
    Efficient Region-Based Memory Management for Resource-limited Real-Time Embedded Systems.

    This paper presents a simple and efficient static analysis algorithm, combined with a region allocation policy for real-time embedded Java applications. The goal of this work is to provide a static analysis mechanism efficient enough to be integrated in an assisted-development environment, and to implement region-based memory management primitives suited for resource-limited platforms such as smart cards.

    Exploiting Java Code Interactions

    Many Java technologies allow the execution of code provided by multiple parties. Service-oriented platforms based on components such as OSGi are good examples of such a scenario. Those extensible component-based platforms are service-oriented, as components may directly interact with each other via the services they provide. However, even robust languages such as Java were not designed to handle code interaction between trusted and untrusted parties safely. In this technical report, we review how basic Java interactions can break encapsulation or execution safety. The contribution of the Java security layers is questionable in such environments, as they induce tangible overheads without covering all threats. We also review flaws in the Java access control design that can allow untrusted code to bypass restrictions by exploiting vulnerabilities in trusted code. Our audit of real-life trusted bundles from OSGi implementations shows that real-life components do not yet seem prepared for malicious interactions.

    Multiple Java technologies allow code provided by different parties to run in the same environment. Service-oriented platforms such as OSGi are one example. These platforms manage distinct components that interact with each other only through public entry points, namely services. Although Java is robust by nature, it was not designed to handle such interactions when some of the parties are malicious. In this technical report, we show how basic Java mechanisms can endanger encapsulation and execution safety. We also explain why the additional security layers do not appear suited to these component environments and do not guarantee optimal security coverage. We also present the problems of call-stack-based access control and how it can allow malicious code to bypass restrictions by relying on trusted code. Finally, our audit of various real-world components shows that component platforms are not prepared for the presence of malicious code.

    Hardware Resource Control in L4 micro-kernels

    In traditional operating systems, application programs are granted direct access to APIs provided by hardware device drivers. This architecture is likely to yield a poor quality of service, or is even vulnerable to denial-of-service attacks on the device itself. For instance, a malicious process issuing lots of disk requests targeting nearby blocks could prevent other processes from getting any access to their data. The micro-kernel architecture, on the other hand, provides strong isolation between components, as all communication goes through IPC. The objective of our work is to leverage this communication layer in order to transparently intercept all requests before they reach the actual drivers. This would enable the system to monitor how much pressure each program puts on each resource, in order to balance, filter, or reschedule these requests. This would make it impossible for malicious programs to abuse hardware resources, while requiring no change in the code of the driver or of the application.

    In classical operating systems, user processes have direct access to the methods of hardware device drivers. This direct access can be exploited to force a denial of service on the device concerned, or to severely degrade the quality of the service provided. For example, a malicious process requesting intensive disk accesses to very close blocks will prevent other processes from accessing this resource. The strong isolation inherent in micro-kernels channels inter-process communication through IPC. The objective of our work is to take advantage of this communication layer to intercept calls to peripherals and allow admission control or reordering of peripheral requests. This could prevent malicious processes from forcing a denial of service on a hardware component by making the corresponding driver inaccessible, by enforcing a fair share of driver access time.

    Swap Fairness for Thrashing Mitigation

    The swap mechanism allows an operating system to work with more memory than the available RAM space, by temporarily flushing some data to disk. However, the system sometimes ends up spending more time swapping data in and out of disk than performing actual computation. This state is called thrashing. Classical strategies against thrashing rely on reducing system load, so as to decrease memory pressure and increase global throughput. Those approaches may however be counterproductive when tricked into favoring malicious or long-standing processes. This is particularly true in the context of shared hosting or virtualization, where multiple users run uncoordinated and selfish workloads. To address this challenge, we propose an accounting layer that enforces swap fairness among processes competing for main memory. It ensures that a process cannot monopolize the swap subsystem by delaying the swap operations of abusive processes, reducing the number of system-wide page faults while maximizing memory utilization.

