7 research outputs found
A TrustZone-assisted secure silicon on a co-design framework
Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresEmbedded systems were for a long time, single-purpose and closed systems, characterized
by hardware resource constraints and real-time requirements. Nowadays, their functionality is
ever-growing, coupled with an increasing complexity and heterogeneity. Embedded applications
increasingly demand employment of general-purpose operating systems (GPOSs) to handle operator
interfaces and general-purpose computing tasks, while simultaneously ensuring the strict
timing requirements. Virtualization, which enables multiple operating systems (OSs) to run on
top of the same hardware platform, is gaining momentum in the embedded systems arena,
driven by the growing interest in consolidating and isolating multiple and heterogeneous environments.
The penalties incurred by classic virtualization approaches is pushing research towards
hardware-assisted solutions. Among the existing commercial off-the-shelf (COTS) technologies for
virtualization, ARM TrustZone technology is gaining momentum due to the supremacy and lower
cost of TrustZone-enabled processors.
Programmable system-on-chips (SoCs) are becoming leading players in the embedded systems
space, because the combination of a plethora of hard resources with programmable logic
enables the efficient implementation of systems that perfectly fit the heterogeneous nature of
embedded applications. Moreover, novel disruptive approaches make use of field-programmable
gate array (FPGA) technology to enhance virtualization mechanisms.
This master’s thesis proposes a hardware-software co-design framework for easing the economy
of addressing the new generation of embedded systems requirements. ARM TrustZone is
exploited to implement the root-of-trust of a virtualization-based architecture that allows the execution
of a GPOS side-by-side with a real-time OS (RTOS). RTOS services were offloaded to hardware,
so that it could present simultaneous improvements on performance and determinism. Instead
of focusing in a concrete application, the goal is to provide a complete framework, specifically tailored
for Zynq-base devices, that developers can use to accelerate a bunch of distinct applications
across different embedded industries.Os sistemas embebidos foram, durante muitos anos, sistemas com um simples e único
propósito, caracterizados por recursos de hardware limitados e com cariz de tempo real. Hoje
em dia, o número de funcionalidades começa a escalar, assim como o grau de complexidade
e heterogeneidade. As aplicações embebidas exigem cada vez mais o uso de sistemas operativos
(OSs) de uso geral (GPOS) para lidar com interfaces gráficas e tarefas de computação de
propósito geral. Porém, os seus requisitos primordiais de tempo real mantém-se. A virtualização
permite que vários sistemas operativos sejam executados na mesma plataforma de hardware.
Impulsionada pelo crescente interesse em consolidar e isolar ambientes múltiplos e heterogéneos,
a virtualização tem ganho uma crescente relevância no domínio dos sistemas embebidos.
As adversidades que advém das abordagens de virtualização clássicas estão a direcionar estudos
no âmbito de soluções assistidas por hardware. Entre as tecnologias comerciais existentes, a
tecnologia ARM TrustZone está a ganhar muita relevância devido à supremacia e ao menor custo
dos processadores que suportam esta tecnologia.
Plataformas hibridas, que combinam processadores com lógica programável, estão em crescente
penetração no domínio dos sistemas embebidos pois, disponibilizam um enorme conjunto
de recursos que se adequam perfeitamente à natureza heterogénea dos sistemas atuais. Além
disso, existem soluções recentes que fazem uso da tecnologia de FPGA para melhorar os mecanismos
de virtualização.
