• No results found

Microcontrollers Deserve Protection Too

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Microcontrollers Deserve Protection Too"

Copied!
29
0
0

Loading.... (view fulltext now)

Download now ( 29 Page )

Full text

(1)

Microcontrollers Deserve Protection Too

Amit Levy

with:

Michael Andersen, Tom Bauer, Sergio Benitez, Bradford Campbell, David Culler, Prabal Dutta, Philip Levis, Pat Pannuto, Laurynas Riliskis

(2)
(3)

Microcontrollers

● Tightly integrated hardware

– A single IC computer (memory, CPU, I/O peripherals)

● Typically:

– Small amount of code memory (<= 512KB flash) – Small amount of RAM (1 – 128KB)

– Low speed CPU (<<< 80MHz)

– Low power consumption (μA sleep currents) – Little/no hardware support for isolation

(4)

Tock

*

: An Operating System for Microcontrollers

● Designed for multi-programming microcontrollers ● Strict application/kernel boundary

● Written in Rust

– Safe but low-level programming language

– Allows compile guarantees on contributed kernel code

● Leverage new hardware features, e.g.

– Memory Protection Unit (MPU) – Faster processor speeds

– DMA, many more I/O peripherals, etc...

(5)

Today's Microcontroller “Operating Systems”

“Operating System”

– Hardware abstraction layer

– Libraries for complex/common tasks

● e.g. 6lowpan, Bluetooth, virtual timers etc'

(6)

Outline

● Why?

– New use cases – New developers – New hardware

● What?

– Untrusted application sandboxing

– Protection from drivers/kernel modules

● How?

– Hardware sandbox for apps

– Language-level sandbox for drivers – Zero dynamic allocation in the kernel

(7)

Outline

● Why?

– New use cases – New developers – New hardware

● What?

– Untrusted application sandboxing

– Protection from drivers/kernel modules

● How?

– Hardware sandbox for apps

– Language-level sandbox for drivers – Zero dynamic allocation in the kernel

(8)

New Use Cases

Ubiquitous computing

– Fitness bands, medical devices, “smart home”

Programmable platforms

– Smart watches – Drones

(9)

New Developers

Cost + tools make hardware development more accessible

– Small teams/startups

● Iterative development

process

● Rapid deployment

– Hobbyists

● One off applications, modding

– Not necessarily embedded

(10)

Old Hardware - telosb

Based on MSP430

– 16-bit – 8Mhz, 10Kb RAM, 48Kb code ●

802.15.4 radio

Power draw

– 5.1 μA idle – 1.8mA idle

(11)

New Hardware

● Based on ARM Cortex-M

– 32-bit

– 40Mhz, 64Kb RAM, 128Kb code

● 802.15.4 and Bluetooth radios ● Power draw

– 2.3-13.0 μA idle – 8 mA active

– < 25% on realistic workloads

● Many more peripherals:

– USB, several USARTS, SPIs and I2Cs,AES

accelerator…

(12)

Why a new Operating System?

New Use Cases

– Software updates on my medical device – Third-party apps

New Developers

– Non expert developers building highly

personal/sensitive products

New Hardware

– Different power profile → different tradeoffs

(13)
(14)

Outline

● Why?

New use cases

– New developers – New hardware

● What?

– Untrusted application sandboxing

– Protection from contributed drivers/kernel modules

● How?

– Hardware sandbox for apps

– Language-level sandbox for drivers – Zero dynamic allocation in the kernel

(15)

Third-party apps

Dynamically loadable

May run concurrently

Example: Pebble watch

– 3rd party app ecosystem

● E.g. pedometer, 2-factor auth, weather info

– Must protect sensor data as well as other app data

Potentially malicious threat model

(16)

Contributed Drivers

● E.g. storage system, network stack, LCD screen, sensors

● Written by the product/platform developer or non-core kernel developers ● Need low-latency access to hardware

– Bitbanging devices, latency sensitive network stacks etc

● Not modeled as malicious, but potentially buggy

– Shouldn't bring down the system

● “If I upgrade this flash driver, will my glucose monitor give me bad

results?”

● Compiled into the kernel

(17)

What Protections does Tock Provide?

● Applications:

– Isolated from each other and from the kernel

– A buggy application cannot bring down the rest of the system

● Drivers:

– Can reason about behavior at compile time

– (Relatively) easy to write non-buggy code with help from the

compiler

– Buggy driver cannot interfere with other critical code – Model ownership of hardware resources explicitly

(18)

Outline

● Why?

New use cases

– New developers – New hardware

● What?

– Untrusted application sandboxing

– Protection from drivers/kernel modules

● How?

