tock a secure operating system for microcontrollers
play

Tock: A Secure Operating System for Microcontrollers Limitations of - PowerPoint PPT Presentation

Feb 10, 2023 •545 likes •1.11k views

Amit Levy SITP Retreat, June 22, 2018 Tock: A Secure Operating System for Microcontrollers Limitations of Microcontroller Sofware Low memory: ~64 kB RAM No virtual memory Cant use Linux! No isolation USB authentication

  1. Amit Levy SITP Retreat, June 22, 2018 Tock: A Secure Operating System for Microcontrollers

  2. Limitations of Microcontroller Sofware ➔ Low memory: ~64 kB RAM ➔ No virtual memory ➔ Can’t use Linux! ➔ No isolation ➔ USB authentication keys have multiple functions ➔ Sensor networks run several experiments at once ➔ Fitness watches support diferent activities 2

  3. Multi-User Device: Signpost Modular city-scale sensing ➔ Tracking Ambient conditions ➔ Pedestrian density ➔ Noise monitoring 8 pluggable modules ➔ Microcontroller + Sensors Several applications per module Currently deployed @ U.C. Berkeley 3

  4. OTA Updates: Helium ➔ End-to-end IoT “solution” ➔ Programmable module – Long-range radio – MCU runs customer services + applications ➔ Abandoned a previous version that used Lua ➔ Next version uses Tock 4

  5. Security Sensitive Device: Google Titan ➔ Google’s Titan chip: security hardened MCU ➔ Server root-of-trust, authentication ➔ Without Tock: a handful of experts audit all code ➔ Open source port of Tock started during internship 5

  6. Thesis: Embedded Devices are Multiprogrammed ➔ Multiple users running applications concurrently ➔ Applications updated dynamically – Small payloads better – Buggy updates shouldn’t brick devices ➔ Security sensitive devices want least privilege 6

  7. Tock Embedded OS ➔ Growing open-source community – 883 GitHub followers, >100 mailing list subscribers – 54 contributors (so far) to main project – ~20 contributors to out-of-tree HW ports – >100 developers trained at Tock tutorials ➔ Growing HW support – ARM Cortex-Ms: Atmel SAM4L, Nordic NRF5x, TI CC26xx & TM4C129x, NXP MK66, STM32 – RISC-V port at a secret facility outside Boston

  8. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 8

  9. Example: USB Authentication Key ➔ Multiple independent applications ➔ No programmability in favor of security ➔ Result: Handful of programmers control sofware stack 9

  10. Platform (~10 developers) ➔ Build the hardware ➔ Responsible for TCB: core kernel, MCU-specific code ➔ Trusted: complete control over firmware & hardware Goal: possible to correctly extend TCB 10

  11. OS Services (~1000 developers) ➔ Most OS services come community – Device drivers, networking protocols, timers... ➔ Platform provider can audit but won’t catch all bugs Goal: protect kernel from safety violations 11

  12. Applications (~20M developers) ➔ Implement end-user functionality ➔ “Third-party” developers: unknown to platform provider ➔ Potentially malicious Goal: end-users can install 3rd-party apps 12

  13. Need New Isolation Techniques ➔ With 64 kB, malloc a serious threat to system stability ➔ No virtual memory ➔ Still need to solve driver isolation – GC’d languages & hardware isolation too resource heavy 13

  14. New Tools Available Memory Protection Unit (MPU) ➔ Protection bits for 8 memory regions ➔ Isolate processes for applications Rust ➔ Non-GC'd type-safe systems language ➔ Prevent safety violations in kernel at very low cost 14

  15. Tock: A Microcontroller OS ➔ Processes : Use the Memory Protection Unit ➔ Capsules : Type-safe Rust API for safe driver development ➔ Grants : Bind dynamic kernel resources to process lifetime 15

  16. Tock’s Isolation Mechanisms Processes ● Standalone executable in any language ● Isolation enforced at runtime ● Higher overhead ● Applications Totally untrusted Capsules ● Rust code linked into kernel ● Isolation enforced at compile-time ● Lower overhead Trusted for liveness, not safety ● Used for device drivers, protocols, timers... 16

  17. Processes ➔ Hardware-isolated concurrent programs in any language – MPU to protect memory regions without virtualization – Independent stack, heap, static variables ➔ Run dynamically, compiled with position independent code ➔ Scheduled preemptively ➔ System calls & IPC for communication 17

  18. Process Overhead ➔ Dedicated memory region (at least a stack) ➔ Context switch for communication (340 cycles) 18

  19. Capsules ➔ A Rust module and structs ➔ Single-threaded event-loop with asynchronous I/O ➔ Single stack ➔ No heap ➔ Communicate via references & method calls, ofen inlined 19

  20. Capsule Resource Overhead Example 1: “blink” ROM size (B) RAM size (B) Tock 3208 916 TinyOS 5296 72 Example 2: Networked sensor ROM size (B) RAM size (B) Tock 41744 9704 TinyOS 39604 10460 20