    Incremental checkpointing of program state to NVRAM for transiently-powered systems

    As technology improves, it becomes possible to design autonomous, energy-harvesting networked embedded systems, a key building block for the Internet of Things. However, running from harvested energy means frequent and unpredictable power failures. Programming such Transiently Powered Computers will remain an arduous task for the software developer, unless some OS support abstracts energy management away from application design. Various approaches have been proposed to address this problem. We focus on checkpointing, i.e. saving and restoring program state to and from non-volatile memory. In this paper, we propose an incremental checkpointing scheme which aims at minimizing the amount of data written to non-volatile memory, while keeping the execution overhead as low as possible.

    Accurate Power Consumption Evaluation for Peripherals in Ultra Low-Power embedded systems

    We propose a methodology to measure, model and simulate the power consumption of the peripheral devices of a low-power embedded micro-controller, while keeping a reasonable development cost. This methodology is experimented on the low-power MSP-EXP430FR5739 platform, which includes non-volatile RAM for intermittent computing purposes and a handful of peripherals. The experimental measurements enable the characterization of the consumption of the peripherals, whereas many existing comparable studies do not provide power consumption figures for peripherals. These measurements are integrated into a simulator that targets low-power peripheral-intensive applications, as most IoT embedded programs are. The accuracy of the power consumption estimation is within a 5% error on intermittent embedded computing using peripherals.

    Adaptive GPS Duty Cycling and Radio Ranging for Energy-efficient Localization

    This paper addresses the tradeoff between energy consumption and localization performance in a mobile sensor network application. It focuses on fusing GPS location with more energy-efficient location sensors to bound position estimate uncertainty in order to prolong node lifetime. We consider an animal monitoring application and use empirical GPS and radio contact data from a large-scale deployment to model animal mobility, GPS and radio performance. These models are used to explore duty cycling strategies for maintaining position uncertainty within specified bounds. We then explore the benefits of using short-range radio contact logging alongside GPS as an energy-inexpensive means of lowering uncertainty while the GPS is off. Results show that GPS combined with radio-contact logging is effective in extending node lifetime while meeting application-specific positioning criteria.

    Entropy transfers in the Linux Random Number Generator

    One of the services provided by the operating system to the applications is random number generation. For security reasons, the Linux Random Number Generator is built upon the combination of a deterministic algorithm known as the cryptographic post-processing and an unpredictable physical phenomenon called an Entropy Source. While the various cryptographic post-processing algorithms and their properties are well described in the literature, the entropy collection process itself is little studied. This report first presents the different approaches to random number generation, and then details the architecture of the Linux Random Number Generator. Then, we present the experiments we performed to monitor entropy transfers. Our results show that the main source of randomness in the system is the behavior of the hard drive, and that most random numbers produced by the generator are actually consumed by the kernel itself.

    Random number generation is one of the services the operating system offers to the applications it runs. For security reasons, the Linux generator is built around the combination of deterministic cryptographic processing and a genuinely non-deterministic physical mechanism called an entropy source. While the various cryptographic processing steps and their properties are abundantly described in the literature, the entropy collection process itself is rather poorly understood. This report, after presenting the different approaches to random number generation, details the architecture of the Linux generator, then the various experiments we conducted to observe entropy transfers. Our results show, among other things, that the largest source of randomness is the behavior of the hard drive, and that the majority of random numbers produced in the system are consumed by the kernel itself.

    MPU-based incremental checkpointing for transiently-powered systems


    Sytare: Persistence of peripheral state for intermittently-powered systems

    So-called intermittently-powered systems are small embedded systems that harvest energy from their environment. Because of size and cost constraints, they suffer frequent power outages, but are nevertheless able to run a software program by saving the data needed for the computation in non-volatile memory. This paper presents a technique that allows these systems to use non-trivial peripherals such as an analog-to-digital converter, a serial interface, or a radio.