Quest-V: A Secure and Predictable System for IoT and Beyond - - PowerPoint PPT Presentation

quest v a secure and predictable system for iot and beyond
SMART_READER_LITE
LIVE PREVIEW

Quest-V: A Secure and Predictable System for IoT and Beyond - - PowerPoint PPT Presentation

Jan 31, 2023 104 likes •578 views

Quest-V: A Secure and Predictable System for IoT and Beyond Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable

slide-1
SLIDE 1

Quest-V: A Secure and Predictable System for IoT and Beyond

Richard West richwest@cs.bu.edu

Computer Science

slide-2
SLIDE 2

2

Goals

  • Develop system for high-confidence

(embedded) systems – Mixed criticalities (timeliness and safety)

  • Predictable – real-time support
  • Secure – resistant to component failures &

malicious attacks

  • Self-healing
  • Online recovery of software

component failures

slide-3
SLIDE 3

3

Target Applications

  • Healthcare
  • Avionics
  • Automotive
  • Factory automation
  • Robotics
  • Space exploration
  • Secure/safety-critical domains
  • Internet-of-Things (IoT)
slide-4
SLIDE 4

4

Internet of Things

l Number of Internet-connected devices

> 12.5 billion in 2010

l World population > 7 billion (2015) l Cisco predicts 50 billion Internet devices by

2020 Challenges:

  • Secure management of vast quantities
  • f data
  • Reliable + predictable data exchange

b/w “smart” devices

slide-5
SLIDE 5

5

In the Beginning...Quest

  • Initially a “small” RTOS
  • ~30KB ROM image for uniprocessor version
  • Page-based address spaces
  • Threads
  • Dual-mode kernel-user separation
  • Real-time Virtual CPU (VCPU) Scheduling
  • Later SMP support
  • LAPIC timing

FreeRTOS, uC/OS-II etc Quest Linux, Windows, Mac OS X etc

slide-6
SLIDE 6

6

From Quest to Quest-V

  • Quest-V for multi-/many-core processors

– Distributed system on a chip – Time as a first-class resource

  • Cycle-accurate time accountability

– Separate sandbox kernels for system components – Memory isolation using h/w-assisted memory virtualization – Also CPU, I/O, cache partitioning

  • Focus on safety, efficiency, predictability + security
slide-7
SLIDE 7

7

Related Work

  • Existing virtualized solutions for resource

partitioning – Wind River Hypervisor, XtratuM, PikeOS, Mentor Graphics Hypervisor – Xen, Oracle PDOMs, IBM LPARs – Muen, (Siemens) Jailhouse

slide-8
SLIDE 8

8

Problem

Traditional Virtual Machine approaches too expensive – Require traps to VMM (a.k.a. hypervisor) to mux & manage machine resources for multiple guests – e.g., ~1500 clock cycles VM-Enter/Exit on Xeon E5506 Traditional Virtual Machine approaches too memory intensive for embedded systems in areas such as IoT!

slide-9
SLIDE 9

9

Traditional Approach (Type 1 VMM)

VM VM VM VM VM

...

Type 1 VMM / Hypervisor Hardware (CPUs, memory, devices)

slide-10
SLIDE 10

10

Quest-V Approach

VM VM VM VM VM

...

Hardware (CPUs, memory, devices)

Eliminates hypervisor intervention during normal virtual machine operations

slide-11
SLIDE 11

11

Quest-V Architecture Overview

Sandbox M Monitor Sandbox 1

VCPU

. . .

