How To Build A Provably Secure Execution Platform For Embedded Systems

(1)

Provably Secure Execution

Platforms for Embedded

Systems

----

The PROSPER Project

Mads Dam

KTH Royal Institute of Technology

(2)

The Evolving Security Landscape

Increasing attack surfaces Increasing aggregate value

Increasing attack sophistication

Increasing demand for strong security solutions Industrial pull for strong verification techniques Significant exploitation potential

(3)

It’s the Execution Platform, Stupid !

Processor hardware: a shared commodity

- User, payment provider, media owner, platform provider, operating system, …

- All need private, tamperproof storage and cpu cycles - Without this, security will remain fragile

Need trustworthy execution environments

- Allow secure sharing of hardware - Memory isolation

- Minimal

(4)

Secure Virtualization

CPU OS Applications Secure OS Applications Hypervisor

(5)

PROSPER Objectives

Build the next-generation framework for fully

verified, secure hypervisors for embedded systems Demonstrate utility using

- Commodity hardware – ARMv7/v8, MIPS, … - Commodity software – Linux, RTOS, …

Develop the required verification technology

- Theory - Tools

- For security formalization and analysis - For hypervisor development

(6)

Demonstrator: Provably Secure Kernel

Updates in Linux on ARM

Monitor Hypervisor Network driver Objective: Execute only signed programs

(7)

What Does This Give Us?

Theorem: Assume:

1. The processor model is correct.

2. The hypervisor is securely initialized.

3. The initial Linux image is signed. Then:

(8)

What Does This Give Us?

Only signed code is ever executed, AND Hypervisor is never tampered with

(9)

What Does This Give Us?

Only signed code is ever executed, AND Hypervisor is never tampered with, AND Monitor is never tampered with

(10)

What Does This Give Us?

Only signed code is ever executed, AND Hypervisor is never tampered with, AND Monitor is never tampered with, AND

No memory page is ever simultaneously write and execute enabled, …

(11)

What Does This Give Us?

Only signed code is ever executed

(12)

What Does This Give Us?

Only signed code is ever executed

This is a big deal!

Theorem about security inside COTS OS

No Linux bug can cause unsigned code to be executed

(13)

How Do We Do This?

Theorem proving + binary verification

• Formal processor ISA specification

- Including memory management unit - Large task

• Top level security specification:

Processor + idealized MMU behaviour

• Low level implementation

• Proof of equivalence

(14)

PROSPER Results So Far

Hypervisor #1:

• Separation kernel for ARMv7

• Fully verified at assembly level

• Papers in CCS’13, CPP’13, TrustED’13

Hypervisor #2:

• Linux-on-ARM hypervisor

• Partially verified at assembly level

• Papers in CCS’14, Sofsem’15 Lots of auxiliary theory and tools

(15)

PROSPER Results To Come

Hypervisor #3:

• Linux-on-ARM hypervisor for 64 bit ARMv8

• Much more complex hardware: - Multicore essential

- Virtualization support To do:

• ISA-level multicore model + validation

• Processor architecture analysis tool

• Verification support for concurrent machine code

(16)

Spin-offs and Collaborations

Vinnova UDI project HASPOC w. Ericsson, Sectra, T2Data, Tutus, Atsec, SICS, KTH

1 patent application 2 PhD’s completed

Open source hypervisor release

SICS project with Ericsson Research EU FP7 project UaESMC, KTH

MONITOR project KTH-Ericsson

HOL4 Cambridge team (Fox, Myreen) TU-Berlin and DT Labs (Seifert)

INRIA/IRISA/DGA Rennes

(17)

Team

At KTH:

•Mads Dam, Prof, PI

•Roberto Guanciale, postdoc

•Christoph Baumann, postdoc

•Hamed Nemati, PhD student

•MSc students

•(Andreas Lundblad, PhD)

•(Gurvan le Guernic, postdoc)

•(Narges Khakpour, postdoc)

•(Musard Balliu, PhD)

At SICS:

•Christian Gehrmann, PhD, co-PI

•Arash Vahidi, PhD

•Oliver Schwarz, PhD student

•Viktor Do, researcher

(18)

Main Publications

• Schwarz, Gehrmann, “Securing DMA through Virtualization”, IEEE Workshop on Complexity in Engineering, June 2012, Aachen, Germany.

• Balliu, Dam, Le Guernic. “ENCOVER: Symbolic Exploration for Information Flow Security”. In Proc. CSF '12.

• Dam, Lundblad, le Guernic: “TreeDroid: a tree automaton based approach to enforcing data processing policies", Proc. CCS'12

• Vahidi, Jämthagen, "Secure RPC in embedded systems - Evaluation of some GlobalPlatform implementation alternatives”, 8th Workshop on Embedded Systems Security, 2013

• Dam, Guanciale, Khakpour, Nemati, Schwarz, "Formal Verification of Information Flow Security for a Simple ARM-Based Separation Kernel", CCS’13

• Khakpour, Schwarz, Dam, "Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties", Proc CPP’13

• Dam, Guanciale, Nemati, “Machine code verification of a tiny ARM hypervisor”, in Proc. TrustED’13

• Lundblad, “Inlined reference monitors: Certification, concurrency, and tree based monitoring”, PhD thesis, KTH, 2013

• M. Balliu: A Logic for Information Flow Analysis of Distributed Programs. Proc. 18th Nordic Conference on Secure IT Systems, NordSec 2013, Ilulissat, Greenland, October 18- 21, 2013.

• M. Dam, R. Guanciale, N. Khakpour "Method and Approach for Kernel Security Analysis," PCT pat. application no. PCT/EP2013/059602, 2013

• O. Schwarz, C. Gehrmann, V. Do. Affordable Separation on Embedded Platforms: Soft Reboot Enabled Virtualization on a Dual Mode System, Proc. Trust’14, 2014.

• Balliu, Dam, Guanciale: Automating information flow analysis of low level code, CCS’14

• Schwarz, Dam: Formal verification of secure user mode device execution with DMA, HVC’14

• Nemati, Guanciale, Dam: Trustworthy isolation of the ARMv7 memory subsystem, Sofsem’15

• Musard Balliu: Logics for information flow security: From specification to implementation, PhD thesis, KTH, 2014.