tock a secure operating system for microcontrollers
play

Tock: A Secure Operating System for Microcontrollers Limitations of - PowerPoint PPT Presentation

Feb 10, 2023 •545 likes •1.11k views

Amit Levy SITP Retreat, June 22, 2018 Tock: A Secure Operating System for Microcontrollers Limitations of Microcontroller Sofware Low memory: ~64 kB RAM No virtual memory Cant use Linux! No isolation USB authentication

  1. Amit Levy SITP Retreat, June 22, 2018 Tock: A Secure Operating System for Microcontrollers

  2. Limitations of Microcontroller Sofware ➔ Low memory: ~64 kB RAM ➔ No virtual memory ➔ Can’t use Linux! ➔ No isolation ➔ USB authentication keys have multiple functions ➔ Sensor networks run several experiments at once ➔ Fitness watches support diferent activities 2

  3. Multi-User Device: Signpost Modular city-scale sensing ➔ Tracking Ambient conditions ➔ Pedestrian density ➔ Noise monitoring 8 pluggable modules ➔ Microcontroller + Sensors Several applications per module Currently deployed @ U.C. Berkeley 3

  4. OTA Updates: Helium ➔ End-to-end IoT “solution” ➔ Programmable module – Long-range radio – MCU runs customer services + applications ➔ Abandoned a previous version that used Lua ➔ Next version uses Tock 4

  5. Security Sensitive Device: Google Titan ➔ Google’s Titan chip: security hardened MCU ➔ Server root-of-trust, authentication ➔ Without Tock: a handful of experts audit all code ➔ Open source port of Tock started during internship 5

  6. Thesis: Embedded Devices are Multiprogrammed ➔ Multiple users running applications concurrently ➔ Applications updated dynamically – Small payloads better – Buggy updates shouldn’t brick devices ➔ Security sensitive devices want least privilege 6

  7. Tock Embedded OS ➔ Growing open-source community – 883 GitHub followers, >100 mailing list subscribers – 54 contributors (so far) to main project – ~20 contributors to out-of-tree HW ports – >100 developers trained at Tock tutorials ➔ Growing HW support – ARM Cortex-Ms: Atmel SAM4L, Nordic NRF5x, TI CC26xx & TM4C129x, NXP MK66, STM32 – RISC-V port at a secret facility outside Boston

  8. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 8

  9. Example: USB Authentication Key ➔ Multiple independent applications ➔ No programmability in favor of security ➔ Result: Handful of programmers control sofware stack 9

  10. Platform (~10 developers) ➔ Build the hardware ➔ Responsible for TCB: core kernel, MCU-specific code ➔ Trusted: complete control over firmware & hardware Goal: possible to correctly extend TCB 10

  11. OS Services (~1000 developers) ➔ Most OS services come community – Device drivers, networking protocols, timers... ➔ Platform provider can audit but won’t catch all bugs Goal: protect kernel from safety violations 11

  12. Applications (~20M developers) ➔ Implement end-user functionality ➔ “Third-party” developers: unknown to platform provider ➔ Potentially malicious Goal: end-users can install 3rd-party apps 12

  13. Need New Isolation Techniques ➔ With 64 kB, malloc a serious threat to system stability ➔ No virtual memory ➔ Still need to solve driver isolation – GC’d languages & hardware isolation too resource heavy 13

  14. New Tools Available Memory Protection Unit (MPU) ➔ Protection bits for 8 memory regions ➔ Isolate processes for applications Rust ➔ Non-GC'd type-safe systems language ➔ Prevent safety violations in kernel at very low cost 14

  15. Tock: A Microcontroller OS ➔ Processes : Use the Memory Protection Unit ➔ Capsules : Type-safe Rust API for safe driver development ➔ Grants : Bind dynamic kernel resources to process lifetime 15

  16. Tock’s Isolation Mechanisms Processes ● Standalone executable in any language ● Isolation enforced at runtime ● Higher overhead ● Applications Totally untrusted Capsules ● Rust code linked into kernel ● Isolation enforced at compile-time ● Lower overhead Trusted for liveness, not safety ● Used for device drivers, protocols, timers... 16

  17. Processes ➔ Hardware-isolated concurrent programs in any language – MPU to protect memory regions without virtualization – Independent stack, heap, static variables ➔ Run dynamically, compiled with position independent code ➔ Scheduled preemptively ➔ System calls & IPC for communication 17

  18. Process Overhead ➔ Dedicated memory region (at least a stack) ➔ Context switch for communication (340 cycles) 18

  19. Capsules ➔ A Rust module and structs ➔ Single-threaded event-loop with asynchronous I/O ➔ Single stack ➔ No heap ➔ Communicate via references & method calls, ofen inlined 19

  20. Capsule Resource Overhead Example 1: “blink” ROM size (B) RAM size (B) Tock 3208 916 TinyOS 5296 72 Example 2: Networked sensor ROM size (B) RAM size (B) Tock 41744 9704 TinyOS 39604 10460 20

