the open-source sel4 kernel - amazon web...
TRANSCRIPT
h"ps://sel4.systems
TheOpen-SourceseL4KernelMilitary-GradeSecurityThroughMathema@csGernotHeiser|[email protected]|@GernotHeiserTrustworthySystems|Data61
LinaroConnectSFO’17
CarHacking–What’sBehind?
LinaroConnectSFO'172|
Engine Control
etc
Sensor
Networkingfor:• Entertainment• Connectedcar• Safety(@repressure…)• Maintenance(OTAupgrades)
Infotainmentetc
NosecuritywhatsoeveronCANbus!
ChallengeofNetworking
LinaroConnectSFO'173|
Networkingcreatesremotea"ackopportuni@es• frompassengers(wifi,Bluetooth)• fromnearbycars(wifi,Bluetooth)–
drive-byshoo@ng,spreadofviruses• fromanywhere(cellular)
A"ackvectors:• Insecureprotocols• Reusingcryptokeys• Soawarevulnerabili@es
SoawareVulnerabili@es
SystemComplexity
Depe
ndabilty,Security
ComplexityDrivers• Features/func@onality• Legacyreuse
LinaroConnectSFO'174|
Soaware-engineeringruleofthumb:• 1–5bugsper1,000linesofqualitycode
Bluetoothprotocolstack:Mul@ple100,000lines
Linuxkernel:Tensofmillionslines
OK,SoLet’sPatchRegularly
LinaroConnectSFO'176|
10MLOC10kbugs
1knownvulnerability
10MLOC10kbugs
10MLOC10k-1bugs
Patch
Patch-and-Pray:Alosingproposi@on
• Imposesoverhead(SWaP)or• RunsonvulnerableOS⇒worthlessifOScompromised• Evenmorecode–mayincreasea"acksurface• Nohelpforvalidmessagesthattriggerbugsinsoaware
So,Let’sUseFirewalls!
LinaroConnectSFO'177|
Engine Control
etc
Sensor
Infotainmentetc
Firewallstreatsymptoms,notcausesofproblems!
• RunsonvulnerableOS⇒worthlessifOScompromised• Evenmorecode–mayincreasea"acksurface• Canonlydetectthatsystemisalreadycompromised
Let’sUseAItoDetectCompromise!
LinaroConnectSFO'178|
Engine Control
etc
Sensor
Infotainmentetc
Intrusiondetec@on:admissionofdefeat
FundamentalSecurityRequirement:Isola@on
Enforcedbytrustworthysepara@onkernel
Processor
Uncri@cal/untrusted
Sensi@ve/cri@cal/trusted
StrongIsola@on
Communica@onsubjecttoglobalsecuritypolicy
LinaroConnectSFO'179|
Claim:Asystemmustbeconsidereduntrustworthyunlessprovedotherwise!
Corollary[withapologiestoDijkstra]:Tes@ng,codeinspec@on,etc.canonlyshowlackoftrustworthiness!
LinaroConnectSFO'1710|
Trustworthiness:CanWeRelyonIsola@on?
A system is trustworthy if and only if: • it behaves exactly as it is specified, • in a timely manner, • while ensuring secure execution
ProvablySecureOpera@ngSystem
LinaroConnectSFO'1711|
Small,
fast,
capability-based,
operating system kernel
World’s fastest (5–10X faster) operating system designed for
security and safety ⬇
Suitable for real-world deployment
~10,000 lines of C and ASM code ⬇
Small attack surface, Amenable to full verification
Code that runs in privileged mode of the hardware ⬇︎
Most critical part
Non-kernel code can only access resources and communication channels if explicitly authorised with a per-object access token
(capability) ⬇ ︎
• Confined damage • Least privilege
Threads IPC VM seL4
access control
com
pone
nts
hardware
Privileged mode
Unprivileged mode
L3→L4 “X” Hazelnut Pistachio
L4/Alpha
L4/MIPS
OKL4-µKernel
OKL4-Microvisor
Codezero
P4→PikeOS
Fiasco Fiasco.OC
L4-embed.
