Development of an Embedded Platform for Secure CPS Services
Vincent Raes, Jan Vossaert and Vincent Naessens
CyberICPS 2017, 15/09/2017

Contents
- Problem Statement
- The Platform
- Evaluation of the Prototype
- Conclusion
Problem Statement
Problem Statement
- A Cyber-Physical System links the physical world with the virtual world

Problem Statement
- Previously isolated systems are now connected
- Systems receive more computing power
- Opportunities for new products and services
- Introduces new challenges: privacy and security

Problem Statement: application domains
Onboard computer
- Proprietary local data processing
- Critical (e.g. engine start) and non-critical (e.g. infotainment) services
- In-vehicle networks and external networking
- Ensure critical services while allowing extensible non-critical software
Industrial monitoring
- Proprietary local data processing
- Services for monitoring, analysing and managing industrial systems
- Typically run in the back-end to prevent exposure
- Cases where analysis is needed at a location with poor Internet connectivity
- Protect the algorithm in the field while less trusted code gathers and displays the data
[Speaker note: Insert examples of application domains here!!!!!! Fleet management is one of them.]

Goals
- Create an open platform to run secure services
- Protect the service using Trusted Computing technology
- Allow integration of third-party software
The Platform
Overview
- Used technologies
- Threat model
- Requirements
- Design of the platform

ARM TrustZone
- Hardware extensions on ARM processors
- Splits the device into a Secure World and a Normal World
- Division on hardware and software level
[Figure 1: TrustZone Secure/Normal World split]
[Speaker note: Just leave the figure; it will probably be the right-hand one that survives.]

Genode
- Open source framework for highly secure operating systems
- Modular microkernel with strong hierarchical isolation
- Application-specific TCB
- Supports a wide range of embedded systems

Attacker Model
- The commodity OS is untrusted due to its large code base
- Communication channels are untrusted
- The attacker is unable to break cryptographic primitives
- The Secure World and the applications in the Secure World are trusted
- Hardware attacks are out of scope
[Speaker note: Make a nice little figure for this!!! Preferably something showing all the attack vectors.]

Requirements of the Platform
- Isolated execution: protect the integrity and privacy of a service
- Secure boot: attest the services upon booting
- Secure service development: build environment for development and deployment of secure services
- Rich Normal World: easily develop applications using secure services

Design of the Platform
- Software architecture
- Inter-World communication
- Software development support
- System boot
Software Architecture
- Two software stacks
- Android as Normal World
- Genode as Secure World

Software Architecture: Android
- Offers a familiar environment
- Easily install new applications
- Rich UI for touchscreens
[Figure: Android applications on top of the Android kernel]

Software Architecture: Genode
- Services run as applications
- The secure monitor runs as an application
- The monitor manages a list of references to the services
[Figure: Service 1 and Service 2 registered as S1 and S2 with the Monitor; both worlds with their own kernel]

Inter-World Communication
- Genode acts as slave to Android
- If an application requires a secure service, a request is issued
- A new driver was added to Android to enable these requests
[Figure: Genode driver in the Android kernel talking to the Monitor in the Secure World]

Inter-World Communication: request path
1. The application contacts the driver with a request
2. The driver passes the request to the secure monitor
3. The monitor calls the requested service
4. The service handles the request
[Figure: steps 1 to 3 drawn from the application, through the Genode driver, to the Monitor and Service 1]

Inter-World Communication: full round trip
1. The application contacts the driver with a request
2. The driver passes the request to the secure monitor
3. The monitor calls the requested service
4. The service handles the request
5. The service responds to the monitor
6. The monitor notifies the driver
7. The driver responds to the application
[Figure: steps 5 to 7 drawn back from Service 1, through the Monitor and the Genode driver, to the application]
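The seven-step round trip above, simulated end to end as an added example (this is not code from the prototype or from Genode or Android). The Normal World side is a constructed wire format parsed by a stand-in for the Genode driver; the Secure World side is a monitor holding a table of service references and two constructed services (an HMAC tagging service and its verifier) whose key never leaves the Secure World. The monitor's entry point is deliberately narrow: it accepts only registered service ids, bounds the payload, and turns any service failure into a generic error, which is the "strict communication API between the worlds" that the evaluation later names as the main attack surface. All identifiers, the wire layout and the payload bound are assumptions.

```python
import hashlib
import hmac
import struct

MAX_PAYLOAD = 64          # assumed upper bound on a request payload (constructed)
STATUS_OK, ERR_UNKNOWN_SERVICE, ERR_BAD_REQUEST, ERR_SERVICE = 0, 1, 2, 3

# Constructed secret that lives only in the Secure World; the Normal World
# only ever sees tags derived from it, never the key itself.
SECURE_WORLD_KEY = b"constructed-demo-key-not-for-real-use"


# ---- Secure World: services (step 4, the service handles the request) ----
def svc_tag(payload: bytes) -> bytes:
    """Service 1: HMAC-SHA256 tag over data gathered by Normal World code."""
    return hmac.new(SECURE_WORLD_KEY, payload, hashlib.sha256).digest()


def svc_verify(payload: bytes) -> bytes:
    """Service 2: payload = 32-byte tag || data; returns b'\\x01' if the tag matches."""
    if len(payload) < 32:
        raise ValueError("tag missing")
    tag, data = payload[:32], payload[32:]
    return b"\x01" if hmac.compare_digest(tag, svc_tag(data)) else b"\x00"


# ---- Secure World: monitor (steps 3 and 5) -------------------------------
SERVICES = {1: svc_tag, 2: svc_verify}   # the monitor's list of service references


def monitor_dispatch(service_id: int, payload: bytes):
    """Narrow entry point: whitelisted ids, bounded payload, no leaked exceptions."""
    handler = SERVICES.get(service_id)
    if handler is None:
        return ERR_UNKNOWN_SERVICE, b""
    if len(payload) > MAX_PAYLOAD:
        return ERR_BAD_REQUEST, b""
    try:
        return STATUS_OK, handler(payload)   # step 3: call the requested service
    except Exception:
        return ERR_SERVICE, b""              # step 5: generic error, no internals


# ---- Normal World: Genode driver (steps 2 and 6) -------------------------
# Constructed wire format: big-endian u16 service id, u16 length, payload.
HDR = struct.Struct(">HH")


def driver_transfer(wire: bytes) -> bytes:
    """Parse a request frame, hand it to the monitor, encode the reply frame."""
    if len(wire) < HDR.size:
        return HDR.pack(ERR_BAD_REQUEST, 0)
    service_id, length = HDR.unpack_from(wire)
    body = wire[HDR.size:]
    if len(body) != length:                  # reject truncated or padded frames
        return HDR.pack(ERR_BAD_REQUEST, 0)
    status, reply = monitor_dispatch(service_id, body)
    return HDR.pack(status, len(reply)) + reply


# ---- Normal World: application-side library (steps 1 and 7) --------------
def call_service(service_id: int, payload: bytes):
    """What the Java library would do: frame the request, return (status, reply)."""
    reply = driver_transfer(HDR.pack(service_id, len(payload)) + payload)
    status, length = HDR.unpack_from(reply)
    return status, reply[HDR.size:HDR.size + length]


if __name__ == "__main__":
    status, tag = call_service(1, b"sensor-reading:42")
    print(status, tag.hex())
    print(call_service(2, tag + b"sensor-reading:42"))   # (0, b'\x01')
```

The point of the three checks in `monitor_dispatch` and the length check in `driver_transfer` is that nothing in the Normal World can reach a service except through a fixed set of ids with a fixed frame shape; a malformed frame is rejected before any Secure World service runs.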
Software Development Support: Android application development
- Use the regular development environment
- Java library to enable communication with secure services
- The library provides a generic communication API
- Developers of secure services can build a service-specific library on top of it

Software Development Support: secure service development
- Developed in the Genode framework
- Use C or C++, based on FreeBSD
- Additional libraries can be ported (e.g. OpenSSL)
- A script is provided to build the Genode world and add the written services

System Boot
- Guarantees the authenticity of the Secure World on startup
- 3-stage boot process:
  1. Authenticated start of the bootloader
  2. The bootloader authenticates and boots Genode
  3. Genode starts Android
[Figure: Bootloader -> Genode -> Android]
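A simulation of the 3-stage chain as an added example (not the prototype's or the i.MX boot code). It simplifies the real mechanism: where the board's boot ROM and the bootloader would verify signatures, this model pins a SHA-256 digest of the next stage inside each stage image, so the hardware root digest covers the bootloader, the bootloader's pinned digest covers Genode, and a change to either image or to a pin breaks the chain at the stage that checks it. Android is started by Genode but not measured, matching the slide's guarantee, which concerns the Secure World only. Image contents, the `|pin:` layout and all names are constructed.

```python
import hashlib
import hmac

PIN_SEP = b"|pin:"


def build_image(code: bytes, next_digest: str = "") -> bytes:
    """A stage image is its code plus the pinned digest of the stage it may start."""
    return code + PIN_SEP + next_digest.encode()


def pinned_digest(image: bytes) -> str:
    """Read the digest a stage is allowed to hand over to."""
    return image.rsplit(PIN_SEP, 1)[1].decode()


def measure(image: bytes) -> str:
    """Measurement of a whole image, pin included, so re-pinning is detectable."""
    return hashlib.sha256(image).hexdigest()


def boot(root_digest: str, bootloader_image: bytes, genode_image: bytes):
    """Walk the chain; returns (stages started, failure reason or None)."""
    started = []
    # Stage 1: the hardware root of trust (the board, simplified to a pinned
    # digest) authenticates the bootloader before running it.
    if not hmac.compare_digest(measure(bootloader_image), root_digest):
        return started, "bootloader rejected by hardware root of trust"
    started.append("bootloader")
    # Stage 2: the bootloader authenticates Genode against its own pin.
    if not hmac.compare_digest(measure(genode_image), pinned_digest(bootloader_image)):
        return started, "Genode image rejected by bootloader"
    started.append("genode")
    # Stage 3: Genode starts Android; the Normal World is untrusted and not measured here.
    started.append("android")
    return started, None


# Constructed images: Genode first, then a bootloader pinned to it, then the
# root digest the hardware would hold for that bootloader.
BOOTLOADER_CODE = b"bootloader code (constructed)"
GENODE_IMAGE = build_image(b"genode secure world image (constructed)")
BOOTLOADER_IMAGE = build_image(BOOTLOADER_CODE, measure(GENODE_IMAGE))
ROOT_DIGEST = measure(BOOTLOADER_IMAGE)

if __name__ == "__main__":
    print(boot(ROOT_DIGEST, BOOTLOADER_IMAGE, GENODE_IMAGE))
    print(boot(ROOT_DIGEST, BOOTLOADER_IMAGE, GENODE_IMAGE + b"!"))
```

Two failure modes are worth trying against it: a modified Genode image halts at the bootloader, and a bootloader re-pinned to accept that modified image no longer matches the root digest, so the chain halts one stage earlier.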
Evaluation of the Prototype
Evaluation of the Prototype
- The prototype has been developed on an i.MX6 SABRE Lite board
- Security analysis
  - Currently ~24.000 LOC in the Secure World
  - Sharply reduces the risk of bugs and exploits compared to a commodity OS
  - The main attack vector is the interface with the Normal World
  - A service should provide a strict communication API between the worlds
  - The current calls each have a very specific purpose

Requirements Review: secure execution
- Services run isolated from the untrusted world
- Narrow attack vector
(Secure boot, secure service development and rich Normal World follow)

Requirements Review: secure boot
- i.MX technology enables a trusted bootloader
- The bootloader verifies an authentic Secure World
(Secure service development and rich Normal World follow)

Requirements Review: secure service development
- Services can be developed in C++
- Performance of the Secure World:

  Operation         Genode (ms)   Android (ms)
  RSA Public key    53,6          1,4
  RSA Private key   1774,1        41,1
  AES Encrypt       76,0          63,9
  AES Decrypt       75,3          49,9

(Rich Normal World follows)

Requirements Review: rich Normal World
- Android applications are developed as usual
- The Java library allows contact with the Secure World
- The impact of the Secure World on performance is minimal
Conclusion
Conclusion
- Presented the design of a platform which can be used to offer secure services in a Cyber-Physical System environment
- The platform uses a Trusted Execution Environment to isolate critical services
- A prototype has been developed
- Future work
  - Utilize this platform design in use cases to truly validate it
  - Currently working on the onboard computer case for IoT trucks
[Speaker note: Fix the conclusion.]

Thank you!
https://distrinet.cs.kuleuven.be/
vincent.raes@kuleuven.be
[Speaker note: Pause briefly before answering a question, because you tend to be too quick, which leads to inaccuracies in the answers.]