Creating a Practical Security Architecture Based on seL4. Xinming (Simon) Ou, University of South Florida (many slides borrowed/adapted from my student Daniel Wang)

Post on 23-Aug-2020


Page 1: Creating a Practical Security Architecture Based on seL4 · •Use seL4 to improve the security of building automation systems (BAS) •Built physical prototypes using both seL4 and

Creating a Practical Security Architecture Based on seL4

Xinming (Simon) Ou

University of South Florida (many slides borrowed/adapted from my student Daniel Wang)

1

Page 2

Questions for seL4 Community

• Is there concrete evidence that seL4 can improve security of computing systems we use today?

If so,

• How shall we architect a system using seL4?

• How can we make the real world adopt it?

2

Page 3

A Tale of Two Efforts

• Use seL4 to improve the security of building automation systems (BAS)

  • Built physical prototypes using both seL4 and Linux and demonstrated how attacks fare on each

• Transition the technology to a major BAS vendor

  • Built multiple proofs of concept for the company

  • Convinced business units that seL4 is the preferred technology to use for future products

Efforts funded by the DHS CPSSEC program

3

Page 4

Buildings are critical cyber infrastructures

• Building Automation System (BAS) inter-connects multiple types of cyber physical systems

• Computerized controls

• Moving towards “smart” like the rest of the world

4

Page 5

Threats

• Buildings are already on the Internet

• “Air-gapping” BAS network has long become impossible

• Stepping stone for launching attacks on connected CPSs

• New attack surfaces in “intelligent applications”

[Diagram: Internet, Enterprise IP Network, Building Controllers, Field Devices]

5

Page 6

Security Issues

• Zero security in communication protocol

• BAS controller has little protection

• More and more functions start to be deployed on the same controller

• BAS controller is becoming a mixed-critical system

• BASs require a (more) secure computing platform

Big attack surface, serious risks

6

Page 7

Anchor Security to the Controllers

• What do we need from a BAS controller?

  • Process Isolation

  • Robust Design with small Trusted Computing Base

  • Non-bypassable, Explicit Management of Critical System Resources – mandatory access control (MAC)

  • Maintain critical functionalities even when partially compromised

7

Page 8

Microkernel Seems to be the Right Choice

Most current BAS controllers are built with a conventional OS such as Linux, which is monolithic.

8

Page 9

Experimented with Two Microkernels

MINIX 3

• Free, open-source microkernel OS; developed over 30 years (V3 released in 2005)

• 4000 LOC

• Small, simple, and easy to modify

• Lack of formal verification

• No built-in support for MAC

seL4

• “The world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement”

• 10.2 KLOC

• Support real-time constraints (not formally verified yet)

• Support MAC naturally through its capability-based access model

9

Page 10

Q1: Is there concrete evidence that seL4 can improve security of BAS we use today?

• Temperature Control Scenario

[Diagram: Building Controller connected to HVAC (fan and temperature sensor) and to an Alarm System]

Implemented using BeagleBone Black board

10

Page 11

Temperature Control Scenario -- Linux

[Diagram: Linux prototype. User processes FanActuator, AlarmActuator, TempSensor, TempControl and WebInterface communicate over a message queue. Monolithic kernel: drivers, virtual file system, process control, block.]

11

Page 12

Temperature Control Scenario -- Linux

[Diagram: same Linux prototype as the previous slide (FanActuator, AlarmActuator, TempSensor, TempControl, WebInterface over a message queue; monolithic kernel with drivers, virtual file system, process control, block). WebInterface is marked as compromised.]

Compromised with root

Spoofing message: Alarm OFF & Fan OFF

12

Page 13

Temperature Control Scenario -- Linux

[Diagram: same Linux prototype as the previous slides (FanActuator, AlarmActuator, TempSensor, TempControl, WebInterface over a message queue; monolithic kernel with drivers, virtual file system, process control, block). WebInterface is marked as compromised.]

Compromised with root

kill(FanActuator); & kill(AlarmActuator);

13

Page 14

Temperature Control Scenario

[Diagram: seL4 prototype. Processes WebInterface, TempControl, TempSensor, AlarmActuator, FanActuator and Process Manager run on seL4. WebInterface is marked as compromised.]

WebInterface has no way of communicating with FanActuator or AlarmActuator.

Compromised

Kernel derives capability: denied

14

Page 15

Temperature Control Scenario – seL4

[Diagram: seL4 prototype. Processes WebInterface, TempControl, TempSensor, AlarmActuator, FanActuator and Process Manager run on seL4. WebInterface is marked as compromised.]

WebInterface has no way of communicating with ProcessManager, thus cannot terminate the other processes.

Compromised

Kernel derives capability: denied

15
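A toy model of the access-control difference the Linux and seL4 slides illustrate, added here as an example and not part of the slide deck: the component names follow the slides, while the ACL and the capability layout are assumptions. The same three actions from slides 12 and 13 succeed under a root-bypass model and are denied under a capability model, because the kernel consults the sender's own CSpace rather than the identity of the target.

```python
# Added example, not code from the slides: a toy model of the two controllers on
# slides 11-15. A Linux-style kernel lets a root process reach any IPC object; a
# capability kernel lets a process reach only endpoints in its own CSpace. Names
# follow the slides; the ACL and capability layout are assumptions for illustration.

class MonolithicKernel:
    """Linux-style discretionary access: root bypasses the per-queue ACL."""
    def __init__(self, acl, root):
        self.acl, self.root = acl, set(root)

    def send(self, sender, endpoint, msg):
        # Any root process may write to any queue or signal any process.
        return sender in self.root or sender in self.acl.get(endpoint, ())

class CapKernel:
    """Capability-based access: without a cap, an endpoint cannot be named."""
    def __init__(self):
        self.cspace = {}  # process -> {endpoint: rights}

    def grant(self, proc, endpoint, rights="W"):
        self.cspace.setdefault(proc, {})[endpoint] = set(rights)

    def send(self, sender, endpoint, msg):
        # The kernel checks the sender's own CSpace, never the target's identity.
        return "W" in self.cspace.get(sender, {}).get(endpoint, set())

def linux_controller():
    # All components share the message queue; the web server runs as root.
    acl = {"AlarmActuator": {"TempControl"}, "FanActuator": {"TempControl"},
           "ProcessManager": {"init"}}
    return MonolithicKernel(acl, root={"WebInterface"})

def sel4_controller():
    # Static policy (assumed): only TempControl commands the actuators; WebInterface
    # is never handed a cap to them or to ProcessManager.
    k = CapKernel()
    k.grant("TempSensor", "TempControl")
    k.grant("TempControl", "FanActuator")
    k.grant("TempControl", "AlarmActuator")
    k.grant("TempControl", "WebInterface")  # one-way status reporting
    return k

def replay_attacks(kernel):
    """The actions from slides 12-13, issued by a compromised WebInterface."""
    return {
        "spoof_alarm_off": kernel.send("WebInterface", "AlarmActuator", "Alarm OFF"),
        "spoof_fan_off": kernel.send("WebInterface", "FanActuator", "Fan OFF"),
        "kill_actuators": kernel.send("WebInterface", "ProcessManager",
                                      "kill FanActuator AlarmActuator"),
    }
```

Running `replay_attacks(linux_controller())` returns all True and `replay_attacks(sel4_controller())` returns all False, while `sel4_controller().send("TempControl", "FanActuator", "Fan ON")` still succeeds, which is the confinement the seL4 slides show.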

Page 16

Q2: How can we make the BAS industry adopt it?

• In practice, companies have legacy code developed targeting existing platforms

• It is cost-prohibitive to replace architecture overnight

• It is infeasible to expect businesses to build applications from scratch in favor of security

• Security solution must be transparent

• Adoption is a gradual process

16

Page 17

Our Approach: Use seL4 as a Hypervisor

[Diagram: seL4 running as a hypervisor on hardware (e.g., ARM processor with virtualization support). A guest OS (e.g., Linux) hosts device drivers, file system, network stack, process control, libraries, applications and a third-party application; a sensitive app and secure storage run natively on seL4 beside it.]

• Security sensitive applications run natively on seL4

• Legacy OS and software stack run in a virtualized environment; applications do not see anything different

• Applications request sensitive services from secure apps through microkernel IPC using modified libraries

• Microkernel audits/mediates all interactions through pre-defined policies

17

Page 18

POC1: The Goal: Protect the Private Key

[Diagram, left: Current/Standard Linux Architecture on ARM Cortex-A9. Linux kernel mode: drivers, modules, file system. User mode: Crypto Client App and another Linux app, libraries, Crypto Server App. The encrypt/decrypt request goes to the Crypto Server App; the key is stored in the file system.]

[Diagram, right: Proposed Secure Controller Architecture on ARM Cortex-A9. L4Re microkernel with Root Pager and VMM. L4Linux guest (kernel mode and user mode) runs the Crypto Client App and another Linux app on a modified library and a socket; the encrypt/decrypt request reaches a crypto server running as a native L4 app, and the key is stored in that isolated L4 native app.]

18

Page 19

Adapted Approach: Use seL4 as a means of separating legacy code components into VMs mediated by the microkernel

[Diagram: seL4 running as a hypervisor on hardware (e.g. ARM processor with virtualization support); three VMMs, each running Linux: BAS App, Network Stack, Crypto Server.]

19

Page 20

POC2: The Goal: Provide separation within legacy code

[Diagram, left: Current BAS Edge Gateway Architecture on an ARM processor. Linux kernel mode: drivers, modules, file system. User mode: Cloud Client, libraries, BAS Apps; IoT Gateway (e.g. Azure Sphere). A compromise in one component compromises all.]

[Diagram, right: Proposed New Edge Gateway Architecture on ARM Cortex-A15. seL4 microkernel with CapDL-Loader (supervisor mode); three VMMs, each hosting a customized Linux guest OS with a modified library: Cloud Client, Security Monitor, BAS Apps. A compromise in one component is confined to that component.]

20

Page 21

Take Away

• seL4 seems to be a useful technology for improving the cybersecurity of BAS and possibly many other types of CPSs

• seL4 by itself is not sufficient; we need an architectural design for the overall system

• The architecture must be able to work with existing legacy systems for seL4 to be adoptable by industry

• There is still a huge amount of important engineering effort needed for seL4 to be usable in real-world systems

21