A Secure and Reliable OS for Automotive ApplicationsCars on Code

Matthias Langemlange {@} sec.t-labs.tu-berlin.de

TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit

July 7th, 2010

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 1 / 19

Outline

1 Introduction

2 Architecture

3 Proof-of-Concept Implementation

4 Further Research

5 Important Related Work

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 2 / 19

Introduction

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 3 / 19

Introduction

Cars remained static for 80years

I Gasoline engineI Four wheelsI Familiar user interface

Change since late 70’sI Computers coordinate and

monitor sensorsI Ca. 100MB of binary code

spread over 50 - 70 ECUs

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 4 / 19

Objective of Computerization

SafetyI Anti-lock Brake SystemI AirbagI Assistance

Value added featuresI Automatic crash responseI Remote diagnosticsI Stolen vehicle recovery

Economically advantageousI CostI Weight

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 5 / 19

Future Trends

Consolidation

Classic control applications are supplemented by new complex applicationson a single control unit

Proactive Systems

Prevent or mitigate critical situations

User Customization

App Store, let the user buy “upgrades”

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19

Future Trends

Consolidation

Classic control applications are supplemented by new complex applicationson a single control unit

Proactive Systems

Prevent or mitigate critical situations

User Customization

App Store, let the user buy “upgrades”

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19

Future Trends

Consolidation

Classic control applications are supplemented by new complex applicationson a single control unit

Proactive Systems

Prevent or mitigate critical situations

User Customization

App Store, let the user buy “upgrades”

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 6 / 19

Challenges

Isolation

Assure spatial and timely isolation

New Attack Vectors

Future trends will open a wide range of attack vectors for attackers.

New Threats

Computerized environments bring new array of potential new threats.

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19

Challenges

Isolation

Assure spatial and timely isolation

New Attack Vectors

Future trends will open a wide range of attack vectors for attackers.

New Threats

Computerized environments bring new array of potential new threats.

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19

Challenges

Isolation

Assure spatial and timely isolation

New Attack Vectors

Future trends will open a wide range of attack vectors for attackers.

New Threats

Computerized environments bring new array of potential new threats.

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 7 / 19

Architecture

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 8 / 19

Architecture

L4 microkernelI Tasks, Threads and IPCI Object capabilities

Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers

Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19

Architecture

L4 microkernelI Tasks, Threads and IPCI Object capabilities

Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers

Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19

Architecture

L4 microkernelI Tasks, Threads and IPCI Object capabilities

Infrastructure layer with basic servicesI Memory and IO managerI Secure GUII Drivers

Reuse existing, collaboratively developed softwareI OS rehostingI Virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 9 / 19

OS Rehosting

Adapt OS kernel to run as deprivileged user space task

Full binary compatibility at API level

Change hardware aware parts of the kernel

L4Linux

Current mainline version

Performance penalty between 2 and 20 percent compared to native

Intrusive modifications to Linux kernel required

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19

OS Rehosting

Adapt OS kernel to run as deprivileged user space task

Full binary compatibility at API level

Change hardware aware parts of the kernel

L4Linux

Current mainline version

Performance penalty between 2 and 20 percent compared to native

Intrusive modifications to Linux kernel required

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19

OS Rehosting

Adapt OS kernel to run as deprivileged user space task

Full binary compatibility at API level

Change hardware aware parts of the kernel

L4Linux

Current mainline version

Performance penalty between 2 and 20 percent compared to native

Intrusive modifications to Linux kernel required

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19

OS Rehosting

Adapt OS kernel to run as deprivileged user space task

Full binary compatibility at API level

Change hardware aware parts of the kernel

L4Linux

Current mainline version

Performance penalty between 2 and 20 percent compared to native

Intrusive modifications to Linux kernel required

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 10 / 19

Virtualization

Almost no modifications to virtualized OS kernel required

With nested paging negligible performance impactI up to 30 percent otherwise

Relies on hardware support

VT, SVM (and Trustzone)

