h"ps://sel4.systems

TheOpen-SourceseL4KernelMilitary-GradeSecurityThroughMathema@csGernotHeiser|gernot.heiser@data61.csiro.au|@GernotHeiserTrustworthySystems|Data61

LinaroConnectSFO’17

CarHacking–What’sBehind?

LinaroConnectSFO'172|

Engine Control

etc

Sensor

Networkingfor:•  Entertainment•  Connectedcar•  Safety(@repressure…)•  Maintenance(OTAupgrades)

Infotainmentetc

NosecuritywhatsoeveronCANbus!

ChallengeofNetworking

LinaroConnectSFO'173|

Networkingcreatesremotea"ackopportuni@es•  frompassengers(wifi,Bluetooth)•  fromnearbycars(wifi,Bluetooth)–

drive-byshoo@ng,spreadofviruses•  fromanywhere(cellular)

A"ackvectors:•  Insecureprotocols•  Reusingcryptokeys•  Soawarevulnerabili@es

SoawareVulnerabili@es

SystemComplexity

Depe

ndabilty,Security

ComplexityDrivers•  Features/func@onality•  Legacyreuse

LinaroConnectSFO'174|

Soaware-engineeringruleofthumb:•  1–5bugsper1,000linesofqualitycode

Bluetoothprotocolstack:Mul@ple100,000lines

Linuxkernel:Tensofmillionslines

Linux“Security”

LinaroConnectSFO'175|

Soawarewillbreak

Theenemywillbeontheplahorm!

OK,SoLet’sPatchRegularly

LinaroConnectSFO'176|

10MLOC10kbugs

1knownvulnerability

10MLOC10kbugs

10MLOC10k-1bugs

Patch

Patch-and-Pray:Alosingproposi@on

•  Imposesoverhead(SWaP)or•  RunsonvulnerableOS⇒worthlessifOScompromised•  Evenmorecode–mayincreasea"acksurface•  Nohelpforvalidmessagesthattriggerbugsinsoaware

So,Let’sUseFirewalls!

LinaroConnectSFO'177|

Engine Control

etc

Sensor

Infotainmentetc

Firewallstreatsymptoms,notcausesofproblems!

•  RunsonvulnerableOS⇒worthlessifOScompromised•  Evenmorecode–mayincreasea"acksurface•  Canonlydetectthatsystemisalreadycompromised

Let’sUseAItoDetectCompromise!

LinaroConnectSFO'178|

Engine Control

etc

Sensor

Infotainmentetc

Intrusiondetec@on:admissionofdefeat

FundamentalSecurityRequirement:Isola@on

Enforcedbytrustworthysepara@onkernel

Processor

Uncri@cal/untrusted

Sensi@ve/cri@cal/trusted

StrongIsola@on

Communica@onsubjecttoglobalsecuritypolicy

LinaroConnectSFO'179|

Claim:Asystemmustbeconsidereduntrustworthyunlessprovedotherwise!

Corollary[withapologiestoDijkstra]:Tes@ng,codeinspec@on,etc.canonlyshowlackoftrustworthiness!

LinaroConnectSFO'1710|

Trustworthiness:CanWeRelyonIsola@on?

A system is trustworthy if and only if: •  it behaves exactly as it is specified, •  in a timely manner, •  while ensuring secure execution

ProvablySecureOpera@ngSystem

LinaroConnectSFO'1711|

Small,

fast,

capability-based,

operating system kernel

World’s fastest (5–10X faster) operating system designed for

security and safety ⬇

Suitable for real-world deployment

~10,000 lines of C and ASM code ⬇

Small attack surface, Amenable to full verification

Code that runs in privileged mode of the hardware ⬇︎

Most critical part

Non-kernel code can only access resources and communication channels if explicitly authorised with a per-object access token

(capability) ⬇ ︎

•  Confined damage •  Least privilege

Threads IPC VM seL4

access control

com

pone

nts

hardware

Privileged mode

Unprivileged mode

L3→L4 “X” Hazelnut Pistachio

L4/Alpha

L4/MIPS

OKL4-µKernel

OKL4-Microvisor

Codezero

P4→PikeOS

Fiasco Fiasco.OC

L4-embed.

