Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented by: Chris Massie Introduction • Diversified network computing resources relies on embedded technology • Areas such as governmental infrastructures and economic practices • Embedded systems often serve as supporting components • Serve an important role for many applications and services • Security problems for embedded systems often make them counterproductive • Security very important in many embedded systems Security Principles • • • • Security is based on five essential principles: • (Supposed to guarantee the correct execution of both the program and the communication) 1.) Confidentiality • Only the entities involved in the execution or communication can have access to data • To prevent sensitive system information from unauthorized access and intentional abuse 2.) Integrity • A message must not be damaged during the transfer • To guarantee critical files and data against deletion and modification in unauthorized ways • Provide tamper-proofing protection for applications and services on embedded operating systems from malicious code and virus protection 3.) Availability • Defend the whole system against attacks and ensures authorized, legitimate access Security Principles (cont.) • • • • Security is based on five essential principles: • (Supposed to guarantee the correct execution of both the program and the communication) 4.) Authenticity • The entity must be sure that the message comes from the right entity • The system must trust the program source code 5.) Non-repudiation • The entities implied in the exchange must not have the possibility to deny the exchange Authors only placed emphasis on Confidentiality, Integrity, and Availability Security Solutions for Embedded Systems • • • • Current embedded systems suffer a large number of penetration and threats • Due to the intrinsic weakness of hardware structure and the uninsured security status of the OS Security solutions like IDS (Intrusion Detection Systems) and firewalls can claim to carry out secure reinforcement • But internal vulnerabilities seriously impair the external effectiveness those solutions play • Still expose the whole system to malicious communities • The embedded system would fail to guard the applications and services based on it Trustworthy computing techniques are maturing • Schemes are becoming possible for effectively solving deficiencies of computer architecture and enhancing the security of embedded systems Depending on trustworthy hardware and secure OSs, a viable security framework is presented Trusted Hardware Technology • Security solutions based on trustworthy hardware technology include • AEGIS secure processor • eXecute Only Memory (XOM) technique • TrustZone secure processor architecture • TrustZone assumes that the complete secure solution is not feasible • Goal is to secure only some parts of the architecture and data • TrustZone assumes and requires an architecture with a secure core and a secure portion within the memory • Implements zone isolation by a unique secure zone (trusted zone) TrustZone develops a high level software architecture supported by hardware protection Has been widely recognized as a trusted computing base and successfully used The paper presents a TrustZone-based secure enhancement framework for embedded systems • • • TrustZone • TrustZone implements zone isolation by using a trusted zone • Trusted zone establishes the connection between user mode and kernel mode • Has a higher privilege level than kernel mode • Not an exclusive zone, but a zone where kernel mode or user mode applications run • A monitor module controls switching between normal zone and trusted zone Also protects context switching and supervises all tasks in the processor in real time • If a secure request is captured, the request is encrypted in normal zone and then stored in a shared part assigned by the secure kernel • TrustZone (cont.) • Once the request is verified • the monitor module records non-secure states • then switches monitoring sessions to trusted zone • Like a context switch • The monitor module protects data in the trusted zone from infiltrating into normal zone • This is all achieved by hardware, not the OS • TrustZone architecture provides a secure hardware base for many OS like embedded Linux and Windows CE Embedded Linux System Security • OS security determines the security level of applications and the whole system for embedded Linux systems • Access control mechanism plays an essential role for OS security • Vulnerability is the main reason that causes threat of confidentiality and integrity • The main content for security mechanisms of the OS • Discretionary access control (DAC) is a simple access control mechanism adopted in embedded Linux • The access control is prone to attack by malicious programs • Security can’t be assured by only having an embedded Linux OS • To improve security of embedded systems, access control must have enhanced security Multi-policy Mandatory Access Control • Mandatory access control (MAC) mechanisms can ensure confidentiality and integrity of a system • Two security models to enhance access control: • Domain and Type Enforcement (DTE) model • Bell-La Padula (BLP) model • DTE Provides a MAC with the same security level as that of BLP • The paper designs a joint MAC mechanism based on both DTE and BLP • Use of DTE model ensures integrity of system • Use of improved BLP model ensures confidentiality of system Domain and Type Enforcement (DTE) • DTE is an access control method based on a table • Implements integrity independent of trusted users • All subjects or processes in the system connect with a domain • All objects or resources connect with a type • DTE establishes a domain definition table to describe operation right of each domain on different types of resources • System searches table, if access request is allowed then the process can access the needed resource • Domain interaction table defines the allowed access models between domains Bell-La Padula (BLP) • BLP model is a state machine model • System states are defined, and transition rules between states are defined • Groups entities within the system into different access levels • Classifies subjects and objects into different levels and categories • In the multi-security policy model of BLP, the authors modified the rules to create an enhanced version • The “reading up” of BLP is added with integrity requirement • By restricting “over writing”, only append mode is allowed to implement “reading up” to prohibit a covert channel Linux Security Module (LSM) • • • Linux Security Module (LSM) framework is embedded into the Linux2.6 kernel. • Thus there exists a uniform measure for implementation of mandatory access mechanisms The embedded Linux OS with security enhancement uses: • LSM framework • Adopts security policy of BLP and DTE model • Utilizes security module stacking technology • Assigns security label for process and resource in the system to implement MAC More secure than DAC, which is a simple access control mechanism for embedded Linux Linux Security Module (LSM) (cont.) • • • • The domain/type implements the security policy of DTE The BLP policy improves the confidentiality of the system Therefore, the reinforced operating system ensures the secure implementation of TrustZone architecture The secure embedded system architecture based on TrustZone technique and the secure Linux OS shown in figure Secure Embedded System Architecture • Normal zone allocates BLP and DTE policies to avoid malicious trespasses • Thus assures the confidentiality and integrity of the whole system • General apps belonging to normal zone run on the secure embedded Linux system • Secure Monitor Interrupt (SMI) instructions are called for apps to visit the trusted zone • Secure applications call the TrustZone access control driver and SMI to perform trusted processes • The monitor establishes secure switching between normal zone and trusted zone • Trusted applications belonging to trusted zone directly function on the secure kernel • Is supported by TrustZone technique to achieve necessary protection and access control for applications System Security Analysis • The confidentiality and integrity of the author’s prototype system is guaranteed by the Linux Security Module (LSM) framework • Protects not only general apps, but also secure apps in normal zone • LSM provides mandatory access control, so general apps just function in normal zone rather than in trusted zone • When comparing a standard Linux 2.6.18 kernel against the enhanced security 2.6.18 kernel with LSM • Worst case overhead was 9.4% for open/close and 11.8% for file deletion • Enhanced system employs SMI instructions to manage secure switching between normal and trusted zone to protect secure apps belonging to normal zone Conclusion • The enhanced security system successfully achieves a combination of a secure OS and trustworthy hardware techniques • The paper employs mandatory access control to: • Operate an embedded Linux system on an enhanced security standard • Presents an embedded system security solution based on TrustZone technique and secure embedded Linux • Proposed solution serves as a viable and effective way to settle security problems in embedded systems