NovaGMD/IBM/Karlsruhe
UNSW/NICTA
Dresden
Other(commercial)
OKLabs
L4Re
20+YearsofL4MicrokernelR&D
June'1712|
APIInheritance
CodeInheritance
93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
seL4:Thelatest(andmostadvanced)memberoftheL4microkernelfamily
Qualcommmodemchips
iOSsecurityprocessor
Integrity
AbstractModel
CImple-menta@on
Confiden-@ality Availability
Binarycode
Proo
fProo
fProo
f
Func@onalcorrectness[SOSP’09]
Isola@onproper@es[ITP’11,S&P’13]
Transla@oncorrectness[PLDI’13]
Exclusions(atpresent):§ Ini@alisa@on§ Low-levelMMUmodel§ caches§ Mul@core§ Covert>mingchannels
Worst-caseexecu@on@me
[RTSS’11,RTAS’16]
Provablyimpossible:§ bufferoverflow§ null-pointerdereference§ codeinjec@on§ memoryleaks§ kernelcrash§ undefinedbehaviour§ privilegeescala@on
ProvingTrustworthinessofseL4
LinaroConnectSFO'1713|
HowDoesseL4Compare?
LinaroConnectSFO'1714|
Feature seL4 Otherhypervisors, RTOSes,
separationkernels
Performance Fastest 2–10×slower
Functional
correctness
Proved NoGuarantee
Isolation Proved NoGuarantee
Worst-case
latencybounds
Sound&
complete
Estimatesonly
Storagechannel
freedom
Proved NoGuarantee
Timingchannel
prevention
Lowoverhead NoneorHighOverhead
Mixed-criticality
support
Fullysupported,
highutilisation
Limited,resource-wastive
Virtualisa@on
COMP9242S2/2017W04
guestOS
Guestapps VMM
Syscall
Hypercall Excep@onIPC
VM
User
Kernel
Hyp
guestOS
Guestapps VMM
VM
Uncri@cal/untrusted
SecuritybyArchitecture
LinaroConnectSFO'1716|
Cri@calcontrol
Uncri@cal/untrusted
Linux
AppsAppsApps
Devicedriver
Virtualmachineforlegacy
Extractcri@calbits,runna@ve
NWstack
Cyber-retrofit!
Incrementalprocess:migrate
inpieces
Real-WorldExample:DARPAHACMS
BoeingUnmannedLi"leBird USArmyAutonomousTrucks
TARDECGVR-BotSMACCMcopterResearchVehicle
Retrofitexis@ngsystem!
Retrofitexis@ngsystem!
Developtechnology
LinaroConnectSFO'1717|
Example:Communica@ngProcesses
June'1718|
Thread-ObjectA CNodeA1 EP Thread-ObjectBCNodeB1CNodeA2
VSpace
VSpace
CSpace CSpace
Send
Receive
PDAPTA1FRAME
FRAME
...
...
... ...
...
...CONTE
XT
CONTE
XT
A B
Communica@onendpoint(port)
ComponentMiddleware:CAmkES
June'1719| ����������� ������ ������������������������� &9�#�$"
�2-!�
3 ����������������������(������������
3 ���*������������<$8(�����-������
3 ������������������(��������)���)����)�����
component
connector
interfaceHigher-levelabstrac@onsoflow-levelseL4constructs
Example:SimplifiedHACMSUAV
June'1720|
RadioDriver
Crypto
CANDriver
DataLink
Uncri@cal/untrusted
Uncri@cal/untrusted,contained
Linux
Camera
Wifi
EnforcingtheArchitecture
LinaroConnectSFO'1721|
Architecturespecifica@onlanguage
A
CNode EP CNodeCSpace CSpace
Send
Receive
... ...
CONTE
XT
CONTE
XTVSpace
component code+
CAmkES
capDLgluecode
+ proof
initialised system + proof
+ proofThreadObject
ThreadObject
VSpace
A B
B
Low-levelaccessrights
init.c
driver.c VMM.cglue.c
Compiler/Linker
binary
RadioDriver
Crypto
CANDriver
DataLink
Uncri@cal/untrusted
Uncri@cal/untrusted,contained
Linux
Camera
Wifi
Binary
AnalysisTools
Open-SourceArchitectureAnalysis
LCA'16Geelong22|
Generate
GenerateCAmkESComponentDescrip@on .h,.c
GlueCode
Eclipse-basedIDE
Design AADLArchitectureAnalysis&Descrip@onLanguage
Safety✔
Military-GradeSecurity
LinaroConnectSFO'1723|
Cross-DomainDesktopCompositor
Mul@-levelsecureterminal• SuccessfuldefencetrialinAU• EvaluatedinUS,UK,CA• Formalsecurityevalua@onsoon
Pen10.com.aucryptocommunica@ondeviceundergoingformalsecurityevalua@oninUK
h"p://sel4.systems
Securityisnoexcuseforpoorperformance!
Military-GradeSecurityforYou!
GernotHeiser|[email protected]|@GernotHeiserLinaroConnectSFO’17