NovaGMD/IBM/Karlsruhe

UNSW/NICTA

Dresden

Other(commercial)

OKLabs

L4Re

20+YearsofL4MicrokernelR&D

June'1712|

APIInheritance

CodeInheritance

93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

seL4:Thelatest(andmostadvanced)memberoftheL4microkernelfamily

Qualcommmodemchips

iOSsecurityprocessor

Integrity

AbstractModel

CImple-menta@on

Confiden-@ality Availability

Binarycode

Proo

fProo

fProo

f

Func@onalcorrectness[SOSP’09]

Isola@onproper@es[ITP’11,S&P’13]

Transla@oncorrectness[PLDI’13]

Exclusions(atpresent):§  Ini@alisa@on§  Low-levelMMUmodel§  caches§  Mul@core§  Covert>mingchannels

Worst-caseexecu@on@me

[RTSS’11,RTAS’16]

Provablyimpossible:§  bufferoverflow§  null-pointerdereference§  codeinjec@on§  memoryleaks§  kernelcrash§  undefinedbehaviour§  privilegeescala@on

ProvingTrustworthinessofseL4

LinaroConnectSFO'1713|

HowDoesseL4Compare?

LinaroConnectSFO'1714|

Feature seL4 Otherhypervisors, RTOSes,

separationkernels

Performance Fastest 2–10×slower

Functional

correctness

Proved NoGuarantee

Isolation Proved NoGuarantee

Worst-case

latencybounds

Sound&

complete

Estimatesonly

Storagechannel

freedom

Proved NoGuarantee

Timingchannel

prevention

Lowoverhead NoneorHighOverhead

Mixed-criticality

support

Fullysupported,

highutilisation

Limited,resource-wastive

Virtualisa@on

COMP9242S2/2017W04

guestOS

Guestapps VMM

Syscall

Hypercall Excep@onIPC

VM

User

Kernel

Hyp

guestOS

Guestapps VMM

VM

Uncri@cal/untrusted

SecuritybyArchitecture

LinaroConnectSFO'1716|

Cri@calcontrol

Uncri@cal/untrusted

Linux

AppsAppsApps

Devicedriver

Virtualmachineforlegacy

Extractcri@calbits,runna@ve

NWstack

Cyber-retrofit!

Incrementalprocess:migrate

inpieces

Real-WorldExample:DARPAHACMS

BoeingUnmannedLi"leBird USArmyAutonomousTrucks

TARDECGVR-BotSMACCMcopterResearchVehicle

Retrofitexis@ngsystem!

Retrofitexis@ngsystem!

Developtechnology

LinaroConnectSFO'1717|

Example:Communica@ngProcesses

June'1718|

Thread-ObjectA CNodeA1 EP Thread-ObjectBCNodeB1CNodeA2

VSpace

VSpace

CSpace CSpace

Send

Receive

PDAPTA1FRAME

FRAME

...

...

... ...

...

...CONTE

XT

CONTE

XT

A B

Communica@onendpoint(port)

ComponentMiddleware:CAmkES

June'1719| ����������� ������ ������������������������� &9�#�$"

�2-!�

3 ����������������������(������������

3 ���*������������<$8(�����-������

3 ������������������(��������)���)����)�����

component

connector

interfaceHigher-levelabstrac@onsoflow-levelseL4constructs

Example:SimplifiedHACMSUAV

June'1720|

RadioDriver

Crypto

CANDriver

DataLink

Uncri@cal/untrusted

Uncri@cal/untrusted,contained

Linux

Camera

Wifi

EnforcingtheArchitecture

LinaroConnectSFO'1721|

Architecturespecifica@onlanguage

A

CNode EP CNodeCSpace CSpace

Send

Receive

... ...

CONTE

XT

CONTE

XTVSpace

component code+

CAmkES

capDLgluecode

+ proof

initialised system + proof

+ proofThreadObject

ThreadObject

VSpace

A B

B

Low-levelaccessrights

init.c

driver.c VMM.cglue.c

Compiler/Linker

binary

RadioDriver

Crypto

CANDriver

DataLink

Uncri@cal/untrusted

Uncri@cal/untrusted,contained

Linux

Camera

Wifi

Binary

AnalysisTools

Open-SourceArchitectureAnalysis

LCA'16Geelong22|

Generate

GenerateCAmkESComponentDescrip@on .h,.c

GlueCode

Eclipse-basedIDE

Design AADLArchitectureAnalysis&Descrip@onLanguage

Safety✔

Military-GradeSecurity

LinaroConnectSFO'1723|

Cross-DomainDesktopCompositor

Mul@-levelsecureterminal•  SuccessfuldefencetrialinAU•  EvaluatedinUS,UK,CA•  Formalsecurityevalua@onsoon

Pen10.com.aucryptocommunica@ondeviceundergoingformalsecurityevalua@oninUK

Contribu@ons

LinaroConnectSFO'1724|

Review

Pullrequestorpatchonmailinglist

Thankyou

LinaroConnectSFO'1725|

RobinRandhawa

Pleasecheckouth"ps://sel4.systems

h"p://sel4.systems

Securityisnoexcuseforpoorperformance!

Military-GradeSecurityforYou!

GernotHeiser|gernot.heiser@data61.csiro.au|@GernotHeiserLinaroConnectSFO’17