  21. Capsule Isolation struct DMAChannel { length: u32, base_ptr: *const u8, } impl DMAChannel { fn send_buffer(&self, buf: &'static [u8]) { self.length = buf.len(); self.base_ptr = buf.as_ref(); } } ➔ Exposes the DMA base pointer and length as a Rust slice ➔ Type-system guarantees user has access to memory ➔ Won’t be deallocated before DMA completes 21

  22. Safe Dynamic Kernel Allocation 22

  23. Working Example: Sofware Timer Sofware Timer Kernel HW Alarm 23

  24. Statically allocate timer state? FAIL Sofware Timer Driver Static allocation must trade of memory eficiency and maximum concurrency 24

  25. What About Dynamic Allocation? FAIL AES Driver Sofware Timer Driver Bluetooth Driver Can lead to unpredictable shortages. One process’s demands impacts capabilities of others. 25

  26. Grants: Per-Process Kernel Heaps ➔ Allocations for one process do not afect others ➔ System proceeds if one grant section is exhausted ➔ All process resources freed on process termination Grant section RAM Heap Process Data Accessible Stack Memory Flash Code 26

  27. Grants: Per-Process Kernel Heaps Sofware Timer Driver Grants balance safety and reliability of static allocation with flexibility of dynamic allocation 27

  28. Grants use the type-system to ensure references only accessible when process is live // Can’t operate on timer data here timer_grant.enter(process_id, |timer| { // Can operate on timer data here if timer.expiration > cur_time { timer.fired = true; } }); // timer data can’t escape here fn enter<'a, F>(&'a self, pid: ProcId, f: F) → where F: for<'b> FnOnce(&'b mut T) 28

  29. Grants: No Cross-Process Structures Shared Heap Process 1 Process 2 Sofware Timer Driver 29

  30. Grants: No Cross-Process Structures μS 30

  31. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 31

  32. Power State & Clock Control ➔ Power draw combo of duty cycle and active draw – What’s the deepest sleep state we can drop to? – Which clock should drive active peripherals? ➔ Multiprogramming makes both harder! RCSYS RCFAST Duty Cycle a Function of Workload Impact of Active Clock Selection 32

  33. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 33

  34. Multiprogramming a Peripheral ➔ A platform must support all possible applications – Eficient protocols may not be so eficient anymore ➔ Peripheral communication not designed for multiprogramming – How to restart individual components? – How to isolate services? – Virtualizing vs. Multiplexing 34

  35. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 35

  36. Future Work ➔ Writing & Enforcing security policies – For the kernel: language-based capability system? – For processes: permissions without a file system? – For networked applications: cryptographic tokens? ➔ Debugging embedded applications – Security implications – Logging ➔ More applications, more hardware – RISC-V, x86 – Wearables, sensor networks, security devices 36

  37. Tock: A Secure Operating System for Microcontrollers ➔ Embedded devices are multiprogrammable – Security, Sofware Updates, Multi-tenancy ➔ Tension between isolation and resources – Traditional approaches insuficient for low memory – New programming languages & hardware features help ➔ Must also rethink: power management, networking, security policies... 37

  38. Evaluating End-to-End 38

  39. Evaluating with Practitioners ➔ Researchers working with Tock ➔ Half-day tutorials (~100 people) ➔ Open source community (45+ contributors) ➔ Embedded Systems class at Stanford 39

  40. Security is an End-to-End Property ➔ Is threat model realistic? ➔ Can system builders extend TCB safely? ➔ Can developers build applications? 40

  41. Realistic Threat Model? Signpost Helium Titan App Applications Researchers Customers Developers Module Community, Product Capsules builders Helium Inc. developers Signpost Platform Helium Inc. Titan team authors 41

  42. Security is an End-to-End Property ✓ ➔ Is threat model realistic? ➔ Can system builders extend TCB safely? ➔ Can developers build applications? 42

  43. Safely Extend the TCB? Rule out common errors by design: ➔ Synchronization with interrupt handlers ➔ Untrusted user pointers ➔ Use-afer-free 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2 University of Michigan 3 University of California, Berkeley 1 Amit Levy 1 Brandon Ghena 2 Michael Andersen 3 Brad Campbell 2 Gabe Fierro 3 Pat Pannuto 2

582 views • 57 slides
HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir

HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir

HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir Naaman, Avi Harpaz, Gidon Gershinsky IBM Haifa Research Laboratory Mount Carmel, Haifa 31905, Israel { tock,naaman,harpaz,gidon } @il.ibm.com

291 views • 7 slides
AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller

AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller

Microprocessors, Lecture 3: AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller Different families Based on the application and Flash memory capacity Classic AVR e.g. AT90S2313, AT90S4433

704 views • 27 slides
InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 23, 2005 Lecture 11 Lecture 11 Page 1 Page 2

