Using a Certified Hypervisor to Secure V2X communication

Similar documents
A Secure Update Architecture for High Assurance Mixed-Criticality System Don Kuzhiyelil Dr. Sergey Tverdyshev SYSGO AG

Hypervisor Market Overview. Franz Walkembach. for GENIVI AMM, April 19 th, 2018 (Munich) SYSGO AG Public

Safety and Security for Automotive using Microkernel Technology

Smart Antennas and Hypervisor: Enabling Secure Convergence. July 5, 2017

Operating System Security

Virtual Machine Security

CS6501: Great Works in Computer Science

CSE Computer Security

Using a Separation Kernel to Protect against the Remote Exploitation of Unaltered Passenger Vehicles

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Advanced Systems Security: Virtual Machine Systems

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Designing Security & Trust into Connected Devices

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Security and Performance Benefits of Virtualization

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Advanced Systems Security: Virtual Machine Systems

Communication Patterns in Safety Critical Systems for ADAS & Autonomous Vehicles Thorsten Wilmer Tech AD Berlin, 5. March 2018

CSE543 - Computer and Network Security Module: Virtualization

10 th AUTOSAR Open Conference

CSE543 - Computer and Network Security Module: Virtualization

Designing Security & Trust into Connected Devices

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Support for Smart NICs. Ian Pratt

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Interaction between AUTOSAR and non-autosar Systems on top of a Hypervisor

Applying MILS to multicore avionics systems

Resilient IoT Security: The end of flat security models

A Big Little Hypervisor for IoT Development February 2018

SUCCESSFULL MULTICORE CERTIFICATION WITH SOFTWARE-PARTITIONING Efficient Implementation for DO-178C, EN 50128, ISO 26262

Infotainment Solutions. with Open Source and i.mx6. mentor.com/embedded. Andrew Patterson Business Development Director Embedded Automotive

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

CIS 5373 Systems Security

10 Steps to Virtualization

Designing Security & Trust into Connected Devices

CS 261 Fall Mike Lam, Professor. Virtual Memory

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

SafeBricks: Shielding Network Functions in the Cloud

Bringing Android to Secure SDRs

SIERRAWARE SIERRATEE FOR MIPS OMNISHIELD

Multicore platform towards automotive safety challenges

ARM processors driving automotive innovation

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Four Components of a Computer System

Fault Isolation for Device Drivers

A Developer's Guide to Security on Cortex-M based MCUs

Live Demo: A New Hardware- Based Approach to Secure the Internet of Things

Trusted Computing and O/S Security

OS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

CSE543 - Computer and Network Security Module: Virtualization

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Autonomous Driving needs Safety & Security. Embedded World 2018 Dr. Ciwan Gouma

Deflating the hype: Embedded Virtualization in 3 steps

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

18-642: Security Mitigation & Validation

Introduction to Adaptive AUTOSAR. Dheeraj Sharma July 27, 2017

Operating-System Structures

CSC 5930/9010 Cloud S & P: Virtualization

Distributed IMA with TTEthernet

Chapter 2: Operating-System Structures

Virtualizaton: One Size Does Not Fit All. Nedeljko Miljevic Product Manager, Automotive Solutions MontaVista Software

Developing deterministic networking technology for railway applications using TTEthernet software-based end systems

ARM Security Solutions and Numonyx Authenticated Flash


Mentor Automotive Save Energy with Embedded Software! Andrew Patterson Presented to CENEX 14 th September 2016

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

Computer Architecture Background

Publishing Enterprise Web Applications to BYOD using a Granular. Trust Model. Shachaf Levi IT Client Security & Connectivity May 2013.

W11 Hyper-V security. Jesper Krogh.