  21. Capsule Isolation struct DMAChannel { length: u32, base_ptr: *const u8, } impl DMAChannel { fn send_buffer(&self, buf: &'static [u8]) { self.length = buf.len(); self.base_ptr = buf.as_ref(); } } ➔ Exposes the DMA base pointer and length as a Rust slice ➔ Type-system guarantees user has access to memory ➔ Won’t be deallocated before DMA completes 21

  22. Safe Dynamic Kernel Allocation 22

  23. Working Example: Sofware Timer Sofware Timer Kernel HW Alarm 23

  24. Statically allocate timer state? FAIL Sofware Timer Driver Static allocation must trade of memory eficiency and maximum concurrency 24

  25. What About Dynamic Allocation? FAIL AES Driver Sofware Timer Driver Bluetooth Driver Can lead to unpredictable shortages. One process’s demands impacts capabilities of others. 25

  26. Grants: Per-Process Kernel Heaps ➔ Allocations for one process do not afect others ➔ System proceeds if one grant section is exhausted ➔ All process resources freed on process termination Grant section RAM Heap Process Data Accessible Stack Memory Flash Code 26

  27. Grants: Per-Process Kernel Heaps Sofware Timer Driver Grants balance safety and reliability of static allocation with flexibility of dynamic allocation 27

  28. Grants use the type-system to ensure references only accessible when process is live // Can’t operate on timer data here timer_grant.enter(process_id, |timer| { // Can operate on timer data here if timer.expiration > cur_time { timer.fired = true; } }); // timer data can’t escape here fn enter<'a, F>(&'a self, pid: ProcId, f: F) → where F: for<'b> FnOnce(&'b mut T) 28

  29. Grants: No Cross-Process Structures Shared Heap Process 1 Process 2 Sofware Timer Driver 29

  30. Grants: No Cross-Process Structures μS 30

  31. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 31

  32. Power State & Clock Control ➔ Power draw combo of duty cycle and active draw – What’s the deepest sleep state we can drop to? – Which clock should drive active peripherals? ➔ Multiprogramming makes both harder! RCSYS RCFAST Duty Cycle a Function of Workload Impact of Active Clock Selection 32

  33. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 33

  34. Multiprogramming a Peripheral ➔ A platform must support all possible applications – Eficient protocols may not be so eficient anymore ➔ Peripheral communication not designed for multiprogramming – How to restart individual components? – How to isolate services? – Virtualizing vs. Multiplexing 34

  35. Multiprograming a Microcontroller 1.Memory & Performance Isolation 2.Power & Clock Control 3.Peripheral communication busses 4.Future work 35

  36. Future Work ➔ Writing & Enforcing security policies – For the kernel: language-based capability system? – For processes: permissions without a file system? – For networked applications: cryptographic tokens? ➔ Debugging embedded applications – Security implications – Logging ➔ More applications, more hardware – RISC-V, x86 – Wearables, sensor networks, security devices 36

  37. Tock: A Secure Operating System for Microcontrollers ➔ Embedded devices are multiprogrammable – Security, Sofware Updates, Multi-tenancy ➔ Tension between isolation and resources – Traditional approaches insuficient for low memory – New programming languages & hardware features help ➔ Must also rethink: power management, networking, security policies... 37

  38. Evaluating End-to-End 38

  39. Evaluating with Practitioners ➔ Researchers working with Tock ➔ Half-day tutorials (~100 people) ➔ Open source community (45+ contributors) ➔ Embedded Systems class at Stanford 39

  40. Security is an End-to-End Property ➔ Is threat model realistic? ➔ Can system builders extend TCB safely? ➔ Can developers build applications? 40

  41. Realistic Threat Model? Signpost Helium Titan App Applications Researchers Customers Developers Module Community, Product Capsules builders Helium Inc. developers Signpost Platform Helium Inc. Titan team authors 41

  42. Security is an End-to-End Property ✓ ➔ Is threat model realistic? ➔ Can system builders extend TCB safely? ➔ Can developers build applications? 42

  43. Safely Extend the TCB? Rule out common errors by design: ➔ Synchronization with interrupt handlers ➔ Untrusted user pointers ➔ Use-afer-free 43

Recommend

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2

Tock Operating System Safety without Processes for Embedded Systems 1 Stanford University 2 University of Michigan 3 University of California, Berkeley 1 Amit Levy 1 Brandon Ghena 2 Michael Andersen 3 Brad Campbell 2 Gabe Fierro 3 Pat Pannuto 2

582 views • 57 slides
HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir

HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir

HIERARCHICAL CLUSTERING OF MESSAGE FLOWS IN A MULTICAST DATA DISSEMINATION SYSTEM Yoav Tock, Nir Naaman, Avi Harpaz, Gidon Gershinsky IBM Haifa Research Laboratory Mount Carmel, Haifa 31905, Israel { tock,naaman,harpaz,gidon } @il.ibm.com

