Secure Resource Sharing for Embedded Protected Module Architectures - - PowerPoint PPT Presentation



SLIDE 1

Secure Resource Sharing for Embedded Protected Module Architectures

Jo Van Bulck, Job Noorman, Jan Tobias Mühlberg and Frank Piessens

August 24, 2015

SLIDE 2

Contents

  • 1. Embedded Problem Domain
  • 2. Protected Module Architectures
  • 3. Motivation
  • 4. Logical File Access Control
  • 5. Conclusion
SLIDE 3

“Embedded-systems security is, for lack of a better word, a mess.”

– John Viega & Hugh Thompson

VIEGA John, THOMPSON Hugh, The state of embedded-device security (spoiler alert: It's bad), IEEE Security & Privacy (10.5), September 2012, pp. 68-70.

SLIDE 4

Software Isolation

Embedded:
  • Cheap
  • Low power
  => Single-address-space

Conventional:
  • Relatively expensive
  • Power-consuming
  => Virtual memory & kernel mode

SLIDE 6

Protected Module Architectures

STRACKX Raoul et al., Protected Software Module Architectures, ISSE 2013 Securing Electronic Business Processes, Springer Fachmedien Wiesbaden, 2013, pp. 241-251.

[Figure: program-counter-based access control matrix, as recovered from the slide]

  From \ To              | Protected              | Unprotected
                         | Entry | Code | Data    |
  Protected              | r x   | r x  | r w     | r w x
  Unprotected/Other SPM  | r x   | r    | (none)  | r w x

  • Isolated execution areas in a single-address-space
  • Program counter based access control mechanism


SLIDE 8

Sancus

  • Hardware-level PMA
  • Zero-software TCB
    → strong attacker model
  • SM == unit of protection / authentication
    → hardware UID and cryptographic key per SM
    → sancus_verify_address & sancus_get_caller_id

NOORMAN Job et al., Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base, Proceedings of the 22nd USENIX conference on Security symposium, 2013, pp. 479-494.

SLIDE 11

Resource Sharing Approach

[Figure: embedded device in which SM_A and SM_B access resource R directly through unprotected MMIO]

SLIDE 12

Resource Sharing Approach

[Figure: embedded device in which SM_Server mediates the access of SM_A and SM_B to resource R through protected MMIO]

SLIDE 13

Secure Resource Sharing

Sancus secludes SMs in protection domains:
  ☺ hardware-enforced security guarantees
  ☹ no secure sharing of platform resources

=> protected “OS” modules to supplement hw
  <> monolithic privileged kernel
  ~ extreme microkernel idea

SLIDES 15-18

Sancus File System (SFS)

[Figure: SFS architecture. A front-end access control layer sits inside the protected file system SMs (fs boundary). Behind the CFS API a pluggable back-end encapsulates the resource: either a flash storage back-end over the serial flash drive via MMIO, or a shared memory back-end. Client SMs A and B call the SFS API across the system boundary.]

  • UNIX like file system API (incl. chmod)
  • Access control using sancus_get_caller_id
  • Pluggable private back-end encapsulating resource
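The caller-id based access control with a chmod-style per-file ACL sketched on these slides, as an added host-side model that is not the Sancus/SFS project's own code: sancus_get_caller_id is stood in for by a simulated caller id, and the id width, the use of 0 for unprotected code and the fixed table sizes are assumptions.

```c
#include <stdbool.h>
#include <string.h>
/* Added example, not the Sancus/SFS project's code: host-side model of
 * SFS-style logical file access control keyed on the calling SM's id.
 * On Sancus hardware the id would come from sancus_get_caller_id();
 * here a global simulates it so the model compiles with any C compiler. */
enum { SFS_R = 4, SFS_W = 2, SFS_MAX_FILES = 4, SFS_MAX_ACL = 4 };
typedef unsigned sm_id_t;           /* assumed width; 0 models unprotected code */
static sm_id_t simulated_caller;    /* stands in for sancus_get_caller_id() */
static sm_id_t get_caller_id(void) { return simulated_caller; }

struct sfs_file {
    bool used;
    sm_id_t owner;                                   /* creating SM, implicit rw */
    struct { sm_id_t sm; unsigned perm; } acl[SFS_MAX_ACL];
    int nacl;
};
static struct sfs_file files[SFS_MAX_FILES];

/* Create a file owned by the calling SM; returns fd or -1. */
int sfs_create(void) {
    if (get_caller_id() == 0) return -1;             /* unprotected code refused */
    for (int fd = 0; fd < SFS_MAX_FILES; fd++)
        if (!files[fd].used) {
            memset(&files[fd], 0, sizeof files[fd]);
            files[fd].used = true;
            files[fd].owner = get_caller_id();
            return fd;
        }
    return -1;
}

/* chmod: only the owner may grant another SM r/w bits on its file. */
int sfs_chmod(int fd, sm_id_t sm, unsigned perm) {
    if (fd < 0 || fd >= SFS_MAX_FILES || !files[fd].used) return -1;
    if (files[fd].owner != get_caller_id() || files[fd].nacl >= SFS_MAX_ACL) return -1;
    files[fd].acl[files[fd].nacl].sm = sm;
    files[fd].acl[files[fd].nacl++].perm = perm & (SFS_R | SFS_W);
    return 0;
}

/* Check run on every getc/putc: does the caller hold every bit in want? */
bool sfs_allowed(int fd, unsigned want) {
    sm_id_t me = get_caller_id();
    if (fd < 0 || fd >= SFS_MAX_FILES || !files[fd].used || me == 0) return false;
    unsigned have = (files[fd].owner == me) ? (SFS_R | SFS_W) : 0;
    for (int i = 0; i < files[fd].nacl; i++)
        if (files[fd].acl[i].sm == me) have = files[fd].acl[i].perm;
    return (have & want) == want;
}
```

Every call into the file system SM pays the SM switch the overhead slide measures; the check itself is a short ACL walk keyed on an identity the hardware, not the caller, supplies.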


SLIDE 20

Access Control Overhead

  • Majority of cycles caused by SM switching
  • Relative access control overhead decreases with the amount of work done in the back-end
    ☹ Protected shared memory back-end
    ☺ Flash Coffee FS: 20% for getc and 15% for putc

SLIDE 22

Conclusion

  • Generic resource sharing mechanism
  • Confined and explicit TCB:
    → attestable via sancus_verify
    → principle of least privilege
  • Supplement hw-enforced security guarantees
    → build upon hw primitives (isolation + caller auth)
    → sw-based access control guarantees

SLIDE 23

Secure Resource Sharing for Embedded Protected Module Architectures

Jo Van Bulck, Job Noorman, Jan Tobias Mühlberg and Frank Piessens

https://distrinet.cs.kuleuven.be/software/sancus/wistp2015/