Monitor Sandbox 2

VCPU VCPU

Monitor Communication + Migration

VCPU VCPU

Sandbox Address Space Thread IO Devices PCPU(s) IO Devices PCPU(s) IO Devices PCPU(s)

slide-12
SLIDE 12

12

Memory Partitioning

  • Guest kernel page tables for GVA-to-GPA

translation

  • EPTs (a.k.a. shadow page tables) for GPA-to-

HPA translation – EPTs modifiable only by monitors – Intel VT-x: 1GB address spaces require 12KB EPTs w/ 2MB superpaging

slide-13
SLIDE 13

13

Quest-V Memory Partitioning Quest-V Memory Partitioning

slide-14
SLIDE 14

14

I/O Partitioning

  • Device interrupts directed to each sandbox

– Use I/O APIC redirection tables – Eliminates monitor from control path

  • EPTs prevent unauthorized updates to I/O APIC

memory area by guest kernels

  • Port-addressed devices use in/out instructions
  • VMCS configured to cause monitor trap for specific

port addresses

  • Monitor maintains device "blacklist" for each sandbox

– DeviceID + VendorID of restricted PCI devices

slide-15
SLIDE 15

15

CPU Partitioning

  • Scheduling local to each sandbox

– partitioned rather than global – avoids monitor intervention

  • Uses real-time VCPU approach for Quest

native kernels [RTAS'11]

slide-16
SLIDE 16

16

l VCPUs for budgeted real-time execution of

threads and system events (e.g., interrupts)

l Threads mapped to VCPUs l VCPUs mapped to physical cores l Sandbox kernels perform local scheduling on

assigned cores

l Avoid VM-Exits to Monitor – eliminate cache/

TLB flushes

Predictability

slide-17
SLIDE 17

17

VCPUs in Quest(-V)

Main VCPUs I/O VCPUs Threads PCPUs (Cores) Address Space

slide-18
SLIDE 18

18

Example VCPU Schedule Example VCPU Schedule

slide-19
SLIDE 19

19

Utilization Bound Test

  • Sandbox with 1 PCPU, n Main VCPUs, and m

I/O VCPUs – Ci = Budget Capacity of Vi – Ti = Replenishment Period of Vi – Main VCPU, Vi – Uj = Utilization factor for I/O VCPU, Vj

Ci Ti

i=0 n−1

+ 2 −Uj

( )⋅Uj

j=0 m−1

≤ n⋅ 2 n −1

( )

slide-20
SLIDE 20

20

Cache Partitioning

  • Shared caches controlled using color-aware

memory allocator [COLORIS – PACT'14]

  • Cache occupancy prediction based on h/w

performance counters – E' = E + (1-E/C) * ml – E/C * mo – Enhanced with hits + misses [Book Chapter, OSR'11, PACT'10]

slide-21
SLIDE 21

21

Linux Front End

  • For low criticality legacy services
  • Based on Puppy Linux 3.8.0
  • Runs entirely out of RAM including root filesystem
  • Low-cost paravirtualization

– less than 100 lines – Restrict observable memory – Adjust DMA offsets

  • Grant access to VGA framebuffer + GPU
  • Quest native SBs tunnel terminal I/O to Linux via

shared memory using special drivers

slide-22
SLIDE 22

22

Quest-V Linux Screenshot

No VMX or EPT flags 1 CPU + 512 MB

slide-23
SLIDE 23

23

Quest-V Performance

100 Million Page Faults 1 Million fork-exec-exit Calls

Quest-V Performance

slide-24
SLIDE 24

24

Quest-V Summary

  • Separation kernel built from scratch

– Distributed system on a chip – Uses (optional) h/w virtualization to partition resources into sandboxes – Protected comms channels b/w sandboxes

  • Sandboxes can have different criticalities

– Linux front-end for less critical legacy services

  • Sandboxes responsible for local resource

management – avoids monitor involvement

slide-25
SLIDE 25

25

Proposed Work

  • Port of Quest to Intel Galileo [Done]
  • Qduino API [Ongoing]
  • Port of Quest(-V) to Intel

Edison and Minnowboard Max [Started]

  • IoT Applications: 3D printing /

manufacturing, robotics, secure home automation, etc [To Do]

  • (Secure) Information Flow Analysis [To Do]
  • Real-time Communication [Ongoing]
slide-26
SLIDE 26

