SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM

Transcription

1 1 SRIFY: A COMPOSITIONAL APPROACH OF BUILDING SRITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC March 2018

2 2 Securify Approach Compositional Security Reasoning with Untrusted Components Securify Architecture Model-based Secure Code Generation Runtime Security Verification Hardware-aided Dynamic Security Analysis Automatic Program Verification Security- Enhanced Library Verification Secure Micro- Kernel Verification Hardware Verification Applications Libraries OS / Micro Kernel Hardware

3 3 Research Highlights Detection of errors in the ARINC-653 standard for safety of partitioning systems. Recognized by the ARINC-653 Committee and revised according to our proposed fixes. Multi-Core separation micro-kernel Verification Building demos using the verified micro-kernels Library Verification and Safe Code Generation Collaboration on generating secure libraries for Linux kernel and critical components in autonomous vehicles Runtime verification Attack detection in CANBUS and Android for malware detection Vulnerability Reported 100+ CVE reported in commercial software with 100K USD bug bounties

4 4 Defense Internet of Things Communication Devices Attack Isolation Smart Home Dynamic Monitoring Aerospace Fault Contemption Medical Devices High Assurance Systems Smart Nation Foundational Secure Architecture ITS Isolated Critical backends from Non-secure Front-ends Banking Devices Embedded Systems

5 5 Approaching Devices Security by Construction Current Non-secure Architecture Proposed Secure Architecture Processes Call to Buggy System/Library Linux (Monolithic Kernel) s (Bugs) Libraries (Bugs) Security Mechanisms (NX, ASLR, etc.) (Bugs) Control Access Mechanisms (Bugs). HW Processes Truly Isolated Functional and memory safety correctness using safe code generation from specification Security Monitor Runtime monitor for dynamic security Separation Micro-Kernel Necessary and Sufficient set of verified services providing Spatial and temporal isolation HW

6 6 Approaching Devices Security by Construction Security Monitor Runtime monitor for dynamic security Scheduling Actions Process Actions Communication Actions Verified Kernel Interface Legal System Call Illegal System Call Verified Separation Micro-Kernel Necessary and Sufficient set of verified services providing Spatial and temporal isolation HW

7 7 Monolithic Approach in AV User Interface Self-Driving System GPS CAN adaptor Camera Steering Brake Linux WiFi Bluetooth Acceleration CAN BUS

8 8 Monolithic Approach in AV Vulnerable User Interface Self-Driving System GPS CAN adaptor Camera Steering Brake Linux WiFi Bluetooth Acceleration CAN BUS CAN BUS easily accessible AV easy to hijack!!!

9 9 A separation approach for AV Security Isolated Components Malicious Agents do not have access to other domains Bluetooth WiFi Malicius User Interface Camera GPS Self-Driving System Security Monitor CAN adaptor Steering Brake Separation Micro-Kernel Acceleration CAN BUS

10 10 A separation approach for AV Security Verified Micro Kernel ensures that there are no kernel exploits able to affect the information flow. Bluetooth WiFi Malicius User Interface Camera GPS Self-Driving System Security Monitor CAN adaptor Steering Brake Separation Micro-Kernel Acceleration CAN BUS

11 11 A separation approach for AV Security Indirect access can be controlled: limited communication in the channel Security Monitor can control the information sent between domains Bluetooth WiFi GPS Malicius User Interface Self-Driving System Security Monitor Camera CAN adaptor Steering Brake Separation Micro-Kernel Acceleration CAN BUS

12 12 Summary Securify provides a secure architecture by construction with a verified secure Separation kernel and run-time monitoring for dynamic security. Separation Kernel provides a secure architecture for high assurance systems. Security can be enhanced with a trusted privileged system runtime monitor. Securify foundations can be used to provide a secure architecture for IoT devices and IST, which naturally fixes most of the problems of monolithic approaches.

13 Thanks for your attention! 13