Secure Resource Sharing for Embedded Protected Module Architectures - - PowerPoint PPT Presentation
Secure Resource Sharing for Embedded Protected Module Architectures Jo Van Bulck imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium MSc Thesis Presentation BELCLIV-CLUSIB, April 21, 2017 Jo Van Bulck Secure Resource Sharing for
Jo Van Bulck
imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium
MSc Thesis Presentation BELCLIV-CLUSIB, April 21, 2017
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 1 / 20
Introduction
— Rob Joyce, NSA’s Tailored Access Operations chief (MIT Technology Review, January 2016).
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 2 / 20
Introduction Source: https://www.ncta.com/platform/industry-news/infographic-the-growth-of-the-internet-of-things/ Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 3 / 20
Introduction
TI MSP430: low-cost, low-power computing Runs ˜13 years on a single AA battery [Sea08] Single-address-space without memory protection Attacker can modify all code and data, and forge sensor readings or node identity
http://martybugs.net/ electronics/msp430/ Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 4 / 20
Introduction
TI MSP430: low-cost, low-power computing Runs ˜13 years on a single AA battery [Sea08] Single-address-space without memory protection Attacker can modify all code and data, and forge sensor readings or node identity
http://martybugs.net/ electronics/msp430/
Protected Module Architectures: isolation and attestation Minimal (hardware-only) Trusted Computing Base Server/desktop: Intel SGX, ARM TrustZone Low-end embedded: SMART, TrustLite, TyTAN, Sancus
Maene et al.: “Hardware-Based Trusted Computing Architectures for Isolation and Attestation”, 2017 [MGDC+17]. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 4 / 20
Background: Protected Module Architectures
Unprotected memory 0x000000
Code
Protected mem. 0xFFFFFF ...
Data
Isolated execution in a single-address-space
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 5 / 20
Background: Protected Module Architectures
Unprotected memory 0x000000
Code
Protected mem. 0xFFFFFF ...
Data
Isolated execution in a single-address-space Program counter based access control
From \ to Protected Unprotected Entry Code Data Protected r-x r-x rw- rwx Unprotected /
r-x r--
Strackx et al.: “Efficient Isolation of Trusted Subsystems in Embedded Systems”, 2010 [SPP10]. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 5 / 20
Background: Protected Module Architectures
Unprotected memory 0x000000
Code
Fields Secure stack
Data
Protected mem. 0xFFFFFF ...
Isolated execution in a single-address-space Program counter based access control Secure fully abstract compilation
From \ to Protected Unprotected Entry Code Data Protected r-x r-x rw- rwx Unprotected /
r-x r--
Strackx et al.: “Efficient Isolation of Trusted Subsystems in Embedded Systems”, 2010 [SPP10]. Agten et al.: “Secure Compilation to Modern Processors”, 2012 [ASJP12]. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 5 / 20
Background: Protected Module Architectures
[NAD+13, NVBM+17]
Zero-software TCB: extended openMSP430 instruction set
Unprotected Entry point Code & constants Unprotected SM1 text section Protected data SM1 data section Unprotected Memory KN,SP,SM1 IDSM1 Next ID Caller ID KN SM1 metadata Layout Key ID Protected storage area Node Noorman et al.: “Sancus 2.0: A Low-Cost Security Architecture for IoT Devices”, 2017 [NVBM+17]. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 6 / 20
Background: Protected Module Architectures
[NAD+13, NVBM+17]
Zero-software TCB: extended openMSP430 instruction set SM == unit of isolation + authentication: Remote attestation / secure linking Hardware-level cryptographic key + ID per SM
Unprotected Entry point Code & constants Unprotected SM1 text section Protected data SM1 data section Unprotected Memory KN,SP,SM1 IDSM1 Next ID Caller ID KN SM1 metadata Layout Key ID Protected storage area Node Noorman et al.: “Sancus 2.0: A Low-Cost Security Architecture for IoT Devices”, 2017 [NVBM+17]. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 6 / 20
Research Objectives
PMAs assume the presence of an attacker:
SM_A SM_B
R
Unprotected MMIO
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 7 / 20
Research Objectives
PMAs assume the presence of an attacker:
⇒ Self-protecting “OS” modules to supplement HW: ↔ Monolithic privileged kernel ˜ Extreme microkernel idea
SM_A SM_B
R
Protected MMIO SM_Server
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 7 / 20
Logical File Access Control
Front-End Access Control Layer
Protected file system SMsfs boundary
MMIO
Serial Flash Drive
CFS API
Flash Storage Back-End Shared Memory Back-End
CFS API
SMA SMB
SFS API
System boundary
OR
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 8 / 20
Logical File Access Control
Front-End Access Control Layer
Protected file system SMsfs boundary
MMIO
Serial Flash Drive
CFS API
Flash Storage Back-End Shared Memory Back-End
CFS API
SMA SMB
SFS API
System boundary
OR
UNIX like file system API (incl. chmod)
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 8 / 20
Logical File Access Control
Front-End Access Control Layer
Protected file system SMsfs boundary
MMIO
Serial Flash Drive
CFS API
Flash Storage Back-End Shared Memory Back-End
CFS API
SMA SMB
SFS API
System boundary
OR
UNIX like file system API (incl. chmod) Access control using sancus_get_caller_id
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 8 / 20
Logical File Access Control
Front-End Access Control Layer
Protected file system SMsfs boundary
MMIO
Serial Flash Drive
CFS API
Flash Storage Back-End Shared Memory Back-End
CFS API
SMA SMB
