Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

Similar documents
Azure Sphere Transformation. Patrick Ward, Principal Solutions Specialist

Building secure devices on the intelligent edge with Azure Sphere. Paul Foster, Microsoft Dr Hassan Harb, E.On

Microsoft Azure Sphere Overview Martin Grossen, Line Manager Microsoft Embedded / IoT Europe 5. June 2018

Beyond TrustZone Security Enclaves Reed Hinkel Senior Manager Embedded Security Market Develop

Beyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

NI Linux Real-Time. Fanie Coetzer. Field Sales Engineer SA North. ni.com

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Provisioning secure Identity for Microcontroller based IoT Devices

Windows 10 IoT Overview. Microsoft Corporation

Firmware Updates for Internet of Things Devices

ArduCAM CC3200 UNO board

Advanced Embedded Systems

[Docker] Containerization

Virtualizaton: One Size Does Not Fit All. Nedeljko Miljevic Product Manager, Automotive Solutions MontaVista Software

Cypress PSoC 6 Microcontrollers

Deployment Patterns using Docker and Chef

Beyond TrustZone PSA. Rob Coombs Security Director. Part1 - PSA Tech Seminars Arm Limited

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Designing Security & Trust into Connected Devices

Android System Development Training 4-day session

OS Security III: Sandbox and SFI

The friendly operating system for the IoT!

IoT.js. Next generation web for connected things. Samsung Electronics Software Center Piotr Marcinkiewicz 2017

Interconnects, Memory, GPIO

A Developer's Guide to Security on Cortex-M based MCUs

64-bit ARM Unikernels on ukvm

Product specification

Patrick Doyle Principal Software Engineer, irobot 2017 Embedded Linux Conference, Portland OR

OS Containers. Michal Sekletár November 06, 2016

D1 - Embedded Linux. Building and installing an embedded and real-time Linux platform. Objectives. Course environment.

Beyond TrustZone Part 1 - PSA

Embedded Linux With Raspberry Pi IOT

Landlock LSM: toward unprivileged sandboxing

Designing Security & Trust into Connected Devices

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

The failure of Operating Systems,

Building a Better Mousetrap:

Pushing The Limits Of Linux On ARM

Titan silicon root of trust for Google Cloud

Glomation. Embedded Single Board Computer GESBC-3130S User s Manual

Embedded Technosolutions

Simple custom Linux distributions with LinuxKit. Justin Cormack

mbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM 2017

3 Software Stacks for IoT Solutions. Ian Skerrett Eclipse

Data Security and Privacy. Unix Discretionary Access Control

Embedded Linux system development training 5-day session

Introduction p. 1 Why Linux? p. 2 Embedded Linux Today p. 3 Open Source and the GPL p. 3 Free Versus Freedom p. 4 Standards and Relevant Bodies p.

Containers and isolation as implemented in the Linux kernel

Engineering Robust Server Software

Microsoft's IoT Vision and Roadmap. Sam George Director, Azure IoT

CSE 565 Computer Security Fall 2018

EMBEDDED LINUX ON ARM9 Weekend Workshop

Profiling and Debugging OpenCL Applications with ARM Development Tools. October 2014

Particle E Series Cloud-integrated hardware platform for cellular IoT devices

Alternatives to Solaris Containers and ZFS for Linux on System z

Embedded Technosolutions

Building a reference IoT product with Zephyr. Ricardo Salveti Michael Scott Tyler Baker

New Approaches to Connected Device Security

JOURNALING FILE SYSTEMS. CS124 Operating Systems Winter , Lecture 26

ARM Powered SoCs OpenEmbedded: a framework for toolcha. generation and rootfs management

The Software of Things T Y S O N T U T T L E C E O S I L I C O N L A B S A S P E N C O R E C E O S U M M I T S H E N Z H E N 8 N O V E M B E R 2018

Designing, developing, debugging ARM Cortex-A and Cortex-M heterogeneous multi-processor systems

Windows IoT Security. Jackie Chang Sr. Program Manager

TEN LAYERS OF CONTAINER SECURITY

Yocto Project and OpenEmbedded training 3-day session

Agile Hardware Design: Building Chips with Small Teams

EMBEDDED SYSTEMS WITH ROBOTICS AND SENSORS USING ERLANG

Ellipse Support. Contents

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

Enabling IoT OSs for Intel Quark MCU Platforms: the fast way. OpenIoT Summit Europe Andre Guedes

Kernel Boot-Time Optimization

Husarion CORE2. Husarion CORE2 is a development board for Internet-connected automation & robotic devices.