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Tailoring TrustZone as SMM Equivalent

What are some common categories of system calls? What are common ways of structuring an OS? What are the principles behind OS design and

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Secure Containers with EPT Isolation

IoT It s All About Security

Creating a Practical Security Architecture Based on sel4

The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else

10 th AUTOSAR Open Conference

Advanced Systems Security: Security Goals

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

Presentation's title

Security as a Architectural Concern, Chrome Arch, and NFP Measurement Reid Holmes

Trusted Platform Modules Automotive applications and differentiation from HSM

whitepaper ClickShare Security

The Adaptive Platform for Future Use Cases

CSE 120 Principles of Operating Systems

Trustzone Security IP for IoT

Real-Time Systems and Intel take industrial embedded systems to the next level

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Interconnecting Components

CSE 4/521 Introduction to Operating Systems. Lecture 12 Main Memory I (Background, Swapping) Summer 2018

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Transcription:

SYSGO AG PUBLIC 1

Using a Certified Hypervisor to Secure V2X communication Author(s): Date: Version Chris Berg 08/05/2017 v1.1 SYSGO AG PUBLIC 2

Protecting Assets People started protecting their assets (e.g. life) from the very beginning of their existence People started building Fences Walls Trenches + water Air-gapping SYSGO AG PUBLIC 3

Protecting Assets People started protecting their assets (e.g. life) from the very beginning of their existence People started building Fences Walls Trenches + water Air-gapping SYSGO AG PUBLIC 4

What is going to be hacked??? SYSGO AG PUBLIC 5

Short Answer: The weakest link SYSGO AG PUBLIC 6

Long Answer: Attack Surface Typically attacks aim at Components with the exposed interfaces Information flow within system, i.e. component interaction Thus, the attack surface is the full system architecture Security is the integral system property! Without a clean design, it is extremly difficult to identify/define the attack surface SYSGO AG PUBLIC 7

Secure Design Principles (Saltzer and Schroeder 75) Design Principle Principle of Economy of Mechanism Explanation The protection mechanism should have a simple and small design. Principle of Fail-safe Defaults Principle of Complete Mediation Principle of Open Design Principle of Separation of Privilege Principle of Least Privilege Principle of Least Common Mechanism Principle of Psychological Acceptability The protection mechanism should deny access by default, and grant access only when explicit permission exists. The protection mechanism should check every access to every object. The protection mechanism should not depend on secrecy of its design The protection mechanism should grant access based on more than one piece of information (e.g., two keys are needed to open a vaultlock or defence in the depth). Every process shall operate with the minimum privileges needed to perform its task Minimize the amount of mechanism common to more than one user and depended on by all users The protection mechanism should be easy to use (at least as easy as not using it). SYSGO AG PUBLIC 8

PikeOS Supports Secure Design Principles Design Principle Principle of Economy of Mechanism Principle of Fail-safe Defaults Principle of Complete Mediation Principle of Open Design PikeOS Property PikeOS is 10-15k LoC. Typical hypervisor sizes on market are 60k-200k LoC. That is PikeOS default policy: No information flow and no resource sharing unless specified. PikeOS is a small separation kernel, which controls all accesses to controlled resources. 1) PikeOS source code and design are available for certification needs/vulnerability analysis, i.e. PikeOS security does not depend on secrecy of its design. Principle of Separation of Privilege Principle of Least Privilege Principle of Least Common Mechanism Principle of Psychological Acceptability 2) Detailed PikeOS API documentation available to all customers. PikeOS implements first level privilege, resource level. Thus, system/application design can rely on it and build separate privilege control. PikeOS separation is the technical means to implement it on system level. 1) PikeOS can be the only shared component. 2) PikeOS separation allows modular sharing of system security mechanisms. 1) Decomposition of a system into partitions makes it easier to understand and maintain its functionality. 2) Strong certification portfolio. 9 SYSGO AG PUBLIC 9

Agenda Security Challenges Connectivity Automotive Security Separation Kernel Multiple Independent Levels of Security Separation Kernel Security Concept Security Add-On Secure Boot Secure Update Summary SYSGO AG PUBLIC 10

Distributed System of ECUs Instrument Cluster Connectivity Box Infotainment Head Unit Electronic Toll Collection Advanced Driver Assistance Systems Ref: Wikipedia SYSGO AG PUBLIC 11