291 views • 7 slides
AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller

AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller

Microprocessors, Lecture 3: AVR Microcontrollers- Introduction AVR Microcontrollers Widely-used microcontroller Different families Based on the application and Flash memory capacity Classic AVR e.g. AT90S2313, AT90S4433

704 views • 27 slides
InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 23, 2005 Lecture 11 Lecture 11 Page 1 Page 2

553 views • 8 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 27, 2006 Lecture 12 Lecture 12 Page 1 Page 2

329 views • 9 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

981 views • 39 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

588 views • 20 slides
InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

1.06k views • 79 slides
Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Silberschatz and

714 views • 35 slides
Module 3: Operating-System Structures System Components Operating-System Services

Module 3: Operating-System Structures System Components Operating-System Services

' $ Module 3: Operating-System Structures System Components Operating-System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation &amp; %

589 views • 13 slides
Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating System Security Data and process are directly visible Application security can be circumvented from lower layers = &gt; good scope

103 views • 8 slides
to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051

to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051

Introduction review to of Microcontrollers ECE Senior Design 9 February 2017 Popular Microcontrollers 8051 Intel then Everyone (8-bit old ) PIC Microchip (8, 16 &amp; 32bit) AVR Atmel (8 &amp; 32bit) MSP430 TI

288 views • 5 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
A better picture Many applications Application One Operating System System calls Operating

A better picture Many applications Application One Operating System System calls Operating

Introduction Operating Systems Spring 2003 OS Spring03 What is Operating System? It is a program! It is the first piece of software to run after boot It coordinates the execution of all other software User programs It

306 views • 12 slides
Operating System Overview Chapter 2 1 Operating System A program that controls the

Operating System Overview Chapter 2 1 Operating System A program that controls the

Operating System Overview Chapter 2 1 Operating System A program that controls the execution of application programs An interface between applications and hardware 2 1 Operating System Objectives Convenience Makes the

719 views • 33 slides
T AKING S TOCK OF THE S ELF - R EGULATION E XPERIMENT : T HE P AST

T AKING S TOCK OF THE S ELF - R EGULATION E XPERIMENT : T HE P AST

T AKING S TOCK OF THE S ELF - R EGULATION E XPERIMENT : T HE P AST , P RESENT AND F UTURE OF THE P LATFORM ON D IET , P HYSICAL A CTIVITY AND THE EU A LCOHOL AND H

179 views • 4 slides
Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent

Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent

Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent http://www.cs.kent.ac.uk/ Compiling occam to C with Tock p. 1 Introduction We do most of our work with occam- Big new project starting in a couple of

369 views • 22 slides
The Operating System Computer Literacy1 Lecture 6 02/10/08 Topics Firmware Operating

The Operating System Computer Literacy1 Lecture 6 02/10/08 Topics Firmware Operating

The Operating System Computer Literacy1 Lecture 6 02/10/08 Topics Firmware Operating System Applications and Plug-ins Examples for Operating Systems Function of Operating System Virtual Memory Bootstrapping GUI

482 views • 12 slides
Operating System Overview Chapter 2 Operating System A program that controls the execution

Operating System Overview Chapter 2 Operating System A program that controls the execution

1 Operating System Overview Chapter 2 Operating System A program that controls the execution of application programs An interface between applications and hardware 2 Operating System Objectives Convenience Makes the

758 views • 65 slides
PICOBIT: A Compact Scheme System for Microcontrollers Vincent St-Amour Universit e de Montr

PICOBIT: A Compact Scheme System for Microcontrollers Vincent St-Amour Universit e de Montr

PICOBIT: A Compact Scheme System for Microcontrollers Vincent St-Amour Universit e de Montr eal (now at Northeastern University) Marc Feeley Universit e de Montr eal 21st Symposium on the Implementation and Application of

500 views • 31 slides
ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A

ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A

ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A Microcontroller-Based Embedded System 2 / 40 Introduction ARM Extensions IP Cores ARM based System Summary Roadmap Introduction 1 ARM ARM Basics

833 views • 40 slides
Introduction Outline What is an operating system? History of operating systems

Introduction Outline What is an operating system? History of operating systems

Introduction Outline What is an operating system? History of operating systems Where does the operating system fjt in a computing system? User mode and kernel mode What are the general operating system functions? 1 What is

450 views • 26 slides
Security I CS 4410 Operating Systems [E. Birrell, A. Bracy, F. B. Schneider, E. Sirer, R. Van

Security I CS 4410 Operating Systems [E. Birrell, A. Bracy, F. B. Schneider, E. Sirer, R. Van

Security I CS 4410 Operating Systems [E. Birrell, A. Bracy, F. B. Schneider, E. Sirer, R. Van Renesse] References: Security Introduction and Access Control by Fred B. Schneider Secure Systems? A secure system will do what is expected

592 views • 25 slides

More recommend