Esta dissertação propõe uma framework baseada em hardware-software de modo a cumprir
os requisitos da nova geração de sistemas embebidos. A tecnologia TrustZone é explorada para
implementar uma arquitetura que permite a execução de um GPOS lado-a-lado com um sistemas
operativo de tempo real (RTOS). Os serviços disponibilizados pelo RTOS são migrados
para hardware, para melhorar o desempenho e determinismo do OS. Em vez de focar numa
aplicação concreta, o objetivo é fornecer uma framework especificamente adaptada para dispositivos
baseados em System-on-chips Zynq, de forma a que developers possam usar para acelerar
um vasto número de aplicações distintas em diferentes setores
TZ- VirtIO: Enabling Standardized Inter-Partition Communication in a Trustzone-Assisted Hypervisor
Virtualization technology allows the coexistence and execution of multiple operating systems on top of the same hardware platform. In the embedded systems domain, virtualization has been focused on the isolation of critical requirements like real-time, security and safety from non-critical characteristics. The strict confinement of guest partitions typically provided by virtualization does not suit the modular and inter-cooperative nature of embedded systems. The need for inter-partition communication has been addressed by multiple virtualization solutions, either to enable guest-level device para-virtualization or to ensure increased flexibility regarding cooperative partitions. However, the majority of existing approaches follow an ad hoc approach with limited to none applicability outside their solution's scope. This paper presents TZ-VirtIO, an asynchronous standardized inter-partition communication (IPC) mechanism on top of a TrustZone-assisted dual-OS hypervisor (LTZVisor). The implemented IPC uses the standard VirtIO transport layer. The experiments conducted on a physical platform show a scalable, high-bandwidth and low-overhead solution for both single-core and multi-core architectures.FCT - Fundação para a Ciência e a Tecnologia (UID/CEC/00319/2013
Asymmetric Multiprocessing on the ARM Cortex-A9
Asymetrický multiprocessing (AMP) je způsob rozdělování zátěže počítačového systému na heterogenní hardwarové a softwarové prostředí. Tato práce popisuje principy AMP se zaměřením na ARM Cortex--A9 procesor a Altera Cyclone V hardwarovou platformu. Postup tvorby AMP systému založeného na OpenAMP frameworku ukazujícího komunikaci mezi procesorovými jádry, dokumentace a prognóza budoucího vývoje jsou výstupy této práce.Asymmetric multiprocessing (AMP) is a way of distributing computer system load toheterogeneous hardware and software environment. This thesis describes the principles of the AMP focusing on the ARM Cortex--A9 processor and Altera Cyclone V hardware platform. Development of a OpenAMP framework based AMP system showing communication among the processor cores, documentation and future work suggestion are the products of this thesis.
Enabling system survival across hypervisor failures
Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresEmbedded system’s evolution is notorious and due to the complexity growth,
these systems possess more general purpose behaviour instead of its original single
purpose features. Naturally, virtualization started to impact this matter. This
technology decreases the hardware costs since it allows to run several software
components on the same hardware. Although virtualization begun as a pure software
layer, many companies started to provide hardware solutions to assist it.
Despite ARM TrustZone technology being a security extension, many developers
realized that it was possible to use this extension to support development
of hypervisors. With TrustZone, hypervisors can ensure one of the most important
features in virtualization: isolation between guests. However, this hardware
technology revealed some vulnerabilities and since the whole system is TrustZone
dependent, the virtualization can be compromised.
To address this problem, this thesis proposes an hybrid software/hardware
mechanism to handle failures of TrustZone-based hypervisors. By using the processor’s
abort exceptions and hash keys, this project detects system malfunctions
caused by imperfect designs or even deliberate attacks. Additionally, it provides
a restoration model by checkpoints which allows a system recovery without major
throwbacks. The implemented solution was deployed on TrustZone-based LTZVisor,
an open-source and in-house hypervisor, and the revealed results are appealing.
With a 6.5% memory footprint increase and in the worst case scenario, an
increment of 23% in context switching time, it is possible to detect secure memory
invasions and recover the system. Despite of the hypervisor memory footprint
increment and latency addition, the reliability and availability that the system
bring to the LTZVisor are unquestionable.A evolução dos sistemas embebidos é notória e, devido ao aumento da sua complexidade,
estes sistemas cada vez mais possuem um comportamento de propósito
geral, em vez das suas características originais de propósito único. Naturalmente,
a virtualização começou a ter impacto sobre este meio, uma vez que permite executar
vários componentes de software no mesmo hardware, diminuindo os custos de
hardware. Embora a virtualização tenha começado como uma camada de software
pura, muitas empresas começaram a fornecer soluções de hardware para auxiliá-lo.
Apesar da TrustZone ter sido projetada pela ARM para ser uma extensão
de segurança, muitos desenvolvedores perceberam que era possível usá-la para
suporte ao desenvolvimento de hipervisores. Com a TrustZone, os hipervisores
podem garantir uma das premissas mais importantes da virtualização: isolamento
entre hóspedes. No entanto, esta tecnologia de hardware revelou algumas vulnerabilidades
e, sendo todo o sistema dependente da TrustZone, a virtualização pode
ficar comprometida.
Para solucionar o problema, esta tese propõe um mecanismo híbrido de software/
hardware para lidar com as falhas em hipervisores baseados em TrustZone.
