New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.

Slides:



Advertisements
Similar presentations
Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,
Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Fundamentals of Computer Security Geetika Sharma Fall 2008.
V IRTUALIZATION A TTACKS Undetectable Bluepill. V IRTUALIZATION AND ITS A TTACKS What is Virtualization? What makes it possible? How does it affect security?
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
OS Organization. OS Requirements Provide resource abstractions –Process abstraction of CPU/memory use Address space Concurrency Thread abstraction of.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
An Overview of Virtual Machine Architectures by J.E. Smith and Ravi Nair presented by Sebastian Burckhardt University of Pennsylvania CIS 700 – Virtualization.
Virtualization: An Overview Brendan Lynch. Forms of virtualization In all cases virtualization is taking a physical component and simulating the interface.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
MultiPARTES Towards Model-Driven Engineering for Mixed- Criticality Systems: MultiPARTES Approach A. Alonso, C. Jouvray, S. Trujillo, M.A. de Miguel, C.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Virtualization Concepts Presented by: Mariano Diaz.
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Virtualization: Not Just For Servers Hollis Blanchard PowerPC kernel hacker.
The Entropia Virtual Machine for Desktop Grids Brad Calder, Andrew A. Chien, Ju Wang, Don Yang – VEE-2005 Raju Kumar CS598C: Virtual Machines.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Bart Miller – October 22 nd,  TCB & Threat Model  Xen Platform  Xoar Architecture Overview  Xoar Components  Design Goals  Results  Security.
Chapter 2 Introduction to OS Chien-Chung Shen CIS, UD
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.
Graciela Saunders.  Introduction / Review  Challenges to Embedded Security  Approaches to Embedded Security  Security Analysis & Attack Taxonomy 
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Security Vulnerabilities in A Virtual Environment
SubVirt: Implementing malware with virtual machines Authors: Samuel T. King, Peter M. Chen University of Michigan Yi-Min Wang, Chad Verbowski, Helen J.
Lecture 12 Virtualization Overview 1 Dec. 1, 2015 Prof. Kyu Ho Park “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”, White.
Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
VMM Based Rootkit Detection on Android
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
1.1 Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 1: Introduction What Operating Systems Do √ Computer-System Organization.
Virtual Machine Monitors
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Trusted Computing and the Trusted Platform Module
Providing Security for Embedded Devices Through Virtualization
Chapter 1: Introduction
Outline What does the OS protect? Authentication for operating systems
Operating System Structure
Outline What does the OS protect? Authentication for operating systems
TERRA Authored by: Garfinkel, Pfaff, Chow, Rosenblum, and Boneh
By Dunlap, King, Cinar, Basrai, Chen
System Calls.
Virtualization Techniques
An Overview of Virtual Machine Architectures
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
Operating Systems: A Modern Perspective, Chapter 3
SCONE: Secure Linux Containers Environments with Intel SGX
Shielding applications from an untrusted cloud with Haven
Operating Systems Structure
Presentation transcript:

New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin

2 Background Why application software protection in distributed embedded systems? In embedded systems, application programs perform mission-critical tasks and carry sensitive info Privacy/integrity of these applications is critical to the security and robustness of any distributed embedded system Current approach: have the OS protect the applications E.g., OS provides process isolation, crypto services, etc. Apps must trust OS. OS should be protected by hardware Processor protects OS via user/kernel separation

3 My Position Classical user/kernel separation is too coarse to confidently protect app software with high security needs. The limitation should be overcome by creating a new protection system.

4 Classical User/Kernel Separation An autocratic model for separation of power: the kernel code executes with absolute power Entire security of the system hinges on the trustworthiness of the kernel mode software (i.e., OS) Effective for protecting OS, but this simple dichotomy is too coarse and there are several limitations Kernel modeUser mode Processor state without privilege - Execution mode for applications - Can’t execute system instructions - Restricted access to hardware Processor state with privilege - Execution mode for OS - Ability to execute all instructions - Unrestricted access to hardware

5 Limitations of user/kernel Dichotomy 1.No defense against OS compromise There is no effective 2 nd line of defense to applications Further protection of applications is meaningless as the attacker can easily disarm any protection mechanism 2.Difficult to reduce the OS verification overhead Trend: OS is becoming larger and is from diverse sources The dichotomy dictates any code that requires even slightest privilege must execute in kernel mode, where the code is subject to complete verification 3.Undue trust dependencies App vendors require OS vendors not to spy on the apps Apps must trust every component of OS Every OS component must be validated (e.g., device drivers)

6 New Directions for Software Protection Need a new protection system Protect applications even in case of OS compromises Lessen the kernel verification overhead Break trust dependencies Challenges in designing such a protection system Identifying an appropriate threat model Model that captures essential security needs of apps Preserving OS’s management power Restriction by the new protection shouldn’t obstruct OS’s job Finding a small and simple enforcing mechanism Implementation must be easily verifiable My proposal: Separate security from management The new protection system protects privacy/integrity of apps. It is implemented by a ‘security kernel’ (continue)

7 Security Kernel vs. Mgmt Kernel Traditional OS  Security kernel + Management kernel Management kernel is responsible for resource management Security kernel is a thin layer enforcing the new protection system It directly protects privacy/integrity of applications data Applications are protected even if the management kernel is compromised Management kernel doesn’t have to be trusted by applications App Traditional layout App OS Hardware App Management Kernel Security Kernel Hardware Security kernel approach Trust Base Security kernel directly protects the applications

8 Implementation Alternatives 1.Hardware Processor is modified to implement the protection logic 2.Software: Using virtual machine monitor (VMM) A VMM, sitting between HW and OS, can be utilized Due to size/complexity, verifying the VMM is challenging 3.Software: Standalone security kernel A thin layer implementing only the protection system Can be made small and simple, thus easy to secure App 1. Hardware App Mgmt Kernel Hardware with protection logic Hardware with protection logic App Mgmt Kernel (VM) Mgmt Kernel (VM) App Mgmt Kernel Standalone Security Kernel Standalone Security Kernel Hardware To Verify & secure To realize To deploy HardwareEasyHard VMMHardEasy StandaloneEasy 2. VMM3. Standalone Mgmt Kernel (VM) Mgmt Kernel (VM) VMM with Protection logic VMM with Protection logic Hardware

9 Impact Paradigm shift in designing secure distributed embedded systems The new application protection system relaxes many assumptions currently made To ensure the security of application software, management OS no longer has to be trusted It enables implementing ambitious distributed systems which were too risky under the assumption of trusted OS

10 Conclusion Another system of protection is needed to overcome the limitations inherent with the coarse classical user/kernel separation. The protection system must Protect applications even in case of OS compromises Lessen the kernel verification overhead Break trust dependencies We have been exploring approaches for implementing such a protection system