26

Quest on Galileo

  • Porting Quest to the Galileo board:

– Added multiboot support back to 32-bit GRUB EFI (GRUB Legacy) – Developed I2C, SPI controller drivers – Developed Cypress GPIO Expander and AD7298 ADC drivers

  • Original Arduino API Support
  • New real-time multithreaded Qduino API
slide-27
SLIDE 27

27

Qduino

  • Qduino – Enhanced Arduino API for Quest

– Parallel and predictable loop execution – Real-time communication b/w loops – Predictable and efficient interrupt management – Real-time event delivery – Simplifies multithreaded real-time programming

slide-28
SLIDE 28

28

Qduino Multi-loop Example

  • Multiple loop sketch example:

loop (1, 40, 100) { /* VCPU: C = 40, T = 100 */ digitalWrite (LED1, HIGH); ... /* Blink LED1 */ } loop (2, 20, 100) { /* VCPU: C = 20, T = 100 */ analogWrite (LED2, brightness); ... /* Change brightness of LED2 */ } setup () { pinMode (LED1, OUTPUT); pinMode (LED2, OUTPUT); }

slide-29
SLIDE 29

29

Qduino Organization

Sketch Kernel User ... Quest Native App Quest Native App Galileo QDuino Libs

loop1 loopN

... x86 SoC Edison Minnowboard VCPU Scheduler GPIO Driver SPI Driver I2C Driver

slide-30
SLIDE 30

30

Qduino New APIs

Function Signatures Category

l loop(loop_id, C, T)

Structure

l interruptsVcpu(C,T) l attachInterruptVcpu(pin,ISR,mode,C,T)

Interrupt

l spinlockInit(lock) l spinlockLock(lock) l spinlockUnlock(lock)

Spinlock

l channelWrite(channel,item) l item channelRead(channel)

Four-slot

l ringbufInit(buffer,size) l ringbufWrite(buffer,item) l ringbufRead(buffer,item)

Ring buffer

slide-31
SLIDE 31

31

Qduino Event Handling

Main VCPU

Scheduler

Main VCPU

Sketch

IO VCPU

Handler GPIO Driver Pin State Monitoring CPU Core(s) GPIO Expander Kernel User

Real Time Event

attachInterrupt pthread_create

slide-32
SLIDE 32

32

Qduino Temporal Isolation

10 20 30 40 50 60 100T 200T 300T 400T 500T

Counter (x104) Time (Periods)

(50,100),2 (50,100),4 (70,100),2 (70,100),4 (90,100),2 (90,100),4 Linux,2 Linux,4

l Foreground loop increments

counter during loop period

l 2-4 background loops act

as potential interference, consuming remaining CPU capacity

l No temporal isolation or

timing guarantees w/ Linux

slide-33
SLIDE 33

33

Possible Use Cases

l Mixed-criticality automotive system l Secure home automation l 3D printer controller l IoT interoperability sandboxing l Secure virtual networks of untrusted

devices

l Many others...

slide-34
SLIDE 34

34

Mixed-Criticality Automotive System

Real-time Command & Control Real-time Sensor Data Processing Memory Monitor ... ... Core(s) Core(s) Core(s) Display & External Comms Comms Monitor Monitor Memory Memory I/O Devices e.g. Motors, Servos I/O Devices e.g. Cameras, LIDAR I/O Devices e.g. GPU, NIC Hardware Kernel VCPU(s) VCPU(s) User More Critical Less Critical Sandbox 1 Sandbox 2 Sandbox M ...