Usando as excepções do processador e chaves de hash, este projecto detecta defeitos
no sistema causados por imperfeições no design e também ataques intencionais.
Além disso, este fornece um modelo de restauração por pontos de verificação,
permitindo uma recuperação do sistema sem grandes retrocessos. A solução foi
implementada no LTZVisor, um hipervisor em código aberto e desenvolvido no
ESRG, sendo que os resultados revelados são satisfatórios. Com um aumento de
6,5% da memória usada e um incremento, no pior caso, de 23% no tempo de
troca de contexto, é possível detectar invasões de memória segura e recuperar o
sistema. Apesar do incremento de memória do hypervisor e da adição de latência,
a confiabilidade e a disponibilidade que o sistema oferece ao LTZVisor são
inquestionáveis
Secure and safe virtualization-based framework for embedded systems development
Tese de Doutoramento - Programa Doutoral em Engenharia Electrónica e de Computadores (PDEEC)The Internet of Things (IoT) is here. Billions of smart, connected devices are proliferating
at rapid pace in our key infrastructures, generating, processing and exchanging
vast amounts of security-critical and privacy-sensitive data. This strong connectivity
of IoT environments demands for a holistic, end-to-end security approach, addressing
security and privacy risks across different abstraction levels: device, communications,
cloud, and lifecycle managment.
Security at the device level is being misconstrued as the addition of features in a
late stage of the system development. Several software-based approaches such as
microkernels, and virtualization have been used, but it is proven, per se, they fail in
providing the desired security level. As a step towards the correct operation of these
devices, it is imperative to extend them with new security-oriented technologies
which guarantee security from the outset.
This thesis aims to conceive and design a novel security and safety architecture
for virtualized systems by 1) evaluating which technologies are key enablers for
scalable and secure virtualization, 2) designing and implementing a fully-featured
virtualization environment providing hardware isolation 3) investigating which "hard
entities" can extend virtualization to guarantee the security requirements dictated by
confidentiality, integrity, and availability, and 4) simplifying system configurability
and integration through a design ecosystem supported by a domain-specific language.
The developed artefacts demonstrate: 1) why ARM TrustZone is nowadays a reference
technology for security, 2) how TrustZone can be adequately exploited for
virtualization in different use-cases, 3) why the secure boot process, trusted execution
environment and other hardware trust anchors are essential to establish and
guarantee a complete root and chain of trust, and 4) how a domain-specific language
enables easy design, integration and customization of a secure virtualized
system assisted by the above mentioned building blocks.Vivemos na era da Internet das Coisas (IoT). Biliões de dispositivos inteligentes
começam a proliferar nas nossas infraestruturas chave, levando ao processamento
de avolumadas quantidades de dados privados e sensíveis. Esta forte conectividade
inerente ao conceito IoT necessita de uma abordagem holística, em que os riscos
de privacidade e segurança são abordados nas diferentes camadas de abstração:
dispositivo, comunicações, nuvem e ciclo de vida.
A segurança ao nível dos dispositivos tem sido erradamente assegurada pela inclusão
de funcionalidades numa fase tardia do desenvolvimento. Têm sido utilizadas diversas
abordagens de software, incluindo a virtualização, mas está provado que estas
não conseguem garantir o nível de segurança desejado. De forma a garantir a correta
operação dos dispositivos, é fundamental complementar os mesmos com novas tecnologias
que promovem a segurança desde os primeiros estágios de desenvolvimento.
Esta tese propõe, assim, o desenvolvimento de uma solução arquitetural inovadora
para sistemas virtualizados seguros, contemplando 1) a avaliação de tecnologias
chave que promovam tal realização, 2) a implementação de uma solução de virtualização
garantindo isolamento por hardware, 3) a identificação de componentes
que integrados permitirão complementar a virtualização para garantir os requisitos
de segurança, e 4) a simplificação do processo de configuração e integração da solução
através de um ecossistema suportado por uma linguagem de domínio específico.
