Safety & Security for the Connected World
Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors
13 October 2015
Mark Pitchford, Technical Manager, EMEA
- The CAST-32 position paper urges caution in the use of Multi-Core Processors in avionics systems
- What are the attributes of a Separation Kernel Hypervisor (SKH) which potentially help to address these concerns?
There are alternative approaches
- A multicore platform running a partitioning operating system
- Today I am focusing specifically on Separation Kernel Hypervisors
- There are benefits from an ARINC-653 based approach too!
The alchemy of a cutting edge Separation Kernel Hypervisor (SKH) is a happy marriage of some improbable raw materials
- Understand the component parts
- Explain the combinations
- Understand the benefits
Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors
- Separation Kernel
- Least Privilege
- Safety implications of compromised security
- Hypervisor functionality
- Hardware Virtualization & Multicore
- Network and storage encryption components
Separation Kernel
- First mooted by John Rushby in 1981
- Consists of a combination of hardware and software that permits multiple functions to be realized on a common set of physical resources without unwanted mutual interference
- Basic foundation of the Multiple Independent Levels of Security (MILS) initiative: a vision of modular building blocks for high-assurance secure systems
Separation Kernel
- Primary information flow is from high to low security block
- But SOME information flow will be required in the opposite direction
- That inevitably compromises the distinction in criticality between blocks
Least Privilege
- 40 years ago, Saltzer and Schroeder suggested that "Every program and every user of the [operating] system should operate using the least set of privileges necessary to complete the job"
- This becomes imperative where applications of differing security classifications are run in close proximity to each other
Least Privilege Separation Kernel
- Separation Kernels and Least Privilege are therefore both centred on modularisation
- Levin, Irvine and Nguyen noted that Separation Kernels had traditionally been focused on resource isolation; consequently they lacked the required granularity of privilege in the logic of the software design
- So a Least Privilege Separation Kernel superimposes Least Privilege principles on the Separation Kernel blocks
Least Privilege Separation Kernel
- Per-subject and per-resource flow-control granularity
- No subject needs to be given more access than that required to allow the desired flows
Source: Minimal TCB Code Execution (Extended Abstract), Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri, Carnegie Mellon University
Security? Safety?
- Security systems demand extreme rigour to ensure adequate isolation of functions from a security perspective
- The level of scrutiny applied depends on the level of that security
- These principles have clear parallels to those proven so successful in the application of DO-178B/C etc.
Security = Safety
- Scaremongering or not, recent press reports highlight the need for vigilance
Lynx Software Technologies - Proprietary & Confidential
Security = Safety
- Military applications are not immune either!
Hypervisor Functionality
- We are all familiar with desktop Virtual Machine Monitors (hypervisors)
- Early implementations required privilege levels to be manipulated to accommodate the VMM
- There were also overheads associated with the software implementation
- Binary translation decoupled the operating system from the underlying hardware
- Not a basis for a real time system, but a promising concept to limit hardware demand in the face of burgeoning functionality
Hardware Virtualization
- Hardware-assisted virtualization overcomes the VMM privilege issues seen in desktop hypervisors: Intel VT, AMD-V, ARM v7, Freescale Virtualization Extensions
- A CPU execution feature allows the hypervisor to run in a root mode
- Hardware-assisted virtualized performance can achieve near-native levels
Trusted Computing Base (TCB)
- LynxSecure Separation Kernel (trusted), with untrusted application spaces above it: TCB ~25 thousand SLOC, executable ~150K, memory ~10MB
- Monolithic Linux kernel (trusted): > 5 million SLOC
- More than 200 times fewer SLOC than the 2.6 Linux kernel
Source: Minimal TCB Code Execution (Extended Abstract), Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri, Carnegie Mellon University
Hardware Virtualization
- Also provides an effective path for Least Privilege characteristics to be enabled
- On most Intel platforms, for example, control over the assignment of CPU, memory and device resources is directly supported by the hardware, via capabilities such as VT-x, VT-d and EPT
Least Privilege Separation Kernel Hypervisors in practice
- Implements fundamental principles of the Least Privilege Separation Kernel
- RTOS and GPOS subjects illustrate hypervisor functionality
- Multicore processors facilitate assignment of subject to core
- User API privileges explicitly controlled
- Minimal attack surface
- Drivers in subject (VM) space
Extending the application of MILS
- We have seen that the Separation Kernel Hypervisor is based on MILS principles: a combination of hardware and software that permits multiple functions to be realized on a common set of physical resources without unwanted mutual interference, the basic foundation of the Multiple Independent Levels of Security (MILS) initiative, a vision of modular building blocks for high-assurance secure systems
- Extend the application of those principles to encrypted data storage and encrypted network traffic
MILS Based High Level Architecture (diagram)
- Application VMs: Critical VM, Non-Critical VM and Third Party VM, each with its own V-NIC and V-Disk; each hosts its app (Critical App, Non-Critical App, Third Party App) and a Gateway App Server VM
- Network Gateway VM (MILS.connect): Net Cert, tunneled virtual networks
- Disk Manager VM (MILS.store): encrypted disk partitions holding the VM images
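An added example, not code from the slides or from LynxSecure, that models the per-subject, per-resource flow-control policy of a Least Privilege Separation Kernel using VMs like those in the architecture above; the subject and resource names and the flows are hypothetical. It also illustrates the earlier Separation Kernel point about reverse flows: one reply path back into the critical VM makes that VM transitively reachable from the third-party VM.

```python
# Added example (not from the slides or from LynxSecure): a toy model of a
# Least Privilege Separation Kernel flow policy. Subject and resource names
# are hypothetical; the desired flows are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str  # subject that writes into the resource
    dst: str  # subject that reads from the resource
    via: str  # shared resource (a V-NIC or V-Disk) carrying the flow

# Forward flows: each VM reaches the gateway or disk manager through its own
# virtual device, so no two application VMs share a resource.
FORWARD_FLOWS = [
    Flow("critical_vm", "net_gw_vm", "critical_vnic"),
    Flow("noncritical_vm", "net_gw_vm", "noncritical_vnic"),
    Flow("thirdparty_vm", "net_gw_vm", "thirdparty_vnic"),
    Flow("critical_vm", "disk_mgr_vm", "critical_vdisk"),
]
# The "some flow in the opposite direction" from the Separation Kernel slide:
# replies from the network gateway back into the critical VM.
REVERSE_FLOWS = [Flow("net_gw_vm", "critical_vm", "critical_vnic")]

def derive_policy(flows):
    """Per-subject, per-resource rights derived only from the desired flows."""
    policy = defaultdict(set)
    for f in flows:
        policy[(f.src, f.via)].add("write")
        policy[(f.dst, f.via)].add("read")
    return dict(policy)

def check_access(policy, subject, resource, right):
    """Default deny: a right exists only because some desired flow needs it."""
    return right in policy.get((subject, resource), set())

def reachable(flows, start):
    """Subjects that information originating in `start` can reach transitively."""
    edges = defaultdict(set)
    for f in flows:
        edges[f.src].add(f.dst)
    seen, todo = set(), [start]
    while todo:
        for nxt in edges[todo.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen
```

Rights are never assigned by hand: every read or write in the policy traces back to one listed flow, which is what makes the per-resource grant minimal.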
Least Privilege Separation Kernel Hypervisors Explained 28
Example Application: Electronic Flight Bag
- Cockpit UI for miscellaneous features including MAP display and electronic forms
- Advantages of architecture: LynxSecure isolates the low integrity UI from the high integrity aircraft bus; graphical display options; certifiable approach to isolating fully virtualized OSes
Example Application: UAV Ground Controller
- UI and control platform for controlling unmanned vehicles
- Advantages of architecture: path to DO-178 certification; safety critical partitioning; deterministic control; flexible application options
Summary
- The Least Privilege Separation Kernel Hypervisor represents the coming together of the complementary principles of Least Privilege, Separation Kernels, and Hypervisors
- This theoretical idyll is made practical by the advent of hardware virtualization
- Multicore processors equipped with hardware virtualization present the opportunity to deploy Separation Kernel Hypervisors
- MILS based communications and storage mechanisms advance that principle further
"His countenance, like richest alchemy, / Will change to virtue and to worthiness" (William Shakespeare, Julius Caesar, spoken by Casca)
Safety & Security for the Connected World
For further information visit www.lynx.com