Secure and safe virtualization-based framework for embedded systems development

Tese de Doutoramento - Programa Doutoral em Engenharia Electrónica e de Computadores (PDEEC)The Internet of Things (IoT) is here. Billions of smart, connected devices are proliferating at rapid pace in our key infrastructures, generating, processing and exchanging vast amounts of security-critical and privacy-sensitive data. This strong connectivity of IoT environments demands for a holistic, end-to-end security approach, addressing security and privacy risks across different abstraction levels: device, communications, cloud, and lifecycle managment. Security at the device level is being misconstrued as the addition of features in a late stage of the system development. Several software-based approaches such as microkernels, and virtualization have been used, but it is proven, per se, they fail in providing the desired security level. As a step towards the correct operation of these devices, it is imperative to extend them with new security-oriented technologies which guarantee security from the outset. This thesis aims to conceive and design a novel security and safety architecture for virtualized systems by 1) evaluating which technologies are key enablers for scalable and secure virtualization, 2) designing and implementing a fully-featured virtualization environment providing hardware isolation 3) investigating which "hard entities" can extend virtualization to guarantee the security requirements dictated by confidentiality, integrity, and availability, and 4) simplifying system configurability and integration through a design ecosystem supported by a domain-specific language. The developed artefacts demonstrate: 1) why ARM TrustZone is nowadays a reference technology for security, 2) how TrustZone can be adequately exploited for virtualization in different use-cases, 3) why the secure boot process, trusted execution environment and other hardware trust anchors are essential to establish and guarantee a complete root and chain of trust, and 4) how a domain-specific language enables easy design, integration and customization of a secure virtualized system assisted by the above mentioned building blocks.Vivemos na era da Internet das Coisas (IoT). Biliões de dispositivos inteligentes começam a proliferar nas nossas infraestruturas chave, levando ao processamento de avolumadas quantidades de dados privados e sensíveis. Esta forte conectividade inerente ao conceito IoT necessita de uma abordagem holística, em que os riscos de privacidade e segurança são abordados nas diferentes camadas de abstração: dispositivo, comunicações, nuvem e ciclo de vida. A segurança ao nível dos dispositivos tem sido erradamente assegurada pela inclusão de funcionalidades numa fase tardia do desenvolvimento. Têm sido utilizadas diversas abordagens de software, incluindo a virtualização, mas está provado que estas não conseguem garantir o nível de segurança desejado. De forma a garantir a correta operação dos dispositivos, é fundamental complementar os mesmos com novas tecnologias que promovem a segurança desde os primeiros estágios de desenvolvimento. Esta tese propõe, assim, o desenvolvimento de uma solução arquitetural inovadora para sistemas virtualizados seguros, contemplando 1) a avaliação de tecnologias chave que promovam tal realização, 2) a implementação de uma solução de virtualização garantindo isolamento por hardware, 3) a identificação de componentes que integrados permitirão complementar a virtualização para garantir os requisitos de segurança, e 4) a simplificação do processo de configuração e integração da solução através de um ecossistema suportado por uma linguagem de domínio específico. Os artefactos desenvolvidos demonstram: 1) o porquê da tecnologia ARM TrustZone ser uma tecnologia de referência para a segurança, 2) a efetividade desta tecnologia quando utilizada em diferentes domínios, 3) o porquê do processo seguro de inicialização, juntamente com um ambiente de execução seguro e outros componentes de hardware, serem essenciais para estabelecer uma cadeia de confiança, e 4) a viabilidade em utilizar uma linguagem de um domínio específico para configurar e integrar um ambiente virtualizado suportado pelos artefactos supramencionados

Modeling of embedded software on MDA platform models

This study proposes the use of abstract software models in order to meet the diversity of embedded platforms. A UML 2.0 Profile for Modeling Application and Platform of Embedded Software (called PROAPES) is proposed. Such profile is intended to generically describe the services provided by a system platform that makes use of an RTOS. In addition, this study presents a Model Transformation (MT) based on the PROAPES profile, named MT-PROAPES. In this way, MT-PROAPES uses a Platform Model (PM), created on the basis of the proposed profile (PROAPES), and performs a transformation named Platform Independent Model (PIM)-behavior into Platform Specific Model (PSM)-behavior. Thus, the generation of reusable model transformations that are adaptable to different platform models is possibleFacultad de Informátic