SFS API
System boundary
OR
UNIX like file system API (incl. chmod) Access control using sancus_get_caller_id Pluggable private back-end encapsulating resource
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 8 / 20
Logical File Access Control
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 9 / 20
Logical File Access Control
⇒ Generic resource sharing mechanism SW-based access control guarantees: Build upon HW primitives (isolation + authentication) Non-persistent file protection Confined and explicit TCB: Principle of least privilege (˜ microkernel) Attestable via sancus verify
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 10 / 20
Secure Scheduling
Thread == synchronous control flow within address space Local thread context on call stack Conventional OS kernel saves CPU state on interrupt
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 11 / 20
Secure Scheduling
Thread == synchronous control flow within address space Local thread context on call stack Conventional OS kernel saves CPU state on interrupt PMA multithreading challenges: Unit of threading >> SM Compiler-generated sm entry asm stubs Inter-SM call/return flow integrity guards
SM_Bar SM_Foo SM_A 1.1.1: illegal return to A 1.1: call_bar 1: call_foo
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 11 / 20
Secure Scheduling
⇒ Scheduler SM interleaves multiple control flows
Regis- tered Running Ready Killed Finished start_fct register_thread_portal yield return from yield return from start_fct report_entry_violation
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 12 / 20
Secure Scheduling
⇒ SM maintains at most one internal call stack per thread-ID
SM_foo SM_bar SM_sched 9: ... 8: continue 1: ... 7: yield_get_next 6: yield 5: return busy 4: cur_thr_id 3: get_cur_thr_id 2: call_foo
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 13 / 20
Secure Scheduling
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 14 / 20
Secure Scheduling
⇒ Isolated cross-SM control flow threads Division of responsibilities: Hardware: SM confidentiality/integrity (memory isolation) Compiler: entry call stack consistency (SM call/return) Unprivileged scheduler: scheduling policy (temporal isolation)
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 15 / 20
Future Work
Real-time secure multitasking [VBNMP16]: Hardware primitives: secure interrupts + atomicity monitor Compiler: SM-internal multithreading Preemptive scheduler: FreeRTOS prototype Efficient resource sharing: Controlling access to a multi-device I/O bus Hardware mechanisms for inter-SM sharing Case studies: Smart metering [MCM+16] Automotive computing [M¨
uh17]
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 16 / 20
https://distrinet.cs.kuleuven.be/software/sancus/ https://github.com/jovanbulck/thesis-src/ https://distrinet.cs.kuleuven.be/software/sancus/publications/vanbulck15thesis.pdf
Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 17 / 20
Trustzone: Integrated hardware and software security. ARM white paper, 3(4):18–24, 2004.
Secure compilation to modern processors. In Computer Security Foundations Symposium, pp. 171–185. IEEE, 2012.
TyTAN: Tiny trust anchor for tiny devices. In Design Automation Conference (DAC 2015), pp. 1–6. IEEE, 2015.
Secure interrupts on low-end microcontrollers. In Application-specific Systems, Architectures and Processors (ASAP), 2014 IEEE 25th International Conference on, pp. 147–152. IEEE, 2014.
SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In NDSS, vol. 12, pp. 1–15. Internet Society, 2012.
TrustLite: A security architecture for tiny embedded devices. In Proceedings of the Ninth European Conference on Computer Systems, pp. 10:1–10:14. ACM, 2014. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 18 / 20
Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 10:1–10:1. ACM, 2013.
uhlberg, S. Cleemput, A. M. Mustafa, J. Van Bulck, B. Preneel, and F. Piessens. Implementation of a high assurance smart meter using protected module architectures. In 10th WISTP International Conference on Information Security Theory and Practice (WISTP’16), vol. 9895 of LNCS,
uller, F. Freiling, and I. Verbauwhede. Hardware-based trusted computing architectures for isolation and attestation. IEEE Transactions on Computers, PP(99), 2017.
uhlberg. A new security architecture for networked embedded devices. eeNews Europe Automotive, June 2017. http://www.eenewsautomotive.com/design-center/new-security-architecture-networked-embedded-devices.
Sancus: Low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In 22nd USENIX Security Symposium, pp. 479–494. USENIX Association, 2013.
uhlberg, F. Piessens, P. Maene, B. Preneel, I. Verbauwhede, J. G¨
uller, and F. Freiling. Sancus 2.0: A low-cost security architecture for IoT devices. ACM Transactions on Privacy and Security (TOPS), 2017. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 19 / 20
Powering an msp430 from a single battery cel. Technical report, Texas Instruments, September 2008. http://www.ti.com.cn/cn/lit/an/slaa398/slaa398.pdf.
Efficient isolation of trusted subsystems in embedded systems. In Security and Privacy in Communication Networks, pp. 344–361. Springer, 2010.
uhlberg, and F. Piessens. Secure resource sharing for embedded protected module architectures. In 9th WISTP International Conference on Information Security Theory and Practice (WISTP’15), vol. 9311 of LNCS,
uhlberg, and F. Piessens. Towards availability and real-time guarantees for protected module architectures. In Companion Proceedings of the 15th International Conference on Modularity (MASS’16), pp. 146–151. ACM, 2016. Jo Van Bulck Secure Resource Sharing for Embedded Protected Module Architectures MSc Thesis 20 / 20