Creating a Practical Security Architecture Based on sel4

Transcription

1 Creating a Practical Security Architecture Based on sel4 Xinming (Simon) Ou University of South Florida (many slides borrowed/adapted from my student Daniel Wang) 1

2 Questions for sel4 Community Is there concrete evidence that sel4 can improve security of computing systems we use today? If so, How shall we architect a system using sel4? How can we make the real world adopt it? 2

3 A Tale of Two Efforts Use sel4 to improve the security of building automation systems (BAS) Built physical prototypes using both sel4 and Linux and demonstrated how attacks fare on each Transition the technology to a major BAS vendor Built multiple proof of concepts for the company Convinced business units that sel4 is the preferred technology to use for future products Efforts funded by the DHS CPSSEC program 3

4 Buildings are critical cyber infrastructures Building Automation System (BAS) interconnects multiple types of cyber physical systems Computerized controls Moving towards smart like the rest of the world 4

5 Threats Buildings are already on the Internet Internet Enterprise IP Network Building Controllers Field Devices Air-gapping BAS network has long become impossible Stepping stone for launching attacks on connected CPSs New attack surfaces in intelligent applications 5

6 Security Issues Zero security in communication protocol BAS controller has little protection More and more functions start to be deployed on the same controller BAS controller is becoming a mixed-critical system Big attack surface, serious risks BASs require a (more) secure computing platform 6

7 Anchor Security to the Controllers What do we need from a BAS controller? Process Isolation Robust Design with small Trusted Computing Base Non-bypassable, Explicit Management of Critical System Resources mandatory access control (MAC) Maintain critical functionalities even when partially compromised Microkernel Seems to be the Right Choice 7

8 Most current BAS controllers are built with conventional OS such as Linux, which is monolithic. 8

9 Experimented with Two Microkernels MINIX 3 Free, open-source microkernel OS; developed over 30 years (V3 released in 2005) 4000 LOC Small, simple, and easy to modify Lack of formal verification No built-in support for MAC sel4 The world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement 10.2 KLOC Support real-time constraints (not formally verified yet) Support MAC naturally through its capability-based access model 9

10 Q1: Is there concrete evidence that sel4 can improve security of BAS we use today? Temperature Control Scenario Implemented using BeagleBone Black Board Alarm System HVAC: Fan & Sensor Building Controller 10

11 Temperature Control Scenario -- Linux FanActuator AlarmActuator TempSensor TempControl WebInterface Process Control Block Message Queue Virtual File System Drivers Monolithic Kernel 11

12 Temperature Control Scenario -- Linux Compromised with root Spoofing message: Alarm OFF & Fan OFF FanActuator AlarmActuator TempSensor TempControl WebInterface Process Control Block Message Queue Virtual File System Drivers Monolithic Kernel 12

13 Temperature Control Scenario -- Linux Compromised with root kill(fanactuator); & kill(alarmactuator); FanActuator AlarmActuator TempSensor TempControl WebInterface Process Control Block Message Queue Virtual File System Drivers Monolithic Kernel 13

14 Temperature Control Scenario Compromised FanActuator AlarmActuator TempSensor TempControl WebInterface Process Manager WebInterface has no way of communicating with FanActuator or AlarmActuator Kernel derives capability: denied sel4 14

15 Temperature Control Scenario sel4 Compromised FanActuator AlarmActuator TempSensor TempControl WebInterface Process Manager WebInterface has no way of communicating with ProcessManager, thus cannot terminate the other processes Kernel derives capability: denied sel4 15

16 Q2: How can we make the BAS industry adopt it? In practice, companies have legacy code developed targeting existing platforms It is cost-prohibitive to replace architecture overnight It is infeasible to expect businesses to build applications from scratch in favor of security Security solution must be transparent Adoption is a gradual process 16

17 Our Approach: Use sel4 as a Hypervisor Application File System Libraries Application Process Control Device Drivers Guest OS (e.g., Linux) Third-party Application Libraries Network Stack sel4 running as a hypervisor Secure Storage Sensitive App Hardware (e.g., ARM Processor with virtualization support) Security sensitive applications run natively on sel4 Legacy OS+s/w stack runs in a virtualized environment; applications do not see anything different Applications request sensitive services from secure apps though microkernel IPC using modified libraries Microkernel audits/mediates all interactions through predefined policies 17

18 POC1: Current/Standard Linux Architecture encrypt/decrypt request Crypto Client App Drivers Anther Linux App Libraries Socket File System Linux ARM Cortex-A9 Crypto Server App Modules Key stored in file system User Mode Kernel Mode Proposed Secure Controller Architecture encrypt/decrypt request Crypto Client App L4Linux Modified Library VMM Anther Linux App Root Pager L4Re microkernel ARM Cortex-A9 crypto Server App Key stored in isolated L4 native app L4Re User Mode Kernel Mode The Goal: Protect the Private Key 18

19 Adapted Approach: BAS App Crypto Server Linux Linux Linux VMM VMM VMM sel4 running as a hypervisor Network Stack Hardware (e.g. ARM Processor with virtualization support) Use sel4 as a means to separating legacy code components into VMs mediated by the microkernel 19

20 POC2: Current BAS Edge Gateway Architecture Proposed New Edge Gateway Architecture Guest OS Guest OS Guest OS Cloud Client Security Monitor Libraries BAS Apps User Mode Kernel Mode Cloud Client IoT Gateway (e.g. Azure Sphere) Modified Library Security Monitor Customized Linux Modified Library BAS Apps Customized Linux Modified Library File System VMM VMM VMM Drivers Linux ARM Processor Modules CapDL-Loader sel4 microkernel ARM Cortex-A15 User Mode Supervisor Mode Compromise in one component Compromise all Compromise in one component confined to that component The Goal: Provide separation within legacy code 20

21 Take Away sel4 seems to be a useful technology for improving the cybersecurity of BAS and possibly many other types of CPSs sel4 by itself is not sufficient; we need an architectural design for the overall system The architecture must be able to work with existing legacy systems for sel4 to be adoptable by industry There is still huge amount of important engineering efforts needed for sel4 to be usable in real-world systems 21