Distributed System of ECUs Problems SWaP Size Weight Power Communication overhead, interferences, the cost of interconnect Validation of the integrated system SYSGO AG PUBLIC 12

Consolidated System ADAS e.g. Traffic Sign identification Toll Collection ECU State Management... Gateway.. PikeOS Physical Hardware Core 0 Core 1 Core 2 Core 3 SYSGO AG PUBLIC 13

Consolidated System Characteristics of Consolidated System Multiple safety levels Multiple security domains Real-time and non-real time applications on a single device Shared device drivers Centralized state management Centralized health monitoring SYSGO AG PUBLIC 14

Agenda Security Challenges Connectivity Industrial Security Separation Kernel Multiple Independent Levels of Security Separation Kernel Security Concept Security Add-On Secure Boot Secure Update Security Certification Common Criteria PikeOS Security Certification Summary SYSGO AG PUBLIC 15

Why do I want Security? Security for Safety Security for Availability Security vs. Safety Safety The system shall not harm the environment Security The environment shall not harm the system http://www.google.de/imgres?imgurl=http%3a%2f%2fcdn3.spiegel.de%2fimages%2fimage-706496-galleryv9- wzjk.jpg&imgrefurl=http%3a%2f%2fwww.spiegel.de%2ffotostrecke%2froboter-sollen-menschen-an- fertigungsstrassen-arbeit-abnehmen-fotostrecke-115468-4.html&h=558&w=850&tbnid=3fzo3ydnbdgxfm%3a&zoom=1&docid=n0rab2uchoonzm&ei=xyzyvfikk8pb7 AbOpICgBw&tbm=isch&client=safari&iact=rc&uact=3&dur=1913&page=2&start=15&ndsp=20&ved=0CE0QrQMw Dw SYSGO AG PUBLIC 16

Perfectly Secure Product It is secure because it s doing nothing, i.e. it stays in the same state NOP transition INIT only if initial state is secure SYSGO AG PUBLIC 17

Sharing is a Challenge Challenge: Resources sharing Resources CPUs Memory, IO memory Flies, drivers, devices, buses Safety Integrity, availability Isolation, application errors, fail safe Security Integrity, availability, confidentiality Possible side channels via shared resources Resources and API are attack surface Challenge: Time sharing Time CPU cycles Time effects of accessing shared resources, e.g. buses Safety Availability, deterministic behavior, meeting deadlines Right balance between timeand event-triggered tasks Security Availability, confidentiality Possible timing side channels via shared resources, e.g. caches, busses Time is the attack surface SYSGO AG PUBLIC 18

Security by Spatial Separation MMU Map Memory to Partitions Adress- Space Static Configuration of OS Resources Connectivity Linux No Error Propagation HMI Android Early Boot CAN-Bus Guaranteed Access to Assigned Resources System Part. Health Mon. CBIT Native Privileged Partition Restart / Shutdown Direct Mapping of Physical Resources Change Scheduling Execute in User Mode IOMMU Memory access for DMA Devices PikeOS Hypervisor Execute in Kernel Mode Security by separation and controlled information flow SYSGO AG PUBLIC 19

Sharing of L2 Cache and the Consequence Security Domain 1 handling some secret data that shall not leak to Security Domain 2 -> information flow policy requires no data exchange from Dom 1 to Dom 2 Dom 1 contains an application Transmitter that willingly or non-willingly leaking information to Receiver in Dom 2 Assume: Domain 1 and Doman2 are assigned disjoint resources, e.g. memory Domain 1 and Doman2 are disjoint in time, i.e. executed in different time windows If they are scheduled on same core Core local cache (L1, L2) is shared Cache activity of one domain will be observable from other domain Cache based timing covert channel 20