Os artefactos desenvolvidos demonstram: 1) o porquê da tecnologia ARM TrustZone
ser uma tecnologia de referência para a segurança, 2) a efetividade desta tecnologia
quando utilizada em diferentes domínios, 3) o porquê do processo seguro de inicialização,
juntamente com um ambiente de execução seguro e outros componentes de
hardware, serem essenciais para estabelecer uma cadeia de confiança, e 4) a viabilidade
em utilizar uma linguagem de um domínio específico para configurar e integrar
um ambiente virtualizado suportado pelos artefactos supramencionados
OSS architecture for mixed-criticality systems – a dual view from a software and system engineering perspective
Computer-based automation in industrial appliances led to a growing number of
logically dependent, but physically separated embedded control units per
appliance. Many of those components are safety-critical systems, and require
adherence to safety standards, which is inconsonant with the relentless demand
for features in those appliances. Features lead to a growing amount of control
units per appliance, and to a increasing complexity of the overall software
stack, being unfavourable for safety certifications. Modern CPUs provide means
to revise traditional separation of concerns design primitives: the consolidation
of systems, which yields new engineering challenges that concern the entire
software and system stack.
Multi-core CPUs favour economic consolidation of formerly separated
systems with one efficient single hardware unit. Nonetheless, the system
architecture must provide means to guarantee the freedom from interference
between domains of different criticality. System consolidation demands for
architectural and engineering strategies to fulfil requirements (e.g., real-time
or certifiability criteria) in safety-critical environments.
In parallel, there is an ongoing trend to substitute ordinary proprietary base
platform software components by mature OSS variants for economic and
engineering reasons. There are fundamental differences of processual properties
in development processes of OSS and proprietary software. OSS in
safety-critical systems requires development process assessment techniques to
build an evidence-based fundament for certification efforts that is based upon
empirical software engineering methods.
In this thesis, I will approach from both sides: the software and system
engineering perspective. In the first part of this thesis, I focus on the
assessment of OSS components: I develop software engineering techniques
that allow to quantify characteristics of distributed OSS development
processes. I show that ex-post analyses of software development processes can
be used to serve as a foundation for certification efforts, as it is required
for safety-critical systems.
In the second part of this thesis, I present a system architecture based on
OSS components that allows for consolidation of mixed-criticality systems
on a single platform. Therefore, I exploit virtualisation extensions of modern
CPUs to strictly isolate domains of different criticality. The proposed
architecture shall eradicate any remaining hypervisor activity in order to
preserve real-time capabilities of the hardware by design, while
guaranteeing strict isolation across domains.Computergestützte Automatisierung industrieller Systeme führt zu einer
wachsenden Anzahl an logisch abhängigen, aber physisch voneinander getrennten
Steuergeräten pro System. Viele der Einzelgeräte sind sicherheitskritische
Systeme, welche die Einhaltung von Sicherheitsstandards erfordern, was durch
die unermüdliche Nachfrage an Funktionalitäten erschwert wird. Diese führt zu
einer wachsenden Gesamtzahl an Steuergeräten, einhergehend mit wachsender
Komplexität des gesamten Softwarekorpus, wodurch Zertifizierungsvorhaben
erschwert werden. Moderne Prozessoren stellen Mittel zur Verfügung, welche es
ermöglichen, das traditionelle >Trennung von Belangen< Designprinzip zu
erneuern: die Systemkonsolidierung. Sie stellt neue ingenieurstechnische
Herausforderungen, die den gesamten Software und Systemstapel betreffen.
Mehrkernprozessoren begünstigen die ökonomische und effiziente Konsolidierung
vormals getrennter Systemen zu einer effizienten Hardwareeinheit. Geeignete
Systemarchitekturen müssen jedoch die Rückwirkungsfreiheit zwischen Domänen
unterschiedlicher Kritikalität sicherstellen. Die Konsolidierung erfordert
architektonische, als auch ingenieurstechnische Strategien um die Anforderungen
(etwa Echtzeit- oder Zertifizierbarkeitskriterien) in sicherheitskritischen
Umgebungen erfüllen zu können.
Zunehmend werden herkömmliche proprietär entwickelte Basisplattformkomponenten
aus ökonomischen und technischen Gründen vermehrt durch ausgereifte OSS
Alternativen ersetzt. Jedoch hindern fundamentale Unterschiede bei prozessualen
Eigenschaften des Entwicklungsprozesses bei OSS den Einsatz in
sicherheitskritischen Systemen. Dieser erfordert Techniken, welche es erlauben
die Entwicklungsprozesse zu bewerten um ein evidenzbasiertes Fundament für
Zertifizierungsvorhaben basierend auf empirischen Methoden des Software
Engineerings zur Verfügung zu stellen.
