ppt 2

advertisement
Title of Selected Paper:
Design and Implementation of Secure
Embedded Systems Based on
Trustzone
Authors:
Yan-ling Xu, Wei Pan, Xin-guo Zhang
Presented by:
Chris Massie
Introduction
• Diversified network computing resources relies on
embedded technology
• Areas such as governmental infrastructures and
economic practices
• Embedded systems often serve as supporting components
• Serve an important role for many applications and
services
• Security problems for embedded systems often make
them counterproductive
• Security very important in many embedded systems
Security Principles
•
•
•
•
Security is based on five essential principles:
• (Supposed to guarantee the correct execution of both the program and the
communication)
1.) Confidentiality
• Only the entities involved in the execution or communication can have access to
data
• To prevent sensitive system information from unauthorized access and intentional
abuse
2.) Integrity
• A message must not be damaged during the transfer
• To guarantee critical files and data against deletion and modification in
unauthorized ways
• Provide tamper-proofing protection for applications and services on embedded
operating systems from malicious code and virus protection
3.) Availability
• Defend the whole system against attacks and ensures authorized, legitimate access
Security Principles (cont.)
•
•
•
•
Security is based on five essential principles:
• (Supposed to guarantee the correct execution of both the program and
the communication)
4.) Authenticity
• The entity must be sure that the message comes from the right entity
• The system must trust the program source code
5.) Non-repudiation
• The entities implied in the exchange must not have the possibility to deny
the exchange
Authors only placed emphasis on Confidentiality, Integrity, and Availability
Security Solutions for Embedded Systems
•
•
•
•
Current embedded systems suffer a large number of penetration and threats
• Due to the intrinsic weakness of hardware structure and the uninsured
security status of the OS
Security solutions like IDS (Intrusion Detection Systems) and firewalls can
claim to carry out secure reinforcement
• But internal vulnerabilities seriously impair the external effectiveness
those solutions play
• Still expose the whole system to malicious communities
• The embedded system would fail to guard the applications and services
based on it
Trustworthy computing techniques are maturing
• Schemes are becoming possible for effectively solving deficiencies of
computer architecture and enhancing the security of embedded systems
Depending on trustworthy hardware and secure OSs, a viable security
framework is presented
Trusted Hardware Technology
•
Security solutions based on trustworthy hardware technology include
• AEGIS secure processor
• eXecute Only Memory (XOM) technique
• TrustZone secure processor architecture
•
TrustZone assumes that the complete secure solution is not feasible
• Goal is to secure only some parts of the architecture and data
• TrustZone assumes and requires an architecture with a secure core and a
secure portion within the memory
• Implements zone isolation by a unique secure zone (trusted zone)
TrustZone develops a high level software architecture supported by hardware
protection
Has been widely recognized as a trusted computing base and successfully
used
The paper presents a TrustZone-based secure enhancement framework for
embedded systems
•
•
•
TrustZone
•
TrustZone implements zone isolation by using a trusted zone
• Trusted zone establishes the connection between user mode and kernel
mode
• Has a higher privilege level than kernel mode
• Not an exclusive zone, but a zone where kernel mode or user mode
applications run
• A monitor module controls switching
between normal zone and trusted zone
Also protects context switching and
supervises all tasks in the processor in
real time
• If a secure request is captured, the request
is encrypted in normal zone and then stored
in a shared part assigned by the secure
kernel
•
TrustZone (cont.)