Cache Based Timing Covert Channel Preparation Phase SYSGO AG PUBLIC 21

Cache Based Timing Covert Channel Encode Phase; TX Data = 0 SYSGO AG PUBLIC 22

Cache Based Timing Covert Channel Decode Phase; RX Data = 0 SYSGO AG PUBLIC 23

Cache Based Timing Covert Channel Encode Phase; TX Data = 1 SYSGO AG PUBLIC 24

Cache Based Timing Covert Channel Decode Phase; RX Data = 1 SYSGO AG PUBLIC 25

Cache Based Timing Covert Channel Maximum Bandwidth Measurement Experiment TX = 0 even set is evicted For RX, tb_e > tb_o TX = 1 odd set is evicted For RX, tb_o > tb_e SYSGO AG PUBLIC 26

Cache Based Timing Covert Channel Maximum Bandwidth Measurement Experiment Experiment Configuration TX window size = 350 us RX window size = 350 us Data transferred = 3 MB 9 minutes to transfer 3MB of data bandwidth of 44.6Kbits per second 12 bit Errors SYSGO AG PUBLIC 27

Mitigate the Cache Covert Channel Flushing takes variable time based on number of modified lines -> potential timing covert channel Sandwich partition to contain the cache flushing time -> also effective to contain the non-premptable kernel actions taken just before the time partition switch SYSGO AG PUBLIC 28

Agenda Security Challenges Connectivity Industrial Security Separation Kernel Multiple Independent Levels of Security Separation Kernel Security Concept Security Add-On Secure Boot Secure Update Summary SYSGO AG PUBLIC 29

Secure Boot What am I trying to protect? System availability Reverse engineering/cloning Who am I trying to protect from? Malicious Hacker Customers Competition How do I protect? Implement a chain of trust Encrypt SYSGO AG PUBLIC 30

Secure Boot - Implementation 1. 2. 3. 4. 5. Validation Start of an 3 rd and of Application party 3 rd start party applications of applications the loader bootloader PikeOS and Secure image File Provider P2040 4 Power On 1 Hardware validation Security Engine 1 2 2 Bootloader 2 PikeOS PSP Kernel SE 3 3 Validation Module 4 Application Loader 5 5 Partition1: 3 rd party App1 Partition2: 3 rd party App2 FLASH Bootloader and its header PikeOS Image header PikeOS Image 3 rd party Apps 3 rd party App Header SYSGO AG PUBLIC 31

Secure Boot - Trusted Chain P2040 4 Power On 1 Hardware validation Security Engine 1 2 2 Bootloader 2 PikeOS PSP Kernel SE 3 3 Validation Module 4 Application Loader 5 5 Partition1: 3 rd party App1 Partition2: 3 rd party App2 FLASH Bootloader and its header PikeOS Image header PikeOS Image 3 rd party Apps 3 rd party App Header SYSGO AG PUBLIC 32

Secure Update - Implementation 5 1 Power On 1 Hardware validation Security Engine Bootloader PikeOS PSP Kernel SE Validation Module 4 Application Loader 2 6 Update Manager Partition1: 3 rd party App1 3 FLASH 3 rd party Apps 3 rd party App Header SYSGO AG PUBLIC 33

Agenda Security Challenges Connectivity Industrial Security Separation Kernel Multiple Independent Levels of Security Separation Kernel Security Concept Security Add-On Secure Boot Secure Update Security Certification Common Criteria PikeOS Security Certification Summary SYSGO AG PUBLIC 34

Use Case: Secure Gateway PikeOS Native system partition Controls boot process of Linux Implements secure boot Routines for individual partition update Separate partition for secure gateway update ELinOS as Secure IO guest PikeOS Native System Partition Fast Boot Secure Boot Secure Partition Update Esterel graphics ELinOS Secure IO Graph ETH ETH ETH CoreAVI PikeOS i.mx6 External Com TCP/IP with Security patches And updates ETH SYSGO AG PUBLIC 35

Microkernel Summary Security is an integral part of the system design Separation There is no on- size-fits-all Separation and MILS help implement system security Certification Hypervisors can implement this separation approach Secure Boot SYSGO AG PUBLIC 36

Thank you for your attention! More information on www.sysgo.com SYSGO AG PUBLIC 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback