org
  • Genode Labs GmbH: http://www.genode-labs.com
  • Source code at GitHub: http://github.com/genodelabs/genode