• Once the request is verified
• the monitor module records non-secure states
• then switches monitoring sessions to trusted zone
• Like a context switch
• The monitor module protects data in the trusted zone from infiltrating
into normal zone
• This is all achieved by hardware, not the OS
• TrustZone architecture provides a secure hardware base for many OS
like embedded Linux and Windows CE
Embedded Linux System Security
• OS security determines the security level of applications and the
whole system for embedded Linux systems
• Access control mechanism plays an essential role for OS security
• Vulnerability is the main reason that causes threat of
confidentiality and integrity
• The main content for security mechanisms of the OS
• Discretionary access control (DAC) is a simple access control
mechanism adopted in embedded Linux
• The access control is prone to attack by malicious programs
• Security can’t be assured by only having an embedded Linux OS
• To improve security of embedded systems, access control must
have enhanced security
Multi-policy Mandatory Access Control
• Mandatory access control (MAC) mechanisms can ensure
confidentiality and integrity of a system
• Two security models to enhance access control:
• Domain and Type Enforcement (DTE) model
• Bell-La Padula (BLP) model
• DTE Provides a MAC with the same security level as that
of BLP
• The paper designs a joint MAC mechanism based on both
DTE and BLP
• Use of DTE model ensures integrity of system
• Use of improved BLP model ensures confidentiality of
system
Domain and Type Enforcement (DTE)
• DTE is an access control method based on a table
• Implements integrity independent of trusted users
• All subjects or processes in the system connect with a
domain
• All objects or resources connect with a type
• DTE establishes a domain definition table to describe
operation right of each domain on different types of
resources
• System searches table, if access request is allowed
then the process can access the needed resource
• Domain interaction table defines the allowed access
models between domains
Bell-La Padula (BLP)
• BLP model is a state machine model
• System states are defined, and transition rules between states are
defined
• Groups entities within the system into different access levels
• Classifies subjects and objects into different levels and categories
• In the multi-security policy model of BLP, the authors modified the
rules to create an enhanced version
• The “reading up” of BLP is added with integrity requirement
• By restricting “over writing”, only append mode is allowed to
implement “reading up” to prohibit a covert channel
Linux Security Module (LSM)
•
•
•
Linux Security Module (LSM) framework is
embedded into the Linux2.6 kernel.
• Thus there exists a uniform measure for
implementation of mandatory access
mechanisms
The embedded Linux OS with security
enhancement uses:
• LSM framework
• Adopts security policy of BLP and DTE
model
• Utilizes security module stacking
technology
• Assigns security label for process and
resource in the system to implement MAC
More secure than DAC, which is a simple
access control mechanism for embedded
Linux
Linux Security Module (LSM) (cont.)
•
•
•
•
The domain/type implements the security policy of DTE
The BLP policy improves the confidentiality of the system
Therefore, the reinforced operating system ensures the secure
implementation of TrustZone architecture
The secure embedded system architecture based on TrustZone technique and
the secure Linux OS shown in figure
Secure Embedded System Architecture
• Normal zone allocates BLP and DTE policies to avoid malicious
trespasses
• Thus assures the confidentiality and integrity of the whole system
• General apps belonging to normal zone run on the secure embedded
Linux system
• Secure Monitor Interrupt (SMI) instructions are called for apps to visit
the trusted zone
• Secure applications call the TrustZone access control driver and SMI
to perform trusted processes
• The monitor establishes secure switching between normal zone and
trusted zone
• Trusted applications belonging to trusted zone directly function on the
secure kernel
• Is supported by TrustZone technique to achieve necessary
protection and access control for applications
System Security Analysis
• The confidentiality and integrity of the author’s prototype system is
guaranteed by the Linux Security Module (LSM) framework
• Protects not only general apps, but also secure apps in normal
zone
• LSM provides mandatory access control, so general apps just
function in normal zone rather than in trusted zone
• When comparing a standard Linux 2.6.18 kernel against the enhanced
security 2.6.18 kernel with LSM
• Worst case overhead was 9.4% for open/close and 11.8% for file
deletion
• Enhanced system employs SMI instructions to manage secure
switching between normal and trusted zone to protect secure apps
belonging to normal zone
Conclusion
• The enhanced security system successfully achieves a
combination of a secure OS and trustworthy hardware
techniques
• The paper employs mandatory access control to:
• Operate an embedded Linux system on an enhanced
security standard
• Presents an embedded system security solution based
on TrustZone technique and secure embedded Linux
• Proposed solution serves as a viable and effective way to
settle security problems in embedded systems
Download