Rétro-ingénierie des plateformes pour le déploiement des applications temps réel

This Work deals with te defintion of a new methodology called DRIM for the development of real-time embedded systems following the Model-Driven development paradigm.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du développement logiciel des systèmes temps réel embarqués. Nous définissons dans ce travail une méthodologie nommée DRIM (Design Refinement toward Implementation Methodology). Cetteméthodologie permet de guider le déploiement des applications temps réel sur différentssystèmes d’exploitation temps réel (RTOS) en suivant la ligne de l’Ingénierie Dirigée parles Modèles (IDM) et en assurant le respect des contraintes de temps après le déploiement.L’automatisation de la méthodologie DRIM montre sa capacité à détecter les descriptionsnon-implémentables de l’application, réalisées au niveau conception, pour un RTOS donné,ce qui présente l’avantage de réduire le temps de mise sur le marché (time-to-market) d’unepart et de guider l’utilisateur pour un choix approprié du RTOS cible d’autre part

Porting sloth system to FreeRTOS for ARM Multicore

Dissertação de mestrado integrado em Engenharia Eletrónica Industrial e ComputadoresThe microprocessor industry is in the midst of a dramatic transformation. Up until recently, to boost microprocessors’ performance it was solely relied on increasing clock frequency. Nowadays, however, the power consumption requirements, coupled with the growing consumer demand, made the industry shift their focus from singlecore to multicore solutions, which offer an increase in performance, without a proportional increase in power consumption. The embedded systems field is no exception and the trend to use multicore solutions has been rising substantially in the last few years. Managing control flow is one of the core responsibilities of an operating system. Bearing this in mind, operating systems suffer from the existence of a bifid priority space, dictated by the co-existence of synchronous threads, managed by kernel scheduler, and asynchronous interrupt handlers, scheduled by hardware. This induces a well-identified problem, termed rate-monotonic priority inversion. Regarding safety-critical real-time systems, where time and determinism play a critical role, the inherent possibility of delayed execution of real-time threads by hardware interrupts with semantically lower priority can have catastrophic consequences to human life. Within this context, this dissertation presents the extension of a previous ’inhouse’ project, by proposing the implementation of a unified priority space approach (Sloth) in a multicore environment. To accomplish this, it is proposed the offloading of the scheduling decisions and synchronization mechanisms to a Commercial Off-The-Shelf (COTS) hardware interrupt controller (removing the need for a software scheduler) on an ARM Cortex-A9 MPCore platform.A indústria de microprocessores está envolta numa transformação dramática. Até recentemente, para impulsionar a performance, a indústria dependia somente do aumento gradual da frequência de relógio. Atualmente, os requisitos de consumo energético, conjugados com as crescentes exigências do consumidor, levaram a indústria a mudar o seu foco de soluções singlecore para soluções multicore. Estas oferecem um aumento substancial de performance, sem o proporcional aumento de consumo energético, característico das arquiteturas singlecore. Os sistemas embebidos não são excepção e a tendência para a utilização de soluções multicore tem aumentado substancialmente nos últimos anos. Uma das principais responsabilidades de um sistema operativo é a gestão do fluxo de controlo. Neste contexto, os sistemas operativos sofrem da existência de um espaço de prioridades bifurcado, caracterizado pela existência de tarefas, geridas pelo escalonador do kernel (software) e de interrupções, escalonadas por hardware. Introduz-se, assim, um problema bem identificado na comunidade científica, denominado rate-monotonic priority inversion. Em sistemas de tempo real, em que a segurança assume um papel fulcral e onde a performance e o determinismo são essenciais, a possibilidade da execução de tarefas de elevada prioridade ser atrasada, por interrupções de hardware com prioridade semântica inferior, pode ter consequências catastróficas para a vida humana. Neste sentido, esta dissertação apresenta a extensão de um trabalho anterior, propondo a implementação de um espaço de prioridades unificado (Sloth), num ambiente multicore. Assim sendo, é proposto o offloading do escalonador e mecanismos de sincronização para o controlador de interrupções (hardware) numa plataforma ARM Cortex-A9 MPCore

Evaluation of the parallel computational capabilities of embedded platforms for critical systems

