Slide 1/22

AGL-µBinder: Binding/Binder for small ECU and non-AGL world
Tokyo ALS, July 2019
Fulup Ar Foll, Lead Architect
[email protected]



Slide 2/22

Who are we?

● 25 engineers dedicated to AGL
● Location: Lorient/Brittany/France/Europe
● https://iot.bzh/en/
● http://github.com/iotbzh


Slide 3/22

UBS/IoT.bzh Collaboration

● Technical Team
– Internship: Aymeric Aillet
– University tutor: Johann LAURENT
– IoT.bzh tutors: Thierry BULTEL & Jose Bollo
● Technical Explorations
– Zephyr/AGL architecture for commercial boat signal acquisition
– Potential transport for µController2AGL IPC
– Integration of µController within AGL microservices architecture
– Downsizing of AGL AppFw
– Integration of NMEA2000 inside AGL distributed security model, …
● Duration
– 6 months (January→June 2019)

Slide 4/22

What’s an AGL Binder

● A standard component used to expose the API of a binding
● An abstraction of the transport layer
● A security model
● A container

Binding/Binder is somewhat similar to WebServer/Applet in the Java world.

Slide 5/22

Micro Service Architecture

Slide 6/22

Security Mechanism (diagram)

● The permission database Cynara helps to protect services.
● The Smack Linux security module helps to protect resources and data.
● In the diagram, the legitimate application is GRANTED access to the protected service and to its resources and data, while the BlackHat application is DENIED at both points (labelled "LINUX KERNEL").

Slide 7/22

Binder is a Container for Bindings

● Connect services/applications together (UDS, WS/UDS, WS/TCP, HTTP, linked)

● High level flexible RPC mechanism (hide connections)

● Framework for event signalling

● Security and permissions facilities (Smack + Cynara)

● Built-in HTTP server supporting REST, WebSockets and TLS

● Management of client sessions and contexts

● Automatic Recovery from unexpected disconnections

● Handle dependencies and startup order

● Debugging, monitoring and supervision

Slide 8/22

Binding/Binder Connection

● HTTP+WS: common connection (DBus legacy)
– Acts as an HTTP server and accepts upgrade to WebSocket
– Exports APIs
– Manages sessions
– Checks security tokens
● API/WS: specific to one API
– Only one API
– Manages sessions
– Does not check tokens

Slide 9/22

Binder Remote Access (diagram: a remote "home" client browser reaches, across the internet, a reverse proxy in the AGL domain (the car), then the AGL AppFw, BINDER23 and APP 23)

● Ask to launch APP 23
● Returns the URL of the BINDER for APP 23 and its token (in the URI?)
● Connect to the binder with its token
● Check token validity with OpenID Connect

Slide 10/22

Programming Model

Sample call to get the verbosity level of API monitor:

    monitor/get({"verbosity": "monitor"})

– monitor: the api (or service)
– get: the verb (or method) of the api
– {"verbosity": "monitor"}: the request arguments, which can be any JSON value

Curl invocation:

    $ curl -H 'x-afb-token: HELLO' \
        localhost:1056/api/monitor/get?verbosity=monitor

JavaScript invocation:

    afb.call('monitor/get', {'verbosity': 'monitor'}).then(gotapis);

C binding invocation:

    wrap_json_pack(&req, "{ss}", "verbosity", "monitor");
    afb_api_call(myapi, "monitor", "get", req, gotapis, NULL);

The reply is a JSON value:

    {"verbosity": {"monitor": "info"}}

Slide 11/22

Binder/Binding AGL vocabulary

● Binder: the process afb-daemon (its name can be changed; see ps -ef)

● Binding: a shared object that implements one or multiple apis

● Api: an exportable set of verbs belonging to the same namespace and implemented within one and only one binding

● Verb: a callable endpoint; accepts arguments, returns a result, and can be protected by an ACL (Cynara)

● Shadow api: an imported remote api accessed like a local api
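A toy model, added here and not part of the slides or of afb-daemon, that ties slides 8, 10 and 11 together: the api/verb/arguments call shape, the x-afb-token check that only the HTTP+WS connection performs, and a Cynara-style per-verb ACL. The token HELLO and the monitor/get reply come from slide 10; the monitor/set verb, the permission name monitor:set and the peer label peer:cluster are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Toy binder front end (added example, not afb-daemon code). Constructed values:
# one valid x-afb-token, a Cynara-style ACL keyed by (api, verb), the
# permissions behind each credential, and the verbosity table monitor/get reads.
VALID_TOKENS = {"HELLO"}
ACL = {("monitor", "get"): None,            # public verb: no permission needed
       ("monitor", "set"): "monitor:set"}   # constructed permission name
CRED_PERMS = {"HELLO": set(), "peer:cluster": {"monitor:set"}}
STATE = {"verbosity": {"monitor": "info"}}

def parse_http_call(path_query):
    """Split '/api/<api>/<verb>?k=v' (the curl form on slide 10) into (api, verb, args)."""
    parts = urlsplit(path_query)
    seg = parts.path.strip("/").split("/")
    if len(seg) != 3 or seg[0] != "api":
        raise ValueError("expected /api/<api>/<verb>")
    return seg[1], seg[2], {k: v[0] for k, v in parse_qs(parts.query).items()}

def verb_monitor_get(args):
    """monitor/get: report the verbosity level of the api named in args."""
    name = args.get("verbosity")
    levels = STATE["verbosity"]
    return {"verbosity": {name: levels.get(name, "unknown")} if name else dict(levels)}

def verb_monitor_set(args):
    """monitor/set: constructed protected verb that changes verbosity levels."""
    new = args.get("verbosity")
    if not isinstance(new, dict):
        raise ValueError("verbosity must be a JSON object")
    STATE["verbosity"].update(new)
    return {"verbosity": dict(STATE["verbosity"])}

VERBS = {("monitor", "get"): verb_monitor_get, ("monitor", "set"): verb_monitor_set}

def binder_call(transport, credential, api, verb, args):
    """Route one call and return (status, reply). HTTP+WS checks the token (slide 8);
    API/WS does not, the peer label standing in for the OS-level (Smack) identity."""
    if transport == "http+ws" and credential not in VALID_TOKENS:
        return "denied", {"error": "invalid x-afb-token"}
    if (api, verb) not in VERBS:
        return "error", {"error": f"unknown verb {api}/{verb}"}
    needed = ACL.get((api, verb))           # Cynara-style per-verb ACL (slide 11)
    if needed and needed not in CRED_PERMS.get(credential, set()):
        return "denied", {"error": f"permission {needed} required"}
    try:
        return "success", VERBS[(api, verb)](args)
    except ValueError as exc:
        return "error", {"error": str(exc)}
```

A wrong token is refused before the verb is even looked up on HTTP+WS, while on API/WS the protected verb still depends on the ACL, so a trusted peer without monitor:set is denied there too.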

Slide 12/22

AGL MicroService Architecture (diagram: "Multi ECU & Cloud Aware Architecture", spanning hard real time to soft real time)

Diagram labels, in-car side: CAN-BUS, LIN-BUS, Engine-CAN-BUS, ABS, Gyro/Accelerometer, CAN GPS; CAN-BUS Virtual Signal, Cluster Virtual Signal, Geopositioning Virtual Signal; Head Unit: Cluster, Map handling, Localisation management, POI, Direction Indication, Navigation Service, Entertainment.

Diagram labels, cloud side: Log Analytics, No-SQL Engine, Statistics & Analytics, MongoDB Engine, Payment Service, My Car Portal (Payment, Subscriptions, Preferences & Customisation), Maintenance Portal (Known Bugs, Maintenances, Service Packs).

Every boundary between these domains passes through a "Transport & ACL" layer.

Slide 13/22

Why Zephyr as µController RTOS

● Open source and hosted by the Linux Foundation
● Ongoing safety certification
● Modern RTOS
● TCP/IP, WiFi, Bluetooth
● CAN bus (even if not working out of the box)
● Very clean and straightforward API
● Runs on multiple boards: STM32F411RE, NXP FRDM-K64F, STM32L432KC

Slide 14/22

NMEA-2000 relies on CAN

● Based on CAN 2.0B
● Integrated into the AGL LowCAN binding (PGNs ported from the CanBoatJS project to the OpenXC JSON model)
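To make the slide concrete, an added example (not the LowCAN binding's or CanBoatJS's code): it splits a CAN 2.0B 29-bit identifier into its NMEA 2000 / J1939 PGN and decodes one PGN, 129025 Position Rapid Update, into OpenXC-style {"name", "value"} records. The decoder table, the sample identifier and the sample payload are constructed for the example; the field naming nmea2000.<pgn>.<field> is an assumption, not the binding's.

```python
import json
import struct

# Added example (not the LowCAN binding's code): split a CAN 2.0B extended id
# into its NMEA 2000 / J1939 PGN and turn one PGN (129025, Position Rapid
# Update) into OpenXC-style {"name", "value"} records. The decoder table, the
# sample frame id and the payload below are constructed for this example.

def can_id_to_pgn(can_id):
    """Return (priority, pgn, source address) from a 29-bit identifier."""
    if can_id < 0 or can_id >> 29:
        raise ValueError("not a 29-bit CAN 2.0B identifier")
    priority = (can_id >> 26) & 0x7
    dp = (can_id >> 24) & 0x1        # data page bit (bit 25 is reserved, ignored)
    pf = (can_id >> 16) & 0xFF       # PDU format
    ps = (can_id >> 8) & 0xFF        # PDU specific: group extension, or dest address if pf < 240
    src = can_id & 0xFF
    pgn = (dp << 16) | (pf << 8) | (ps if pf >= 240 else 0)
    return priority, pgn, src

def decode_position_rapid(payload):
    """PGN 129025: little-endian int32 latitude and longitude in 1e-7 degrees."""
    if len(payload) < 8:
        raise ValueError("PGN 129025 needs 8 data bytes")
    lat, lon = struct.unpack_from("<ii", payload)
    return {"latitude": lat / 10_000_000, "longitude": lon / 10_000_000}

DECODERS = {129025: decode_position_rapid}

def frame_to_openxc(can_id, payload):
    """OpenXC-style records for one frame; empty list when the PGN has no decoder."""
    _, pgn, src = can_id_to_pgn(can_id)
    decoder = DECODERS.get(pgn)
    if decoder is None:
        return []
    return [{"name": f"nmea2000.{pgn}.{field}", "value": value, "source": src}
            for field, value in decoder(payload).items()]

# Constructed frame: priority 2, PGN 129025 from source address 0x23, carrying
# 47.7483 N / 3.3661 W as 1e-7 degree integers (bytes F8 CF 75 1C B8 5F FE FD).
SAMPLE_ID = 0x09F80123
SAMPLE_PAYLOAD = struct.pack("<ii", 477483000, -33661000)

if __name__ == "__main__":
    print(json.dumps(frame_to_openxc(SAMPLE_ID, SAMPLE_PAYLOAD)))
```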

Slide 15/22

NMEA2000 POC

Slide 16/22

Porting Binder/Binding beyond AGL

● Goal
– Make bindings portable to expand the AGL micro-services architecture to the non-AGL world
– Hide OS specificities within the binder
– Support multiple RTOS (imposes an OS abstraction layer: µBinder)
– Expand to Windows, MacOS, Android, QNX, TrustZone, hypervisors, …
– Keep binder code generic enough to limit LTS maintenance cost

● Difficulties
– Partial or total loss of the POSIX API (especially epoll)
– Should work even without access to a filesystem
– Limited resources (RAM + CPU)
– Should support a non-TCP/IP connectivity model for remote access
– Lack of a native operating system security mechanism
– Very different scheduling behaviour (threading, exceptions, events, …)

Slide 17/22

µbinding POC

● µbinding for Zephyr
– Change the AGL Binder architecture to select transport/options at compilation time
– Enable transport as a plugin (today: static config only)
– Enable config as a plugin (e.g. config from file, config from network, static config at compilation, …)
– Clean OS abstraction layer

● A lot of work still TBD
– Implement a generic security model supporting multiple OSes
– Add a realtime concept to Binding/API (today bindings support an ACL per API but no time/priority constraints)
– Merge µBinding code with mainstream AGL code (today it is a hack to prove it is possible)
– Expand beyond Zephyr (Android, Windows, QNX, Autosar, VxWorks, TrustZone, hypervisors, …)

Slide 18/22

µbinder Memory Usage?

Build            FLASH (of 256 KB)      SRAM (of 64 KB)        IDT_LIST (of 2 KB)
Helloworld       14544 B   (5.55%)      4152 B   (6.34%)       120 B  (5.86%)
TCP/IP           31005 B  (11.83%)      17028 B  (25.98%)      120 B  (5.86%)
Binder + IPv4    94181 B  (35.93%)      18560 B  (28.32%)      120 B  (5.86%)
Binder + IPv6    108077 B (41.23%)      20460 B  (31.22%)      120 B  (5.86%)

µBinder with one transport (TCP WebSocket): ~64 KB

Slide 19/22

µBinder IPC Transport

● Added a console/serial transport abstraction
● Based on previous work done for the L4Re hypervisor (inter-AGL-domain transport)
● Explored transports on Zephyr: TCP, UDP, I2C & MBUF
● Note: currently transports are statically selected at compilation time only

● Difficulties
– Zephyr's pollfd support is not as smart as the one in Linux
– No file system on the board we used
– The AGL security model heavily relies on SMACK, which is not available outside Linux
– Multiple things anyone would expect to exist by default are optional or not present
– No systemd to start services on demand or in the right order

● To be solved in order to move beyond the POC
– No AGL support for remote authorities (security/authentication)
– No discovery service (today micro-service locations are statically defined)
– No realtime support at API level (critical when resources are limited)

Slide 20/22

Supporting Multiple OS/RTOS

● OS abstraction: libuv looks promising
– Supports Linux, Windows, MacOS, Zephyr, Android, …
– Ported to a couple of embedded projects (e.g. JerryScript)
– WARNING: libuv might not be a good choice for older generations of RTOS (VxWorks, QNX, …)

● Distributed security model for a smaller footprint
– Create an abstraction for SMACK (e.g. SELinux for Android)
– Enable remote access to Cynara
– Implement a security/authority delegation model (OpenID Connect)

● Support of tiny/certified OSes such as AUTOSAR
– Provide a mechanism for 100% alien systems to play a role within the AGL micro-services architecture (e.g. UART or buffer client model)
– Provide support to enforce realtime constraints at API binding level

Slide 21/22

Conclusions

● The µBinder POC shows that the AGL Binder may:
– Slim down below 64 KB and run on an RTOS with 128/256 KB
– Support non-TCP/IP IPC transports (memory, UART, …)
– Share a unique code base from µController to the cloud
– Allow customization without touching the core
– Support both static and dynamic models (config, transport, …)

● Challenges before going to production
– The current code needs to be significantly restructured in a modular way (plugins)
– Linux dependencies (POSIX, systemd, SMACK, …) should be abstracted
– Remote internal capabilities should be added (API discovery, ACL, token, …)
– Mapping to the non-AGL world (Android, TrustZone, QNX, …) would need sponsors

Slide 22/22

Visiting us in Lorient