Bhargavi Konduru's presentation on Constructing Secure Operating

Presented by
Bhargavi Konduru
• Nowadays, most electronic appliances have computing capabilities that run on embedded operating system (OS) kernels, which provide basic execution primitives that can be commonly used by many appliances.
• The recent emergence of digital appliances requires more advanced features, such as networking and GUI, which dramatically complicates the appliances' software systems and increases their code size.
• Networked systems need to be prepared for attacks through the internet.

• Users' software systems must be more robust than ordinary personal computer systems.
• Building such large, complex, and robust software systems on embedded kernels that lack a protection domain is very difficult, as software bugs can cause system malfunction, data corruption, security breaches, or even system destruction.
• To reduce this attack problem, a new system architecture is proposed in this paper.

• A system architecture that co-locates multiple embedded operating systems on a microkernel is proposed.
• It employs a microkernel to provide a protected execution environment for the existing embedded kernels that have no protection mechanism.
• The existing software does not need to be run on different operating systems, as the same protection domain is shared.
• As the microkernel supports multiple protected execution environments, we can run multiple instances along with the applications.

• The system reinforces reliability and security, as the applications and servers can be decoupled into different protection domains.
• The microkernel performs the scheduling of embedded kernel instances.
• Here a system is developed that consists of a TL4 microkernel and a μITRON kernel.

• It enables the provision of protected domains without affecting the compatibility of the kernel APIs, by employing a microkernel.
• It can achieve maximum reusability of the existing software resources, including embedded OS kernels and their applications.
• It enables the schedulability analysis of real-time tasks on an embedded OS kernel.
• These features can protect the existing software resources, maintain the software quality, and save costs.

• To accommodate large and complex software systems, new kernels that support protection domains have been created.
• But this is considered a drawback, as there will be compatibility issues.
• The architecture proposed in this paper enables the reuse of the current kernel by co-locating multiple kernels on a microkernel.
• The proposed architecture incorporates hierarchical CPU scheduling to handle the multiple independent instances of a real-time kernel.

• It consists of a TL4 microkernel and multiple instances of a μITRON kernel.
• Multiple applications can run within a single instance of a μITRON kernel.
• Applications can access services provided by servers through server proxies.
• Only the TL4 microkernel executes in privileged mode directly on top of the hardware. It provides protection domains, threads, and IPC.
• The misbehaviour of applications does not cause data destruction in the servers' protection domains, as different protection domains are allocated for applications and servers.

• It can effectively utilize multiple protection domains.
• Mainly, a protection domain should be dedicated to personal data file services in order to isolate personal data files from any illegal access.
• Network services are isolated in another protection domain, since a network subsystem is the most likely entry point for a system to be compromised.
• Local device servers implement the drivers of devices shared by applications and the other services.

• Using protection domains can make the system consume fewer resources.
• It is desirable to dedicate a protection domain to an application program when it is not trusted or it needs to be installed from the internet.
• Another use of protection domains is debugging, as it is usually difficult to find bugs among components that share the same domain.
• Out-of-range memory references can be easily detected.

• The TL4 microkernel is based on the L4 μ-kernel and is enhanced to enable the execution of multiple μITRON kernel instances.
• The TL4 microkernel inherits the L4 μ-kernel's simple abstractions, which include threads, protection domains, memory pages, and IPC.
• Here the TL4 microkernel's execution entities are referred to as threads, and the μITRON kernel's execution entities are referred to as tasks or applications.

• A μITRON kernel is a simple embedded real-time kernel that provides real-time tasks, synchronization and communication mechanisms, and device drivers.
• It is divided into 3 parts:
  • Machine-independent part
  • Machine-dependent part
  • Processor emulator

• To maximize reusability and minimize modifications, a layer called the processor emulator is introduced that emulates the hardware and encapsulates the differences from the hardware.
• The processor emulator deals with interrupts, time management, scheduling events, and the idle state.
• Controlling interrupts: Interrupts are disabled by setting a flag and enabled by a message notification.
• Time management: Here we need to consider the scheduling of the timer interrupt emulation threads for those kernel instances.

• Dealing with external scheduling events: This happens when an interrupt occurs and a higher-priority task wakes up.
• Dealing with the idle state: When all tasks are blocked and there is no task to run in a μITRON kernel, the kernel falls into the idle state. Here the main execution thread needs to block in order to avoid disturbing the other instances' execution.

• Enhancements:
• Scheduler: Here the scheduler determines which thread to run, as each instance has a thread queue that maintains the runnable threads of the instance.
• Scheduling of interrupt emulation threads: It has three states.
  • The instance is running
  • The instance is runnable but not running
  • The instance is not runnable

• As the implementation of the system is finished and described, let us see the evaluation of the system.
• Memory footprints: This shows the memory sizes consumed to run a single instance of the μITRON kernel on the TL4 microkernel.
• The memory footprint of a μITRON kernel instance on the TL4 microkernel is 63KB, which is slightly smaller than the original μITRON kernel.

• Invocation latencies: Latencies from the software entry point of the interrupt are measured.
• They are measured by considering two tasks, Application task 1 and Application task 2.
• Latency values are measured for both cases: the μITRON kernel on the TL4 kernel and the μITRON kernel on hardware.
• The results show that the μITRON kernel on the TL4 kernel outperforms the μITRON kernel on the hardware.

• Here the authors proposed an alternative approach to introduce protected domains to existing embedded systems.
• This approach employs a microkernel to provide protected execution environments for the existing embedded kernels.
• It can achieve the maximum reusability of the existing software resources, including embedded OS kernels and their applications.
• Future work includes creating a more realistic and practical setup, and a more accurate system and its evaluation.
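The interrupt flag, message notification and preemption behaviour described for the processor emulator and scheduler above, modelled as an added C example (hypothetical names and data structures, not the TL4 or μITRON sources): an interrupt arriving while the instance has interrupts disabled stays pending until they are re-enabled, and a woken task only preempts when its priority is higher than the running task's.

```c
#include <stdbool.h>
/* Hypothetical model (not TL4/muITRON code) of one kernel instance as seen by the
   processor emulator: interrupt-disable flag, IRQs as messages, priority scheduling. */
enum { MAX_TASKS = 4, NUM_IRQS = 8, IDLE = -1 };
enum task_state { BLOCKED, RUNNABLE };
struct instance {
    bool irq_disabled;               /* set by the kernel's disable-interrupts op */
    unsigned pending_irqs;           /* bitmask of IRQs received while disabled */
    int wake_task[NUM_IRQS];         /* task woken by each IRQ line, or -1 */
    enum task_state task[MAX_TASKS]; /* priority == index, 0 is highest */
    int running;                     /* index of the running task, or IDLE */
};
/* Highest-priority runnable task wins; IDLE means the instance's main thread
   must block so it does not disturb the other instances. */
int schedule(struct instance *in) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (in->task[i] == RUNNABLE) return in->running = i;
    return in->running = IDLE;
}
/* The interrupt emulation thread sends IRQ `line` as a message. While the flag is
   set it only becomes pending; otherwise the woken task preempts the running one if
   it has higher priority (the "external scheduling event" on the slides). */
void deliver_irq(struct instance *in, unsigned line) {
    if (in->irq_disabled) { in->pending_irqs |= 1u << line; return; }
    int t = in->wake_task[line];
    if (t >= 0) in->task[t] = RUNNABLE;
    if (in->running == IDLE || (t >= 0 && t < in->running)) schedule(in);
}
void disable_irqs(struct instance *in) { in->irq_disabled = true; }
/* Re-enabling delivers every interrupt that arrived during the critical section. */
void enable_irqs(struct instance *in) {
    in->irq_disabled = false;
    unsigned pend = in->pending_irqs;
    in->pending_irqs = 0;
    for (unsigned line = 0; line < NUM_IRQS; line++)
        if (pend & (1u << line)) deliver_irq(in, line);
}
/* Constructed scenario: task 2 runs with interrupts disabled when IRQ 0 (which wakes
   task 0) arrives. Returns (running task before enable) * 10 + (running task after). */
int run_scenario(void) {
    struct instance in = { .running = 2 };   /* tasks start BLOCKED (zero) */
    for (int i = 0; i < NUM_IRQS; i++) in.wake_task[i] = -1;
    in.task[2] = RUNNABLE; in.wake_task[0] = 0;   /* IRQ 0 wakes task 0 */
    disable_irqs(&in);
    deliver_irq(&in, 0);                     /* deferred: task 2 keeps running */
    int before = in.running;
    enable_irqs(&in);                        /* task 0 now preempts task 2 */
    return before * 10 + in.running;         /* 20 */
}
```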