Virtual Machine Monitor (VMM)

Only with nested paging (VTLB underway)

Slight modifications to guest kernel (custom virtualized devices)

Staged virtualization for faithfull virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19

Virtualization

Almost no modifications to virtualized OS kernel required

With nested paging negligible performance impactI up to 30 percent otherwise

Relies on hardware support

VT, SVM (and Trustzone)

Virtual Machine Monitor (VMM)

Only with nested paging (VTLB underway)

Slight modifications to guest kernel (custom virtualized devices)

Staged virtualization for faithfull virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19

Virtualization

Almost no modifications to virtualized OS kernel required

With nested paging negligible performance impactI up to 30 percent otherwise

Relies on hardware support

VT, SVM (and Trustzone)

Virtual Machine Monitor (VMM)

Only with nested paging (VTLB underway)

Slight modifications to guest kernel (custom virtualized devices)

Staged virtualization for faithfull virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19

Virtualization

Almost no modifications to virtualized OS kernel required

With nested paging negligible performance impactI up to 30 percent otherwise

Relies on hardware support

VT, SVM (and Trustzone)

Virtual Machine Monitor (VMM)

Only with nested paging (VTLB underway)

Slight modifications to guest kernel (custom virtualized devices)

Staged virtualization for faithfull virtualization

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 11 / 19

Achitecture

Hardware (x86, ARM)

µ-Kernel

Infrastructure

IO Mgr MemMgrLoader

VirtualNetwork Switch

TPM Driver

L4Linux(driver provider)

SecureGUI

AndroidStack

L4Linux withAndroid-Patches

TrustworthyDocument

Viewer

KeyMgmt

SignaturCreator

un

pri

vile

ged

pri

vile

ged

Applications

GeniviStack

L4Linux AutoSAR

Core

Auto

SA

R A

pp

Auto

SA

R A

pp

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 12 / 19

Proof-of-Concept Implementation

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 13 / 19

Proof-of-Concept Implementation

Intel Atom Z510 platform@1.1GHz, 512MB RAM

Two instances of Android,realtime AutoSAR task

One Android, one L4Linux withBusybox, realtime AutoSARtask

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 14 / 19

Further Research

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 15 / 19

Further Research

Scheduling

Integrate real-time, event driven scheduler with time driven schedule

Power Management

Power efficiency, consider power budget

MP / Multicore

Symetric and asymetric multicore systems

Virtualization

Inter VM communication, performance improvements, hybrid tasks

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19

Further Research

Scheduling

Integrate real-time, event driven scheduler with time driven schedule

Power Management

Power efficiency, consider power budget

MP / Multicore

Symetric and asymetric multicore systems

Virtualization

Inter VM communication, performance improvements, hybrid tasks

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19

Further Research

Scheduling

Integrate real-time, event driven scheduler with time driven schedule

Power Management

Power efficiency, consider power budget

MP / Multicore

Symetric and asymetric multicore systems

Virtualization

Inter VM communication, performance improvements, hybrid tasks

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19

Further Research

Scheduling

Integrate real-time, event driven scheduler with time driven schedule

Power Management

Power efficiency, consider power budget

MP / Multicore

Symetric and asymetric multicore systems

Virtualization

Inter VM communication, performance improvements, hybrid tasks

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 16 / 19

Important Related Work

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 17 / 19

Important Related Work

Experimental Security Analysis of a Modern AutomobileKoscher, Karl Czeskis, Alexei Roesner, Franziska Patel et al.

L4CarsKevin Elphinstone Gernot Heise Ralf Huuck Stefan M. Petters SergioRuocco

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 18 / 19

Thank you!

Matthias Langemlange {@} sec.t-labs.tu-berlin.de (TU BerlinSpring 2010 SIDAR - Graduierten Workshop ber Reaktive Sicherheit)A Secure and Reliable OS for Automotive ApplicationsCars on CodeJuly 7th, 2010 19 / 19