The Open-Source sel4 Kernel Military-Grade Security Through

Transcription

1 The Open-Source sel4 Kernel Military-Grade Security Through Gernot Trustworthy Systems Data61 Linaro Connect SFO 17 h"ps://sel4.systems

2 Car Hacking What s Behind? Networking for: Entertainment Connected car Safety (@re pressure ) Maintenance (OTA upgrades) No security whatsoever on CAN bus! Sensor Infotainment etc Engine Control etc 2

3 Challenge of Networking Networking creates remote a"ack from passengers (wifi, Bluetooth) from nearby cars (wifi, Bluetooth) drive-by spread of viruses from anywhere (cellular) A"ack vectors: Insecure protocols Reusing crypto keys Soaware 3

4 Soaware Dependabilty, Security Soaware-engineering rule of thumb: 1 5 bugs per 1,000 lines of quality code Bluetooth protocol stack: Mul@ple 100,000 lines System Complexity Complexity Drivers Features/func@onality Legacy reuse Linux kernel: Tens of millions lines 4

5 Linux Security Soaware will break The enemy will be on the plahorm! 5

6 OK, So Let s Patch Regularly 10M LOC 10k bugs 10M LOC 10k-1 bugs Patch 10M LOC 10k bugs 1 known vulnerability Patch-and-Pray: A losing proposi@on 6

7 So, Let s Use Firewalls! Imposes overhead (SWaP) or Runs on vulnerable OS worthless if OS compromised Even more code may increase a"ack surface No help for valid messages that trigger bugs in soaware Firewalls treat symptoms, not causes of problems! Infotainment etc Sensor Engine Control etc 7

8 Let s Use AI to Detect Compromise! Runs on vulnerable OS worthless if OS compromised Even more code may increase a"ack surface Can only detect that system is already compromised Intrusion detec@on: admission of defeat Infotainment etc Sensor Engine Control etc 8

9 Fundamental Security Requirement: Strong untrusted trusted Enforced by trustworthy kernel Processor subject to global security policy 9

10 Trustworthiness: Can We Rely on A system is trustworthy if and only if: it behaves exactly as it is specified, in a timely manner, while ensuring secure execution Claim: A system must be considered untrustworthy unless proved otherwise! Corollary [with apologies to Dijkstra]: Tes@ng, code inspec@on, etc. can only show lack of trustworthiness! 10

11 Provably Secure System ~10,000 lines of C and ASM code Small attack surface, Amenable to full verification Non-kernel code can only access resources and communication channels if explicitly authorised with a per-object access token (capability) Confined damage Least privilege Small, fast, capability-based, operating system kernel components World s fastest (5 10X faster) operating system designed for security and safety Suitable for real-world deployment Code that runs in privileged mode of the hardware Most critical part Unprivileged mode sel4 access control VM IPC Threads Privileged mode hardware 11

12 20+ Years of L4 Microkernel R&D sel4: The latest (and most advanced) member of the L4 microkernel family API Inheritance L4-embed. Code Inheritance L4/MIPS L4/Alpha ios security processor OKL4-µKernel OKL4-Microvisor Codezero Qualcomm modem chips L3 L4 X Hazelnut Pistachio GMD/IBM/Karlsruhe UNSW/NICTA OK Labs Dresden Other (commercial) Fiasco P4 PikeOS Fiasco.OC Nova L4Re June'17

13 Proving Trustworthiness of sel4 C Implementa@on Exclusions (at present): Ini@alisa@on Low-level MMU model caches Mul@core Covert >ming channels Transla@on correctness [PLDI 13] Worst-case [RTSS 11, RTAS 16] Integrity Proof Proof Proof Abstract Model Binary code Availability Func@onal correctness [SOSP 09] Isola@on proper@es [ITP 11, S&P 13] Provably impossible: buffer overflow null-pointer dereference code injec@on memory leaks kernel crash undefined behaviour privilege escala@on 13

14 How Does sel4 Compare? Feature sel4 Other hypervisors, RTOSes, separation kernels Performance Fastest 2 10 slower Functional Proved No Guarantee correctness Isolation Proved No Guarantee Worst-case Sound & Estimates only latency bounds complete Storage channel Proved No Guarantee freedom Timing channel Low overhead None or High Overhead prevention Mixed-criticality support Fully supported, high utilisation Limited, resource-wastive 14

15 VM VM User Guest apps VMM Guest apps VMM Syscall Kernel guest OS guest OS Hypercall IPC Hyp COMP9242 S2/2017 W04

16 Security by Architecture Cyber-retrofit! Incremental process: migrate in pieces Virtual machine for legacy Extract bits, run untrusted Apps Apps Apps control Device driver NW stack Linux untrusted 16

17 Real-World Example: DARPA HACMS Retrofit system! Boeing Unmanned Li"le Bird SMACCMcopter Research Vehicle 17 US Army Autonomous Trucks Develop technology TARDEC GVR-Bot

18 Example: Processes A VSpace FRAME FRAME PT A PD A Thread-Object CSpace A CNodeA1 EP CONTEXT CNode A2 Send Receive CSpace CNode B1... Thread-Object B CONTEXT VSpace B Communica@on endpoint (port) 18 June'17

19 Component Middleware: CAmkES Higher-level of low-level sel4 constructs interface connector component 19 June'17

20 Example: Simplified HACMS UAV Radio Driver CAN Driver Data Link Crypto contained Wifi Camera Linux untrusted 20 June'17

21 Enforcing the Architecture Radio Driver CAN Driver Data Link Crypto untrusted, contained Linux untrusted Wi fi Camer a Architecture specifica@on language Low-level capdl access rights A Thread Object CSpace CSpace CNode EP CNode Thread Object B glue.c driver.c VMM.c CONTEXT VSpace... Send Receive... CONTEXT VSpace Compiler/ Linker init.c binary 21

22 Open-Source Architecture Analysis Analysis Tools Safety Eclipsebased IDE Design AADL Architecture Analysis & Language Generate Component CAmkES Generate Glue Code Binary 22 LCA'16 Geelong

23 Military-Grade Security Cross-Domain Desktop Compositor secure terminal Successful defence trial in AU Evaluated in US, UK, CA Formal security soon Pen10.com.au crypto device undergoing formal security in UK 23

24 Pull request or patch on mailing list Review 24

25 Thank you Robin Randhawa Please check out h"ps://sel4.systems 25

26 Military-Grade Security for You! Security is no excuse for poor performance! Gernot Linaro Connect SFO 17 h"p://sel4.systems