Building mbed Together: An Overview of mbed OS and How To Get Involved

Running Databases in Containers.

Bringing the benefits of Cortex-M processors to FPGA

OS concepts and structure. q OS components & interconnects q Structuring OSs q Next time: Processes

The Next Steps in the Evolution of Embedded Processors

U-Boot Falcon Mode. Minimizing boot times using U-Boot "Falcon" mode. Stefano Babic / Wolfgang Denk. July 2012

Copyright 2017 Samsung. All Rights Reserved. O-Hoon Kwon, Ph.D. Samsung Electronics

Topics. Operating System. What is an Operating System? Let s Get Started! What is an Operating System? Where in the Book are we?

containerization: more than the new virtualization

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Embedded Linux kernel and driver development training 5-day session

Hacking and Hardening Kubernetes

DesignWare IP for IoT SoC Designs

CS2028 -UNIX INTERNALS

DevKit7000 Evaluation Kit

Extending Fixed Subsystems at the TLM Level: Experiences from the FPGA World

Designing Security & Trust into Connected Devices

Accelerating IoT with ARM mbed

SUSE Linux Entreprise Server for ARM

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Snappy Ubuntu Core Enabling secure devices with app stores

SiFive Freedom SoCs: Industry s First Open-Source RISC-V Chips

Leverage Vybrid's asymmetrical multicore architecture for real-time applications by Stefan Agner

Windows Devices. Device Capabilities. Premium. Entry

HYDRA-X23/X23S. Power Application Controllers. PAC HYDRA-X User s Guide. Copyright 2014 Active-Semi, Inc.

PERFORMANCE ANALYSIS USING NXP S I.MX RT1050 CROSSOVER PROCESSOR AND THE ZEPHYR OS

Transcription:

Azure Sphere: Fitting Linux Security in 4 MiB of RAM Ryan Fairfax Principal Software Engineering Lead Microsoft

Agenda o o o o Intro to Azure Sphere Kernel Customizations User mode services / App Model Future work / Takeaways

Microcontrollers (MCUs) 9 BILLION new MCU devices built and deployed every year

Azure Sphere is an end-to-end solution for MCU powered devices The Azure Sphere OS Azure Sphere Certified MCUs The Azure Sphere Security Service

Azure Sphere certified MCUs C O N N E C T E D with built-in networking S E C U R E D with built-in Microsoft silicon C Osecurity N N E Ctechnology T E D with including built-in networking the Pluton Security Subsystem Microsoft Pluton Security Subsystem Firewall FLASH 4MB Firewall Network Connection WiFi in first chips Firewall S E C U R E D with built-in Microsoft silicon security technology C R O S Sincluding O V E R Cortex-A the Pluton processing Security Subsystem power brought to MCUs for the first time ARM Cortex-A optimized for low power SRAM 4MB ARM Cortex-M for real time processing C R O S S O V E R Cortex-A processing power brought to MCUs for the first time Firewall Firewall Multiplexed I/O Firewall GPIO PWM TDM I2S UART I2C SPI ADC

The Azure Sphere OS Secure Application Containers Compartmentalize code for agility, robustness & security On-chip Cloud Services Provide update, authentication, and connectivity Custom Linux kernel Empowers agile silicon evolution and reuse of code Security Monitor Guards integrity and access to critical resources OS Layer 4 OS Layer 3 OS Layer 2 OS Layer 1 Azure Sphere OS Architecture App Containers for POSIX (on Cortex-A) On-chip Cloud Services HLOS Kernel Security Monitor App Containers for I/O (on Cortex-Ms) Hardware Azure Sphere MCUs

Linux Kernel Customizations At the heart of the Azure Sphere OS is the Linux Kernel Based on kernel.org sources Originally 4.1, now 4.9, with the goal to keep moving forward as LTS branches get declared Upstream releases are merged monthly We have 227 commits in a branch on top of the upstream sources as of Aug 16 th OS Layer 4 OS Layer 3 OS Layer 2 Azure Sphere OS Architecture App Containers for POSIX (on Cortex-A) On-chip Cloud Services HLOS Kernel App Containers for I/O (on Cortex-Ms) OS Layer 1 Security Monitor Hardware Azure Sphere MCUs