553 views • 8 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 27, 2006 Lecture 12 Lecture 12 Page 1 Page 2

329 views • 9 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

981 views • 39 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

588 views • 20 slides
InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

1.06k views • 79 slides
Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Silberschatz and

714 views • 35 slides
Module 3: Operating-System Structures System Components Operating-System Services

Module 3: Operating-System Structures System Components Operating-System Services

' $ Module 3: Operating-System Structures System Components Operating-System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation &amp; %

589 views • 13 slides
Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating System Security Data and process are directly visible Application security can be circumvented from lower layers = &gt; good scope

103 views • 8 slides
to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051

to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051

Introduction review to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051 Intel then Everyone (8-bit old ) PIC Microchip (8, 16 &amp; 32bit) AVR Atmel (8 &amp; 32bit) MSP430 TI

288 views • 5 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
A better picture Many applications Application One Operating System System calls Operating

A better picture Many applications Application One Operating System System calls Operating

Introduction Operating Systems Spring 2003 OS Spring03 What is Operating System? It is a program! It is the first piece of software to run after boot It coordinates the execution of all other software User programs It

306 views • 12 slides
Operating System Overview Chapter 2 1 Operating System A program that controls the

Operating System Overview Chapter 2 1 Operating System A program that controls the

Operating System Overview Chapter 2 1 Operating System A program that controls the execution of application programs An interface between applications and hardware 2 1 Operating System Objectives Convenience Makes the

719 views • 33 slides
The CBM Experiment at FAIR and its Silicon Tracking System: Physics case, Experimental approach,

The CBM Experiment at FAIR and its Silicon Tracking System: Physics case, Experimental approach,

The CBM Experiment at FAIR and its Silicon Tracking System: Physics case, Experimental approach, Status of development Johann M. Heuser GSI Helmholtz Center for Heavy Ion Research, Darmstadt, Germany for the CBM Collaboration JAEA Advanced

604 views • 56 slides
The Silicon Tracking System of the Compressed Baryonic Matter (CBM) Experiment at FAIR Hans

The Silicon Tracking System of the Compressed Baryonic Matter (CBM) Experiment at FAIR Hans

The Silicon Tracking System of the Compressed Baryonic Matter (CBM) Experiment at FAIR Hans Rudolf Schmidt, for the CBM Collaboration University of Tbingen Frontier Detectors for Frontier Physics 14th Pisa Meeting on Advanced Detectors May

654 views • 26 slides
Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics Wire

Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics Wire

Digital IC-Design The Wire &amp; decreasing feature sizes Dynamic behavior change in deep submicron A Active elements are less dominant i l l d i Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics

392 views • 9 slides
RNA Search and Motif Discovery Lecture 9 CSEP 590A Summer 2006 Outline Whirlwind tour of

RNA Search and Motif Discovery Lecture 9 CSEP 590A Summer 2006 Outline Whirlwind tour of

RNA Search and Motif Discovery Lecture 9 CSEP 590A Summer 2006 Outline Whirlwind tour of ncRNA search &amp; discovery Covariance Model Review Algorithms for Training Mutual Information Algorithms for searching Rigorous &amp;

829 views • 72 slides
Parallel Programming using OpenMP Qin Liu The Chinese University of Hong Kong 1 Overview Why

Parallel Programming using OpenMP Qin Liu The Chinese University of Hong Kong 1 Overview Why

Parallel Programming using OpenMP Qin Liu The Chinese University of Hong Kong 1 Overview Why Parallel Programming? Overview of OpenMP Core Features of OpenMP More Features and Details... One Advanced Feature 2 Introduction OpenMP is

1.49k views • 89 slides
A new setup for direct reaction w/ RIBs Francesco Recchia Department of Physics and Astronomy

A new setup for direct reaction w/ RIBs Francesco Recchia Department of Physics and Astronomy

A new setup for direct reaction w/ RIBs Francesco Recchia Department of Physics and Astronomy University of Padova Nuclear Spectroscopy Instrumentation Network of ENSAR2, NUSPIN 2017 - GSI Darmstadt - June 26 th - 29 th , 2017 Superconducting

292 views • 10 slides
Intec Systems is an established provider of water slide sensor systems for waterparks and the

Intec Systems is an established provider of water slide sensor systems for waterparks and the

intec systems Flume / Water Slide SyStemS Intec Systems is an established provider of water slide sensor systems for waterparks and the leisure industry in the UK and abroad. All our products are designed to be fjtted to new or existing fmumes,

45 views • 4 slides
WiFr rst st IoT Debugging IDE Instruments device code, network calls, and a local

WiFr rst st IoT Debugging IDE Instruments device code, network calls, and a local

WiFr rst st IoT Debugging IDE Instruments device code, network calls, and a local router to capture network communications and program activity Provides a time-linked data visualization and automatic checks to highlight potential

234 views • 12 slides

More recommend