V2V, V2I Infotainment

INTERNET Sandboxes on multicore platform replace CAN bus nodes

slide-35
SLIDE 35

35

Secure Home Automation

Real-time Sensor Data Processing Linux ... ... Core(s) Core(s) Web Server / App “Plugins” Comms Monitor Monitor Memory Memory I/O Devices e.g. Cameras, CO+Fire Alarm I/O Devices e.g. NIC Hardware Kernel VCPU(s) User More Secure Less Secure Sandbox 1 Sandbox M

INTERNET 3rd Party untrusted services

slide-36
SLIDE 36

36

Secure Home Automation

l Home equipped w/ cameras, alarms, window/

door actuators, HVAC + appliance controls

l “Home owner” sandbox(es) for localized control

  • f data, sensors + actuators

l e.g., smartphone çè appliance control l 3rd party sandbox(es) for plugin app services l e.g., Emergency (police/fire/ambulance)

callouts

slide-37
SLIDE 37

37

Secure Home Automation

l Challenges: l Prevent homeowner generating false

alarms

l Apply penalties from service provider

l Prevent 3rd parties accessing sensitive

homeowner data (e.g., raw camera feeds)

l Enforce secure inter-sandbox comms l Require services across sandboxes to be

digitally signed by separate entities (non- collusion)

slide-38
SLIDE 38

38

Secure Home Automation

l External system interface via public Internet only

accesses 3rd party (untrusted) sandboxes

l Internal system interface via home network accesses

trusted sandboxes

l Replicated monitors observe suspicious activity l e.g., high frequency access to “root” mode

(monitor) via VM-exits

l Monitors akin to security guards l An attacker would have to compromise all such

guards to prevent system recovery

slide-39
SLIDE 39

39

Edison 3D Printer Controller

Real-time Sensing & Control Real-time Job Scheduling Linux Memory Monitor Core(s) Core(s) Core(s) Web Server / Verification Comms Monitor Monitor Memory Memory I/O Devices e.g. Motors, Extruder, Temp Sensors I/O Devices e.g. Flash Storage I/O Devices e.g. NIC Hardware Kernel VCPU(s) VCPU(s) User Untrusted Trusted Sandbox 1 Sandbox 2 Sandbox 3

DUAL CORE ATOM SILVERMONT QUARK MCU INTERNET

slide-40
SLIDE 40

40

Distributed Virtual Manufacturing

l Extend 3D print service to distributed “customizable”

  • ne-off manufacturing

l A “Kinkos” 3D printing/manufacturing service l Submit requests via web interface l Need to verify correctness l Verified requests spooled for processing l Use real-time comms + Qduino for real-time machine

control

l Possible to form “job shop” style assembly lines

slide-41
SLIDE 41

41

IoT Interoperability Sandboxing

l Collaborative open-source frameworks l IoTivity (Open Interconnect Consortium:

Intel, Samsung, Cisco, GE + many others)

l Alljoyn (Allseen Alliance), 160+ partners l Communication across different transport

media, OSes, and protocols

l Microsoft Device System Bridges (DSBs)

for Z-wave and BACnet

l Google's Brillo Weave, Apple Home Kit

slide-42
SLIDE 42

42

IoT Interoperability Sandboxing

l Use Quest-V sandboxes to isolate IoTivity /

Alljoyn software stacks

l Promote secure isolation of networks of

devices

l Use replicated / distributed monitor network to

identify “unusual” (potentially malicious) network activity

slide-43
SLIDE 43

43

What Next?

l Continue port of Quest(-V) to Edison and

Minnowboard Max

l Develop 3D printer controller l Investigate techniques to quarantine and verify 3rd

party service requests before processing

l Develop autonomous vehicle system l Look at real-time control in presence of injected

faults

l Home automation prototype l Provide secure services for 3rd party plugins

slide-44
SLIDE 44

44

Conclusions

l Quest-V uses one monitor per sandbox l Heightens security & safety l Monitors are small

l Not needed for resource multiplexing

l Can potentially exploit this to build new

security models

l Monitors like multiple system guards

l Chip-level distributed system l Real-time inter-sandbox communication l Isolation of 3rd party services

slide-45
SLIDE 45

45

The Quest Team

  • Richard West
  • Ye Li
  • Eric Missimer
  • Matt Danish
  • Gary Wong
  • Ying Ye
  • Zhuoqun Cheng

The Quest Team