Secure Resource Sharing for Embedded Protected Module Architectures - PowerPoint PPT Presentation



  1. Secure Resource Sharing for Embedded Protected Module Architectures. Jo Van Bulck, Job Noorman, Jan Tobias Mühlberg and Frank Piessens. August 24, 2015

  2. Contents: 1. Embedded Problem Domain; 2. Protected Module Architectures; 3. Motivation; 4. Logical File Access Control; 5. Conclusion

  3. “Embedded-systems security is, for lack of a better word, a mess.” – John Viega & Hugh Thompson. VIEGA John, THOMPSON Hugh, The state of embedded-device security (spoiler alert: It's bad), IEEE Security & Privacy 10(5), September 2012, pp. 68-70.

  4. Software Isolation. Conventional: ● relatively expensive ● power-consuming => virtual memory & kernel mode. Embedded: ● cheap ● low power => single address space


  6–7. Protected Module Architectures ● Isolated execution areas in a single address space ● Program-counter-based access control mechanism: what an instruction may do to a memory location depends on where the program counter (PC) currently is, not on a privilege level (slide 7 repeats the table with the PC highlighted)
       From \ to               Protected Entry   Protected Code   Protected Data   Unprotected
       Protected               r-x               r-x              rw-              rwx
       Unprotected/other SPM   r-x               r--              ---              rwx
       STRACKX Raoul et al., Protected Software Module Architectures, ISSE 2013 Securing Electronic Business Processes, Springer Fachmedien Wiesbaden, 2013, pp. 241-251.
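The program-counter-based access matrix above, as an added example in C that is not code from the slides or from any PMA implementation: a software model that classifies the target address by which module owns it, picks the matrix row by whether the PC is inside that module's text section, and then consults the slide's matrix. The module layout, the region and access names, and the helper functions (classify, pma_allows, demo_allows) are assumptions made for this simulation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Columns of the slide's matrix, relative to one SM: Entry, Code, Data, Unprotected. */
enum region { R_ENTRY = 0, R_CODE = 1, R_DATA = 2, R_UNPROT = 3 };
enum access { A_READ = 1, A_WRITE = 2, A_EXEC = 4 };

/* One protected module as [start, end) ranges; the entry point(s) are the first
 * bytes of the text section. All layout values are assumptions. */
struct sm_layout {
    uint16_t entry_start, entry_end;
    uint16_t text_start, text_end;
    uint16_t data_start, data_end;
};

/* The slide's matrix. Row 0: the PC is inside the owning module's text section.
 * Row 1: the PC is in unprotected code or inside another SM. */
static const uint8_t pma_matrix[2][4] = {
    /*           Entry           Code           Data            Unprotected           */
    /* module */ { A_READ|A_EXEC, A_READ|A_EXEC, A_READ|A_WRITE, A_READ|A_WRITE|A_EXEC },
    /* others */ { A_READ|A_EXEC, A_READ,        0,              A_READ|A_WRITE|A_EXEC },
};

static enum region classify(const struct sm_layout *m, uint16_t addr)
{
    if (addr >= m->entry_start && addr < m->entry_end) return R_ENTRY;
    if (addr >= m->text_start  && addr < m->text_end)  return R_CODE;
    if (addr >= m->data_start  && addr < m->data_end)  return R_DATA;
    return R_UNPROT;
}

/* Decide whether code running at pc may perform op on addr, given all loaded
 * modules. Ownership of addr is decided first; the row depends only on whether
 * pc lies in the owning module's text section (entry or code). */
bool pma_allows(const struct sm_layout *mods, size_t n,
                uint16_t pc, uint16_t addr, enum access op)
{
    for (size_t i = 0; i < n; i++) {
        enum region target = classify(&mods[i], addr);
        if (target == R_UNPROT)
            continue;                            /* addr is not owned by this SM */
        enum region from = classify(&mods[i], pc);
        int row = (from == R_ENTRY || from == R_CODE) ? 0 : 1;
        return (pma_matrix[row][target] & op) != 0;
    }
    /* Unprotected memory is readable, writable and executable by everyone. */
    return (pma_matrix[0][R_UNPROT] & op) != 0;
}

/* A single demo module (assumed layout) so the check can be called with bare
 * addresses: entry at 0x8000-0x800f, text 0x8000-0x81ff, data 0x0200-0x02ff. */
static const struct sm_layout demo_sms[1] = {
    { 0x8000, 0x8010, 0x8000, 0x8200, 0x0200, 0x0300 },
};

bool demo_allows(uint16_t pc, uint16_t addr, enum access op)
{
    return pma_allows(demo_sms, 1, pc, addr, op);
}

int main(void)
{
    /* Unprotected code (pc 0x4000) may call the entry point, but may neither
     * jump into the middle of the module's code nor read its data. */
    printf("call entry from outside:     %d\n", demo_allows(0x4000, 0x8000, A_EXEC));
    printf("jump mid-code from outside:  %d\n", demo_allows(0x4000, 0x8100, A_EXEC));
    printf("read SM data from outside:   %d\n", demo_allows(0x4000, 0x0250, A_READ));
    printf("write SM data from inside:   %d\n", demo_allows(0x8100, 0x0250, A_WRITE));
    return 0;
}
```

The point the matrix makes is that the data section is unreadable from everywhere except the module's own text section, and that the only way into the module is through its entry point; a second SM is "other" with respect to the first, so it is checked against row 1 just like unprotected code.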

  8. Sancus ● Hardware-level PMA ● Zero-software TCB → strong attacker model ● SM == unit of protection / authentication → hardware UID and cryptographic key per SM → sancus_verify_address & sancus_get_caller_id. NOORMAN Job et al., Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base, Proceedings of the 22nd USENIX conference on Security symposium, 2013, pp. 479-494.



  11. Resource Sharing Approach. Embedded device: resource R (reached via MMIO) lives in unprotected memory and is accessed directly by SM_A and SM_B.

  12. Resource Sharing Approach. Embedded device: resource R is now protected, encapsulated by SM_Server, which owns the MMIO region; SM_A and SM_B reach R only through SM_Server.

  13. Secure Resource Sharing ● Sancus secludes SMs in protection domains: ☺ hardware-enforced security guarantees ☹ no secure sharing of platform resources => protected “OS” modules to supplement the hardware, as opposed to a monolithic privileged kernel (~ an extreme microkernel idea)


  15–18. Sancus File System (SFS) ● UNIX-like file system API (incl. chmod) ● Access control using sancus_get_caller_id ● Pluggable private back-end encapsulating the resource
       Layout (inside the system boundary, left to right): SM A and SM B → SFS API → Front-End (Access Control Layer) → CFS API → Back-End. Front-end and back-end together form the protected file system SMs; the back-end drive is either a shared-memory drive or a flash storage drive over a serial flash MMIO interface.
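The access-control layer sketched on these slides, as an added example in C that is not SFS's own code: a front-end whose every call decides rights from the SM ID reported by sancus_get_caller_id rather than from anything the caller passes in. The file and descriptor tables, the permission bits, the API names (sfs_creat, sfs_chmod, sfs_open, sfs_putc, sfs_getc) and the sim_set_caller stub that stands in for the hardware-supplied caller ID are all assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint16_t sm_id_t;
enum { SFS_R = 1, SFS_W = 2, SFS_MAX_FILES = 4, SFS_MAX_FDS = 4, SFS_MAX_ACL = 4, SFS_BUF = 32 };
struct sfs_file {
    char name[16];
    sm_id_t owner;                                 /* SM that created the file */
    struct { sm_id_t id; uint8_t perm; } acl[SFS_MAX_ACL];
    uint8_t buf[SFS_BUF], len;
};
/* A descriptor remembers the SM that opened it, so a number leaked to or
 * guessed by another SM is useless there. */
struct sfs_fd { int file; sm_id_t holder; uint8_t mode, pos; };
static struct sfs_file files[SFS_MAX_FILES];
static struct sfs_fd   fds[SFS_MAX_FDS];

/* Stand-in for the Sancus hardware primitive (an assumption of this model).
 * On real hardware the caller's SM ID comes from the processor and cannot be
 * forged; here the driver sets it before each call. */
static sm_id_t sim_caller;
void sim_set_caller(sm_id_t id) { sim_caller = id; }
static sm_id_t sancus_get_caller_id(void) { return sim_caller; }

static int find_file(const char *name) {
    for (int i = 0; i < SFS_MAX_FILES; i++)
        if (files[i].name[0] && strncmp(files[i].name, name, sizeof files[i].name) == 0)
            return i;
    return -1;
}

/* The owner has full rights; any other SM has only what chmod granted it. */
static uint8_t rights_of(const struct sfs_file *f, sm_id_t id) {
    if (id == f->owner) return SFS_R | SFS_W;
    for (int i = 0; i < SFS_MAX_ACL; i++)
        if (f->acl[i].perm && f->acl[i].id == id) return f->acl[i].perm;
    return 0;
}

/* creat: the calling SM becomes the owner. 0 on success, -1 on error. */
int sfs_creat(const char *name) {
    int i = 0;
    if (find_file(name) >= 0) return -1;
    while (i < SFS_MAX_FILES && files[i].name[0]) i++;
    if (i == SFS_MAX_FILES) return -1;
    memset(&files[i], 0, sizeof files[i]);
    strncpy(files[i].name, name, sizeof files[i].name - 1);
    files[i].owner = sancus_get_caller_id();
    return 0;
}

/* chmod: only the owner may grant or revoke another SM's rights. */
int sfs_chmod(const char *name, sm_id_t id, uint8_t perm) {
    int i = find_file(name);
    if (i < 0 || files[i].owner != sancus_get_caller_id()) return -1;
    for (int j = 0; j < SFS_MAX_ACL; j++) {
        if (files[i].acl[j].perm == 0 || files[i].acl[j].id == id) {
            files[i].acl[j].id = id;
            files[i].acl[j].perm = perm;
            return 0;
        }
    }
    return -1;                                     /* ACL full */
}

/* open: rights are checked against the hardware-reported caller ID and the
 * descriptor is bound to that SM. Returns an fd or -1. */
int sfs_open(const char *name, uint8_t mode) {
    int i = find_file(name), j = 0;
    sm_id_t me = sancus_get_caller_id();
    if (i < 0 || mode == 0 || (rights_of(&files[i], me) & mode) != mode) return -1;
    while (j < SFS_MAX_FDS && fds[j].mode) j++;
    if (j == SFS_MAX_FDS) return -1;
    fds[j] = (struct sfs_fd){ i, me, mode, 0 };
    return j;
}

/* Every data call re-checks the caller, not only open(). */
static struct sfs_fd *check_fd(int fd, uint8_t need) {
    if (fd < 0 || fd >= SFS_MAX_FDS) return NULL;
    struct sfs_fd *d = &fds[fd];
    if (d->mode == 0 || d->holder != sancus_get_caller_id() || (d->mode & need) != need)
        return NULL;
    return d;
}

int sfs_putc(int fd, uint8_t c) {
    struct sfs_fd *d = check_fd(fd, SFS_W);
    if (!d || files[d->file].len >= SFS_BUF) return -1;
    files[d->file].buf[files[d->file].len++] = c;
    return 0;
}

int sfs_getc(int fd) {                             /* byte, or -1 on error / EOF */
    struct sfs_fd *d = check_fd(fd, SFS_R);
    if (!d || d->pos >= files[d->file].len) return -1;
    return files[d->file].buf[d->pos++];
}
```

Two design points matter here. The caller never supplies its own identity: every decision is keyed on the ID the hardware reports, which is what makes the software access control inherit the hardware's authentication guarantee. And because descriptors are plain integers shared across a single address space, each data call re-checks that the calling SM is the one that opened the descriptor, so an fd leaked by one module does not become a capability for another.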


  20. Access Control Overhead ● Majority of cycles caused by SM switching ● Relative access-control overhead decreases with the amount of work done in the back-end: ☹ protected shared-memory back-end (little work per call, so the switching cost dominates) ☺ flash Coffee FS: 20% for getc and 15% for putc


  22. Conclusion ● Generic resource sharing mechanism ● Confined and explicit TCB: → attestable via sancus_verify → principle of least privilege ● Supplement hw-enforced security guarantees → build upon hw primitives (isolation + caller auth) → sw-based access control guarantees

  23. Secure Resource Sharing for Embedded Protected Module Architectures. Jo Van Bulck, Job Noorman, Jan Tobias Mühlberg and Frank Piessens. https://distrinet.cs.kuleuven.be/software/sancus/wistp2015/
