Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors

Safety & Security for the Connected World
Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors
13 October 2015
Mark Pitchford, Technical Manager, EMEA

Introduction
- The CAST-32 position paper urges caution in the use of Multi-Core Processors in avionics systems
- What are the attributes of a Separation Kernel Hypervisor (SKH) which potentially help to address these concerns?

There are alternative approaches
- A multicore platform running a partitioning operating system
- Today I am focusing specifically on Separation Kernel Hypervisors
- There are benefits from an ARINC-653 based approach too!

The alchemy of a cutting edge Separation Kernel Hypervisor (SKH) is a happy marriage of some improbable raw materials
- Understand the component parts
- Explain the combinations
- Understand the benefits

Agenda
- Separation Kernel
- Least Privilege
- Safety implications of compromised security
- Hypervisor functionality
- Hardware Virtualization & Multicore
- Network and storage encryption components

Separation Kernel
- First mooted by John Rushby in 1981
- Consists of a combination of hardware and software that permits multiple functions to be realized on a common set of physical resources without unwanted mutual interference
- Basic foundation of the Multiple Independent Levels of Security (MILS) initiative: a vision of modular building blocks for high-assurance secure systems

Separation Kernel
- Primary information flow is from the high security block to the low security block
- But SOME information flow will be required in the opposite direction
- That inevitably compromises the distinction in criticality between blocks

Least Privilege
- 40 years ago, Saltzer and Schroeder suggested that "Every program and every user of the [operating] system should operate using the least set of privileges necessary to complete the job"
- This becomes imperative where applications of differing security classifications are run in close proximity to each other

Least Privilege Separation Kernel
- Separation Kernels and Least Privilege are therefore both centred on modularisation
- Levin, Irvine and Nguyen noted that Separation Kernels had traditionally been focused on resource isolation
- Consequently they lacked the required granularity of privilege in the logic of the software design
- So a Least Privilege Separation Kernel superimposes Least Privilege principles on the Separation Kernel blocks

Least Privilege Separation Kernel
- Per-subject and per-resource flow-control granularity
- No subject needs to be given more access than that required to allow the desired flows
Source: Minimal TCB Code Execution (Extended Abstract), Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri, Carnegie Mellon University
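The per-subject, per-resource flow control described on the two Least Privilege Separation Kernel slides, as an added Python model that is not code from the talk or from LynxSecure. It implements a default-deny policy in which every (subject, resource, access) triple must be granted explicitly, lists the grants that carry information from a lower to a higher level (the reverse flows the earlier Separation Kernel slide says erode the distinction between blocks), and reports any grant beyond the flows the design requires. The subject, resource and level names are constructed for the example.

```python
"""Model of per-subject, per-resource flow control in a least-privilege
separation kernel. Added illustration; not Lynx or LynxSecure code.
All subject, resource and level names below are constructed."""

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    READ = "read"    # data moves resource -> subject
    WRITE = "write"  # data moves subject -> resource


@dataclass(frozen=True)
class Subject:
    name: str
    level: int  # higher number = more critical / more sensitive block


@dataclass(frozen=True)
class Resource:
    name: str
    level: int


@dataclass
class FlowPolicy:
    """Default-deny policy: a (subject, resource, access) triple is permitted
    only if it was granted explicitly. Nothing is inherited from a level."""
    grants: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # every decision, for review

    def grant(self, subject: Subject, resource: Resource, access: Access) -> None:
        self.grants.add((subject, resource, access))

    def check(self, subject: Subject, resource: Resource, access: Access) -> bool:
        allowed = (subject, resource, access) in self.grants
        self.audit.append((subject.name, resource.name, access.value, allowed))
        return allowed

    def reverse_flows(self) -> list:
        """Grants that move information from a lower to a higher level.
        Such flows are sometimes unavoidable, but each one weakens the
        separation between criticality levels and deserves explicit review."""
        found = []
        for subject, resource, access in sorted(
            self.grants, key=lambda g: (g[0].name, g[1].name, g[2].value)
        ):
            if access is Access.READ:
                src_level, dst_level = resource.level, subject.level
            else:
                src_level, dst_level = subject.level, resource.level
            if src_level < dst_level:
                found.append((subject.name, resource.name, access.value))
        return found

    def excess_grants(self, required) -> list:
        """Grants not in the set of flows the design actually needs: least
        privilege says no subject gets more access than the desired flows."""
        return sorted(
            (s.name, r.name, a.value) for (s, r, a) in self.grants - set(required)
        )


def build_example_policy():
    """Constructed electronic-flight-bag style split: a high-integrity
    aircraft-bus subject beside a low-integrity cockpit UI subject."""
    bus_ctrl = Subject("bus_controller", level=3)
    efb_ui = Subject("efb_ui", level=1)
    aircraft_bus = Resource("aircraft_bus", level=3)
    map_tiles = Resource("map_tiles", level=1)
    flight_plan = Resource("flight_plan_export", level=2)
    crew_notes = Resource("crew_notes", level=2)

    policy = FlowPolicy()
    policy.grant(bus_ctrl, aircraft_bus, Access.READ)
    policy.grant(bus_ctrl, aircraft_bus, Access.WRITE)
    policy.grant(bus_ctrl, flight_plan, Access.WRITE)  # high -> low export
    policy.grant(efb_ui, map_tiles, Access.READ)
    policy.grant(efb_ui, flight_plan, Access.READ)     # level 2 -> 1: primary direction
    policy.grant(efb_ui, crew_notes, Access.WRITE)     # level 1 -> 2: a reverse flow
    subjects = {s.name: s for s in (bus_ctrl, efb_ui)}
    resources = {r.name: r for r in (aircraft_bus, map_tiles, flight_plan, crew_notes)}
    return policy, subjects, resources


if __name__ == "__main__":
    policy, subj, res = build_example_policy()
    print("efb_ui may write aircraft_bus:",
          policy.check(subj["efb_ui"], res["aircraft_bus"], Access.WRITE))
    print("reverse flows needing review:", policy.reverse_flows())
```

The `audit` list records every decision, allowed or denied, which is the evidence a certification reviewer wants when confirming that a subject's effective privileges match its intended flows.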

Agenda
- Separation Kernel
- Least Privilege
- Safety implications of compromised security
- Hypervisor functionality
- Hardware Virtualization & Multicore
- Network and storage encryption components
Lynx Software Technologies - Proprietary & Confidential

Safety or Security
- First mooted by John Rushby in 1981
- Consists of a combination of hardware and software that permits multiple functions to be realized on a common set of physical resources without unwanted mutual interference
- Basic foundation of the MILS initiative: a vision of modular building blocks for high-assurance secure systems

Security? Safety?
- Security systems demand extreme rigour to ensure adequate isolation of functions from a security perspective
- The level of scrutiny applied depends on the level of that security
- These principles have clear parallels to those proven so successful in the application of DO-178B/C etc.

Security = Safety
- Scaremongering or not, recent press reports highlight the need for vigilance

Security = Safety
- Military applications are not immune either!

Agenda
- Separation Kernel
- Least Privilege
- High Criticality & increasing demand
- Hypervisor functionality
- Hardware Virtualization & Multicore
- Network and storage encryption components

Hypervisor Functionality
- We are all familiar with Desktop Virtual Machine Monitors (Hypervisors)
- Early implementations required privilege levels to be manipulated to accommodate the VMM
- There were also overheads associated with the software implementation
- Binary translation decoupled the operating system from the underlying hardware
- Not a basis for a real time system, but a promising concept to limit hardware demand in the face of burgeoning functionality

Hardware Virtualization
- Hardware-assisted virtualization overcomes the VMM privilege issues seen in desktop hypervisors
  - Intel VT
  - AMD-V
  - ARM v7
  - Freescale Virtualization Extensions
- A CPU execution feature allows the hypervisor to run in a root mode
- Hardware-assisted virtualized performance can achieve near-native levels

Trusted Computing Base (TCB)
[Diagram: two stacks side by side, each with an Untrusted Application Space above its trusted kernel]
- Trusted LynxSecure Separation Kernel: TCB ~25 thousand SLOC, executable ~150K, memory ~10MB
- Trusted monolithic Linux kernel: > 5 million SLOC
- More than 200 times fewer SLOC than the 2.6 Linux kernel
Source: Minimal TCB Code Execution (Extended Abstract), Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri, Carnegie Mellon University

Hardware Virtualization
- Also provides an effective path for Least Privilege characteristics to be enabled
- On most Intel platforms, for example, control over the assignment of CPU, memory and device resources is directly supported by the hardware, via capabilities such as VT-x, VT-d and EPT

Least Privilege Separation Kernel Hypervisors in practice

Least Privilege Separation Kernel Hypervisors in practice
- Implements fundamental principles of the Least Privilege Separation Kernel
- RTOS and GPOS subjects illustrate Hypervisor functionality
- Multicore processors facilitate assignment of subject to core
- User API privileges explicitly controlled
- Minimal attack surface
- Drivers in subject (VM) space

Extending the application of MILS
- We have seen that the Separation Kernel Hypervisor is based on MILS principles
  - Consists of a combination of hardware and software that permits multiple functions to be realized on a common set of physical resources without unwanted mutual interference
  - Basic foundation of the Multiple Independent Levels of Security (MILS) initiative: a vision of modular building blocks for high-assurance secure systems
- Extend the application of those principles
  - Encrypted data storage
  - Encrypted network traffic

MILS Based High Level Architecture
[Diagram; the components labelled on the slide are:]
- Application tier: Critical App, Non-Critical App and Third Party App, each with its Gateway App and Server VM
- MILS.connect: Net Cert, Tunneled Virtual Networks, Network Gateway VM
- Guest tier: Critical VM, Non-Critical VM and Third Party VM, each with a V-NIC and a V-Disk
- MILS.store: Disk Manager VM and Encrypted Disk Partitions holding three VM Images

Least Privilege Separation Kernel Hypervisors Explained

Example Application: Electronic Flight Bag
- Cockpit UI for miscellaneous features including MAP display and electronic forms
- Advantages of architecture:
  - LynxSecure isolates the low integrity UI from the high integrity aircraft bus
  - Graphical display options
  - Certifiable approach to isolating fully virtualized OSes

Example application: UAV Ground Controller
- UI and control platform for controlling unmanned vehicles
- Advantages of architecture:
  - Path to DO-178 certification
  - Safety Critical Partitioning
  - Deterministic Control
  - Flexible application options

Summary
- The Least Privilege Separation Kernel Hypervisor represents the coming together of the complementary principles of Least Privilege, Separation Kernels, and Hypervisors
- This theoretical idyll is made practical by the advent of hardware virtualization
- Multicore processors equipped with hardware virtualization present the opportunity to deploy Separation Kernel Hypervisors
- MILS based communications and storage mechanisms advance that principle further

"His countenance, like richest alchemy, / Will change to virtue and to worthiness."
William Shakespeare, Casca in Julius Caesar

Safety & Security for the Connected World
For further information visit www.lynx.com