The Contiki Operating System
Allan Blanchard, INRIA
CHARIOT-VESSEDIA Workshop “THE ROAD AHEAD FOR A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”
CHARIOT – VESSEDIA Workshop, 9 May 2019, Dublin, Ireland
Overview of Contiki
A lightweight OS for the Internet of Things
Open Source OS (BSD License): https://github.com/contiki-ng/contiki-ng
C-based (+ protothreads)
Supports many embedded platforms
Supports standard low-power IPv6:
  Certified IPv6 stack from CISCO in 2008
  6LoWPAN (IPv6 for IEEE 802.15.4)
  RPL (Routing in “low-power and lossy networks”)
  CoAP (Application layer, HTTP-lite)
  TSCH and 6TiSCH
Typical Scenarios
IoT scenarios: smart cities, building automation, …
Examples: traffic lights, parking spots, public transport, street lights, smart metering, light bulbs, thermostat, power sockets, CO2 sensors, door locks, smoke detectors, …
Multiple hops to cover large areas
Low-power for battery-powered scenarios
Nodes are interoperable and addressable (IP)
Typical hardware
Many different platforms (currently 9 + variants)
8, 16, 32 bit MCUs
Typically an IEEE 802.15.4 radio
Battery-based
RAM (4-10s of kB)
ROM (10-100s of kB)
Sensors / actuators
Security risks
If the operating system fails, everything fails
Wireless devices, easy to access
No memory protection unit on most targeted devices
Even if there were one, there is no distinction between user and kernel space in Contiki
Target of Verification
Contiki Code Base
250k lines of C code from more than 150 contributors
The operating system is too large to be entirely verified (for now)
And unit tests are under-represented
We focus on platform independent code (useful for any instance): 100k lines of C code
We need to further restrict the code base
Contiki (Selected) Code Base

Module             kLOC   Description                                  Priority
lib                39.3   Different general purpose libraries
  lib/*.[ch]        2.1   Memory management, lists, crypto, etc.       HIGH
  lib/dbg-io        0.7   Debugging tools using input/output           MED
net                36     Networking stack
  net/ipv6         11.9   IPv6 stack
  net/mac           8.2   MAC layers
  net/mac/csma      0.5   Standard CSMA MAC
  net/mac/framer    1.3   Encoding and decoding of MAC frame headers
  net/mac/*.[ch]    0.2   MAC API
  net/routing       8     Currently RPL implementations
  net/*.[ch]        0.9   Neighbour tables, packet buffers, etc.
sys                 1.8   Core components: scheduler, timers, etc.

3.9 kLOC of high priority code
23.5 kLOC of medium priority code
What’s hard to analyse?
Global states (a lot of them)
Static configurations (code coverage is hard to evaluate)
Tricky C constructs (protothreads)
Long functions (sometimes several thousand lines for a single one)
And sometimes all of this at the same time
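To see why protothreads are listed as a tricky construct, here is an added, self-contained illustration (constructed for this page, not Contiki's own pt.h, though it follows the same idea): a protothread stores only a line number as its "local continuation" and re-enters the function through a switch, so every wait point is a hidden case label that jumps into the middle of a loop, and all state that must survive a yield has to live in globals. The packet counters, the handler and the round-robin driver are all constructed for the example.

```c
#include <stdio.h>

/* Constructed minimal protothread in the style of Contiki's pt.h (not
 * Contiki's own code). The "local continuation" is the line number of the
 * last blocking point; PT_BEGIN turns it into a switch that jumps back
 * there on the next call. Local variables do not survive a yield, which is
 * why the state below is kept in globals. */
struct pt { unsigned short lc; };

#define PT_WAITING 0
#define PT_ENDED   1

#define PT_INIT(pt)   ((pt)->lc = 0)
#define PT_BEGIN(pt)  switch ((pt)->lc) { case 0:
#define PT_WAIT_UNTIL(pt, cond)           \
  do {                                    \
    (pt)->lc = __LINE__; case __LINE__:   \
    if (!(cond)) return PT_WAITING;       \
  } while (0)
#define PT_END(pt)    } (pt)->lc = 0; return PT_ENDED

/* Constructed global state shared between the event source and the
 * protothread: exactly the kind of global state a static analyser must
 * track across many separate calls of the same function. */
static int packets_received;
static int packets_processed;

/* Process `wanted` packets, yielding to the scheduler until each arrives.
 * The case label generated by PT_WAIT_UNTIL sits inside the while loop, so
 * control enters the loop body without passing through its condition. */
static int packet_handler(struct pt *pt, int wanted)
{
  PT_BEGIN(pt);
  while (packets_processed < wanted) {
    PT_WAIT_UNTIL(pt, packets_received > packets_processed);
    packets_processed++;
  }
  PT_END(pt);
}

/* Drive the protothread the way a cooperative scheduler would: call it
 * until it ends, delivering one packet per round. Returns the number of
 * rounds in which the handler had to yield. */
static int run_handler(int wanted)
{
  struct pt pt;
  int rounds = 0;
  packets_received = 0;
  packets_processed = 0;
  PT_INIT(&pt);
  while (packet_handler(&pt, wanted) == PT_WAITING) {
    packets_received++;   /* the "event": one packet arrived */
    rounds++;
  }
  return rounds;
}

int main(void)
{
  printf("rounds needed for 3 packets: %d, processed: %d\n",
         run_handler(3), packets_processed);
  return 0;
}
```

For an analyser such as WP or EVA the difficulty is that the function's control-flow graph has entry edges into the middle of a loop and its real state is spread over globals plus the `lc` field, so a contract for `packet_handler` cannot be expressed per call but only over the whole sequence of calls.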
Tools and Methods
High priority code
Target functional verification
Select critical modules
Analyze them in isolation
We use Frama-C + WP
Medium priority code
Show the absence of runtime errors
  Using abstract interpretation (we use Frama-C + EVA)
  Using minimal contracts (also used on some high priority code)
When all of this is too hard, use runtime verification
  Ongoing experiment that aims at running instrumented Contiki instances
  We use Frama-C + E-ACSL
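The two levels of effort on the previous slides can be made concrete on a small piece of code. The following is an added example written for this page (it imitates the fixed-size block pools of Contiki's lib, the "memory management" item in the high-priority row, but is not Contiki's own code): `pool_alloc` carries a full functional contract with ACSL behaviors, the kind of specification Frama-C/WP is asked to prove for high-priority code, while `pool_free` carries only the minimal contract needed to show the absence of runtime errors with EVA. The pool type, both functions and the `pool_demo` scenario are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fixed-size block pool in the style of Contiki's memb library
 * (not Contiki's code): no dynamic allocation, every block lives in a
 * statically sized array and a per-slot flag records whether it is in use. */
#define POOL_SIZE  4
#define BLOCK_SIZE 16

struct block_pool {
  uint8_t used[POOL_SIZE];                 /* 0 = free, 1 = allocated */
  uint8_t storage[POOL_SIZE][BLOCK_SIZE];  /* the blocks themselves */
};

/* High-priority style: a full functional contract for WP. It fixes the
 * frame (assigns), and in both behaviors (pool full / a slot is free) the
 * result and the effect on the used flags. */
/*@ requires \valid(pool);
  @ requires \forall integer i; 0 <= i < POOL_SIZE ==>
  @            (pool->used[i] == 0 || pool->used[i] == 1);
  @ assigns pool->used[0 .. POOL_SIZE - 1];
  @ behavior full:
  @   assumes \forall integer i; 0 <= i < POOL_SIZE ==> pool->used[i] == 1;
  @   assigns \nothing;
  @   ensures \result == \null;
  @ behavior has_free:
  @   assumes \exists integer i; 0 <= i < POOL_SIZE && pool->used[i] == 0;
  @   ensures \exists integer i; 0 <= i < POOL_SIZE &&
  @             \old(pool->used[i]) == 0 && pool->used[i] == 1 &&
  @             \result == &pool->storage[i][0];
  @   ensures \forall integer j; 0 <= j < POOL_SIZE &&
  @             \result != &pool->storage[j][0] ==>
  @             pool->used[j] == \old(pool->used[j]);
  @ complete behaviors;
  @ disjoint behaviors;
  @*/
void *pool_alloc(struct block_pool *pool)
{
  /*@ loop invariant 0 <= i <= POOL_SIZE;
    @ loop invariant \forall integer k; 0 <= k < i ==> pool->used[k] == 1;
    @ loop assigns i;
    @ loop variant POOL_SIZE - i;
    @*/
  for (int i = 0; i < POOL_SIZE; i++) {
    if (pool->used[i] == 0) {
      pool->used[i] = 1;
      return pool->storage[i];
    }
  }
  return NULL;   /* pool exhausted: callers must check for this */
}

/* Medium-priority style: a minimal contract, just enough for EVA to show
 * there is no runtime error (valid pool, writes confined to the flags).
 * A pointer that does not belong to this pool is refused rather than used
 * to index anything, so a bad argument cannot corrupt the flags. */
/*@ requires \valid(pool);
  @ assigns pool->used[0 .. POOL_SIZE - 1];
  @ ensures \result == 0 || \result == -1;
  @*/
int pool_free(struct block_pool *pool, void *block)
{
  uint8_t *p = block;
  for (int i = 0; i < POOL_SIZE; i++) {
    if (p == pool->storage[i]) {
      pool->used[i] = 0;
      return 0;
    }
  }
  return -1;   /* not a block of this pool */
}

/* Constructed scenario exercising both behaviors of pool_alloc and the
 * foreign-pointer path of pool_free. Returns 0 when every step behaves as
 * the contracts say, otherwise the number of the failing step. */
static int pool_demo(void)
{
  struct block_pool pool = {{0}};
  uint8_t foreign = 0;
  void *blocks[POOL_SIZE];
  for (int i = 0; i < POOL_SIZE; i++) {
    blocks[i] = pool_alloc(&pool);
    if (blocks[i] != pool.storage[i]) return 1;  /* lowest free slot first */
  }
  if (pool_alloc(&pool) != NULL) return 2;         /* behavior "full" */
  if (pool_free(&pool, &foreign) != -1) return 3;  /* foreign pointer refused */
  if (pool_free(&pool, blocks[1]) != 0) return 4;
  if (pool_alloc(&pool) != blocks[1]) return 5;    /* freed slot is reused */
  return 0;
}

int main(void)
{
  printf("pool_demo result: %d\n", pool_demo());
  return 0;
}
```

The same ACSL annotations are what E-ACSL turns into runtime checks when static proof is too hard: the preconditions and postconditions above become assertions executed inside the instrumented Contiki instance, which is the point of the ongoing runtime-verification experiment mentioned on the slide.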
Conclusion
Take home message
Contiki is a lightweight open-source OS for IoT
It was originally designed without security in mind
Targeted devices are easy to reach and do not have hardware protection
We have focused our verification effort on the most used and critical code
Tools should be chosen according to the properties to verify
The more critical a module is, the more detailed its verification should be
Contact Details
INRIA
Allan Blanchard
allan.blanchard@inria.fr
The projects CHARIOT & VESSEDIA have received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780075 & No 731453.