Linux Kernel Customizations The first challenge was making it fit The first build was a 4MB kernel, which took up all of the RAM We moved to Execute-In-Place (XIP) which helped a lot but we still used nearly 4MB of RAM to boot Lots of our early patches were making things more modular and tuning sizes of caches Some things were removed to reduce size (sysfs, most memory tracking options, kallsyms). As of our public preview we re at ~2.4MB of code + data, ~2100KB RAM usage after boot

Linux Kernel Customizations The first version of our security model used static permissions baked into the filesystem We set owner, group, SUID, SGID on each process to ensure a consistent identity at runtime via build policy To pull this off we added some kernel code to enforce effective UID = real UID to avoid getting back to root Shared data or IPC was done via supplemental groups (also baked into filesystem) This made effective access for a program easier to reason about, but you had a major burden at build time to ensure the right owners / groups were set

Linux Kernel Customizations The second version involved a simple Linux Security Module The goals were to reduce attack surface and enable new access control scenarios The LSM statically fails many operations that aren t needed on the platform We add three new fields to each task: App ID (CID), Network ID (TID), Capabilities Other apps + kernel modules can use these new fields for extended access control All values are immutable once set and inherit to child processes

Linux Kernel Customizations We experimented a lot with filesystems We started with CRAMFS + XIP patches, but moved to a fork with modifications to reduce overhead We patched in CoW support for XIP code when debugging is enabled We tried many writable file systems that didn t work out due to RAM or flash wear overhead: ext2, jffs2, yaffs Ultimately we ported ARM s LittleFS to the kernel as it was a better fit for writable partitions that are hundreds of KiB in size https://github.com/armmbed/littlefs In some cases we added more access control to existing features Added per-pin GPIO access to the base GPIO infrastructure as an optional feature Added file system quota support for MTD devices Adjusted some items to leverage existing or new capabilities instead of checking for root

User mode / App model Our user mode code execution model focuses around applications Everything is an app, other than the application manager (aka init). This includes system services. Apps are self describing, independently updatable, and generally run isolated from each other There are 4 out of box system apps + an optional debugger Apps are renewable Everything on the system can be updated over the air Microsoft manages OS app updates, OEMs manage their app updates

User mode / App model We looked at options for self contained app packages and containers Looked seriously at LXC but couldn t get it to fit We started rolling our own containers with namespaces but found many of the peripherals apps used didn t interact with namespaces properly or led to capability leakage We ended up with apps as self describing file systems Each app is its own filesystem that is mounted / unmounted to install / uninstall Apps contain metadata documents in the root of the FS that describes how they work and what they need access to The system validates policy and enforces it by leveraging many other Linux technologies

User mode / App model Manifests describe the app What to run What policy to enforce What peripherals to allow access to Our custom init process (applicationmanager) enforces the policy Uses cgroups for resource limiting Assigns each app a unique UID / GID Updates access on /dev entries Programs netfilter firewall Every process other than init is an app

User mode / App model Attack surface is reduced by removing features This not only helps our RAM limits but means one less feature we have to reason about from a security perspective We have no shell or user account management No kernel module support We ship a greatly reduced library set (9 total.so files in /usr/lib) Resource usage is limited cgroups enables predictable RAM exhaustion and resource contention behavior An app cannot access any peripherals or network traffic without opting into those features

Future Work Upstream some of our work that is applicable outside our product Some memory improvements and configuration support are wins for any platform File system work maybe generally applicable to other classes of embedded devices More namespace usage and further isolation of resources There s a lot of security goodness to be had here if we can make it fit Split up some large capability sets like CAP_SYS_ADMIN The Linux capability model is great until you need CAP_SYS_ADMIN Some low level hardware features are designed to require ADMIN when not strictly needed Revisit features that were too big to fit by refactoring to enable usage with less resources For example, looking at other LSMs Many, many, more ideas than I can possibly fit on this slide

Takeaways Security and resources are at odds at times Features are designed for strong security, space considerations are secondary (if at all) Security features are often all or nothing no way to take some benefit without paying for all Many security features depend on other frameworks like sysfs There s a lot that works well Most core Linux features just work even with limited resources Most of the changes we had to do were small modifications to existing code paths Improvements for the desktop / server space often benefit embedded & IoT as well The problems in the IoT space are far from unique

Let s secure the future.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback