Creating a Practical Security Architecture Based on seL4
Xinming (Simon) Ou
University of South Florida (many slides borrowed/adapted from my student Daniel Wang)
Questions for seL4 Community
• Is there concrete evidence that seL4 can improve security of computing systems we use today?
If so,
• How shall we architect a system using seL4?
• How can we make the real world adopt it?
A Tale of Two Efforts
• Use seL4 to improve the security of building automation systems (BAS)
  • Built physical prototypes using both seL4 and Linux and demonstrated how attacks fare on each
• Transition the technology to a major BAS vendor
  • Built multiple proofs of concept for the company
  • Convinced business units that seL4 is the preferred technology to use for future products
Efforts funded by the DHS CPSSEC program
Buildings are critical cyber infrastructures
• Building Automation System (BAS) inter-connects multiple types of cyber physical systems
• Computerized controls
• Moving towards “smart” like the rest of the world
Threats
• Buildings are already on the Internet
• “Air-gapping” BAS network has long become impossible
• Stepping stone for launching attacks on connected CPSs
• New attack surfaces in “intelligent applications”
[Figure: network diagram with the Internet, the Enterprise IP Network, Building Controllers and Field Devices]
Security Issues
• Zero security in communication protocol
• BAS controller has little protection
• More and more functions start to be deployed on the same controller
• BAS controller is becoming a mixed-critical system
• BASs require a (more) secure computing platform
Big attack surface, serious risks
Anchor Security to the Controllers
• What do we need from a BAS controller?
  • Process isolation
  • Robust design with a small trusted computing base
  • Non-bypassable, explicit management of critical system resources: mandatory access control (MAC)
  • Maintain critical functionalities even when partially compromised
Microkernel Seems to be the Right Choice
Most current BAS controllers are built with conventional OS such as Linux, which is monolithic.
Experimented with Two Microkernels
MINIX 3
• Free, open-source microkernel OS; developed over 30 years (V3 released in 2005)
• 4000 LOC
• Small, simple, and easy to modify
• Lack of formal verification
• No built-in support for MAC

seL4
• “The world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement”
• 10.2 KLOC
• Support real-time constraints (not formally verified yet)
• Support MAC naturally through its capability-based access model
Q1: Is there concrete evidence that seL4 can improve security of BAS we use today?
• Temperature Control Scenario
[Figure: HVAC (fan and temperature sensor), building controller, alarm system]
Implemented using a BeagleBone Black board
Temperature Control Scenario -- Linux
[Figure: FanActuator, AlarmActuator, TempSensor, TempControl and WebInterface run as processes on a monolithic Linux kernel and exchange messages through a message queue; the kernel provides the drivers, the virtual file system and the process control blocks]
• WebInterface compromised with root: it spoofs messages on the message queue (Alarm OFF & Fan OFF)
• WebInterface compromised with root: it calls kill(FanActuator); and kill(AlarmActuator);
Temperature Control Scenario -- seL4
[Figure: WebInterface, TempControl, TempSensor, AlarmActuator, FanActuator and a Process Manager run as separate processes on seL4]
• WebInterface compromised: the kernel denies the attempted capability use (“Kernel derives capability: denied”). WebInterface has no way of communicating with FanActuator or AlarmActuator
• WebInterface has no way of communicating with ProcessManager, thus cannot terminate the other processes
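As an added example (not code from the talk or from its prototypes), the following CAmkES assembly expresses the seL4-side isolation the two slides above describe. In CAmkES, every endpoint capability a component holds is generated from the connections declared in the assembly, so WebInterface ends up with a capability for its status query and nothing else; the actuators' endpoints are simply absent from its CSpace. Procedure, component and method names are assumptions, and the talk does not say whether its BeagleBone prototype used CAmkES.

```camkes
/* Added example (not from the talk): CAmkES assembly for the seL4
 * temperature-control scenario. Procedure, component and method names
 * are assumptions. */
import <std_connector.camkes>;

/* Command interface offered by the two actuators. */
procedure ActuatorCmd {
    void set_state(in int on);
};

/* Read interface offered by the sensor, and re-exported read-only by
 * TempControl so the web UI can display the current value. */
procedure Reading {
    void read_celsius(out int celsius);
};

component TempSensor {
    provides Reading reading;
}

component FanActuator {
    provides ActuatorCmd cmd;
}

component AlarmActuator {
    provides ActuatorCmd cmd;
}

component TempControl {
    control;                     /* has its own thread of control */
    uses Reading sensor;
    uses ActuatorCmd fan;
    uses ActuatorCmd alarm;
    provides Reading status;     /* read-only view for the web UI */
}

component WebInterface {
    control;
    uses Reading status;
    /* Deliberately no 'uses ActuatorCmd' here: WebInterface is never
     * given an endpoint capability for FanActuator or AlarmActuator. */
}

assembly {
    composition {
        component TempSensor    sensor;
        component FanActuator   fan;
        component AlarmActuator alarm;
        component TempControl   ctrl;
        component WebInterface  web;

        /* Every endpoint capability in the system is generated from these
         * connections; anything not listed is unreachable by construction. */
        connection seL4RPCCall c_sensor(from ctrl.sensor, to sensor.reading);
        connection seL4RPCCall c_fan   (from ctrl.fan,    to fan.cmd);
        connection seL4RPCCall c_alarm (from ctrl.alarm,  to alarm.cmd);
        connection seL4RPCCall c_status(from web.status,  to ctrl.status);
    }
}
```

Even with WebInterface fully compromised, the only seL4 object it can invoke is the endpoint behind c_status; an invocation on a slot it does not hold ends in a capability fault rather than a delivered message, which is the “denied” outcome on the slides. A CAmkES system is also static, so there is no process-manager interface to reach at all; a system with a runtime process manager, like the talk's prototype, needs the same property, an endpoint whose capability WebInterface is never handed.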
Q2: How can we make the BAS industry adopt it?
• In practice, companies have legacy code developed targeting existing platforms
• It is cost-prohibitive to replace architecture overnight
• It is infeasible to expect businesses to build applications from scratch in favor of security
• Security solution must be transparent
• Adoption is a gradual process
Our Approach: Use seL4 as a Hypervisor
[Figure: seL4 running as a hypervisor on hardware (e.g., ARM processor with virtualization support). A guest OS (e.g., Linux) with its device drivers, file system, network stack, process control and libraries hosts applications and a third-party application; a sensitive app and secure storage run natively on seL4]
• Security-sensitive applications run natively on seL4
• Legacy OS + software stack runs in a virtualized environment; applications do not see anything different
• Applications request sensitive services from secure apps through microkernel IPC using modified libraries
• Microkernel audits/mediates all interactions through pre-defined policies
POC1: The Goal: Protect the Private Key
Current/Standard Linux Architecture (ARM Cortex-A9)
[Figure: Linux in kernel mode with drivers, modules and file system; Crypto Client App, Crypto Server App and libraries in user mode; the client sends encrypt/decrypt requests to the server; key stored in the file system]
Proposed Secure Controller Architecture (ARM Cortex-A9)
[Figure: L4Re microkernel with Root Pager; L4Linux (user mode and kernel mode) runs under a VMM and hosts the Crypto Client App, another Linux app and a modified library; encrypt/decrypt requests travel through a socket and the L4Linux crypto server app to L4Re; key stored in an isolated L4 native app]
Adapted Approach: seL4 Running as a Hypervisor
[Figure: seL4 running as a hypervisor on hardware (e.g., ARM processor with virtualization support); three Linux guests, each under its own VMM, hold the BAS App, the Network Stack and the Crypto Server respectively]
• Use seL4 as a means of separating legacy code components into VMs mediated by the microkernel

POC2: The Goal: Provide Separation Within Legacy Code
Current BAS Edge Gateway Architecture (ARM processor)
[Figure: Linux in kernel mode with drivers, modules and file system; BAS Apps, Cloud Client and libraries in user mode; the Cloud Client talks to an IoT gateway (e.g., Azure Sphere); a compromise in one component compromises all]
Proposed New Edge Gateway Architecture (ARM Cortex-A15)
[Figure: seL4 microkernel with CapDL-Loader in supervisor mode; guest OSes (customized Linux with a modified library), each under its own VMM, hold the BAS Apps and the Cloud Client separately, alongside a Security Monitor; a compromise in one component is confined to that component]
Take Away
• seL4 seems to be a useful technology for improving the cybersecurity of BAS and possibly many other types of CPSs
• seL4 by itself is not sufficient; we need an architectural design for the overall system
• The architecture must be able to work with existing legacy systems for seL4 to be adoptable by industry
• There is still huge amount of important engineering efforts needed for seL4 to be usable in real-world systems