Modern critical systems need higher performance which cannot be delivered by the simple architectures used so far. Latest embedded architectures feature multi-cores and GPUs, which can be used to satisfy this need. In this thesis we parallelise relevant applications from multiple critical domains represented in the GPU4S benchmark suite, and perform a comparison of the parallel capabilities of candidate platforms for use in critical systems. In particular, we port the open source GPU4S Bench benchmarking suite in the OpenMP programming model, and we benchmark the candidate embedded heterogeneous multi-core platforms of the H2020 UP2DATE project, NVIDIA TX2, NVIDIA Xavier and Xilinx Zynq Ultrascale+, in order to drive the selection of the research platform which will be used in the next phases of the project. Our result indicate that in terms of CPU and GPU performance, the NVIDIA Xavier is the highest performing platform

Deploying RIOT operating system on a reconfigurable Internet of Things end-device

Dissertação de mestrado integrado em Engenharia Eletrónica Industrial e ComputadoresThe Internet of Everything (IoE) is enabling the connection of an infinity of physical objects to the Internet, and has the potential to connect every single existing object in the world. This empowers a market with endless opportunities where the big players are forecasting, by 2020, more than 50 billion connected devices, representing an 8 trillion USD market. The IoE is a broad concept that comprises several technological areas and will certainly, include more in the future. Some of those already existing fields are the Internet of Energy related with the connectivity of electrical power grids, Internet of Medical Things (IoMT), for instance, enables patient monitoring, Internet of Industrial Things (IoIT), which is dedicated to industrial plants, and the Internet of Things (IoT) that focus on the connection of everyday objects (e.g. home appliances, wearables, transports, buildings, etc.) to the Internet. The diversity of scenarios where IoT can be deployed, and consequently the different constraints associated to each device, leads to a heterogeneous network composed by several communication technologies and protocols co-existing on the same physical space. Therefore, the key requirements of an IoT network are the connectivity and the interoperability between devices. Such requirement is achieved by the adoption of standard protocols and a well-defined lightweight network stack. Due to the adoption of a standard network stack, the data processed and transmitted between devices tends to increase. Because most of the devices connected are resource constrained, i.e., low memory, low processing capabilities, available energy, the communication can severally decrease the device’s performance. Hereupon, to tackle such issues without sacrificing other important requirements, this dissertation aims to deploy an operating system (OS) for IoT, the RIOT-OS, while providing a study on how network-related tasks can benefit from hardware accelerators (deployed on reconfigurable technology), specially designed to process and filter packets received by an IoT device.O conceito Internet of Everything (IoE) permite a conexão de uma infinidade de objetos à Internet e tem o potencial de conectar todos os objetos existentes no mundo. Favorecendo assim o aparecimento de novos mercados e infinitas possibilidades, em que os grandes intervenientes destes mercados preveem até 2020 a conexão de mais de 50 mil milhões de dispositivos, representando um mercado de 8 mil milhões de dólares. IoE é um amplo conceito que inclui várias áreas tecnológicas e irá certamente incluir mais no futuro. Algumas das áreas já existentes são: a Internet of Energy relacionada com a conexão de redes de transporte e distribuição de energia à Internet; Internet of Medical Things (IoMT), que possibilita a monotorização de pacientes; Internet of Industrial Things (IoIT), dedicada a instalações industriais e a Internet of Things (IoT), que foca na conexão de objetos do dia-a-dia (e.g. eletrodomésticos, wearables, transportes, edifícios, etc.) à Internet. A diversidade de cenários à qual IoT pode ser aplicado, e consequentemente, as diferentes restrições aplicadas a cada dispositivo, levam à criação de uma rede heterogénea composto por diversas tecnologias de comunicação e protocolos a coexistir no mesmo espaço físico. Desta forma, os requisitos chave aplicados às redes IoT são a conectividade e interoperabilidade entre dispositivos. Estes requisitos são atingidos com a adoção de protocolos standard e pilhas de comunicação bem definidas. Com a adoção de pilhas de comunicação standard, a informação processada e transmitida entre dispostos tende a aumentar. Visto que a maioria dos dispositivos conectados possuem escaços recursos, i.e., memória reduzida, baixa capacidade de processamento, pouca energia disponível, o aumento da capacidade de comunicação pode degradar o desempenho destes dispositivos. Posto isto, para lidar com estes problemas e sem sacrificar outros requisitos importantes, esta dissertação pretende fazer o porting de um sistema operativo IoT, o RIOT, para uma solução reconfigurável, o CUTE mote. O principal objetivo consiste na realização de um estudo sobre os benefícios que as tarefas relacionadas com as camadas de rede podem ter ao serem executadas em hardware via aceleradores dedicados. Estes aceleradores são especialmente projetados para processar e filtrar pacotes de dados provenientes de uma interface radio em redes IoT periféricas

A knowledge based reengineering approach via ontology and description logic.