– Hardware sandbox for apps

– Language-level sandbox for drivers – Zero dynamic allocation in the kernel

(19)

Tock: Overview

Hardware separation between apps and kernel

(MPU)

Kernel written in safe language (Rust), apps written

in any language

– C, Lua, Rust, etc

– Helps balance safety with low-level access and ease of

use.

Drivers written in language-level sandbox

(20)

Tock: Architecture

Rust Syscall Interface Kernel Core Hardware Sandbox Device Drivers

(Rust language sandbox)

(21)

MPU: Hardware App Sandbox

● Enforce read/write/execute on applications for different

portions of memory

● No virtual addressing but much finer grained than MMU ● On Cortex-M4:

– Up to 64 different regions

– Region size between 32B and 4KB

● Can isolate application memory from each other

● Can allocate sensitive kernel data structures in “application

space”

(22)

MPU: Hardware App Sandbox

Code

Memory Mapped I/O

Second App Memory Kernel Stack

First App Memory

App code App specific Kernel memory Peripheral low address high address

(23)

Language-level Sanbox: Goals

Device drivers cannot interfere with each other

– E.g. a network stack cannot muck with readings from a

glucose sensor

Single threaded execution model

– Simpler to write correct code

– Kernel/hardware does not have to worry about

concurrent access bugs

– Much faster processing speeds make this feasible

(24)

Language-level Sanbox: Why Rust?

● No runtime system

– Not garbage collected, zero-cost safety abstractions ● Memory Safety

– Elimates a large class of bugs: dangling pointers, double-frees,

pointer arithmetic errors, etc

● Type Safety

– Can expose low-level hardware interfaces through safe interfaces ● Strict Aliasing

– Unique references and read/write references obviate many

(25)

Zero Dynamic Kernel Allocation

Embedded OSs generally avoid dynamic allocation for

good reason

– Hard to determine in the lab if something will crash in the

field

– No swapping, so no way to deal with memory overflows

But problematic with dynamically loaded applications

– A new app may use drivers differently

(26)

Tock: Dynamic Allocation

Three ways kernel allocates memory:

● Statically

– Size determined at compile-time

● Kernel stack

– Maximum size can be determined

at compile-time via anlaysis

● Application memory

– Fined grained MPU allows

dynamic sizing of app-specific kernel-heap.

Application Stack Application Heap App-specific kernel heap

(27)

Tock: Dynamic Allocation

Example kernel allocations

in application space:

Linked list nodes

Virtual timer structs

Network stack buffers

Application Stack Application Heap App-specific kernel heap

(28)

Summary

Traditional embedded systems are outdated:

– New hardware – New use cases

– New generation of developers

Security should be a main goal of any new system

Leverage hardware protection to isolate third-party

applications

Leverage advances in programming languages to

(29)

Challenges & Questions

● Will this work?

– Maintain reliability and power constraints unique to

embedded devices

– While making security accessible to non-expert developers

● Dynamically updating the kernel/drivers?

● How do we leverage multi-microcontroller platforms? ● MGC security - Applications that span embedded

References

Download now ( PDF - 29 Page - 1.41 MB )

Related documents

Seksueel misbruik bij mensen met een verstandelijke beperking

(2009) laat net als het onderzoek van Sullivan en Knutson (2000) zien dat mensen met een verstandelijke beperking niet alleen ten opzichte van mensen zonder beperking

Much Ado About Nothing? Revitalizing Literature teaching and learning in Higher Education through ICT

We also point out that there is a growing need for training teachers in the proper use of technology, and that there is also a need to make students realize of how important the

Educational orientation and employer influenced pedagogy: Practice and policy insights from three programmes in Europe

The catalyst for programme development came from a business led Engineering Foundation (Instituto de MaquinaHerramienta (IMH)) in the Basque area of Spain which

Me and My Robot Smiled at One Another: The Process of Socially Enacted Communicative Affordance in Human-Machine Communication

Relevantly, because this is a communicational model in the context of HMC, I consider social affordances as emerging from a process of perceived and enacted communicative behaviors

Balancing generativity and control when developing digital platforms in product development firms A qualitative case study of Volvo Cars

If we compare thess five principles with the three digital platforms at Volvo Cars we can obviously see differences between them regarding how generative they

Snapchat\u27s Ability to Build and Maintain Friendships

• Purpose of Research: The goal of this research is understand how Snapchat users, use the app to build and maintain friendships as well as to determine how Snapchat

A Critical Analysis of the Information Technology Act, 2000 vis-à-vis Mitigation of Child Pornography

However, on a plain reading of the provision dealing with child pornography, the act of publishing or transmitting of sexually explicit material involving children,

Continued operation of multi-terminal HVDC networks based on modular multilevel converters

The primary objective of this study is to achieve continued operation of any multi-terminal HVDC network using relatively slow dc circuit breakers (with minimum