In dieser Arbeit nähere ich mich von beiden Seiten: der Softwaretechnik, und
der Systemarchitektur. Im ersten Teil befasse ich mich mit der Beurteilung von
OSS Komponenten: Ich entwickle Softwareanalysetechniken, welche es
ermöglichen, prozessuale Charakteristika von verteilten OSS
Entwicklungsvorhaben zu quantifizieren. Ich zeige, dass rückschauende Analysen
des Entwicklungsprozess als Grundlage für Softwarezertifizierungsvorhaben
genutzt werden können.
Im zweiten Teil dieser Arbeit widme ich mich der Systemarchitektur. Ich stelle
eine OSS-basierte Systemarchitektur vor, welche die Konsolidierung von
Systemen gemischter Kritikalität auf einer alleinstehenden Plattform
ermöglicht. Dazu nutze ich Virtualisierungserweiterungen moderner Prozessoren
aus, um die Hardware in strikt voneinander isolierten Rechendomänen unterschiedlicher
Kritikalität unterteilen zu können. Die vorgeschlagene Architektur soll jegliche
Betriebsstörungen des Hypervisors beseitigen, um die Echtzeitfähigkeiten der
Hardware bauartbedingt aufrecht zu erhalten, während strikte Isolierung
zwischen Domänen stets sicher gestellt ist
Defining interfaces between hardware and software: Quality and performance
One of the most important interfaces in a computer system is the interface between hardware and software. This interface is the contract between the hardware designer and the programmer that defines the functional behaviour of the hardware. This thesis examines two critical aspects of defining the hardware-software interface: quality and performance.
The first aspect is creating a high quality specification of the interface as conventionally defined in an instruction set architecture. The majority of this thesis is concerned with creating a specification that covers the full scope of the interface; that is applicable to all current implementations of the architecture; and that can be trusted to accurately describe the behaviour of implementations of the architecture. We describe the development of a formal specification of the two major types of Arm processors: A-class (for mobile devices such as phones and tablets) and M-class (for micro-controllers). These specifications are unparalleled in their scope, applicability and trustworthiness. This thesis identifies and illustrates what we consider the key ingredient in achieving this goal: creating a specification that is used by many different user groups. Supporting many different groups leads to improved quality as each group finds different problems in the specification; and, by providing value to each different group, it helps justify the considerable effort required to create a high quality specification of a major processor architecture. The work described in this thesis led to a step change in Arm's ability to use formal verification techniques to detect errors in their processors; enabled extensive testing of the specification against Arm's official architecture conformance suite; improved the quality of Arm's architecture conformance suite based on measuring the architectural coverage of the tests; supported earlier, faster development of architecture extensions by enabling animation of changes as they are being made; and enabled early detection of problems created from architecture extensions by performing formal validation of the specification against semi-structured natural language specifications. As far as we are aware, no other mainstream processor architecture has this capability. The formal specifications are included in Arm's publicly released architecture reference manuals and the A-class specification is also released in machine-readable form.
The second aspect is creating a high performance interface by defining the hardware-software interface of a software-defined radio subsystem using a programming language. That is, an interface that allows software to exploit the potential performance of the underlying hardware. While the hardware-software interface is normally defined in terms of machine code, peripheral control registers and memory maps, we define it using a programming language instead. This higher level interface provides the opportunity for compilers to hide some of the low-level differences between different systems from the programmer: a potentially very efficient way of providing a stable, portable interface without having to add hardware to provide portability between different hardware platforms. We describe the design and implementation of a set of extensions to the C programming language to support programming high performance, energy efficient, software defined radio systems. The language extensions enable the programmer to exploit the pipeline parallelism typically present in digital signal processing applications and to make efficient use of the asymmetric multiprocessor systems designed to support such applications. The extensions consist primarily of annotations that can be checked for consistency and that support annotation inference in order to reduce the number of annotations required. Reducing the number of annotations does not just save programmer effort, it also improves portability by reducing the number of annotations that need to be changed when porting an application from one platform to another. This work formed part of a project that developed a high-performance, energy-efficient, software defined radio capable of implementing the physical layers of the 4G cellphone standard (LTE), 802.11a WiFi and Digital Video Broadcast (DVB) with a power and silicon area budget that was competitive with a conventional custom ASIC solution.
The Arm architecture is the largest computer architecture by volume in the world. It behooves us to ensure that the interface it describes is appropriately defined