Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
A Secure and Reliable OS for Automotive ApplicationsCars on Code
Matthias Langemlange {@} sec.t-labs.tu-berlin.de
TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit
July 7th, 2010
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 1 / 19
Outline
1 Introduction
2 Architecture
3 Proof-of-Concept Implementation
4 Further Research
5 Important Related Work
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 2 / 19
Introduction
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 3 / 19
Introduction
Cars remained static for 80years
I Gasoline engineI Four wheelsI Familiar user interface
Change since late 70’sI Computers coordinate and
monitor sensorsI Ca. 100MB of binary code
spread over 50 - 70 ECUs
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 4 / 19
Objective of Computerization
SafetyI Anti-lock Brake SystemI AirbagI Assistance
Value added featuresI Automatic crash responseI Remote diagnosticsI Stolen vehicle recovery
Economically advantageousI CostI Weight
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 5 / 19
Future Trends
Consolidation
Classic control applications are supplemented by new complex applicationson a single control unit
Proactive Systems
Prevent or mitigate critical situations
User Customization
App Store, let the user buy “upgrades”
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19
Future Trends
Consolidation
Classic control applications are supplemented by new complex applicationson a single control unit
Proactive Systems
Prevent or mitigate critical situations
User Customization
App Store, let the user buy “upgrades”
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19
Future Trends
Consolidation
Classic control applications are supplemented by new complex applicationson a single control unit
Proactive Systems
Prevent or mitigate critical situations
User Customization
App Store, let the user buy “upgrades”
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19
Challenges
Isolation
Assure spatial and timely isolation
New Attack Vectors
Future trends will open a wide range of attack vectors for attackers.
New Threats
Computerized environments bring new array of potential new threats.
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19
Challenges
Isolation
Assure spatial and timely isolation
New Attack Vectors
Future trends will open a wide range of attack vectors for attackers.
New Threats
Computerized environments bring new array of potential new threats.
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19
Challenges
Isolation
Assure spatial and timely isolation
New Attack Vectors
Future trends will open a wide range of attack vectors for attackers.
New Threats
Computerized environments bring new array of potential new threats.
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19
Architecture
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 8 / 19
Architecture
L4 microkernelI Tasks, Threads and IPCI Object capabilities
Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers
Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19
Architecture
L4 microkernelI Tasks, Threads and IPCI Object capabilities
Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers
Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19
Architecture
L4 microkernelI Tasks, Threads and IPCI Object capabilities
Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers
Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19
OS Rehosting
Adapt OS kernel to run as deprivileged user space task
Full binary compatibility at API level
Change hardware aware parts of the kernel
L4Linux
Current mainline version
Performance penalty between 2 and 20 percent compared to native
Intrusive modifications to Linux kernel required
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19
OS Rehosting
Adapt OS kernel to run as deprivileged user space task
Full binary compatibility at API level
Change hardware aware parts of the kernel
L4Linux
Current mainline version
Performance penalty between 2 and 20 percent compared to native
Intrusive modifications to Linux kernel required
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19
OS Rehosting
Adapt OS kernel to run as deprivileged user space task
Full binary compatibility at API level
Change hardware aware parts of the kernel
L4Linux
Current mainline version
Performance penalty between 2 and 20 percent compared to native
Intrusive modifications to Linux kernel required
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19
OS Rehosting
Adapt OS kernel to run as deprivileged user space task
Full binary compatibility at API level
Change hardware aware parts of the kernel
L4Linux
Current mainline version
Performance penalty between 2 and 20 percent compared to native
Intrusive modifications to Linux kernel required
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19
Virtualization
Almost no modifications to virtualized OS kernel required
With nested paging negligible performance impactI up to 30 percent otherwise
Relies on hardware support
VT, SVM (and Trustzone)
Virtual Machine Monitor (VMM)
Only with nested paging (VTLB underway)
Slight modifications to guest kernel (custom virtualized devices)
Staged virtualization for faithfull virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19
Virtualization
Almost no modifications to virtualized OS kernel required
With nested paging negligible performance impactI up to 30 percent otherwise
Relies on hardware support
VT, SVM (and Trustzone)
Virtual Machine Monitor (VMM)
Only with nested paging (VTLB underway)
Slight modifications to guest kernel (custom virtualized devices)
Staged virtualization for faithfull virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19
Virtualization
Almost no modifications to virtualized OS kernel required
With nested paging negligible performance impactI up to 30 percent otherwise
Relies on hardware support
VT, SVM (and Trustzone)
Virtual Machine Monitor (VMM)
Only with nested paging (VTLB underway)
Slight modifications to guest kernel (custom virtualized devices)
Staged virtualization for faithfull virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19
Virtualization
Almost no modifications to virtualized OS kernel required
With nested paging negligible performance impactI up to 30 percent otherwise
Relies on hardware support
VT, SVM (and Trustzone)
Virtual Machine Monitor (VMM)
Only with nested paging (VTLB underway)
Slight modifications to guest kernel (custom virtualized devices)
Staged virtualization for faithfull virtualization
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19
Achitecture
Hardware (x86, ARM)
µ-Kernel
Infrastructure
IO Mgr MemMgrLoader
VirtualNetwork Switch
TPM Driver
L4Linux(driver provider)
SecureGUI
AndroidStack
L4Linux withAndroid-Patches
TrustworthyDocument
Viewer
KeyMgmt
SignaturCreator
un
pri
vile
ged
pri
vile
ged
Applications
GeniviStack
L4Linux AutoSAR
Core
Auto
SA
R A
pp
Auto
SA
R A
pp
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 12 / 19
Proof-of-Concept Implementation
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 13 / 19
Proof-of-Concept Implementation
Intel Atom Z510 [email protected], 512MB RAM
Two instances of Android,realtime AutoSAR task
One Android, one L4Linux withBusybox, realtime AutoSARtask
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 14 / 19
Further Research
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 15 / 19
Further Research
Scheduling
Integrate real-time, event driven scheduler with time driven schedule
Power Management
Power efficiency, consider power budget
MP / Multicore
Symetric and asymetric multicore systems
Virtualization
Inter VM communication, performance improvements, hybrid tasks
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19
Further Research
Scheduling
Integrate real-time, event driven scheduler with time driven schedule
Power Management
Power efficiency, consider power budget
MP / Multicore
Symetric and asymetric multicore systems
Virtualization
Inter VM communication, performance improvements, hybrid tasks
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19
Further Research
Scheduling
Integrate real-time, event driven scheduler with time driven schedule
Power Management
Power efficiency, consider power budget
MP / Multicore
Symetric and asymetric multicore systems
Virtualization
Inter VM communication, performance improvements, hybrid tasks
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19
Further Research
Scheduling
Integrate real-time, event driven scheduler with time driven schedule
Power Management
Power efficiency, consider power budget
MP / Multicore
Symetric and asymetric multicore systems
Virtualization
Inter VM communication, performance improvements, hybrid tasks
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19
Important Related Work
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 17 / 19
Important Related Work
Experimental Security Analysis of a Modern AutomobileKoscher, Karl Czeskis, Alexei Roesner, Franziska Patel et al.
L4CarsKevin Elphinstone Gernot Heise Ralf Huuck Stefan M. Petters SergioRuocco
Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 18 / 19