Traditional software reengineering often involves a great deal of manual effort by software maintainers. This is time consuming and error prone. Due to the knowledge intensive properties of software reengineering, a knowledge-based solution is proposed in this thesis to semi-automate some of this manual effort. This thesis aims to explore the principle research question: “How can software systems be described by knowledge representation techniques in order to semi-automate the manual effort in software reengineering?” The underlying research procedure of this thesis is scientific method, which consists of: observation, proposition, test and conclusion. Ontology and description logic are employed to model and represent the knowledge in different software systems, which is integrated with domain knowledge. Model transformation is used to support ontology development. Description logic is used to implement ontology mapping algorithms, in which the problem of detecting semantic relationships is converted into the problem of deducing the satisfiability of logical formulae. Operating system ontology has been built with a top-down approach, and it was deployed to support platform specific software migration [132] and portable software development [18]. Data-dominant software ontology has been built via a bottom-up approach, and it was deployed to support program comprehension [131] and modularisation [130]. This thesis suggests that software systems can be represented by ontology and description logic. Consequently, it will help in semi-automating some of the manual tasks in software reengineering. However, there are also limitations: bottom-up ontology development may sacrifice some complexity of systems; top-down ontology development may become time consuming and complicated. In terms of future work, a greater number of diverse software system categories could be involved and different software system knowledge could be explored

Capability Memory Protection for Embedded Systems

This dissertation explores the use of capability security hardware and software in real-time and latency-sensitive embedded systems, to address existing memory safety and task isolation problems as well as providing new means to design a secure and scalable real-time system. In addition, this dissertation looks into how practical and high-performance temporal memory safety can be achieved under a capability architecture. State-of-the-art memory protection schemes for embedded systems typically present limited and inflexible solutions to memory protection and isolation, and fail to scale as embedded devices become more capable and ubiquitous. I investigate whether a capability architecture is able to provide new angles to address memory safety issues in an embedded scenario. Previous CHERI capability research focuses on 64-bit architectures in UNIX operating systems, which does not translate to typical 32-bit embedded processors with low-latency and real-time requirements. I propose and implement the CHERI CC-64 encoding and the CHERI-64 coprocessor to construct a feasible capability-enabled 32-bit CPU. In addition, I implement a real-time kernel for embedded systems atop CHERI-64. On this hardware and software platform, I focus on exploring scalable task isolation and fine-grained memory protection enabled by capabilities in a single flat physical address space, which are otherwise difficult or impossible to achieve via state-of-the-art approaches. Later, I present the evaluation of the hardware implementation and the software run-time overhead and real-time performance. Even with capability support, CHERI-64 as well as other CHERI processors still expose major attack surfaces through temporal vulnerabilities like use-after-free. A naive approach that sweeps memory to invalidate stale capabilities is inefficient and incurs significant cycle overhead and DRAM traffic. To make sweeping revocation feasible, I introduce new architectural mechanisms and micro-architectural optimisations to substantially reduce the cost of memory sweeping and capability revocation. Another factor of the cost is the frequency of memory sweeping. I explore tradeoffs of memory allocator designs that use quarantine buffers and shadow space tags to prevent frequent unnecessary sweeping. The evaluation shows that the optimisations and new allocator designs reduce the cost of capability sweeping revocation by orders of magnitude, making it already practical for most applications to adopt temporal safety under CHERI.CSC Cambridge Scholarshi

ARMor: fully verified software fault isolation

ManuscriptWe have designed and implemented ARMor, a system that uses software fault isolation (SFI) to sandbox application code running on small embedded processors. Sandboxing can be used to protect components such as the RTOS and critical control loops from other, less-trusted components. ARMor guarantees memory safety and control flow integrity; it works by rewriting a binary to put a check in front of every potentially dangerous operation. We formally and automatically verify that an ARMored application respects the SFI safety properties using the HOL theorem prover. Thus, ARMor provides strong isolation guarantees and has an exceptionally small trusted computing base-there is no trusted compiler, binary rewriter, verifier, or operating system