SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM
Liu Yang, Associate Professor, NTU
SG-CRC 2018, 28 March 2018
Securify Approach: Compositional Security

[Figure: Securify architecture, layered from applications down to hardware, with "Reasoning with Untrusted Components" as the overall theme]
• Applications: model-based automatic secure code generation; program verification
• Security-enhanced libraries: library verification; runtime verification; security verification
• Secure micro-OS / micro-kernel: kernel verification
• Hardware: hardware-aided security; hardware verification; dynamic analysis
Research Highlights
• Detection of errors in the ARINC-653 standard for safety of partitioning systems; recognized by the ARINC-653 Committee and revised according to our proposed fixes.
• Multi-core separation micro-kernel verification; building demos using the verified micro-kernels.
• Library verification and safe code generation; collaboration on generating secure libraries for the Linux kernel and critical components in autonomous vehicles.
• Runtime verification; attack detection in CAN bus and Android for malware detection.
• Vulnerabilities reported: 100+ CVEs reported in commercial software, with 100K USD in bug bounties.
Internet of Things

[Figure: application domains arranged around a foundational secure architecture]
• Application domains: communication devices, smart home, aerospace, smart nation, banking devices, medical devices, embedded systems, ITS, high assurance systems
• Defense properties: attack isolation, dynamic monitoring, isolation of critical back-ends from non-secure front-ends, fault containment, foundational secure architecture
Approaching Device Security by Construction

[Figure: current non-secure architecture beside the proposed secure architecture]
Current non-secure architecture:
• Processes make calls to a buggy system/library
• Linux (monolithic kernel): drivers (bugs); libraries (bugs); security mechanisms (NX, ASLR, etc.) (bugs); access control mechanisms (bugs)
• HW
Proposed secure architecture:
• Processes truly isolated; functional and memory safety correctness using safe code generation from specification
• Security Monitor: runtime monitor for dynamic security
• Separation micro-kernel: necessary and sufficient set of verified services providing spatial and temporal isolation
• HW
Approaching Device Security by Construction

[Figure: the Security Monitor (runtime monitor for dynamic security) sits between processes and the verified kernel interface, classifying system calls for scheduling and process communication as legal or illegal actions before they reach the verified separation micro-kernel]
• Security Monitor: runtime monitor for dynamic security
• Verified kernel interface: system calls for scheduling and process communication, separated into legal and illegal actions
• Verified separation micro-kernel: necessary and sufficient set of verified services providing spatial and temporal isolation
• HW
Monolithic Approach in AV

[Figure: self-driving system, user interface, GPS driver, CAN adaptor driver, camera driver, WiFi driver and Bluetooth driver all running on Linux; the CAN bus connects the steering, brake and acceleration ECUs]
Monolithic Approach in AV

[Figure: same architecture, annotated as a vulnerable system: every driver shares the Linux kernel with the self-driving system, so the CAN bus is easily accessible and the AV is easy to hijack]
A Separation Approach for AV Security

[Figure: each driver (malicious Bluetooth driver, WiFi driver, camera driver, GPS driver, CAN adaptor driver), the user interface and the self-driving system run as isolated components on the separation micro-kernel with a Security Monitor; the CAN bus connects the steering, brake and acceleration ECUs]
• Isolated components: malicious agents do not have access to other domains.
A Separation Approach for AV Security

[Figure: same separation architecture]
• The verified micro-kernel ensures that there are no kernel exploits able to affect the information flow.
A Separation Approach for AV Security

[Figure: same separation architecture]
• Indirect access can be controlled: communication in the channel is limited, and the Security Monitor can control the information sent between domains.
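As an added example, not code from Securify or its authors, the toy Python security monitor below mediates messages between the isolated AV domains named on these slides; the domain names, the channel table and the payload limits are constructed assumptions. A compromised Bluetooth driver has no channel to the CAN adaptor, and even a legal channel is bounded in what it may carry.

```python
from dataclasses import dataclass, field

# Constructed domain names, following the partitioning drawn on the AV slides.
DOMAINS = {"bluetooth", "wifi", "ui", "camera", "gps", "self_driving", "can_adaptor"}

# Explicit channels (sender, receiver) -> maximum payload size in bytes.
# Assumption: default deny; anything not listed here is an illegal action.
# The bluetooth and wifi domains deliberately have no outgoing channel.
CHANNELS = {
    ("ui", "self_driving"): 64,
    ("camera", "self_driving"): 4096,
    ("gps", "self_driving"): 64,
    ("self_driving", "ui"): 256,
    ("self_driving", "can_adaptor"): 8,   # classic CAN frames carry at most 8 data bytes
}


@dataclass
class SecurityMonitor:
    """Mediates every inter-domain message and records a verdict for each one."""
    channels: dict
    audit: list = field(default_factory=list)

    def send(self, src: str, dst: str, payload: bytes) -> bool:
        if src not in DOMAINS or dst not in DOMAINS:
            verdict = "unknown-domain"
        elif (src, dst) not in self.channels:
            verdict = "no-channel"          # spatial isolation: no path between these domains
        elif len(payload) > self.channels[(src, dst)]:
            verdict = "oversize"            # limited communication on a legal channel
        else:
            verdict = "legal"
        self.audit.append((src, dst, len(payload), verdict))
        return verdict == "legal"


def run_scenario() -> list:
    """Replay a few constructed messages, including a compromised Bluetooth driver's attempts."""
    mon = SecurityMonitor(CHANNELS)
    mon.send("gps", "self_driving", b"1.3521,103.8198")      # legal telemetry
    mon.send("self_driving", "can_adaptor", b"\x00" * 8)     # legal 8-byte CAN frame
    mon.send("self_driving", "can_adaptor", b"\x00" * 9)     # oversize: rejected
    mon.send("bluetooth", "can_adaptor", b"\x00" * 8)        # no channel: rejected
    mon.send("bluetooth", "self_driving", b"cmd")            # no channel: rejected
    return mon.audit


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

The audit list is what a runtime monitor would hand to detection: the rejected entries are exactly the illegal actions the slides describe.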
Summary
• Securify provides a secure architecture by construction with a verified secure separation kernel and run-time monitoring for dynamic security.
• The separation kernel provides a secure architecture for high assurance systems.
• Security can be enhanced with a trusted, privileged system run-time monitor.
• Securify foundations can be used to provide a secure architecture for IoT devices and ITS, which naturally fixes most of the problems of monolithic approaches.
Thanks for your attention!